diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest index 146d6845ad..4c8c2478b9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest @@ -1,2 +1 @@ -DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681 DIST systemd-257.7.tar.gz 16327096 BLAKE2B 59a28ce9b355b98f718f26489400640f3d732bbf73c00ea0571302dfc6dfb3585bf07ec56af06d74c5aa033b06a6220c3c839af6dba5ab7f8bde1aef4b58f0f6 SHA512 fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch index 7171955041..50671ce19e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001 +From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/8] wait-online: set --any by default +Subject: [PATCH 1/7] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -15,12 +15,12 @@ earlier) for the original implementation. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 5328bba2d8..95294df607 100644 +index 6f5aef903a..0acb3e76b9 100644 --- a/src/network/wait-online/wait-online.c +++ b/src/network/wait-online/wait-online.c @@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL; static char **arg_ignore = NULL; - static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; + static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID; static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; -static bool arg_any = false; +static bool arg_any = true; @@ -28,5 +28,5 @@ index 5328bba2d8..95294df607 100644 STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch index 400cb96e05..f538682a5b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ -From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001 +From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 3/8] needs-update: don't require strictly newer usr +Subject: [PATCH 2/7] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- @@ -10,7 +10,7 @@ Updates should be triggered whenever usr changes, not only when it is newer. 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml -index 3393010ff6..5478baca25 100644 +index 6b863ecff3..c166c5e7ab 100644 --- a/man/systemd-update-done.service.xml +++ b/man/systemd-update-done.service.xml @@ -50,7 +50,7 @@ @@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644 This requires that updates to /usr/ are always followed by an update of the modification time of diff --git a/src/shared/condition.c b/src/shared/condition.c -index d3446e8a9d..3f7cc9ea58 100644 +index 1a03fdbe37..8577c35fa0 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * First, compare seconds as they are always accurate... */ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) @@ -35,7 +35,7 @@ index d3446e8a9d..3f7cc9ea58 100644 /* * ...then compare nanoseconds. -@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * (otherwise the filesystem supports nsec timestamps, see stat(2)). */ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) @@ -44,7 +44,7 @@ index d3446e8a9d..3f7cc9ea58 100644 _cleanup_free_ char *timestamp_str = NULL; r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) { return true; } @@ -54,5 +54,5 @@ index d3446e8a9d..3f7cc9ea58 100644 static bool in_first_boot(void) { -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch index a25e8f17ac..9ebd5e3129 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001 +From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 -Subject: [PATCH 4/8] core: use max for DefaultTasksMax +Subject: [PATCH 3/7] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index 3c06b65f93..71f38692b6 100644 +index f7b414da5c..9c07e235ab 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml -@@ -501,7 +501,7 @@ +@@ -230,7 +230,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception @@ -34,10 +34,10 @@ index 3c06b65f93..71f38692b6 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/manager.c b/src/core/manager.c -index 88eebfc626..8992c8c3e3 100644 +index 4ccaba9054..3ab59c5bb3 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -114,7 +114,7 @@ +@@ -117,7 +117,7 @@ /* How many units and jobs to process of the bus queue before returning to the event loop. */ #define MANAGER_BUS_MESSAGE_BUDGET 100U @@ -47,10 +47,10 @@ index 88eebfc626..8992c8c3e3 100644 static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 05eb681270..94d0365244 100644 +index 1c08aa4d22..2faea3605e 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -58,7 +58,7 @@ +@@ -59,7 +59,7 @@ #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes @@ -60,5 +60,5 @@ index 05eb681270..94d0365244 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch index 648e3fa308..445fdc2728 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,7 +1,7 @@ -From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001 +From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks +Subject: [PATCH 4/7] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy @@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index 62181a6309..448f9211d6 100644 +index a67a520a3b..3365b920eb 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -2,7 +2,7 @@ @@ -25,5 +25,5 @@ index 62181a6309..448f9211d6 100644 #include #include -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index 6f81ae8b68..f189765e9a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ -From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001 +From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH 5/7] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. @@ -90,3 +90,6 @@ index 20a5eb2754..ba4cbc0edb 100644 TTYPath=/dev/%I TTYReset=yes TTYVHangup=yes +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch deleted file mode 100644 index 7baa379d34..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ /dev/null @@ -1,95 +0,0 @@ -From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin" - -This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. - -This is to work around a SELinux denial that happens when setting up standard -input for serial consoles (which is used for SSH connections). - -Signed-off-by: Sayan Chowdhury ---- - units/console-getty.service.in | 4 +--- - units/container-getty@.service.in | 4 +--- - units/getty@.service.in | 4 +--- - units/serial-getty@.service.in | 4 +--- - 4 files changed, 4 insertions(+), 12 deletions(-) - -diff --git a/units/console-getty.service.in b/units/console-getty.service.in -index d64112be5e..b908708d8c 100644 ---- a/units/console-getty.service.in -+++ b/units/console-getty.service.in -@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console - [Service] - # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), - # followed by '--' for safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM - Type=idle - Restart=always - UtmpIdentifier=cons --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/console - TTYReset=yes - TTYVHangup=yes -diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in -index 8847d735fb..8be25663f5 100644 ---- a/units/container-getty@.service.in -+++ b/units/container-getty@.service.in -@@ -27,13 +27,11 @@ Before=rescue.service - [Service] - # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), - # followed by '--' for safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=pts/%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/pts/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/getty@.service.in b/units/getty@.service.in -index 80b8f3e922..b57666c123 100644 ---- a/units/getty@.service.in -+++ b/units/getty@.service.in -@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0 - # The '-o' option value tells agetty to replace 'login' arguments with an - # option to preserve environment (-p), followed by '--' for safety, and then - # the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in -index 6bf101eac9..479b8759a9 100644 ---- a/units/serial-getty@.service.in -+++ b/units/serial-getty@.service.in -@@ -33,12 +33,10 @@ Before=rescue.service - # The '-o' option value tells agetty to replace 'login' arguments with an - # option to preserve environment (-p), followed by '--' for safety, and then - # the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM - Type=idle - Restart=always - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes --- -2.34.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch index 8471991893..033ccf2f5f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch @@ -1,7 +1,7 @@ -From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001 +From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 -Subject: [PATCH 7/8] units: Keep using old journal file format +Subject: [PATCH 6/7] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more @@ -14,22 +14,22 @@ Signed-off-by: Adrian Vladu 2 files changed, 2 insertions(+) diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index 37eeabc510..e5030a81bd 100644 +index 4404af963b..323af7cfb0 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in -@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes +@@ -30,6 +30,7 @@ IgnoreOnIsolate=yes [Service] DeviceAllow=char-* rw +Environment=SYSTEMD_JOURNAL_COMPACT=0 ExecStart={{LIBEXECDIR}}/systemd-journald FileDescriptorStoreMax=4224 - IPAddressDeny=any + # Ensure services using StandardOutput=journal do not break when journald is stopped diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in -index c3bcb08533..8780783cf6 100644 +index b705ce08ff..874701dac4 100644 --- a/units/systemd-journald@.service.in +++ b/units/systemd-journald@.service.in -@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target +@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE DevicePolicy=closed @@ -38,5 +38,5 @@ index c3bcb08533..8780783cf6 100644 FileDescriptorStoreMax=4224 Group=systemd-journal -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch index e3f00be4e3..4c12dc2f6e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch @@ -1,8 +1,8 @@ -From 65e3f4e837001f6f00359a779b6c5801566aa750 Mon Sep 17 00:00:00 2001 +From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Wed, 25 Sep 2024 15:51:02 +0000 -Subject: [PATCH] Revert "Revert "initrd-parse-etc: override argv[0] to avoid - dracut issue"" +Subject: [PATCH 7/7] Revert "Revert "initrd-parse-etc: override argv[0] to + avoid dracut issue"" This reverts commit 1c585a4ccda3258088d7bc27b27a314e7ed8be80. --- @@ -25,5 +25,5 @@ index 1eef2bd9be..3dadab1123 100644 # We want to enqueue initrd-cleanup.service/start after we finished the part # above. It can't be part of the initial transaction, because non-oneshot units -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch deleted file mode 100644 index f6fb957cd2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch +++ /dev/null @@ -1,1310 +0,0 @@ -From b3e3257bfa07ae9ff63f5a139a1f7b72353a456b Mon Sep 17 00:00:00 2001 -From: Krzesimir Nowak -Date: Mon, 22 Apr 2024 16:43:38 +0200 -Subject: [PATCH 8/8] sysext: Mutable overlays - ---- - src/basic/path-util.c | 12 + - src/basic/path-util.h | 3 +- - src/shared/mount-util.c | 10 + - src/shared/mount-util.h | 1 + - src/sysext/sysext.c | 954 +++++++++++++++++++++++++++++++++++++--- - 5 files changed, 913 insertions(+), 67 deletions(-) - -diff --git a/src/basic/path-util.c b/src/basic/path-util.c -index 6810bf66aa..b21c7b66a3 100644 ---- a/src/basic/path-util.c -+++ b/src/basic/path-util.c -@@ -525,6 +525,18 @@ int path_compare_filename(const char *a, const char *b) { - return strcmp(fa, fb); - } - -+int path_equal_or_inode_same_full(const char *a, const char *b, int flags) { -+ /* Returns true if paths are of the same entry, false if not, <0 on error. */ -+ -+ if (path_equal(a, b)) -+ return 1; -+ -+ if (!a || !b) -+ return 0; -+ -+ return inode_same(a, b, flags); -+} -+ - char* path_extend_internal(char **x, ...) { - size_t sz, old_sz; - char *q, *nx; -diff --git a/src/basic/path-util.h b/src/basic/path-util.h -index 6d943e967f..19d42c56bc 100644 ---- a/src/basic/path-util.h -+++ b/src/basic/path-util.h -@@ -68,8 +68,9 @@ static inline bool path_equal_filename(const char *a, const char *b) { - return path_compare_filename(a, b) == 0; - } - -+int path_equal_or_inode_same_full(const char *a, const char *b, int flags); - static inline bool path_equal_or_inode_same(const char *a, const char *b, int flags) { -- return path_equal(a, b) || inode_same(a, b, flags) > 0; -+ return path_equal_or_inode_same_full(a, b, flags) > 0; - } - - char* path_extend_internal(char **x, ...); -diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c -index 4f2acce513..dd9a995fb6 100644 ---- a/src/shared/mount-util.c -+++ b/src/shared/mount-util.c -@@ -453,6 +453,16 @@ int bind_remount_one_with_mountinfo( - return 0; - } - -+int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask) { -+ _cleanup_fclose_ FILE *proc_self_mountinfo = NULL; -+ -+ proc_self_mountinfo = fopen("/proc/self/mountinfo", "re"); -+ if (!proc_self_mountinfo) -+ return log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m"); -+ -+ return bind_remount_one_with_mountinfo(path, new_flags, flags_mask, proc_self_mountinfo); -+} -+ - static int mount_switch_root_pivot(int fd_newroot, const char *path) { - assert(fd_newroot >= 0); - assert(path); -diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h -index ef31104900..679c94c950 100644 ---- a/src/shared/mount-util.h -+++ b/src/shared/mount-util.h -@@ -26,6 +26,7 @@ static inline int bind_remount_recursive(const char *prefix, unsigned long new_f - } - - int bind_remount_one_with_mountinfo(const char *path, unsigned long new_flags, unsigned long flags_mask, FILE *proc_self_mountinfo); -+int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask); - - int mount_switch_root_full(const char *path, unsigned long mount_propagation_flag, bool force_ms_move); - static inline int mount_switch_root(const char *path, unsigned long mount_propagation_flag) { -diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c -index 8dc515e4d5..7c364e5bc7 100644 ---- a/src/sysext/sysext.c -+++ b/src/sysext/sysext.c -@@ -39,15 +39,41 @@ - #include "pager.h" - #include "parse-argument.h" - #include "parse-util.h" -+#include "path-util.h" - #include "pretty-print.h" - #include "process-util.h" -+#include "rm-rf.h" - #include "sort-util.h" -+#include "string-table.h" -+#include "string-util.h" - #include "terminal-util.h" - #include "user-util.h" - #include "varlink.h" - #include "varlink-io.systemd.sysext.h" - #include "verbs.h" - -+typedef enum MutableMode { -+ MUTABLE_NO, -+ MUTABLE_YES, -+ MUTABLE_AUTO, -+ MUTABLE_IMPORT, -+ MUTABLE_EPHEMERAL, -+ MUTABLE_EPHEMERAL_IMPORT, -+ _MUTABLE_MAX, -+ _MUTABLE_INVALID = -EINVAL, -+} MutableMode; -+ -+static const char* const mutable_mode_table[_MUTABLE_MAX] = { -+ [MUTABLE_NO] = "no", -+ [MUTABLE_YES] = "yes", -+ [MUTABLE_AUTO] = "auto", -+ [MUTABLE_IMPORT] = "import", -+ [MUTABLE_EPHEMERAL] = "ephemeral", -+ [MUTABLE_EPHEMERAL_IMPORT] = "ephemeral-import", -+}; -+ -+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(mutable_mode, MutableMode, MUTABLE_YES); -+ - static char **arg_hierarchies = NULL; /* "/usr" + "/opt" by default for sysext and /etc by default for confext */ - static char *arg_root = NULL; - static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; -@@ -58,10 +84,13 @@ static bool arg_no_reload = false; - static int arg_noexec = -1; - static ImagePolicy *arg_image_policy = NULL; - static bool arg_varlink = false; -+static MutableMode arg_mutable = MUTABLE_NO; - - /* Is set to IMAGE_CONFEXT when systemd is called with the confext functionality instead of the default */ - static ImageClass arg_image_class = IMAGE_SYSEXT; - -+#define MUTABLE_EXTENSIONS_BASE_DIR "/var/lib/extensions.mutable" -+ - STATIC_DESTRUCTOR_REGISTER(arg_hierarchies, strv_freep); - STATIC_DESTRUCTOR_REGISTER(arg_root, freep); - STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); -@@ -75,6 +104,7 @@ static const struct { - const char *level_env; - const char *scope_env; - const char *name_env; -+ const char *mode_env; - const ImagePolicy *default_image_policy; - unsigned long default_mount_flags; - } image_class_info[_IMAGE_CLASS_MAX] = { -@@ -86,6 +116,7 @@ static const struct { - .level_env = "SYSEXT_LEVEL", - .scope_env = "SYSEXT_SCOPE", - .name_env = "SYSTEMD_SYSEXT_HIERARCHIES", -+ .mode_env = "SYSTEMD_SYSEXT_MUTABLE_MODE", - .default_image_policy = &image_policy_sysext, - .default_mount_flags = MS_RDONLY|MS_NODEV, - }, -@@ -97,11 +128,16 @@ static const struct { - .level_env = "CONFEXT_LEVEL", - .scope_env = "CONFEXT_SCOPE", - .name_env = "SYSTEMD_CONFEXT_HIERARCHIES", -+ .mode_env = "SYSTEMD_CONFEXT_MUTABLE_MODE", - .default_image_policy = &image_policy_confext, - .default_mount_flags = MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC, - } - }; - -+static int parse_mutable_mode(const char *p) { -+ return mutable_mode_from_string(p); -+} -+ - static int is_our_mount_point( - ImageClass image_class, - const char *p) { -@@ -150,7 +186,7 @@ static int is_our_mount_point( - return log_error_errno(r, "Failed to parse device major/minor stored in '%s/dev' file on '%s': %m", image_class_info[image_class].dot_directory_name, p); - - if (lstat(p, &st) < 0) -- return log_error_errno(r, "Failed to stat %s: %m", p); -+ return log_error_errno(errno, "Failed to stat %s: %m", p); - - if (st.st_dev != dev) { - log_debug("Hierarchy '%s' reports a different device major/minor than what we are seeing, assuming offline copy.", p); -@@ -248,11 +284,22 @@ static int unmerge_hierarchy( - ImageClass image_class, - const char *p) { - -+ _cleanup_free_ char *dot_dir = NULL, *work_dir_info_file = NULL; - int r; - - assert(p); - -+ dot_dir = path_join(p, image_class_info[image_class].dot_directory_name); -+ if (!dot_dir) -+ return log_oom(); -+ -+ work_dir_info_file = path_join(dot_dir, "work_dir"); -+ if (!work_dir_info_file) -+ return log_oom(); -+ - for (;;) { -+ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *work_dir = NULL; -+ - /* We only unmount /usr/ if it is a mount point and really one of ours, in order not to break - * systems where /usr/ is a mount point of its own already. */ - -@@ -262,9 +309,40 @@ static int unmerge_hierarchy( - if (r == 0) - break; - -+ r = read_one_line_file(work_dir_info_file, &escaped_work_dir_in_root); -+ if (r < 0) { -+ if (r != -ENOENT) -+ return log_error_errno(r, "Failed to read '%s': %m", work_dir_info_file); -+ } else { -+ _cleanup_free_ char *work_dir_in_root = NULL; -+ ssize_t l; -+ -+ l = cunescape_length(escaped_work_dir_in_root, r, 0, &work_dir_in_root); -+ if (l < 0) -+ return log_error_errno(l, "Failed to unescape work directory path: %m"); -+ work_dir = path_join(arg_root, work_dir_in_root); -+ if (!work_dir) -+ return log_oom(); -+ } -+ -+ r = umount_verbose(LOG_DEBUG, dot_dir, MNT_DETACH|UMOUNT_NOFOLLOW); -+ if (r < 0) { -+ /* EINVAL is possibly "not a mount point". Let it slide as it's expected to occur if -+ * the whole hierarchy was read-only, so the dot directory inside it was not -+ * bind-mounted as read-only. */ -+ if (r != -EINVAL) -+ return log_error_errno(r, "Failed to unmount '%s': %m", dot_dir); -+ } -+ - r = umount_verbose(LOG_ERR, p, MNT_DETACH|UMOUNT_NOFOLLOW); - if (r < 0) -- return log_error_errno(r, "Failed to unmount file system '%s': %m", p); -+ return r; -+ -+ if (work_dir) { -+ r = rm_rf(work_dir, REMOVE_ROOT | REMOVE_MISSING_OK | REMOVE_PHYSICAL); -+ if (r < 0) -+ return log_error_errno(r, "Failed to remove '%s': %m", work_dir); -+ } - - log_info("Unmerged '%s'.", p); - } -@@ -448,7 +526,7 @@ static int verb_status(int argc, char **argv, void *userdata) { - return log_oom(); - - if (stat(*p, &st) < 0) -- return log_error_errno(r, "Failed to stat() '%s': %m", *p); -+ return log_error_errno(errno, "Failed to stat() '%s': %m", *p); - - r = table_add_many( - t, -@@ -474,11 +552,38 @@ static int verb_status(int argc, char **argv, void *userdata) { - return ret; - } - -+static int append_overlayfs_path_option( -+ char **options, -+ const char *separator, -+ const char *option, -+ const char *path) { -+ -+ _cleanup_free_ char *escaped = NULL; -+ -+ assert(options); -+ assert(separator); -+ assert(path); -+ -+ escaped = shell_escape(path, ",:"); -+ if (!escaped) -+ return log_oom(); -+ -+ if (option) { -+ if (!strextend(options, separator, option, "=", escaped)) -+ return log_oom(); -+ } else if (!strextend(options, separator, escaped)) -+ return log_oom(); -+ -+ return 0; -+} -+ - static int mount_overlayfs( - ImageClass image_class, - int noexec, - const char *where, -- char **layers) { -+ char **layers, -+ const char *upper_dir, -+ const char *work_dir) { - - _cleanup_free_ char *options = NULL; - bool separator = false; -@@ -486,20 +591,16 @@ static int mount_overlayfs( - int r; - - assert(where); -+ assert((upper_dir && work_dir) || (!upper_dir && !work_dir)); - - options = strdup("lowerdir="); - if (!options) - return log_oom(); - - STRV_FOREACH(l, layers) { -- _cleanup_free_ char *escaped = NULL; -- -- escaped = shell_escape(*l, ",:"); -- if (!escaped) -- return log_oom(); -- -- if (!strextend(&options, separator ? ":" : "", escaped)) -- return log_oom(); -+ r = append_overlayfs_path_option(&options, separator ? ":" : "", NULL, *l); -+ if (r < 0) -+ return r; - - separator = true; - } -@@ -508,6 +609,22 @@ static int mount_overlayfs( - if (noexec >= 0) - SET_FLAG(flags, MS_NOEXEC, noexec); - -+ if (upper_dir && work_dir) { -+ r = append_overlayfs_path_option(&options, ",", "upperdir", upper_dir); -+ if (r < 0) -+ return r; -+ -+ flags &= ~MS_RDONLY; -+ -+ r = append_overlayfs_path_option(&options, ",", "workdir", work_dir); -+ if (r < 0) -+ return r; -+ /* redirect_dir=on and noatime prevent unnecessary upcopies, metacopy=off prevents broken -+ * files from partial upcopies after umount. */ -+ if (!strextend(&options, ",redirect_dir=on,noatime,metacopy=off")) -+ return log_oom(); -+ } -+ - /* Now mount the actual overlayfs */ - r = mount_nofollow_verbose(LOG_ERR, image_class_info[image_class].short_identifier, where, "overlay", flags, options); - if (r < 0) -@@ -516,62 +633,277 @@ static int mount_overlayfs( - return 0; - } - --static int merge_hierarchy( -- ImageClass image_class, -+static char *hierarchy_as_single_path_component(const char *hierarchy) { -+ /* We normally expect hierarchy to be /usr, /opt or /etc, but for debugging purposes the hierarchy -+ * could very well be like /foo/bar/baz/. So for a given hierarchy we generate a directory name by -+ * stripping the leading and trailing separators and replacing the rest of separators with dots. This -+ * makes the generated name to be the same for /foo/bar/baz and for /foo/bar.baz, but, again, -+ * speciyfing a different hierarchy is a debugging feature, so non-unique mapping should not be an -+ * issue in general case. */ -+ const char *stripped = hierarchy; -+ _cleanup_free_ char *dir_name = NULL; -+ -+ assert(hierarchy); -+ -+ stripped += strspn(stripped, "/"); -+ -+ dir_name = strdup(stripped); -+ if (!dir_name) -+ return NULL; -+ delete_trailing_chars(dir_name, "/"); -+ string_replace_char(dir_name, '/', '.'); -+ return TAKE_PTR(dir_name); -+} -+ -+static int paths_on_same_fs(const char *path1, const char *path2) { -+ struct stat st1, st2; -+ -+ assert(path1); -+ assert(path2); -+ -+ if (stat(path1, &st1) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", path1); -+ -+ if (stat(path2, &st2) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", path2); -+ -+ return st1.st_dev == st2.st_dev; -+} -+ -+static int work_dir_for_hierarchy( - const char *hierarchy, -- int noexec, -- char **extensions, -- char **paths, -- const char *meta_path, -- const char *overlay_path) { -+ const char *resolved_upper_dir, -+ char **ret_work_dir) { -+ -+ _cleanup_free_ char *parent = NULL; -+ int r; -+ -+ assert(hierarchy); -+ assert(resolved_upper_dir); -+ assert(ret_work_dir); -+ -+ r = path_extract_directory(resolved_upper_dir, &parent); -+ if (r < 0) -+ return log_error_errno(r, "Failed to get parent directory of upperdir '%s': %m", resolved_upper_dir); -+ -+ /* TODO: paths_in_same_superblock? partition? device? */ -+ r = paths_on_same_fs(resolved_upper_dir, parent); -+ if (r < 0) -+ return r; -+ if (!r) -+ return log_error_errno(SYNTHETIC_ERRNO(EXDEV), "Unable to find a suitable workdir location for upperdir '%s' for host hierarchy '%s' - parent directory of the upperdir is in a different filesystem", resolved_upper_dir, hierarchy); -+ -+ _cleanup_free_ char *f = NULL, *dir_name = NULL; -+ -+ f = hierarchy_as_single_path_component(hierarchy); -+ if (!f) -+ return log_oom(); -+ dir_name = strjoin(".systemd-", f, "-workdir"); -+ if (!dir_name) -+ return log_oom(); -+ -+ free(f); -+ f = path_join(parent, dir_name); -+ if (!f) -+ return log_oom(); -+ -+ *ret_work_dir = TAKE_PTR(f); -+ return 0; -+} -+ -+typedef struct OverlayFSPaths { -+ char *hierarchy; -+ mode_t hierarchy_mode; -+ char *resolved_hierarchy; -+ char *resolved_mutable_directory; -+ -+ /* NULL if merged fs is read-only */ -+ char *upper_dir; -+ /* NULL if merged fs is read-only */ -+ char *work_dir; -+ /* lowest index is top lowerdir, highest index is bottom lowerdir */ -+ char **lower_dirs; -+} OverlayFSPaths; -+ -+static OverlayFSPaths *overlayfs_paths_free(OverlayFSPaths *op) { -+ if (!op) -+ return NULL; -+ -+ free(op->hierarchy); -+ free(op->resolved_hierarchy); -+ free(op->resolved_mutable_directory); -+ -+ free(op->upper_dir); -+ free(op->work_dir); -+ strv_free(op->lower_dirs); -+ -+ free(op); -+ return NULL; -+} -+DEFINE_TRIVIAL_CLEANUP_FUNC(OverlayFSPaths *, overlayfs_paths_free); - -- _cleanup_free_ char *resolved_hierarchy = NULL, *f = NULL, *buf = NULL; -- _cleanup_strv_free_ char **layers = NULL; -+static int resolve_hierarchy(const char *hierarchy, char **ret_resolved_hierarchy) { -+ _cleanup_free_ char *resolved_path = NULL; -+ int r; -+ -+ assert(hierarchy); -+ assert(ret_resolved_hierarchy); -+ -+ r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r < 0 && r != -ENOENT) -+ return log_error_errno(r, "Failed to resolve hierarchy '%s': %m", hierarchy); -+ -+ *ret_resolved_hierarchy = TAKE_PTR(resolved_path); -+ return 0; -+} -+ -+static int mutable_directory_mode_matches_hierarchy( -+ const char *root_or_null, -+ const char *path, -+ mode_t hierarchy_mode) { -+ -+ _cleanup_free_ char *path_in_root = NULL; - struct stat st; -+ mode_t actual_mode; -+ -+ assert(path); -+ -+ path_in_root = path_join(root_or_null, path); -+ if (!path_in_root) -+ return log_oom(); -+ -+ if (stat(path_in_root, &st) < 0) { -+ if (errno == ENOENT) -+ return 0; -+ return log_error_errno(errno, "Failed to stat mutable directory '%s': %m", path_in_root); -+ } -+ -+ actual_mode = st.st_mode & 0777; -+ if (actual_mode != hierarchy_mode) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mutable directory '%s' has mode %04o, ought to have mode %04o", path_in_root, actual_mode, hierarchy_mode); -+ -+ return 0; -+} -+ -+static int resolve_mutable_directory( -+ const char *hierarchy, -+ mode_t hierarchy_mode, -+ const char *workspace, -+ char **ret_resolved_mutable_directory) { -+ -+ _cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL; -+ const char *root = arg_root, *base = MUTABLE_EXTENSIONS_BASE_DIR; - int r; - - assert(hierarchy); -- assert(meta_path); -- assert(overlay_path); -+ assert(ret_resolved_mutable_directory); - -- /* Resolve the path of the host's version of the hierarchy, i.e. what we want to use as lowest layer -- * in the overlayfs stack. */ -- r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_hierarchy, NULL); -- if (r == -ENOENT) -- log_debug_errno(r, "Hierarchy '%s' on host doesn't exist, not merging.", hierarchy); -- else if (r < 0) -- return log_error_errno(r, "Failed to resolve host hierarchy '%s': %m", hierarchy); -- else { -- r = dir_is_empty(resolved_hierarchy, /* ignore_hidden_or_backup= */ false); -- if (r < 0) -- return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", resolved_hierarchy); -- if (r > 0) { -- log_debug("Host hierarchy '%s' is empty, not merging.", resolved_hierarchy); -- resolved_hierarchy = mfree(resolved_hierarchy); -- } -+ if (arg_mutable == MUTABLE_NO) { -+ log_debug("Mutability for hierarchy '%s' is disabled, not resolving mutable directory.", hierarchy); -+ *ret_resolved_mutable_directory = NULL; -+ return 0; - } - -- /* Let's generate a metadata file that lists all extensions we took into account for this -- * hierarchy. We include this in the final fs, to make things nicely discoverable and -- * recognizable. */ -- f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); -- if (!f) -+ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { -+ /* We create mutable directory inside the temporary tmpfs workspace, which is a fixed -+ * location that ignores arg_root. */ -+ root = NULL; -+ base = workspace; -+ } -+ -+ dir_name = hierarchy_as_single_path_component(hierarchy); -+ if (!dir_name) - return log_oom(); - -- buf = strv_join(extensions, "\n"); -- if (!buf) -+ path = path_join(base, dir_name); -+ if (!path) - return log_oom(); - -- r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); -+ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_AUTO)) { -+ /* If there already is a mutable directory, check if its mode matches hierarchy. Merged -+ * hierarchy will have the same mode as the mutable directory, so we want no surprising mode -+ * changes here. */ -+ r = mutable_directory_mode_matches_hierarchy(root, path, hierarchy_mode); -+ if (r < 0) -+ return r; -+ } -+ -+ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { -+ _cleanup_free_ char *path_in_root = NULL; -+ -+ path_in_root = path_join(root, path); -+ if (!path_in_root) -+ return log_oom(); -+ -+ r = mkdir_p(path_in_root, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root); -+ } -+ -+ r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r < 0 && r != -ENOENT) -+ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); -+ -+ *ret_resolved_mutable_directory = TAKE_PTR(resolved_path); -+ return 0; -+} -+ -+static int overlayfs_paths_new(const char *hierarchy, const char *workspace_path, OverlayFSPaths **ret_op) { -+ _cleanup_free_ char *hierarchy_copy = NULL, *resolved_hierarchy = NULL, *resolved_mutable_directory = NULL; -+ mode_t hierarchy_mode; -+ -+ int r; -+ -+ assert (hierarchy); -+ assert (ret_op); -+ -+ hierarchy_copy = strdup(hierarchy); -+ if (!hierarchy_copy) -+ return log_oom(); -+ -+ r = resolve_hierarchy(hierarchy, &resolved_hierarchy); - if (r < 0) -- return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); -+ return r; - -- /* Put the meta path (i.e. our synthesized stuff) at the top of the layer stack */ -- layers = strv_new(meta_path); -- if (!layers) -+ if (resolved_hierarchy) { -+ struct stat st; -+ -+ if (stat(resolved_hierarchy, &st) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", resolved_hierarchy); -+ hierarchy_mode = st.st_mode & 0777; -+ } else -+ hierarchy_mode = 0755; -+ -+ r = resolve_mutable_directory(hierarchy, hierarchy_mode, workspace_path, &resolved_mutable_directory); -+ if (r < 0) -+ return r; -+ -+ OverlayFSPaths *op; -+ op = new(OverlayFSPaths, 1); -+ if (!op) - return log_oom(); - -- /* Put the extensions in the middle */ -+ *op = (OverlayFSPaths) { -+ .hierarchy = TAKE_PTR(hierarchy_copy), -+ .hierarchy_mode = hierarchy_mode, -+ .resolved_hierarchy = TAKE_PTR(resolved_hierarchy), -+ .resolved_mutable_directory = TAKE_PTR(resolved_mutable_directory), -+ }; -+ -+ *ret_op = TAKE_PTR(op); -+ return 0; -+} -+ -+static int determine_used_extensions(const char *hierarchy, char **paths, char ***ret_used_paths, size_t *ret_extensions_used) { -+ _cleanup_strv_free_ char **used_paths = NULL; -+ size_t n = 0; -+ int r; -+ -+ assert(hierarchy); -+ assert(paths); -+ assert(ret_used_paths); -+ assert(ret_extensions_used); -+ - STRV_FOREACH(p, paths) { - _cleanup_free_ char *resolved = NULL; - -@@ -591,54 +923,514 @@ static int merge_hierarchy( - continue; - } - -- r = strv_consume(&layers, TAKE_PTR(resolved)); -+ r = strv_consume_with_size (&used_paths, &n, TAKE_PTR(resolved)); - if (r < 0) - return log_oom(); - } - -- if (!layers[1]) /* No extension with files in this hierarchy? Then don't do anything. */ -+ *ret_used_paths = TAKE_PTR(used_paths); -+ *ret_extensions_used = n; -+ return 0; -+} -+ -+static int maybe_import_mutable_directory(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ -+ /* If importing mutable layer and it actually exists and is not a hierarchy itself, add it just below -+ * the meta path */ -+ -+ if (arg_mutable != MUTABLE_IMPORT || !op->resolved_mutable_directory) - return 0; - -- if (resolved_hierarchy) { -- /* Add the host hierarchy as last (lowest) layer in the stack */ -- r = strv_consume(&layers, TAKE_PTR(resolved_hierarchy)); -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, op->resolved_mutable_directory, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); -+ -+ r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); -+ if (r < 0) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int maybe_import_ignored_mutable_directory(OverlayFSPaths *op) { -+ _cleanup_free_ char *dir_name = NULL, *path = NULL, *resolved_path = NULL; -+ int r; -+ -+ assert(op); -+ -+ /* If importing the ignored mutable layer and it actually exists and is not a hierarchy itself, add -+ * it just below the meta path */ -+ if (arg_mutable != MUTABLE_EPHEMERAL_IMPORT) -+ return 0; -+ -+ dir_name = hierarchy_as_single_path_component(op->hierarchy); -+ if (!dir_name) -+ return log_oom(); -+ -+ path = path_join(MUTABLE_EXTENSIONS_BASE_DIR, dir_name); -+ if (!path) -+ return log_oom(); -+ -+ r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r == -ENOENT) { -+ log_debug("Mutable directory for %s does not exist, not importing", op->hierarchy); -+ return 0; -+ } -+ if (r < 0) -+ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); -+ -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, resolved_path, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); -+ -+ r = strv_consume(&op->lower_dirs, TAKE_PTR(resolved_path)); -+ if (r < 0) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { -+ int r; -+ -+ assert(op); -+ assert(meta_path); -+ -+ /* Put the meta path (i.e. our synthesized stuff) at the top of the layer stack */ -+ r = strv_extend(&op->lower_dirs, meta_path); -+ if (r < 0) -+ return log_oom(); -+ -+ r = maybe_import_mutable_directory(op); -+ if (r < 0) -+ return r; -+ -+ r = maybe_import_ignored_mutable_directory(op); -+ if (r < 0) -+ return r; -+ -+ return 0; -+} -+ -+static int determine_middle_lower_dirs(OverlayFSPaths *op, char **paths) { -+ int r; -+ -+ assert(op); -+ assert(paths); -+ -+ /* The paths were already determined in determine_used_extensions, so we just take them as is. */ -+ r = strv_extend_strv(&op->lower_dirs, paths, false); -+ if (r < 0) -+ return log_oom (); -+ -+ return 0; -+} -+ -+static int hierarchy_as_lower_dir(OverlayFSPaths *op) { -+ int r; -+ -+ /* return 0 if hierarchy should be used as lower dir, >0, if not */ -+ -+ assert(op); -+ -+ if (!op->resolved_hierarchy) { -+ log_debug("Host hierarchy '%s' does not exist, will not be used as lowerdir", op->hierarchy); -+ return 1; -+ } -+ -+ r = dir_is_empty(op->resolved_hierarchy, /* ignore_hidden_or_backup= */ false); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", op->resolved_hierarchy); -+ if (r > 0) { -+ log_debug("Host hierarchy '%s' is empty, will not be used as lower dir.", op->resolved_hierarchy); -+ return 1; -+ } -+ -+ if (arg_mutable == MUTABLE_IMPORT) { -+ log_debug("Mutability for host hierarchy '%s' is disabled, so host hierarchy will be a lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ if (arg_mutable == MUTABLE_EPHEMERAL_IMPORT) { -+ log_debug("Mutability for host hierarchy '%s' is ephemeral, so host hierarchy will be a lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ if (!op->resolved_mutable_directory) { -+ log_debug("No mutable directory found, so host hierarchy '%s' will be used as lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, op->resolved_mutable_directory, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ if (r > 0) { -+ log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+static int determine_bottom_lower_dirs(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ -+ r = hierarchy_as_lower_dir(op); -+ if (r < 0) -+ return r; -+ if (!r) { -+ r = strv_extend(&op->lower_dirs, op->resolved_hierarchy); - if (r < 0) - return log_oom(); - } - -+ return 0; -+} -+ -+static int determine_lower_dirs( -+ OverlayFSPaths *op, -+ char **paths, -+ const char *meta_path) { -+ -+ int r; -+ -+ assert(op); -+ assert(paths); -+ assert(meta_path); -+ -+ r = determine_top_lower_dirs(op, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = determine_middle_lower_dirs(op, paths); -+ if (r < 0) -+ return r; -+ -+ r = determine_bottom_lower_dirs(op); -+ if (r < 0) -+ return r; -+ -+ return 0; -+} -+ -+static int determine_upper_dir(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ assert(!op->upper_dir); -+ -+ if (arg_mutable == MUTABLE_IMPORT) { -+ log_debug("Mutability is disabled, there will be no upperdir for host hierarchy '%s'", op->hierarchy); -+ return 0; -+ } -+ -+ if (!op->resolved_mutable_directory) { -+ log_debug("No mutable directory found for host hierarchy '%s', there will be no upperdir", op->hierarchy); -+ return 0; -+ } -+ -+ /* Require upper dir to be on writable filesystem if it's going to be used as an actual overlayfs -+ * upperdir, instead of a lowerdir as an imported path. */ -+ r = path_is_read_only_fs(op->resolved_mutable_directory); -+ if (r < 0) -+ return log_error_errno(r, "Failed to determine if mutable directory '%s' is on read-only filesystem: %m", op->resolved_mutable_directory); -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(EROFS), "Can't use '%s' as an upperdir as it is read-only.", op->resolved_mutable_directory); -+ -+ op->upper_dir = strdup(op->resolved_mutable_directory); -+ if (!op->upper_dir) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int determine_work_dir(OverlayFSPaths *op) { -+ _cleanup_free_ char *work_dir = NULL; -+ int r; -+ -+ assert(op); -+ assert(!op->work_dir); -+ -+ if (!op->upper_dir) -+ return 0; -+ -+ if (arg_mutable == MUTABLE_IMPORT) -+ return 0; -+ -+ r = work_dir_for_hierarchy(op->hierarchy, op->upper_dir, &work_dir); -+ if (r < 0) -+ return r; -+ -+ op->work_dir = TAKE_PTR(work_dir); -+ return 0; -+} -+ -+static int mount_overlayfs_with_op( -+ OverlayFSPaths *op, -+ ImageClass image_class, -+ int noexec, -+ const char *overlay_path, -+ const char *meta_path) { -+ -+ int r; -+ const char *top_layer = NULL; -+ -+ assert(op); -+ assert(overlay_path); -+ - r = mkdir_p(overlay_path, 0700); - if (r < 0) - return log_error_errno(r, "Failed to make directory '%s': %m", overlay_path); - -- r = mount_overlayfs(image_class, noexec, overlay_path, layers); -+ r = mkdir_p(meta_path, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make directory '%s': %m", meta_path); -+ -+ if (op->upper_dir && op->work_dir) { -+ r = mkdir_p(op->work_dir, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir); -+ top_layer = op->upper_dir; -+ } else { -+ assert(!strv_isempty(op->lower_dirs)); -+ top_layer = op->lower_dirs[0]; -+ } -+ -+ /* Overlayfs merged directory has the same mode as the top layer (either first lowerdir in options in -+ * read-only case, or upperdir for mutable case. Set up top overlayfs layer to the same mode as the -+ * unmerged hierarchy, otherwise we might end up with merged hierarchy owned by root and with mode -+ * being 0700. */ -+ if (chmod(top_layer, op->hierarchy_mode) < 0) -+ return log_error_errno(errno, "Failed to set permissions of '%s' to %04o: %m", top_layer, op->hierarchy_mode); -+ -+ r = mount_overlayfs(image_class, noexec, overlay_path, op->lower_dirs, op->upper_dir, op->work_dir); - if (r < 0) - return r; - -- /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra turbo safety 😎 */ -- r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); -+ return 0; -+} -+ -+static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) { -+ _cleanup_free_ char *f = NULL, *buf = NULL; -+ int r; -+ -+ assert(extensions); -+ assert(meta_path); -+ -+ /* Let's generate a metadata file that lists all extensions we took into account for this -+ * hierarchy. We include this in the final fs, to make things nicely discoverable and -+ * recognizable. */ -+ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); -+ if (!f) -+ return log_oom(); -+ -+ buf = strv_join(extensions, "\n"); -+ if (!buf) -+ return log_oom(); -+ -+ r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); - if (r < 0) -- return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); -+ return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); -+ -+ return 0; -+} -+ -+static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) { -+ _cleanup_free_ char *f = NULL; -+ struct stat st; -+ int r; -+ -+ assert(meta_path); -+ assert(overlay_path); - - /* Now we have mounted the new file system. Let's now figure out its .st_dev field, and make that - * available in the metadata directory. This is useful to detect whether the metadata dir actually - * belongs to the fs it is found on: if .st_dev of the top-level mount matches it, it's pretty likely - * we are looking at a live tree, and not an unpacked tar or so of one. */ - if (stat(overlay_path, &st) < 0) -- return log_error_errno(r, "Failed to stat mount '%s': %m", overlay_path); -+ return log_error_errno(errno, "Failed to stat mount '%s': %m", overlay_path); - -- free(f); - f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "dev"); - if (!f) - return log_oom(); - -+ /* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at -+ * least it won't crash or deadlock, as per the kernel docs about overlayfs: -+ * https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */ - r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE); - if (r < 0) - return log_error_errno(r, "Failed to write '%s': %m", f); - -+ return 0; -+} -+ -+static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) { -+ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL; -+ char *work_dir_in_root = NULL; -+ int r; -+ -+ assert(meta_path); -+ -+ if (!work_dir) -+ return 0; -+ -+ /* Do not store work dir path for ephemeral mode, it will be gone once this process is done. */ -+ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) -+ return 0; -+ -+ work_dir_in_root = path_startswith(work_dir, empty_to_root(arg_root)); -+ if (!work_dir_in_root) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Workdir '%s' must not be outside root '%s'", work_dir, empty_to_root(arg_root)); -+ -+ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "work_dir"); -+ if (!f) -+ return log_oom(); -+ -+ /* Paths can have newlines for whatever reason, so better escape them to really get a single -+ * line file. */ -+ escaped_work_dir_in_root = cescape(work_dir_in_root); -+ if (!escaped_work_dir_in_root) -+ return log_oom(); -+ r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE); -+ if (r < 0) -+ return log_error_errno(r, "Failed to write '%s': %m", f); -+ -+ return 0; -+} -+ -+static int store_info_in_meta( -+ ImageClass image_class, -+ char **extensions, -+ const char *meta_path, -+ const char *overlay_path, -+ const char *work_dir) { -+ -+ int r; -+ -+ assert(extensions); -+ assert(meta_path); -+ assert(overlay_path); -+ /* work_dir may be NULL */ -+ -+ r = write_extensions_file(image_class, extensions, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = write_dev_file(image_class, meta_path, overlay_path); -+ if (r < 0) -+ return r; -+ -+ r = write_work_dir_file(image_class, meta_path, work_dir); -+ if (r < 0) -+ return r; -+ - /* Make sure the top-level dir has an mtime marking the point we established the merge */ - if (utimensat(AT_FDCWD, meta_path, NULL, AT_SYMLINK_NOFOLLOW) < 0) - return log_error_errno(r, "Failed fix mtime of '%s': %m", meta_path); - -+ return 0; -+} -+ -+static int make_mounts_read_only(ImageClass image_class, const char *overlay_path, bool mutable) { -+ int r; -+ -+ assert(overlay_path); -+ -+ if (mutable) { -+ /* Bind mount the meta path as read-only on mutable overlays to avoid accidental -+ * modifications of the contents of meta directory, which could lead to systemd thinking that -+ * this hierarchy is not our mount. */ -+ _cleanup_free_ char *f = NULL; -+ -+ f = path_join(overlay_path, image_class_info[image_class].dot_directory_name); -+ if (!f) -+ return log_oom(); -+ -+ r = mount_nofollow_verbose(LOG_ERR, f, f, NULL, MS_BIND, NULL); -+ if (r < 0) -+ return r; -+ -+ r = bind_remount_one(f, MS_RDONLY, MS_RDONLY); -+ if (r < 0) -+ return log_error_errno(r, "Failed to remount '%s' as read-only: %m", f); -+ } else { -+ /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra -+ * turbo safety 😎 */ -+ r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); -+ } -+ -+ return 0; -+} -+ -+static int merge_hierarchy( -+ ImageClass image_class, -+ const char *hierarchy, -+ int noexec, -+ char **extensions, -+ char **paths, -+ const char *meta_path, -+ const char *overlay_path, -+ const char *workspace_path) { -+ -+ _cleanup_(overlayfs_paths_freep) OverlayFSPaths *op = NULL; -+ _cleanup_strv_free_ char **used_paths = NULL; -+ size_t extensions_used = 0; -+ int r; -+ -+ assert(hierarchy); -+ assert(extensions); -+ assert(paths); -+ assert(meta_path); -+ assert(overlay_path); -+ assert(workspace_path); -+ -+ r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used); -+ if (r < 0) -+ return r; -+ -+ if (extensions_used == 0) /* No extension with files in this hierarchy? Then don't do anything. */ -+ return 0; -+ -+ r = overlayfs_paths_new(hierarchy, workspace_path, &op); -+ if (r < 0) -+ return r; -+ -+ r = determine_lower_dirs(op, used_paths, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = determine_upper_dir(op); -+ if (r < 0) -+ return r; -+ -+ r = determine_work_dir(op); -+ if (r < 0) -+ return r; -+ -+ r = mount_overlayfs_with_op(op, image_class, noexec, overlay_path, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir); -+ if (r < 0) -+ return r; -+ -+ r = make_mounts_read_only(image_class, overlay_path, op->upper_dir && op->work_dir); -+ if (r < 0) -+ return r; -+ - return 1; - } - -@@ -908,7 +1700,7 @@ static int merge_subprocess( - - /* Create overlayfs mounts for all hierarchies */ - STRV_FOREACH(h, hierarchies) { -- _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL; -+ _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL, *merge_hierarchy_workspace = NULL; - - meta_path = path_join(workspace, "meta", *h); /* The place where to store metadata about this instance */ - if (!meta_path) -@@ -918,6 +1710,11 @@ static int merge_subprocess( - if (!overlay_path) - return log_oom(); - -+ /* Temporary directory for merge_hierarchy needs, like ephemeral directories. */ -+ merge_hierarchy_workspace = path_join(workspace, "mh_workspace", *h); -+ if (!merge_hierarchy_workspace) -+ return log_oom(); -+ - r = merge_hierarchy( - image_class, - *h, -@@ -925,7 +1722,8 @@ static int merge_subprocess( - extensions, - paths, - meta_path, -- overlay_path); -+ overlay_path, -+ merge_hierarchy_workspace); - if (r < 0) - return r; - } -@@ -954,7 +1752,8 @@ static int merge_subprocess( - if (r < 0) - return log_error_errno(r, "Failed to create hierarchy mount point '%s': %m", resolved); - -- r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND, NULL); -+ /* Using MS_REC to potentially bring in our read-only bind mount of metadata. */ -+ r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND|MS_REC, NULL); - if (r < 0) - return r; - -@@ -992,9 +1791,10 @@ static int merge(ImageClass image_class, - r = wait_for_terminate_and_check("(sd-merge)", pid, WAIT_LOG_ABNORMAL); - if (r < 0) - return r; -- - if (r == 123) /* exit code 123 means: didn't do anything */ - return 0; -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(EPROTO), "Failed to merge hierarchies"); - - r = need_reload(image_class, hierarchies, no_reload); - if (r < 0) -@@ -1373,6 +2173,8 @@ static int verb_help(int argc, char **argv, void *userdata) { - " -h --help Show this help\n" - " --version Show package version\n" - "\n%3$sOptions:%4$s\n" -+ " --mutable=yes|no|auto|import|ephemeral|ephemeral-import\n" -+ " Specify a mutability mode of the merged hierarchy\n" - " --no-pager Do not pipe output into a pager\n" - " --no-legend Do not show the headers and footers\n" - " --root=PATH Operate relative to root path\n" -@@ -1406,6 +2208,7 @@ static int parse_argv(int argc, char *argv[]) { - ARG_IMAGE_POLICY, - ARG_NOEXEC, - ARG_NO_RELOAD, -+ ARG_MUTABLE, - }; - - static const struct option options[] = { -@@ -1419,6 +2222,7 @@ static int parse_argv(int argc, char *argv[]) { - { "image-policy", required_argument, NULL, ARG_IMAGE_POLICY }, - { "noexec", required_argument, NULL, ARG_NOEXEC }, - { "no-reload", no_argument, NULL, ARG_NO_RELOAD }, -+ { "mutable", required_argument, NULL, ARG_MUTABLE }, - {} - }; - -@@ -1482,6 +2286,13 @@ static int parse_argv(int argc, char *argv[]) { - arg_no_reload = true; - break; - -+ case ARG_MUTABLE: -+ r = parse_mutable_mode(optarg); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse argument to --mutable=: %s", optarg); -+ arg_mutable = r; -+ break; -+ - case '?': - return -EINVAL; - -@@ -1514,12 +2325,23 @@ static int sysext_main(int argc, char *argv[]) { - } - - static int run(int argc, char *argv[]) { -+ const char *env_var; - int r; - - log_setup(); - - arg_image_class = invoked_as(argv, "systemd-confext") ? IMAGE_CONFEXT : IMAGE_SYSEXT; - -+ env_var = getenv(image_class_info[arg_image_class].mode_env); -+ if (env_var) { -+ r = parse_mutable_mode(env_var); -+ if (r < 0) -+ log_warning("Failed to parse %s environment variable value '%s'. Ignoring.", -+ image_class_info[arg_image_class].mode_env, env_var); -+ else -+ arg_mutable = r; -+ } -+ - r = parse_argv(argc, argv); - if (r <= 0) - return r; --- -2.34.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch deleted file mode 100644 index bcdf2a3f75..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 7136aa7db4423432392a0fe6055c48a922a4aad4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 Sep 2024 00:12:41 +0900 -Subject: [PATCH] network/netdev: also check ifindex, iftype, and kind when - assigning NetDev to Link - -Even when a NetDev object with the same name found, its iftype or kind -may be different. For safety, let's also check them. - -(cherry picked from commit 1788c3462853e8bb955ff656007e20f402dd9af2) - -Signed-off-by: Jeremi Piotrowski ---- - src/network/netdev/netdev.c | 37 +++++++++++++++++++++++++++++++++++++ - src/network/netdev/netdev.h | 1 + - src/network/networkd-link.c | 10 ++-------- - 3 files changed, 40 insertions(+), 8 deletions(-) - -diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c -index 2b411425ba..9a528137ea 100644 ---- a/src/network/netdev/netdev.c -+++ b/src/network/netdev/netdev.c -@@ -265,6 +265,43 @@ int netdev_get(Manager *manager, const char *name, NetDev **ret) { - return 0; - } - -+void link_assign_netdev(Link *link) { -+ _unused_ _cleanup_(netdev_unrefp) NetDev *old = NULL; -+ NetDev *netdev; -+ -+ assert(link); -+ assert(link->manager); -+ assert(link->ifname); -+ -+ old = TAKE_PTR(link->netdev); -+ -+ if (netdev_get(link->manager, link->ifname, &netdev) < 0) -+ return; -+ -+ if (netdev->ifindex != link->ifindex) -+ return; -+ -+ if (NETDEV_VTABLE(netdev)->iftype != link->iftype) -+ return; -+ -+ if (!NETDEV_VTABLE(netdev)->skip_netdev_kind_check) { -+ const char *kind; -+ -+ if (netdev->kind == NETDEV_KIND_TAP) -+ kind = "tun"; /* the kernel does not distinguish between tun and tap */ -+ else -+ kind = netdev_kind_to_string(netdev->kind); -+ -+ if (!streq_ptr(kind, link->kind)) -+ return; -+ } -+ -+ link->netdev = netdev_ref(netdev); -+ -+ if (netdev != old) -+ log_link_debug(link, "Found matching .netdev file: %s", netdev->filename); -+} -+ - void netdev_enter_failed(NetDev *netdev) { - netdev->state = NETDEV_STATE_FAILED; - } -diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h -index cb8cc8c6a9..1a03a9b592 100644 ---- a/src/network/netdev/netdev.h -+++ b/src/network/netdev/netdev.h -@@ -206,6 +206,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(NetDev*, netdev_unref); - - bool netdev_is_managed(NetDev *netdev); - int netdev_get(Manager *manager, const char *name, NetDev **ret); -+void link_assign_netdev(Link *link); - int netdev_set_ifindex(NetDev *netdev, sd_netlink_message *newlink); - int netdev_generate_hw_addr(NetDev *netdev, Link *link, const char *name, - const struct hw_addr_data *hw_addr, struct hw_addr_data *ret); -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index 8f21504d92..c3a5dc1f0d 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1317,7 +1317,6 @@ static int link_get_network(Link *link, Network **ret) { - - int link_reconfigure_impl(Link *link, bool force) { - Network *network = NULL; -- NetDev *netdev = NULL; - int r; - - assert(link); -@@ -1326,13 +1325,11 @@ int link_reconfigure_impl(Link *link, bool force) { - if (link->manager->state != MANAGER_RUNNING) - return 0; - -+ link_assign_netdev(link); -+ - if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER)) - return 0; - -- r = netdev_get(link->manager, link->ifname, &netdev); -- if (r < 0 && r != -ENOENT) -- return r; -- - r = link_get_network(link, &network); - if (r < 0 && r != -ENOENT) - return r; -@@ -1397,9 +1394,6 @@ int link_reconfigure_impl(Link *link, bool force) { - link_free_engines(link); - link->network = network_unref(link->network); - -- netdev_unref(link->netdev); -- link->netdev = netdev_ref(netdev); -- - if (!network) { - link_set_state(link, LINK_STATE_UNMANAGED); - return 0; --- -2.39.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch deleted file mode 100644 index 3ab34f08b6..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 916523aabc7fcb3b5b9362100a5e3417aae00cb2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 11 Jun 2025 18:05:46 +0900 -Subject: [PATCH] network: also check ID_NET_MANAGED_BY property on - reconfigure - -Previously, the property was checked only when an uevent is received, -so even if an interface has ID_NET_MANAGED_BY property, the interface -will be configured by networkd when reconfiguration is triggered e.g. -when interface state is changed. - -Follow-up for ba87a61d05d637be9f0b21707f7fe3b0a74c5a05. -Fixes #36997. - -(cherry picked from commit 78f8d5ed71ecc16ad36d1c215d2d57433d127679) - -Signed-off-by: Jeremi Piotrowski ---- - src/network/networkd-link.c | 44 ++++++++++++++----- - .../test-network/conf/11-dummy-unmanaged.link | 8 ++++ - test/test-network/systemd-networkd-tests.py | 11 +++++ - 3 files changed, 53 insertions(+), 10 deletions(-) - create mode 100644 test/test-network/conf/11-dummy-unmanaged.link - -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index c3a5dc1f0d..3ed1584807 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1315,6 +1315,32 @@ static int link_get_network(Link *link, Network **ret) { - return -ENOENT; - } - -+static int link_managed_by_us(Link *link) { -+ int r; -+ -+ assert(link); -+ -+ if (!link->dev) -+ return true; -+ -+ const char *s; -+ r = sd_device_get_property_value(link->dev, "ID_NET_MANAGED_BY", &s); -+ if (r == -ENOENT) -+ return true; -+ if (r < 0) -+ return log_link_warning_errno(link, r, "Failed to get ID_NET_MANAGED_BY udev property: %m"); -+ -+ if (streq(s, "io.systemd.Network")) -+ return true; -+ -+ if (link->state == LINK_STATE_UNMANAGED) -+ return false; /* Already in unmanaged state */ -+ -+ log_link_debug(link, "Interface is requested to be managed by '%s', unmanaging the interface.", s); -+ link_set_state(link, LINK_STATE_UNMANAGED); -+ return false; -+} -+ - int link_reconfigure_impl(Link *link, bool force) { - Network *network = NULL; - int r; -@@ -1330,6 +1356,10 @@ int link_reconfigure_impl(Link *link, bool force) { - if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER)) - return 0; - -+ r = link_managed_by_us(link); -+ if (r <= 0) -+ return r; -+ - r = link_get_network(link, &network); - if (r < 0 && r != -ENOENT) - return r; -@@ -1584,6 +1614,10 @@ static int link_initialized(Link *link, sd_device *device) { - * or sysattrs) may be outdated. */ - device_unref_and_replace(link->dev, device); - -+ r = link_managed_by_us(link); -+ if (r <= 0) -+ return r; -+ - if (link->dhcp_client) { - r = sd_dhcp_client_attach_device(link->dhcp_client, link->dev); - if (r < 0) -@@ -1651,7 +1685,6 @@ static int link_check_initialized(Link *link) { - - int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t action) { - int r, ifindex; -- const char *s; - Link *link; - - assert(m); -@@ -1686,15 +1719,6 @@ int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t - return 0; - } - -- r = sd_device_get_property_value(device, "ID_NET_MANAGED_BY", &s); -- if (r < 0 && r != -ENOENT) -- log_device_debug_errno(device, r, "Failed to get ID_NET_MANAGED_BY udev property, ignoring: %m"); -- if (r >= 0 && !streq(s, "io.systemd.Network")) { -- log_device_debug(device, "Interface is requested to be managed by '%s', not managing the interface.", s); -- link_set_state(link, LINK_STATE_UNMANAGED); -- return 0; -- } -- - r = link_initialized(link, device); - if (r < 0) - link_enter_failed(link); -diff --git a/test/test-network/conf/11-dummy-unmanaged.link b/test/test-network/conf/11-dummy-unmanaged.link -new file mode 100644 -index 0000000000..99c07a72ce ---- /dev/null -+++ b/test/test-network/conf/11-dummy-unmanaged.link -@@ -0,0 +1,8 @@ -+# SPDX-License-Identifier: MIT-0 -+[Match] -+Kind=dummy -+OriginalName=test1 -+ -+[Link] -+NamePolicy=keep -+Property=ID_NET_MANAGED_BY=hoge -diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py -index d8acf538f0..391d219de8 100755 ---- a/test/test-network/systemd-networkd-tests.py -+++ b/test/test-network/systemd-networkd-tests.py -@@ -2735,6 +2735,17 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): - def tearDown(self): - tear_down_common() - -+ def test_ID_NET_MANAGED_BY(self): -+ copy_network_unit('11-dummy.netdev', '11-dummy-unmanaged.link', '11-dummy.network') -+ start_networkd() -+ self.wait_online('test1:off', setup_state='unmanaged') -+ -+ check_output('ip link set dev test1 up') -+ self.wait_online('test1:degraded', setup_state='unmanaged') -+ -+ check_output('ip link set dev test1 down') -+ self.wait_online('test1:off', setup_state='unmanaged') -+ - def verify_address_static( - self, - label1: str, --- -2.39.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch deleted file mode 100644 index 0570695d39..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch +++ /dev/null @@ -1,26 +0,0 @@ -https://github.com/systemd/systemd/commit/dde6f1d7456db7aa72d24b1d6956b419b6f9945c - -From dde6f1d7456db7aa72d24b1d6956b419b6f9945c Mon Sep 17 00:00:00 2001 -From: Sam James -Date: Sat, 24 Aug 2024 13:09:47 +0100 -Subject: [PATCH] meson: search for 'bpf-unknown-none' too - -We currently search for 'bpf-gcc' and 'bpf-none-gcc'. Gentoo's -sys-devel/bpf-toolchain package uses 'bpf-unknown-none-gcc', as does Fedora's -cross-binutils. Search for this name too. ---- - meson.build | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/meson.build b/meson.build -index 5e0b666c64b17..fbc2bbdf2f22f 100644 ---- a/meson.build -+++ b/meson.build -@@ -1109,6 +1109,7 @@ else - elif bpf_compiler == 'gcc' - bpf_gcc = find_program('bpf-gcc', - 'bpf-none-gcc', -+ 'bpf-unknown-none-gcc', - required : true, - version : '>= 13.1.0') - bpf_gcc_found = bpf_gcc.found() diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch new file mode 100644 index 0000000000..a4f798dc4e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch @@ -0,0 +1,69 @@ +https://bugs.gentoo.org/956681 +https://github.com/systemd/systemd/pull/37017 + +From fd9c4b4f49990f0656092035464b85256a0ba6e3 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Fri, 4 Apr 2025 21:40:41 -0700 +Subject: [PATCH] shared/cred-util: Ensure TPM code is used with HAVE_TPM2 + guards +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Building with no TPM2 we end up with following error + +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’ +In function ‘memcpy’, + inlined from ‘encrypt_credential_and_warn’ at ../git/src/shared/creds-util.c:1091:17: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: error: argument 2 null where non-null expected [-Werror=nonnull] + 29 | return __builtin___memcpy_chk (__dest, __src, __len, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 30 | __glibc_objsize0 (__dest)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~ +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’ +cc1: some warnings being treated as errors 29 | return __builtin___memcpy_chk (__dest, __src, __len, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 30 | __glibc_objsize0 (__dest)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is because code referencing tpm2 data structures is still used while the +initialization of the function has been compiled out since its conditional on HAVE_TPM2 + +We add needed guards in places where it is missing to fix this problem + +Signed-off-by: Khem Raj +--- + src/shared/creds-util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c +index ca8e15d4c9d1e..e074c8b24680a 100644 +--- a/src/shared/creds-util.c ++++ b/src/shared/creds-util.c +@@ -804,7 +804,9 @@ int encrypt_credential_and_warn( + _cleanup_(iovec_done_erase) struct iovec tpm2_key = {}, output = {}, host_key = {}; + _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL; + _cleanup_free_ struct metadata_credential_header *m = NULL; ++#if HAVE_TPM2 + uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0; ++#endif + struct encrypted_credential_header *h; + int ksz, bsz, ivsz, tsz, added, r; + uint8_t md[SHA256_DIGEST_LENGTH]; +@@ -1078,6 +1080,7 @@ int encrypt_credential_and_warn( + + p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz); + ++#if HAVE_TPM2 + if (iovec_is_set(&tpm2_key)) { + struct tpm2_credential_header *t; + +@@ -1092,7 +1095,7 @@ int encrypt_credential_and_warn( + + p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob.iov_len + tpm2_policy_hash.iov_len); + } +- ++#endif + if (iovec_is_set(&pubkey)) { + struct tpm2_public_key_credential_header *z; + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf index 2b72383153..8a5df37ce2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf @@ -1,10 +1,2 @@ -# The list of directories is taken from Gentoo ebuild, where they use -# keepdir. The list isn't sorted, but tries to preserve the order of -# keepdir lines from Gentoo ebuild for easier comparisons. We skip the -# directories in /usr, though. -d /var/lib/systemd - - - - - -d /var/log/journal - - - - - -d /etc/sysctl.d - - - - - - # This seems to be our own addition. d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild deleted file mode 100644 index ed6aaf1aaa..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild +++ /dev/null @@ -1,773 +0,0 @@ -# Copyright 2011-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 -PYTHON_COMPAT=( python3_{10..13} ) - -# Avoid QA warnings -TMPFILES_OPTIONAL=1 -UDEV_OPTIONAL=1 - -QA_PKGCONFIG_VERSION=$(ver_cut 1) - -if [[ ${PV} == 9999 ]]; then - EGIT_REPO_URI="https://github.com/systemd/systemd.git" - inherit git-r3 -else - MY_PV=${PV/_/-} - MY_P=${PN}-${MY_PV} - S=${WORKDIR}/${MY_P} - SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" - - if [[ ${PV} != *rc* ]] ; then - # Flatcar: mark as stable - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" - fi -fi - -inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 -inherit secureboot systemd tmpfiles toolchain-funcs udev - -DESCRIPTION="System and service manager for Linux" -HOMEPAGE="https://systemd.io/" - -LICENSE="GPL-2 LGPL-2.1 MIT public-domain" -SLOT="0/2" -IUSE=" - acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils - fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod - +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode - +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd -" -REQUIRED_USE=" - ${PYTHON_REQUIRED_USE} - dns-over-tls? ( || ( gnutls openssl ) ) - fido2? ( cryptsetup openssl ) - homed? ( cryptsetup pam openssl ) - importd? ( curl lzma || ( gcrypt openssl ) ) - pwquality? ( homed ) - boot? ( kernel-install ) - ukify? ( boot ) -" -RESTRICT="!test? ( test )" - -MINKV="4.15" - -COMMON_DEPEND=" - >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] - sys-libs/libcap:0=[${MULTILIB_USEDEP}] - virtual/libcrypt:=[${MULTILIB_USEDEP}] - acl? ( sys-apps/acl:0= ) - apparmor? ( >=sys-libs/libapparmor-2.13:0= ) - audit? ( >=sys-process/audit-2:0= ) - bpf? ( >=dev-libs/libbpf-1.4.0:0= ) - cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) - curl? ( >=net-misc/curl-7.32.0:0= ) - elfutils? ( >=dev-libs/elfutils-0.158:0= ) - fido2? ( dev-libs/libfido2:0= ) - gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) - gnutls? ( >=net-libs/gnutls-3.6.0:0= ) - http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) - idn? ( net-dns/libidn2:= ) - importd? ( - app-arch/bzip2:0= - sys-libs/zlib:0= - ) - kmod? ( >=sys-apps/kmod-15:0= ) - lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) - lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) - iptables? ( net-firewall/iptables:0= ) - openssl? ( >=dev-libs/openssl-1.1.0:0= ) - pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) - pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) - pcre? ( dev-libs/libpcre2 ) - pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) - qrcode? ( >=media-gfx/qrencode-3:0= ) - seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) - selinux? ( >=sys-libs/libselinux-2.1.9:0= ) - tpm? ( app-crypt/tpm2-tss:0= ) - xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) - zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) -" - -# Newer linux-headers needed by ia64, bug #480218 -DEPEND="${COMMON_DEPEND} - >=sys-kernel/linux-headers-${MINKV} -" - -PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' - -# baselayout-2.2 has /run -# -# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use -# flag). The image stage fails with "Failed to resolve -# typeattributeset statement at -# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" -# -# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary -# needed by dracut's systemd-vconsole-setup module. -RDEPEND="${COMMON_DEPEND} - >=acct-group/adm-0-r1 - >=acct-group/wheel-0-r1 - >=acct-group/kmem-0-r1 - >=acct-group/tty-0-r1 - >=acct-group/utmp-0-r1 - >=acct-group/audio-0-r1 - >=acct-group/cdrom-0-r1 - >=acct-group/dialout-0-r1 - >=acct-group/disk-0-r1 - >=acct-group/input-0-r1 - >=acct-group/kvm-0-r1 - >=acct-group/lp-0-r1 - >=acct-group/render-0-r1 - acct-group/sgx - >=acct-group/tape-0-r1 - acct-group/users - >=acct-group/video-0-r1 - >=acct-group/systemd-journal-0-r1 - >=acct-user/root-0-r1 - acct-user/nobody - >=acct-user/systemd-journal-remote-0-r1 - >=acct-user/systemd-coredump-0-r1 - >=acct-user/systemd-network-0-r1 - acct-user/systemd-oom - >=acct-user/systemd-resolve-0-r1 - >=acct-user/systemd-timesync-0-r1 - >=sys-apps/baselayout-2.2 - sys-apps/kbd - ukify? ( - ${PYTHON_DEPS} - $(python_gen_cond_dep "${PEFILE_DEPEND}") - ) - selinux? ( - sec-policy/selinux-base-policy[systemd] - ) - sysv-utils? ( - !sys-apps/openrc[sysv-utils(-)] - !sys-apps/openrc-navi[sysv-utils(-)] - !sys-apps/sysvinit - ) - !sysv-utils? ( sys-apps/sysvinit ) - resolvconf? ( !net-dns/openresolv ) - !sys-auth/nss-myhostname - !sys-fs/eudev - !sys-fs/udev -" - -# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) -PDEPEND=">=sys-apps/dbus-1.9.8[systemd] - >=sys-fs/udev-init-scripts-34 - policykit? ( sys-auth/polkit ) - !vanilla? ( sys-apps/gentoo-systemd-integration )" - -BDEPEND=" - app-arch/xz-utils:0 - dev-util/gperf - >=dev-build/meson-0.46 - >=sys-apps/coreutils-8.16 - sys-devel/gettext - virtual/pkgconfig - bpf? ( - dev-util/bpftool - sys-devel/bpf-toolchain - ) - test? ( - app-text/tree - dev-lang/perl - sys-apps/dbus - ) - app-text/docbook-xml-dtd:4.2 - app-text/docbook-xml-dtd:4.5 - app-text/docbook-xsl-stylesheets - dev-libs/libxslt:0 - ${PYTHON_DEPS} - $(python_gen_cond_dep " - dev-python/jinja2[\${PYTHON_USEDEP}] - dev-python/lxml[\${PYTHON_USEDEP}] - boot? ( - >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] - test? ( ${PEFILE_DEPEND} ) - ) - ") -" - -QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" -QA_EXECSTACK="usr/lib/systemd/boot/efi/*" - -pkg_pretend() { - # Flatcar: We keep using split-usr for SDK. - # if use split-usr; then - # eerror "Please complete the migration to merged-usr." - # eerror "https://wiki.gentoo.org/wiki/Merge-usr" - # die "systemd no longer supports split-usr" - # fi - if [[ ${MERGE_TYPE} != buildonly ]]; then - local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS - ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE - ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS - ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS - ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH - ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED - ~!SYSFS_DEPRECATED_V2" - - use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" - use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" - use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" - - if kernel_is -ge 5 10 20; then - CONFIG_CHECK+=" ~KCMP" - else - CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" - fi - - if kernel_is -ge 4 18; then - CONFIG_CHECK+=" ~AUTOFS_FS" - else - CONFIG_CHECK+=" ~AUTOFS4_FS" - fi - - if linux_config_exists; then - local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) - if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then - ewarn "It's recommended to set an empty value to the following kernel config option:" - ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" - fi - if linux_chkconfig_present X86; then - CONFIG_CHECK+=" ~DMIID" - fi - fi - - if kernel_is -lt ${MINKV//./ }; then - ewarn "Kernel version at least ${MINKV} required" - fi - - check_extra_config - fi -} - -pkg_setup() { - use boot && secureboot_pkg_setup -} - -src_unpack() { - default - [[ ${PV} != 9999 ]] || git-r3_src_unpack -} - -src_prepare() { - local PATCHES=( - "${FILESDIR}/systemd-test-process-util.patch" - "${FILESDIR}/256-bpf-gcc.patch" - # Flatcar: Adding our own patches here. - "${FILESDIR}/0001-wait-online-set-any-by-default.patch" - "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" - "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0009-initrd-parse-etc.service.patch" - "${FILESDIR}/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch" - "${FILESDIR}/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch" - ) - - if ! use vanilla; then - PATCHES+=( - "${FILESDIR}/gentoo-journald-audit-r1.patch" - ) - fi - - # Fails with split-usr. - sed -i -e '2i exit 77' test/test-rpm-macros.sh || die - - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., - # CoreDNS which has dnsPolicy "default", but unless the - # kubelet --resolv-conf flag is set to point to - # /run/systemd/resolve/resolv.conf this won't work with - # /etc/resolv.conf pointing to - # /run/systemd/resolve/stub-resolv.conf which configures - # 127.0.0.53. See - # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues - # This means that users who need split DNS to work should - # point /etc/resolv.conf back to - # /run/systemd/resolve/stub-resolv.conf (and if using K8s - # configure the kubelet resolvConf variable/--resolv-conf flag - # to /run/systemd/resolve/resolv.conf). - sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die - default -} - -src_configure() { - # Prevent conflicts with i686 cross toolchain, bug 559726 - tc-export AR CC NM OBJCOPY RANLIB - - python_setup - - multilib-minimal_src_configure -} - -# Flatcar: Our function, we use it in some places below. -get_rootprefix() { - usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" -} - -multilib_src_configure() { - local myconf=( - --localstatedir="${EPREFIX}/var" - # default is developer, bug 918671 - -Dmode=release - # Flatcar: Point to our user mailing list. - -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" - -Dpamlibdir="$(getpam_mod_dir)" - # avoid bash-completion dep - -Dbashcompletiondir="$(get_bashcompdir)" - # Flatcar: We keep using split-usr in SDK. - $(meson_use split-usr) - # Flatcar: Always set split-bin to true, we always - # have separate bin and sbin directories - -Dsplit-bin=true - # Flatcar: Use get_rootprefix. No functional change - # from upstream, just refactoring the common code used - # in some places. - # - # TODO: Drop -Drootprefix and -Drootlibdir we get rid - # of split-usr in SDK - -Drootprefix="$(get_rootprefix)" - -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" - # Disable compatibility with sysvinit - -Dsysvinit-path= - -Dsysvrcnd-path= - # no deps - -Dima=true - # Match /etc/shells, bug 919749 - -Ddebug-shell="${EPREFIX}/bin/sh" - -Ddefault-user-shell="${EPREFIX}/bin/bash" - # Optional components/dependencies - $(meson_native_use_bool acl) - $(meson_native_use_bool apparmor) - $(meson_native_use_bool audit) - $(meson_native_use_bool boot bootloader) - $(meson_native_use_bool bpf bpf-framework) - -Dbpf-compiler=gcc - $(meson_native_use_bool cryptsetup libcryptsetup) - $(meson_native_use_bool curl libcurl) - $(meson_native_use_bool dns-over-tls dns-over-tls) - $(meson_native_use_bool elfutils) - $(meson_native_use_bool fido2 libfido2) - $(meson_use gcrypt) - $(meson_native_use_bool gnutls) - $(meson_native_use_bool homed) - $(meson_native_use_bool http microhttpd) - $(meson_native_use_bool idn) - $(meson_native_use_bool importd) - $(meson_native_use_bool importd bzip2) - $(meson_native_use_bool importd zlib) - $(meson_native_use_bool kernel-install) - $(meson_native_use_bool kmod) - $(meson_use lz4) - $(meson_use lzma xz) - $(meson_use test tests) - $(meson_use zstd) - $(meson_native_use_bool iptables libiptc) - $(meson_native_use_bool openssl) - $(meson_use pam) - $(meson_native_use_bool pkcs11 p11kit) - $(meson_native_use_bool pcre pcre2) - $(meson_native_use_bool policykit polkit) - $(meson_native_use_bool pwquality) - $(meson_native_use_bool qrcode qrencode) - $(meson_native_use_bool seccomp) - $(meson_native_use_bool selinux) - $(meson_native_use_bool tpm tpm2) - $(meson_native_use_bool test dbus) - $(meson_native_use_bool ukify) - $(meson_native_use_bool xkb xkbcommon) - # Flatcar: Use our ntp servers. - -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" - # Breaks screen, tmux, etc. - -Ddefault-kill-user-processes=false - # Flatcar: TODO: Investigate if we want this. - -Dcreate-log-dirs=false - - # multilib options - $(meson_native_true backlight) - $(meson_native_true binfmt) - $(meson_native_true coredump) - $(meson_native_true environment-d) - $(meson_native_true firstboot) - $(meson_native_true hibernate) - $(meson_native_true hostnamed) - $(meson_native_true ldconfig) - $(meson_native_true localed) - $(meson_native_true man) - $(meson_native_true networkd) - $(meson_native_true quotacheck) - $(meson_native_true randomseed) - $(meson_native_true rfkill) - $(meson_native_true sysusers) - $(meson_native_true timedated) - $(meson_native_true timesyncd) - $(meson_native_true tmpfiles) - $(meson_native_true vconsole) - $(meson_native_enabled vmspawn) - # Flatcar: Specify this, or meson breaks due to no - # /etc/login.defs. - -Dsystem-gid-max=999 - -Dsystem-uid-max=999 - - # Flatcar: DBus paths. - -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" - -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" - - # Flatcar: PAM config directory. - -Dpamconfdir=/usr/share/pam.d - - # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC - # 2013. Used by timesyncd as a sanity check for the - # minimum acceptable time. Explicitly set to avoid - # using the current build time. - -Dtime-epoch=1372636800 - - # Flatcar: No default name servers. - -Ddns-servers= - - # Flatcar: Disable the "First Boot Wizard", it isn't - # very applicable to us. - -Dfirstboot=false - - # Flatcar: Set latest network interface naming scheme - # for https://github.com/flatcar/Flatcar/issues/36 - -Ddefault-net-naming-scheme=latest - - # Flatcar: Combined log format: name plus description - -Dstatus-unit-format-default=combined - - # Flatcar: Unported options, still needed? - -Dquotaon-path=/usr/sbin/quotaon - -Dquotacheck-path=/usr/sbin/quotacheck - -Ddefault-mdns=no - ) - - case $(tc-arch) in - amd64|arm|arm64|ppc|ppc64|s390|x86) - # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE - myconf+=( $(meson_native_enabled vmspawn) ) ;; - *) - myconf+=( -Dvmspawn=disabled ) ;; - esac - - meson_src_configure "${myconf[@]}" -} - -multilib_src_test() { - ( - unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR - export COLUMNS=80 - addpredict /dev - addpredict /proc - addpredict /run - addpredict /sys/fs/cgroup - meson_src_test --timeout-multiplier=10 - ) || die -} - -multilib_src_install_all() { - # meson doesn't know about docdir - mv "${ED}"/usr/share/doc/{systemd,${PF}} || die - - einstalldocs - # Flatcar: Do not install sample nsswitch.conf, we don't - # provide it. - # dodoc "${FILESDIR}"/nsswitch.conf - - insinto /usr/lib/tmpfiles.d - doins "${FILESDIR}"/legacy.conf - - if ! use resolvconf; then - rm -f "${ED}"/usr/bin/resolvconf || die - fi - - if ! use sysv-utils; then - rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die - rm "${ED}"/usr/share/man/man1/init.1 || die - rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die - fi - - # https://bugs.gentoo.org/761763 - rm -r "${ED}"/usr/lib/sysusers.d || die - - # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. We use tmpfiles. - # Preserve empty dirs in /etc & /var, bug #437008 - keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/kernel/install.d - keepdir /etc/systemd/{network,system,user} - keepdir /etc/udev/rules.d - - keepdir /etc/udev/hwdb.d - - # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} - # keepdir /usr/lib/{binfmt.d,modules-load.d} - # keepdir /usr/lib/systemd/user-generators - # keepdir /var/lib/systemd - # keepdir /var/log/journal - - # if use pam; then - # if use selinux; then - # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user - # else - # newpamd "${FILESDIR}"/systemd-user.pam systemd-user - # fi - # fi - - if use kernel-install; then - # Dummy config, remove to make room for sys-kernel/installkernel - rm "${ED}/usr/lib/kernel/install.conf" || die - fi - # Flatcar: Ensure journal directory has correct ownership/mode - # in inital image. This is fixed by systemd-tmpfiles *but* - # journald starts before that and will create the journal if - # the filesystem is already read-write. Conveniently the - # systemd Makefile sets this up completely wrong. - # - # Flatcar: TODO: Is this still a problem? - dodir /var/log/journal - fowners root:systemd-journal /var/log/journal - fperms 2755 /var/log/journal - - # Flatcar: Don't prune systemd dirs. - dotmpfiles "${FILESDIR}"/systemd-flatcar.conf - # Flatcar: Add tmpfiles rule for resolv.conf. This path has - # changed after v213 so it must be handled here instead of - # baselayout now. - dotmpfiles "${FILESDIR}"/systemd-resolv.conf - - # Flatcar: Don't default to graphical.target. - local unitdir=$(builddir_systemd_get_systemunitdir) - dosym multi-user.target "${unitdir}"/default.target - - # Flatcar: Don't set any extra environment variables by default. - rm "${ED}/usr/lib/environment.d/99-environment.conf" || die - - # Flatcar: These lines more or less follow the systemd's - # preset file (90-systemd.preset). We do it that way, to avoid - # putting symlinks in /etc. Please keep the lines in the same - # order as the "enable" lines appear in the preset file. For a - # single enable line in preset, there may be more lines if the - # unit file had Also: clause which has units we enable here - # too. - - # Flatcar: enable remote-fs.target - builddir_systemd_enable_service multi-user.target remote-fs.target - # Flatcar: enable remote-cryptsetup.target - if use cryptsetup; then - builddir_systemd_enable_service multi-user.target remote-cryptsetup.target - fi - # Flatcar: enable machines.target - builddir_systemd_enable_service multi-user.target machines.target - # Flatcar: enable getty@.service - dodir "${unitdir}/getty.target.wants" - dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" - # Flatcar: enable systemd-timesyncd.service - builddir_systemd_enable_service sysinit.target systemd-timesyncd.service - # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) - builddir_systemd_enable_service multi-user.target systemd-networkd.service - builddir_systemd_enable_service sockets.target systemd-networkd.socket - builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service - # Flatcar: enable systemd-network-generator.service - builddir_systemd_enable_service sysinit.target systemd-network-generator.service - # Flatcar: enable systemd-resolved.service - builddir_systemd_enable_service multi-user.target systemd-resolved.service - # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) - if use homed; then - builddir_systemd_enable_service multi-user.target systemd-homed.target - fi - # Flatcar: enable systemd-userdbd.socket - builddir_systemd_enable_service sockets.target systemd-userdbd.socket - # Flatcar: enable systemd-pstore.service - builddir_systemd_enable_service sysinit.target systemd-pstore.service - # Flatcar: enable systemd-boot-update.service - if use boot; then - builddir_systemd_enable_service sysinit.target systemd-boot-update.service - fi - # Flatcar: enable reboot.target (not enabled - has no WantedBy - # entry) - - # Flatcar: enable systemd-sysext.service by default - builddir_systemd_enable_service sysinit.target systemd-sysext.service - - # Flatcar: Use an empty preset file, because systemctl - # preset-all puts symlinks in /etc, not in /usr. We don't use - # /etc, because it is not autoupdated. We do the "preset" above. - rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die - insinto /usr/lib/systemd/system-preset - doins "${FILESDIR}"/99-default.preset - - # Flatcar: Do not ship distro-specific files (nsswitch.conf - # pam.d). This conflicts with our own configuration provided - # by baselayout. - rm -rf "${ED}"/usr/share/factory - sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ - -e '/^C!* \/etc\/nsswitch\.conf/d' \ - -e '/^C!* \/etc\/pam\.d/d' \ - -e '/^C!* \/etc\/issue/d' - - use ukify && python_fix_shebang "${ED}" - use boot && secureboot_auto_sign -} - -# Flatcar: Our own version of systemd_get_systemunitdir, that returns -# a path inside /usr, not /etc. -builddir_systemd_get_systemunitdir() { - echo "$(get_rootprefix)/lib/systemd/system" -} - -# Flatcar: Our own version of systemd_enable_service, that does -# operations inside /usr, not /etc. -builddir_systemd_enable_service() { - local target=${1} - local service=${2} - local ud=$(builddir_systemd_get_systemunitdir) - local destname=${service##*/} - - dodir "${ud}"/"${target}".wants && \ - dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" - - if use boot; then - python_fix_shebang "${ED}" - secureboot_auto_sign - fi -} -migrate_locale() { - local envd_locale_def="${EROOT}/etc/env.d/02locale" - local envd_locale=( "${EROOT}"/etc/env.d/??locale ) - local locale_conf="${EROOT}/etc/locale.conf" - - if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then - # If locale.conf does not exist... - if [[ -e ${envd_locale} ]]; then - # ...either copy env.d/??locale if there's one - ebegin "Moving ${envd_locale} to ${locale_conf}" - mv "${envd_locale}" "${locale_conf}" - eend ${?} || FAIL=1 - else - # ...or create a dummy default - ebegin "Creating ${locale_conf}" - cat > "${locale_conf}" <<-EOF - # This file has been created by the sys-apps/systemd ebuild. - # See locale.conf(5) and localectl(1). - - # LANG=${LANG} - EOF - eend ${?} || FAIL=1 - fi - fi - - if [[ ! -L ${envd_locale} ]]; then - # now, if env.d/??locale is not a symlink (to locale.conf)... - if [[ -e ${envd_locale} ]]; then - # ...warn the user that he has duplicate locale settings - ewarn - ewarn "To ensure consistent behavior, you should replace ${envd_locale}" - ewarn "with a symlink to ${locale_conf}. Please migrate your settings" - ewarn "and create the symlink with the following command:" - ewarn "ln -s -n -f ../locale.conf ${envd_locale}" - ewarn - else - # ...or just create the symlink if there's nothing here - ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" - ln -n -s ../locale.conf "${envd_locale_def}" - eend ${?} || FAIL=1 - fi - fi -} - -pkg_preinst() { - if [[ -e ${EROOT}/etc/sysctl.conf ]]; then - # Symlink /etc/sysctl.conf for easy migration. - dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf - fi - - # Flatcar: This used to be in upstream ebuild, but now it's - # gone. We should drop it once we get rid of split-usr in SDK. - if ! use split-usr; then - local dir - # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. - for dir in bin sbin lib; do - if [[ ! -L ${EROOT}/${dir} ]]; then - eerror "'${EROOT}/${dir}' is not a symbolic link." - FAIL=1 - fi - done - if [[ ${FAIL} ]]; then - eerror "Migration to system layout with merged directories must be performed before" - eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." - die "System layout with split directories still used" - fi - fi - if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then - ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." - ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." - fi -} - -pkg_postinst() { - systemd_update_catalog - - # Keep this here in case the database format changes so it gets updated - # when required. - systemd-hwdb --root="${ROOT}" update - - udev_reload || FAIL=1 - - # Bug 465468, make sure locales are respected, and ensure consistency - # between OpenRC & systemd - migrate_locale - - # Flatcar: We enable getty and remote-fs targets in /usr - # ourselves above. - # if [[ -z ${REPLACING_VERSIONS} ]]; then - # if type systemctl &>/dev/null; then - # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - # fi - # elog "To enable a useful set of services, run the following:" - # elog " systemctl preset-all --preset-mode=enable-only" - # fi - - if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then - rm "${EROOT}/var/lib/systemd/timesync" - fi - - if [[ -z ${ROOT} && -d /run/systemd/system ]]; then - ebegin "Reexecuting system manager (systemd)" - systemctl daemon-reexec - eend $? || FAIL=1 - - # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html - ebegin "Signaling user managers to reexec" - systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' - eend $? - fi - - if [[ ${FAIL} ]]; then - eerror "One of the postinst commands failed. Please check the postinst output" - eerror "for errors. You may need to clean up your system and/or try installing" - eerror "systemd again." - eerror - fi - - if use boot; then - optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ - "sys-kernel/installkernel[systemd-boot]" - fi - if use ukify; then - optfeature "generating unified kernel image on each kernel installation" \ - "sys-kernel/installkernel[ukify]" - fi -} - -pkg_prerm() { - # If removing systemd completely, remove the catalog database. - if [[ ! ${REPLACED_BY_VERSION} ]]; then - rm -f -v "${EROOT}"/var/lib/systemd/catalog/database - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index e4075f6c2a..a315604985 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=8 -PYTHON_COMPAT=( python3_{10..13} ) +PYTHON_COMPAT=( python3_{11..13} ) # Avoid QA warnings TMPFILES_OPTIONAL=1 @@ -20,12 +20,12 @@ else SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" if [[ ${PV} != *rc* ]] ; then - # Flatcar: mark as stable - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" fi fi inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +# Flatcar: Inherited tmpfiles inherit secureboot systemd tmpfiles toolchain-funcs udev DESCRIPTION="System and service manager for Linux" @@ -144,11 +144,11 @@ RDEPEND="${COMMON_DEPEND} ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] - !sys-apps/openrc-navi[sysv-utils(-)] !sys-apps/sysvinit ) !sysv-utils? ( sys-apps/sysvinit ) resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] !sys-auth/nss-myhostname !sys-fs/eudev !sys-fs/udev @@ -168,7 +168,7 @@ BDEPEND=" sys-devel/gettext virtual/pkgconfig bpf? ( - dev-util/bpftool + >=dev-util/bpftool-7.0.0 sys-devel/bpf-toolchain ) test? ( @@ -194,13 +194,38 @@ BDEPEND=" QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" QA_EXECSTACK="usr/lib/systemd/boot/efi/*" +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + pkg_pretend() { - # Flatcar: We keep using split-usr for SDK. - # if use split-usr; then - # eerror "Please complete the migration to merged-usr." - # eerror "https://wiki.gentoo.org/wiki/Merge-usr" - # die "systemd no longer supports split-usr" - # fi + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." + die "cgroup-hybrid is no longer supported" + fi + if [[ ${MERGE_TYPE} != buildonly ]]; then local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE @@ -256,14 +281,15 @@ src_unpack() { src_prepare() { local PATCHES=( + "${FILESDIR}"/systemd-257-cred-util-tpm2.patch # Flatcar: Adding our own patches here. "${FILESDIR}/0001-wait-online-set-any-by-default.patch" - "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch" - "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0009-initrd-parse-etc.service.patch" + "${FILESDIR}/0002-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0003-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0004-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" + "${FILESDIR}/0006-units-Keep-using-old-journal-file-format.patch" + "${FILESDIR}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch" ) if ! use vanilla; then @@ -272,9 +298,6 @@ src_prepare() { ) fi - # Fails with split-usr. - sed -i -e '2i exit 77' test/test-rpm-macros.sh || die - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., # CoreDNS which has dnsPolicy "default", but unless the # kubelet --resolv-conf flag is set to point to @@ -301,14 +324,10 @@ src_configure() { multilib-minimal_src_configure } -# Flatcar: Our function, we use it in some places below. -get_rootprefix() { - usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" -} - multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" # default is developer, bug 918671 -Dmode=release # Flatcar: Point to our user mailing list. @@ -316,19 +335,7 @@ multilib_src_configure() { -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" - # Flatcar: We keep using split-usr in SDK. - $(meson_use split-usr) - # Flatcar: Always set split-bin to true, we always - # have separate bin and sbin directories - -Dsplit-bin=true - # Flatcar: Use get_rootprefix. No functional change - # from upstream, just refactoring the common code used - # in some places. - # - # TODO: Drop -Drootprefix and -Drootlibdir we get rid - # of split-usr in SDK - -Drootprefix="$(get_rootprefix)" - -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" + -Dsplit-bin=false # Disable compatibility with sysvinit -Dsysvinit-path= -Dsysvrcnd-path= @@ -381,7 +388,6 @@ multilib_src_configure() { -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false - # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options @@ -404,7 +410,6 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) - $(meson_native_enabled vmspawn) # Flatcar: Specify this, or meson breaks due to no # /etc/login.defs. -Dsystem-gid-max=999 @@ -437,10 +442,10 @@ multilib_src_configure() { # Flatcar: Combined log format: name plus description -Dstatus-unit-format-default=combined - # Flatcar: Unported options, still needed? - -Dquotaon-path=/usr/sbin/quotaon - -Dquotacheck-path=/usr/sbin/quotacheck + # Flatcar: Disable multicast-dns, Link-Local Multicast Name Resolution and dnssec -Ddefault-mdns=no + -Ddefault-llmnr=no + -Ddefault-dnssec=no ) case $(tc-arch) in @@ -467,9 +472,6 @@ multilib_src_test() { } multilib_src_install_all() { - # meson doesn't know about docdir - mv "${ED}"/usr/share/doc/{systemd,${PF}} || die - einstalldocs # Flatcar: Do not install sample nsswitch.conf, we don't # provide it. @@ -491,8 +493,6 @@ multilib_src_install_all() { # https://bugs.gentoo.org/761763 rm -r "${ED}"/usr/lib/sysusers.d || die - # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. We use tmpfiles. # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} keepdir /etc/kernel/install.d @@ -501,12 +501,13 @@ multilib_src_install_all() { keepdir /etc/udev/hwdb.d - # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} - # keepdir /usr/lib/{binfmt.d,modules-load.d} - # keepdir /usr/lib/systemd/user-generators - # keepdir /var/lib/systemd - # keepdir /var/log/journal + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + # Flatcar: We provide our own systemd-user config file in baselayout. # if use pam; then # if use selinux; then # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user @@ -614,7 +615,7 @@ multilib_src_install_all() { # Flatcar: Our own version of systemd_get_systemunitdir, that returns # a path inside /usr, not /etc. builddir_systemd_get_systemunitdir() { - echo "$(get_rootprefix)/lib/systemd/system" + echo "${EPREFIX}/usr/lib/systemd/system" } # Flatcar: Our own version of systemd_enable_service, that does @@ -683,23 +684,6 @@ pkg_preinst() { dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf fi - # Flatcar: This used to be in upstream ebuild, but now it's - # gone. We should drop it once we get rid of split-usr in SDK. - if ! use split-usr; then - local dir - # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. - for dir in bin sbin lib; do - if [[ ! -L ${EROOT}/${dir} ]]; then - eerror "'${EROOT}/${dir}' is not a symbolic link." - FAIL=1 - fi - done - if [[ ${FAIL} ]]; then - eerror "Migration to system layout with merged directories must be performed before" - eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." - die "System layout with split directories still used" - fi - fi if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."