overlay sys-apps/systemd: Some cleanups and diff minimization

- Drop unused systemd-256.9 ebuild.

- Drop unused patches and regenerate the rest.

- Pull in a patch from Gentoo.

- Drop Flatcar modifications related to split-usr. We kept those
  because SDK used to use split-dir.

- Drop meson options related to quota utilities - the values we
  specified were the same as systemd's defaults.

- Disable LLMNR and DNSSEC by default - we are disabling it with
  drop-ins in the init repo. We probably could just drop them.

- Preserved keepdir for directories inside /usr and /var. For the
  latter, dropped the related entries from our tmpfiles - we are
  generating tmpfiles for directories inside /var during image build.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest

@@ -1,2 +1 @@
-DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681
 DIST systemd-257.7.tar.gz 16327096 BLAKE2B 59a28ce9b355b98f718f26489400640f3d732bbf73c00ea0571302dfc6dfb3585bf07ec56af06d74c5aa033b06a6220c3c839af6dba5ab7f8bde1aef4b58f0f6 SHA512 fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch

@@ -1,7 +1,7 @@
-From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001
+From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001
 From: David Michael <dm0@redhat.com>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 1/8] wait-online: set --any by default
+Subject: [PATCH 1/7] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are
@@ -15,12 +15,12 @@ earlier) for the original implementation.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
-index 5328bba2d8..95294df607 100644
+index 6f5aef903a..0acb3e76b9 100644
 --- a/src/network/wait-online/wait-online.c
 +++ b/src/network/wait-online/wait-online.c
 @@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
  static char **arg_ignore = NULL;
- static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+ static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID;
  static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
 -static bool arg_any = false;
 +static bool arg_any = true;
@@ -28,5 +28,5 @@ index 5328bba2d8..95294df607 100644
  STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
  STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch

@@ -1,7 +1,7 @@
-From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001
+From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001
 From: Alex Crawford <alex.crawford@coreos.com>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
+Subject: [PATCH 2/7] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -10,7 +10,7 @@ Updates should be triggered whenever usr changes, not only when it is newer.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
-index 3393010ff6..5478baca25 100644
+index 6b863ecff3..c166c5e7ab 100644
 --- a/man/systemd-update-done.service.xml
 +++ b/man/systemd-update-done.service.xml
 @@ -50,7 +50,7 @@
@@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index d3446e8a9d..3f7cc9ea58 100644
+index 1a03fdbe37..8577c35fa0 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
-@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * First, compare seconds as they are always accurate...
           */
          if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@@ -35,7 +35,7 @@ index d3446e8a9d..3f7cc9ea58 100644
  
          /*
           * ...then compare nanoseconds.
-@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * (otherwise the filesystem supports nsec timestamps, see stat(2)).
           */
          if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@@ -44,7 +44,7 @@ index d3446e8a9d..3f7cc9ea58 100644
  
          _cleanup_free_ char *timestamp_str = NULL;
          r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
-@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
                  return true;
          }
  
@@ -54,5 +54,5 @@ index d3446e8a9d..3f7cc9ea58 100644
  
  static bool in_first_boot(void) {
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch

@@ -1,7 +1,7 @@
-From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001
+From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 4/8] core: use max for DefaultTasksMax
+Subject: [PATCH 3/7] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index 3c06b65f93..71f38692b6 100644
+index f7b414da5c..9c07e235ab 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
-@@ -501,7 +501,7 @@
+@@ -230,7 +230,7 @@
          <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
          <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. This setting applies to all unit types that support resource control settings, with the exception
@@ -34,10 +34,10 @@ index 3c06b65f93..71f38692b6 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 88eebfc626..8992c8c3e3 100644
+index 4ccaba9054..3ab59c5bb3 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -114,7 +114,7 @@
+@@ -117,7 +117,7 @@
  /* How many units and jobs to process of the bus queue before returning to the event loop. */
  #define MANAGER_BUS_MESSAGE_BUDGET 100U
  
@@ -47,10 +47,10 @@ index 88eebfc626..8992c8c3e3 100644
  static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
  static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
 diff --git a/src/core/system.conf.in b/src/core/system.conf.in
-index 05eb681270..94d0365244 100644
+index 1c08aa4d22..2faea3605e 100644
 --- a/src/core/system.conf.in
 +++ b/src/core/system.conf.in
-@@ -58,7 +58,7 @@
+@@ -59,7 +59,7 @@
  #DefaultIPAccounting=no
  #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
  #DefaultTasksAccounting=yes
@@ -60,5 +60,5 @@ index 05eb681270..94d0365244 100644
  #DefaultLimitFSIZE=
  #DefaultLimitDATA=
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch

@@ -1,7 +1,7 @@
-From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001
+From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
+Subject: [PATCH 4/7] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 62181a6309..448f9211d6 100644
+index a67a520a3b..3365b920eb 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -25,5 +25,5 @@ index 62181a6309..448f9211d6 100644
  #include <errno.h>
  #include <selinux/avc.h>
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,7 +1,7 @@
-From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <schowdhury@microsoft.com>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 5/7] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -90,3 +90,6 @@ index 20a5eb2754..ba4cbc0edb 100644
  TTYPath=/dev/%I
  TTYReset=yes
  TTYVHangup=yes
+-- 
+2.51.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,95 +0,0 @@
-From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
-From: Sayan Chowdhury <schowdhury@microsoft.com>
-Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
-
-This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
-
-This is to work around a SELinux denial that happens when setting up standard
-input for serial consoles (which is used for SSH connections).
-
-Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
----
- units/console-getty.service.in    | 4 +---
- units/container-getty@.service.in | 4 +---
- units/getty@.service.in           | 4 +---
- units/serial-getty@.service.in    | 4 +---
- 4 files changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/units/console-getty.service.in b/units/console-getty.service.in
-index d64112be5e..b908708d8c 100644
---- a/units/console-getty.service.in
-+++ b/units/console-getty.service.in
-@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
- [Service]
- # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
- # followed by '--' for safety, and then the entered username.
--ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
-+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
- Type=idle
- Restart=always
- UtmpIdentifier=cons
--StandardInput=tty
--StandardOutput=tty
- TTYPath=/dev/console
- TTYReset=yes
- TTYVHangup=yes
-diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
-index 8847d735fb..8be25663f5 100644
---- a/units/container-getty@.service.in
-+++ b/units/container-getty@.service.in
-@@ -27,13 +27,11 @@ Before=rescue.service
- [Service]
- # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
- # followed by '--' for safety, and then the entered username.
--ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
-+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
- Type=idle
- Restart=always
- RestartSec=0
- UtmpIdentifier=pts/%I
--StandardInput=tty
--StandardOutput=tty
- TTYPath=/dev/pts/%I
- TTYReset=yes
- TTYVHangup=yes
-diff --git a/units/getty@.service.in b/units/getty@.service.in
-index 80b8f3e922..b57666c123 100644
---- a/units/getty@.service.in
-+++ b/units/getty@.service.in
-@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
- # The '-o' option value tells agetty to replace 'login' arguments with an
- # option to preserve environment (-p), followed by '--' for safety, and then
- # the entered username.
--ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
-+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
- Type=idle
- Restart=always
- RestartSec=0
- UtmpIdentifier=%I
--StandardInput=tty
--StandardOutput=tty
- TTYPath=/dev/%I
- TTYReset=yes
- TTYVHangup=yes
-diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
-index 6bf101eac9..479b8759a9 100644
---- a/units/serial-getty@.service.in
-+++ b/units/serial-getty@.service.in
-@@ -33,12 +33,10 @@ Before=rescue.service
- # The '-o' option value tells agetty to replace 'login' arguments with an
- # option to preserve environment (-p), followed by '--' for safety, and then
- # the entered username.
--ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
-+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
- Type=idle
- Restart=always
- UtmpIdentifier=%I
--StandardInput=tty
--StandardOutput=tty
- TTYPath=/dev/%I
- TTYReset=yes
- TTYVHangup=yes
--- 
-2.34.1
-

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch

@@ -1,7 +1,7 @@
-From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001
+From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:29:04 +0000
-Subject: [PATCH 7/8] units: Keep using old journal file format
+Subject: [PATCH 6/7] units: Keep using old journal file format
 
 Systemd 252 made an incompatible change in journal file format. Temporarily
 force journald to use the old journal format to give logging containers more
@@ -14,22 +14,22 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
  2 files changed, 2 insertions(+)
 
 diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index 37eeabc510..e5030a81bd 100644
+index 4404af963b..323af7cfb0 100644
 --- a/units/systemd-journald.service.in
 +++ b/units/systemd-journald.service.in
-@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes
+@@ -30,6 +30,7 @@ IgnoreOnIsolate=yes
  
  [Service]
  DeviceAllow=char-* rw
 +Environment=SYSTEMD_JOURNAL_COMPACT=0
  ExecStart={{LIBEXECDIR}}/systemd-journald
  FileDescriptorStoreMax=4224
- IPAddressDeny=any
+ # Ensure services using StandardOutput=journal do not break when journald is stopped
 diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in
-index c3bcb08533..8780783cf6 100644
+index b705ce08ff..874701dac4 100644
 --- a/units/systemd-journald@.service.in
 +++ b/units/systemd-journald@.service.in
-@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target
+@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
  [Service]
  CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
  DevicePolicy=closed
@@ -38,5 +38,5 @@ index c3bcb08533..8780783cf6 100644
  FileDescriptorStoreMax=4224
  Group=systemd-journal
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch

@@ -1,8 +1,8 @@
-From 65e3f4e837001f6f00359a779b6c5801566aa750 Mon Sep 17 00:00:00 2001
+From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Wed, 25 Sep 2024 15:51:02 +0000
-Subject: [PATCH] Revert "Revert "initrd-parse-etc: override argv[0] to avoid
+Subject: [PATCH 7/7] Revert "Revert "initrd-parse-etc: override argv[0] to
- dracut issue""
+ avoid dracut issue""
 
 This reverts commit 1c585a4ccda3258088d7bc27b27a314e7ed8be80.
 ---
@@ -25,5 +25,5 @@ index 1eef2bd9be..3dadab1123 100644
  # We want to enqueue initrd-cleanup.service/start after we finished the part
  # above. It can't be part of the initial transaction, because non-oneshot units
 -- 
-2.34.1
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch

@@ -1,119 +0,0 @@
-From 7136aa7db4423432392a0fe6055c48a922a4aad4 Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Tue, 10 Sep 2024 00:12:41 +0900
-Subject: [PATCH] network/netdev: also check ifindex, iftype, and kind when
- assigning NetDev to Link
-
-Even when a NetDev object with the same name found, its iftype or kind
-may be different. For safety, let's also check them.
-
-(cherry picked from commit 1788c3462853e8bb955ff656007e20f402dd9af2)
-
-Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
----
- src/network/netdev/netdev.c | 37 +++++++++++++++++++++++++++++++++++++
- src/network/netdev/netdev.h |  1 +
- src/network/networkd-link.c | 10 ++--------
- 3 files changed, 40 insertions(+), 8 deletions(-)
-
-diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
-index 2b411425ba..9a528137ea 100644
---- a/src/network/netdev/netdev.c
-+++ b/src/network/netdev/netdev.c
-@@ -265,6 +265,43 @@ int netdev_get(Manager *manager, const char *name, NetDev **ret) {
-         return 0;
- }
- 
-+void link_assign_netdev(Link *link) {
-+        _unused_ _cleanup_(netdev_unrefp) NetDev *old = NULL;
-+        NetDev *netdev;
-+
-+        assert(link);
-+        assert(link->manager);
-+        assert(link->ifname);
-+
-+        old = TAKE_PTR(link->netdev);
-+
-+        if (netdev_get(link->manager, link->ifname, &netdev) < 0)
-+                return;
-+
-+        if (netdev->ifindex != link->ifindex)
-+                return;
-+
-+        if (NETDEV_VTABLE(netdev)->iftype != link->iftype)
-+                return;
-+
-+        if (!NETDEV_VTABLE(netdev)->skip_netdev_kind_check) {
-+                const char *kind;
-+
-+                if (netdev->kind == NETDEV_KIND_TAP)
-+                        kind = "tun"; /* the kernel does not distinguish between tun and tap */
-+                else
-+                        kind = netdev_kind_to_string(netdev->kind);
-+
-+                if (!streq_ptr(kind, link->kind))
-+                        return;
-+        }
-+
-+        link->netdev = netdev_ref(netdev);
-+
-+        if (netdev != old)
-+                log_link_debug(link, "Found matching .netdev file: %s", netdev->filename);
-+}
-+
- void netdev_enter_failed(NetDev *netdev) {
-         netdev->state = NETDEV_STATE_FAILED;
- }
-diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h
-index cb8cc8c6a9..1a03a9b592 100644
---- a/src/network/netdev/netdev.h
-+++ b/src/network/netdev/netdev.h
-@@ -206,6 +206,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(NetDev*, netdev_unref);
- 
- bool netdev_is_managed(NetDev *netdev);
- int netdev_get(Manager *manager, const char *name, NetDev **ret);
-+void link_assign_netdev(Link *link);
- int netdev_set_ifindex(NetDev *netdev, sd_netlink_message *newlink);
- int netdev_generate_hw_addr(NetDev *netdev, Link *link, const char *name,
-                             const struct hw_addr_data *hw_addr, struct hw_addr_data *ret);
-diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-index 8f21504d92..c3a5dc1f0d 100644
---- a/src/network/networkd-link.c
-+++ b/src/network/networkd-link.c
-@@ -1317,7 +1317,6 @@ static int link_get_network(Link *link, Network **ret) {
- 
- int link_reconfigure_impl(Link *link, bool force) {
-         Network *network = NULL;
--        NetDev *netdev = NULL;
-         int r;
- 
-         assert(link);
-@@ -1326,13 +1325,11 @@ int link_reconfigure_impl(Link *link, bool force) {
-         if (link->manager->state != MANAGER_RUNNING)
-                 return 0;
- 
-+        link_assign_netdev(link);
-+
-         if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER))
-                 return 0;
- 
--        r = netdev_get(link->manager, link->ifname, &netdev);
--        if (r < 0 && r != -ENOENT)
--                return r;
--
-         r = link_get_network(link, &network);
-         if (r < 0 && r != -ENOENT)
-                 return r;
-@@ -1397,9 +1394,6 @@ int link_reconfigure_impl(Link *link, bool force) {
-         link_free_engines(link);
-         link->network = network_unref(link->network);
- 
--        netdev_unref(link->netdev);
--        link->netdev = netdev_ref(netdev);
--
-         if (!network) {
-                 link_set_state(link, LINK_STATE_UNMANAGED);
-                 return 0;
--- 
-2.39.5
-

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch

@@ -1,146 +0,0 @@
-From 916523aabc7fcb3b5b9362100a5e3417aae00cb2 Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Wed, 11 Jun 2025 18:05:46 +0900
-Subject: [PATCH] network: also check ID_NET_MANAGED_BY property on
- reconfigure
-
-Previously, the property was checked only when an uevent is received,
-so even if an interface has ID_NET_MANAGED_BY property, the interface
-will be configured by networkd when reconfiguration is triggered e.g.
-when interface state is changed.
-
-Follow-up for ba87a61d05d637be9f0b21707f7fe3b0a74c5a05.
-Fixes #36997.
-
-(cherry picked from commit 78f8d5ed71ecc16ad36d1c215d2d57433d127679)
-
-Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
----
- src/network/networkd-link.c                   | 44 ++++++++++++++-----
- .../test-network/conf/11-dummy-unmanaged.link |  8 ++++
- test/test-network/systemd-networkd-tests.py   | 11 +++++
- 3 files changed, 53 insertions(+), 10 deletions(-)
- create mode 100644 test/test-network/conf/11-dummy-unmanaged.link
-
-diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-index c3a5dc1f0d..3ed1584807 100644
---- a/src/network/networkd-link.c
-+++ b/src/network/networkd-link.c
-@@ -1315,6 +1315,32 @@ static int link_get_network(Link *link, Network **ret) {
-         return -ENOENT;
- }
- 
-+static int link_managed_by_us(Link *link) {
-+        int r;
-+
-+        assert(link);
-+
-+        if (!link->dev)
-+                return true;
-+
-+        const char *s;
-+        r = sd_device_get_property_value(link->dev, "ID_NET_MANAGED_BY", &s);
-+        if (r == -ENOENT)
-+                return true;
-+        if (r < 0)
-+                return log_link_warning_errno(link, r, "Failed to get ID_NET_MANAGED_BY udev property: %m");
-+
-+        if (streq(s, "io.systemd.Network"))
-+                return true;
-+
-+        if (link->state == LINK_STATE_UNMANAGED)
-+                return false; /* Already in unmanaged state */
-+
-+        log_link_debug(link, "Interface is requested to be managed by '%s', unmanaging the interface.", s);
-+        link_set_state(link, LINK_STATE_UNMANAGED);
-+        return false;
-+}
-+
- int link_reconfigure_impl(Link *link, bool force) {
-         Network *network = NULL;
-         int r;
-@@ -1330,6 +1356,10 @@ int link_reconfigure_impl(Link *link, bool force) {
-         if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER))
-                 return 0;
- 
-+        r = link_managed_by_us(link);
-+        if (r <= 0)
-+                return r;
-+
-         r = link_get_network(link, &network);
-         if (r < 0 && r != -ENOENT)
-                 return r;
-@@ -1584,6 +1614,10 @@ static int link_initialized(Link *link, sd_device *device) {
-          * or sysattrs) may be outdated. */
-         device_unref_and_replace(link->dev, device);
- 
-+        r = link_managed_by_us(link);
-+        if (r <= 0)
-+                return r;
-+
-         if (link->dhcp_client) {
-                 r = sd_dhcp_client_attach_device(link->dhcp_client, link->dev);
-                 if (r < 0)
-@@ -1651,7 +1685,6 @@ static int link_check_initialized(Link *link) {
- 
- int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t action) {
-         int r, ifindex;
--        const char *s;
-         Link *link;
- 
-         assert(m);
-@@ -1686,15 +1719,6 @@ int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t
-                 return 0;
-         }
- 
--        r = sd_device_get_property_value(device, "ID_NET_MANAGED_BY", &s);
--        if (r < 0 && r != -ENOENT)
--                log_device_debug_errno(device, r, "Failed to get ID_NET_MANAGED_BY udev property, ignoring: %m");
--        if (r >= 0 && !streq(s, "io.systemd.Network")) {
--                log_device_debug(device, "Interface is requested to be managed by '%s', not managing the interface.", s);
--                link_set_state(link, LINK_STATE_UNMANAGED);
--                return 0;
--        }
--
-         r = link_initialized(link, device);
-         if (r < 0)
-                 link_enter_failed(link);
-diff --git a/test/test-network/conf/11-dummy-unmanaged.link b/test/test-network/conf/11-dummy-unmanaged.link
-new file mode 100644
-index 0000000000..99c07a72ce
---- /dev/null
-+++ b/test/test-network/conf/11-dummy-unmanaged.link
-@@ -0,0 +1,8 @@
-+# SPDX-License-Identifier: MIT-0
-+[Match]
-+Kind=dummy
-+OriginalName=test1
-+
-+[Link]
-+NamePolicy=keep
-+Property=ID_NET_MANAGED_BY=hoge
-diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
-index d8acf538f0..391d219de8 100755
---- a/test/test-network/systemd-networkd-tests.py
-+++ b/test/test-network/systemd-networkd-tests.py
-@@ -2735,6 +2735,17 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
-     def tearDown(self):
-         tear_down_common()
- 
-+    def test_ID_NET_MANAGED_BY(self):
-+        copy_network_unit('11-dummy.netdev', '11-dummy-unmanaged.link', '11-dummy.network')
-+        start_networkd()
-+        self.wait_online('test1:off', setup_state='unmanaged')
-+
-+        check_output('ip link set dev test1 up')
-+        self.wait_online('test1:degraded', setup_state='unmanaged')
-+
-+        check_output('ip link set dev test1 down')
-+        self.wait_online('test1:off', setup_state='unmanaged')
-+
-     def verify_address_static(
-             self,
-             label1: str,
--- 
-2.39.5
-

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch

@@ -1,26 +0,0 @@
-https://github.com/systemd/systemd/commit/dde6f1d7456db7aa72d24b1d6956b419b6f9945c
-
-From dde6f1d7456db7aa72d24b1d6956b419b6f9945c Mon Sep 17 00:00:00 2001
-From: Sam James <sam@gentoo.org>
-Date: Sat, 24 Aug 2024 13:09:47 +0100
-Subject: [PATCH] meson: search for 'bpf-unknown-none' too
-
-We currently search for 'bpf-gcc' and 'bpf-none-gcc'. Gentoo's
-sys-devel/bpf-toolchain package uses 'bpf-unknown-none-gcc', as does Fedora's
-cross-binutils. Search for this name too.
----
- meson.build | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/meson.build b/meson.build
-index 5e0b666c64b17..fbc2bbdf2f22f 100644
---- a/meson.build
-+++ b/meson.build
-@@ -1109,6 +1109,7 @@ else
-         elif bpf_compiler == 'gcc'
-                 bpf_gcc = find_program('bpf-gcc',
-                                        'bpf-none-gcc',
-+                                       'bpf-unknown-none-gcc',
-                                        required : true,
-                                        version : '>= 13.1.0')
-                 bpf_gcc_found = bpf_gcc.found()

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch

@@ -0,0 +1,69 @@
+https://bugs.gentoo.org/956681
+https://github.com/systemd/systemd/pull/37017
+
+From fd9c4b4f49990f0656092035464b85256a0ba6e3 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 4 Apr 2025 21:40:41 -0700
+Subject: [PATCH] shared/cred-util: Ensure TPM code is used with HAVE_TPM2
+ guards
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Building with no TPM2 we end up with following error
+
+/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’
+In function ‘memcpy’,
+    inlined from ‘encrypt_credential_and_warn’ at ../git/src/shared/creds-util.c:1091:17:
+/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: error: argument 2 null where non-null expected [-Werror=nonnull]
+   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
+      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   30 |                                  __glibc_objsize0 (__dest));
+      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
+/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’
+cc1: some warnings being treated as errors   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
+      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   30 |                                  __glibc_objsize0 (__dest));
+      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is because code referencing tpm2 data structures is still used while the
+initialization of the function has been compiled out since its conditional on HAVE_TPM2
+
+We add needed guards in places where it is missing to fix this problem
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/shared/creds-util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
+index ca8e15d4c9d1e..e074c8b24680a 100644
+--- a/src/shared/creds-util.c
++++ b/src/shared/creds-util.c
+@@ -804,7 +804,9 @@ int encrypt_credential_and_warn(
+         _cleanup_(iovec_done_erase) struct iovec tpm2_key = {}, output = {}, host_key = {};
+         _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
+         _cleanup_free_ struct metadata_credential_header *m = NULL;
++#if HAVE_TPM2
+         uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
++#endif
+         struct encrypted_credential_header *h;
+         int ksz, bsz, ivsz, tsz, added, r;
+         uint8_t md[SHA256_DIGEST_LENGTH];
+@@ -1078,6 +1080,7 @@ int encrypt_credential_and_warn(
+ 
+         p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
+ 
++#if HAVE_TPM2
+         if (iovec_is_set(&tpm2_key)) {
+                 struct tpm2_credential_header *t;
+ 
+@@ -1092,7 +1095,7 @@ int encrypt_credential_and_warn(
+ 
+                 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob.iov_len + tpm2_policy_hash.iov_len);
+         }
+-
++#endif
+         if (iovec_is_set(&pubkey)) {
+                 struct tpm2_public_key_credential_header *z;
+ 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf

@@ -1,10 +1,2 @@
-# The list of directories is taken from Gentoo ebuild, where they use
-# keepdir. The list isn't sorted, but tries to preserve the order of
-# keepdir lines from Gentoo ebuild for easier comparisons. We skip the
-# directories in /usr, though.
-d   /var/lib/systemd        -   -   -   -   -
-d   /var/log/journal        -   -   -   -   -
-d   /etc/sysctl.d           -   -   -   -   -
-
 # This seems to be our own addition.
 d   /var/log/journal/remote -   systemd-journal-remote   systemd-journal-remote   -   -

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild

@@ -1,773 +0,0 @@
-# Copyright 2011-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-PYTHON_COMPAT=( python3_{10..13} )
-
-# Avoid QA warnings
-TMPFILES_OPTIONAL=1
-UDEV_OPTIONAL=1
-
-QA_PKGCONFIG_VERSION=$(ver_cut 1)
-
-if [[ ${PV} == 9999 ]]; then
-	EGIT_REPO_URI="https://github.com/systemd/systemd.git"
-	inherit git-r3
-else
-	MY_PV=${PV/_/-}
-	MY_P=${PN}-${MY_PV}
-	S=${WORKDIR}/${MY_P}
-	SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz"
-
-	if [[ ${PV} != *rc* ]] ; then
-		# Flatcar: mark as stable
-		KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-	fi
-fi
-
-inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
-inherit secureboot systemd tmpfiles toolchain-funcs udev
-
-DESCRIPTION="System and service manager for Linux"
-HOMEPAGE="https://systemd.io/"
-
-LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
-SLOT="0/2"
-IUSE="
-	acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
-	fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod
-	+lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
-	+resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd
-"
-REQUIRED_USE="
-	${PYTHON_REQUIRED_USE}
-	dns-over-tls? ( || ( gnutls openssl ) )
-	fido2? ( cryptsetup openssl )
-	homed? ( cryptsetup pam openssl )
-	importd? ( curl lzma || ( gcrypt openssl ) )
-	pwquality? ( homed )
-	boot? ( kernel-install )
-	ukify? ( boot )
-"
-RESTRICT="!test? ( test )"
-
-MINKV="4.15"
-
-COMMON_DEPEND="
-	>=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}]
-	sys-libs/libcap:0=[${MULTILIB_USEDEP}]
-	virtual/libcrypt:=[${MULTILIB_USEDEP}]
-	acl? ( sys-apps/acl:0= )
-	apparmor? ( >=sys-libs/libapparmor-2.13:0= )
-	audit? ( >=sys-process/audit-2:0= )
-	bpf? ( >=dev-libs/libbpf-1.4.0:0= )
-	cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
-	curl? ( >=net-misc/curl-7.32.0:0= )
-	elfutils? ( >=dev-libs/elfutils-0.158:0= )
-	fido2? ( dev-libs/libfido2:0= )
-	gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
-	gnutls? ( >=net-libs/gnutls-3.6.0:0= )
-	http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] )
-	idn? ( net-dns/libidn2:= )
-	importd? (
-		app-arch/bzip2:0=
-		sys-libs/zlib:0=
-	)
-	kmod? ( >=sys-apps/kmod-15:0= )
-	lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
-	lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
-	iptables? ( net-firewall/iptables:0= )
-	openssl? ( >=dev-libs/openssl-1.1.0:0= )
-	pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
-	pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= )
-	pcre? ( dev-libs/libpcre2 )
-	pwquality? ( >=dev-libs/libpwquality-1.4.1:0= )
-	qrcode? ( >=media-gfx/qrencode-3:0= )
-	seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
-	selinux? ( >=sys-libs/libselinux-2.1.9:0= )
-	tpm? ( app-crypt/tpm2-tss:0= )
-	xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )
-	zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] )
-"
-
-# Newer linux-headers needed by ia64, bug #480218
-DEPEND="${COMMON_DEPEND}
-	>=sys-kernel/linux-headers-${MINKV}
-"
-
-PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]'
-
-# baselayout-2.2 has /run
-#
-# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
-# flag). The image stage fails with "Failed to resolve
-# typeattributeset statement at
-# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120"
-#
-# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary
-# needed by dracut's systemd-vconsole-setup module.
-RDEPEND="${COMMON_DEPEND}
-	>=acct-group/adm-0-r1
-	>=acct-group/wheel-0-r1
-	>=acct-group/kmem-0-r1
-	>=acct-group/tty-0-r1
-	>=acct-group/utmp-0-r1
-	>=acct-group/audio-0-r1
-	>=acct-group/cdrom-0-r1
-	>=acct-group/dialout-0-r1
-	>=acct-group/disk-0-r1
-	>=acct-group/input-0-r1
-	>=acct-group/kvm-0-r1
-	>=acct-group/lp-0-r1
-	>=acct-group/render-0-r1
-	acct-group/sgx
-	>=acct-group/tape-0-r1
-	acct-group/users
-	>=acct-group/video-0-r1
-	>=acct-group/systemd-journal-0-r1
-	>=acct-user/root-0-r1
-	acct-user/nobody
-	>=acct-user/systemd-journal-remote-0-r1
-	>=acct-user/systemd-coredump-0-r1
-	>=acct-user/systemd-network-0-r1
-	acct-user/systemd-oom
-	>=acct-user/systemd-resolve-0-r1
-	>=acct-user/systemd-timesync-0-r1
-	>=sys-apps/baselayout-2.2
-	sys-apps/kbd
-	ukify? (
-		${PYTHON_DEPS}
-		$(python_gen_cond_dep "${PEFILE_DEPEND}")
-	)
-	selinux? (
-		sec-policy/selinux-base-policy[systemd]
-	)
-	sysv-utils? (
-		!sys-apps/openrc[sysv-utils(-)]
-		!sys-apps/openrc-navi[sysv-utils(-)]
-		!sys-apps/sysvinit
-	)
-	!sysv-utils? ( sys-apps/sysvinit )
-	resolvconf? ( !net-dns/openresolv )
-	!sys-auth/nss-myhostname
-	!sys-fs/eudev
-	!sys-fs/udev
-"
-
-# sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
-PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
-	>=sys-fs/udev-init-scripts-34
-	policykit? ( sys-auth/polkit )
-	!vanilla? ( sys-apps/gentoo-systemd-integration )"
-
-BDEPEND="
-	app-arch/xz-utils:0
-	dev-util/gperf
-	>=dev-build/meson-0.46
-	>=sys-apps/coreutils-8.16
-	sys-devel/gettext
-	virtual/pkgconfig
-	bpf? (
-		dev-util/bpftool
-		sys-devel/bpf-toolchain
-	)
-	test? (
-		app-text/tree
-		dev-lang/perl
-		sys-apps/dbus
-	)
-	app-text/docbook-xml-dtd:4.2
-	app-text/docbook-xml-dtd:4.5
-	app-text/docbook-xsl-stylesheets
-	dev-libs/libxslt:0
-	${PYTHON_DEPS}
-	$(python_gen_cond_dep "
-		dev-python/jinja2[\${PYTHON_USEDEP}]
-		dev-python/lxml[\${PYTHON_USEDEP}]
-		boot? (
-			>=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}]
-			test? ( ${PEFILE_DEPEND} )
-		)
-	")
-"
-
-QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
-QA_EXECSTACK="usr/lib/systemd/boot/efi/*"
-
-pkg_pretend() {
-	# Flatcar: We keep using split-usr for SDK.
-	# if use split-usr; then
-	# 	eerror "Please complete the migration to merged-usr."
-	# 	eerror "https://wiki.gentoo.org/wiki/Merge-usr"
-	# 	die "systemd no longer supports split-usr"
-	# fi
-	if [[ ${MERGE_TYPE} != buildonly ]]; then
-		local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS
-			~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
-			~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
-			~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
-			~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
-			~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED
-			~!SYSFS_DEPRECATED_V2"
-
-		use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL"
-		use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF"
-		use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER"
-
-		if kernel_is -ge 5 10 20; then
-			CONFIG_CHECK+=" ~KCMP"
-		else
-			CONFIG_CHECK+=" ~CHECKPOINT_RESTORE"
-		fi
-
-		if kernel_is -ge 4 18; then
-			CONFIG_CHECK+=" ~AUTOFS_FS"
-		else
-			CONFIG_CHECK+=" ~AUTOFS4_FS"
-		fi
-
-		if linux_config_exists; then
-			local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH)
-			if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then
-				ewarn "It's recommended to set an empty value to the following kernel config option:"
-				ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}"
-			fi
-			if linux_chkconfig_present X86; then
-				CONFIG_CHECK+=" ~DMIID"
-			fi
-		fi
-
-		if kernel_is -lt ${MINKV//./ }; then
-			ewarn "Kernel version at least ${MINKV} required"
-		fi
-
-		check_extra_config
-	fi
-}
-
-pkg_setup() {
-	use boot && secureboot_pkg_setup
-}
-
-src_unpack() {
-	default
-	[[ ${PV} != 9999 ]] || git-r3_src_unpack
-}
-
-src_prepare() {
-	local PATCHES=(
-		"${FILESDIR}/systemd-test-process-util.patch"
-		"${FILESDIR}/256-bpf-gcc.patch"
-		# Flatcar: Adding our own patches here.
-		"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
-		"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
-		"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
-		"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
-		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
-		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
-		"${FILESDIR}/0009-initrd-parse-etc.service.patch"
-		"${FILESDIR}/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch"
-		"${FILESDIR}/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch"
-	)
-
-	if ! use vanilla; then
-		PATCHES+=(
-			"${FILESDIR}/gentoo-journald-audit-r1.patch"
-		)
-	fi
-
-	# Fails with split-usr.
-	sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
-
-	# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
-	# CoreDNS which has dnsPolicy "default", but unless the
-	# kubelet --resolv-conf flag is set to point to
-	# /run/systemd/resolve/resolv.conf this won't work with
-	# /etc/resolv.conf pointing to
-	# /run/systemd/resolve/stub-resolv.conf which configures
-	# 127.0.0.53.  See
-	# https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
-	# This means that users who need split DNS to work should
-	# point /etc/resolv.conf back to
-	# /run/systemd/resolve/stub-resolv.conf (and if using K8s
-	# configure the kubelet resolvConf variable/--resolv-conf flag
-	# to /run/systemd/resolve/resolv.conf).
-	sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
-	default
-}
-
-src_configure() {
-	# Prevent conflicts with i686 cross toolchain, bug 559726
-	tc-export AR CC NM OBJCOPY RANLIB
-
-	python_setup
-
-	multilib-minimal_src_configure
-}
-
-# Flatcar: Our function, we use it in some places below.
-get_rootprefix() {
-	usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--localstatedir="${EPREFIX}/var"
-		# default is developer, bug 918671
-		-Dmode=release
-		# Flatcar: Point to our user mailing list.
-		-Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user"
-		-Dpamlibdir="$(getpam_mod_dir)"
-		# avoid bash-completion dep
-		-Dbashcompletiondir="$(get_bashcompdir)"
-		# Flatcar: We keep using split-usr in SDK.
-		$(meson_use split-usr)
-		# Flatcar: Always set split-bin to true, we always
-		# have separate bin and sbin directories
-		-Dsplit-bin=true
-		# Flatcar: Use get_rootprefix. No functional change
-		# from upstream, just refactoring the common code used
-		# in some places.
-		#
-		# TODO: Drop -Drootprefix and -Drootlibdir we get rid
-		# of split-usr in SDK
-		-Drootprefix="$(get_rootprefix)"
-		-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
-		# Disable compatibility with sysvinit
-		-Dsysvinit-path=
-		-Dsysvrcnd-path=
-		# no deps
-		-Dima=true
-		# Match /etc/shells, bug 919749
-		-Ddebug-shell="${EPREFIX}/bin/sh"
-		-Ddefault-user-shell="${EPREFIX}/bin/bash"
-		# Optional components/dependencies
-		$(meson_native_use_bool acl)
-		$(meson_native_use_bool apparmor)
-		$(meson_native_use_bool audit)
-		$(meson_native_use_bool boot bootloader)
-		$(meson_native_use_bool bpf bpf-framework)
-		-Dbpf-compiler=gcc
-		$(meson_native_use_bool cryptsetup libcryptsetup)
-		$(meson_native_use_bool curl libcurl)
-		$(meson_native_use_bool dns-over-tls dns-over-tls)
-		$(meson_native_use_bool elfutils)
-		$(meson_native_use_bool fido2 libfido2)
-		$(meson_use gcrypt)
-		$(meson_native_use_bool gnutls)
-		$(meson_native_use_bool homed)
-		$(meson_native_use_bool http microhttpd)
-		$(meson_native_use_bool idn)
-		$(meson_native_use_bool importd)
-		$(meson_native_use_bool importd bzip2)
-		$(meson_native_use_bool importd zlib)
-		$(meson_native_use_bool kernel-install)
-		$(meson_native_use_bool kmod)
-		$(meson_use lz4)
-		$(meson_use lzma xz)
-		$(meson_use test tests)
-		$(meson_use zstd)
-		$(meson_native_use_bool iptables libiptc)
-		$(meson_native_use_bool openssl)
-		$(meson_use pam)
-		$(meson_native_use_bool pkcs11 p11kit)
-		$(meson_native_use_bool pcre pcre2)
-		$(meson_native_use_bool policykit polkit)
-		$(meson_native_use_bool pwquality)
-		$(meson_native_use_bool qrcode qrencode)
-		$(meson_native_use_bool seccomp)
-		$(meson_native_use_bool selinux)
-		$(meson_native_use_bool tpm tpm2)
-		$(meson_native_use_bool test dbus)
-		$(meson_native_use_bool ukify)
-		$(meson_native_use_bool xkb xkbcommon)
-		# Flatcar: Use our ntp servers.
-		-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
-		# Breaks screen, tmux, etc.
-		-Ddefault-kill-user-processes=false
-		# Flatcar: TODO: Investigate if we want this.
-		-Dcreate-log-dirs=false
-
-		# multilib options
-		$(meson_native_true backlight)
-		$(meson_native_true binfmt)
-		$(meson_native_true coredump)
-		$(meson_native_true environment-d)
-		$(meson_native_true firstboot)
-		$(meson_native_true hibernate)
-		$(meson_native_true hostnamed)
-		$(meson_native_true ldconfig)
-		$(meson_native_true localed)
-		$(meson_native_true man)
-		$(meson_native_true networkd)
-		$(meson_native_true quotacheck)
-		$(meson_native_true randomseed)
-		$(meson_native_true rfkill)
-		$(meson_native_true sysusers)
-		$(meson_native_true timedated)
-		$(meson_native_true timesyncd)
-		$(meson_native_true tmpfiles)
-		$(meson_native_true vconsole)
-		$(meson_native_enabled vmspawn)
-		# Flatcar: Specify this, or meson breaks due to no
-		# /etc/login.defs.
-		-Dsystem-gid-max=999
-		-Dsystem-uid-max=999
-
-		# Flatcar: DBus paths.
-		-Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
-		-Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
-
-		# Flatcar: PAM config directory.
-		-Dpamconfdir=/usr/share/pam.d
-
-		# Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC
-		# 2013. Used by timesyncd as a sanity check for the
-		# minimum acceptable time. Explicitly set to avoid
-		# using the current build time.
-		-Dtime-epoch=1372636800
-
-		# Flatcar: No default name servers.
-		-Ddns-servers=
-
-		# Flatcar: Disable the "First Boot Wizard", it isn't
-		# very applicable to us.
-		-Dfirstboot=false
-
-		# Flatcar: Set latest network interface naming scheme
-		# for https://github.com/flatcar/Flatcar/issues/36
-		-Ddefault-net-naming-scheme=latest
-
-		# Flatcar: Combined log format: name plus description
-		-Dstatus-unit-format-default=combined
-
-		# Flatcar: Unported options, still needed?
-		-Dquotaon-path=/usr/sbin/quotaon
-		-Dquotacheck-path=/usr/sbin/quotacheck
-		-Ddefault-mdns=no
-	)
-
-	case $(tc-arch) in
-		amd64|arm|arm64|ppc|ppc64|s390|x86)
-			# src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE
-			myconf+=( $(meson_native_enabled vmspawn) ) ;;
-		*)
-			myconf+=( -Dvmspawn=disabled ) ;;
-	esac
-
-	meson_src_configure "${myconf[@]}"
-}
-
-multilib_src_test() {
-	(
-		unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
-		export COLUMNS=80
-		addpredict /dev
-		addpredict /proc
-		addpredict /run
-		addpredict /sys/fs/cgroup
-		meson_src_test --timeout-multiplier=10
-	) || die
-}
-
-multilib_src_install_all() {
-	# meson doesn't know about docdir
-	mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
-
-	einstalldocs
-	# Flatcar: Do not install sample nsswitch.conf, we don't
-	# provide it.
-	# dodoc "${FILESDIR}"/nsswitch.conf
-
-	insinto /usr/lib/tmpfiles.d
-	doins "${FILESDIR}"/legacy.conf
-
-	if ! use resolvconf; then
-		rm -f "${ED}"/usr/bin/resolvconf || die
-	fi
-
-	if ! use sysv-utils; then
-		rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die
-		rm "${ED}"/usr/share/man/man1/init.1 || die
-		rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die
-	fi
-
-	# https://bugs.gentoo.org/761763
-	rm -r "${ED}"/usr/lib/sysusers.d || die
-
-	# Flatcar: Upstream uses keepdir commands to keep some empty
-	# directories. We use tmpfiles.
-	# Preserve empty dirs in /etc & /var, bug #437008
-	keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
-	keepdir /etc/kernel/install.d
-	keepdir /etc/systemd/{network,system,user}
-	keepdir /etc/udev/rules.d
-
-	keepdir /etc/udev/hwdb.d
-
-	# keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
-	# keepdir /usr/lib/{binfmt.d,modules-load.d}
-	# keepdir /usr/lib/systemd/user-generators
-	# keepdir /var/lib/systemd
-	# keepdir /var/log/journal
-
-	# if use pam; then
-	# 	if use selinux; then
-	# 		newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
-	#	else
-	#		newpamd "${FILESDIR}"/systemd-user.pam systemd-user
-	#	fi
-	# fi
-
-	if use kernel-install; then
-		# Dummy config, remove to make room for sys-kernel/installkernel
-		rm "${ED}/usr/lib/kernel/install.conf" || die
-	fi
-	# Flatcar: Ensure journal directory has correct ownership/mode
-	# in inital image.  This is fixed by systemd-tmpfiles *but*
-	# journald starts before that and will create the journal if
-	# the filesystem is already read-write.  Conveniently the
-	# systemd Makefile sets this up completely wrong.
-	#
-	# Flatcar: TODO: Is this still a problem?
-	dodir /var/log/journal
-	fowners root:systemd-journal /var/log/journal
-	fperms 2755 /var/log/journal
-
-	# Flatcar: Don't prune systemd dirs.
-	dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
-	# Flatcar: Add tmpfiles rule for resolv.conf. This path has
-	# changed after v213 so it must be handled here instead of
-	# baselayout now.
-	dotmpfiles "${FILESDIR}"/systemd-resolv.conf
-
-	# Flatcar: Don't default to graphical.target.
-	local unitdir=$(builddir_systemd_get_systemunitdir)
-	dosym multi-user.target "${unitdir}"/default.target
-
-	# Flatcar: Don't set any extra environment variables by default.
-	rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
-
-	# Flatcar: These lines more or less follow the systemd's
-	# preset file (90-systemd.preset). We do it that way, to avoid
-	# putting symlinks in /etc. Please keep the lines in the same
-	# order as the "enable" lines appear in the preset file. For a
-	# single enable line in preset, there may be more lines if the
-	# unit file had Also: clause which has units we enable here
-	# too.
-
-	# Flatcar: enable remote-fs.target
-	builddir_systemd_enable_service multi-user.target remote-fs.target
-	# Flatcar: enable remote-cryptsetup.target
-	if use cryptsetup; then
-		builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
-	fi
-	# Flatcar: enable machines.target
-	builddir_systemd_enable_service multi-user.target machines.target
-	# Flatcar: enable getty@.service
-	dodir "${unitdir}/getty.target.wants"
-	dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
-	# Flatcar: enable systemd-timesyncd.service
-	builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
-	# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
-	builddir_systemd_enable_service multi-user.target systemd-networkd.service
-	builddir_systemd_enable_service sockets.target systemd-networkd.socket
-	builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
-	# Flatcar: enable systemd-network-generator.service
-	builddir_systemd_enable_service sysinit.target systemd-network-generator.service
-	# Flatcar: enable systemd-resolved.service
-	builddir_systemd_enable_service multi-user.target systemd-resolved.service
-	# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
-	if use homed; then
-		builddir_systemd_enable_service multi-user.target systemd-homed.target
-	fi
-	# Flatcar: enable systemd-userdbd.socket
-	builddir_systemd_enable_service sockets.target systemd-userdbd.socket
-	# Flatcar: enable systemd-pstore.service
-	builddir_systemd_enable_service sysinit.target systemd-pstore.service
-	# Flatcar: enable systemd-boot-update.service
-	if use boot; then
-		builddir_systemd_enable_service sysinit.target systemd-boot-update.service
-	fi
-	# Flatcar: enable reboot.target (not enabled - has no WantedBy
-	# entry)
-
-	# Flatcar: enable systemd-sysext.service by default
-	builddir_systemd_enable_service sysinit.target systemd-sysext.service
-
-	# Flatcar: Use an empty preset file, because systemctl
-	# preset-all puts symlinks in /etc, not in /usr. We don't use
-	# /etc, because it is not autoupdated. We do the "preset" above.
-	rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
-	insinto /usr/lib/systemd/system-preset
-	doins "${FILESDIR}"/99-default.preset
-
-	# Flatcar: Do not ship distro-specific files (nsswitch.conf
-	# pam.d). This conflicts with our own configuration provided
-	# by baselayout.
-	rm -rf "${ED}"/usr/share/factory
-	sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
-		-e '/^C!* \/etc\/nsswitch\.conf/d' \
-		-e '/^C!* \/etc\/pam\.d/d' \
-		-e '/^C!* \/etc\/issue/d'
-
-	use ukify && python_fix_shebang "${ED}"
-	use boot && secureboot_auto_sign
-}
-
-# Flatcar: Our own version of systemd_get_systemunitdir, that returns
-# a path inside /usr, not /etc.
-builddir_systemd_get_systemunitdir() {
-	echo "$(get_rootprefix)/lib/systemd/system"
-}
-
-# Flatcar: Our own version of systemd_enable_service, that does
-# operations inside /usr, not /etc.
-builddir_systemd_enable_service() {
-	local target=${1}
-	local service=${2}
-	local ud=$(builddir_systemd_get_systemunitdir)
-	local destname=${service##*/}
-
-	dodir "${ud}"/"${target}".wants && \
-	dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
-
-	if use boot; then
-		python_fix_shebang "${ED}"
-		secureboot_auto_sign
-	fi
-}
-migrate_locale() {
-	local envd_locale_def="${EROOT}/etc/env.d/02locale"
-	local envd_locale=( "${EROOT}"/etc/env.d/??locale )
-	local locale_conf="${EROOT}/etc/locale.conf"
-
-	if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then
-		# If locale.conf does not exist...
-		if [[ -e ${envd_locale} ]]; then
-			# ...either copy env.d/??locale if there's one
-			ebegin "Moving ${envd_locale} to ${locale_conf}"
-			mv "${envd_locale}" "${locale_conf}"
-			eend ${?} || FAIL=1
-		else
-			# ...or create a dummy default
-			ebegin "Creating ${locale_conf}"
-			cat > "${locale_conf}" <<-EOF
-				# This file has been created by the sys-apps/systemd ebuild.
-				# See locale.conf(5) and localectl(1).
-
-				# LANG=${LANG}
-			EOF
-			eend ${?} || FAIL=1
-		fi
-	fi
-
-	if [[ ! -L ${envd_locale} ]]; then
-		# now, if env.d/??locale is not a symlink (to locale.conf)...
-		if [[ -e ${envd_locale} ]]; then
-			# ...warn the user that he has duplicate locale settings
-			ewarn
-			ewarn "To ensure consistent behavior, you should replace ${envd_locale}"
-			ewarn "with a symlink to ${locale_conf}. Please migrate your settings"
-			ewarn "and create the symlink with the following command:"
-			ewarn "ln -s -n -f ../locale.conf ${envd_locale}"
-			ewarn
-		else
-			# ...or just create the symlink if there's nothing here
-			ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink"
-			ln -n -s ../locale.conf "${envd_locale_def}"
-			eend ${?} || FAIL=1
-		fi
-	fi
-}
-
-pkg_preinst() {
-	if [[ -e ${EROOT}/etc/sysctl.conf ]]; then
-		# Symlink /etc/sysctl.conf for easy migration.
-		dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
-	fi
-
-	# Flatcar: This used to be in upstream ebuild, but now it's
-	# gone. We should drop it once we get rid of split-usr in SDK.
-	if ! use split-usr; then
-		local dir
-		# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
-		for dir in bin sbin lib; do
-			if [[ ! -L ${EROOT}/${dir} ]]; then
-				eerror "'${EROOT}/${dir}' is not a symbolic link."
-				FAIL=1
-			fi
-		done
-		if [[ ${FAIL} ]]; then
-			eerror "Migration to system layout with merged directories must be performed before"
-			eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
-			die "System layout with split directories still used"
-		fi
-	fi
-	if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then
-		ewarn "The 'gnuefi' USE flag has been renamed to 'boot'."
-		ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."
-	fi
-}
-
-pkg_postinst() {
-	systemd_update_catalog
-
-	# Keep this here in case the database format changes so it gets updated
-	# when required.
-	systemd-hwdb --root="${ROOT}" update
-
-	udev_reload || FAIL=1
-
-	# Bug 465468, make sure locales are respected, and ensure consistency
-	# between OpenRC & systemd
-	migrate_locale
-
-	# Flatcar: We enable getty and remote-fs targets in /usr
-	# ourselves above.
-	# if [[ -z ${REPLACING_VERSIONS} ]]; then
-	# 	if type systemctl &>/dev/null; then
-	# 		systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
-	# 	fi
-	# 	elog "To enable a useful set of services, run the following:"
-	# 	elog "  systemctl preset-all --preset-mode=enable-only"
-	# fi
-
-	if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
-		rm "${EROOT}/var/lib/systemd/timesync"
-	fi
-
-	if [[ -z ${ROOT} && -d /run/systemd/system ]]; then
-		ebegin "Reexecuting system manager (systemd)"
-		systemctl daemon-reexec
-		eend $? || FAIL=1
-
-		# https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html
-		ebegin "Signaling user managers to reexec"
-		systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service'
-		eend $?
-	fi
-
-	if [[ ${FAIL} ]]; then
-		eerror "One of the postinst commands failed. Please check the postinst output"
-		eerror "for errors. You may need to clean up your system and/or try installing"
-		eerror "systemd again."
-		eerror
-	fi
-
-	if use boot; then
-		optfeature "installing kernels in systemd-boot's native layout and update loader entries" \
-			"sys-kernel/installkernel[systemd-boot]"
-	fi
-	if use ukify; then
-		optfeature "generating unified kernel image on each kernel installation" \
-			"sys-kernel/installkernel[ukify]"
-	fi
-}
-
-pkg_prerm() {
-	# If removing systemd completely, remove the catalog database.
-	if [[ ! ${REPLACED_BY_VERSION} ]]; then
-		rm -f -v "${EROOT}"/var/lib/systemd/catalog/database
-	fi
-}

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
-PYTHON_COMPAT=( python3_{10..13} )
+PYTHON_COMPAT=( python3_{11..13} )
 
 # Avoid QA warnings
 TMPFILES_OPTIONAL=1
@@ -20,12 +20,12 @@ else
 	SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz"
 
 	if [[ ${PV} != *rc* ]] ; then
-		# Flatcar: mark as stable
+		KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 	fi
 fi
 
 inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
+# Flatcar: Inherited tmpfiles
 inherit secureboot systemd tmpfiles toolchain-funcs udev
 
 DESCRIPTION="System and service manager for Linux"
@@ -144,11 +144,11 @@ RDEPEND="${COMMON_DEPEND}
 	)
 	sysv-utils? (
 		!sys-apps/openrc[sysv-utils(-)]
-		!sys-apps/openrc-navi[sysv-utils(-)]
 		!sys-apps/sysvinit
 	)
 	!sysv-utils? ( sys-apps/sysvinit )
 	resolvconf? ( !net-dns/openresolv )
+	!sys-apps/hwids[udev]
 	!sys-auth/nss-myhostname
 	!sys-fs/eudev
 	!sys-fs/udev
@@ -168,7 +168,7 @@ BDEPEND="
 	sys-devel/gettext
 	virtual/pkgconfig
 	bpf? (
-		dev-util/bpftool
+		>=dev-util/bpftool-7.0.0
 		sys-devel/bpf-toolchain
 	)
 	test? (
@@ -194,13 +194,38 @@ BDEPEND="
 QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
 QA_EXECSTACK="usr/lib/systemd/boot/efi/*"
 
+check_cgroup_layout() {
+	# https://bugs.gentoo.org/935261
+	[[ ${MERGE_TYPE} != buildonly ]] || return
+	[[ -z ${ROOT} ]] || return
+	[[ -e /sys/fs/cgroup/unified ]] || return
+	grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return
+
+	eerror "This system appears to be booted with the 'hybrid' cgroup layout."
+	eerror "This layout obsolete and is disabled in systemd."
+
+	if grep -qF 'systemd.unified_cgroup_hierarchy'; then
+		eerror "Remove the systemd.unified_cgroup_hierarchy option"
+		eerror "from the kernel command line and reboot."
+		die "hybrid cgroup layout detected"
+	fi
+}
+
 pkg_pretend() {
-	# Flatcar: We keep using split-usr for SDK.
+	if use split-usr; then
-	# if use split-usr; then
+		eerror "Please complete the migration to merged-usr."
-	# 	eerror "Please complete the migration to merged-usr."
+		eerror "https://wiki.gentoo.org/wiki/Merge-usr"
-	# 	eerror "https://wiki.gentoo.org/wiki/Merge-usr"
+		die "systemd no longer supports split-usr"
-	# 	die "systemd no longer supports split-usr"
+	fi
-	# fi
+
+	check_cgroup_layout
+
+	if use cgroup-hybrid; then
+		eerror "Disable the 'cgroup-hybrid' USE flag."
+		eerror "Rebuild any initramfs images after rebuilding systemd."
+		die "cgroup-hybrid is no longer supported"
+	fi
+
 	if [[ ${MERGE_TYPE} != buildonly ]]; then
 		local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS
 			~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
@@ -256,14 +281,15 @@ src_unpack() {
 
 src_prepare() {
 	local PATCHES=(
+		"${FILESDIR}"/systemd-257-cred-util-tpm2.patch
 		# Flatcar: Adding our own patches here.
 		"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
-		"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
+		"${FILESDIR}/0002-needs-update-don-t-require-strictly-newer-usr.patch"
-		"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
+		"${FILESDIR}/0003-core-use-max-for-DefaultTasksMax.patch"
-		"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
+		"${FILESDIR}/0004-systemd-Disable-SELinux-permissions-checks.patch"
-		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch"
+		"${FILESDIR}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
-		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
+		"${FILESDIR}/0006-units-Keep-using-old-journal-file-format.patch"
-		"${FILESDIR}/0009-initrd-parse-etc.service.patch"
+		"${FILESDIR}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch"
 	)
 
 	if ! use vanilla; then
@@ -272,9 +298,6 @@ src_prepare() {
 		)
 	fi
 
-	# Fails with split-usr.
-	sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
-
 	# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
 	# CoreDNS which has dnsPolicy "default", but unless the
 	# kubelet --resolv-conf flag is set to point to
@@ -301,14 +324,10 @@ src_configure() {
 	multilib-minimal_src_configure
 }
 
-# Flatcar: Our function, we use it in some places below.
-get_rootprefix() {
-	usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
-}
-
 multilib_src_configure() {
 	local myconf=(
 		--localstatedir="${EPREFIX}/var"
+		-Ddocdir="share/doc/${PF}"
 		# default is developer, bug 918671
 		-Dmode=release
 		# Flatcar: Point to our user mailing list.
@@ -316,19 +335,7 @@ multilib_src_configure() {
 		-Dpamlibdir="$(getpam_mod_dir)"
 		# avoid bash-completion dep
 		-Dbashcompletiondir="$(get_bashcompdir)"
-		# Flatcar: We keep using split-usr in SDK.
+		-Dsplit-bin=false
-		$(meson_use split-usr)
-		# Flatcar: Always set split-bin to true, we always
-		# have separate bin and sbin directories
-		-Dsplit-bin=true
-		# Flatcar: Use get_rootprefix. No functional change
-		# from upstream, just refactoring the common code used
-		# in some places.
-		#
-		# TODO: Drop -Drootprefix and -Drootlibdir we get rid
-		# of split-usr in SDK
-		-Drootprefix="$(get_rootprefix)"
-		-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
 		# Disable compatibility with sysvinit
 		-Dsysvinit-path=
 		-Dsysvrcnd-path=
@@ -381,7 +388,6 @@ multilib_src_configure() {
 		-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
 		# Breaks screen, tmux, etc.
 		-Ddefault-kill-user-processes=false
-		# Flatcar: TODO: Investigate if we want this.
 		-Dcreate-log-dirs=false
 
 		# multilib options
@@ -404,7 +410,6 @@ multilib_src_configure() {
 		$(meson_native_true timesyncd)
 		$(meson_native_true tmpfiles)
 		$(meson_native_true vconsole)
-		$(meson_native_enabled vmspawn)
 		# Flatcar: Specify this, or meson breaks due to no
 		# /etc/login.defs.
 		-Dsystem-gid-max=999
@@ -437,10 +442,10 @@ multilib_src_configure() {
 		# Flatcar: Combined log format: name plus description
 		-Dstatus-unit-format-default=combined
 
-		# Flatcar: Unported options, still needed?
+		# Flatcar: Disable multicast-dns, Link-Local Multicast Name Resolution and dnssec
-		-Dquotaon-path=/usr/sbin/quotaon
-		-Dquotacheck-path=/usr/sbin/quotacheck
 		-Ddefault-mdns=no
+		-Ddefault-llmnr=no
+		-Ddefault-dnssec=no
 	)
 
 	case $(tc-arch) in
@@ -467,9 +472,6 @@ multilib_src_test() {
 }
 
 multilib_src_install_all() {
-	# meson doesn't know about docdir
-	mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
-
 	einstalldocs
 	# Flatcar: Do not install sample nsswitch.conf, we don't
 	# provide it.
@@ -491,8 +493,6 @@ multilib_src_install_all() {
 	# https://bugs.gentoo.org/761763
 	rm -r "${ED}"/usr/lib/sysusers.d || die
 
-	# Flatcar: Upstream uses keepdir commands to keep some empty
-	# directories. We use tmpfiles.
 	# Preserve empty dirs in /etc & /var, bug #437008
 	keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 	keepdir /etc/kernel/install.d
@@ -501,12 +501,13 @@ multilib_src_install_all() {
 
 	keepdir /etc/udev/hwdb.d
 
-	# keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
+	keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
-	# keepdir /usr/lib/{binfmt.d,modules-load.d}
+	keepdir /usr/lib/{binfmt.d,modules-load.d}
-	# keepdir /usr/lib/systemd/user-generators
+	keepdir /usr/lib/systemd/user-generators
-	# keepdir /var/lib/systemd
+	keepdir /var/lib/systemd
-	# keepdir /var/log/journal
+	keepdir /var/log/journal
 
+	# Flatcar: We provide our own systemd-user config file in baselayout.
 	# if use pam; then
 	# 	if use selinux; then
 	# 		newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
@@ -614,7 +615,7 @@ multilib_src_install_all() {
 # Flatcar: Our own version of systemd_get_systemunitdir, that returns
 # a path inside /usr, not /etc.
 builddir_systemd_get_systemunitdir() {
-	echo "$(get_rootprefix)/lib/systemd/system"
+	echo "${EPREFIX}/usr/lib/systemd/system"
 }
 
 # Flatcar: Our own version of systemd_enable_service, that does
@@ -683,23 +684,6 @@ pkg_preinst() {
 		dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
 	fi
 
-	# Flatcar: This used to be in upstream ebuild, but now it's
-	# gone. We should drop it once we get rid of split-usr in SDK.
-	if ! use split-usr; then
-		local dir
-		# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
-		for dir in bin sbin lib; do
-			if [[ ! -L ${EROOT}/${dir} ]]; then
-				eerror "'${EROOT}/${dir}' is not a symbolic link."
-				FAIL=1
-			fi
-		done
-		if [[ ${FAIL} ]]; then
-			eerror "Migration to system layout with merged directories must be performed before"
-			eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
-			die "System layout with split directories still used"
-		fi
-	fi
 	if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then
 		ewarn "The 'gnuefi' USE flag has been renamed to 'boot'."
 		ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."