diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md
new file mode 100644
index 0000000000..db779a8f8c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md
@@ -0,0 +1 @@
+- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md
new file mode 100644
index 0000000000..5d19a6ac7f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md
@@ -0,0 +1 @@
+- systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
index cc901cedad..72862a71e9 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
@@ -1,5 +1,3 @@
-sys-apps/systemd -introspection
-
 # Matt Turner (2020-03-28)
 # wget is the default FETCHCOMMAND, and most distfiles are distributed via
 # HTTPS. Bug #611072
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask
index 97d928a576..91f11200ab 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask
@@ -1,5 +1,2 @@
 # This fails from -Werror=implicit-fallthrough, and it's disabled in the SDK.
 sys-devel/gcc sanitize
-
-# Undo Gentoo masking all this on arm64.
-sys-apps/systemd -cryptsetup -http -policykit -qrcode -xkb
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 3336776b96..59f209a20e 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -28,8 +28,10 @@ net-analyzer/nmap ncat -system-lua
 # removes mta dependencies
 app-admin/sudo -sendmail
-# use lzma which is the default on non-gentoo systems, avoid pulling in gnutls
-sys-apps/systemd build curl gcrypt idn libidn2 lzma -ssl
+# use lzma which is the default on non-gentoo systems, use gnuefi for
+# bootctl, enable selinux, disable hybrid cgroup as we use the unified
+# mode now
+sys-apps/systemd build curl idn lzma gnuefi selinux -cgroup-hybrid
 net-libs/libmicrohttpd -ssl
 # disable kernel config detection and module building
@@ -85,7 +87,6 @@ sys-fs/btrfs-progs -zstd
 # Enable SELinux for all targets
 coreos-base/coreos selinux
 sys-apps/dbus selinux
-sys-apps/systemd selinux
 # Enable SELinux for coreutils
 sys-apps/coreutils selinux
@@ -127,9 +128,6 @@ net-firewall/iptables nftables
 # Install `perl` with a minimal set of dependencies
 dev-lang/perl minimal
-# Disable cgroup-hybrid as we use the unified mode
-sys-apps/systemd -cgroup-hybrid
-
 # Remove support for GObject introspection
 sys-auth/polkit -introspection
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
index 65c384a9c2..b5de90b253 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
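Review bot: The rewritten comment above `sys-apps/systemd build curl idn lzma gnuefi selinux -cgroup-hybrid` explains lzma, gnuefi, selinux and cgroup-hybrid, but the removed line also carried `gcrypt`, `libidn2` and `-ssl`, and nothing in the hunk says why those were dropped. In Gentoo's systemd ebuilds the gcrypt flag has governed journal Forward Secure Sealing and DNSSEC verification in resolved, so if the 250 ebuild still exposes it this quietly turns those features off — worth confirming against the ebuild, which is not part of this diff. Dropping `-ssl` likewise leaves the TLS backend for journal-remote/upload at whatever the profile defaults to instead of explicitly off. Suggest one more comment line, e.g. `# gcrypt/libidn2 dropped and ssl no longer masked: <reason>`, so a later reader can tell deliberate from accidental.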
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
@@ -73,3 +73,26 @@ INSTALL_MASK="${INSTALL_MASK}
 INSTALL_MASK="${INSTALL_MASK}
 /usr/bin/cvtsudoers
 "
+
+# Override UIDs and GIDs where ours differ from Gentoo defaults.
+ACCT_GROUP_DIALOUT_ID=249
+ACCT_GROUP_INPUT_ID=28
+ACCT_GROUP_MESSAGEBUS_ID=201
+ACCT_USER_MESSAGEBUS_ID=201
+ACCT_GROUP_NTP_ID=203
+ACCT_USER_NTP_ID=203
+ACCT_GROUP_POLKITD_ID=235
+ACCT_USER_POLKITD_ID=235
+ACCT_GROUP_RENDER_ID=30
+ACCT_GROUP_SSHD_ID=204
+ACCT_USER_SSHD_ID=204
+ACCT_GROUP_SYSTEMD_JOURNAL_ID=248
+ACCT_GROUP_SYSTEMD_JOURNAL_REMOTE_ID=242
+ACCT_USER_SYSTEMD_JOURNAL_REMOTE_ID=242
+ACCT_GROUP_SYSTEMD_NETWORK_ID=244
+ACCT_USER_SYSTEMD_NETWORK_ID=244
+ACCT_GROUP_SYSTEMD_RESOLVE_ID=245
+ACCT_USER_SYSTEMD_RESOLVE_ID=245
+# tss seems to be one of those users with a mismatching UID/GID
+ACCT_GROUP_TSS_ID=252
+ACCT_USER_TSS_ID=236
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r5.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r5.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
index b432b9f7b0..a2d31c2cfd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
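Review bot: `# tss seems to be one of those users with a mismatching UID/GID` records a guess in a file that pins account IDs for the whole image, and a wrong number here silently changes who owns persisted state (journal files, TPM state, sshd keys) after an update. The overrides presumably have to agree with the static passwd/group shipped by baselayout, which this same change bumps via `CROS_WORKON_COMMIT`; name that source in the header comment, e.g. `# Values must match baselayout's passwd/group (<baselayout source file>)`, and replace "seems to be" with the verified fact. The block also mixes `ACCT_USER_*` and `ACCT_GROUP_*` in no fixed order (render and dialout have only a group entry) — grouping user/group pairs and stating when only one side is overridden would make drift easier to spot.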
@@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="cc1be682dbd539eb4d39569531bfe548bdfb3809" # flatcar-master
+ CROS_WORKON_COMMIT="c0871373412a3efb3c94b03825b64025f4f0c0fc" # flatcar-master
 KEYWORDS="amd64 arm arm64 x86"
 fi
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
index 48976f7e1b..11fad23078 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -1 +1 @@
-DIST systemd-stable-249.7.tar.gz 10608252 BLAKE2B a5597c4973b24c962779622cae47dbf8351af49f8cd898d9c16a967c6f3600c6feb293e9b03eab0423b860eef5b04b287185fb9827cb323429d0ab9fc6d809b2 SHA512 4daf8570621fdcda5c94d982908c64eddfeef989005f4fd79a10f199dbc6f366354177bb59dff34bcb14764fb4423a870ffabac1163849ec53592e29760105fc
+DIST systemd-stable-250.3.tar.gz 11125151 BLAKE2B 659c39994e76f94407dd9079e28fc644981d3475a0ed440b9895e8f201c3ce1fc47aa8c4d599ad85ed89ddfb6ca8e514aee2a739e93640745cf46647f99efe56 SHA512 81847fb088ff271138b1ea318995a2ca2ee5d4c5d839c9dd81f0210d366198049199d59c49b25ef8783df2c6b8dd9fcdf2d916777788b1a6d42deec9da8e9da5
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf
new file mode 100644
index 0000000000..6b224ba9b9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
+[Service]
+# By running with these options instead of root, networkd is allowed to request
+# a hostname change via DBUS when policykit is not present
+User=systemd-network
+Group=systemd-hostname
+AmbientCapabilities=CAP_SYS_ADMIN
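Review bot: `AmbientCapabilities=CAP_SYS_ADMIN` together with `User=systemd-network` means the service this drop-in targets runs with the broadest capability there is while sharing a uid with networkd, so a compromise of either process now yields CAP_SYS_ADMIN rather than the unprivileged uid upstream runs them as. sethostname(2) genuinely requires CAP_SYS_ADMIN, so the grant itself may be unavoidable, but the comment only states the goal; it should name this trade-off and the mechanism relied upon (presumably hostnamed's polkit-less fallback accepting callers with its own uid — confirm against the 250 sources). The file also never says which unit it is a drop-in for: the name suggests systemd-hostnamed.service, but the install path is in the ebuild, which is not in this diff. Suggest extending the comment with `# Drop-in for <unit>; CAP_SYS_ADMIN is required by sethostname(2) and is now reachable from the systemd-network uid shared with networkd`.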
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch index 2e3d001c64..342d9d0ae3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001 +From d13deba6bad21e796829b83b00dce03085b0ab14 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/5] wait-online: set --any by default +Subject: [PATCH 1/8] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -15,7 +15,7 @@ earlier) for the original implementation. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 1b24b6f1a6..dedbd50725 100644 +index a679b858fa..3b6dad8d1d 100644 --- a/src/network/wait-online/wait-online.c +++ b/src/network/wait-online/wait-online.c @@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL; @@ -24,9 +24,9 @@ index 1b24b6f1a6..dedbd50725 100644 static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; -static bool arg_any = false; +static bool arg_any = true; - + STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); --- -2.30.2 +-- +2.35.1 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch similarity index 68% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch index ac52e2cf5b..8cfc66862d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch @@ -1,24 +1,24 @@ -From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001 +From 2a8f5356c608e6f4512ade1b3ce2176f4491bce1 Mon Sep 17 00:00:00 2001 From: Nick Owens Date: Tue, 2 Jun 2015 18:22:32 -0700 -Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting +Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting --- src/network/networkd-network.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c -index 850b4f449e..951c2d0815 100644 +index 873ad2e703..4395dce4e2 100644 --- a/src/network/networkd-network.c 
+++ b/src/network/networkd-network.c -@@ -398,6 +398,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi +@@ -458,6 +458,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi + .link_local = _ADDRESS_FAMILY_INVALID, .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID, - - .ipv4_accept_local = -1, + + .ip_forward = _ADDRESS_FAMILY_INVALID, + .ipv4_accept_local = -1, .ipv4_route_localnet = -1, .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, - .ipv6_accept_ra = -1, --- -2.30.2 +-- +2.35.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch index c8f1460902..5548f861d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ -From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001 +From 5ba2f094ba91f8f52a4b3c0aca83e2fe344594d8 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 3/5] needs-update: don't require strictly newer usr +Subject: [PATCH 3/8] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- 
@@ -23,36 +23,36 @@ index 3393010ff6..5478baca25 100644 This requires that updates to /usr/ are always followed by an update of the modification time of diff --git a/src/shared/condition.c b/src/shared/condition.c -index b2ec690bc3..4cf6523b90 100644 +index 68fbbf643a..306089cd26 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -593,7 +593,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * First, compare seconds as they are always accurate... */ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) - return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; + return true; - + /* * ...then compare nanoseconds. -@@ -604,7 +604,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -780,7 +780,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * (otherwise the filesystem supports nsec timestamps, see stat(2)). */ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) - return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; + return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; - + _cleanup_free_ char *timestamp_str = NULL; r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -623,7 +623,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -799,7 +799,7 @@ static int condition_test_needs_update(Condition *c, char **env) { return true; } - + - return timespec_load_nsec(&usr.st_mtim) > timestamp; + return timespec_load_nsec(&usr.st_mtim) != timestamp; } - + static int condition_test_first_boot(Condition *c, char **env) { --- -2.26.2 +-- +2.35.1 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch index 00625b1496..2b4578bc58 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From 3acaafc6fcd34b272e5249c49e498ff7facb564e Mon Sep 17 00:00:00 2001 +From 75c683b81fcdb47eaa9aa6c4355ed96296d6d547 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 22 Apr 2021 20:08:33 +0530 -Subject: [PATCH] core: use max for DefaultTasksMax +Subject: [PATCH 4/8] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -21,10 +21,10 @@ Signed-off-by: Sayan Chowdhury 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index d39928ec23..4d89a68b16 100644 +index 3805a010e2..48d9061d16 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml -@@ -376,7 +376,7 @@ +@@ -404,7 +404,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception 
@@ -34,10 +34,10 @@ index d39928ec23..4d89a68b16 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/main.c b/src/core/main.c -index 0ddd629851..5e25a1b4b7 100644 +index 57aedb9b93..a8859478a9 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -91,7 +91,7 @@ +@@ -98,7 +98,7 @@ #include #endif @@ -47,12 +47,12 @@ index 0ddd629851..5e25a1b4b7 100644 static enum { ACTION_RUN, diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index fa6fb690c7..1e6df17d94 100644 +index 96fb64d2c1..7a71efbb0a 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -55,7 +55,7 @@ +@@ -54,7 +54,7 @@ #DefaultBlockIOAccounting=no - #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes -#DefaultTasksMax=15% +#DefaultTasksMax=100% @@ -60,6 +60,5 @@ index fa6fb690c7..1e6df17d94 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.30.2 - +2.35.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch index e4891b4f70..e998f3e37c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch 
@@ -1,7 +1,7 @@ -From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001 +From 170a29c01603c8815edf019bdc0ddc29c986e1a2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks +Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy @@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index 1d52b5ff04..1653d241f6 100644 +index ad098e99df..8b341184a2 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -2,7 +2,7 @@ @@ -25,5 +25,5 @@ index 1d52b5ff04..1653d241f6 100644 #include #include -- -2.26.2 +2.35.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch index 6bed0f164b..824afeac28 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch @@ -1,7 +1,7 @@ -From 67d9962aa637401a1332069b6c8ad99a54e2b451 Mon Sep 17 00:00:00 2001 +From 8f007876ee3ac88087a8b24c252e9187e754c880 Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Wed, 8 Sep 2021 12:10:35 +0530 -Subject: [PATCH] core: handle lookup paths being symlinks +Subject: [PATCH 6/8] core: handle lookup paths being symlinks With a recent change paths leaving the statically known lookup paths would be treated differently then those that remained within those. That @@ -19,10 +19,10 @@ Signed-off-by: Sayan Chowdhury 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index 884a0674a9..3ae2a115d0 100644 +index faea92f66d..b024df21a9 100644 --- a/src/basic/unit-file.c +++ b/src/basic/unit-file.c -@@ -254,6 +254,7 @@ int unit_file_build_name_map( +@@ -280,6 +280,7 @@ int unit_file_build_name_map( _cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL; _cleanup_set_free_free_ Set *paths = NULL; @@ -30,7 +30,7 @@ index 884a0674a9..3ae2a115d0 100644 uint64_t timestamp_hash; char **dir; int r; -@@ -273,6 +274,34 @@ int unit_file_build_name_map( +@@ -299,6 +300,34 @@ int unit_file_build_name_map( return log_oom(); } @@ -63,9 +63,9 @@ index 884a0674a9..3ae2a115d0 100644 + } + STRV_FOREACH(dir, (char**) lp->search_path) { - struct dirent *de; _cleanup_closedir_ DIR *d = NULL; -@@ -351,11 +380,11 @@ int unit_file_build_name_map( + +@@ -424,11 +453,11 @@ int unit_file_build_name_map( continue; } @@ -80,5 +80,5 @@ index 884a0674a9..3ae2a115d0 100644 log_debug("%s: linked unit file: %s → %s", __func__, filename, simplified); -- -2.30.2 +2.35.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch new file mode 100644 index 0000000000..7e46a13015 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch 
@@ -0,0 +1,93 @@ +From 925d668d820d728ec58e470fd64cdff1504d8e04 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Fri, 21 Jan 2022 19:17:11 +0100 +Subject: [PATCH 7/8] Revert "getty: Pass tty to use by agetty via stdin" + +This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. + +This is to work around a SELinux denial that happens when setting up standard +input for serial consoles (which is used for SSH connections). +--- + units/console-getty.service.in | 4 +--- + units/container-getty@.service.in | 4 +--- + units/getty@.service.in | 4 +--- + units/serial-getty@.service.in | 4 +--- + 4 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/units/console-getty.service.in b/units/console-getty.service.in +index 73871d6f50..bb67541dce 100644 +--- a/units/console-getty.service.in ++++ b/units/console-getty.service.in +@@ -23,12 +23,10 @@ ConditionPathExists=/dev/console + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM + Type=idle + Restart=always + UtmpIdentifier=cons +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/console + TTYReset=yes + TTYVHangup=yes +diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in +index a6e3f94e2a..ed1eb7bde1 100644 +--- a/units/container-getty@.service.in ++++ b/units/container-getty@.service.in +@@ -28,13 +28,11 @@ Before=rescue.service + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. 
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=pts/%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/pts/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/getty@.service.in b/units/getty@.service.in +index 21d66f9367..78deb7cffe 100644 +--- a/units/getty@.service.in ++++ b/units/getty@.service.in +@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0 + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in +index 2433124c55..bb7af3105d 100644 +--- a/units/serial-getty@.service.in ++++ b/units/serial-getty@.service.in +@@ -33,12 +33,10 @@ Before=rescue.service + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM + Type=idle + Restart=always + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +-- +2.35.1 + 
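Review bot: The description `This is to work around a SELinux denial that happens when setting up standard input for serial consoles (which is used for SSH connections)` does not record what was denied (source and target context, permission), and the parenthetical is confusing because serial consoles are not what SSH sessions use; a revert of an upstream change that exists only to dodge a policy denial tends to become permanent once the AVC record is forgotten. The patch removes `StandardInput=tty`/`StandardOutput=tty` and the `-` tty argument from four getty units, so the policy gap is in how the service's stdin is set up, not in agetty, and that is the thing a policy fix would address. Suggest adding to the patch message `Denial: <avc source/target/permission>; drop this revert once the policy allows it (<tracking item>)`.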
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch index 035fac7eaf..a1f9295f38 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch @@ -1,7 +1,8 @@ -From 513429b47f0852d17ba721ad5d55baa985f48ddb Mon Sep 17 00:00:00 2001 +From c8d3f9b0f4964115c518eb009b17f026ad356ade Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 7 Feb 2022 17:39:23 +0100 -Subject: [PATCH] networkd: disable managing of foreign routes/rules by default +Subject: [PATCH 8/8] networkd: disable managing of foreign routes/rules by + default While systemd-networkd follows the principle of a declarative network configuration and thus needs a way to ensure that unwanted routes or @@ -29,11 +30,11 @@ https://github.com/flatcar-linux/Flatcar/issues/620 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c -index 374d27bef3..deb46e4a15 100644 +index 7e89366ae8..714ee5c226 100644 --- a/src/network/networkd-manager.c 
+++ b/src/network/networkd-manager.c -@@ -383,8 +383,8 @@ int manager_new(Manager **ret) { - *m = (Manager) { +@@ -471,8 +471,8 @@ int manager_new(Manager **ret, bool test_mode) { + .test_mode = test_mode, .speed_meter_interval_usec = SPEED_METER_DEFAULT_TIME_INTERVAL, .online_state = _LINK_ONLINE_STATE_INVALID, - .manage_foreign_routes = true, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch deleted file mode 100644 index 73375b716e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From f2c57d4f3805775e0ffdc80ce578eaa737017d31 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Fri, 9 Jul 2021 13:05:23 -0400 -Subject: [PATCH] libudev: add "Libs.private: -lrt -pthread" to libudev.pc - -This resolves a failure when linking cryptsetup.static against libudev.a. - -``` -libtool: link: x86_64-pc-linux-gnu-gcc -Wall -O2 -pipe -march=amdfam10 -static -O2 -o cryptsetup.static lib/utils_crypt.o lib/utils_loop.o lib/utils_io.o lib/utils_blkid.o src/utils_tools.o src/utils_password.o src/utils_luks2.o src/utils_blockdev.o src/cryptsetup.o -pthread -pthread -Wl,--as-needed ./.libs/libcryptsetup.a -largon2 -lrt -ljson-c -lpopt -luuid -lblkid -lssl -lcrypto -lz -ldl -ldevmapper -lm -lpthread -ludev -pthread -/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib64/libudev.a(src_libsystemd_sd-daemon_sd-daemon.c.o): in function `sd_is_mq': -(.text.sd_is_mq+0x3a): undefined reference to `mq_getattr' -``` ---- - src/libudev/libudev.pc.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in -index 89028aaa6bf2..1d6487fa4084 100644 ---- a/src/libudev/libudev.pc.in -+++ b/src/libudev/libudev.pc.in -@@ -16,4 +16,5 @@ Name: libudev - Description: Library to access udev device information - Version: {{PROJECT_VERSION}} - Libs: -L${libdir} -ludev -+Libs.private: -lrt -pthread - Cflags: -I${includedir} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch new file mode 100644 index 0000000000..46e5c1dacb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch 
@@ -0,0 +1,26 @@ +From 91182cc273d2dd8325d856fd683d2d8e038abd91 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Tue, 25 Dec 2018 22:52:50 -0500 +Subject: [PATCH] path-lookup: look for generators in + /usr/lib/systemd/system-generators + +Bug: https://bugs.gentoo.org/625402 +--- + src/basic/path-lookup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c +index 52968dee34..0cb10b1116 100644 +--- a/src/basic/path-lookup.c ++++ b/src/basic/path-lookup.c +@@ -798,6 +798,7 @@ char **generator_binary_paths(UnitFileScope scope) { + add = strv_new("/run/systemd/system-generators", + "/etc/systemd/system-generators", + "/usr/local/lib/systemd/system-generators", ++ "/usr/lib/systemd/system-generators", + SYSTEM_GENERATOR_DIR); + break; + +-- +2.26.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch new file mode 100644 index 0000000000..088bceb769 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch 
@@ -0,0 +1,40 @@ +From 593db1c78011ddce551051ce17eda6feac079b3d Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Fri, 21 Aug 2020 13:16:17 -0400 +Subject: [PATCH] journald: do not change the kernel audit setting by default + +Bug: https://bugs.gentoo.org/736910 +--- + man/journald.conf.xml | 2 +- + src/journal/journald-server.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/journald.conf.xml b/man/journald.conf.xml +index bfd359a903..7e93d4050e 100644 +--- a/man/journald.conf.xml ++++ b/man/journald.conf.xml +@@ -411,7 +411,7 @@ + systemd-journald collects generated audit records, it just controls whether it + tells the kernel to generate them. This means if another tool turns on auditing even if + systemd-journald left it off, it will still collect the generated +- messages. Defaults to on. ++ messages. + + + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index 5865bf9809..163be685a8 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -2208,7 +2208,7 @@ int server_init(Server *s, const char *namespace) { + .compress.threshold_bytes = (uint64_t) -1, + .seal = true, + +- .set_audit = true, ++ .set_audit = -1, + + .watchdog_usec = USEC_INFINITY, + +-- +2.28.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch new file mode 100644 index 0000000000..a9d40be4ab --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch 
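Review bot: Replacing `.set_audit = true` with `.set_audit = -1` changes a logging default: journald no longer switches kernel auditing on at boot, so audit records only reach the journal if something else enables them, which matters to anyone using journal audit messages for detection. The patch is imported from Gentoo (Bug 736910), but neither of this change's changelog entries nor anything visible here tells Flatcar users that the `Audit=` default moved; add a changelog line or a comment next to the patch in the ebuild, e.g. `# journald no longer enables kernel audit by default (Audit= in journald.conf)`. If the previous behaviour is wanted, a journald.conf drop-in setting `Audit=yes` restores it without carrying a divergent patch.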
@@ -0,0 +1,25 @@ +From d9059d2ef1b0d6034267cc8ff44871d0f82f840f Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Sun, 8 Nov 2020 12:34:11 -0500 +Subject: [PATCH] systemctl: disable synchronizaion of sysv init scripts + +--- + src/systemctl/systemctl-sysv-compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c +index 2dca9e480f..5dcf13ba17 100644 +--- a/src/systemctl/systemctl-sysv-compat.c ++++ b/src/systemctl/systemctl-sysv-compat.c +@@ -111,7 +111,7 @@ int parse_shutdown_time_spec(const char *t, usec_t *ret) { + int enable_sysv_units(const char *verb, char **args) { + int r = 0; + +-#if HAVE_SYSV_COMPAT ++#if 0 + _cleanup_(lookup_paths_free) LookupPaths paths = {}; + unsigned f = 0; + +-- +2.29.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf @@ -0,0 +1,11 @@ + + + + + + + + + + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf index 17587de5aa..c4f06a17f7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf 
@@ -1,14 +1,19 @@ +# The list of directories is taken from Gentoo ebuild, where they use +# keepdir. The list isn't sorted, but tries to preserve the order of +# keepdir lines from Gentoo ebuild for easier comparisons. We skip the +# directories in /usr, though. d /etc/binfmt.d - - - - - -d /etc/kernel/install.d - - - - - d /etc/modules-load.d - - - - - -d /etc/sysctl.d - - - - - -d /etc/systemd - - - - - +d /etc/tmpfiles.d - - - - - +d /etc/kernel/install.d - - - - - d /etc/systemd/network - - - - - d /etc/systemd/system - - - - - d /etc/systemd/user - - - - - -d /etc/tmpfiles.d - - - - - -d /etc/sysusers.d - - - - - -d /etc/udev/hwdb.d - - - - - d /etc/udev/rules.d - - - - - +d /etc/udev/hwdb.d - - - - - d /var/lib/systemd - - - - - +d /var/log/journal - - - - - +d /etc/sysctl.d - - - - - + +# This seems to be our own addition. d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam deleted file mode 100644 index 38ae3211f8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam +++ /dev/null @@ -1,5 +0,0 @@ -account include system-auth - -session required pam_loginuid.so -session include system-auth -session optional pam_systemd.so diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml index cb86e5b1d2..1e7d92356b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml @@ -1,5 +1,5 @@ - + systemd@gentoo.org 
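Review bot: The new `d /var/log/journal - - - - -` line would create the journal directory as 0755 root:root if it is ever missing, whereas the ebuild ships it as 2755 (`fperms 2755 /var/log/journal` later in this same change, presumably root:systemd-journal) so that journal files inherit the journal group and stay readable by it without being world-readable. Spelling the mode and ownership out, `d /var/log/journal 2755 root systemd-journal - -`, keeps the tmpfiles rule and the image in agreement and matches what upstream's own tmpfiles snippet does for this path. As far as I can tell systemd-tmpfiles leaves an existing directory's mode alone when the mode field is `-`, so this only bites on recreation, but recreation is exactly the case a tmpfiles line exists for.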
@@ -17,14 +17,16 @@ Enable DNS-over-TLS support Enable EFI boot manager and stub loader (built using sys-boot/gnu-efi) Enable coredump stacktraces in the journal + Enable FIDO2 support Enable sealing of journal files using gcrypt Enable portable home directories + Enable setting hostname with networkd/hostnamed without polkit (requires running sys-apps/dbus-broker) Enable embedded HTTP server in journald - Enable support for the hardware database Enable import daemon Enable kernel module loading via sys-apps/kmod Enable lz4 compression for the journal Enable support for network address translation in networkd + Enable use of dev-libs/openssl Enable PKCS#11 support for cryptsetup and homed Enable password quality checking in homed Enable support for growing/adding partitions diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild deleted file mode 120000 index 8da16946bc..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild +++ /dev/null @@ -1 +0,0 @@ -systemd-9999.ebuild \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild similarity index 71% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild index ffc4e645c5..72d45b2eab 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild 
@@ -1,8 +1,11 @@ -# Copyright 2011-2021 Gentoo Authors +# Copyright 2011-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{6..10} ) +PYTHON_COMPAT=( python3_{8..10} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 if [[ ${PV} == 9999 ]]; then EGIT_REPO_URI="https://github.com/systemd/systemd.git" 
@@ -17,33 +20,38 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" + # Flatcar: Stabilize for amd64 and arm64. + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" fi -# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript -TMPFILES_OPTIONAL=1 -inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user tmpfiles +# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript. +# Adding tmpfiles, since we use it for installing some files. +inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles DESCRIPTION="System and service manager for Linux" HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -# Flatcar: Dropped static-libs, we don't care about static libraries. -IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd" - +IUSE=" + acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd +kmod + +lz4 lzma nat +openssl pam pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd +" REQUIRED_USE=" - homed? ( cryptsetup pam ) - importd? ( curl gcrypt lzma ) + dns-over-tls? ( || ( gnutls openssl ) ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma || ( gcrypt openssl ) ) + policykit? ( !hostnamed-fallback ) pwquality? ( homed ) " RESTRICT="!test? 
( test )" MINKV="3.11" -OPENSSL_DEP=">=dev-libs/openssl-1.1.0:0=" - -COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] +COMMON_DEPEND=" + >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] sys-libs/libcap:0=[${MULTILIB_USEDEP}] virtual/libcrypt:=[${MULTILIB_USEDEP}] acl? ( sys-apps/acl:0= ) @@ -51,14 +59,11 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2:0= ) cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) curl? ( net-misc/curl:0= ) - dns-over-tls? ( >=net-libs/gnutls-3.6.0:0= ) elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( dev-libs/libfido2:0= ) gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) - homed? ( ${OPENSSL_DEP} ) - http? ( - >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] - >=net-libs/gnutls-3.1.4:0= - ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) idn? ( net-dns/libidn2:= ) importd? ( app-arch/bzip2:0= @@ -68,12 +73,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) nat? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) pkcs11? ( app-crypt/p11-kit:0= ) pcre? ( dev-libs/libpcre2 ) pwquality? ( dev-libs/libpwquality:0= ) qrcode? ( media-gfx/qrencode:0= ) - repart? ( ${OPENSSL_DEP} ) seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) selinux? ( sys-libs/libselinux:0= ) tpm? ( app-crypt/tpm2-tss:0= ) 
@@ -87,22 +92,39 @@ DEPEND="${COMMON_DEPEND} gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) " -# Flatcar: We drop a few of the acct-group and acct-user as the gid provided by -# the upstream does not match with the ones we carry in baselayout. +# baselayout-2.2 has /run RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 >=acct-group/kmem-0-r1 >=acct-group/tty-0-r1 >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 acct-group/sgx + >=acct-group/tape-0-r1 acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 >=acct-user/root-0-r1 acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + hostnamed-fallback? ( + acct-group/systemd-hostname + sys-apps/dbus-broker + ) selinux? ( sec-policy/selinux-base-policy[systemd] ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] @@ -163,8 +185,8 @@ pkg_pretend() { ewarn "See https://bugs.gentoo.org/674458." fi - local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS - ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + local CONFIG_CHECK="~AUTOFS4_FS ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS + ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH 
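Review bot: The removed comment said Flatcar dropped most acct-group/acct-user dependencies because the fixed UIDs/GIDs upstream assigns do not match the ones carried in Flatcar's baselayout; the hunk reinstates the full Gentoo list (audio, disk, input, render, systemd-journal-remote, systemd-network, systemd-resolve, …) without saying how that conflict was resolved. If the numeric IDs still differ, files and sockets created for e.g. `systemd-network` or `systemd-journal-remote` end up owned by a different ID than the corresponding `/etc/passwd` entry, which is a silent ownership mix-up rather than a build failure. Either the overlay now ships acct-* ebuilds with matching IDs, in which case a one-line comment such as `# Flatcar: acct-* IDs are aligned with baselayout in this overlay` belongs here, or the pruned list should stay. The inherited `# baselayout-2.2 has /run` comment does not cover this.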
@@ -177,6 +199,12 @@ pkg_pretend() { kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" + if kernel_is -lt 5 10 20; then + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + else + CONFIG_CHECK+=" ~KCMP" + fi + if linux_config_exists; then local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then 
@@ -214,26 +242,37 @@ src_prepare() { # Add local patches here PATCHES+=( # Flatcar: Adding our own patches here. - "${FILESDIR}/249-libudev-static.patch" - "${FILESDIR}/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch" - "${FILESDIR}/0004-wait-online-set-any-by-default.patch" - "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch" - "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0009-core-handle-lookup-paths-being-symlinks.patch" + "${FILESDIR}/0001-wait-online-set-any-by-default.patch" + "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0006-core-handle-lookup-paths-being-symlinks.patch" + "${FILESDIR}/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" + "${FILESDIR}/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch" ) - # Flatcar: We carry our own patches, we don't use the ones - # from Gentoo. Thus we dropped the `if ! use vanilla` code - # here. + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-generator-path-r2.patch" + "${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch" + "${FILESDIR}/gentoo-journald-audit.patch" + ) + fi - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy "default", but unless - # the kubelet --resolv-conf flag is set to point to /run/systemd/resolve/resolv.conf this won't work with - # /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf which configures 127.0.0.53. 
- # See https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues - # This means that users who need split DNS to work should point /etc/resolv.conf back to /run/systemd/resolve/stub-resolv.conf - # (and if using K8s configure the kubelet resolvConf variable/--resolv-conf flag to /run/systemd/resolve/resolv.conf). + # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., + # CoreDNS which has dnsPolicy "default", but unless the + # kubelet --resolv-conf flag is set to point to + # /run/systemd/resolve/resolv.conf this won't work with + # /etc/resolv.conf pointing to + # /run/systemd/resolve/stub-resolv.conf which configures + # 127.0.0.53. See + # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + # This means that users who need split DNS to work should + # point /etc/resolv.conf back to + # /run/systemd/resolve/stub-resolv.conf (and if using K8s + # configure the kubelet resolvConf variable/--resolv-conf flag + # to /run/systemd/resolve/resolv.conf). sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die default @@ -248,6 +287,7 @@ src_configure() { multilib-minimal_src_configure } +# Flatcar: Our function, we use it in some places below. get_rootprefix() { usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" } @@ -267,6 +307,7 @@ multilib_src_configure() { -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" # Avoid infinite exec recursion, bug 642724 -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps -Dima=true -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) # Optional components/dependencies 
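Review bot: Taking the `! use vanilla` branch now applies `gentoo-journald-audit.patch`, which changes journald's built-in `Audit=` default from on to "do not touch the kernel setting"; the removed comment says this ebuild previously carried only Flatcar's own patches, so on such a build journald stops switching kernel auditing on at boot. If the image runs no auditd, audit records that used to land in the journal will simply stop appearing unless `audit=1` is on the kernel command line or `Audit=yes` is set in journald.conf, and neither this hunk nor the changelog entries mention the change. If it is intended, say so next to the patch list, e.g. `# Flatcar: gentoo-journald-audit.patch makes journald leave kernel audit off by default`; if not, drop that patch from the list or ship a journald.conf drop-in with `Audit=yes`. I am assuming the Flatcar profiles build with USE=-vanilla, the Gentoo default; confirm.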
@@ -277,10 +318,11 @@ multilib_src_configure() { $(meson_native_use_bool curl libcurl) $(meson_native_use_bool dns-over-tls dns-over-tls) $(meson_native_use_bool elfutils) + $(meson_native_use_bool fido2 libfido2) $(meson_use gcrypt) $(meson_native_use_bool gnuefi gnu-efi) + $(meson_native_use_bool gnutls) -Defi-includedir="${ESYSROOT}/usr/include/efi" - -Defi-ld="$(tc-getLD)" -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" $(meson_native_use_bool homed) $(meson_native_use_bool http microhttpd) @@ -293,13 +335,13 @@ multilib_src_configure() { $(meson_use lzma xz) $(meson_use zstd) $(meson_native_use_bool nat libiptc) + $(meson_native_use_bool openssl) $(meson_use pam) $(meson_native_use_bool pkcs11 p11kit) $(meson_native_use_bool pcre pcre2) $(meson_native_use_bool policykit polkit) $(meson_native_use_bool pwquality) $(meson_native_use_bool qrcode qrencode) - $(meson_native_use_bool repart) $(meson_native_use_bool seccomp) $(meson_native_use_bool selinux) $(meson_native_use_bool tpm tpm2) @@ -367,8 +409,6 @@ multilib_src_configure() { -Defi-cc="$(tc-getCC)" -Dquotaon-path=/usr/sbin/quotaon -Dquotacheck-path=/usr/sbin/quotacheck - - # Flatcar: No static libs. ) meson_src_configure "${myconf[@]}" @@ -388,6 +428,7 @@ multilib_src_install_all() { einstalldocs # Flatcar: Do not install sample nsswitch.conf, we don't # provide it. + # dodoc "${FILESDIR}"/nsswitch.conf if ! use resolvconf; then rm -f "${ED}${rootprefix}"/sbin/resolvconf || die 
@@ -406,11 +447,33 @@ multilib_src_install_all() { rmdir "${ED}${rootprefix}"/sbin || die fi + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. + # directories. We use tmpfiles. + # # Preserve empty dirs in /etc & /var, bug #437008 + # keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + # keepdir /etc/kernel/install.d + # keepdir /etc/systemd/{network,system,user} + # keepdir /etc/udev/rules.d # - # Flatcar: TODO: Consider using that instead of - # dotmpfiles "${FILESDIR}"/systemd-flatcar.conf below. + # keepdir /etc/udev/hwdb.d + # + # keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + # keepdir /usr/lib/{binfmt.d,modules-load.d} + # keepdir /usr/lib/systemd/user-generators + # keepdir /var/lib/systemd + # keepdir /var/log/journal + + # Flatcar: No migrations happening here. + # # Symlink /etc/sysctl.conf for easy migration. + # dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + + # Flatcar: Do not install a pam policy, we have our own. + # if use pam; then + # newpamd "${FILESDIR}"/systemd-user.pam systemd-user + # fi if use split-usr; then # Avoid breaking boot/reboot 
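Review bot: The commented-out `newpamd "${FILESDIR}"/systemd-user.pam systemd-user` says "we have our own", and this commit deletes `files/systemd-user.pam`, but nothing visible installs a replacement `/etc/pam.d/systemd-user`; that file is what pulled `pam_loginuid.so` into `user@.service` sessions, so if it comes from baselayout the comment should name it, e.g. `# Flatcar: /etc/pam.d/systemd-user is shipped by baselayout`. Likewise `rm -r "${ED}"/usr/lib/sysusers.d || die` carries only a bug URL; a reader needs to know the users are expected from the acct-* RDEPENDs and baselayout rather than created at boot by systemd-sysusers, since a missing entry would surface as a service running under a nonexistent user. The enclosing multilib_src_install_all continues outside the hunk.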
@@ -418,6 +481,20 @@ multilib_src_install_all() { dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown fi + # workaround for https://github.com/systemd/systemd/issues/13501 + if use hostnamed-fallback; then + # this file requires dbus-broker + insinto /usr/share/dbus-1/system.d/ + doins "${FILESDIR}/org.freedesktop.hostname1_no_polkit.conf" + + insinto "${rootprefix}/lib/systemd/system/systemd-hostnamed.service.d/" + doins "${FILESDIR}/00-hostnamed-network-user.conf" + fi + + # Flatcar: gen_usr_ldscript is likely for static libs, so we + # dropped it. + # gen_usr_ldscript -a systemd udev + # Flatcar: Ensure journal directory has correct ownership/mode # in inital image. This is fixed by systemd-tmpfiles *but* # journald starts before that and will create the journal if @@ -430,9 +507,6 @@ multilib_src_install_all() { fperms 2755 /var/log/journal # Flatcar: Don't prune systemd dirs. - # - # Flatcar: TODO: Upstream probably fixed it in different way - - # it's using some keepdir commands. dotmpfiles "${FILESDIR}"/systemd-flatcar.conf # Flatcar: Add tmpfiles rule for resolv.conf. This path has # changed after v213 so it must be handled here instead of 
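Review bot: The `hostnamed-fallback` block installs a D-Bus policy whose purpose, per the USE description in this commit, is to allow setting the hostname without a polkit check, yet the only explanation is `# workaround for https://github.com/systemd/systemd/issues/13501`; the policy file's content is not readable in this diff either. A comment stating which user and which hostname1 calls the policy opens up, and that `REQUIRED_USE` forbids combining it with `policykit`, would make the trade-off explicit, e.g. `# Flatcar: grants hostnamed's service user direct hostname1 access on the system bus; never combine with polkit`. As far as I can tell from the profile changes in this commit Flatcar does not enable the flag, so this is inert for the shipped image; confirm.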
@@ -448,37 +522,47 @@ multilib_src_install_all() { # Flatcar: These lines more or less follow the systemd's # preset file (90-systemd.preset). We do it that way, to avoid - # putting symlink in /etc. Please keep the lines in the same - # order as the "enable" lines appear in the preset file. - builddir_systemd_enable_service multi-user.target remote-fs.target - builddir_systemd_enable_service multi-user.target remote-cryptsetup.target - builddir_systemd_enable_service multi-user.target machines.target - # Flatcar: getty@.service is enabled manually below. - builddir_systemd_enable_service sysinit.target systemd-timesyncd.service - builddir_systemd_enable_service multi-user.target systemd-networkd.service - # Flatcar: For systemd-networkd.service, it has it in Also, which also - # needs to be enabled - builddir_systemd_enable_service sockets.target systemd-networkd.socket - # Flatcar: For systemd-networkd.service, it has it in Also, which also - # needs to be enabled - builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service - builddir_systemd_enable_service multi-user.target systemd-resolved.service - if use homed; then - builddir_systemd_enable_service multi-user.target systemd-homed.target - # Flatcar: systemd-homed.target has - # Also=systemd-userdbd.service, but the service has no - # WantedBy entry. It's likely going to be executed through - # systemd-userdbd.socket, which is enabled in upstream's - # presets file. - builddir_systemd_enable_service sockets.target systemd-userdbd.socket - fi - builddir_systemd_enable_service sysinit.target systemd-pstore.service - # Flatcar: not enabling reboot.target - it has no WantedBy - # entry. + # putting symlinks in /etc. Please keep the lines in the same + # order as the "enable" lines appear in the preset file. For a + # single enable line in preset, there may be more lines if the + # unit file had Also: clause which has units we enable here + # too. - # Flatcar: Enable getty manually. 
+ # Flatcar: enable remote-fs.target + builddir_systemd_enable_service multi-user.target remote-fs.target + # Flatcar: enable remote-cryptsetup.target + if use cryptsetup; then + builddir_systemd_enable_service multi-user.target remote-cryptsetup.target + fi + # Flatcar: enable machines.target + builddir_systemd_enable_service multi-user.target machines.target + # Flatcar: enable getty@.service dodir "${unitdir}/getty.target.wants" dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" + # Flatcar: enable systemd-timesyncd.service + builddir_systemd_enable_service sysinit.target systemd-timesyncd.service + # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) + builddir_systemd_enable_service multi-user.target systemd-networkd.service + builddir_systemd_enable_service sockets.target systemd-networkd.socket + builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service + # Flatcar: enable systemd-network-generator.service + builddir_systemd_enable_service sysinit.target systemd-network-generator.service + # Flatcar: enable systemd-resolved.service + builddir_systemd_enable_service multi-user.target systemd-resolved.service + # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) + if use homed; then + builddir_systemd_enable_service multi-user.target systemd-homed.target + fi + # Flatcar: enable systemd-userdbd.socket + builddir_systemd_enable_service sockets.target systemd-userdbd.socket + # Flatcar: enable systemd-pstore.service + builddir_systemd_enable_service sysinit.target systemd-pstore.service + # Flatcar: enable systemd-boot-update.service + if use gnuefi; then + builddir_systemd_enable_service sysinit.target systemd-boot-update.service + fi + # Flatcar: enable reboot.target (not enabled - has no WantedBy + # entry) # Flatcar: Use an empty preset file, because systemctl # preset-all puts symlinks 
in /etc, not in /usr. We don't use @@ -495,15 +579,16 @@ multilib_src_install_all() { -e '/^C!* \/etc\/nsswitch\.conf/d' \ -e '/^C!* \/etc\/pam\.d/d' \ -e '/^C!* \/etc\/issue/d' - - # Flatcar: gen_usr_ldscript is likely for static libs, so we - # dropped it. } +# Flatcar: Our own version of systemd_get_systemunitdir, that returns +# a path inside /usr, not /etc. builddir_systemd_get_systemunitdir() { echo "$(get_rootprefix)/lib/systemd/system" } +# Flatcar: Our own version of systemd_enable_service, that does +# operations inside /usr, not /etc. builddir_systemd_enable_service() { local target=${1} local service=${2} @@ -591,17 +676,18 @@ pkg_postinst() { # Flatcar: We enable getty and remote-fs targets in /usr # ourselves above. + # if [[ -z ${REPLACING_VERSIONS} ]]; then + # if type systemctl &>/dev/null; then + # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + # fi + # elog "To enable a useful set of services, run the following:" + # elog " systemctl preset-all --preset-mode=enable-only" + # fi if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync" fi - if [[ -z ${ROOT} && -d /run/systemd/system ]]; then - ebegin "Reexecuting system manager" - systemctl daemon-reexec - eend $? - fi - if [[ ${FAIL} ]]; then eerror "One of the postinst commands failed. Please check the postinst output" eerror "for errors. You may need to clean up your system and/or try installing"
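Review bot: The comment reads `enable systemd-homed.service` but the line under it enables `systemd-homed.target`; upstream's 90-systemd.preset enables the service and I do not know of a `systemd-homed.target` unit in 250, so this would create a dangling symlink — latent, since the base profile does not set USE=homed, but the line should read `builddir_systemd_enable_service multi-user.target systemd-homed.service` unless that target really exists in this build. Separately, `systemd-userdbd.socket` moves out of the `use homed` guard and is now enabled unconditionally; that matches the upstream preset, but it is new socket activation on every node and deserves its own one-line justification rather than being folded under "follow the preset". The enclosing multilib_src_install_all continues outside the hunk.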