From 4ff26d05db0ce7eb7c41561d479c102c08b56eb1 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Thu, 20 Jan 2022 16:30:45 +0100 Subject: [PATCH 1/6] sys-apps/systemd: Sync with gentoo It's from gentoo commit 909ff1217e19ce803fefbd16a67869426232f432. --- .../coreos-overlay/sys-apps/systemd/Manifest | 2 +- .../files/00-hostnamed-network-user.conf | 6 + .../0004-wait-online-set-any-by-default.patch | 32 -- ...fault-to-kernel-IPForwarding-setting.patch | 24 -- ...ate-don-t-require-strictly-newer-usr.patch | 58 ---- ...007-core-use-max-for-DefaultTasksMax.patch | 65 ---- ...d-Disable-SELinux-permissions-checks.patch | 29 -- ...e-handle-lookup-paths-being-symlinks.patch | 84 ----- .../systemd/files/249-libudev-static.patch | 26 -- .../sys-apps/systemd/files/99-default.preset | 2 - .../files/gentoo-generator-path-r2.patch | 26 ++ .../systemd/files/gentoo-journald-audit.patch | 40 +++ ...entoo-systemctl-disable-sysv-sync-r1.patch | 25 ++ .../sys-apps/systemd/files/nsswitch.conf | 27 ++ .../org.freedesktop.hostname1_no_polkit.conf | 11 + .../systemd/files/systemd-flatcar.conf | 14 - .../systemd/files/systemd-resolv.conf | 2 - .../sys-apps/systemd/metadata.xml | 6 +- .../sys-apps/systemd/systemd-249.7-r1.ebuild | 1 - ...stemd-9999.ebuild => systemd-250.3.ebuild} | 306 ++++++------------ 20 files changed, 244 insertions(+), 542 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch delete mode 100644 
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf delete mode 120000 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-9999.ebuild => systemd-250.3.ebuild} (56%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest index 48976f7e1b..11fad23078 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest 
@@ -1 +1 @@
-DIST systemd-stable-249.7.tar.gz 10608252 BLAKE2B a5597c4973b24c962779622cae47dbf8351af49f8cd898d9c16a967c6f3600c6feb293e9b03eab0423b860eef5b04b287185fb9827cb323429d0ab9fc6d809b2 SHA512 4daf8570621fdcda5c94d982908c64eddfeef989005f4fd79a10f199dbc6f366354177bb59dff34bcb14764fb4423a870ffabac1163849ec53592e29760105fc
+DIST systemd-stable-250.3.tar.gz 11125151 BLAKE2B 659c39994e76f94407dd9079e28fc644981d3475a0ed440b9895e8f201c3ce1fc47aa8c4d599ad85ed89ddfb6ca8e514aee2a739e93640745cf46647f99efe56 SHA512 81847fb088ff271138b1ea318995a2ca2ee5d4c5d839c9dd81f0210d366198049199d59c49b25ef8783df2c6b8dd9fcdf2d916777788b1a6d42deec9da8e9da5
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf
new file mode 100644
index 0000000000..6b224ba9b9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
+[Service]
+# By running with these options instead of root, networkd is allowed to request
+# a hostname change via DBUS when policykit is not present
+User=systemd-network
+Group=systemd-hostname
+AmbientCapabilities=CAP_SYS_ADMIN
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch
deleted file mode 100644
index 2e3d001c64..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch
+++ /dev/null
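Review bot: `AmbientCapabilities=CAP_SYS_ADMIN` hands a near-root capability to a service that now runs under the same UID as networkd, and the drop-in does not say why that particular capability is needed or which unit it targets (the file name suggests systemd-hostnamed.service, but the install path is outside this hunk). sethostname(2) does require CAP_SYS_ADMIN, so the grant is justified, but the existing comment only explains the UID change; I would extend it with `# sethostname(2) needs CAP_SYS_ADMIN, granted ambiently since the service no longer runs as root; it is a broad capability, so the base unit's CapabilityBoundingSet=/NoNewPrivileges= hardening must stay in place.` It is also worth confirming that the base unit's bounding set is not widened by this drop-in, and that the companion D-Bus policy (org.freedesktop.hostname1_no_polkit.conf, whose body is not readable on this page) restricts the no-polkit path to the systemd-network user only.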
@@ -1,32 +0,0 @@ -From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001 -From: David Michael -Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/5] wait-online: set --any by default - -The systemd-networkd-wait-online command would normally continue -waiting after a network interface is usable if other interfaces are -still configuring. There is a new flag --any to change this. - -Preserve previous Container Linux behavior for compatibility by -setting the --any flag by default. See patches from v241 (or -earlier) for the original implementation. ---- - src/network/wait-online/wait-online.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 1b24b6f1a6..dedbd50725 100644 ---- a/src/network/wait-online/wait-online.c -+++ b/src/network/wait-online/wait-online.c -@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL; - static char **arg_ignore = NULL; - static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; - static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; --static bool arg_any = false; -+static bool arg_any = true; - - STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); - STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); --- -2.30.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch deleted file mode 100644 index ac52e2cf5b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001 -From: Nick Owens -Date: Tue, 2 Jun 2015 18:22:32 -0700 -Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting - ---- - src/network/networkd-network.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c -index 850b4f449e..951c2d0815 100644 ---- a/src/network/networkd-network.c -+++ b/src/network/networkd-network.c -@@ -398,6 +398,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi - .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID, - - .ipv4_accept_local = -1, -+ .ip_forward = _ADDRESS_FAMILY_INVALID, - .ipv4_route_localnet = -1, - .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, - .ipv6_accept_ra = -1, --- -2.30.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch deleted file mode 100644 index c8f1460902..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001 -From: Alex Crawford -Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 3/5] needs-update: don't require strictly newer usr - -Updates should be triggered whenever usr changes, not only when it is newer. ---- - man/systemd-update-done.service.xml | 2 +- - src/shared/condition.c | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml -index 3393010ff6..5478baca25 100644 ---- a/man/systemd-update-done.service.xml -+++ b/man/systemd-update-done.service.xml -@@ -50,7 +50,7 @@ - ConditionNeedsUpdate= (see - systemd.unit5) - condition to make sure to run when /etc/ or -- /var/ are older than /usr/ -+ /var/ aren't the same age as /usr/ - according to the modification times of the files described above. - This requires that updates to /usr/ are always - followed by an update of the modification time of -diff --git a/src/shared/condition.c b/src/shared/condition.c -index b2ec690bc3..4cf6523b90 100644 ---- a/src/shared/condition.c -+++ b/src/shared/condition.c -@@ -593,7 +593,7 @@ static int condition_test_needs_update(Condition *c, char **env) { - * First, compare seconds as they are always accurate... - */ - if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) -- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; -+ return true; - - /* - * ...then compare nanoseconds. -@@ -604,7 +604,7 @@ static int condition_test_needs_update(Condition *c, char **env) { - * (otherwise the filesystem supports nsec timestamps, see stat(2)). 
- */ - if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) -- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; -+ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; - - _cleanup_free_ char *timestamp_str = NULL; - r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -623,7 +623,7 @@ static int condition_test_needs_update(Condition *c, char **env) { - return true; - } - -- return timespec_load_nsec(&usr.st_mtim) > timestamp; -+ return timespec_load_nsec(&usr.st_mtim) != timestamp; - } - - static int condition_test_first_boot(Condition *c, char **env) { --- -2.26.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch deleted file mode 100644 index 00625b1496..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 3acaafc6fcd34b272e5249c49e498ff7facb564e Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Thu, 22 Apr 2021 20:08:33 +0530 -Subject: [PATCH] core: use max for DefaultTasksMax - -Since systemd v228, systemd has a DefaultTasksMax which defaulted -to 512, later 15% of the system's maximum number of PIDs. This -limit is low and a change in behavior that people running services -in containers will hit frequently, so revert to previous behavior. - -Though later the TasksMax was changed in the a dynamic property to -accommodate stale values. - -This change is built on previous patch by David Michael(dm0-). - -Signed-off-by: Sayan Chowdhury ---- - man/systemd-system.conf.xml | 2 +- - src/core/main.c | 2 +- - src/core/system.conf.in | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index d39928ec23..4d89a68b16 100644 ---- a/man/systemd-system.conf.xml -+++ b/man/systemd-system.conf.xml -@@ -376,7 +376,7 @@ - Configure the default value for the per-unit TasksMax= setting. See - systemd.resource-control5 - for details. This setting applies to all unit types that support resource control settings, with the exception -- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= -+ of slice units. Defaults to 100% of the minimum of kernel.pid_max=, kernel.threads-max= - and root cgroup pids.max. - Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. 
- For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, -diff --git a/src/core/main.c b/src/core/main.c -index 0ddd629851..5e25a1b4b7 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -91,7 +91,7 @@ - #include - #endif - --#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ -+#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */ - - static enum { - ACTION_RUN, -diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index fa6fb690c7..1e6df17d94 100644 ---- a/src/core/system.conf.in -+++ b/src/core/system.conf.in -@@ -55,7 +55,7 @@ - #DefaultBlockIOAccounting=no - #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ - #DefaultTasksAccounting=yes --#DefaultTasksMax=15% -+#DefaultTasksMax=100% - #DefaultLimitCPU= - #DefaultLimitFSIZE= - #DefaultLimitDATA= --- -2.30.2 - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch deleted file mode 100644 index e4891b4f70..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks - -We don't care about the interaction between systemd and SELinux policy, so -let's just disable these checks rather than having to incorporate policy -support. This has no impact on our SELinux use-case, which is purely intended -to limit containers and not anything running directly on the host. ---- - src/core/selinux-access.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index 1d52b5ff04..1653d241f6 100644 ---- a/src/core/selinux-access.c -+++ b/src/core/selinux-access.c -@@ -2,7 +2,7 @@ - - #include "selinux-access.h" - --#if HAVE_SELINUX -+#if 0 - - #include - #include --- -2.26.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch deleted file mode 100644 index 6bed0f164b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 67d9962aa637401a1332069b6c8ad99a54e2b451 Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Wed, 8 Sep 2021 12:10:35 +0530 -Subject: [PATCH] core: handle lookup paths being symlinks - -With a recent change paths leaving the statically known lookup paths -would be treated differently then those that remained within those. That -was done (AFAIK) to consistently handle alias names. Unfortunately that -means that on some distributions, especially those where /etc/ consists -mostly of symlinks, would trigger that new detection for every single -unit in /etc/systemd/system. The reason for that is that the units -directory itself is already a symlink. - -Original Patch from: https://github.com/systemd/systemd/pull/20479 - -Signed-off-by: Sayan Chowdhury ---- - src/basic/unit-file.c | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) - -diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index 884a0674a9..3ae2a115d0 100644 ---- a/src/basic/unit-file.c -+++ b/src/basic/unit-file.c -@@ -254,6 +254,7 @@ int unit_file_build_name_map( - - _cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL; - _cleanup_set_free_free_ Set *paths = NULL; -+ _cleanup_strv_free_ char **expanded_search_paths = NULL; - uint64_t timestamp_hash; - char **dir; - int r; -@@ -273,6 +274,34 @@ int unit_file_build_name_map( - return log_oom(); - } - -+ /* Go over all our search paths, chase their symlinks and store the -+ * result in the expanded_search_paths list. -+ * -+ * This is important for cases where any of the unit directories itself -+ * are symlinks into other directories and would therefore cause all of -+ * the unit files to be recognized as linked units. -+ * -+ * This is important for distributions such as NixOS where most paths -+ * in /etc/ are symlinks to some other location on the filesystem (e.g. -+ * into /nix/store/). 
-+ */ -+ STRV_FOREACH(dir, (char**) lp->search_path) { -+ _cleanup_free_ char *resolved_dir = NULL; -+ r = strv_extend(&expanded_search_paths, *dir); -+ if (r < 0) -+ return log_oom(); -+ -+ r = chase_symlinks(*dir, NULL, 0, &resolved_dir, NULL); -+ if (r < 0) { -+ if (r != -ENOENT) -+ log_warning_errno(r, "Failed to resolve symlink %s, ignoring: %m", *dir); -+ continue; -+ } -+ -+ if (strv_consume(&expanded_search_paths, TAKE_PTR(resolved_dir)) < 0) -+ return log_oom(); -+ } -+ - STRV_FOREACH(dir, (char**) lp->search_path) { - struct dirent *de; - _cleanup_closedir_ DIR *d = NULL; -@@ -351,11 +380,11 @@ int unit_file_build_name_map( - continue; - } - -- /* Check if the symlink goes outside of our search path. -+ /* Check if the symlink goes outside of our (expanded) search path. - * If yes, it's a linked unit file or mask, and we don't care about the target name. - * Let's just store the link source directly. - * If not, let's verify that it's a good symlink. */ -- char *tail = path_startswith_strv(simplified, lp->search_path); -+ char *tail = path_startswith_strv(simplified, expanded_search_paths); - if (!tail) { - log_debug("%s: linked unit file: %s → %s", - __func__, filename, simplified); --- -2.30.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch deleted file mode 100644 index 73375b716e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/249-libudev-static.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From f2c57d4f3805775e0ffdc80ce578eaa737017d31 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Fri, 9 Jul 2021 13:05:23 -0400 -Subject: [PATCH] libudev: add "Libs.private: -lrt -pthread" to libudev.pc - -This resolves a failure when linking cryptsetup.static against libudev.a. - -``` -libtool: link: x86_64-pc-linux-gnu-gcc -Wall -O2 -pipe -march=amdfam10 -static -O2 -o cryptsetup.static lib/utils_crypt.o lib/utils_loop.o lib/utils_io.o lib/utils_blkid.o src/utils_tools.o src/utils_password.o src/utils_luks2.o src/utils_blockdev.o src/cryptsetup.o -pthread -pthread -Wl,--as-needed ./.libs/libcryptsetup.a -largon2 -lrt -ljson-c -lpopt -luuid -lblkid -lssl -lcrypto -lz -ldl -ldevmapper -lm -lpthread -ludev -pthread -/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib64/libudev.a(src_libsystemd_sd-daemon_sd-daemon.c.o): in function `sd_is_mq': -(.text.sd_is_mq+0x3a): undefined reference to `mq_getattr' -``` ---- - src/libudev/libudev.pc.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in -index 89028aaa6bf2..1d6487fa4084 100644 ---- a/src/libudev/libudev.pc.in -+++ b/src/libudev/libudev.pc.in -@@ -16,4 +16,5 @@ Name: libudev - Description: Library to access udev device information - Version: {{PROJECT_VERSION}} - Libs: -L${libdir} -ludev -+Libs.private: -lrt -pthread - Cflags: -I${includedir} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset deleted file mode 100644 index d2545d5d1d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset +++ /dev/null @@ -1,2 +0,0 @@ -# Do not enable any services if /etc is detected as empty. -disable * 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch new file mode 100644 index 0000000000..46e5c1dacb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch @@ -0,0 +1,26 @@ +From 91182cc273d2dd8325d856fd683d2d8e038abd91 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Tue, 25 Dec 2018 22:52:50 -0500 +Subject: [PATCH] path-lookup: look for generators in + /usr/lib/systemd/system-generators + +Bug: https://bugs.gentoo.org/625402 +--- + src/basic/path-lookup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c +index 52968dee34..0cb10b1116 100644 +--- a/src/basic/path-lookup.c ++++ b/src/basic/path-lookup.c +@@ -798,6 +798,7 @@ char **generator_binary_paths(UnitFileScope scope) { + add = strv_new("/run/systemd/system-generators", + "/etc/systemd/system-generators", + "/usr/local/lib/systemd/system-generators", ++ "/usr/lib/systemd/system-generators", + SYSTEM_GENERATOR_DIR); + break; + +-- +2.26.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch new file mode 100644 index 0000000000..088bceb769 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch 
@@ -0,0 +1,40 @@ +From 593db1c78011ddce551051ce17eda6feac079b3d Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Fri, 21 Aug 2020 13:16:17 -0400 +Subject: [PATCH] journald: do not change the kernel audit setting by default + +Bug: https://bugs.gentoo.org/736910 +--- + man/journald.conf.xml | 2 +- + src/journal/journald-server.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/journald.conf.xml b/man/journald.conf.xml +index bfd359a903..7e93d4050e 100644 +--- a/man/journald.conf.xml ++++ b/man/journald.conf.xml +@@ -411,7 +411,7 @@ + systemd-journald collects generated audit records, it just controls whether it + tells the kernel to generate them. This means if another tool turns on auditing even if + systemd-journald left it off, it will still collect the generated +- messages. Defaults to on. ++ messages. + + + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index 5865bf9809..163be685a8 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -2208,7 +2208,7 @@ int server_init(Server *s, const char *namespace) { + .compress.threshold_bytes = (uint64_t) -1, + .seal = true, + +- .set_audit = true, ++ .set_audit = -1, + + .watchdog_usec = USEC_INFINITY, + +-- +2.28.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch new file mode 100644 index 0000000000..a9d40be4ab --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch 
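Review bot: The man page hunk deletes `Defaults to on.` without stating the new default, so journald.conf(5) on this build no longer tells the reader that `Audit=` is left untouched unless set, which is what `.set_audit = -1` in the second hunk implements. I would end the sentence with `messages. If unset, the kernel audit state is left as it is.` Operationally this means journald stops enabling kernel auditing at start-up; deployments that relied on that side effect need an explicit `Audit=yes`, which deserves a line in the overlay's package notes. Since the patch is carried verbatim from Gentoo, the wording fix belongs in the upstream Gentoo patch rather than a local fork.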
@@ -0,0 +1,25 @@
+From d9059d2ef1b0d6034267cc8ff44871d0f82f840f Mon Sep 17 00:00:00 2001
+From: Mike Gilbert
+Date: Sun, 8 Nov 2020 12:34:11 -0500
+Subject: [PATCH] systemctl: disable synchronizaion of sysv init scripts
+
+---
+ src/systemctl/systemctl-sysv-compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c
+index 2dca9e480f..5dcf13ba17 100644
+--- a/src/systemctl/systemctl-sysv-compat.c
++++ b/src/systemctl/systemctl-sysv-compat.c
+@@ -111,7 +111,7 @@ int parse_shutdown_time_spec(const char *t, usec_t *ret) {
+ int enable_sysv_units(const char *verb, char **args) {
+ int r = 0;
+
+-#if HAVE_SYSV_COMPAT
++#if 0
+ _cleanup_(lookup_paths_free) LookupPaths paths = {};
+ unsigned f = 0;
+
+--
+2.29.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf
new file mode 100644
index 0000000000..91dbe757f9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf
@@ -0,0 +1,27 @@
+# Sample nss configuration for systemd
+
+# systemd-specific modules
+# See the manual pages fore further information.
+# nss-myhostname - host resolution for the local hostname
+# nss-mymachines - host, user, group resolution for containers
+# nss-resolve - host resolution using resolved
+# nss-systemd - dynamic user/group resolution (DynamicUser in unit files)
+
+passwd: files mymachines systemd
+shadow: files
+group: files mymachines systemd
+gshadow: files
+
+hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+networks: files
+
+services: db files
+protocols: db files
+rpc: db files
+ethers: db files
+netmasks: files
+netgroup: files
+bootparams: files
+
+automount: files
+aliases: files
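Review bot: `passwd: files mymachines systemd` and `group: files mymachines systemd` list nss-mymachines for user and group lookups, but as far as I recall nss-mymachines dropped user/group resolution in systemd v246 and now only resolves container host names, so those two entries are no-ops and the header line calling it `host, user, group resolution for containers` is stale. I would change them to `passwd: files systemd` and `group: files systemd` and the header to `# nss-mymachines - host resolution for containers`, keeping `mymachines` on the `hosts:` line. The header also has a typo: `fore further information` should read `for further information`. Where this sample is installed is outside the hunk; if it is only shipped as documentation the impact is limited to misleading readers, but if it is copied into /etc it is worth fixing before it propagates.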
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf @@ -0,0 +1,11 @@ + + + + + + + + + + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf deleted file mode 100644 index 17587de5aa..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf +++ /dev/null @@ -1,14 +0,0 @@ -d /etc/binfmt.d - - - - - -d /etc/kernel/install.d - - - - - -d /etc/modules-load.d - - - - - -d /etc/sysctl.d - - - - - -d /etc/systemd - - - - - -d /etc/systemd/network - - - - - -d /etc/systemd/system - - - - - -d /etc/systemd/user - - - - - -d /etc/tmpfiles.d - - - - - -d /etc/sysusers.d - - - - - -d /etc/udev/hwdb.d - - - - - -d /etc/udev/rules.d - - - - - -d /var/lib/systemd - - - - - -d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf deleted file mode 100644 index 32b7e9d214..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -d /run/systemd/network - - - - - -L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml index cb86e5b1d2..1e7d92356b 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml @@ -1,5 +1,5 @@ - + systemd@gentoo.org @@ -17,14 +17,16 @@ Enable DNS-over-TLS support Enable EFI boot manager and stub loader (built using sys-boot/gnu-efi) Enable coredump stacktraces in the journal + Enable FIDO2 support Enable sealing of journal files using gcrypt Enable portable home directories + Enable setting hostname with networkd/hostnamed without polkit (requires running sys-apps/dbus-broker) Enable embedded HTTP server in journald - Enable support for the hardware database Enable import daemon Enable kernel module loading via sys-apps/kmod Enable lz4 compression for the journal Enable support for network address translation in networkd + Enable use of dev-libs/openssl Enable PKCS#11 support for cryptsetup and homed Enable password quality checking in homed Enable support for growing/adding partitions diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild deleted file mode 120000 index 8da16946bc..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-249.7-r1.ebuild +++ /dev/null @@ -1 +0,0 @@ -systemd-9999.ebuild \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild similarity index 56% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild index ffc4e645c5..0d675fb078 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild 
@@ -1,8 +1,11 @@ -# Copyright 2011-2021 Gentoo Authors +# Copyright 2011-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{6..10} ) +PYTHON_COMPAT=( python3_{8..10} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 if [[ ${PV} == 9999 ]]; then EGIT_REPO_URI="https://github.com/systemd/systemd.git" 
@@ -17,33 +20,35 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" fi -# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript -TMPFILES_OPTIONAL=1 -inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user tmpfiles +inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev usr-ldscript DESCRIPTION="System and service manager for Linux" HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -# Flatcar: Dropped static-libs, we don't care about static libraries. -IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd" - +IUSE=" + acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd +kmod + +lz4 lzma nat +openssl pam pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd +" REQUIRED_USE=" - homed? ( cryptsetup pam ) - importd? ( curl gcrypt lzma ) + dns-over-tls? ( || ( gnutls openssl ) ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma || ( gcrypt openssl ) ) + policykit? ( !hostnamed-fallback ) pwquality? ( homed ) " RESTRICT="!test? 
( test )" MINKV="3.11" -OPENSSL_DEP=">=dev-libs/openssl-1.1.0:0=" - -COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] +COMMON_DEPEND=" + >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] sys-libs/libcap:0=[${MULTILIB_USEDEP}] virtual/libcrypt:=[${MULTILIB_USEDEP}] acl? ( sys-apps/acl:0= ) @@ -51,14 +56,11 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2:0= ) cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) curl? ( net-misc/curl:0= ) - dns-over-tls? ( >=net-libs/gnutls-3.6.0:0= ) elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( dev-libs/libfido2:0= ) gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) - homed? ( ${OPENSSL_DEP} ) - http? ( - >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] - >=net-libs/gnutls-3.1.4:0= - ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) idn? ( net-dns/libidn2:= ) importd? ( app-arch/bzip2:0= @@ -68,12 +70,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) nat? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) pkcs11? ( app-crypt/p11-kit:0= ) pcre? ( dev-libs/libpcre2 ) pwquality? ( dev-libs/libpwquality:0= ) qrcode? ( media-gfx/qrencode:0= ) - repart? ( ${OPENSSL_DEP} ) seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) selinux? ( sys-libs/libselinux:0= ) tpm? ( app-crypt/tpm2-tss:0= ) 
@@ -87,22 +89,39 @@ DEPEND="${COMMON_DEPEND} gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) " -# Flatcar: We drop a few of the acct-group and acct-user as the gid provided by -# the upstream does not match with the ones we carry in baselayout. +# baselayout-2.2 has /run RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 >=acct-group/kmem-0-r1 >=acct-group/tty-0-r1 >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 acct-group/sgx + >=acct-group/tape-0-r1 acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 >=acct-user/root-0-r1 acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + hostnamed-fallback? ( + acct-group/systemd-hostname + sys-apps/dbus-broker + ) selinux? ( sec-policy/selinux-base-policy[systemd] ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] @@ -122,9 +141,8 @@ RDEPEND="${COMMON_DEPEND} " # sys-apps/dbus: the daemon only (+ build-time lib dep for tests) -# -# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped. PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" @@ -163,8 +181,8 @@ pkg_pretend() { ewarn "See https://bugs.gentoo.org/674458." fi - local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS - ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + local CONFIG_CHECK="~AUTOFS4_FS ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS + ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH 
@@ -177,6 +195,12 @@ pkg_pretend() { kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" + if kernel_is -lt 5 10 20; then + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + else + CONFIG_CHECK+=" ~KCMP" + fi + if linux_config_exists; then local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then 
@@ -213,28 +237,15 @@ src_prepare() { # Add local patches here PATCHES+=( - # Flatcar: Adding our own patches here. - "${FILESDIR}/249-libudev-static.patch" - "${FILESDIR}/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch" - "${FILESDIR}/0004-wait-online-set-any-by-default.patch" - "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch" - "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0009-core-handle-lookup-paths-being-symlinks.patch" ) - # Flatcar: We carry our own patches, we don't use the ones - # from Gentoo. Thus we dropped the `if ! use vanilla` code - # here. - - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy "default", but unless - # the kubelet --resolv-conf flag is set to point to /run/systemd/resolve/resolv.conf this won't work with - # /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf which configures 127.0.0.53. - # See https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues - # This means that users who need split DNS to work should point /etc/resolv.conf back to /run/systemd/resolve/stub-resolv.conf - # (and if using K8s configure the kubelet resolvConf variable/--resolv-conf flag to /run/systemd/resolve/resolv.conf). - sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-generator-path-r2.patch" + "${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch" + "${FILESDIR}/gentoo-journald-audit.patch" + ) + fi default } 
@@ -248,25 +259,21 @@ src_configure() { multilib-minimal_src_configure } -get_rootprefix() { - usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" -} - multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" - # Flatcar: Point to our user mailing list. - -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" + -Dsupport-url="https://gentoo.org/support/" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" # make sure we get /bin:/sbin in PATH $(meson_use split-usr) -Dsplit-bin=true - -Drootprefix="$(get_rootprefix)" + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" # Avoid infinite exec recursion, bug 642724 -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps -Dima=true -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) # Optional components/dependencies @@ -277,10 +284,11 @@ multilib_src_configure() { $(meson_native_use_bool curl libcurl) $(meson_native_use_bool dns-over-tls dns-over-tls) $(meson_native_use_bool elfutils) + $(meson_native_use_bool fido2 libfido2) $(meson_use gcrypt) $(meson_native_use_bool gnuefi gnu-efi) + $(meson_native_use_bool gnutls) -Defi-includedir="${ESYSROOT}/usr/include/efi" - -Defi-ld="$(tc-getLD)" -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" $(meson_native_use_bool homed) $(meson_native_use_bool http microhttpd) 
@@ -293,23 +301,21 @@ multilib_src_configure() { $(meson_use lzma xz) $(meson_use zstd) $(meson_native_use_bool nat libiptc) + $(meson_native_use_bool openssl) $(meson_use pam) $(meson_native_use_bool pkcs11 p11kit) $(meson_native_use_bool pcre pcre2) $(meson_native_use_bool policykit polkit) $(meson_native_use_bool pwquality) $(meson_native_use_bool qrcode qrencode) - $(meson_native_use_bool repart) $(meson_native_use_bool seccomp) $(meson_native_use_bool selinux) $(meson_native_use_bool tpm tpm2) $(meson_native_use_bool test dbus) $(meson_native_use_bool xkb xkbcommon) - # Flatcar: Use our ntp servers. - -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false - # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options 
@@ -332,43 +338,6 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) - - # Flatcar: Specify this, or meson breaks due to no - # /etc/login.defs. - -Dsystem-gid-max=999 - -Dsystem-uid-max=999 - - # Flatcar: DBus paths. - -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" - -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" - - # Flatcar: PAM config directory. - -Dpamconfdir=/usr/share/pam.d - - # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC - # 2013. Used by timesyncd as a sanity check for the - # minimum acceptable time. Explicitly set to avoid - # using the current build time. - -Dtime-epoch=1372636800 - - # Flatcar: No default name servers. - -Ddns-servers= - - # Flatcar: Disable the "First Boot Wizard", it isn't - # very applicable to us. - -Dfirstboot=false - - # Flatcar: Set latest network interface naming scheme - # for - # https://github.com/flatcar-linux/Flatcar/issues/36 - -Ddefault-net-naming-scheme=latest - - # Flatcar: Unported options, still needed? - -Defi-cc="$(tc-getCC)" - -Dquotaon-path=/usr/sbin/quotaon - -Dquotacheck-path=/usr/sbin/quotacheck - - # Flatcar: No static libs. ) meson_src_configure "${myconf[@]}" @@ -386,8 +355,7 @@ multilib_src_install_all() { mv "${ED}"/usr/share/doc/{systemd,${PF}} || die einstalldocs - # Flatcar: Do not install sample nsswitch.conf, we don't - # provide it. + dodoc "${FILESDIR}"/nsswitch.conf if ! use resolvconf; then rm -f "${ED}${rootprefix}"/sbin/resolvconf || die 
@@ -406,11 +374,29 @@ multilib_src_install_all() { rmdir "${ED}${rootprefix}"/sbin || die fi - # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. - # - # Flatcar: TODO: Consider using that instead of - # dotmpfiles "${FILESDIR}"/systemd-flatcar.conf below. + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + + if use pam; then + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi if use split-usr; then # Avoid breaking boot/reboot 
@@ -418,100 +404,17 @@ multilib_src_install_all() { dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown fi - # Flatcar: Ensure journal directory has correct ownership/mode - # in inital image. This is fixed by systemd-tmpfiles *but* - # journald starts before that and will create the journal if - # the filesystem is already read-write. Conveniently the - # systemd Makefile sets this up completely wrong. - # - # Flatcar: TODO: Is this still a problem? - dodir /var/log/journal - fowners root:systemd-journal /var/log/journal - fperms 2755 /var/log/journal + # workaround for https://github.com/systemd/systemd/issues/13501 + if use hostnamed-fallback; then + # this file requires dbus-broker + insinto /usr/share/dbus-1/system.d/ + doins "${FILESDIR}/org.freedesktop.hostname1_no_polkit.conf" - # Flatcar: Don't prune systemd dirs. - # - # Flatcar: TODO: Upstream probably fixed it in different way - - # it's using some keepdir commands. - dotmpfiles "${FILESDIR}"/systemd-flatcar.conf - # Flatcar: Add tmpfiles rule for resolv.conf. This path has - # changed after v213 so it must be handled here instead of - # baselayout now. - dotmpfiles "${FILESDIR}"/systemd-resolv.conf - - # Flatcar: Don't default to graphical.target. - local unitdir=$(builddir_systemd_get_systemunitdir) - dosym multi-user.target "${unitdir}"/default.target - - # Flatcar: Don't set any extra environment variables by default. - rm "${ED}/usr/lib/environment.d/99-environment.conf" || die - - # Flatcar: These lines more or less follow the systemd's - # preset file (90-systemd.preset). We do it that way, to avoid - # putting symlink in /etc. Please keep the lines in the same - # order as the "enable" lines appear in the preset file. 
- builddir_systemd_enable_service multi-user.target remote-fs.target - builddir_systemd_enable_service multi-user.target remote-cryptsetup.target - builddir_systemd_enable_service multi-user.target machines.target - # Flatcar: getty@.service is enabled manually below. - builddir_systemd_enable_service sysinit.target systemd-timesyncd.service - builddir_systemd_enable_service multi-user.target systemd-networkd.service - # Flatcar: For systemd-networkd.service, it has it in Also, which also - # needs to be enabled - builddir_systemd_enable_service sockets.target systemd-networkd.socket - # Flatcar: For systemd-networkd.service, it has it in Also, which also - # needs to be enabled - builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service - builddir_systemd_enable_service multi-user.target systemd-resolved.service - if use homed; then - builddir_systemd_enable_service multi-user.target systemd-homed.target - # Flatcar: systemd-homed.target has - # Also=systemd-userdbd.service, but the service has no - # WantedBy entry. It's likely going to be executed through - # systemd-userdbd.socket, which is enabled in upstream's - # presets file. - builddir_systemd_enable_service sockets.target systemd-userdbd.socket + insinto "${rootprefix}/lib/systemd/system/systemd-hostnamed.service.d/" + doins "${FILESDIR}/00-hostnamed-network-user.conf" fi - builddir_systemd_enable_service sysinit.target systemd-pstore.service - # Flatcar: not enabling reboot.target - it has no WantedBy - # entry. - # Flatcar: Enable getty manually. - dodir "${unitdir}/getty.target.wants" - dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" - - # Flatcar: Use an empty preset file, because systemctl - # preset-all puts symlinks in /etc, not in /usr. We don't use - # /etc, because it is not autoupdated. We do the "preset" above. 
- rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die - insinto $(usex split-usr '' /usr)/lib/systemd/system-preset - doins "${FILESDIR}"/99-default.preset - - # Flatcar: Do not ship distro-specific files (nsswitch.conf - # pam.d). This conflicts with our own configuration provided - # by baselayout. - rm -rf "${ED}"/usr/share/factory - sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ - -e '/^C!* \/etc\/nsswitch\.conf/d' \ - -e '/^C!* \/etc\/pam\.d/d' \ - -e '/^C!* \/etc\/issue/d' - - # Flatcar: gen_usr_ldscript is likely for static libs, so we - # dropped it. -} - -builddir_systemd_get_systemunitdir() { - echo "$(get_rootprefix)/lib/systemd/system" -} - -builddir_systemd_enable_service() { - local target=${1} - local service=${2} - local ud=$(builddir_systemd_get_systemunitdir) - local destname=${service##*/} - - dodir "${ud}"/"${target}".wants && \ - dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" + gen_usr_ldscript -a systemd udev } migrate_locale() { @@ -589,19 +492,18 @@ pkg_postinst() { # between OpenRC & systemd migrate_locale - # Flatcar: We enable getty and remote-fs targets in /usr - # ourselves above. + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync" fi - if [[ -z ${ROOT} && -d /run/systemd/system ]]; then - ebegin "Reexecuting system manager" - systemctl daemon-reexec - eend $? - fi - if [[ ${FAIL} ]]; then eerror "One of the postinst commands failed. Please check the postinst output" eerror "for errors. You may need to clean up your system and/or try installing" From ca71cd3a3fef49b8d8b1880ec0cd79cbc00b7765 Mon Sep 17 00:00:00 2001 
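Review bot: Dropping the `systemctl daemon-reexec` block from pkg_postinst leaves an already-running PID 1 executing the previous systemd binary after an upgrade, so fixes in the manager are not live until the administrator reexecs or reboots, and the new `elog` lines only run on first install (`-z ${REPLACING_VERSIONS}`), so upgrades print nothing about it. An `elog "Run 'systemctl daemon-reexec' (or reboot) so the running manager picks up this version."` on the upgrade path, or a comment citing the Gentoo rationale for removing the reexec, would make the consequence visible. pkg_postinst continues outside the hunk.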
From: Krzesimir Nowak Date: Thu, 20 Jan 2022 16:42:24 +0100 Subject: [PATCH 2/6] sys-apps/systemd: Apply Flatcar modifications --- .../0001-wait-online-set-any-by-default.patch | 32 +++ ...fault-to-kernel-IPForwarding-setting.patch | 24 ++ ...ate-don-t-require-strictly-newer-usr.patch | 58 ++++ ...004-core-use-max-for-DefaultTasksMax.patch | 64 +++++ ...d-Disable-SELinux-permissions-checks.patch | 29 ++ ...e-handle-lookup-paths-being-symlinks.patch | 84 ++++++ ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 93 +++++++ ...managing-of-foreign-routes-rules-by.patch} | 11 +- .../sys-apps/systemd/files/99-default.preset | 2 + .../sys-apps/systemd/files/nsswitch.conf | 27 -- .../systemd/files/systemd-flatcar.conf | 19 ++ .../systemd/files/systemd-resolv.conf | 2 + .../sys-apps/systemd/files/systemd-user.pam | 5 - .../sys-apps/systemd/systemd-250.3.ebuild | 250 +++++++++++++++--- 14 files changed, 630 insertions(+), 70 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch rename 
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch => 0008-networkd-disable-managing-of-foreign-routes-rules-by.patch} (88%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch new file mode 100644 index 0000000000..342d9d0ae3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch 
@@ -0,0 +1,32 @@
+From d13deba6bad21e796829b83b00dce03085b0ab14 Mon Sep 17 00:00:00 2001
+From: David Michael
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/8] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring. There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default. See patches from v241 (or
+earlier) for the original implementation.
+---
+ src/network/wait-online/wait-online.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index a679b858fa..3b6dad8d1d 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL;
+ static char **arg_ignore = NULL;
+ static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+ static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
+-static bool arg_any = false;
++static bool arg_any = true;
+
+ STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch
new file mode 100644
index 0000000000..8cfc66862d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch
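Review bot: Flipping `arg_any` to true changes the default for every invocation of systemd-networkd-wait-online, including the shipped service unit, yet the man page and `--help` text are not touched and still present `--any` as an opt-in flag, and nothing in this hunk turns the new default back off. A comment on the changed line, `static bool arg_any = true; /* Flatcar: default to --any for Container Linux compatibility */`, plus a matching sentence in the man page would keep the behaviour discoverable. The rest of wait-online.c is outside the hunk, so an opt-out option may exist there; if it does not, callers that must wait for all interfaces have no way to ask for it.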
@@ -0,0 +1,24 @@
+From 2a8f5356c608e6f4512ade1b3ce2176f4491bce1 Mon Sep 17 00:00:00 2001
+From: Nick Owens
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting
+
+---
+ src/network/networkd-network.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index 873ad2e703..4395dce4e2 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -458,6 +458,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+ .link_local = _ADDRESS_FAMILY_INVALID,
+ .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+
++ .ip_forward = _ADDRESS_FAMILY_INVALID,
+ .ipv4_accept_local = -1,
+ .ipv4_route_localnet = -1,
+ .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch
new file mode 100644
index 0000000000..5548f861d6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch
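Review bot: With `.ip_forward = _ADDRESS_FAMILY_INVALID` networkd presumably stops writing the forwarding sysctls unless `IPForward=` is set explicitly, so whether a host routes traffic now follows the kernel and sysctl.d defaults rather than a networkd decision, and the patch carries no body explaining that. Please add a sentence to the description stating the intent, and if the `IPForward=` entry in systemd.network(5) still documents the default as "no", update it in the same patch to say the kernel setting is left untouched. The initializer list this line belongs to continues outside the hunk.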
@@ -0,0 +1,58 @@
+From 5ba2f094ba91f8f52a4b3c0aca83e2fe344594d8 Mon Sep 17 00:00:00 2001
+From: Alex Crawford
+Date: Wed, 2 Mar 2016 10:46:33 -0800
+Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
+
+Updates should be triggered whenever usr changes, not only when it is newer.
+---
+ man/systemd-update-done.service.xml | 2 +-
+ src/shared/condition.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
+index 3393010ff6..5478baca25 100644
+--- a/man/systemd-update-done.service.xml
++++ b/man/systemd-update-done.service.xml
+@@ -50,7 +50,7 @@
+ ConditionNeedsUpdate= (see
+ systemd.unit5)
+ condition to make sure to run when /etc/ or
+- /var/ are older than /usr/
++ /var/ aren't the same age as /usr/
+ according to the modification times of the files described above.
+ This requires that updates to /usr/ are always
+ followed by an update of the modification time of
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index 68fbbf643a..306089cd26 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ * First, compare seconds as they are always accurate...
+ */
+ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
+- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
++ return true;
+
+ /*
+ * ...then compare nanoseconds.
+@@ -780,7 +780,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ * (otherwise the filesystem supports nsec timestamps, see stat(2)).
+ */
+ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
+- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
+
+ _cleanup_free_ char *timestamp_str = NULL;
+ r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str);
+@@ -799,7 +799,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ return true;
+ }
+
+- return timespec_load_nsec(&usr.st_mtim) > timestamp;
++ return timespec_load_nsec(&usr.st_mtim) != timestamp;
+ }
+
+ static int condition_test_first_boot(Condition *c, char **env) {
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch
new file mode 100644
index 0000000000..2b4578bc58
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch
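Review bot: The meaning of `ConditionNeedsUpdate=` changes from "/usr is newer than the timestamp" to "/usr differs from it", so a rollback of /usr now also triggers update-done, but the patch only rewords systemd-update-done.service.xml; systemd.unit(5) documents the same condition, and if that page still says "newer" it should be changed in the same patch. The `First, compare seconds as they are always accurate...` comment kept as context still reads as an ordering check, so a note next to the new `return true;`, `/* any difference counts as a change, not only a newer /usr */`, would make the intent explicit to the next reader. The body of condition_test_needs_update and its other comparisons are outside the hunk.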
@@ -0,0 +1,64 @@
+From 75c683b81fcdb47eaa9aa6c4355ed96296d6d547 Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury
+Date: Thu, 22 Apr 2021 20:08:33 +0530
+Subject: [PATCH 4/8] core: use max for DefaultTasksMax
+
+Since systemd v228, systemd has a DefaultTasksMax which defaulted
+to 512, later 15% of the system's maximum number of PIDs. This
+limit is low and a change in behavior that people running services
+in containers will hit frequently, so revert to previous behavior.
+
+Though later the TasksMax was changed in the a dynamic property to
+accommodate stale values.
+
+This change is built on previous patch by David Michael(dm0-).
+
+Signed-off-by: Sayan Chowdhury
+---
+ man/systemd-system.conf.xml | 2 +-
+ src/core/main.c | 2 +-
+ src/core/system.conf.in | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index 3805a010e2..48d9061d16 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -404,7 +404,7 @@
+ Configure the default value for the per-unit TasksMax= setting. See
+ systemd.resource-control5
+ for details. This setting applies to all unit types that support resource control settings, with the exception
+- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max=
++ of slice units. Defaults to 100% of the minimum of kernel.pid_max=, kernel.threads-max=
+ and root cgroup pids.max.
+ Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores.
+ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915,
+diff --git a/src/core/main.c b/src/core/main.c
+index 57aedb9b93..a8859478a9 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -98,7 +98,7 @@
+ #include
+ #endif
+
+-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */
++#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */
+
+ static enum {
+ ACTION_RUN,
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 96fb64d2c1..7a71efbb0a 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -54,7 +54,7 @@
+ #DefaultBlockIOAccounting=no
+ #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
+ #DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=100%
+ #DefaultLimitCPU=
+ #DefaultLimitFSIZE=
+ #DefaultLimitDATA=
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch
new file mode 100644
index 0000000000..e998f3e37c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch
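Review bot: The man page example kept as context at the top of this line, `For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915,`, is 15% of 32768 and is now stale after the `15%` → `100%` change in the same paragraph; with the new default it should read `DefaultTasksMax= defaults to 32768,` (the following sentence about >32 cores is outside the hunk and may need the same treatment). A 100% default also means one runaway unit can consume the whole pid space, which is exactly what the per-unit TasksMax cap exists to contain, so the commit message should state that operators wanting a limit set `DefaultTasksMax=` in system.conf or `TasksMax=` on the unit. The `#include` lines in the main.c hunk have lost their header names in this rendering, so that context cannot be checked here.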
@@ -0,0 +1,29 @@
+From 170a29c01603c8815edf019bdc0ddc29c986e1a2 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+ src/core/selinux-access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index ad098e99df..8b341184a2 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+
+ #include "selinux-access.h"
+
+-#if HAVE_SELINUX
++#if 0
+
+ #include
+ #include
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch
new file mode 100644
index 0000000000..824afeac28
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch
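Review bot: Turning `#if HAVE_SELINUX` into `#if 0` compiles the non-SELinux branch of selinux-access.c unconditionally, so a build with `USE=selinux` (the ebuild still passes `$(meson_native_use_bool selinux)`) links libselinux and advertises SELinux support while the manager's per-method D-Bus access checks are presumably no-ops, leaving uid and polkit checks as the only authorization for unit operations. The patch description explains the container-only rationale, but nothing in the ebuild or USE flag description says so; a comment next to the PATCHES entry for this file (outside this hunk), such as `# Disables SELinux access checks on the manager's D-Bus API (src/core/selinux-access.c); USE=selinux does not enforce them`, would prevent surprise for anyone enabling the flag. Whether file-labeling helpers elsewhere in systemd are affected cannot be told from this hunk and is worth confirming in that comment.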
@@ -0,0 +1,84 @@ +From 8f007876ee3ac88087a8b24c252e9187e754c880 Mon Sep 17 00:00:00 2001 +From: Sayan Chowdhury +Date: Wed, 8 Sep 2021 12:10:35 +0530 +Subject: [PATCH 6/8] core: handle lookup paths being symlinks + +With a recent change paths leaving the statically known lookup paths +would be treated differently then those that remained within those. That +was done (AFAIK) to consistently handle alias names. Unfortunately that +means that on some distributions, especially those where /etc/ consists +mostly of symlinks, would trigger that new detection for every single +unit in /etc/systemd/system. The reason for that is that the units +directory itself is already a symlink. + +Original Patch from: https://github.com/systemd/systemd/pull/20479 + +Signed-off-by: Sayan Chowdhury +--- + src/basic/unit-file.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c +index faea92f66d..b024df21a9 100644 +--- a/src/basic/unit-file.c ++++ b/src/basic/unit-file.c +@@ -280,6 +280,7 @@ int unit_file_build_name_map( + + _cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL; + _cleanup_set_free_free_ Set *paths = NULL; ++ _cleanup_strv_free_ char **expanded_search_paths = NULL; + uint64_t timestamp_hash; + char **dir; + int r; +@@ -299,6 +300,34 @@ int unit_file_build_name_map( + return log_oom(); + } + ++ /* Go over all our search paths, chase their symlinks and store the ++ * result in the expanded_search_paths list. ++ * ++ * This is important for cases where any of the unit directories itself ++ * are symlinks into other directories and would therefore cause all of ++ * the unit files to be recognized as linked units. ++ * ++ * This is important for distributions such as NixOS where most paths ++ * in /etc/ are symlinks to some other location on the filesystem (e.g. ++ * into /nix/store/). 
++ */ ++ STRV_FOREACH(dir, (char**) lp->search_path) { ++ _cleanup_free_ char *resolved_dir = NULL; ++ r = strv_extend(&expanded_search_paths, *dir); ++ if (r < 0) ++ return log_oom(); ++ ++ r = chase_symlinks(*dir, NULL, 0, &resolved_dir, NULL); ++ if (r < 0) { ++ if (r != -ENOENT) ++ log_warning_errno(r, "Failed to resolve symlink %s, ignoring: %m", *dir); ++ continue; ++ } ++ ++ if (strv_consume(&expanded_search_paths, TAKE_PTR(resolved_dir)) < 0) ++ return log_oom(); ++ } ++ + STRV_FOREACH(dir, (char**) lp->search_path) { + _cleanup_closedir_ DIR *d = NULL; + +@@ -424,11 +453,11 @@ int unit_file_build_name_map( + continue; + } + +- /* Check if the symlink goes outside of our search path. ++ /* Check if the symlink goes outside of our (expanded) search path. + * If yes, it's a linked unit file or mask, and we don't care about the target name. + * Let's just store the link source directly. + * If not, let's verify that it's a good symlink. */ +- char *tail = path_startswith_strv(simplified, lp->search_path); ++ char *tail = path_startswith_strv(simplified, expanded_search_paths); + if (!tail) { + log_debug("%s: linked unit file: %s → %s", + __func__, filename, simplified); +-- +2.35.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch new file mode 100644 index 0000000000..7e46a13015 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch 
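Review bot: The expansion loop appends `*dir` via `strv_extend` and then the chased result via `strv_consume` on every iteration, so for search paths that are not symlinks `expanded_search_paths` holds each entry twice; guarding the second append with `if (!path_equal(resolved_dir, *dir))` keeps the list tight and the later `path_startswith_strv` scans shorter. The `-ENOENT` case is skipped silently while other errors warn, yet a search path that could not be resolved now also changes how units below it are classified (linked vs. alias), so a `log_debug_errno(r, "Search path %s does not exist, skipping.", *dir);` in that branch would help when an unexpected "linked unit file" result is being diagnosed. `unit_file_build_name_map` starts and ends outside this hunk.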
@@ -0,0 +1,93 @@ +From 925d668d820d728ec58e470fd64cdff1504d8e04 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Fri, 21 Jan 2022 19:17:11 +0100 +Subject: [PATCH 7/8] Revert "getty: Pass tty to use by agetty via stdin" + +This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. + +This is to work around a SELinux denial that happens when setting up standard +input for serial consoles (which is used for SSH connections). +--- + units/console-getty.service.in | 4 +--- + units/container-getty@.service.in | 4 +--- + units/getty@.service.in | 4 +--- + units/serial-getty@.service.in | 4 +--- + 4 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/units/console-getty.service.in b/units/console-getty.service.in +index 73871d6f50..bb67541dce 100644 +--- a/units/console-getty.service.in ++++ b/units/console-getty.service.in +@@ -23,12 +23,10 @@ ConditionPathExists=/dev/console + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM + Type=idle + Restart=always + UtmpIdentifier=cons +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/console + TTYReset=yes + TTYVHangup=yes +diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in +index a6e3f94e2a..ed1eb7bde1 100644 +--- a/units/container-getty@.service.in ++++ b/units/container-getty@.service.in +@@ -28,13 +28,11 @@ Before=rescue.service + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. 
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=pts/%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/pts/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/getty@.service.in b/units/getty@.service.in +index 21d66f9367..78deb7cffe 100644 +--- a/units/getty@.service.in ++++ b/units/getty@.service.in +@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0 + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in +index 2433124c55..bb7af3105d 100644 +--- a/units/serial-getty@.service.in ++++ b/units/serial-getty@.service.in +@@ -33,12 +33,10 @@ Before=rescue.service + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM + Type=idle + Restart=always + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +-- +2.35.1 + 
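Review bot: The patch description justifies the revert with "a SELinux denial that happens when setting up standard input for serial consoles" but does not record the denied permission, the source/target contexts or the policy bug it tracks, so nobody can later tell when the revert can be dropped; add a sentence such as `Denial seen: <AVC source context> -> <target context> class <class> permission <perm>; tracked at <issue placeholder>.` with the real values filled in. The change also removes `StandardInput=tty`/`StandardOutput=tty` from all four getty units (console, container, virtual and serial), not only serial-getty@, which the description should state since it is wider than the stated serial-console scope. Routing around a policy denial by reverting upstream behaviour is normally a stopgap; the durable fix is the missing allow rule in the policy module, and the description should say which of the two this is meant to be.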
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch index 035fac7eaf..a1f9295f38 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch @@ -1,7 +1,8 @@ -From 513429b47f0852d17ba721ad5d55baa985f48ddb Mon Sep 17 00:00:00 2001 +From c8d3f9b0f4964115c518eb009b17f026ad356ade Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 7 Feb 2022 17:39:23 +0100 -Subject: [PATCH] networkd: disable managing of foreign routes/rules by default +Subject: [PATCH 8/8] networkd: disable managing of foreign routes/rules by + default While systemd-networkd follows the principle of a declarative network configuration and thus needs a way to ensure that unwanted routes or @@ -29,11 +30,11 @@ https://github.com/flatcar-linux/Flatcar/issues/620 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c -index 374d27bef3..deb46e4a15 100644 +index 7e89366ae8..714ee5c226 100644 --- a/src/network/networkd-manager.c 
+++ b/src/network/networkd-manager.c -@@ -383,8 +383,8 @@ int manager_new(Manager **ret) { - *m = (Manager) { +@@ -471,8 +471,8 @@ int manager_new(Manager **ret, bool test_mode) { + .test_mode = test_mode, .speed_meter_interval_usec = SPEED_METER_DEFAULT_TIME_INTERVAL, .online_state = _LINK_ONLINE_STATE_INVALID, - .manage_foreign_routes = true, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset new file mode 100644 index 0000000000..d2545d5d1d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset @@ -0,0 +1,2 @@ +# Do not enable any services if /etc is detected as empty. +disable * diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf deleted file mode 100644 index 91dbe757f9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf +++ /dev/null @@ -1,27 +0,0 @@ -# Sample nss configuration for systemd - -# systemd-specific modules -# See the manual pages fore further information. -# nss-myhostname - host resolution for the local hostname -# nss-mymachines - host, user, group resolution for containers -# nss-resolve - host resolution using resolved -# nss-systemd - dynamic user/group resolution (DynamicUser in unit files) - -passwd: files mymachines systemd -shadow: files -group: files mymachines systemd -gshadow: files - -hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname -networks: files - -services: db files -protocols: db files -rpc: db files -ethers: db files -netmasks: files -netgroup: files -bootparams: files - -automount: files -aliases: files 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf new file mode 100644 index 0000000000..c4f06a17f7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf @@ -0,0 +1,19 @@ +# The list of directories is taken from Gentoo ebuild, where they use +# keepdir. The list isn't sorted, but tries to preserve the order of +# keepdir lines from Gentoo ebuild for easier comparisons. We skip the +# directories in /usr, though. +d /etc/binfmt.d - - - - - +d /etc/modules-load.d - - - - - +d /etc/tmpfiles.d - - - - - +d /etc/kernel/install.d - - - - - +d /etc/systemd/network - - - - - +d /etc/systemd/system - - - - - +d /etc/systemd/user - - - - - +d /etc/udev/rules.d - - - - - +d /etc/udev/hwdb.d - - - - - +d /var/lib/systemd - - - - - +d /var/log/journal - - - - - +d /etc/sysctl.d - - - - - + +# This seems to be our own addition. +d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf new file mode 100644 index 0000000000..32b7e9d214 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf @@ -0,0 +1,2 @@ +d /run/systemd/network - - - - - +L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam deleted file mode 100644 index 38ae3211f8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam +++ /dev/null 
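Review bot: `d /var/log/journal - - - - -` leaves mode and ownership at the tmpfiles defaults, while the ebuild's install step in this same series sets that directory to `2755 root:systemd-journal`; spelling the intent out as `d /var/log/journal 2755 root systemd-journal - -` keeps the two sources of truth in agreement and makes the setgid/group restriction visible where an operator would look for it. `/var/log/journal/remote` names its owner but leaves the mode at the default; if remote journals are not meant to be world-readable, the mode belongs on that line as well. I have not verified whether the installed systemd-tmpfiles adjusts an existing directory when the mode and owner fields are `-`, which is one more reason to write them explicitly.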
@@ -1,5 +0,0 @@ -account include system-auth - -session required pam_loginuid.so -session include system-auth -session optional pam_systemd.so diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild index 0d675fb078..72d45b2eab 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild @@ -20,10 +20,13 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + # Flatcar: Stabilize for amd64 and arm64. + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" fi -inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev usr-ldscript +# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript. +# Adding tmpfiles, since we use it for installing some files. +inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles DESCRIPTION="System and service manager for Linux" HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" @@ -141,8 +144,9 @@ RDEPEND="${COMMON_DEPEND} " # sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +# +# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped. PDEPEND=">=sys-apps/dbus-1.9.8[systemd] - >=sys-fs/udev-init-scripts-34 policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" 
@@ -237,6 +241,15 @@ src_prepare() { # Add local patches here PATCHES+=( + # Flatcar: Adding our own patches here. + "${FILESDIR}/0001-wait-online-set-any-by-default.patch" + "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0006-core-handle-lookup-paths-being-symlinks.patch" + "${FILESDIR}/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" + "${FILESDIR}/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch" ) if ! use vanilla; then @@ -247,6 +260,21 @@ src_prepare() { ) fi + # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., + # CoreDNS which has dnsPolicy "default", but unless the + # kubelet --resolv-conf flag is set to point to + # /run/systemd/resolve/resolv.conf this won't work with + # /etc/resolv.conf pointing to + # /run/systemd/resolve/stub-resolv.conf which configures + # 127.0.0.53. See + # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + # This means that users who need split DNS to work should + # point /etc/resolv.conf back to + # /run/systemd/resolve/stub-resolv.conf (and if using K8s + # configure the kubelet resolvConf variable/--resolv-conf flag + # to /run/systemd/resolve/resolv.conf). + sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die + default } 
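Review bot: The `sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die` only fails when sed itself errors, not when the pattern is absent, so an upstream edit to etc.conf.in would silently leave /etc/resolv.conf pointing at the stub again; add `grep -q 'resolve/stub-resolv.conf' tmpfiles.d/etc.conf.in || die "stub-resolv.conf rule not found in tmpfiles.d/etc.conf.in"` before the sed. The long comment covers the split-DNS consequence but not that /run/systemd/resolve/resolv.conf lists the upstream servers directly, so applications that read /etc/resolv.conf themselves bypass resolved and any DNSSEC or DNS-over-TLS settings configured there; one sentence noting that completes the trade-off. `src_prepare` starts and ends outside this hunk.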
@@ -259,17 +287,23 @@ src_configure() { multilib-minimal_src_configure } +# Flatcar: Our function, we use it in some places below. +get_rootprefix() { + usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" +} + multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" - -Dsupport-url="https://gentoo.org/support/" + # Flatcar: Point to our user mailing list. + -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" # make sure we get /bin:/sbin in PATH $(meson_use split-usr) -Dsplit-bin=true - -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" + -Drootprefix="$(get_rootprefix)" -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" # Avoid infinite exec recursion, bug 642724 -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" @@ -313,9 +347,11 @@ multilib_src_configure() { $(meson_native_use_bool tpm tpm2) $(meson_native_use_bool test dbus) $(meson_native_use_bool xkb xkbcommon) - -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Flatcar: Use our ntp servers. + -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false + # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options 
@@ -338,6 +374,41 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) + + # Flatcar: Specify this, or meson breaks due to no + # /etc/login.defs. + -Dsystem-gid-max=999 + -Dsystem-uid-max=999 + + # Flatcar: DBus paths. + -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" + -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" + + # Flatcar: PAM config directory. + -Dpamconfdir=/usr/share/pam.d + + # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC + # 2013. Used by timesyncd as a sanity check for the + # minimum acceptable time. Explicitly set to avoid + # using the current build time. + -Dtime-epoch=1372636800 + + # Flatcar: No default name servers. + -Ddns-servers= + + # Flatcar: Disable the "First Boot Wizard", it isn't + # very applicable to us. + -Dfirstboot=false + + # Flatcar: Set latest network interface naming scheme + # for + # https://github.com/flatcar-linux/Flatcar/issues/36 + -Ddefault-net-naming-scheme=latest + + # Flatcar: Unported options, still needed? + -Defi-cc="$(tc-getCC)" + -Dquotaon-path=/usr/sbin/quotaon + -Dquotacheck-path=/usr/sbin/quotacheck ) meson_src_configure "${myconf[@]}" @@ -355,7 +426,9 @@ multilib_src_install_all() { mv "${ED}"/usr/share/doc/{systemd,${PF}} || die einstalldocs - dodoc "${FILESDIR}"/nsswitch.conf + # Flatcar: Do not install sample nsswitch.conf, we don't + # provide it. + # dodoc "${FILESDIR}"/nsswitch.conf if ! use resolvconf; then rm -f "${ED}${rootprefix}"/sbin/resolvconf || die 
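Review bot: `-Ddefault-net-naming-scheme=latest` is resolved at build time to whatever scheme the bundled systemd release considers newest, so a later version bump can rename interfaces on existing machines and silently detach firewall or networkd configuration keyed on the old names; pinning the named scheme that the current release maps `latest` to, and bumping it deliberately, makes that change reviewable. `-Dpamconfdir=/usr/share/pam.d` and the two quota paths omit `${EPREFIX}` while the neighbouring dbus paths include it; either may be intended, but the block should be consistent. The `-Dtime-epoch=1372636800` comment should also record the trade-off it makes: a fixed 2013 epoch keeps the build reproducible but gives timesyncd a far weaker lower bound for clock plausibility than a build-time epoch would. `multilib_src_configure` starts and ends outside this hunk.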
@@ -377,26 +450,30 @@ multilib_src_install_all() { # https://bugs.gentoo.org/761763 rm -r "${ED}"/usr/lib/sysusers.d || die - # Preserve empty dirs in /etc & /var, bug #437008 - keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/kernel/install.d - keepdir /etc/systemd/{network,system,user} - keepdir /etc/udev/rules.d + # Flatcar: Upstream uses keepdir commands to keep some empty + # directories. We use tmpfiles. + # # Preserve empty dirs in /etc & /var, bug #437008 + # keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + # keepdir /etc/kernel/install.d + # keepdir /etc/systemd/{network,system,user} + # keepdir /etc/udev/rules.d + # + # keepdir /etc/udev/hwdb.d + # + # keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + # keepdir /usr/lib/{binfmt.d,modules-load.d} + # keepdir /usr/lib/systemd/user-generators + # keepdir /var/lib/systemd + # keepdir /var/log/journal - keepdir /etc/udev/hwdb.d + # Flatcar: No migrations happening here. + # # Symlink /etc/sysctl.conf for easy migration. + # dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf - keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} - keepdir /usr/lib/{binfmt.d,modules-load.d} - keepdir /usr/lib/systemd/user-generators - keepdir /var/lib/systemd - keepdir /var/log/journal - - # Symlink /etc/sysctl.conf for easy migration. - dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf - - if use pam; then - newpamd "${FILESDIR}"/systemd-user.pam systemd-user - fi + # Flatcar: Do not install a pam policy, we have our own. + # if use pam; then + # newpamd "${FILESDIR}"/systemd-user.pam systemd-user + # fi if use split-usr; then # Avoid breaking boot/reboot 
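Review bot: The comment says the dropped `keepdir` calls are replaced by tmpfiles, but the systemd-flatcar.conf added in this series states that it skips directories under /usr, so `"${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}`, `/usr/lib/{binfmt.d,modules-load.d}` and `/usr/lib/systemd/user-generators` are now kept by neither mechanism unless the upstream install already populates them; please confirm and either restore those three `keepdir` lines or extend the comment with why they are unnecessary. The same comment would benefit from naming the file that took over, e.g. `# Flatcar: /etc and /var directories are created via tmpfiles (files/systemd-flatcar.conf); /usr directories are expected from the upstream install.` `multilib_src_install_all` starts and ends outside this hunk.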
@@ -414,7 +491,112 @@ multilib_src_install_all() { doins "${FILESDIR}/00-hostnamed-network-user.conf" fi - gen_usr_ldscript -a systemd udev + # Flatcar: gen_usr_ldscript is likely for static libs, so we + # dropped it. + # gen_usr_ldscript -a systemd udev + + # Flatcar: Ensure journal directory has correct ownership/mode + # in inital image. This is fixed by systemd-tmpfiles *but* + # journald starts before that and will create the journal if + # the filesystem is already read-write. Conveniently the + # systemd Makefile sets this up completely wrong. + # + # Flatcar: TODO: Is this still a problem? + dodir /var/log/journal + fowners root:systemd-journal /var/log/journal + fperms 2755 /var/log/journal + + # Flatcar: Don't prune systemd dirs. + dotmpfiles "${FILESDIR}"/systemd-flatcar.conf + # Flatcar: Add tmpfiles rule for resolv.conf. This path has + # changed after v213 so it must be handled here instead of + # baselayout now. + dotmpfiles "${FILESDIR}"/systemd-resolv.conf + + # Flatcar: Don't default to graphical.target. + local unitdir=$(builddir_systemd_get_systemunitdir) + dosym multi-user.target "${unitdir}"/default.target + + # Flatcar: Don't set any extra environment variables by default. + rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + + # Flatcar: These lines more or less follow the systemd's + # preset file (90-systemd.preset). We do it that way, to avoid + # putting symlinks in /etc. Please keep the lines in the same + # order as the "enable" lines appear in the preset file. For a + # single enable line in preset, there may be more lines if the + # unit file had Also: clause which has units we enable here + # too. 
+ + # Flatcar: enable remote-fs.target + builddir_systemd_enable_service multi-user.target remote-fs.target + # Flatcar: enable remote-cryptsetup.target + if use cryptsetup; then + builddir_systemd_enable_service multi-user.target remote-cryptsetup.target + fi + # Flatcar: enable machines.target + builddir_systemd_enable_service multi-user.target machines.target + # Flatcar: enable getty@.service + dodir "${unitdir}/getty.target.wants" + dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" + # Flatcar: enable systemd-timesyncd.service + builddir_systemd_enable_service sysinit.target systemd-timesyncd.service + # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) + builddir_systemd_enable_service multi-user.target systemd-networkd.service + builddir_systemd_enable_service sockets.target systemd-networkd.socket + builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service + # Flatcar: enable systemd-network-generator.service + builddir_systemd_enable_service sysinit.target systemd-network-generator.service + # Flatcar: enable systemd-resolved.service + builddir_systemd_enable_service multi-user.target systemd-resolved.service + # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) + if use homed; then + builddir_systemd_enable_service multi-user.target systemd-homed.target + fi + # Flatcar: enable systemd-userdbd.socket + builddir_systemd_enable_service sockets.target systemd-userdbd.socket + # Flatcar: enable systemd-pstore.service + builddir_systemd_enable_service sysinit.target systemd-pstore.service + # Flatcar: enable systemd-boot-update.service + if use gnuefi; then + builddir_systemd_enable_service sysinit.target systemd-boot-update.service + fi + # Flatcar: enable reboot.target (not enabled - has no WantedBy + # entry) + + # Flatcar: Use an empty preset file, because systemctl + # preset-all 
puts symlinks in /etc, not in /usr. We don't use + # /etc, because it is not autoupdated. We do the "preset" above. + rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die + insinto $(usex split-usr '' /usr)/lib/systemd/system-preset + doins "${FILESDIR}"/99-default.preset + + # Flatcar: Do not ship distro-specific files (nsswitch.conf + # pam.d). This conflicts with our own configuration provided + # by baselayout. + rm -rf "${ED}"/usr/share/factory + sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ + -e '/^C!* \/etc\/nsswitch\.conf/d' \ + -e '/^C!* \/etc\/pam\.d/d' \ + -e '/^C!* \/etc\/issue/d' +} + +# Flatcar: Our own version of systemd_get_systemunitdir, that returns +# a path inside /usr, not /etc. +builddir_systemd_get_systemunitdir() { + echo "$(get_rootprefix)/lib/systemd/system" +} + +# Flatcar: Our own version of systemd_enable_service, that does +# operations inside /usr, not /etc. +builddir_systemd_enable_service() { + local target=${1} + local service=${2} + local ud=$(builddir_systemd_get_systemunitdir) + local destname=${service##*/} + + dodir "${ud}"/"${target}".wants && \ + dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" } migrate_locale() { 
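Review bot: The final `sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf -e ...` has no `|| die`, unlike every other mutating step in this function, so a sed failure would leave `C` lines pointing at the /usr/share/factory tree removed on the line above and surface only as systemd-tmpfiles warnings at boot; add `|| die` and, if no other `C` entries are expected, follow it with `grep -q '^C' "${ED}"/usr/lib/tmpfiles.d/etc.conf && die "unexpected factory copy rule left in etc.conf"` so new upstream entries are caught at build time. The `use homed` branch enables `systemd-homed.target` while its own comment speaks of `systemd-homed.service`; if no such target unit exists the `dosym` creates a dangling wants-link, so please confirm the unit name. The preset removal and `insinto` repeat `$(usex split-usr '' /usr)` although `get_rootprefix` was introduced in this commit for exactly that purpose; using `"${unitdir%/system}"/system-preset` would keep a single definition of the root prefix.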
@@ -492,13 +674,15 @@ pkg_postinst() { # between OpenRC & systemd migrate_locale - if [[ -z ${REPLACING_VERSIONS} ]]; then - if type systemctl &>/dev/null; then - systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - fi - elog "To enable a useful set of services, run the following:" - elog " systemctl preset-all --preset-mode=enable-only" - fi + # Flatcar: We enable getty and remote-fs targets in /usr + # ourselves above. + # if [[ -z ${REPLACING_VERSIONS} ]]; then + # if type systemctl &>/dev/null; then + # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + # fi + # elog "To enable a useful set of services, run the following:" + # elog " systemctl preset-all --preset-mode=enable-only" + # fi if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync" From e349d36ba679ba6a9cd7a9381c3fe76bc20918eb Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 24 Jan 2022 16:47:12 +0100 Subject: [PATCH 3/6] profiles: Update systemd use flags - Consolidate them (so enabling selinux and disabling hybrid cgroups was moved). - Remove outdated masks (arm64 does not mask any use flags any more) and use flags (ssl was replaced in favor of +openssl and gnutls, introspection is gone). - Add gnuefi (for bootctl, earlier it was built if we requested general efi support, now it's built when support also for gnu-efi is requested). --- .../profiles/coreos/arm64/package.use.force | 2 -- .../profiles/coreos/arm64/package.use.mask | 3 --- .../coreos-overlay/profiles/coreos/base/package.use | 10 ++++------ 3 files changed, 4 insertions(+), 11 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force index cc901cedad..72862a71e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force 
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force @@ -1,5 +1,3 @@ -sys-apps/systemd -introspection - # Matt Turner (2020-03-28) # wget is the default FETCHCOMMAND, and most distfiles are distributed via # HTTPS. Bug #611072 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask index 97d928a576..91f11200ab 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask @@ -1,5 +1,2 @@ # This fails from -Werror=implicit-fallthrough, and it's disabled in the SDK. sys-devel/gcc sanitize - -# Undo Gentoo masking all this on arm64. -sys-apps/systemd -cryptsetup -http -policykit -qrcode -xkb diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 3336776b96..59f209a20e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -28,8 +28,10 @@ net-analyzer/nmap ncat -system-lua # removes mta dependencies app-admin/sudo -sendmail -# use lzma which is the default on non-gentoo systems, avoid pulling in gnutls -sys-apps/systemd build curl gcrypt idn libidn2 lzma -ssl +# use lzma which is the default on non-gentoo systems, use gnuefi for +# bootctl, enable selinux, disable hybrid cgroup as we use the unified +# mode now +sys-apps/systemd build curl idn lzma gnuefi selinux -cgroup-hybrid net-libs/libmicrohttpd -ssl # disable kernel config detection and module building 
@@ -85,7 +87,6 @@ sys-fs/btrfs-progs -zstd # Enable SELinux for all targets coreos-base/coreos selinux sys-apps/dbus selinux -sys-apps/systemd selinux # Enable SELinux for coreutils sys-apps/coreutils selinux @@ -127,9 +128,6 @@ net-firewall/iptables nftables # Install `perl` with a minimal set of dependencies dev-lang/perl minimal -# Disable cgroup-hybrid as we use the unified mode -sys-apps/systemd -cgroup-hybrid - # Remove support for GObject introspection sys-auth/polkit -introspection From d3ccff1f01a950a511bde066820f76e44ac805ce Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 24 Jan 2022 17:03:29 +0100 Subject: [PATCH 4/6] changelog: Add entries --- .../coreos-overlay/changelog/security/2022-01-24-systemd-250.md | 1 + .../changelog/updates/2022-01-24-systemd-250-update.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md new file mode 100644 index 0000000000..db779a8f8c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-24-systemd-250.md @@ -0,0 +1 @@ +- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md new file mode 100644 index 0000000000..5d19a6ac7f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-24-systemd-250-update.md @@ -0,0 +1 @@ +- systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3)) 
From f186c4720d2e3f5f63c6bf8a800aeab0cccbcf79 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 14 Feb 2022 15:26:41 +0100 Subject: [PATCH 5/6] sys-apps/baselayout: Bump Add missing entries to passwd and group. Updated netperf needs netperf user and group. Updated systemd needs various systemd users and groups. Dnsmasq also seems to require its own user/group. All this is added to prevent systemd-sysusers adding these to /etc/passwd. And systemd-sysusers adds these, because the updated user/group eclass in portage-stable now drops configuration files into /usr/lib/sysusers.d. Maybe at some point we will switch over to (patched?) systemd-sysusers, so this catch-up game won't be necessary, but we are not there yet. --- .../{baselayout-3.6.8-r4.ebuild => baselayout-3.6.8-r5.ebuild} | 0 .../coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/{baselayout-3.6.8-r4.ebuild => baselayout-3.6.8-r5.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r5.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r5.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild index b432b9f7b0..a2d31c2cfd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild 
@@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="cc1be682dbd539eb4d39569531bfe548bdfb3809" # flatcar-master + CROS_WORKON_COMMIT="c0871373412a3efb3c94b03825b64025f4f0c0fc" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From b8505e5d898b05817795297cdb5941fb3399a212 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 14 Feb 2022 16:26:51 +0100 Subject: [PATCH 6/6] profiles: Override UIDs and GIDs where we differ grom Gentoo These mostly are UIDs and GIDs that we have allocated before we picked up changes from Gentoo. --- .../coreos/targets/generic/make.defaults | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults index 65c384a9c2..b5de90b253 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults @@ -73,3 +73,26 @@ INSTALL_MASK="${INSTALL_MASK} INSTALL_MASK="${INSTALL_MASK} /usr/bin/cvtsudoers " + +# Override UIDs and GIDs where ours differ from Gentoo defaults. +ACCT_GROUP_DIALOUT_ID=249 +ACCT_GROUP_INPUT_ID=28 +ACCT_GROUP_MESSAGEBUS_ID=201 +ACCT_USER_MESSAGEBUS_ID=201 +ACCT_GROUP_NTP_ID=203 +ACCT_USER_NTP_ID=203 +ACCT_GROUP_POLKITD_ID=235 +ACCT_USER_POLKITD_ID=235 +ACCT_GROUP_RENDER_ID=30 +ACCT_GROUP_SSHD_ID=204 +ACCT_USER_SSHD_ID=204 +ACCT_GROUP_SYSTEMD_JOURNAL_ID=248 +ACCT_GROUP_SYSTEMD_JOURNAL_REMOTE_ID=242 +ACCT_USER_SYSTEMD_JOURNAL_REMOTE_ID=242 +ACCT_GROUP_SYSTEMD_NETWORK_ID=244 +ACCT_USER_SYSTEMD_NETWORK_ID=244 +ACCT_GROUP_SYSTEMD_RESOLVE_ID=245 +ACCT_USER_SYSTEMD_RESOLVE_ID=245 +# tss seems to be one of those users with a mismatching UID/GID +ACCT_GROUP_TSS_ID=252 +ACCT_USER_TSS_ID=236
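Review bot: These `ACCT_*_ID` values are preferences, not guarantees: as I read the Gentoo acct-user/acct-group eclasses, a preferred ID that is already taken is replaced by the next free one unless `ACCT_USER_ENFORCE_ID`/`ACCT_GROUP_ENFORCE_ID` is set, which would let an image end up with an ID that disagrees with the matching /etc/passwd and /etc/group entries baselayout ships in patch 5/6. Adding `ACCT_USER_ENFORCE_ID=1` and `ACCT_GROUP_ENFORCE_ID=1` next to these overrides turns such a collision into a build failure, assuming the eclass copy in portage-stable carries that option. The `tss` comment ("seems to be one of those users with a mismatching UID/GID") reads as uncertainty; if the mismatch is the pre-existing allocation being preserved, say so, e.g. `# tss: UID 236 / GID 252 differ on purpose, preserving the IDs already shipped in baselayout.`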