Merge pull request #1579 from flatcar-linux/krnowak/systemd-250

sys-apps/systemd: Update to 250.3
Krzesimir Nowak 2022-02-15 17:46:03 +01:00 committed by GitHub
commit 26f624cb8d
28 changed files with 477 additions and 197 deletions


@ -0,0 +1 @@
- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))


@ -0,0 +1 @@
- systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3))


@ -1,5 +1,3 @@
sys-apps/systemd -introspection
# Matt Turner <mattst88@gentoo.org> (2020-03-28)
# wget is the default FETCHCOMMAND, and most distfiles are distributed via
# HTTPS. Bug #611072


@ -1,5 +1,2 @@
# This fails from -Werror=implicit-fallthrough, and it's disabled in the SDK.
sys-devel/gcc sanitize
# Undo Gentoo masking all this on arm64.
sys-apps/systemd -cryptsetup -http -policykit -qrcode -xkb


@ -28,8 +28,10 @@ net-analyzer/nmap ncat -system-lua
# removes mta dependencies
app-admin/sudo -sendmail
# use lzma which is the default on non-gentoo systems, avoid pulling in gnutls
sys-apps/systemd build curl gcrypt idn libidn2 lzma -ssl
# use lzma which is the default on non-gentoo systems, use gnuefi for
# bootctl, enable selinux, disable hybrid cgroup as we use the unified
# mode now
sys-apps/systemd build curl idn lzma gnuefi selinux -cgroup-hybrid
net-libs/libmicrohttpd -ssl
# disable kernel config detection and module building
@ -85,7 +87,6 @@ sys-fs/btrfs-progs -zstd
# Enable SELinux for all targets
coreos-base/coreos selinux
sys-apps/dbus selinux
sys-apps/systemd selinux
# Enable SELinux for coreutils
sys-apps/coreutils selinux
@ -127,9 +128,6 @@ net-firewall/iptables nftables
# Install `perl` with a minimal set of dependencies
dev-lang/perl minimal
# Disable cgroup-hybrid as we use the unified mode
sys-apps/systemd -cgroup-hybrid
# Remove support for GObject introspection
sys-auth/polkit -introspection


@ -73,3 +73,26 @@ INSTALL_MASK="${INSTALL_MASK}
INSTALL_MASK="${INSTALL_MASK}
/usr/bin/cvtsudoers
"
# Override UIDs and GIDs where ours differ from Gentoo defaults.
ACCT_GROUP_DIALOUT_ID=249
ACCT_GROUP_INPUT_ID=28
ACCT_GROUP_MESSAGEBUS_ID=201
ACCT_USER_MESSAGEBUS_ID=201
ACCT_GROUP_NTP_ID=203
ACCT_USER_NTP_ID=203
ACCT_GROUP_POLKITD_ID=235
ACCT_USER_POLKITD_ID=235
ACCT_GROUP_RENDER_ID=30
ACCT_GROUP_SSHD_ID=204
ACCT_USER_SSHD_ID=204
ACCT_GROUP_SYSTEMD_JOURNAL_ID=248
ACCT_GROUP_SYSTEMD_JOURNAL_REMOTE_ID=242
ACCT_USER_SYSTEMD_JOURNAL_REMOTE_ID=242
ACCT_GROUP_SYSTEMD_NETWORK_ID=244
ACCT_USER_SYSTEMD_NETWORK_ID=244
ACCT_GROUP_SYSTEMD_RESOLVE_ID=245
ACCT_USER_SYSTEMD_RESOLVE_ID=245
# tss seems to be one of those users with a mismatching UID/GID
ACCT_GROUP_TSS_ID=252
ACCT_USER_TSS_ID=236
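Review bot: These `ACCT_*_ID` overrides only state a preferred ID, and nothing in this block makes a collision fail the build. As far as I know the acct-user and acct-group eclasses pick another free ID when the requested one is already taken unless `ACCT_USER_ENFORCE_ID` / `ACCT_GROUP_ENFORCE_ID` is set, so a clash could leave a system account (sshd, messagebus, systemd-network, ...) with an ID that differs from the one the image's files are owned by. Consider enabling the enforce variables alongside these overrides, if the eclasses honour them from the profile. The tss comment should also name the source of the 252/236 pair instead of "seems to be", e.g. `# tss: GID 252 and UID 236 differ on purpose, matching <file that defines them>`.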


@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
else
CROS_WORKON_COMMIT="cc1be682dbd539eb4d39569531bfe548bdfb3809" # flatcar-master
CROS_WORKON_COMMIT="c0871373412a3efb3c94b03825b64025f4f0c0fc" # flatcar-master
KEYWORDS="amd64 arm arm64 x86"
fi


@ -1 +1 @@
DIST systemd-stable-249.7.tar.gz 10608252 BLAKE2B a5597c4973b24c962779622cae47dbf8351af49f8cd898d9c16a967c6f3600c6feb293e9b03eab0423b860eef5b04b287185fb9827cb323429d0ab9fc6d809b2 SHA512 4daf8570621fdcda5c94d982908c64eddfeef989005f4fd79a10f199dbc6f366354177bb59dff34bcb14764fb4423a870ffabac1163849ec53592e29760105fc
DIST systemd-stable-250.3.tar.gz 11125151 BLAKE2B 659c39994e76f94407dd9079e28fc644981d3475a0ed440b9895e8f201c3ce1fc47aa8c4d599ad85ed89ddfb6ca8e514aee2a739e93640745cf46647f99efe56 SHA512 81847fb088ff271138b1ea318995a2ca2ee5d4c5d839c9dd81f0210d366198049199d59c49b25ef8783df2c6b8dd9fcdf2d916777788b1a6d42deec9da8e9da5


@ -0,0 +1,6 @@
[Service]
# By running with these options instead of root, networkd is allowed to request
# a hostname change via DBUS when policykit is not present
User=systemd-network
Group=systemd-hostname
AmbientCapabilities=CAP_SYS_ADMIN
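Review bot: `AmbientCapabilities=CAP_SYS_ADMIN` gives the non-root service one of the broadest capabilities, and the comment above it explains neither why it is needed nor what bounds it. Presumably it is there because sethostname(2) requires CAP_SYS_ADMIN; the comment should say so and name the unit this drop-in is installed for, which is not visible in this section. If the target unit does not already restrict it, adding `CapabilityBoundingSet=CAP_SYS_ADMIN` and `NoNewPrivileges=yes` here keeps the service from holding or regaining anything beyond that one capability.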


@ -1,7 +1,7 @@
From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001
From d13deba6bad21e796829b83b00dce03085b0ab14 Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH 1/5] wait-online: set --any by default
Subject: [PATCH 1/8] wait-online: set --any by default
The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are
@ -15,7 +15,7 @@ earlier) for the original implementation.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
index 1b24b6f1a6..dedbd50725 100644
index a679b858fa..3b6dad8d1d 100644
--- a/src/network/wait-online/wait-online.c
+++ b/src/network/wait-online/wait-online.c
@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL;
@ -28,5 +28,5 @@ index 1b24b6f1a6..dedbd50725 100644
STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
--
2.30.2
2.35.1


@ -1,24 +1,24 @@
From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001
From 2a8f5356c608e6f4512ade1b3ce2176f4491bce1 Mon Sep 17 00:00:00 2001
From: Nick Owens <nick.owens@coreos.com>
Date: Tue, 2 Jun 2015 18:22:32 -0700
Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting
---
src/network/networkd-network.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 850b4f449e..951c2d0815 100644
index 873ad2e703..4395dce4e2 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -398,6 +398,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
@@ -458,6 +458,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
.ipv4_accept_local = -1,
+ .ip_forward = _ADDRESS_FAMILY_INVALID,
.ipv4_accept_local = -1,
.ipv4_route_localnet = -1,
.ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
.ipv6_accept_ra = -1,
--
2.30.2
2.35.1


@ -1,7 +1,7 @@
From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001
From 5ba2f094ba91f8f52a4b3c0aca83e2fe344594d8 Mon Sep 17 00:00:00 2001
From: Alex Crawford <alex.crawford@coreos.com>
Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 3/5] needs-update: don't require strictly newer usr
Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
Updates should be triggered whenever usr changes, not only when it is newer.
---
@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
This requires that updates to <filename>/usr/</filename> are always
followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c
index b2ec690bc3..4cf6523b90 100644
index 68fbbf643a..306089cd26 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -593,7 +593,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate...
*/
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@ -35,7 +35,7 @@ index b2ec690bc3..4cf6523b90 100644
/*
* ...then compare nanoseconds.
@@ -604,7 +604,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -780,7 +780,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@ -44,7 +44,7 @@ index b2ec690bc3..4cf6523b90 100644
_cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
@@ -623,7 +623,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -799,7 +799,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true;
}
@ -54,5 +54,5 @@ index b2ec690bc3..4cf6523b90 100644
static int condition_test_first_boot(Condition *c, char **env) {
--
2.26.2
2.35.1


@ -1,7 +1,7 @@
From 3acaafc6fcd34b272e5249c49e498ff7facb564e Mon Sep 17 00:00:00 2001
From 75c683b81fcdb47eaa9aa6c4355ed96296d6d547 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Thu, 22 Apr 2021 20:08:33 +0530
Subject: [PATCH] core: use max for DefaultTasksMax
Subject: [PATCH 4/8] core: use max for DefaultTasksMax
Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This
@ -21,10 +21,10 @@ Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index d39928ec23..4d89a68b16 100644
index 3805a010e2..48d9061d16 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -376,7 +376,7 @@
@@ -404,7 +404,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
@ -34,10 +34,10 @@ index d39928ec23..4d89a68b16 100644
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/main.c b/src/core/main.c
index 0ddd629851..5e25a1b4b7 100644
index 57aedb9b93..a8859478a9 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -91,7 +91,7 @@
@@ -98,7 +98,7 @@
#include <sanitizer/lsan_interface.h>
#endif
@ -47,12 +47,12 @@ index 0ddd629851..5e25a1b4b7 100644
static enum {
ACTION_RUN,
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index fa6fb690c7..1e6df17d94 100644
index 96fb64d2c1..7a71efbb0a 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -55,7 +55,7 @@
@@ -54,7 +54,7 @@
#DefaultBlockIOAccounting=no
#DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=100%
@ -60,6 +60,5 @@ index fa6fb690c7..1e6df17d94 100644
#DefaultLimitFSIZE=
#DefaultLimitDATA=
--
2.30.2
2.35.1


@ -1,7 +1,7 @@
From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001
From 170a29c01603c8815edf019bdc0ddc29c986e1a2 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks
Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy
@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 1d52b5ff04..1653d241f6 100644
index ad098e99df..8b341184a2 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@
@ -25,5 +25,5 @@ index 1d52b5ff04..1653d241f6 100644
#include <errno.h>
#include <selinux/avc.h>
--
2.26.2
2.35.1


@ -1,7 +1,7 @@
From 67d9962aa637401a1332069b6c8ad99a54e2b451 Mon Sep 17 00:00:00 2001
From 8f007876ee3ac88087a8b24c252e9187e754c880 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Wed, 8 Sep 2021 12:10:35 +0530
Subject: [PATCH] core: handle lookup paths being symlinks
Subject: [PATCH 6/8] core: handle lookup paths being symlinks
With a recent change paths leaving the statically known lookup paths
would be treated differently then those that remained within those. That
@ -19,10 +19,10 @@ Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c
index 884a0674a9..3ae2a115d0 100644
index faea92f66d..b024df21a9 100644
--- a/src/basic/unit-file.c
+++ b/src/basic/unit-file.c
@@ -254,6 +254,7 @@ int unit_file_build_name_map(
@@ -280,6 +280,7 @@ int unit_file_build_name_map(
_cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL;
_cleanup_set_free_free_ Set *paths = NULL;
@ -30,7 +30,7 @@ index 884a0674a9..3ae2a115d0 100644
uint64_t timestamp_hash;
char **dir;
int r;
@@ -273,6 +274,34 @@ int unit_file_build_name_map(
@@ -299,6 +300,34 @@ int unit_file_build_name_map(
return log_oom();
}
@ -63,9 +63,9 @@ index 884a0674a9..3ae2a115d0 100644
+ }
+
STRV_FOREACH(dir, (char**) lp->search_path) {
struct dirent *de;
_cleanup_closedir_ DIR *d = NULL;
@@ -351,11 +380,11 @@ int unit_file_build_name_map(
@@ -424,11 +453,11 @@ int unit_file_build_name_map(
continue;
}
@ -80,5 +80,5 @@ index 884a0674a9..3ae2a115d0 100644
log_debug("%s: linked unit file: %s → %s",
__func__, filename, simplified);
--
2.30.2
2.35.1


@ -0,0 +1,93 @@
From 925d668d820d728ec58e470fd64cdff1504d8e04 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 21 Jan 2022 19:17:11 +0100
Subject: [PATCH 7/8] Revert "getty: Pass tty to use by agetty via stdin"
This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
This is to work around a SELinux denial that happens when setting up standard
input for serial consoles (which is used for SSH connections).
---
units/console-getty.service.in | 4 +---
units/container-getty@.service.in | 4 +---
units/getty@.service.in | 4 +---
units/serial-getty@.service.in | 4 +---
4 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index 73871d6f50..bb67541dce 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -23,12 +23,10 @@ ConditionPathExists=/dev/console
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
Type=idle
Restart=always
UtmpIdentifier=cons
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/console
TTYReset=yes
TTYVHangup=yes
diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
index a6e3f94e2a..ed1eb7bde1 100644
--- a/units/container-getty@.service.in
+++ b/units/container-getty@.service.in
@@ -28,13 +28,11 @@ Before=rescue.service
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=pts/%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/pts/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/getty@.service.in b/units/getty@.service.in
index 21d66f9367..78deb7cffe 100644
--- a/units/getty@.service.in
+++ b/units/getty@.service.in
@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
index 2433124c55..bb7af3105d 100644
--- a/units/serial-getty@.service.in
+++ b/units/serial-getty@.service.in
@@ -33,12 +33,10 @@ Before=rescue.service
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
Type=idle
Restart=always
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
--
2.35.1
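Review bot: The patch description does not record the SELinux denial it works around, so nobody can later tell when this revert is safe to drop. Please add the AVC record (source and target context, class, permission) and a tracking reference to the patch message, for example `Denial: <AVC record>` and `Tracked in: <issue URL>`. The description names only serial consoles, yet the revert also touches `console-getty.service.in`, `container-getty@.service.in` and `getty@.service.in`; if those units are not affected by the denial, limiting the change to `serial-getty@.service.in` would keep the carried delta against upstream smaller.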


@ -1,7 +1,8 @@
From 513429b47f0852d17ba721ad5d55baa985f48ddb Mon Sep 17 00:00:00 2001
From c8d3f9b0f4964115c518eb009b17f026ad356ade Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Mon, 7 Feb 2022 17:39:23 +0100
Subject: [PATCH] networkd: disable managing of foreign routes/rules by default
Subject: [PATCH 8/8] networkd: disable managing of foreign routes/rules by
default
While systemd-networkd follows the principle of a declarative network
configuration and thus needs a way to ensure that unwanted routes or
@ -29,11 +30,11 @@ https://github.com/flatcar-linux/Flatcar/issues/620
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index 374d27bef3..deb46e4a15 100644
index 7e89366ae8..714ee5c226 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -383,8 +383,8 @@ int manager_new(Manager **ret) {
*m = (Manager) {
@@ -471,8 +471,8 @@ int manager_new(Manager **ret, bool test_mode) {
.test_mode = test_mode,
.speed_meter_interval_usec = SPEED_METER_DEFAULT_TIME_INTERVAL,
.online_state = _LINK_ONLINE_STATE_INVALID,
- .manage_foreign_routes = true,


@ -1,26 +0,0 @@
From f2c57d4f3805775e0ffdc80ce578eaa737017d31 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Fri, 9 Jul 2021 13:05:23 -0400
Subject: [PATCH] libudev: add "Libs.private: -lrt -pthread" to libudev.pc
This resolves a failure when linking cryptsetup.static against libudev.a.
```
libtool: link: x86_64-pc-linux-gnu-gcc -Wall -O2 -pipe -march=amdfam10 -static -O2 -o cryptsetup.static lib/utils_crypt.o lib/utils_loop.o lib/utils_io.o lib/utils_blkid.o src/utils_tools.o src/utils_password.o src/utils_luks2.o src/utils_blockdev.o src/cryptsetup.o -pthread -pthread -Wl,--as-needed ./.libs/libcryptsetup.a -largon2 -lrt -ljson-c -lpopt -luuid -lblkid -lssl -lcrypto -lz -ldl -ldevmapper -lm -lpthread -ludev -pthread
/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib64/libudev.a(src_libsystemd_sd-daemon_sd-daemon.c.o): in function `sd_is_mq':
(.text.sd_is_mq+0x3a): undefined reference to `mq_getattr'
```
---
src/libudev/libudev.pc.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in
index 89028aaa6bf2..1d6487fa4084 100644
--- a/src/libudev/libudev.pc.in
+++ b/src/libudev/libudev.pc.in
@@ -16,4 +16,5 @@ Name: libudev
Description: Library to access udev device information
Version: {{PROJECT_VERSION}}
Libs: -L${libdir} -ludev
+Libs.private: -lrt -pthread
Cflags: -I${includedir}


@ -0,0 +1,26 @@
From 91182cc273d2dd8325d856fd683d2d8e038abd91 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Tue, 25 Dec 2018 22:52:50 -0500
Subject: [PATCH] path-lookup: look for generators in
/usr/lib/systemd/system-generators
Bug: https://bugs.gentoo.org/625402
---
src/basic/path-lookup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
index 52968dee34..0cb10b1116 100644
--- a/src/basic/path-lookup.c
+++ b/src/basic/path-lookup.c
@@ -798,6 +798,7 @@ char **generator_binary_paths(UnitFileScope scope) {
add = strv_new("/run/systemd/system-generators",
"/etc/systemd/system-generators",
"/usr/local/lib/systemd/system-generators",
+ "/usr/lib/systemd/system-generators",
SYSTEM_GENERATOR_DIR);
break;
--
2.26.1


@ -0,0 +1,40 @@
From 593db1c78011ddce551051ce17eda6feac079b3d Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Fri, 21 Aug 2020 13:16:17 -0400
Subject: [PATCH] journald: do not change the kernel audit setting by default
Bug: https://bugs.gentoo.org/736910
---
man/journald.conf.xml | 2 +-
src/journal/journald-server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index bfd359a903..7e93d4050e 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -411,7 +411,7 @@
<command>systemd-journald</command> collects generated audit records, it just controls whether it
tells the kernel to generate them. This means if another tool turns on auditing even if
<command>systemd-journald</command> left it off, it will still collect the generated
- messages. Defaults to on.</para></listitem>
+ messages.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..163be685a8 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2208,7 +2208,7 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = (uint64_t) -1,
.seal = true,
- .set_audit = true,
+ .set_audit = -1,
.watchdog_usec = USEC_INFINITY,
--
2.28.0
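Review bot: With `.set_audit = -1` in server_init(), journald no longer appears to turn kernel auditing on at start, and the man page hunk drops "Defaults to on." without saying what the default now is. Going by the unchanged man page text above the edit, hosts that relied on journald enabling audit would get no audit records unless another tool enables auditing or `Audit=` is set explicitly, which is a visibility loss for anyone consuming audit events from the journal. I would keep a replacement sentence in `journald.conf.xml`, such as `By default the kernel audit setting is left unchanged.`, and call out the behaviour change in the changelog entry for this update. server_init() continues outside the hunk.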


@ -0,0 +1,25 @@
From d9059d2ef1b0d6034267cc8ff44871d0f82f840f Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sun, 8 Nov 2020 12:34:11 -0500
Subject: [PATCH] systemctl: disable synchronizaion of sysv init scripts
---
src/systemctl/systemctl-sysv-compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c
index 2dca9e480f..5dcf13ba17 100644
--- a/src/systemctl/systemctl-sysv-compat.c
+++ b/src/systemctl/systemctl-sysv-compat.c
@@ -111,7 +111,7 @@ int parse_shutdown_time_spec(const char *t, usec_t *ret) {
int enable_sysv_units(const char *verb, char **args) {
int r = 0;
-#if HAVE_SYSV_COMPAT
+#if 0
_cleanup_(lookup_paths_free) LookupPaths paths = {};
unsigned f = 0;
--
2.29.0


@ -0,0 +1,11 @@
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy group="systemd-hostname">
<allow own="org.freedesktop.hostname1"/>
<allow send_destination="org.freedesktop.hostname1"/>
<allow receive_sender="org.freedesktop.hostname1"/>
</policy>
</busconfig>
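Review bot: This policy grants `own`, `send_destination` and `receive_sender` for org.freedesktop.hostname1 to every process running with group systemd-hostname, and the file carries no comment stating that intent. Any other member of that group could claim the bus name or talk to the service, so the group has to stay reserved for the one service account; presumably that is the service configured with `Group=systemd-hostname` in the drop-in added by this commit. I would add a header comment such as `<!-- Lets the hostname service own org.freedesktop.hostname1 when it runs with Group=systemd-hostname instead of root; keep this group free of other members. -->`.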


@ -1,14 +1,19 @@
# The list of directories is taken from Gentoo ebuild, where they use
# keepdir. The list isn't sorted, but tries to preserve the order of
# keepdir lines from Gentoo ebuild for easier comparisons. We skip the
# directories in /usr, though.
d /etc/binfmt.d - - - - -
d /etc/kernel/install.d - - - - -
d /etc/modules-load.d - - - - -
d /etc/sysctl.d - - - - -
d /etc/systemd - - - - -
d /etc/tmpfiles.d - - - - -
d /etc/kernel/install.d - - - - -
d /etc/systemd/network - - - - -
d /etc/systemd/system - - - - -
d /etc/systemd/user - - - - -
d /etc/tmpfiles.d - - - - -
d /etc/sysusers.d - - - - -
d /etc/udev/hwdb.d - - - - -
d /etc/udev/rules.d - - - - -
d /etc/udev/hwdb.d - - - - -
d /var/lib/systemd - - - - -
d /var/log/journal - - - - -
d /etc/sysctl.d - - - - -
# This seems to be our own addition.
d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - -


@ -1,5 +0,0 @@
account include system-auth
session required pam_loginuid.so
session include system-auth
session optional pam_systemd.so


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>systemd@gentoo.org</email>
@ -17,14 +17,16 @@
<flag name="dns-over-tls">Enable DNS-over-TLS support</flag>
<flag name="gnuefi">Enable EFI boot manager and stub loader (built using <pkg>sys-boot/gnu-efi</pkg>)</flag>
<flag name="elfutils">Enable coredump stacktraces in the journal</flag>
<flag name="fido2">Enable FIDO2 support</flag>
<flag name="gcrypt">Enable sealing of journal files using gcrypt</flag>
<flag name="homed">Enable portable home directories</flag>
<flag name="hostnamed-fallback">Enable setting hostname with networkd/hostnamed without polkit (requires running <pkg>sys-apps/dbus-broker</pkg>)</flag>
<flag name="http">Enable embedded HTTP server in journald</flag>
<flag name="hwdb">Enable support for the hardware database</flag>
<flag name="importd">Enable import daemon</flag>
<flag name="kmod">Enable kernel module loading via <pkg>sys-apps/kmod</pkg></flag>
<flag name="lz4">Enable lz4 compression for the journal</flag>
<flag name="nat">Enable support for network address translation in networkd</flag>
<flag name="openssl">Enable use of <pkg>dev-libs/openssl</pkg></flag>
<flag name="pkcs11">Enable PKCS#11 support for cryptsetup and homed</flag>
<flag name="pwquality">Enable password quality checking in homed</flag>
<flag name="repart">Enable support for growing/adding partitions</flag>


@ -1 +0,0 @@
systemd-9999.ebuild


@ -1,8 +1,11 @@
# Copyright 2011-2021 Gentoo Authors
# Copyright 2011-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
PYTHON_COMPAT=( python3_{6..10} )
PYTHON_COMPAT=( python3_{8..10} )
# Avoid QA warnings
TMPFILES_OPTIONAL=1
if [[ ${PV} == 9999 ]]; then
EGIT_REPO_URI="https://github.com/systemd/systemd.git"
@ -17,33 +20,38 @@ else
MY_P=${MY_PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86"
# Flatcar: Stabilize for amd64 and arm64.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
fi
# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript
TMPFILES_OPTIONAL=1
inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user tmpfiles
# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
# Adding tmpfiles, since we use it for installing some files.
inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles
DESCRIPTION="System and service manager for Linux"
HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
# Flatcar: Dropped static-libs, we don't care about static libraries.
IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd"
IUSE="
acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd +kmod
+lz4 lzma nat +openssl pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd
"
REQUIRED_USE="
homed? ( cryptsetup pam )
importd? ( curl gcrypt lzma )
dns-over-tls? ( || ( gnutls openssl ) )
homed? ( cryptsetup pam openssl )
importd? ( curl lzma || ( gcrypt openssl ) )
policykit? ( !hostnamed-fallback )
pwquality? ( homed )
"
RESTRICT="!test? ( test )"
MINKV="3.11"
OPENSSL_DEP=">=dev-libs/openssl-1.1.0:0="
COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
COMMON_DEPEND="
>=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
sys-libs/libcap:0=[${MULTILIB_USEDEP}]
virtual/libcrypt:=[${MULTILIB_USEDEP}]
acl? ( sys-apps/acl:0= )
@ -51,14 +59,11 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2:0= )
cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
curl? ( net-misc/curl:0= )
dns-over-tls? ( >=net-libs/gnutls-3.6.0:0= )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
fido2? ( dev-libs/libfido2:0= )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
homed? ( ${OPENSSL_DEP} )
http? (
>=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
>=net-libs/gnutls-3.1.4:0=
)
gnutls? ( >=net-libs/gnutls-3.6.0:0= )
http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] )
idn? ( net-dns/libidn2:= )
importd? (
app-arch/bzip2:0=
@ -68,12 +73,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
nat? ( net-firewall/iptables:0= )
openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( app-crypt/p11-kit:0= )
pcre? ( dev-libs/libpcre2 )
pwquality? ( dev-libs/libpwquality:0= )
qrcode? ( media-gfx/qrencode:0= )
repart? ( ${OPENSSL_DEP} )
seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
selinux? ( sys-libs/libselinux:0= )
tpm? ( app-crypt/tpm2-tss:0= )
@ -87,22 +92,39 @@ DEPEND="${COMMON_DEPEND}
gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
"
# Flatcar: We drop a few of the acct-group and acct-user as the gid provided by
# the upstream does not match with the ones we carry in baselayout.
# baselayout-2.2 has /run
RDEPEND="${COMMON_DEPEND}
>=acct-group/adm-0-r1
>=acct-group/wheel-0-r1
>=acct-group/kmem-0-r1
>=acct-group/tty-0-r1
>=acct-group/utmp-0-r1
>=acct-group/audio-0-r1
>=acct-group/cdrom-0-r1
>=acct-group/dialout-0-r1
>=acct-group/disk-0-r1
>=acct-group/input-0-r1
>=acct-group/kvm-0-r1
>=acct-group/lp-0-r1
>=acct-group/render-0-r1
acct-group/sgx
>=acct-group/tape-0-r1
acct-group/users
>=acct-group/video-0-r1
>=acct-group/systemd-journal-0-r1
>=acct-user/root-0-r1
acct-user/nobody
>=acct-user/systemd-journal-remote-0-r1
>=acct-user/systemd-coredump-0-r1
>=acct-user/systemd-network-0-r1
acct-user/systemd-oom
>=acct-user/systemd-resolve-0-r1
>=acct-user/systemd-timesync-0-r1
>=sys-apps/baselayout-2.2
hostnamed-fallback? (
acct-group/systemd-hostname
sys-apps/dbus-broker
)
selinux? ( sec-policy/selinux-base-policy[systemd] )
sysv-utils? (
!sys-apps/openrc[sysv-utils(-)]
@ -163,8 +185,8 @@ pkg_pretend() {
ewarn "See https://bugs.gentoo.org/674458."
fi
local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
local CONFIG_CHECK="~AUTOFS4_FS ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS
~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
@ -177,6 +199,12 @@ pkg_pretend() {
kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES"
kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF"
if kernel_is -lt 5 10 20; then
CONFIG_CHECK+=" ~CHECKPOINT_RESTORE"
else
CONFIG_CHECK+=" ~KCMP"
fi
if linux_config_exists; then
local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH)
if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then
@ -214,26 +242,37 @@ src_prepare() {
# Add local patches here
PATCHES+=(
# Flatcar: Adding our own patches here.
"${FILESDIR}/249-libudev-static.patch"
"${FILESDIR}/0001-networkd-disable-managing-of-foreign-routes-rules-by-default.patch"
"${FILESDIR}/0004-wait-online-set-any-by-default.patch"
"${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
"${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
"${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch"
"${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0009-core-handle-lookup-paths-being-symlinks.patch"
"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0006-core-handle-lookup-paths-being-symlinks.patch"
"${FILESDIR}/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
"${FILESDIR}/0008-networkd-disable-managing-of-foreign-routes-rules-by.patch"
)
# Flatcar: We carry our own patches, we don't use the ones
# from Gentoo. Thus we dropped the `if ! use vanilla` code
# here.
if ! use vanilla; then
PATCHES+=(
"${FILESDIR}/gentoo-generator-path-r2.patch"
"${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch"
"${FILESDIR}/gentoo-journald-audit.patch"
)
fi
# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy "default", but unless
# the kubelet --resolv-conf flag is set to point to /run/systemd/resolve/resolv.conf this won't work with
# /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf which configures 127.0.0.53.
# See https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
# This means that users who need split DNS to work should point /etc/resolv.conf back to /run/systemd/resolve/stub-resolv.conf
# (and if using K8s configure the kubelet resolvConf variable/--resolv-conf flag to /run/systemd/resolve/resolv.conf).
# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
# CoreDNS which has dnsPolicy "default", but unless the
# kubelet --resolv-conf flag is set to point to
# /run/systemd/resolve/resolv.conf this won't work with
# /etc/resolv.conf pointing to
# /run/systemd/resolve/stub-resolv.conf which configures
# 127.0.0.53. See
# https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
# This means that users who need split DNS to work should
# point /etc/resolv.conf back to
# /run/systemd/resolve/stub-resolv.conf (and if using K8s
# configure the kubelet resolvConf variable/--resolv-conf flag
# to /run/systemd/resolve/resolv.conf).
sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die
default
@ -248,6 +287,7 @@ src_configure() {
multilib-minimal_src_configure
}
# Flatcar: Our function, we use it in some places below.
get_rootprefix() {
usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
}
@ -267,6 +307,7 @@ multilib_src_configure() {
-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
# Avoid infinite exec recursion, bug 642724
-Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit"
# no deps
-Dima=true
-Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
# Optional components/dependencies
@ -277,10 +318,11 @@ multilib_src_configure() {
$(meson_native_use_bool curl libcurl)
$(meson_native_use_bool dns-over-tls dns-over-tls)
$(meson_native_use_bool elfutils)
$(meson_native_use_bool fido2 libfido2)
$(meson_use gcrypt)
$(meson_native_use_bool gnuefi gnu-efi)
$(meson_native_use_bool gnutls)
-Defi-includedir="${ESYSROOT}/usr/include/efi"
-Defi-ld="$(tc-getLD)"
-Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
$(meson_native_use_bool homed)
$(meson_native_use_bool http microhttpd)
@ -293,13 +335,13 @@ multilib_src_configure() {
$(meson_use lzma xz)
$(meson_use zstd)
$(meson_native_use_bool nat libiptc)
$(meson_native_use_bool openssl)
$(meson_use pam)
$(meson_native_use_bool pkcs11 p11kit)
$(meson_native_use_bool pcre pcre2)
$(meson_native_use_bool policykit polkit)
$(meson_native_use_bool pwquality)
$(meson_native_use_bool qrcode qrencode)
$(meson_native_use_bool repart)
$(meson_native_use_bool seccomp)
$(meson_native_use_bool selinux)
$(meson_native_use_bool tpm tpm2)
@ -367,8 +409,6 @@ multilib_src_configure() {
-Defi-cc="$(tc-getCC)"
-Dquotaon-path=/usr/sbin/quotaon
-Dquotacheck-path=/usr/sbin/quotacheck
# Flatcar: No static libs.
)
meson_src_configure "${myconf[@]}"
@ -388,6 +428,7 @@ multilib_src_install_all() {
einstalldocs
# Flatcar: Do not install sample nsswitch.conf, we don't
# provide it.
# dodoc "${FILESDIR}"/nsswitch.conf
if ! use resolvconf; then
rm -f "${ED}${rootprefix}"/sbin/resolvconf || die
@ -406,11 +447,33 @@ multilib_src_install_all() {
rmdir "${ED}${rootprefix}"/sbin || die
fi
# https://bugs.gentoo.org/761763
rm -r "${ED}"/usr/lib/sysusers.d || die
# Flatcar: Upstream uses keepdir commands to keep some empty
# directories.
# directories. We use tmpfiles.
# # Preserve empty dirs in /etc & /var, bug #437008
# keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
# keepdir /etc/kernel/install.d
# keepdir /etc/systemd/{network,system,user}
# keepdir /etc/udev/rules.d
#
# Flatcar: TODO: Consider using that instead of
# dotmpfiles "${FILESDIR}"/systemd-flatcar.conf below.
# keepdir /etc/udev/hwdb.d
#
# keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
# keepdir /usr/lib/{binfmt.d,modules-load.d}
# keepdir /usr/lib/systemd/user-generators
# keepdir /var/lib/systemd
# keepdir /var/log/journal
# Flatcar: No migrations happening here.
# # Symlink /etc/sysctl.conf for easy migration.
# dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
# Flatcar: Do not install a pam policy, we have our own.
# if use pam; then
# newpamd "${FILESDIR}"/systemd-user.pam systemd-user
# fi
if use split-usr; then
# Avoid breaking boot/reboot
@ -418,6 +481,20 @@ multilib_src_install_all() {
dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
fi
# workaround for https://github.com/systemd/systemd/issues/13501
if use hostnamed-fallback; then
# this file requires dbus-broker
insinto /usr/share/dbus-1/system.d/
doins "${FILESDIR}/org.freedesktop.hostname1_no_polkit.conf"
insinto "${rootprefix}/lib/systemd/system/systemd-hostnamed.service.d/"
doins "${FILESDIR}/00-hostnamed-network-user.conf"
fi
# Flatcar: gen_usr_ldscript is likely for static libs, so we
# dropped it.
# gen_usr_ldscript -a systemd udev
# Flatcar: Ensure journal directory has correct ownership/mode
# in inital image. This is fixed by systemd-tmpfiles *but*
# journald starts before that and will create the journal if
@ -430,9 +507,6 @@ multilib_src_install_all() {
fperms 2755 /var/log/journal
# Flatcar: Don't prune systemd dirs.
#
# Flatcar: TODO: Upstream probably fixed it in different way -
# it's using some keepdir commands.
dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
# Flatcar: Add tmpfiles rule for resolv.conf. This path has
# changed after v213 so it must be handled here instead of
@ -448,37 +522,47 @@ multilib_src_install_all() {
# Flatcar: These lines more or less follow the systemd's
# preset file (90-systemd.preset). We do it that way, to avoid
# putting symlink in /etc. Please keep the lines in the same
# order as the "enable" lines appear in the preset file.
builddir_systemd_enable_service multi-user.target remote-fs.target
builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
builddir_systemd_enable_service multi-user.target machines.target
# Flatcar: getty@.service is enabled manually below.
builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
builddir_systemd_enable_service multi-user.target systemd-networkd.service
# Flatcar: For systemd-networkd.service, it has it in Also, which also
# needs to be enabled
builddir_systemd_enable_service sockets.target systemd-networkd.socket
# Flatcar: For systemd-networkd.service, it has it in Also, which also
# needs to be enabled
builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
builddir_systemd_enable_service multi-user.target systemd-resolved.service
if use homed; then
builddir_systemd_enable_service multi-user.target systemd-homed.target
# Flatcar: systemd-homed.target has
# Also=systemd-userdbd.service, but the service has no
# WantedBy entry. It's likely going to be executed through
# systemd-userdbd.socket, which is enabled in upstream's
# presets file.
builddir_systemd_enable_service sockets.target systemd-userdbd.socket
fi
builddir_systemd_enable_service sysinit.target systemd-pstore.service
# Flatcar: not enabling reboot.target - it has no WantedBy
# entry.
# putting symlinks in /etc. Please keep the lines in the same
# order as the "enable" lines appear in the preset file. For a
# single enable line in preset, there may be more lines if the
# unit file had Also: clause which has units we enable here
# too.
# Flatcar: Enable getty manually.
# Flatcar: enable remote-fs.target
builddir_systemd_enable_service multi-user.target remote-fs.target
# Flatcar: enable remote-cryptsetup.target
if use cryptsetup; then
builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
fi
# Flatcar: enable machines.target
builddir_systemd_enable_service multi-user.target machines.target
# Flatcar: enable getty@.service
dodir "${unitdir}/getty.target.wants"
dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
# Flatcar: enable systemd-timesyncd.service
builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
builddir_systemd_enable_service multi-user.target systemd-networkd.service
builddir_systemd_enable_service sockets.target systemd-networkd.socket
builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
# Flatcar: enable systemd-network-generator.service
builddir_systemd_enable_service sysinit.target systemd-network-generator.service
# Flatcar: enable systemd-resolved.service
builddir_systemd_enable_service multi-user.target systemd-resolved.service
# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
if use homed; then
builddir_systemd_enable_service multi-user.target systemd-homed.target
fi
# Flatcar: enable systemd-userdbd.socket
builddir_systemd_enable_service sockets.target systemd-userdbd.socket
# Flatcar: enable systemd-pstore.service
builddir_systemd_enable_service sysinit.target systemd-pstore.service
# Flatcar: enable systemd-boot-update.service
if use gnuefi; then
builddir_systemd_enable_service sysinit.target systemd-boot-update.service
fi
# Flatcar: enable reboot.target (not enabled - has no WantedBy
# entry)
# Flatcar: Use an empty preset file, because systemctl
# preset-all puts symlinks in /etc, not in /usr. We don't use
@ -495,15 +579,16 @@ multilib_src_install_all() {
-e '/^C!* \/etc\/nsswitch\.conf/d' \
-e '/^C!* \/etc\/pam\.d/d' \
-e '/^C!* \/etc\/issue/d'
# Flatcar: gen_usr_ldscript is likely for static libs, so we
# dropped it.
}
# Flatcar: Our own version of systemd_get_systemunitdir, that returns
# a path inside /usr, not /etc.
builddir_systemd_get_systemunitdir() {
echo "$(get_rootprefix)/lib/systemd/system"
}
# Flatcar: Our own version of systemd_enable_service, that does
# operations inside /usr, not /etc.
builddir_systemd_enable_service() {
local target=${1}
local service=${2}
@ -591,17 +676,18 @@ pkg_postinst() {
# Flatcar: We enable getty and remote-fs targets in /usr
# ourselves above.
# if [[ -z ${REPLACING_VERSIONS} ]]; then
# if type systemctl &>/dev/null; then
# systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
# fi
# elog "To enable a useful set of services, run the following:"
# elog " systemctl preset-all --preset-mode=enable-only"
# fi
if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
rm "${EROOT}/var/lib/systemd/timesync"
fi
if [[ -z ${ROOT} && -d /run/systemd/system ]]; then
ebegin "Reexecuting system manager"
systemctl daemon-reexec
eend $?
fi
if [[ ${FAIL} ]]; then
eerror "One of the postinst commands failed. Please check the postinst output"
eerror "for errors. You may need to clean up your system and/or try installing"