overlay sys-apps/systemd: Apply Flatcar modifications

Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2025-11-28 14:01:43 +01:00 · 2024-07-23 09:28:24 +00:00 · 2024-07-23 09:28:24 +00:00 · 3279f8c322
commit 3279f8c322
parent ca868e8a04
2 changed files with 258 additions and 58 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@ -1 +1 @@
-DIST systemd-256.7.tar.gz 15672532 BLAKE2B d718b7bcbf9c3583953a9fa82319f04b32d17c5b7539a49b9999881bd8cea7fd9a06f252d763170613a6cd0fd2535762b233cba74eb87764f662c4bdf2d8c1da SHA512 2ff3805a7d97780a716b23ddeea3722a85aba6326ecee527e53e9d35510a0ffa5ec0bf0cdbf8f3409bb9c6832406916f63eb7e8305db5f67c284e5590c642422
+DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9.ebuild
@ -20,12 +20,13 @@ else
 	SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz"

 	if [[ ${PV} != *rc* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+		# Flatcar: mark as stable
+		KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 	fi
 fi

 inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
-inherit secureboot systemd toolchain-funcs udev
+inherit secureboot systemd tmpfiles toolchain-funcs udev

 DESCRIPTION="System and service manager for Linux"
 HOMEPAGE="https://systemd.io/"
@ -97,6 +98,14 @@ DEPEND="${COMMON_DEPEND}
 PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]'

 # baselayout-2.2 has /run
+#
+# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
+# flag). The image stage fails with "Failed to resolve
+# typeattributeset statement at
+# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120"
+#
+# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary
+# needed by dracut's systemd-vconsole-setup module.
 RDEPEND="${COMMON_DEPEND}
 	>=acct-group/adm-0-r1
 	>=acct-group/wheel-0-r1
@ -125,13 +134,13 @@ RDEPEND="${COMMON_DEPEND}
 	>=acct-user/systemd-resolve-0-r1
 	>=acct-user/systemd-timesync-0-r1
 	>=sys-apps/baselayout-2.2
+	sys-apps/kbd
 	ukify? (
 		${PYTHON_DEPS}
 		$(python_gen_cond_dep "${PEFILE_DEPEND}")
 	)
 	selinux? (
 		sec-policy/selinux-base-policy[systemd]
-		sec-policy/selinux-ntp
 	)
 	sysv-utils? (
 		!sys-apps/openrc[sysv-utils(-)]
@ -185,38 +194,13 @@ BDEPEND="
 QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
 QA_EXECSTACK="usr/lib/systemd/boot/efi/*"

-check_cgroup_layout() {
-	# https://bugs.gentoo.org/935261
-	[[ ${MERGE_TYPE} != buildonly ]] || return
-	[[ -z ${ROOT} ]] || return
-	[[ -e /sys/fs/cgroup/unified ]] || return
-	grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return
-
-	eerror "This system appears to be booted with the 'hybrid' cgroup layout."
-	eerror "This layout obsolete and is disabled in systemd."
-
-	if grep -qF 'systemd.unified_cgroup_hierarchy'; then
-		eerror "Remove the systemd.unified_cgroup_hierarchy option"
-		eerror "from the kernel command line and reboot."
-		die "hybrid cgroup layout detected"
-	fi
-}
-
 pkg_pretend() {
-	if use split-usr; then
-		eerror "Please complete the migration to merged-usr."
-		eerror "https://wiki.gentoo.org/wiki/Merge-usr"
-		die "systemd no longer supports split-usr"
-	fi
-
-	check_cgroup_layout
-
-	if use cgroup-hybrid; then
-		eerror "Disable the 'cgroup-hybrid' USE flag."
-		eerror "Rebuild any initramfs images after rebuilding systemd."
-		die "cgroup-hybrid is no longer supported"
-	fi
-
+	# Flatcar: We keep using split-usr for SDK.
+	# if use split-usr; then
+	# 	eerror "Please complete the migration to merged-usr."
+	# 	eerror "https://wiki.gentoo.org/wiki/Merge-usr"
+	# 	die "systemd no longer supports split-usr"
+	# fi
 	if [[ ${MERGE_TYPE} != buildonly ]]; then
 		local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS
 			~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
@ -274,6 +258,16 @@ src_prepare() {
 	local PATCHES=(
 		"${FILESDIR}/systemd-test-process-util.patch"
 		"${FILESDIR}/256-bpf-gcc.patch"
+		# Flatcar: Adding our own patches here.
+		"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
+		"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
+		"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
+		"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
+		"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
+		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
+		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
+		# Flatcar: This can be dropped when updating to 256.
+		"${FILESDIR}/0008-sysext-Mutable-overlays.patch"
 	)

 	if ! use vanilla; then
@ -282,6 +276,23 @@ src_prepare() {
 		)
 	fi

+	# Fails with split-usr.
+	sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
+
+	# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
+	# CoreDNS which has dnsPolicy "default", but unless the
+	# kubelet --resolv-conf flag is set to point to
+	# /run/systemd/resolve/resolv.conf this won't work with
+	# /etc/resolv.conf pointing to
+	# /run/systemd/resolve/stub-resolv.conf which configures
+	# 127.0.0.53.  See
+	# https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
+	# This means that users who need split DNS to work should
+	# point /etc/resolv.conf back to
+	# /run/systemd/resolve/stub-resolv.conf (and if using K8s
+	# configure the kubelet resolvConf variable/--resolv-conf flag
+	# to /run/systemd/resolve/resolv.conf).
+	sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
 	default
 }

@ -294,16 +305,34 @@ src_configure() {
 	multilib-minimal_src_configure
 }

+# Flatcar: Our function, we use it in some places below.
+get_rootprefix() {
+	usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
+}
+
 multilib_src_configure() {
 	local myconf=(
 		--localstatedir="${EPREFIX}/var"
 		# default is developer, bug 918671
 		-Dmode=release
-		-Dsupport-url="https://gentoo.org/support/"
+		# Flatcar: Point to our user mailing list.
+		-Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user"
 		-Dpamlibdir="$(getpam_mod_dir)"
 		# avoid bash-completion dep
 		-Dbashcompletiondir="$(get_bashcompdir)"
-		-Dsplit-bin=false
+		# Flatcar: We keep using split-usr in SDK.
+		$(meson_use split-usr)
+		# Flatcar: Always set split-bin to true, we always
+		# have separate bin and sbin directories
+		-Dsplit-bin=true
+		# Flatcar: Use get_rootprefix. No functional change
+		# from upstream, just refactoring the common code used
+		# in some places.
+		#
+		# TODO: Drop -Drootprefix and -Drootlibdir we get rid
+		# of split-usr in SDK
+		-Drootprefix="$(get_rootprefix)"
+		-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
 		# Disable compatibility with sysvinit
 		-Dsysvinit-path=
 		-Dsysvrcnd-path=
@ -352,9 +381,11 @@ multilib_src_configure() {
 		$(meson_native_use_bool test dbus)
 		$(meson_native_use_bool ukify)
 		$(meson_native_use_bool xkb xkbcommon)
-		-Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+		# Flatcar: Use our ntp servers.
+		-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
 		# Breaks screen, tmux, etc.
 		-Ddefault-kill-user-processes=false
+		# Flatcar: TODO: Investigate if we want this.
 		-Dcreate-log-dirs=false

 		# multilib options
@ -377,6 +408,43 @@ multilib_src_configure() {
 		$(meson_native_true timesyncd)
 		$(meson_native_true tmpfiles)
 		$(meson_native_true vconsole)
+		$(meson_native_enabled vmspawn)
+		# Flatcar: Specify this, or meson breaks due to no
+		# /etc/login.defs.
+		-Dsystem-gid-max=999
+		-Dsystem-uid-max=999
+
+		# Flatcar: DBus paths.
+		-Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
+		-Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
+
+		# Flatcar: PAM config directory.
+		-Dpamconfdir=/usr/share/pam.d
+
+		# Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC
+		# 2013. Used by timesyncd as a sanity check for the
+		# minimum acceptable time. Explicitly set to avoid
+		# using the current build time.
+		-Dtime-epoch=1372636800
+
+		# Flatcar: No default name servers.
+		-Ddns-servers=
+
+		# Flatcar: Disable the "First Boot Wizard", it isn't
+		# very applicable to us.
+		-Dfirstboot=false
+
+		# Flatcar: Set latest network interface naming scheme
+		# for https://github.com/flatcar/Flatcar/issues/36
+		-Ddefault-net-naming-scheme=latest
+
+		# Flatcar: Combined log format: name plus description
+		-Dstatus-unit-format-default=combined
+
+		# Flatcar: Unported options, still needed?
+		-Dquotaon-path=/usr/sbin/quotaon
+		-Dquotacheck-path=/usr/sbin/quotacheck
+		-Ddefault-mdns=no
 	)

 	case $(tc-arch) in
@ -407,7 +475,9 @@ multilib_src_install_all() {
 	mv "${ED}"/usr/share/doc/{systemd,${PF}} || die

 	einstalldocs
-	dodoc "${FILESDIR}"/nsswitch.conf
+	# Flatcar: Do not install sample nsswitch.conf, we don't
+	# provide it.
+	# dodoc "${FILESDIR}"/nsswitch.conf

 	insinto /usr/lib/tmpfiles.d
 	doins "${FILESDIR}"/legacy.conf
@ -425,6 +495,8 @@ multilib_src_install_all() {
 	# https://bugs.gentoo.org/761763
 	rm -r "${ED}"/usr/lib/sysusers.d || die

+	# Flatcar: Upstream uses keepdir commands to keep some empty
+	# directories. We use tmpfiles.
 	# Preserve empty dirs in /etc & /var, bug #437008
 	keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 	keepdir /etc/kernel/install.d
@ -433,29 +505,138 @@ multilib_src_install_all() {

 	keepdir /etc/udev/hwdb.d

-	keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
-	keepdir /usr/lib/{binfmt.d,modules-load.d}
-	keepdir /usr/lib/systemd/user-generators
-	keepdir /var/lib/systemd
-	keepdir /var/log/journal
+	# keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
+	# keepdir /usr/lib/{binfmt.d,modules-load.d}
+	# keepdir /usr/lib/systemd/user-generators
+	# keepdir /var/lib/systemd
+	# keepdir /var/log/journal

-	if use pam; then
-		if use selinux; then
-			newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
-		else
-			newpamd "${FILESDIR}"/systemd-user.pam systemd-user
-		fi
-	fi
+	# if use pam; then
+	# 	if use selinux; then
+	# 		newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
+	#	else
+	#		newpamd "${FILESDIR}"/systemd-user.pam systemd-user
+	#	fi
+	# fi

 	if use kernel-install; then
 		# Dummy config, remove to make room for sys-kernel/installkernel
 		rm "${ED}/usr/lib/kernel/install.conf" || die
 	fi
+	# Flatcar: Ensure journal directory has correct ownership/mode
+	# in inital image.  This is fixed by systemd-tmpfiles *but*
+	# journald starts before that and will create the journal if
+	# the filesystem is already read-write.  Conveniently the
+	# systemd Makefile sets this up completely wrong.
+	#
+	# Flatcar: TODO: Is this still a problem?
+	dodir /var/log/journal
+	fowners root:systemd-journal /var/log/journal
+	fperms 2755 /var/log/journal
+
+	# Flatcar: Don't prune systemd dirs.
+	dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
+	# Flatcar: Add tmpfiles rule for resolv.conf. This path has
+	# changed after v213 so it must be handled here instead of
+	# baselayout now.
+	dotmpfiles "${FILESDIR}"/systemd-resolv.conf
+
+	# Flatcar: Don't default to graphical.target.
+	local unitdir=$(builddir_systemd_get_systemunitdir)
+	dosym multi-user.target "${unitdir}"/default.target
+
+	# Flatcar: Don't set any extra environment variables by default.
+	rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
+
+	# Flatcar: These lines more or less follow the systemd's
+	# preset file (90-systemd.preset). We do it that way, to avoid
+	# putting symlinks in /etc. Please keep the lines in the same
+	# order as the "enable" lines appear in the preset file. For a
+	# single enable line in preset, there may be more lines if the
+	# unit file had Also: clause which has units we enable here
+	# too.
+
+	# Flatcar: enable remote-fs.target
+	builddir_systemd_enable_service multi-user.target remote-fs.target
+	# Flatcar: enable remote-cryptsetup.target
+	if use cryptsetup; then
+		builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
+	fi
+	# Flatcar: enable machines.target
+	builddir_systemd_enable_service multi-user.target machines.target
+	# Flatcar: enable getty@.service
+	dodir "${unitdir}/getty.target.wants"
+	dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
+	# Flatcar: enable systemd-timesyncd.service
+	builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
+	# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
+	builddir_systemd_enable_service multi-user.target systemd-networkd.service
+	builddir_systemd_enable_service sockets.target systemd-networkd.socket
+	builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
+	# Flatcar: enable systemd-network-generator.service
+	builddir_systemd_enable_service sysinit.target systemd-network-generator.service
+	# Flatcar: enable systemd-resolved.service
+	builddir_systemd_enable_service multi-user.target systemd-resolved.service
+	# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
+	if use homed; then
+		builddir_systemd_enable_service multi-user.target systemd-homed.target
+	fi
+	# Flatcar: enable systemd-userdbd.socket
+	builddir_systemd_enable_service sockets.target systemd-userdbd.socket
+	# Flatcar: enable systemd-pstore.service
+	builddir_systemd_enable_service sysinit.target systemd-pstore.service
+	# Flatcar: enable systemd-boot-update.service
+	if use boot; then
+		builddir_systemd_enable_service sysinit.target systemd-boot-update.service
+	fi
+	# Flatcar: enable reboot.target (not enabled - has no WantedBy
+	# entry)
+
+	# Flatcar: enable systemd-sysext.service by default
+	builddir_systemd_enable_service sysinit.target systemd-sysext.service
+
+	# Flatcar: Use an empty preset file, because systemctl
+	# preset-all puts symlinks in /etc, not in /usr. We don't use
+	# /etc, because it is not autoupdated. We do the "preset" above.
+	rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
+	insinto /usr/lib/systemd/system-preset
+	doins "${FILESDIR}"/99-default.preset
+
+	# Flatcar: Do not ship distro-specific files (nsswitch.conf
+	# pam.d). This conflicts with our own configuration provided
+	# by baselayout.
+	rm -rf "${ED}"/usr/share/factory
+	sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
+		-e '/^C!* \/etc\/nsswitch\.conf/d' \
+		-e '/^C!* \/etc\/pam\.d/d' \
+		-e '/^C!* \/etc\/issue/d'

 	use ukify && python_fix_shebang "${ED}"
 	use boot && secureboot_auto_sign
 }

+# Flatcar: Our own version of systemd_get_systemunitdir, that returns
+# a path inside /usr, not /etc.
+builddir_systemd_get_systemunitdir() {
+	echo "$(get_rootprefix)/lib/systemd/system"
+}
+
+# Flatcar: Our own version of systemd_enable_service, that does
+# operations inside /usr, not /etc.
+builddir_systemd_enable_service() {
+	local target=${1}
+	local service=${2}
+	local ud=$(builddir_systemd_get_systemunitdir)
+	local destname=${service##*/}
+
+	dodir "${ud}"/"${target}".wants && \
+	dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
+
+	if use boot; then
+		python_fix_shebang "${ED}"
+		secureboot_auto_sign
+	fi
+}
 migrate_locale() {
 	local envd_locale_def="${EROOT}/etc/env.d/02locale"
 	local envd_locale=( "${EROOT}"/etc/env.d/??locale )
@ -506,6 +687,23 @@ pkg_preinst() {
 		dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
 	fi

+	# Flatcar: This used to be in upstream ebuild, but now it's
+	# gone. We should drop it once we get rid of split-usr in SDK.
+	if ! use split-usr; then
+		local dir
+		# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
+		for dir in bin sbin lib; do
+			if [[ ! -L ${EROOT}/${dir} ]]; then
+				eerror "'${EROOT}/${dir}' is not a symbolic link."
+				FAIL=1
+			fi
+		done
+		if [[ ${FAIL} ]]; then
+			eerror "Migration to system layout with merged directories must be performed before"
+			eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
+			die "System layout with split directories still used"
+		fi
+	fi
 	if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then
 		ewarn "The 'gnuefi' USE flag has been renamed to 'boot'."
 		ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."
@ -525,13 +723,15 @@ pkg_postinst() {
 	# between OpenRC & systemd
 	migrate_locale

-	if [[ -z ${REPLACING_VERSIONS} ]]; then
-		if type systemctl &>/dev/null; then
-			systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
-		fi
-		elog "To enable a useful set of services, run the following:"
-		elog "  systemctl preset-all --preset-mode=enable-only"
-	fi
+	# Flatcar: We enable getty and remote-fs targets in /usr
+	# ourselves above.
+	# if [[ -z ${REPLACING_VERSIONS} ]]; then
+	# 	if type systemctl &>/dev/null; then
+	# 		systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
+	# 	fi
+	# 	elog "To enable a useful set of services, run the following:"
+	# 	elog "  systemctl preset-all --preset-mode=enable-only"
+	# fi

 	if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
 		rm "${EROOT}/var/lib/systemd/timesync"