Merge pull request #2425 from flatcar/krnowak/systemd-252

sys-apps/systemd: Update to 252.5

sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-02-09-systemd-update.md

@@ -0,0 +1 @@
+- systemd ([252.5](https://github.com/systemd/systemd-stable/releases/tag/v252.5) (includes [252](https://github.com/systemd/systemd/releases/tag/v252)))

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -55,8 +55,7 @@ src_install() {
 
 	# Create compatibility symlinks in case /usr/lib64/ instead of /usr/lib/ was used
 	local compat
-	# os-release symlink is set up in scripts
-	for compat in modules systemd flatcar coreos kernel modprobe.d pam pam.d sysctl.d udev ; do
+	for compat in modules flatcar coreos ; do
 		dosym "../lib/${compat}" "/usr/lib64/${compat}"
 	done
 }

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild

@@ -242,4 +242,15 @@ pkg_postinst() {
 		mkdir -p "${ROOT}/etc/init.d"
 		ln -sf "${func}" "${ROOT}/etc/init.d/functions.sh"
 	fi
+	# install compat symlinks in production images, not in SDK
+	# os-release symlink is set up in scripts
+	if ! use cros_host; then
+		local compat libdir
+		for compat in systemd kernel modprobe.d pam pam.d sysctl.d udev ; do
+			for libdir in $(get_all_libdirs) ; do
+				if [[ "${libdir}" == 'lib' ]]; then continue; fi
+				ln -sfT "../lib/${compat}" "${ROOT}/usr/${libdir}/${compat}"
+			done
+		done
+	fi
 }

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest

@@ -1 +1 @@
-DIST systemd-stable-251.10.tar.gz 11461671 BLAKE2B a351b6dd9fc307e4bdcf0323b16e7f58c714392cfa466180a81196309c289b54767bfe5d03037eb1bd6b273d7eb8f6f42b927aabaa1310be04266675d1a3dd06 SHA512 49e33dbbc1b2ebe123b2f722070c87524b3126d1e605fb3e24a3f9f328ab67de506dc4588a92caf157428c21b9c73c3884726c4a5b1f67bb997d4a68bb871e5b
+DIST systemd-stable-252.5.tar.gz 11762414 BLAKE2B c9560ad5e49b7ff33ebcf2e553fa1824131e84bb7c40e5b04135bcdce9ad2ef32194382a501a1853a28e02b7f434bf1fb53edd6e9272d432c23fb116015d751f SHA512 f3359e0496b673033d6c8da5c117890e0dc26c9db51003b28f629ac751d9bae117be32d9f54c377eb2d5a7c2d36ac0dbdc2116498698e993550fbdd9aae535b9

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch

@@ -1,7 +1,7 @@
-From 48b7456e73800ccabef09416ec9e1480781613e7 Mon Sep 17 00:00:00 2001
+From 02ebe43df912c7090a155484fbd1b422c4f438f4 Mon Sep 17 00:00:00 2001
 From: David Michael <dm0@redhat.com>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 1/6] wait-online: set --any by default
+Subject: [PATCH 1/7] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch

@@ -1,17 +1,17 @@
-From b4ce1af6005f6137774ba69fb1db5b320a853513 Mon Sep 17 00:00:00 2001
+From e124d3716ada4fc7c34278435a61d51b07b61024 Mon Sep 17 00:00:00 2001
 From: Nick Owens <nick.owens@coreos.com>
 Date: Tue, 2 Jun 2015 18:22:32 -0700
-Subject: [PATCH 2/6] networkd: default to "kernel" IPForwarding setting
+Subject: [PATCH 2/7] networkd: default to "kernel" IPForwarding setting
 
 ---
  src/network/networkd-network.c | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
-index 39ea4eddd0..9780f920f1 100644
+index a6c5b44238..54f9d12fec 100644
 --- a/src/network/networkd-network.c
 +++ b/src/network/networkd-network.c
-@@ -464,6 +464,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+@@ -465,6 +465,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                  .link_local = _ADDRESS_FAMILY_INVALID,
                  .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
  

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch

@@ -1,7 +1,7 @@
-From bce25cf9f7914804515fdcf8852e7aec37d9d99a Mon Sep 17 00:00:00 2001
+From a8366f0ddffabef08c010064ea62e64d7276a0f3 Mon Sep 17 00:00:00 2001
 From: Alex Crawford <alex.crawford@coreos.com>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 3/6] needs-update: don't require strictly newer usr
+Subject: [PATCH 3/7] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index 0f06944fb0..c7c9a411a3 100644
+index a23d6a3e45..8ca1f4606f 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
-@@ -758,7 +758,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -792,7 +792,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * First, compare seconds as they are always accurate...
           */
          if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@@ -35,7 +35,7 @@ index 0f06944fb0..c7c9a411a3 100644
  
          /*
           * ...then compare nanoseconds.
-@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -803,7 +803,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * (otherwise the filesystem supports nsec timestamps, see stat(2)).
           */
          if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@@ -44,7 +44,7 @@ index 0f06944fb0..c7c9a411a3 100644
  
          _cleanup_free_ char *timestamp_str = NULL;
          r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
-@@ -789,7 +789,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -823,7 +823,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
                  return true;
          }
  

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch

@@ -1,7 +1,7 @@
-From 485151e5ecc94402d81ff755c02a244980f931fa Mon Sep 17 00:00:00 2001
+From 7f71d79cc1cac4dc509cecb2f5c00b6dcfd7732b Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <sayan@kinvolk.io>
 Date: Thu, 22 Apr 2021 20:08:33 +0530
-Subject: [PATCH 4/6] core: use max for DefaultTasksMax
+Subject: [PATCH 4/7] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,10 +21,10 @@ Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index b104044cc2..32e07f8e5e 100644
+index ac21c31d9a..39323f6a55 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
-@@ -448,7 +448,7 @@
+@@ -461,7 +461,7 @@
          <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
          <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. This setting applies to all unit types that support resource control settings, with the exception
@@ -34,7 +34,7 @@ index b104044cc2..32e07f8e5e 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/main.c b/src/core/main.c
-index 79c0e0fbf6..4d72ba3b24 100644
+index a3fdd1dfe1..9b79308397 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
 @@ -100,7 +100,7 @@
@@ -47,11 +47,11 @@ index 79c0e0fbf6..4d72ba3b24 100644
  static enum {
          ACTION_RUN,
 diff --git a/src/core/system.conf.in b/src/core/system.conf.in
-index 67e55f10a2..8ba48406b1 100644
+index 71a5869ec0..92fe35b2d6 100644
 --- a/src/core/system.conf.in
 +++ b/src/core/system.conf.in
 @@ -56,7 +56,7 @@
- #DefaultBlockIOAccounting=no
+ #DefaultIPAccounting=no
  #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
  #DefaultTasksAccounting=yes
 -#DefaultTasksMax=15%

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch

@@ -1,7 +1,7 @@
-From 505f92caa2e1d93cf385dbeaefa9225eff4422b4 Mon Sep 17 00:00:00 2001
+From 0a5e52f5511cd7a5312d06abff12bc432bdedc96 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 5/6] systemd: Disable SELinux permissions checks
+Subject: [PATCH 5/7] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 2b6a6a654a..5a0b8f5dc0 100644
+index 11dbf4640e..c839a4f39e 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,12 +1,14 @@
-From 12e90f7f45e4693e6e366c7c894939a18fc86437 Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak <knowak@microsoft.com>
-Date: Fri, 21 Jan 2022 19:17:11 +0100
-Subject: [PATCH 6/6] Revert "getty: Pass tty to use by agetty via stdin"
+From ede353ea720f07b7b19fa638d5a59a7471237e2d Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury <schowdhury@microsoft.com>
+Date: Fri, 16 Dec 2022 16:28:26 +0530
+Subject: [PATCH 6/7] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
 This is to work around a SELinux denial that happens when setting up standard
 input for serial consoles (which is used for SSH connections).
+
+Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
 ---
  units/console-getty.service.in    | 4 +---
  units/container-getty@.service.in | 4 +---
@@ -15,13 +17,13 @@ input for serial consoles (which is used for SSH connections).
  4 files changed, 4 insertions(+), 12 deletions(-)
 
 diff --git a/units/console-getty.service.in b/units/console-getty.service.in
-index 73871d6f50..bb67541dce 100644
+index 606b7dbe16..54fd7c292d 100644
 --- a/units/console-getty.service.in
 +++ b/units/console-getty.service.in
-@@ -23,12 +23,10 @@ ConditionPathExists=/dev/console
- # The '-o' option value tells agetty to replace 'login' arguments with an
- # option to preserve environment (-p), followed by '--' for safety, and then
- # the entered username.
+@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
+ # followed by '--' for safety, and then the entered username.
 -ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
 +ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
  Type=idle
@@ -33,14 +35,14 @@ index 73871d6f50..bb67541dce 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
-index a6e3f94e2a..ed1eb7bde1 100644
+index 8d7e20d5ec..5f095f48b0 100644
 --- a/units/container-getty@.service.in
 +++ b/units/container-getty@.service.in
-@@ -28,13 +28,11 @@ Before=rescue.service
- # The '-o' option value tells agetty to replace 'login' arguments with an
- # option to preserve environment (-p), followed by '--' for safety, and then
- # the entered username.
--ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
+@@ -27,13 +27,11 @@ Before=rescue.service
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
+ # followed by '--' for safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
 +ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
  Type=idle
  Restart=always

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch

@@ -0,0 +1,40 @@
+From ff9f1aa2ab7d707c57008f406186c45cd9858228 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <knowak@microsoft.com>
+Date: Tue, 7 Feb 2023 11:33:44 +0100
+Subject: [PATCH 7/7] units: Keep using old journal file format
+
+Systemd 252 made an incompatible change in journal file format. Temporarily
+force journald to use the old journal format to give logging containers more
+time to adapt to the new format.
+---
+ units/systemd-journald.service.in  | 1 +
+ units/systemd-journald@.service.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index 38ba3e2856..e7f671e070 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -22,6 +22,7 @@ IgnoreOnIsolate=yes
+ 
+ [Service]
+ DeviceAllow=char-* rw
++Environment=SYSTEMD_JOURNAL_COMPACT=0
+ ExecStart={{ROOTLIBEXECDIR}}/systemd-journald
+ FileDescriptorStoreMax=4224
+ IPAddressDeny=any
+diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in
+index 35c998285f..9f7c6a2b3f 100644
+--- a/units/systemd-journald@.service.in
++++ b/units/systemd-journald@.service.in
+@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
+ [Service]
+ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+ DevicePolicy=closed
++Environment=SYSTEMD_JOURNAL_COMPACT=0
+ ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i
+ FileDescriptorStoreMax=4224
+ Group=systemd-journal
+-- 
+2.25.1
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/251-gpt-auto-no-cryptsetup.patch

@@ -1,28 +0,0 @@
-https://github.com/systemd/systemd/commit/d0523bb0d12766485fde3b87bb42db8dfc3c45d3
-https://github.com/systemd/systemd/issues/24978
-
-From d0523bb0d12766485fde3b87bb42db8dfc3c45d3 Mon Sep 17 00:00:00 2001
-From: David Seifert <soap@gentoo.org>
-Date: Wed, 12 Oct 2022 21:47:29 +0200
-Subject: [PATCH] gpt-auto: allow using without cryptsetup
-
-Fixes #24978
---- a/src/gpt-auto-generator/gpt-auto-generator.c
-+++ b/src/gpt-auto-generator/gpt-auto-generator.c
-@@ -571,11 +571,15 @@ static int add_root_rw(DissectedPartition *p) {
- 
- #if ENABLE_EFI
- static int add_root_cryptsetup(void) {
-+#if HAVE_LIBCRYPTSETUP
- 
-         /* If a device /dev/gpt-auto-root-luks appears, then make it pull in systemd-cryptsetup-root.service, which
-          * sets it up, and causes /dev/gpt-auto-root to appear which is all we are looking for. */
- 
-         return add_cryptsetup("root", "/dev/gpt-auto-root-luks", true, false, NULL);
-+#else
-+        return 0;
-+#endif
- }
- #endif
- 
-

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/252-no-stack-protector-bpf.patch

@@ -0,0 +1,26 @@
+https://github.com/systemd/systemd/pull/26050
+
+From d6a0784a350fb27698ed04f7ada17137324b31bb Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Fri, 13 Jan 2023 05:17:56 +0000
+Subject: [PATCH] bpf: disable -fstack-protector in meson
+
+In Gentoo, we recently started making Clang behave the same way as
+our GCC, with -fstack-protector and some friends enabled by default.
+
+SSP doesn't make sense for BPF, so disable it explicitly.
+
+See also e.g. https://www.spinics.net/lists/netdev/msg556400.html.
+
+Bug: https://bugs.gentoo.org/890004
+--- a/src/core/bpf/meson.build
++++ b/src/core/bpf/meson.build
+@@ -7,6 +7,7 @@ endif
+ bpf_clang_flags = [
+         '-std=gnu11',
+         '-Wno-compare-distinct-pointer-types',
++        '-fno-stack-protector',
+         '-O2',
+         '-target',
+         'bpf',
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.5.ebuild

@@ -1,8 +1,8 @@
-# Copyright 2011-2022 Gentoo Authors
+# Copyright 2011-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{8..11} )
+PYTHON_COMPAT=( python3_{9..11} )
 
 # Avoid QA warnings
 TMPFILES_OPTIONAL=1
@@ -27,10 +27,10 @@ else
 	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 fi
 
-inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam
+inherit bash-completion-r1 linux-info meson-multilib pam
 # Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
 # Adding tmpfiles, since we use it for installing some files.
-inherit python-any-r1 systemd tmpfiles toolchain-funcs udev
+inherit python-any-r1 systemd tmpfiles toolchain-funcs udev usr-ldscript
 
 DESCRIPTION="System and service manager for Linux"
 HOMEPAGE="http://systemd.io/"
@@ -239,7 +239,7 @@ src_unpack() {
 
 src_prepare() {
 	local PATCHES=(
-		"${FILESDIR}/251-gpt-auto-no-cryptsetup.patch"
+		"${FILESDIR}/252-no-stack-protector-bpf.patch"
 		# Flatcar: Adding our own patches here.
 		"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
 		"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
@@ -247,6 +247,7 @@ src_prepare() {
 		"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
 		"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
 		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
+		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
 	)
 
 	if ! use vanilla; then
@@ -282,20 +283,6 @@ src_configure() {
 	# Prevent conflicts with i686 cross toolchain, bug 559726
 	tc-export AR CC NM OBJCOPY RANLIB
 
-	# Broken with FORTIFY_SOURCE=3: bug #841770.
-	#
-	# Our toolchain sets F_S=2 by default w/ >= -O2, so we need
-	# to unset F_S first, then explicitly set 2, to negate any default
-	# and anything set by the user if they're choosing 3 (or if they've
-	# modified GCC to set 3).
-	#
-	if is-flagq '-O[23]' || is-flagq '-Ofast' ; then
-		# We can't unconditionally do this b/c we fortify needs
-		# some level of optimisation.
-		filter-flags -D_FORTIFY_SOURCE=3
-		append-cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
-	fi
-
 	python_setup
 
 	multilib-minimal_src_configure