diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-09-systemd-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-09-systemd-update.md new file mode 100644 index 0000000000..8b6586e0ed --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-09-systemd-update.md @@ -0,0 +1 @@ +- systemd ([CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821), [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-09-systemd-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-09-systemd-update.md new file mode 100644 index 0000000000..d3d235636d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-09-systemd-update.md @@ -0,0 +1 @@ +- systemd ([251.10](https://github.com/systemd/systemd-stable/commits/v251.10) (includes [251](https://github.com/systemd/systemd/releases/tag/v251))) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 898f2b7f96..7984f1d946 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -29,9 +29,9 @@ net-analyzer/nmap ncat -system-lua symlink # removes mta dependencies app-admin/sudo -sendmail -# use lzma which is the default on non-gentoo systems, enable selinux, # disable hybrid cgroup as we use the unified mode now -sys-apps/systemd build curl idn lzma selinux -cgroup-hybrid +# use lzma which is the default on non-gentoo systems, enable selinux, +sys-apps/systemd -cgroup-hybrid curl idn lzma selinux net-libs/libmicrohttpd -ssl # disable kernel config detection and module building 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index e32127fa26..1154ac8dc0 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use @@ -20,7 +20,7 @@ sys-libs/ncurses minimal sys-libs/pam audit # enable journal gateway, bootctl and container features -sys-apps/systemd audit gnuefi importd http iptables +sys-apps/systemd audit gnuefi http importd iptables # epoll is needed for systemd-journal-remote to work. coreos/bugs#919 net-libs/libmicrohttpd epoll diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.accept_keywords deleted file mode 100644 index 9809abddca..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.accept_keywords +++ /dev/null @@ -1,2 +0,0 @@ -# Various dependencies that also need to be up-to-date -sys-apps/kmod ~amd64 ~x86 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.unmask b/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.unmask index e4813f3969..9b52e5deb1 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.unmask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.unmask @@ -1,2 +1 @@ sys-apps/systemd -sys-apps/systemd-ui diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.use.force index 0b09521feb..0b373328b3 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.use.force 
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/features/systemd/package.use.force @@ -1,8 +1,8 @@ # Copyright (c) 2014 The CoreOS Authors. All rights reserved. # Distributed under the terms of the GNU General Public License v2 -# disable gentoo-only bits and replace sysvinit -sys-apps/systemd vanilla sysv-utils +# replace sysvinit and disable gentoo-only bits +sys-apps/systemd sysv-utils vanilla # dbus without systemd conflicts with systemd sys-apps/dbus systemd diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md index 0685b359fd..df01f3aea5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md @@ -1 +1,2 @@ - Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service` +- Check if our preset setup in `multilib_src_install_all` is in sync with `systemd/systemd:presets/90-systemd.preset`. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest index 414ac1a206..22b3ce7401 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest 
@@ -1 +1 @@ -DIST systemd-stable-250.7.tar.gz 11214975 BLAKE2B 5d94b4b1f8b0cd6e8284a89ac0d4bd373eccdad2c3d6e6c453df79c8df47ee0f9cfbde764b72b1f9d172d07e2d9f1f1f41c1ab254cf4abd0722469ebc3ad7cf8 SHA512 99bc6f0c9757b280cb694f3fb4d6fe04d5ce55583eb2bae5ddeb324bb5ee9930c1720fcc27293d90cddba188473653ec541a471ae8115710a5850c26d0ba215d +DIST systemd-stable-251.10.tar.gz 11461671 BLAKE2B a351b6dd9fc307e4bdcf0323b16e7f58c714392cfa466180a81196309c289b54767bfe5d03037eb1bd6b273d7eb8f6f42b927aabaa1310be04266675d1a3dd06 SHA512 49e33dbbc1b2ebe123b2f722070c87524b3126d1e605fb3e24a3f9f328ab67de506dc4588a92caf157428c21b9c73c3884726c4a5b1f67bb997d4a68bb871e5b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf deleted file mode 100644 index 6b224ba9b9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/00-hostnamed-network-user.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Service] -# By running with these options instead of root, networkd is allowed to request -# a hostname change via DBUS when policykit is not present -User=systemd-network -Group=systemd-hostname -AmbientCapabilities=CAP_SYS_ADMIN diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch index 342d9d0ae3..8d27c21f72 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From d13deba6bad21e796829b83b00dce03085b0ab14 Mon Sep 17 00:00:00 2001 +From 48b7456e73800ccabef09416ec9e1480781613e7 Mon Sep 17 00:00:00 2001 
From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/8] wait-online: set --any by default +Subject: [PATCH 1/6] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -28,5 +28,5 @@ index a679b858fa..3b6dad8d1d 100644 STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); -- -2.35.1 +2.25.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch index 8cfc66862d..f8fc59011b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch @@ -1,17 +1,17 @@ -From 2a8f5356c608e6f4512ade1b3ce2176f4491bce1 Mon Sep 17 00:00:00 2001 +From b4ce1af6005f6137774ba69fb1db5b320a853513 Mon Sep 17 00:00:00 2001 From: Nick Owens Date: Tue, 2 Jun 2015 18:22:32 -0700 -Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting +Subject: [PATCH 2/6] networkd: default to "kernel" IPForwarding setting --- src/network/networkd-network.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c -index 873ad2e703..4395dce4e2 100644 +index 39ea4eddd0..9780f920f1 100644 --- a/src/network/networkd-network.c 
+++ b/src/network/networkd-network.c -@@ -458,6 +458,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi +@@ -464,6 +464,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi .link_local = _ADDRESS_FAMILY_INVALID, .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID, @@ -20,5 +20,5 @@ index 873ad2e703..4395dce4e2 100644 .ipv4_route_localnet = -1, .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, -- -2.35.1 +2.25.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch index 5548f861d6..46e986227f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ -From 5ba2f094ba91f8f52a4b3c0aca83e2fe344594d8 Mon Sep 17 00:00:00 2001 +From bce25cf9f7914804515fdcf8852e7aec37d9d99a Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 3/8] needs-update: don't require strictly newer usr +Subject: [PATCH 3/6] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- @@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644 This requires that updates to /usr/ are always followed by an update of the modification time of diff --git a/src/shared/condition.c b/src/shared/condition.c -index 68fbbf643a..306089cd26 100644 +index 0f06944fb0..c7c9a411a3 100644 --- a/src/shared/condition.c 
+++ b/src/shared/condition.c -@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -758,7 +758,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * First, compare seconds as they are always accurate... */ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) @@ -35,7 +35,7 @@ index 68fbbf643a..306089cd26 100644 /* * ...then compare nanoseconds. -@@ -780,7 +780,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * (otherwise the filesystem supports nsec timestamps, see stat(2)). */ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) @@ -44,7 +44,7 @@ index 68fbbf643a..306089cd26 100644 _cleanup_free_ char *timestamp_str = NULL; r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -799,7 +799,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -789,7 +789,7 @@ static int condition_test_needs_update(Condition *c, char **env) { return true; } @@ -54,5 +54,5 @@ index 68fbbf643a..306089cd26 100644 static int condition_test_first_boot(Condition *c, char **env) { -- -2.35.1 +2.25.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch index 2b4578bc58..18585105a4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From 75c683b81fcdb47eaa9aa6c4355ed96296d6d547 Mon Sep 17 00:00:00 2001 +From 485151e5ecc94402d81ff755c02a244980f931fa Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Thu, 22 Apr 2021 20:08:33 +0530 -Subject: [PATCH 4/8] core: use max for DefaultTasksMax +Subject: [PATCH 4/6] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -21,10 +21,10 @@ Signed-off-by: Sayan Chowdhury 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index 3805a010e2..48d9061d16 100644 +index b104044cc2..32e07f8e5e 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml -@@ -404,7 +404,7 @@ +@@ -448,7 +448,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception @@ -34,10 +34,10 @@ index 3805a010e2..48d9061d16 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/main.c b/src/core/main.c -index 57aedb9b93..a8859478a9 100644 +index 79c0e0fbf6..4d72ba3b24 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -98,7 +98,7 @@ +@@ -100,7 +100,7 @@ #include #endif @@ -47,10 +47,10 @@ index 57aedb9b93..a8859478a9 100644 static enum { ACTION_RUN, diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 96fb64d2c1..7a71efbb0a 100644 +index 67e55f10a2..8ba48406b1 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -54,7 +54,7 @@ +@@ -56,7 +56,7 @@ #DefaultBlockIOAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes @@ -60,5 +60,5 @@ index 96fb64d2c1..7a71efbb0a 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.35.1 +2.25.1 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch index e998f3e37c..9f7b97f785 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch @@ -1,7 +1,7 @@ -From 170a29c01603c8815edf019bdc0ddc29c986e1a2 Mon Sep 17 00:00:00 2001 +From 505f92caa2e1d93cf385dbeaefa9225eff4422b4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks +Subject: [PATCH 5/6] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy @@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index ad098e99df..8b341184a2 100644 +index 2b6a6a654a..5a0b8f5dc0 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -2,7 +2,7 @@ @@ -25,5 +25,5 @@ index ad098e99df..8b341184a2 100644 #include #include -- -2.35.1 +2.25.1 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index 7e46a13015..4610dc987c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ -From 925d668d820d728ec58e470fd64cdff1504d8e04 Mon Sep 17 00:00:00 2001 +From 12e90f7f45e4693e6e366c7c894939a18fc86437 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 21 Jan 2022 19:17:11 +0100 -Subject: [PATCH 7/8] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH 6/6] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. @@ -89,5 +89,5 @@ index 2433124c55..bb7af3105d 100644 TTYReset=yes TTYVHangup=yes -- -2.35.1 +2.25.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch deleted file mode 100644 index 824afeac28..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-core-handle-lookup-paths-being-symlinks.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 8f007876ee3ac88087a8b24c252e9187e754c880 Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Wed, 8 Sep 2021 12:10:35 +0530 -Subject: [PATCH 6/8] core: handle lookup paths being symlinks - -With a recent change paths leaving the statically known lookup paths -would be treated differently then those that remained within those. That -was done (AFAIK) to consistently handle alias names. Unfortunately that -means that on some distributions, especially those where /etc/ consists -mostly of symlinks, would trigger that new detection for every single -unit in /etc/systemd/system. The reason for that is that the units -directory itself is already a symlink. - -Original Patch from: https://github.com/systemd/systemd/pull/20479 - -Signed-off-by: Sayan Chowdhury ---- - src/basic/unit-file.c | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) - -diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index faea92f66d..b024df21a9 100644 ---- a/src/basic/unit-file.c -+++ b/src/basic/unit-file.c -@@ -280,6 +280,7 @@ int unit_file_build_name_map( - - _cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL; - _cleanup_set_free_free_ Set *paths = NULL; -+ _cleanup_strv_free_ char **expanded_search_paths = NULL; - uint64_t timestamp_hash; - char **dir; - int r; -@@ -299,6 +300,34 @@ int unit_file_build_name_map( - return log_oom(); - } - -+ /* Go over all our search paths, chase their symlinks and store the -+ * result in the expanded_search_paths list. -+ * -+ * This is important for cases where any of the unit directories itself -+ * are symlinks into other directories and would therefore cause all of -+ * the unit files to be recognized as linked units. -+ * -+ * This is important for distributions such as NixOS where most paths -+ * in /etc/ are symlinks to some other location on the filesystem (e.g. -+ * into /nix/store/). 
-+ */ -+ STRV_FOREACH(dir, (char**) lp->search_path) { -+ _cleanup_free_ char *resolved_dir = NULL; -+ r = strv_extend(&expanded_search_paths, *dir); -+ if (r < 0) -+ return log_oom(); -+ -+ r = chase_symlinks(*dir, NULL, 0, &resolved_dir, NULL); -+ if (r < 0) { -+ if (r != -ENOENT) -+ log_warning_errno(r, "Failed to resolve symlink %s, ignoring: %m", *dir); -+ continue; -+ } -+ -+ if (strv_consume(&expanded_search_paths, TAKE_PTR(resolved_dir)) < 0) -+ return log_oom(); -+ } -+ - STRV_FOREACH(dir, (char**) lp->search_path) { - _cleanup_closedir_ DIR *d = NULL; - -@@ -424,11 +453,11 @@ int unit_file_build_name_map( - continue; - } - -- /* Check if the symlink goes outside of our search path. -+ /* Check if the symlink goes outside of our (expanded) search path. - * If yes, it's a linked unit file or mask, and we don't care about the target name. - * Let's just store the link source directly. - * If not, let's verify that it's a good symlink. */ -- char *tail = path_startswith_strv(simplified, lp->search_path); -+ char *tail = path_startswith_strv(simplified, expanded_search_paths); - if (!tail) { - log_debug("%s: linked unit file: %s → %s", - __func__, filename, simplified); --- -2.35.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/251-gpt-auto-no-cryptsetup.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/251-gpt-auto-no-cryptsetup.patch new file mode 100644 index 0000000000..f56f2febfd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/251-gpt-auto-no-cryptsetup.patch 
@@ -0,0 +1,28 @@ +https://github.com/systemd/systemd/commit/d0523bb0d12766485fde3b87bb42db8dfc3c45d3 +https://github.com/systemd/systemd/issues/24978 + +From d0523bb0d12766485fde3b87bb42db8dfc3c45d3 Mon Sep 17 00:00:00 2001 +From: David Seifert +Date: Wed, 12 Oct 2022 21:47:29 +0200 +Subject: [PATCH] gpt-auto: allow using without cryptsetup + +Fixes #24978 +--- a/src/gpt-auto-generator/gpt-auto-generator.c ++++ b/src/gpt-auto-generator/gpt-auto-generator.c +@@ -571,11 +571,15 @@ static int add_root_rw(DissectedPartition *p) { + + #if ENABLE_EFI + static int add_root_cryptsetup(void) { ++#if HAVE_LIBCRYPTSETUP + + /* If a device /dev/gpt-auto-root-luks appears, then make it pull in systemd-cryptsetup-root.service, which + * sets it up, and causes /dev/gpt-auto-root to appear which is all we are looking for. */ + + return add_cryptsetup("root", "/dev/gpt-auto-root-luks", true, false, NULL); ++#else ++ return 0; ++#endif + } + #endif + + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf deleted file mode 100644 index f4d0271cdb..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/org.freedesktop.hostname1_no_polkit.conf +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml index d9f94345f7..34a269d81d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml 
@@ -9,7 +9,6 @@ Incremented for ABI breaks in libudev or libsystemd - Enable AppArmor support Enable support for sys-process/audit Default to hybrid (legacy) cgroup hierarchy instead of unified (modern). Enable support for uploading journals @@ -20,7 +19,6 @@ Enable FIDO2 support Enable use of dev-libs/libgcrypt for various features Enable portable home directories - Enable setting hostname with networkd/hostnamed without polkit (requires running sys-apps/dbus-broker) Enable embedded HTTP server in journald Enable import daemon Use libiptc from net-firewall/iptables for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-251.10.ebuild similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-251.10.ebuild index ef9c3041bd..36fefb4b15 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-251.10.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{8..10} ) +PYTHON_COMPAT=( python3_{8..11} ) # Avoid QA warnings TMPFILES_OPTIONAL=1 
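Review bot: The metadata.xml hunk removes the description of the `apparmor` USE flag, but the ebuild's IUSE in the following hunk still lists `apparmor`, so the flag would be left without a description and QA tooling would likely flag it. Either keep the AppArmor flag entry in metadata.xml or drop `apparmor` from IUSE together with it. The removal of the `hostnamed-fallback` description, by contrast, matches IUSE dropping that flag.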
@@ -23,12 +23,14 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86" + # Flatcar: Mark as stable. + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" fi +inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam # Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript. # Adding tmpfiles, since we use it for installing some files. -inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles +inherit python-any-r1 systemd tmpfiles toolchain-funcs udev DESCRIPTION="System and service manager for Linux" HOMEPAGE="http://systemd.io/" @@ -36,8 +38,8 @@ HOMEPAGE="http://systemd.io/" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" IUSE=" - acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils - fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd iptables +kmod + acl apparmor audit cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnuefi gnutls homed http idn importd iptables +kmod +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd " @@ -45,12 +47,11 @@ REQUIRED_USE=" dns-over-tls? ( || ( gnutls openssl ) ) homed? ( cryptsetup pam openssl ) importd? ( curl lzma || ( gcrypt openssl ) ) - policykit? ( !hostnamed-fallback ) pwquality? ( homed ) " RESTRICT="!test? ( test )" -MINKV="3.11" +MINKV="4.15" COMMON_DEPEND=" >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] 
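Review bot: The added comment `# Flatcar: Mark as stable.` over-promises for the KEYWORDS line beneath it, which keeps only amd64 and arm64 stable and turns arm, hppa, ppc, ppc64, sparc and x86 from stable into ~arch compared with the removed line. State what is actually stabilised, e.g. `# Flatcar: Mark amd64 and arm64 as stable.`, so the next version bump does not carry the wrong intent forward. Raising `MINKV="4.15"` looks consistent with `~CGROUP_BPF` becoming an unconditional CONFIG_CHECK entry in pkg_pretend further down.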
@@ -128,10 +129,6 @@ RDEPEND="${COMMON_DEPEND} >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 >=sys-apps/baselayout-2.2 - hostnamed-fallback? ( - acct-group/systemd-hostname - sys-apps/dbus-broker - ) selinux? ( sec-policy/selinux-base-policy[systemd] ) @@ -141,11 +138,6 @@ RDEPEND="${COMMON_DEPEND} ) !sysv-utils? ( sys-apps/sysvinit ) resolvconf? ( !net-dns/openresolv ) - !build? ( || ( - sys-apps/util-linux[kill(-)] - sys-process/procps[kill(+)] - sys-apps/coreutils[kill(-)] - ) ) !sys-apps/hwids[udev] !sys-auth/nss-myhostname !sys-fs/eudev @@ -180,8 +172,8 @@ BDEPEND=" " python_check_deps() { - has_version -b "dev-python/jinja[${PYTHON_USEDEP}]" && - has_version -b "dev-python/lxml[${PYTHON_USEDEP}]" + python_has_version "dev-python/jinja[${PYTHON_USEDEP}]" && + python_has_version "dev-python/lxml[${PYTHON_USEDEP}]" } QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" @@ -195,7 +187,7 @@ pkg_pretend() { fi local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS - ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH @@ -204,9 +196,6 @@ pkg_pretend() { use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" - kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" - kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" - kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" if kernel_is -ge 5 10 20; then CONFIG_CHECK+=" ~KCMP" 
@@ -249,21 +238,15 @@ src_unpack() {
 }
 
 src_prepare() {
- # Do NOT add patches here
- local PATCHES=()
-
- [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
-
- # Add local patches here
- PATCHES+=(
+ local PATCHES=(
+ "${FILESDIR}/251-gpt-auto-no-cryptsetup.patch"
 # Flatcar: Adding our own patches here.
 "${FILESDIR}/0001-wait-online-set-any-by-default.patch"
 "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
 "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
 "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
 "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
- "${FILESDIR}/0006-core-handle-lookup-paths-being-symlinks.patch"
- "${FILESDIR}/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
+ "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
 )
 
 if ! use vanilla; then
@@ -274,6 +257,9 @@ src_prepare() {
 )
 fi
 
+ # Fails with split-usr.
+ sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
+
 # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
 # CoreDNS which has dnsPolicy "default", but unless the
 # kubelet --resolv-conf flag is set to point to
@@ -296,9 +282,7 @@ src_configure() {
 # Prevent conflicts with i686 cross toolchain, bug 559726
 tc-export AR CC NM OBJCOPY RANLIB
 
- # Broken with FORTIFY_SOURCE=3 without a patch. And the patch
- # wasn't backported to 250.x, but it turns out to break Clang
- # anyway: bug #841770.
+ # Broken with FORTIFY_SOURCE=3: bug #841770.
 #
 # Our toolchain sets F_S=2 by default w/ >= -O2, so we need
 # to unset F_S first, then explicitly set 2, to negate any default
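Review bot: The `sed -i -e '2i exit 77' test/test-rpm-macros.sh || die` added in the second src_prepare hunk runs unconditionally, while its comment `# Fails with split-usr.` suggests the test is only broken for that configuration; the comment and the code disagree. Either guard it, `if use split-usr; then sed -i -e '2i exit 77' test/test-rpm-macros.sh || die; fi`, or make the comment say that the test is skipped for every configuration and that 77 is the "skipped" status the test runner presumably recognises. Also worth a one-line comment above `"${FILESDIR}/251-gpt-auto-no-cryptsetup.patch"` saying it is an upstream backport, so it is not mistaken for a Flatcar-specific patch when the list is pruned at the next bump.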
@@ -330,9 +314,13 @@ multilib_src_configure() {
 -Dpamlibdir="$(getpam_mod_dir)"
 # avoid bash-completion dep
 -Dbashcompletiondir="$(get_bashcompdir)"
- # make sure we get /bin:/sbin in PATH
 $(meson_use split-usr)
+ # Flatcar: Always set split-bin to true, we always
+ # have separate bin and sbin directories
 -Dsplit-bin=true
+ # Flatcar: Use get_rootprefix. No functional change
+ # from upstream, just refactoring the common code used
+ # in some places.
 -Drootprefix="$(get_rootprefix)"
 -Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
 # Avoid infinite exec recursion, bug 642724
@@ -435,7 +423,6 @@ multilib_src_configure() {
 -Ddefault-net-naming-scheme=latest
 
 # Flatcar: Unported options, still needed?
- -Defi-cc="$(tc-getCC)"
 -Dquotaon-path=/usr/sbin/quotaon
 -Dquotacheck-path=/usr/sbin/quotacheck
 )
@@ -450,6 +437,9 @@ multilib_src_test() {
 multilib_src_install_all() {
 local rootprefix=$(usex split-usr '' /usr)
+ # Flatcar: We always have bin separate from sbin
+ # local sbin=$(usex split-usr sbin bin)
+ local sbin='sbin'
 
 # meson doesn't know about docdir
 mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
 
@@ -460,18 +450,20 @@ multilib_src_install_all() {
 # dodoc "${FILESDIR}"/nsswitch.conf
 
 if ! use resolvconf; then
- rm -f "${ED}${rootprefix}"/sbin/resolvconf || die
+ rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die
 fi
 
 rm "${ED}"/etc/init.d/README || die
 rm "${ED}${rootprefix}"/lib/systemd/system-generators/systemd-sysv-generator || die
 
 if ! use sysv-utils; then
- rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die
+ rm "${ED}${rootprefix}/${sbin}"/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die
 rm "${ED}"/usr/share/man/man1/init.1 || die
 rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die
 fi
 
+ # Flatcar: We always have bin separate from sbin, so drop the
+ # "&& use split-usr" part.
 if ! use resolvconf && ! use sysv-utils; then
 rmdir "${ED}${rootprefix}"/sbin || die
 fi
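Review bot: `rmdir "${ED}${rootprefix}"/sbin || die` in the last multilib_src_install_all hunk still hardcodes `/sbin` while the two `rm` lines just above it were switched to `${sbin}`; with `local sbin='sbin'` the result is identical today, but if the commented-out `local sbin=$(usex split-usr sbin bin)` line is ever restored, the rmdir would silently target the wrong directory. Use `rmdir "${ED}${rootprefix}/${sbin}" || die` so all four path constructions agree. The new comment mentions dropping an `&& use split-usr` part that does not appear on either side of this hunk; presumably it refers to the upstream ebuild, and saying so would help the reader.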
@@ -510,16 +502,6 @@ multilib_src_install_all() {
 dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
 fi
 
- # workaround for https://github.com/systemd/systemd/issues/13501
- if use hostnamed-fallback; then
- # this file requires dbus-broker
- insinto /usr/share/dbus-1/system.d/
- doins "${FILESDIR}/org.freedesktop.hostname1_no_polkit.conf"
-
- insinto "${rootprefix}/lib/systemd/system/systemd-hostnamed.service.d/"
- doins "${FILESDIR}/00-hostnamed-network-user.conf"
- fi
-
 # Flatcar: gen_usr_ldscript is likely for static libs, so we
 # dropped it.
 # gen_usr_ldscript -a systemd udev
@@ -678,16 +660,16 @@ migrate_locale() {
 pkg_preinst() {
 if ! use split-usr; then
 local dir
+ # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
 for dir in bin sbin lib; do
- if [[ ! ${EROOT}/${dir} -ef ${EROOT}/usr/${dir} ]]; then
- eerror "\"${EROOT}/${dir}\" and \"${EROOT}/usr/${dir}\" are not merged."
- eerror "One of them should be a symbolic link to the other one."
+ if [[ ! -L ${EROOT}/${dir} ]]; then
+ eerror "'${EROOT}/${dir}' is not a symbolic link."
 FAIL=1
 fi
 done
 if [[ ${FAIL} ]]; then
 eerror "Migration to system layout with merged directories must be performed before"
- eerror "rebuilding ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
+ eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
 die "System layout with split directories still used"
 fi
 fi
@@ -726,14 +708,6 @@ pkg_postinst() {
 eerror "systemd again."
 eerror
 fi
-
- if use hostnamed-fallback; then
- if ! systemctl --root="${ROOT:-/}" is-enabled --quiet dbus-broker.service 2>/dev/null; then
- ewarn "dbus-broker.service is not enabled, systemd-hostnamed will fail to run."
- ewarn "To enable dbus-broker.service run the next command as root:"
- ewarn "systemctl enable dbus-broker.service"
- fi
- fi
 }
 
 pkg_prerm() {
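Review bot: The new `[[ ! -L ${EROOT}/${dir} ]]` test in pkg_preinst is weaker than the `-ef` test it replaces: it only checks that some symlink exists at `${EROOT}/${dir}`, so a dangling link or one pointing somewhere other than `${EROOT}/usr/${dir}` now passes the pre-install check even though the `die` message below still promises a merged layout. Keeping both conditions closes that gap, e.g. `if [[ ! -L ${EROOT}/${dir} || ! ${EROOT}/${dir} -ef ${EROOT}/usr/${dir} ]]; then` with the `eerror` text adjusted to say the link must resolve to `usr/${dir}`. The added comment says usr/sbin is dropped "from the list", but the `for dir in bin sbin lib` line is unchanged in this hunk, so the comment presumably compares against an upstream list; naming it would make the intent verifiable.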