Merge pull request #2363 from flatcar/krnowak/systemd-251

Update sys-apps/systemd to 251.10 and do some cleanups in profiles
Krzesimir Nowak 2023-01-09 10:52:27 +01:00 committed by GitHub
commit 43e1235e38
21 changed files with 102 additions and 203 deletions


@ -0,0 +1 @@
- systemd ([CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821), [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415))
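Review bot: the security changelog names CVE-2022-3821 and CVE-2022-4415 without saying which release fixes them; add "(fixed in 251.10)" or point at the version changelog entry so the advisory-to-tarball mapping is explicit for anyone auditing the bump later.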


@ -0,0 +1 @@
- systemd ([251.10](https://github.com/systemd/systemd-stable/commits/v251.10) (includes [251](https://github.com/systemd/systemd/releases/tag/v251)))


@ -29,9 +29,9 @@ net-analyzer/nmap ncat -system-lua symlink
# removes mta dependencies # removes mta dependencies
app-admin/sudo -sendmail app-admin/sudo -sendmail
# use lzma which is the default on non-gentoo systems, enable selinux,
# disable hybrid cgroup as we use the unified mode now # disable hybrid cgroup as we use the unified mode now
sys-apps/systemd build curl idn lzma selinux -cgroup-hybrid # use lzma which is the default on non-gentoo systems, enable selinux,
sys-apps/systemd -cgroup-hybrid curl idn lzma selinux
net-libs/libmicrohttpd -ssl net-libs/libmicrohttpd -ssl
# disable kernel config detection and module building # disable kernel config detection and module building


@ -20,7 +20,7 @@ sys-libs/ncurses minimal
sys-libs/pam audit sys-libs/pam audit
# enable journal gateway, bootctl and container features # enable journal gateway, bootctl and container features
sys-apps/systemd audit gnuefi importd http iptables sys-apps/systemd audit gnuefi http importd iptables
# epoll is needed for systemd-journal-remote to work. coreos/bugs#919 # epoll is needed for systemd-journal-remote to work. coreos/bugs#919
net-libs/libmicrohttpd epoll net-libs/libmicrohttpd epoll


@ -1,2 +0,0 @@
# Various dependencies that also need to be up-to-date
sys-apps/kmod ~amd64 ~x86
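Review bot: dropping the `~amd64 ~x86` keyword accept for sys-apps/kmod means the stable kmod now has to satisfy whatever systemd 251 requires, and the commit message ("cleanups in profiles") does not say why the unmask is obsolete; state the kmod version that is stable in the overlay, or the reason the entry is no longer needed, in the PR description.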


@ -1,2 +1 @@
sys-apps/systemd sys-apps/systemd
sys-apps/systemd-ui


@ -1,8 +1,8 @@
# Copyright (c) 2014 The CoreOS Authors. All rights reserved. # Copyright (c) 2014 The CoreOS Authors. All rights reserved.
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
# disable gentoo-only bits and replace sysvinit # replace sysvinit and disable gentoo-only bits
sys-apps/systemd vanilla sysv-utils sys-apps/systemd sysv-utils vanilla
# dbus without systemd conflicts with systemd # dbus without systemd conflicts with systemd
sys-apps/dbus systemd sys-apps/dbus systemd


@ -1 +1,2 @@
- Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service` - Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service`
- Check if our preset setup in `multilib_src_install_all` is in sync with `systemd/systemd:presets/90-systemd.preset`.


@ -1 +1 @@
DIST systemd-stable-250.7.tar.gz 11214975 BLAKE2B 5d94b4b1f8b0cd6e8284a89ac0d4bd373eccdad2c3d6e6c453df79c8df47ee0f9cfbde764b72b1f9d172d07e2d9f1f1f41c1ab254cf4abd0722469ebc3ad7cf8 SHA512 99bc6f0c9757b280cb694f3fb4d6fe04d5ce55583eb2bae5ddeb324bb5ee9930c1720fcc27293d90cddba188473653ec541a471ae8115710a5850c26d0ba215d DIST systemd-stable-251.10.tar.gz 11461671 BLAKE2B a351b6dd9fc307e4bdcf0323b16e7f58c714392cfa466180a81196309c289b54767bfe5d03037eb1bd6b273d7eb8f6f42b927aabaa1310be04266675d1a3dd06 SHA512 49e33dbbc1b2ebe123b2f722070c87524b3126d1e605fb3e24a3f9f328ab67de506dc4588a92caf157428c21b9c73c3884726c4a5b1f67bb997d4a68bb871e5b
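Review bot: the BLAKE2B and SHA512 digests for systemd-stable-251.10.tar.gz are the only integrity check on the source, and nothing in the PR shows how they were produced; regenerate the Manifest locally with `ebuild <ebuild> manifest` against the tarball fetched from SRC_URI and compare with the upstream release before merging, rather than accepting pasted values.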


@ -1,6 +0,0 @@
[Service]
# By running with these options instead of root, networkd is allowed to request
# a hostname change via DBUS when policykit is not present
User=systemd-network
Group=systemd-hostname
AmbientCapabilities=CAP_SYS_ADMIN
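Review bot: this drop-in ran systemd-hostnamed as `User=systemd-network` with `AmbientCapabilities=CAP_SYS_ADMIN` so networkd could change the hostname over D-Bus without polkit; deleting it together with the hostnamed-fallback flag returns hostnamed to upstream defaults, which is the tighter configuration, but the PR calls this a "cleanup". Call out the behavioural change (hostname changes from networkd without polkit are no longer supported) so it is visible to anyone who relied on it.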


@ -1,7 +1,7 @@
From d13deba6bad21e796829b83b00dce03085b0ab14 Mon Sep 17 00:00:00 2001 From 48b7456e73800ccabef09416ec9e1480781613e7 Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com> From: David Michael <dm0@redhat.com>
Date: Tue, 16 Apr 2019 02:44:51 +0000 Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH 1/8] wait-online: set --any by default Subject: [PATCH 1/6] wait-online: set --any by default
The systemd-networkd-wait-online command would normally continue The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are waiting after a network interface is usable if other interfaces are
@ -28,5 +28,5 @@ index a679b858fa..3b6dad8d1d 100644
STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
-- --
2.35.1 2.25.1


@ -1,17 +1,17 @@
From 2a8f5356c608e6f4512ade1b3ce2176f4491bce1 Mon Sep 17 00:00:00 2001 From b4ce1af6005f6137774ba69fb1db5b320a853513 Mon Sep 17 00:00:00 2001
From: Nick Owens <nick.owens@coreos.com> From: Nick Owens <nick.owens@coreos.com>
Date: Tue, 2 Jun 2015 18:22:32 -0700 Date: Tue, 2 Jun 2015 18:22:32 -0700
Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting Subject: [PATCH 2/6] networkd: default to "kernel" IPForwarding setting
--- ---
src/network/networkd-network.c | 1 + src/network/networkd-network.c | 1 +
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 873ad2e703..4395dce4e2 100644 index 39ea4eddd0..9780f920f1 100644
--- a/src/network/networkd-network.c --- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c +++ b/src/network/networkd-network.c
@@ -458,6 +458,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi @@ -464,6 +464,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.link_local = _ADDRESS_FAMILY_INVALID, .link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID, .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
@ -20,5 +20,5 @@ index 873ad2e703..4395dce4e2 100644
.ipv4_route_localnet = -1, .ipv4_route_localnet = -1,
.ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
-- --
2.35.1 2.25.1


@ -1,7 +1,7 @@
From 5ba2f094ba91f8f52a4b3c0aca83e2fe344594d8 Mon Sep 17 00:00:00 2001 From bce25cf9f7914804515fdcf8852e7aec37d9d99a Mon Sep 17 00:00:00 2001
From: Alex Crawford <alex.crawford@coreos.com> From: Alex Crawford <alex.crawford@coreos.com>
Date: Wed, 2 Mar 2016 10:46:33 -0800 Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 3/8] needs-update: don't require strictly newer usr Subject: [PATCH 3/6] needs-update: don't require strictly newer usr
Updates should be triggered whenever usr changes, not only when it is newer. Updates should be triggered whenever usr changes, not only when it is newer.
--- ---
@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
This requires that updates to <filename>/usr/</filename> are always This requires that updates to <filename>/usr/</filename> are always
followed by an update of the modification time of followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c diff --git a/src/shared/condition.c b/src/shared/condition.c
index 68fbbf643a..306089cd26 100644 index 0f06944fb0..c7c9a411a3 100644
--- a/src/shared/condition.c --- a/src/shared/condition.c
+++ b/src/shared/condition.c +++ b/src/shared/condition.c
@@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) { @@ -758,7 +758,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate... * First, compare seconds as they are always accurate...
*/ */
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@ -35,7 +35,7 @@ index 68fbbf643a..306089cd26 100644
/* /*
* ...then compare nanoseconds. * ...then compare nanoseconds.
@@ -780,7 +780,7 @@ static int condition_test_needs_update(Condition *c, char **env) { @@ -769,7 +769,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)). * (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/ */
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@ -44,7 +44,7 @@ index 68fbbf643a..306089cd26 100644
_cleanup_free_ char *timestamp_str = NULL; _cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str); r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
@@ -799,7 +799,7 @@ static int condition_test_needs_update(Condition *c, char **env) { @@ -789,7 +789,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true; return true;
} }
@ -54,5 +54,5 @@ index 68fbbf643a..306089cd26 100644
static int condition_test_first_boot(Condition *c, char **env) { static int condition_test_first_boot(Condition *c, char **env) {
-- --
2.35.1 2.25.1


@ -1,7 +1,7 @@
From 75c683b81fcdb47eaa9aa6c4355ed96296d6d547 Mon Sep 17 00:00:00 2001 From 485151e5ecc94402d81ff755c02a244980f931fa Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io> From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Thu, 22 Apr 2021 20:08:33 +0530 Date: Thu, 22 Apr 2021 20:08:33 +0530
Subject: [PATCH 4/8] core: use max for DefaultTasksMax Subject: [PATCH 4/6] core: use max for DefaultTasksMax
Since systemd v228, systemd has a DefaultTasksMax which defaulted Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This to 512, later 15% of the system's maximum number of PIDs. This
@ -21,10 +21,10 @@ Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
3 files changed, 3 insertions(+), 3 deletions(-) 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 3805a010e2..48d9061d16 100644 index b104044cc2..32e07f8e5e 100644
--- a/man/systemd-system.conf.xml --- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml
@@ -404,7 +404,7 @@ @@ -448,7 +448,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception for details. This setting applies to all unit types that support resource control settings, with the exception
@ -34,10 +34,10 @@ index 3805a010e2..48d9061d16 100644
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores. Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915, For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/main.c b/src/core/main.c diff --git a/src/core/main.c b/src/core/main.c
index 57aedb9b93..a8859478a9 100644 index 79c0e0fbf6..4d72ba3b24 100644
--- a/src/core/main.c --- a/src/core/main.c
+++ b/src/core/main.c +++ b/src/core/main.c
@@ -98,7 +98,7 @@ @@ -100,7 +100,7 @@
#include <sanitizer/lsan_interface.h> #include <sanitizer/lsan_interface.h>
#endif #endif
@ -47,10 +47,10 @@ index 57aedb9b93..a8859478a9 100644
static enum { static enum {
ACTION_RUN, ACTION_RUN,
diff --git a/src/core/system.conf.in b/src/core/system.conf.in diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 96fb64d2c1..7a71efbb0a 100644 index 67e55f10a2..8ba48406b1 100644
--- a/src/core/system.conf.in --- a/src/core/system.conf.in
+++ b/src/core/system.conf.in +++ b/src/core/system.conf.in
@@ -54,7 +54,7 @@ @@ -56,7 +56,7 @@
#DefaultBlockIOAccounting=no #DefaultBlockIOAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes #DefaultTasksAccounting=yes
@ -60,5 +60,5 @@ index 96fb64d2c1..7a71efbb0a 100644
#DefaultLimitFSIZE= #DefaultLimitFSIZE=
#DefaultLimitDATA= #DefaultLimitDATA=
-- --
2.35.1 2.25.1


@ -1,7 +1,7 @@
From 170a29c01603c8815edf019bdc0ddc29c986e1a2 Mon Sep 17 00:00:00 2001 From 505f92caa2e1d93cf385dbeaefa9225eff4422b4 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com> From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 20 Dec 2016 16:43:22 +0000 Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks Subject: [PATCH 5/6] systemd: Disable SELinux permissions checks
We don't care about the interaction between systemd and SELinux policy, so We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy let's just disable these checks rather than having to incorporate policy
@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index ad098e99df..8b341184a2 100644 index 2b6a6a654a..5a0b8f5dc0 100644
--- a/src/core/selinux-access.c --- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c +++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
@ -25,5 +25,5 @@ index ad098e99df..8b341184a2 100644
#include <errno.h> #include <errno.h>
#include <selinux/avc.h> #include <selinux/avc.h>
-- --
2.35.1 2.25.1
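Review bot: the rebase carries forward the patch that disables systemd's own SELinux permission checks in src/core/selinux-access.c while package.use still enables the selinux USE flag; the patch description explains this is deliberate (policy is only meant to confine containers), but the PR should restate that after the 251 bump systemd's access checks on the host remain disabled, since a reader seeing `selinux` in package.use would assume otherwise.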


@ -1,7 +1,7 @@
From 925d668d820d728ec58e470fd64cdff1504d8e04 Mon Sep 17 00:00:00 2001 From 12e90f7f45e4693e6e366c7c894939a18fc86437 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com> From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 21 Jan 2022 19:17:11 +0100 Date: Fri, 21 Jan 2022 19:17:11 +0100
Subject: [PATCH 7/8] Revert "getty: Pass tty to use by agetty via stdin" Subject: [PATCH 6/6] Revert "getty: Pass tty to use by agetty via stdin"
This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
@ -89,5 +89,5 @@ index 2433124c55..bb7af3105d 100644
TTYReset=yes TTYReset=yes
TTYVHangup=yes TTYVHangup=yes
-- --
2.35.1 2.25.1


@ -1,84 +0,0 @@
From 8f007876ee3ac88087a8b24c252e9187e754c880 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Wed, 8 Sep 2021 12:10:35 +0530
Subject: [PATCH 6/8] core: handle lookup paths being symlinks
With a recent change paths leaving the statically known lookup paths
would be treated differently then those that remained within those. That
was done (AFAIK) to consistently handle alias names. Unfortunately that
means that on some distributions, especially those where /etc/ consists
mostly of symlinks, would trigger that new detection for every single
unit in /etc/systemd/system. The reason for that is that the units
directory itself is already a symlink.
Original Patch from: https://github.com/systemd/systemd/pull/20479
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
---
src/basic/unit-file.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c
index faea92f66d..b024df21a9 100644
--- a/src/basic/unit-file.c
+++ b/src/basic/unit-file.c
@@ -280,6 +280,7 @@ int unit_file_build_name_map(
_cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL;
_cleanup_set_free_free_ Set *paths = NULL;
+ _cleanup_strv_free_ char **expanded_search_paths = NULL;
uint64_t timestamp_hash;
char **dir;
int r;
@@ -299,6 +300,34 @@ int unit_file_build_name_map(
return log_oom();
}
+ /* Go over all our search paths, chase their symlinks and store the
+ * result in the expanded_search_paths list.
+ *
+ * This is important for cases where any of the unit directories itself
+ * are symlinks into other directories and would therefore cause all of
+ * the unit files to be recognized as linked units.
+ *
+ * This is important for distributions such as NixOS where most paths
+ * in /etc/ are symlinks to some other location on the filesystem (e.g.
+ * into /nix/store/).
+ */
+ STRV_FOREACH(dir, (char**) lp->search_path) {
+ _cleanup_free_ char *resolved_dir = NULL;
+ r = strv_extend(&expanded_search_paths, *dir);
+ if (r < 0)
+ return log_oom();
+
+ r = chase_symlinks(*dir, NULL, 0, &resolved_dir, NULL);
+ if (r < 0) {
+ if (r != -ENOENT)
+ log_warning_errno(r, "Failed to resolve symlink %s, ignoring: %m", *dir);
+ continue;
+ }
+
+ if (strv_consume(&expanded_search_paths, TAKE_PTR(resolved_dir)) < 0)
+ return log_oom();
+ }
+
STRV_FOREACH(dir, (char**) lp->search_path) {
_cleanup_closedir_ DIR *d = NULL;
@@ -424,11 +453,11 @@ int unit_file_build_name_map(
continue;
}
- /* Check if the symlink goes outside of our search path.
+ /* Check if the symlink goes outside of our (expanded) search path.
* If yes, it's a linked unit file or mask, and we don't care about the target name.
* Let's just store the link source directly.
* If not, let's verify that it's a good symlink. */
- char *tail = path_startswith_strv(simplified, lp->search_path);
+ char *tail = path_startswith_strv(simplified, expanded_search_paths);
if (!tail) {
log_debug("%s: linked unit file: %s → %s",
__func__, filename, simplified);
--
2.35.1
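Review bot: the removal of 0006-core-handle-lookup-paths-being-symlinks.patch is not explained anywhere in the PR; the patch header points at systemd/systemd#20479, so confirm in the commit message that the fix (or an equivalent) is in 251.10 rather than that the patch was dropped because it stopped applying, otherwise unit directories that are themselves symlinks would regress to being treated as linked units as the patch description warns.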


@ -0,0 +1,28 @@
https://github.com/systemd/systemd/commit/d0523bb0d12766485fde3b87bb42db8dfc3c45d3
https://github.com/systemd/systemd/issues/24978
From d0523bb0d12766485fde3b87bb42db8dfc3c45d3 Mon Sep 17 00:00:00 2001
From: David Seifert <soap@gentoo.org>
Date: Wed, 12 Oct 2022 21:47:29 +0200
Subject: [PATCH] gpt-auto: allow using without cryptsetup
Fixes #24978
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -571,11 +571,15 @@ static int add_root_rw(DissectedPartition *p) {
#if ENABLE_EFI
static int add_root_cryptsetup(void) {
+#if HAVE_LIBCRYPTSETUP
/* If a device /dev/gpt-auto-root-luks appears, then make it pull in systemd-cryptsetup-root.service, which
* sets it up, and causes /dev/gpt-auto-root to appear which is all we are looking for. */
return add_cryptsetup("root", "/dev/gpt-auto-root-luks", true, false, NULL);
+#else
+ return 0;
+#endif
}
#endif
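Review bot: with `HAVE_LIBCRYPTSETUP` unset, `add_root_cryptsetup()` now returns 0 silently, so a `/dev/gpt-auto-root-luks` device that the generator would otherwise wire up is ignored without any log line; since the ebuild applies this patch regardless of USE=cryptsetup, consider a `log_debug()` in the `#else` branch (or a sentence in the patch header) saying that encrypted-root auto-discovery is compiled out, so the silent no-op is diagnosable.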


@ -1,11 +0,0 @@
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy group="systemd-hostname">
<allow own="org.freedesktop.hostname1"/>
<allow send_destination="org.freedesktop.hostname1"/>
<allow receive_sender="org.freedesktop.hostname1"/>
</policy>
</busconfig>


@ -9,7 +9,6 @@
<subslots>Incremented for ABI breaks in libudev or libsystemd</subslots> <subslots>Incremented for ABI breaks in libudev or libsystemd</subslots>
</slots> </slots>
<use> <use>
<flag name="apparmor">Enable AppArmor support</flag>
<flag name="audit">Enable support for <pkg>sys-process/audit</pkg></flag> <flag name="audit">Enable support for <pkg>sys-process/audit</pkg></flag>
<flag name="cgroup-hybrid">Default to hybrid (legacy) cgroup hierarchy instead of unified (modern).</flag> <flag name="cgroup-hybrid">Default to hybrid (legacy) cgroup hierarchy instead of unified (modern).</flag>
<flag name="curl">Enable support for uploading journals</flag> <flag name="curl">Enable support for uploading journals</flag>
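Review bot: `<flag name="apparmor">` is removed from metadata.xml, but the ebuild hunk below leaves `apparmor` in IUSE; a USE flag without a metadata description is reported by the QA tooling (pkgcheck/repoman). Either keep the description or drop the flag from IUSE as well.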
@ -20,7 +19,6 @@
<flag name="fido2">Enable FIDO2 support</flag> <flag name="fido2">Enable FIDO2 support</flag>
<flag name="gcrypt">Enable use of <pkg>dev-libs/libgcrypt</pkg> for various features</flag> <flag name="gcrypt">Enable use of <pkg>dev-libs/libgcrypt</pkg> for various features</flag>
<flag name="homed">Enable portable home directories</flag> <flag name="homed">Enable portable home directories</flag>
<flag name="hostnamed-fallback">Enable setting hostname with networkd/hostnamed without polkit (requires running <pkg>sys-apps/dbus-broker</pkg>)</flag>
<flag name="http">Enable embedded HTTP server in journald</flag> <flag name="http">Enable embedded HTTP server in journald</flag>
<flag name="importd">Enable import daemon</flag> <flag name="importd">Enable import daemon</flag>
<flag name="iptables">Use libiptc from <pkg>net-firewall/iptables</pkg> for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables</flag> <flag name="iptables">Use libiptc from <pkg>net-firewall/iptables</pkg> for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables</flag>


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI=7 EAPI=7
PYTHON_COMPAT=( python3_{8..10} ) PYTHON_COMPAT=( python3_{8..11} )
# Avoid QA warnings # Avoid QA warnings
TMPFILES_OPTIONAL=1 TMPFILES_OPTIONAL=1
@ -23,12 +23,14 @@ else
MY_P=${MY_PN}-${MY_PV} MY_P=${MY_PN}-${MY_PV}
S=${WORKDIR}/${MY_P} S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86" # Flatcar: Mark as stable.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi fi
inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam
# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript. # Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
# Adding tmpfiles, since we use it for installing some files. # Adding tmpfiles, since we use it for installing some files.
inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles inherit python-any-r1 systemd tmpfiles toolchain-funcs udev
DESCRIPTION="System and service manager for Linux" DESCRIPTION="System and service manager for Linux"
HOMEPAGE="http://systemd.io/" HOMEPAGE="http://systemd.io/"
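Review bot: the `# Flatcar: Mark as stable.` comment sits above a KEYWORDS line that, compared with the previous line, demotes arm, hppa, ppc, ppc64, sparc and x86 from stable to `~` and keeps only amd64 and arm64 stable; reword the comment to name the arches being marked stable so the next rebase does not "fix" it back to the upstream line.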
@ -36,8 +38,8 @@ HOMEPAGE="http://systemd.io/"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain" LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2" SLOT="0/2"
IUSE=" IUSE="
acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils acl apparmor audit cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd iptables +kmod fido2 +gcrypt gnuefi gnutls homed http idn importd iptables +kmod
+lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd
" "
@ -45,12 +47,11 @@ REQUIRED_USE="
dns-over-tls? ( || ( gnutls openssl ) ) dns-over-tls? ( || ( gnutls openssl ) )
homed? ( cryptsetup pam openssl ) homed? ( cryptsetup pam openssl )
importd? ( curl lzma || ( gcrypt openssl ) ) importd? ( curl lzma || ( gcrypt openssl ) )
policykit? ( !hostnamed-fallback )
pwquality? ( homed ) pwquality? ( homed )
" "
RESTRICT="!test? ( test )" RESTRICT="!test? ( test )"
MINKV="3.11" MINKV="4.15"
COMMON_DEPEND=" COMMON_DEPEND="
>=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
@ -128,10 +129,6 @@ RDEPEND="${COMMON_DEPEND}
>=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-resolve-0-r1
>=acct-user/systemd-timesync-0-r1 >=acct-user/systemd-timesync-0-r1
>=sys-apps/baselayout-2.2 >=sys-apps/baselayout-2.2
hostnamed-fallback? (
acct-group/systemd-hostname
sys-apps/dbus-broker
)
selinux? ( selinux? (
sec-policy/selinux-base-policy[systemd] sec-policy/selinux-base-policy[systemd]
) )
@ -141,11 +138,6 @@ RDEPEND="${COMMON_DEPEND}
) )
!sysv-utils? ( sys-apps/sysvinit ) !sysv-utils? ( sys-apps/sysvinit )
resolvconf? ( !net-dns/openresolv ) resolvconf? ( !net-dns/openresolv )
!build? ( || (
sys-apps/util-linux[kill(-)]
sys-process/procps[kill(+)]
sys-apps/coreutils[kill(-)]
) )
!sys-apps/hwids[udev] !sys-apps/hwids[udev]
!sys-auth/nss-myhostname !sys-auth/nss-myhostname
!sys-fs/eudev !sys-fs/eudev
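Review bot: removing the `build` USE flag turns `!build? ( || ( ...[kill] ) )` into nothing rather than into an unconditional dependency; confirm that dropping the kill-provider requirement entirely is intended (and matches the upstream ebuild), because it is not the mechanical result of deleting the flag.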
@ -180,8 +172,8 @@ BDEPEND="
" "
python_check_deps() { python_check_deps() {
has_version -b "dev-python/jinja[${PYTHON_USEDEP}]" && python_has_version "dev-python/jinja[${PYTHON_USEDEP}]" &&
has_version -b "dev-python/lxml[${PYTHON_USEDEP}]" python_has_version "dev-python/lxml[${PYTHON_USEDEP}]"
} }
QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
@ -195,7 +187,7 @@ pkg_pretend() {
fi fi
local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS
~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
@ -204,9 +196,6 @@ pkg_pretend() {
use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL"
use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER"
kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG"
kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES"
kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF"
if kernel_is -ge 5 10 20; then if kernel_is -ge 5 10 20; then
CONFIG_CHECK+=" ~KCMP" CONFIG_CHECK+=" ~KCMP"
@ -249,21 +238,15 @@ src_unpack() {
} }
src_prepare() { src_prepare() {
# Do NOT add patches here local PATCHES=(
local PATCHES=() "${FILESDIR}/251-gpt-auto-no-cryptsetup.patch"
[[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
# Add local patches here
PATCHES+=(
# Flatcar: Adding our own patches here. # Flatcar: Adding our own patches here.
"${FILESDIR}/0001-wait-online-set-any-by-default.patch" "${FILESDIR}/0001-wait-online-set-any-by-default.patch"
"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch" "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0006-core-handle-lookup-paths-being-symlinks.patch" "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
"${FILESDIR}/0007-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
) )
if ! use vanilla; then if ! use vanilla; then
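Review bot: the `[[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )` hook is deleted together with the "Do NOT add patches here" guard; if src_unpack (outside this diff) still unpacks a patch tarball into `${WORKDIR}/patches`, those patches are now silently skipped, so confirm it no longer does. Also, the new `251-gpt-auto-no-cryptsetup.patch` is placed above the `# Flatcar: Adding our own patches here.` comment, so that comment no longer describes the whole array; move the upstream backport under its own comment.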
@ -274,6 +257,9 @@ src_prepare() {
) )
fi fi
# Fails with split-usr.
sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
# CoreDNS which has dnsPolicy "default", but unless the # CoreDNS which has dnsPolicy "default", but unless the
# kubelet --resolv-conf flag is set to point to # kubelet --resolv-conf flag is set to point to
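Review bot: `sed -i -e '2i exit 77' test/test-rpm-macros.sh` runs unconditionally although the comment says the test fails with split-usr; either guard it with `use split-usr &&` or reword the comment, otherwise the test is skipped on merged-usr builds too and the comment misleads the next reader.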
@ -296,9 +282,7 @@ src_configure() {
# Prevent conflicts with i686 cross toolchain, bug 559726 # Prevent conflicts with i686 cross toolchain, bug 559726
tc-export AR CC NM OBJCOPY RANLIB tc-export AR CC NM OBJCOPY RANLIB
# Broken with FORTIFY_SOURCE=3 without a patch. And the patch # Broken with FORTIFY_SOURCE=3: bug #841770.
# wasn't backported to 250.x, but it turns out to break Clang
# anyway: bug #841770.
# #
# Our toolchain sets F_S=2 by default w/ >= -O2, so we need # Our toolchain sets F_S=2 by default w/ >= -O2, so we need
# to unset F_S first, then explicitly set 2, to negate any default # to unset F_S first, then explicitly set 2, to negate any default
@ -330,9 +314,13 @@ multilib_src_configure() {
-Dpamlibdir="$(getpam_mod_dir)" -Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep # avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)" -Dbashcompletiondir="$(get_bashcompdir)"
# make sure we get /bin:/sbin in PATH
$(meson_use split-usr) $(meson_use split-usr)
# Flatcar: Always set split-bin to true, we always
# have separate bin and sbin directories
-Dsplit-bin=true -Dsplit-bin=true
# Flatcar: Use get_rootprefix. No functional change
# from upstream, just refactoring the common code used
# in some places.
-Drootprefix="$(get_rootprefix)" -Drootprefix="$(get_rootprefix)"
-Drootlibdir="${EPREFIX}/usr/$(get_libdir)" -Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
# Avoid infinite exec recursion, bug 642724 # Avoid infinite exec recursion, bug 642724
@ -435,7 +423,6 @@ multilib_src_configure() {
-Ddefault-net-naming-scheme=latest -Ddefault-net-naming-scheme=latest
# Flatcar: Unported options, still needed? # Flatcar: Unported options, still needed?
-Defi-cc="$(tc-getCC)"
-Dquotaon-path=/usr/sbin/quotaon -Dquotaon-path=/usr/sbin/quotaon
-Dquotacheck-path=/usr/sbin/quotacheck -Dquotacheck-path=/usr/sbin/quotacheck
) )
@ -450,6 +437,9 @@ multilib_src_test() {
multilib_src_install_all() { multilib_src_install_all() {
local rootprefix=$(usex split-usr '' /usr) local rootprefix=$(usex split-usr '' /usr)
# Flatcar: We always have bin separate from sbin
# local sbin=$(usex split-usr sbin bin)
local sbin='sbin'
# meson doesn't know about docdir # meson doesn't know about docdir
mv "${ED}"/usr/share/doc/{systemd,${PF}} || die mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
@ -460,18 +450,20 @@ multilib_src_install_all() {
# dodoc "${FILESDIR}"/nsswitch.conf # dodoc "${FILESDIR}"/nsswitch.conf
if ! use resolvconf; then if ! use resolvconf; then
rm -f "${ED}${rootprefix}"/sbin/resolvconf || die rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die
fi fi
rm "${ED}"/etc/init.d/README || die rm "${ED}"/etc/init.d/README || die
rm "${ED}${rootprefix}"/lib/systemd/system-generators/systemd-sysv-generator || die rm "${ED}${rootprefix}"/lib/systemd/system-generators/systemd-sysv-generator || die
if ! use sysv-utils; then if ! use sysv-utils; then
rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die rm "${ED}${rootprefix}/${sbin}"/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die
rm "${ED}"/usr/share/man/man1/init.1 || die rm "${ED}"/usr/share/man/man1/init.1 || die
rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die
fi fi
# Flatcar: We always have bin separate from sbin, so drop the
# "&& use split-usr" part.
if ! use resolvconf && ! use sysv-utils; then if ! use resolvconf && ! use sysv-utils; then
rmdir "${ED}${rootprefix}"/sbin || die rmdir "${ED}${rootprefix}"/sbin || die
fi fi
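Review bot: the two `rm` lines switch to `${rootprefix}/${sbin}` but the `rmdir` three lines below keeps the literal `${rootprefix}/sbin`; with `sbin='sbin'` they are equivalent today, but use `"${sbin}"` in the rmdir as well so the block has one source of truth and the Flatcar comment above it stays accurate.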
@ -510,16 +502,6 @@ multilib_src_install_all() {
dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
fi fi
# workaround for https://github.com/systemd/systemd/issues/13501
if use hostnamed-fallback; then
# this file requires dbus-broker
insinto /usr/share/dbus-1/system.d/
doins "${FILESDIR}/org.freedesktop.hostname1_no_polkit.conf"
insinto "${rootprefix}/lib/systemd/system/systemd-hostnamed.service.d/"
doins "${FILESDIR}/00-hostnamed-network-user.conf"
fi
# Flatcar: gen_usr_ldscript is likely for static libs, so we # Flatcar: gen_usr_ldscript is likely for static libs, so we
# dropped it. # dropped it.
# gen_usr_ldscript -a systemd udev # gen_usr_ldscript -a systemd udev
@ -678,16 +660,16 @@ migrate_locale() {
pkg_preinst() { pkg_preinst() {
if ! use split-usr; then if ! use split-usr; then
local dir local dir
# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
for dir in bin sbin lib; do for dir in bin sbin lib; do
if [[ ! ${EROOT}/${dir} -ef ${EROOT}/usr/${dir} ]]; then if [[ ! -L ${EROOT}/${dir} ]]; then
eerror "\"${EROOT}/${dir}\" and \"${EROOT}/usr/${dir}\" are not merged." eerror "'${EROOT}/${dir}' is not a symbolic link."
eerror "One of them should be a symbolic link to the other one."
FAIL=1 FAIL=1
fi fi
done done
if [[ ${FAIL} ]]; then if [[ ${FAIL} ]]; then
eerror "Migration to system layout with merged directories must be performed before" eerror "Migration to system layout with merged directories must be performed before"
eerror "rebuilding ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
die "System layout with split directories still used" die "System layout with split directories still used"
fi fi
fi fi
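Review bot: replacing the `-ef` test with `[[ ! -L ${EROOT}/${dir} ]]` is stricter: a layout where `/usr/${dir}` is the symlink pointing at `/${dir}` passed the old check (the removed message even said either side could link to the other) and now fails with "is not a symbolic link". If only `/${dir} -> /usr/${dir}` is supported that is fine, but the eerror text should say which direction is required so the failure is actionable.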
@ -726,14 +708,6 @@ pkg_postinst() {
eerror "systemd again." eerror "systemd again."
eerror eerror
fi fi
if use hostnamed-fallback; then
if ! systemctl --root="${ROOT:-/}" is-enabled --quiet dbus-broker.service 2>/dev/null; then
ewarn "dbus-broker.service is not enabled, systemd-hostnamed will fail to run."
ewarn "To enable dbus-broker.service run the next command as root:"
ewarn "systemctl enable dbus-broker.service"
fi
fi
} }
pkg_prerm() { pkg_prerm() {