From 493f02ce690a999df4a8a9adea155fdf54697062 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 4 Mar 2026 13:39:50 +0100 Subject: [PATCH] overlay coreos/user-patches: Regenerate patches for sys-apps/systemd 
Signed-off-by: Krzesimir Nowak --- .../0001-wait-online-set-any-by-default.patch | 10 ++-- ...ate-don-t-require-strictly-newer-usr.patch | 16 +++--- ...003-core-use-max-for-DefaultTasksMax.patch | 18 +++---- ...d-Disable-SELinux-permissions-checks.patch | 8 +-- ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 48 ++++++++++-------- ...s-Keep-using-old-journal-file-format.patch | 6 +-- ...NS-issues-with-default-k8s-configura.patch | 5 +- ...multi-user.target-the-default-target.patch | 31 ++++++------ ...penat-directly-but-resolve-symlinks.patch} | 6 +-- ...age-Follow-symlinks-in-a-given-root.patch} | 6 +-- ...t-image-name-for-extension-release-.patch} | 12 ++--- ...r-handling-symlinks-with-systemd-sy.patch} | 7 +-- ...table-directory-with-the-right-mode.patch} | 6 +-- ...kip-refresh-if-no-changes-are-found.patch} | 6 +-- ...t-verity-user-certs-from-given-root.patch} | 50 +++++++++++-------- ...sysext-introduce-global-config-file.patch} | 6 +-- ...onf-add-systemd-sysext-config-files.patch} | 6 +-- ...rt-ImagePolicy-global-config-option.patch} | 6 +-- ...t-Fix-config-file-support-with-root.patch} | 4 +- ...SC-event-field-if-etc-machine-id-do.patch} | 19 ++++--- .../user-patches/sys-apps/systemd/README.md | 20 +++++++- 21 files changed, 171 insertions(+), 125 deletions(-) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0001-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch => 0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch} (87%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0002-discover-image-Follow-symlinks-in-a-given-root.patch => 0010-discover-image-Follow-symlinks-in-a-given-root.patch} (99%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0003-sysext-Use-correct-image-name-for-extension-release-.patch => 0011-sysext-Use-correct-image-name-for-extension-release-.patch} (86%) rename 
sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0004-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch => 0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch} (98%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0005-sysext-Create-mutable-directory-with-the-right-mode.patch => 0013-sysext-Create-mutable-directory-with-the-right-mode.patch} (92%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0006-sysext-Skip-refresh-if-no-changes-are-found.patch => 0014-sysext-Skip-refresh-if-no-changes-are-found.patch} (99%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0007-sysext-Get-verity-user-certs-from-given-root.patch => 0015-sysext-Get-verity-user-certs-from-given-root.patch} (91%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0008-sysext-introduce-global-config-file.patch => 0016-sysext-introduce-global-config-file.patch} (95%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0009-man-sysext.conf-add-systemd-sysext-config-files.patch => 0017-man-sysext.conf-add-systemd-sysext-config-files.patch} (97%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0010-sysext-support-ImagePolicy-global-config-option.patch => 0018-sysext-support-ImagePolicy-global-config-option.patch} (93%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0011-sysext-Fix-config-file-support-with-root.patch => 0019-sysext-Fix-config-file-support-with-root.patch} (98%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0001-handle-missing-machine-id.patch => 0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch} (72%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index 6cbf8caa1b..3625fda73f 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From 61ae07bbf1d7032eef32137b1fe299647602e3de Mon Sep 17 00:00:00 2001 +From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH] wait-online: set --any by default +Subject: [PATCH 01/20] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -11,8 +11,8 @@ Preserve previous Container Linux behavior for compatibility by setting the --any flag by default. See patches from v241 (or earlier) for the original implementation. --- - src/network/wait-online/wait-online.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/network/wait-online/wait-online.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c index b1d0b9cde2..e07c11d807 100644 @@ -28,5 +28,5 @@ index b1d0b9cde2..e07c11d807 100644 STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_freep); -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch index b2b93ebb85..d785014aea 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ -From 5097368cb45b455355165706876509272e49d538 Mon Sep 17 00:00:00 2001 +From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 2/8] needs-update: don't require strictly newer usr +Subject: [PATCH 02/20] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- @@ -10,10 +10,10 @@ Updates should be triggered whenever usr changes, not only when it is newer. 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml -index 6b863ecff3..c166c5e7ab 100644 +index d9d78262a1..761bbdecca 100644 --- a/man/systemd-update-done.service.xml +++ b/man/systemd-update-done.service.xml -@@ -50,7 +50,7 @@ +@@ -49,7 +49,7 @@ ConditionNeedsUpdate= (see systemd.unit5) condition to make sure to run when /etc/ or @@ -23,10 +23,10 @@ index 6b863ecff3..c166c5e7ab 100644 This requires that updates to /usr/ are always followed by an update of the modification time of diff --git a/src/shared/condition.c b/src/shared/condition.c -index 1a03fdbe37..8577c35fa0 100644 +index b09eff1bfb..3a170b1820 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -817,7 +817,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * First, compare seconds as they are always accurate... */ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) 
@@ -35,7 +35,7 @@ index 1a03fdbe37..8577c35fa0 100644 /* * ...then compare nanoseconds. -@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -828,7 +828,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * (otherwise the filesystem supports nsec timestamps, see stat(2)). */ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) @@ -44,7 +44,7 @@ index 1a03fdbe37..8577c35fa0 100644 _cleanup_free_ char *timestamp_str = NULL; r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -848,7 +848,7 @@ static int condition_test_needs_update(Condition *c, char **env) { return true; } diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch index e11beb5457..446428fbb6 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From 18ce110c4a4a5065ac9003ef67ccd58ada6d3c38 Mon Sep 17 00:00:00 2001 +From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 -Subject: [PATCH 3/8] core: use max for DefaultTasksMax +Subject: [PATCH 03/20] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index f7b414da5c..9c07e235ab 100644 +index cf5a3612f6..a0f9f8ba57 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml -@@ -230,7 +230,7 @@ +@@ -227,7 +227,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception @@ -34,10 +34,10 @@ index f7b414da5c..9c07e235ab 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/manager.c b/src/core/manager.c -index e9fa84079d..af8d3c7b41 100644 +index 20a535f2f4..be1c352045 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -117,7 +117,7 @@ +@@ -112,7 +112,7 @@ /* How many units and jobs to process of the bus queue before returning to the event loop. */ #define MANAGER_BUS_MESSAGE_BUDGET 100U @@ -45,12 +45,12 @@ index e9fa84079d..af8d3c7b41 100644 +#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); - static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); + static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 1c08aa4d22..2faea3605e 100644 +index 54196e8489..b0b5c78b56 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -59,7 +59,7 @@ +@@ -58,7 +58,7 @@ #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch index d22e57f183..0903e0e3b7 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,7 +1,7 @@ -From 1716754b1f3ea3d5d3f232d9fe50ba1df0c5eff7 Mon Sep 17 00:00:00 2001 +From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 4/8] systemd: Disable SELinux permissions checks +Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy @@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index a67a520a3b..3365b920eb 100644 +index 8ccc31630d..34e9cebee8 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -2,7 +2,7 @@ @@ -22,8 +22,8 @@ index a67a520a3b..3365b920eb 100644 -#if HAVE_SELINUX +#if 0 - #include #include + #include -- 2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index 0bbf3aff06..0517aea527 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ -From 306da1d06e84a721ac34fbc303b4629b2c1c7257 Mon Sep 17 00:00:00 2001 +From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. @@ -10,22 +10,24 @@ input for serial consoles (which is used for SSH connections). Signed-off-by: Sayan Chowdhury --- - units/console-getty.service.in | 4 +--- - units/container-getty@.service.in | 4 +--- - units/getty@.service.in | 4 +--- - units/serial-getty@.service.in | 4 +--- - 4 files changed, 4 insertions(+), 12 deletions(-) + units/console-getty.service.in | 6 +++--- + units/container-getty@.service.in | 6 +++--- + units/getty@.service.in | 6 +++--- + units/serial-getty@.service.in | 6 +++--- + 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/units/console-getty.service.in b/units/console-getty.service.in -index 967d8337ab..cde822afc8 100644 +index 967d8337ab..1f2d8b910f 100644 --- a/units/console-getty.service.in 
+++ b/units/console-getty.service.in -@@ -20,12 +20,10 @@ Before=getty.target +@@ -20,12 +20,12 @@ Before=getty.target ConditionPathExists=/dev/console [Service] -ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} -+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 console ${TERM} ++# The '-o' option value tells agetty to replace 'login' arguments with '--' for ++# safety, and then the entered username. ++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM} Type=idle Restart=always UtmpIdentifier=cons @@ -35,15 +37,17 @@ index 967d8337ab..cde822afc8 100644 TTYReset=yes TTYVHangup=yes diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in -index e0b27613df..2868d56ad0 100644 +index e0b27613df..5f27653d1f 100644 --- a/units/container-getty@.service.in +++ b/units/container-getty@.service.in -@@ -25,13 +25,11 @@ Conflicts=rescue.service +@@ -25,13 +25,13 @@ Conflicts=rescue.service Before=rescue.service [Service] -ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} -+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d pts/%I ${TERM} ++# The '-o' option value tells agetty to replace 'login' arguments with '--' for ++# safety, and then the entered username. ++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM} Type=idle Restart=always RestartSec=0 @@ -54,15 +58,17 @@ index e0b27613df..2868d56ad0 100644 TTYReset=yes TTYVHangup=yes diff --git a/units/getty@.service.in b/units/getty@.service.in -index 104c4acc96..bedf0aae54 100644 +index 104c4acc96..1819627d1c 100644 --- a/units/getty@.service.in 
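Review bot: The regenerated `ExecStart=` line for console-getty now differs from the upstream line it replaces in two ways beyond the tty argument (`-` → `console`): it drops `--issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d` and reintroduces `-o '-- \\u'` together with its two comment lines, whereas the previous version of this patch only swapped the tty argument. Dropping `--issue-file=` silently changes which issue banners agetty reads, and the inner patch's description still says only that it reverts b4bf9007, so neither change is documented; presumably this is an artifact of regenerating against a base where the surrounding lines moved, but that is inferred. If the extra changes are not intended, the previous form `ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 console ${TERM}` keeps the revert minimal; otherwise the patch description (or the README this commit also touches) should state why `--issue-file=` goes away and `-o '-- \\u'` comes back. The same pattern appears in the container-getty@, getty@ and serial-getty@ hunks of this file.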
+++ b/units/getty@.service.in -@@ -34,13 +34,11 @@ Before=rescue.service +@@ -34,13 +34,13 @@ Before=rescue.service ConditionPathExists=/dev/tty0 [Service] -ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} -+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d %I ${TERM} ++# The '-o' option value tells agetty to replace 'login' arguments with '--' for ++# safety, and then the entered username. ++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM} Type=idle Restart=always RestartSec=0 @@ -73,15 +79,17 @@ index 104c4acc96..bedf0aae54 100644 TTYReset=yes TTYVHangup=yes diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in -index 0134c83d48..7e5c8797ca 100644 +index 0134c83d48..ba4cbc0edb 100644 --- a/units/serial-getty@.service.in +++ b/units/serial-getty@.service.in -@@ -30,12 +30,10 @@ Conflicts=rescue.service +@@ -30,12 +30,12 @@ Conflicts=rescue.service Before=rescue.service [Service] -ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} -+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 %I ${TERM} ++# The '-o' option value tells agetty to replace 'login' arguments with '--' for ++# safety, and then the entered username. ++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM} Type=idle Restart=always UtmpIdentifier=%I @@ -91,5 +99,5 @@ index 0134c83d48..7e5c8797ca 100644 TTYReset=yes TTYVHangup=yes -- -2.51.0 +2.52.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch index 7cdedc6ba6..38f780cec1 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch @@ -1,7 +1,7 @@ -From 63fe9e7a742c070c83919be74c383f74420e6777 Mon Sep 17 00:00:00 2001 +From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 -Subject: [PATCH 6/8] units: Keep using old journal file format +Subject: [PATCH 06/20] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more @@ -14,7 +14,7 @@ Signed-off-by: Adrian Vladu 2 files changed, 2 insertions(+) diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index 4404af963b..323af7cfb0 100644 +index 1fb080d268..960568aaff 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -30,6 +30,7 @@ IgnoreOnIsolate=yes diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch index 28215448a3..9925f0dfc6 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch @@ -1,7 +1,8 @@ -From a31573ecdeff40d109951750c7adf086c52c2869 Mon Sep 17 00:00:00 2001 +From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 22 Oct 2025 10:39:42 +0200 -Subject: [PATCH 7/8] tmpfiles.d: Fix DNS issues with default k8s configuration +Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s + configuration The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy "default", but unless the kubelet `--resolv-conf` flag is set to point to diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch index a09e66cc70..418a015c0c 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch @@ -1,38 +1,41 @@ -From 3c13363e4b3f2e5bcc762a71460d84b93452f53f Mon Sep 17 00:00:00 2001 +From b3430348f5ae93251076fb4e3b4aecbfa02513b5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:06:57 +0200 -Subject: [PATCH] units: Make multi-user.target the default target +Subject: [PATCH 08/20] units: Make multi-user.target the default target Signed-off-by: Krzesimir Nowak -Signed-off-by: Kai Lueke --- - units/meson.build | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) + units/meson.build | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/units/meson.build b/units/meson.build -index 4f47a3b2bd..9663e21e0c 100644 +index 4f47a3b2bd..63940a72be 100644 --- a/units/meson.build +++ b/units/meson.build -@@ -48,8 +48,7 @@ units = [ +@@ -47,10 +47,7 @@ units = [ + 'file' : 'getty@.service.in', 'symlinks' : ['autovt@.service'], }, - { +- { - 'file' : 'graphical.target', - 'symlinks' : ['default.target'], -+ 'file' : 'graphical.target' - }, +- }, ++ { 'file' : 'graphical.target' }, { 'file' : 'halt.target' }, { -@@ -142,7 +141,9 @@ units = [ + 'file' : 'hibernate.target', +@@ -142,7 +139,10 @@ units = [ 'conditions' : ['ENABLE_MACHINED'], }, { 'file' : 'modprobe@.service' }, - { 'file' : 'multi-user.target' }, -+ { 'file' : 'multi-user.target' , -+ 'symlinks' : ['default.target'] ++ { ++ 'file' : 'multi-user.target', ++ 'symlinks' : ['default.target'], + }, { 'file' : 'network-online.target' }, { 'file' : 'network-pre.target' }, { 'file' : 'network.target' }, -- -2.51.0 +2.52.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch index 2c7319246f..cd41955840 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch 
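Review bot: The regenerated 0008 patch drops the `Signed-off-by: Kai Lueke` trailer that the previous version carried (the `-Signed-off-by: Kai Lueke` line near the top of the hunk) while the other patches in the series keep theirs, e.g. `Signed-off-by: Sayan Chowdhury` in 0005; if the trailer was lost by re-exporting from a branch that lacks it rather than removed on purpose, it should be restored. The same hunk also appends an empty line after the `2.52.0` footer (the lone `+` before the next `diff --git`), which none of the other regenerated patches in view gain and which looks like a stray trailing newline. The meson.build change itself is a cleaner shape than before; nothing to raise there.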
@@ -1,7 +1,7 @@ -From 6f4b065b626edd8a06ff0c8028173e060b5e444b Mon Sep 17 00:00:00 2001 +From 42b6a55f8d2bdf68ff93764219b3bedffb11f4e0 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 -Subject: [PATCH 03/10] vpick: Don't use openat directly but resolve symlinks +Subject: [PATCH 09/20] vpick: Don't use openat directly but resolve symlinks in given root With systemd-sysext --root= all symlinks should be followed relative to @@ -13,7 +13,7 @@ symlink in the given root. 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/shared/vpick.c b/src/shared/vpick.c -index b1b2d93054..dfe58cafa5 100644 +index 07d9d9ffd8..b203609cc9 100644 --- a/src/shared/vpick.c +++ b/src/shared/vpick.c @@ -471,9 +471,9 @@ static int make_choice( diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-discover-image-Follow-symlinks-in-a-given-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-discover-image-Follow-symlinks-in-a-given-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch index fcef9d20ac..3aa92e1e6c 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-discover-image-Follow-symlinks-in-a-given-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch @@ -1,7 +1,7 @@ -From 9b6f1b1d8e1066a513a2939c613b36c9e887512c Mon Sep 17 00:00:00 2001 +From 530ffcd9e3212e0c93002e752b682dd41a8889b1 Mon Sep 17 00:00:00 2001 
From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 -Subject: [PATCH 04/10] discover-image: Follow symlinks in a given root +Subject: [PATCH 10/20] discover-image: Follow symlinks in a given root So far systemd-sysext with --root= specified didn't follow extension symlinks (such as the "current" symlinks managed by systemd-sysupdate). @@ -25,7 +25,7 @@ is to do this for the final system which is trusted at this stage. 1 file changed, 122 insertions(+), 40 deletions(-) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index 1402303a8e..97c4284eca 100644 +index 888f11f206..53ee30c3f8 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -356,6 +356,8 @@ static int image_make( diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-sysext-Use-correct-image-name-for-extension-release-.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-sysext-Use-correct-image-name-for-extension-release-.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch index adedfd3268..01379577a9 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-sysext-Use-correct-image-name-for-extension-release-.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch @@ -1,7 +1,7 @@ -From 5480f56002399069f74f30ce3ef620ec44ecf527 Mon Sep 17 00:00:00 2001 +From 6a95919888a99d92636e0aa28c68d0f95f16e48e Mon Sep 17 00:00:00 2001 
From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 -Subject: [PATCH 3/7] sysext: Use correct image name for extension release +Subject: [PATCH 11/20] sysext: Use correct image name for extension release checks For the extension release check the image name is needed and was derived @@ -21,12 +21,12 @@ device but directly the extension name we have at hand. 2 files changed, 10 insertions(+) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index 91f4407b0e..480ffd221c 100644 +index 53ee30c3f8..2801793d6d 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c -@@ -1822,6 +1822,11 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) { +@@ -1844,6 +1844,11 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) { if (r < 0) - return r; + return log_debug_errno(r, "Failed to decrypt image '%s': %m", i->path); + /* Do not use the image name derived from the backing file of the loop device */ + r = free_and_strdup(&m->image_name, i->name); @@ -53,5 +53,5 @@ index 5d432b42da..72da02cd89 100644 m, d->fd, -- -2.51.1 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch index 3f5c483ad7..b6d24f7193 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch @@ -1,7 +1,8 @@ -From f2e3cd402e64528454d3825681ccf242ff1b46af Mon Sep 17 00:00:00 2001 +From 187e60032a26fb58b8944aac5c48a495f9de2644 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 -Subject: [PATCH 4/7] test: Add tests for handling symlinks with systemd-sysext +Subject: [PATCH 12/20] test: Add tests for handling symlinks with + systemd-sysext When we now allow following symlinks inside a --root= we should also test that it works in various cases from simple relative and absolute @@ -330,5 +331,5 @@ index ecf0b83b1d..3eec224eb6 100755 -- -2.51.1 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-sysext-Create-mutable-directory-with-the-right-mode.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-sysext-Create-mutable-directory-with-the-right-mode.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch index b9cfd819a8..6e9fa16df4 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-sysext-Create-mutable-directory-with-the-right-mode.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch @@ -1,7 +1,7 @@ -From cf36f845e6a806161e008def40a271e9e9746c4f Mon Sep 17 00:00:00 2001 +From 773073faa6582a0bbb6f3c4d3b35a1a81fbffd81 Mon Sep 17 00:00:00 2001 
From: Kai Lueke Date: Wed, 3 Dec 2025 00:02:32 +0900 -Subject: [PATCH 5/7] sysext: Create mutable directory with the right mode +Subject: [PATCH 13/20] sysext: Create mutable directory with the right mode When the mutable directory didn't exist but gets created with --mutable=yes then it used to get mode 700 and later it got patched by @@ -41,5 +41,5 @@ index 72da02cd89..d63cf39fbb 100644 if (atfd < 0) return log_error_errno(errno, "Failed to open directory '%s': %m", path_in_root); -- -2.51.1 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-sysext-Skip-refresh-if-no-changes-are-found.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-sysext-Skip-refresh-if-no-changes-are-found.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch index 066717d5b6..ca3f277310 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-sysext-Skip-refresh-if-no-changes-are-found.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch @@ -1,7 +1,7 @@ -From 34f3aeb2b92388e26cabe51e48dea99845e0930f Mon Sep 17 00:00:00 2001 +From d8ccdfe333a2eda7770371112cf5dea0ae67598c Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 26 Nov 2025 00:04:43 +0900 -Subject: [PATCH 1/3] sysext: Skip refresh if no changes are found +Subject: [PATCH 14/20] sysext: Skip refresh if no changes are found When the extensions for the final system are already set up from the initrd we should avoid disrupting the boot process with the remount 
@@ -292,7 +292,7 @@ index 5f1d90ad79..f244ffa9f1 100644 +#define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */ +#endif diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index d6d41b4ecf..ddb2edaa33 100644 +index 2801793d6d..192ed18687 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -35,6 +35,9 @@ diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-sysext-Get-verity-user-certs-from-given-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-sysext-Get-verity-user-certs-from-given-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch index 8df4af8a14..494a0e8dbe 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-sysext-Get-verity-user-certs-from-given-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch @@ -1,7 +1,7 @@ -From 439fb373b7360ba3759b8978d0354d4fe760c8f2 Mon Sep 17 00:00:00 2001 +From a228e6433b6febd4d252a3cb71bb0c2e63156b93 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 27 Nov 2025 17:49:15 +0900 -Subject: [PATCH 2/3] sysext: Get verity user certs from given --root= +Subject: [PATCH 15/20] sysext: Get verity user certs from given --root= The verity user certs weren't looked up in the given --root= for systemd-sysext which made it fail to set up extensions with a strict @@ -18,16 +18,16 @@ 
Signed-off-by: Kai Lueke src/machine/machined-varlink.c | 2 +- src/mountfsd/mountwork.c | 1 + src/portable/portabled-image-bus.c | 2 +- - src/shared/discover-image.c | 2 +- + src/shared/discover-image.c | 3 +- src/shared/discover-image.h | 2 +- src/shared/dissect-image.c | 22 ++++++----- src/shared/dissect-image.h | 2 +- src/sysext/sysext.c | 4 +- test/units/TEST-50-DISSECT.sysext.sh | 58 ++++++++++++++++++++++++++++ - 11 files changed, 84 insertions(+), 20 deletions(-) + 11 files changed, 85 insertions(+), 20 deletions(-) diff --git a/src/core/namespace.c b/src/core/namespace.c -index 283a1108ce..97cf008194 100644 +index 2e3b2a4177..95f8714ea6 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -2593,6 +2593,7 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) { @@ -79,7 +79,7 @@ index 8bc6565079..2857cd18be 100644 return sd_bus_error_set_errnof(error, r, "Failed to read image metadata: %m"); } diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c -index 52b1fc12d2..1e8f4ce9a8 100644 +index 064ffab137..f3676e625c 100644 --- a/src/machine/machined-varlink.c +++ b/src/machine/machined-varlink.c @@ -621,7 +621,7 @@ static int list_image_one_and_maybe_read_metadata(sd_varlink *link, Image *image @@ -117,7 +117,7 @@ index e8bcb900ef..380a6d5d45 100644 return sd_bus_error_set_errnof(error, r, "Failed to read image metadata: %m"); } diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index 9ce5f028fc..822ea2bd24 100644 +index 192ed18687..925bc6010b 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -1766,7 +1766,7 @@ int image_set_pool_limit(ImageClass class, uint64_t referenced_max) { 
@@ -129,6 +129,14 @@ index 9ce5f028fc..822ea2bd24 100644 _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT; int r; +@@ -1892,6 +1892,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) { + + r = dissected_image_decrypt( + m, ++ root, + /* passphrase= */ NULL, + &verity, + flags); diff --git a/src/shared/discover-image.h b/src/shared/discover-image.h index 7b5593f08d..4d64a306c8 100644 --- a/src/shared/discover-image.h @@ -143,10 +151,10 @@ index 7b5593f08d..4d64a306c8 100644 bool image_in_search_path(RuntimeScope scope, ImageClass class, const char *root, const char *image); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c -index 715afc8882..8ffb63e1d3 100644 +index 64639000b1..cec4225e92 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c -@@ -2611,7 +2611,7 @@ static char* dm_deferred_remove_clean(char *name) { +@@ -2740,7 +2740,7 @@ static char* dm_deferred_remove_clean(char *name) { } DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean); @@ -155,7 +163,7 @@ index 715afc8882..8ffb63e1d3 100644 int r; if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) { -@@ -2656,7 +2656,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma +@@ -2785,7 +2785,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma /* Because installing a signature certificate into the kernel chain is so messy, let's optionally do * userspace validation. */ @@ -164,7 +172,7 @@ index 715afc8882..8ffb63e1d3 100644 if (r < 0) return log_debug_errno(r, "Failed to enumerate certificates: %m"); if (strv_isempty(certs)) { -@@ -2718,6 +2718,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma +@@ -2847,6 +2847,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma static int do_crypt_activate_verity( struct crypt_device *cd, 
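Review bot: The inner hunk added here for `image_read_metadata(Image *i, const ImagePolicy *image_policy)` passes a new `root` argument into `dissected_image_decrypt()`, but nothing in the hunk shows where `root` is declared; the visible signature has no such parameter, so it is presumably a local introduced earlier in the regenerated series (patch 0010 by its title), which makes 0015 order-dependent on that patch in a way the old version of the file was not. The body of `image_read_metadata()` continues outside this hunk. Since this call decides which trust store the user-space verity certificate lookup reads, it would help to have the inner commit message (whose first lines appear in the `@@ -1,7 +1,7 @@` hunk above) state that the image-metadata path is now covered as well, e.g. a sentence such as `Also pass the root to dissected_image_decrypt() in image_read_metadata() so certificates are resolved under the given --root= on that path too`; the updated diffstat (`src/shared/discover-image.c | 3 +-`, `85 insertions`) is consistent with the added line.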
@@ -172,7 +180,7 @@ index 715afc8882..8ffb63e1d3 100644 const char *name, const VeritySettings *verity, DissectImageFlags flags) { -@@ -2765,7 +2766,7 @@ static int do_crypt_activate_verity( +@@ -2894,7 +2895,7 @@ static int do_crypt_activate_verity( /* Preferably propagate the original kernel error, so that the fallback logic can work, * as the device-mapper is finicky around concurrent activations of the same volume */ @@ -181,7 +189,7 @@ index 715afc8882..8ffb63e1d3 100644 if (k < 0) return r < 0 ? r : k; if (k == 0) -@@ -2805,8 +2806,9 @@ static usec_t verity_timeout(void) { +@@ -2934,8 +2935,9 @@ static usec_t verity_timeout(void) { static int verity_partition( PartitionDesignator designator, @@ -193,7 +201,7 @@ index 715afc8882..8ffb63e1d3 100644 const VeritySettings *verity, DissectImageFlags flags, DecryptedImage *d) { -@@ -2886,7 +2888,7 @@ static int verity_partition( +@@ -3015,7 +3017,7 @@ static int verity_partition( goto check; /* The device already exists. Let's check it. */ /* The symlink to the device node does not exist yet. Assume not activated, and let's activate it. */ @@ -202,7 +210,7 @@ index 715afc8882..8ffb63e1d3 100644 if (r >= 0) goto try_open; /* The device is activated. Let's open it. */ /* libdevmapper can return EINVAL when the device is already in the activation stage. -@@ -2980,7 +2982,7 @@ static int verity_partition( +@@ -3109,7 +3111,7 @@ static int verity_partition( */ sym_crypt_free(cd); cd = NULL; @@ -211,7 +219,7 @@ index 715afc8882..8ffb63e1d3 100644 } return log_debug_errno(SYNTHETIC_ERRNO(EBUSY), "All attempts to activate verity device %s failed.", name); -@@ -3000,6 +3002,7 @@ success: +@@ -3129,6 +3131,7 @@ success: int dissected_image_decrypt( DissectedImage *m, 
@@ -219,7 +227,7 @@ index 715afc8882..8ffb63e1d3 100644 const char *passphrase, const VeritySettings *verity, DissectImageFlags flags) { -@@ -3047,7 +3050,7 @@ int dissected_image_decrypt( +@@ -3176,7 +3179,7 @@ int dissected_image_decrypt( if (k >= 0) { flags |= getenv_bool("SYSTEMD_VERITY_SHARING") != 0 ? DISSECT_IMAGE_VERITY_SHARE : 0; @@ -228,7 +236,7 @@ index 715afc8882..8ffb63e1d3 100644 if (r < 0) return r; } -@@ -3080,7 +3083,7 @@ int dissected_image_decrypt_interactively( +@@ -3209,7 +3212,7 @@ int dissected_image_decrypt_interactively( n--; for (;;) { @@ -237,7 +245,7 @@ index 715afc8882..8ffb63e1d3 100644 if (r >= 0) return r; if (r == -EKEYREJECTED) -@@ -4367,6 +4370,7 @@ int verity_dissect_and_mount( +@@ -4455,6 +4458,7 @@ int verity_dissect_and_mount( r = dissected_image_decrypt( dissected_image, NULL, @@ -259,7 +267,7 @@ index 97431bca67..004dc46dc3 100644 int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags); int dissected_image_mount_and_warn(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags); diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c -index c33ce0d0a4..dbd6df63b4 100644 +index bfe71f2267..20acc60724 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -1888,7 +1888,7 @@ static int merge_subprocess( @@ -271,7 +279,7 @@ index c33ce0d0a4..dbd6df63b4 100644 if (r < 0) return r; -@@ -2308,7 +2308,7 @@ static int image_discover_and_read_metadata(ImageClass image_class, Hashmap **re +@@ -2312,7 +2312,7 @@ static int image_discover_and_read_metadata(ImageClass image_class, Hashmap **re return log_error_errno(r, "Failed to discover images: %m"); HASHMAP_FOREACH(img, images) { 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-sysext-introduce-global-config-file.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-sysext-introduce-global-config-file.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch index 9efede3748..784f4fdbc5 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-sysext-introduce-global-config-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch @@ -1,7 +1,7 @@ -From d711880914fe0e32f3fbc946d8b8ee54031727b1 Mon Sep 17 00:00:00 2001 +From aeacbbca05e0479c0768c4b368a2ea68668d20bc Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 05:03:54 -0400 -Subject: [PATCH 1/4] sysext: introduce global config file +Subject: [PATCH 16/20] sysext: introduce global config file Introduce systemd/{sysext/confext}.conf and systemd/{sysext/confext}.conf.d to provide an alternative way of setting the cmdline options in systemd-sysext. @@ -85,5 +85,5 @@ index 20acc60724..332fc55bb3 100644 if (r <= 0) return r; -- -2.51.0 +2.52.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-man-sysext.conf-add-systemd-sysext-config-files.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-man-sysext.conf-add-systemd-sysext-config-files.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch index 94f19211be..e8b406a819 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-man-sysext.conf-add-systemd-sysext-config-files.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch @@ -1,7 +1,7 @@ -From 88943429fbf80cf55fc7307ea34b5942524c2f45 Mon Sep 17 00:00:00 2001 +From d8eabd012273376febada7ad6c9481a360c2e113 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 05:28:21 -0400 -Subject: [PATCH 2/4] man/sysext.conf: add systemd-sysext config files +Subject: [PATCH 17/20] man/sysext.conf: add systemd-sysext config files Add sysext.conf, which similar to other configs like coredump, will be searched in: @@ -152,5 +152,5 @@ index 3f60c85dba..6df2d94e9f 100644 systemd-stub7 importctl1 -- -2.51.0 +2.52.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-sysext-support-ImagePolicy-global-config-option.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-sysext-support-ImagePolicy-global-config-option.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch index 34979f46f1..9fe86a6d78 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-sysext-support-ImagePolicy-global-config-option.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch @@ -1,7 +1,7 @@ -From 363c849b4faed27449a0e3ee41c302709aec0807 Mon Sep 17 00:00:00 2001 +From dccee58738d9602dd62f482ed11152f51b4da896 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 10:16:24 -0400 -Subject: [PATCH 3/4] sysext: support ImagePolicy global config option +Subject: [PATCH 18/20] sysext: support ImagePolicy global config option Just as Mutable=, support ImagePolicy in systemd/{sysext/confext}.conf and dropins in systemd/{sysext.confext}.conf.d/* configs. @@ -46,5 +46,5 @@ index 332fc55bb3..9656e975c4 100644 }; _cleanup_free_ char *config_file = NULL; -- -2.51.0 +2.52.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Fix-config-file-support-with-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Fix-config-file-support-with-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch index 92ea3ec833..2620c76742 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Fix-config-file-support-with-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch @@ -1,7 +1,7 @@ -From 3498a462f517b024b3125e0bb79c8c6c54bb62c9 Mon Sep 17 00:00:00 2001 +From 5d8c8737ea0b44c50e4e60a9c93c7321051f7955 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 11 Dec 2025 19:49:20 +0900 -Subject: [PATCH] sysext: Fix config file support with --root= +Subject: [PATCH 19/20] sysext: Fix config file support with --root= Config files for --root= weren't picked up as expected because the --root= flag got parsed after the config file. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-handle-missing-machine-id.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch similarity index 72% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-handle-missing-machine-id.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch index 431957d827..001d72a057 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-handle-missing-machine-id.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch @@ -1,10 +1,8 @@ -This can be dropped in v285.5+. - -From b1d53ddea750f761234c2d8fb04b10f23f77347e Mon Sep 17 00:00:00 2001 +From 4bf1282faa430669eba4169837657f00f2cba019 Mon Sep 17 00:00:00 2001 From: Justin Kromlinger Date: Wed, 8 Oct 2025 16:55:09 +0200 -Subject: [PATCH] Drop `machine-id` OSC event field if /etc/machine-id doesn't - exist +Subject: [PATCH 20/20] Drop `machine-id` OSC event field if /etc/machine-id + doesn't exist While we can safely assume that `/proc/sys/kernel/random/boot_id` exists, the same can't be said for `/etc/machine-id` in environments @@ -18,9 +16,15 @@ no such file or directory` with the OSC events introduced in dadbb34 [0] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/107 (cherry picked from commit 0fe45b98dd737da86fcbb703809ebf2163c397f3) +--- + profile.d/80-systemd-osc-context.sh | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/profile.d/80-systemd-osc-context.sh b/profile.d/80-systemd-osc-context.sh +index a0ac858828..ead61b6753 100644 --- a/profile.d/80-systemd-osc-context.sh +++ b/profile.d/80-systemd-osc-context.sh -@@ -32,7 +32,10 @@ __systemd_osc_context_escape() { +@@ -28,7 +28,10 @@ __systemd_osc_context_escape() { } __systemd_osc_context_common() { @@ -32,3 +36,6 @@ no such file or directory` with the OSC events introduced in dadbb34 } __systemd_osc_context_precmdline() { +-- +2.52.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md index 643b45fdaf..633e0c57a4 100644 
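Review bot: The removed line `This can be dropped in v285.5+.` was the only drop-condition note inside this patch file; after this commit the condition lives only in README.md, which states 258.5, so the two records never agreed on the version (v285.5 vs 258.5). Presumably the old line was a typo, but it is worth confirming that the cherry-picked upstream commit 0fe45b98dd737da86fcbb703809ebf2163c397f3 is actually contained in a 258.5 release before the README entry is used to retire the patch. The regenerated inner hunk header also moves from `@@ -32,7 +32,10 @@` to `@@ -28,7 +28,10 @@` for `profile.d/80-systemd-osc-context.sh`, which suggests it was regenerated against a different upstream revision than before; confirm it still applies cleanly to the systemd version the ebuild currently builds.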
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md @@ -1,4 +1,4 @@ -Most of these patches are not really upstreamable. +Most of these patches are not really upstreamable: - `0001-wait-online-set-any-by-default.patch` - backward compat stuff @@ -18,3 +18,21 @@ Most of these patches are not really upstreamable. - workaround for issues with default k8s coredns config - `0008-units-Make-multi-user.target-the-default-target.patch` - change default.target to a suitable symlink for Flatcar + +These patches can be dropped after we update to systemd 260: + +- `0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch` +- `0010-discover-image-Follow-symlinks-in-a-given-root.patch` +- `0011-sysext-Use-correct-image-name-for-extension-release-.patch` +- `0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch` +- `0013-sysext-Create-mutable-directory-with-the-right-mode.patch` +- `0014-sysext-Skip-refresh-if-no-changes-are-found.patch` +- `0015-sysext-Get-verity-user-certs-from-given-root.patch` +- `0016-sysext-introduce-global-config-file.patch` +- `0017-man-sysext.conf-add-systemd-sysext-config-files.patch` +- `0018-sysext-support-ImagePolicy-global-config-option.patch` +- `0019-sysext-Fix-config-file-support-with-root.patch` + +This patch can be dropped after updating to systemd 258.5: + +- `0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch`