mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-30 18:12:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-apps/systemd: Apply Flatcar modifications

Browse Source 
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
This commit is contained in:
Sayan Chowdhury 2023-01-18 20:27:18 +05:30 committed by Krzesimir Nowak
parent 3eca5ac51d
commit 86b23cc1be
14 changed files with 603 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md vendored Normal file
View File

@ -0,0 +1,2 @@
- Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service`
- Check if our preset setup in `multilib_src_install_all` is in sync with `systemd/systemd:presets/90-systemd.preset`.

32
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch vendored Normal file
View File

@ -0,0 +1,32 @@
From 02ebe43df912c7090a155484fbd1b422c4f438f4 Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH 1/7] wait-online: set --any by default
The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are
still configuring. There is a new flag --any to change this.
Preserve previous Container Linux behavior for compatibility by
setting the --any flag by default. See patches from v241 (or
earlier) for the original implementation.
---
src/network/wait-online/wait-online.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
index a679b858fa..3b6dad8d1d 100644
--- a/src/network/wait-online/wait-online.c
+++ b/src/network/wait-online/wait-online.c
@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL;
static char **arg_ignore = NULL;
static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
-static bool arg_any = false;
+static bool arg_any = true;
STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
--
2.25.1

24
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch vendored Normal file
View File

@ -0,0 +1,24 @@
From e124d3716ada4fc7c34278435a61d51b07b61024 Mon Sep 17 00:00:00 2001
From: Nick Owens <nick.owens@coreos.com>
Date: Tue, 2 Jun 2015 18:22:32 -0700
Subject: [PATCH 2/7] networkd: default to "kernel" IPForwarding setting
---
src/network/networkd-network.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index a6c5b44238..54f9d12fec 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -465,6 +465,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+ .ip_forward = _ADDRESS_FAMILY_INVALID,
.ipv4_accept_local = -1,
.ipv4_route_localnet = -1,
.ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
--
2.25.1

58
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch vendored Normal file
View File

@ -0,0 +1,58 @@
From a8366f0ddffabef08c010064ea62e64d7276a0f3 Mon Sep 17 00:00:00 2001
From: Alex Crawford <alex.crawford@coreos.com>
Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 3/7] needs-update: don't require strictly newer usr
Updates should be triggered whenever usr changes, not only when it is newer.
---
man/systemd-update-done.service.xml | 2 +-
src/shared/condition.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
index 3393010ff6..5478baca25 100644
--- a/man/systemd-update-done.service.xml
+++ b/man/systemd-update-done.service.xml
@@ -50,7 +50,7 @@
<varname>ConditionNeedsUpdate=</varname> (see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
condition to make sure to run when <filename>/etc/</filename> or
- <filename>/var/</filename> are older than <filename>/usr/</filename>
+ <filename>/var/</filename> aren't the same age as <filename>/usr/</filename>
according to the modification times of the files described above.
This requires that updates to <filename>/usr/</filename> are always
followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c
index a23d6a3e45..8ca1f4606f 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -792,7 +792,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate...
*/
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
+ return true;
/*
* ...then compare nanoseconds.
@@ -803,7 +803,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
+ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
_cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
@@ -823,7 +823,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true;
}
- return timespec_load_nsec(&usr.st_mtim) > timestamp;
+ return timespec_load_nsec(&usr.st_mtim) != timestamp;
}
static int condition_test_first_boot(Condition *c, char **env) {
--
2.25.1

64
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch vendored Normal file
View File

@ -0,0 +1,64 @@
From 7f71d79cc1cac4dc509cecb2f5c00b6dcfd7732b Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Thu, 22 Apr 2021 20:08:33 +0530
Subject: [PATCH 4/7] core: use max for DefaultTasksMax
Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This
limit is low and a change in behavior that people running services
in containers will hit frequently, so revert to previous behavior.
Though later the TasksMax was changed in the a dynamic property to
accommodate stale values.
This change is built on previous patch by David Michael(dm0-).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
---
man/systemd-system.conf.xml | 2 +-
src/core/main.c | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index ac21c31d9a..39323f6a55 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -461,7 +461,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+ of slice units. Defaults to 100% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/main.c b/src/core/main.c
index a3fdd1dfe1..9b79308397 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -100,7 +100,7 @@
#include <sanitizer/lsan_interface.h>
#endif
-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */
static enum {
ACTION_RUN,
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 71a5869ec0..92fe35b2d6 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -56,7 +56,7 @@
#DefaultIPAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=100%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
--
2.25.1

29
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch vendored Normal file
View File

@ -0,0 +1,29 @@
From 0a5e52f5511cd7a5312d06abff12bc432bdedc96 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 5/7] systemd: Disable SELinux permissions checks
We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy
support. This has no impact on our SELinux use-case, which is purely intended
to limit containers and not anything running directly on the host.
---
src/core/selinux-access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 11dbf4640e..c839a4f39e 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@
#include "selinux-access.h"
-#if HAVE_SELINUX
+#if 0
#include <errno.h>
#include <selinux/avc.h>
--
2.25.1

95
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch vendored Normal file
View File

@ -0,0 +1,95 @@
From ede353ea720f07b7b19fa638d5a59a7471237e2d Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 16 Dec 2022 16:28:26 +0530
Subject: [PATCH 6/7] Revert "getty: Pass tty to use by agetty via stdin"
This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
This is to work around a SELinux denial that happens when setting up standard
input for serial consoles (which is used for SSH connections).
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
units/console-getty.service.in | 4 +---
units/container-getty@.service.in | 4 +---
units/getty@.service.in | 4 +---
units/serial-getty@.service.in | 4 +---
4 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index 606b7dbe16..54fd7c292d 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
# followed by '--' for safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
Type=idle
Restart=always
UtmpIdentifier=cons
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/console
TTYReset=yes
TTYVHangup=yes
diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
index 8d7e20d5ec..5f095f48b0 100644
--- a/units/container-getty@.service.in
+++ b/units/container-getty@.service.in
@@ -27,13 +27,11 @@ Before=rescue.service
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
# followed by '--' for safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=pts/%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/pts/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/getty@.service.in b/units/getty@.service.in
index 21d66f9367..78deb7cffe 100644
--- a/units/getty@.service.in
+++ b/units/getty@.service.in
@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
index 2433124c55..bb7af3105d 100644
--- a/units/serial-getty@.service.in
+++ b/units/serial-getty@.service.in
@@ -33,12 +33,10 @@ Before=rescue.service
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
Type=idle
Restart=always
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
--
2.25.1

40
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch vendored Normal file
View File

@ -0,0 +1,40 @@
From ff9f1aa2ab7d707c57008f406186c45cd9858228 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 7 Feb 2023 11:33:44 +0100
Subject: [PATCH 7/7] units: Keep using old journal file format
Systemd 252 made an incompatible change in journal file format. Temporarily
force journald to use the old journal format to give logging containers more
time to adapt to the new format.
---
units/systemd-journald.service.in | 1 +
units/systemd-journald@.service.in | 1 +
2 files changed, 2 insertions(+)
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 38ba3e2856..e7f671e070 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ IgnoreOnIsolate=yes
[Service]
DeviceAllow=char-* rw
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald
FileDescriptorStoreMax=4224
IPAddressDeny=any
diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in
index 35c998285f..9f7c6a2b3f 100644
--- a/units/systemd-journald@.service.in
+++ b/units/systemd-journald@.service.in
@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
DevicePolicy=closed
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i
FileDescriptorStoreMax=4224
Group=systemd-journal
--
2.25.1

2
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset vendored Normal file
View File

@ -0,0 +1,2 @@
# Do not enable any services if /etc is detected as empty.
disable *

27
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf vendored
View File

@ -1,27 +0,0 @@
# Sample nss configuration for systemd
# systemd-specific modules
# See the manual pages fore further information.
# nss-myhostname - host resolution for the local hostname
# nss-mymachines - host, user, group resolution for containers
# nss-resolve - host resolution using resolved
# nss-systemd - dynamic user/group resolution (DynamicUser in unit files)
passwd: files mymachines systemd
shadow: files
group: files mymachines systemd
gshadow: files
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
networks: files
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

19
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf vendored Normal file
View File

@ -0,0 +1,19 @@
# The list of directories is taken from Gentoo ebuild, where they use
# keepdir. The list isn't sorted, but tries to preserve the order of
# keepdir lines from Gentoo ebuild for easier comparisons. We skip the
# directories in /usr, though.
d /etc/binfmt.d - - - - -
d /etc/modules-load.d - - - - -
d /etc/tmpfiles.d - - - - -
d /etc/kernel/install.d - - - - -
d /etc/systemd/network - - - - -
d /etc/systemd/system - - - - -
d /etc/systemd/user - - - - -
d /etc/udev/rules.d - - - - -
d /etc/udev/hwdb.d - - - - -
d /var/lib/systemd - - - - -
d /var/log/journal - - - - -
d /etc/sysctl.d - - - - -
# This seems to be our own addition.
d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - -

2
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf vendored Normal file
View File

@ -0,0 +1,2 @@
d /run/systemd/network - - - - -
L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf

5
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam vendored
View File

@ -1,5 +0,0 @@
account include system-auth
session required pam_loginuid.so
session include system-auth
session optional pam_systemd.so

274
sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.5.ebuild vendored
View File

@ -23,11 +23,14 @@ else
MY_P=${MY_PN}-${MY_PV} MY_P=${MY_PN}-${MY_PV}
S=${WORKDIR}/${MY_P} S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" # Flatcar: Mark as stable.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi fi
inherit bash-completion-r1 linux-info meson-multilib pam inherit bash-completion-r1 linux-info meson-multilib pam
inherit python-any-r1 systemd toolchain-funcs udev usr-ldscript # Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
# Adding tmpfiles, since we use it for installing some files.
inherit python-any-r1 systemd tmpfiles toolchain-funcs udev usr-ldscript
DESCRIPTION="System and service manager for Linux" DESCRIPTION="System and service manager for Linux"
HOMEPAGE="http://systemd.io/" HOMEPAGE="http://systemd.io/"
@ -93,6 +96,11 @@ DEPEND="${COMMON_DEPEND}
" "
# baselayout-2.2 has /run # baselayout-2.2 has /run
#
# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
# flag). The image stage fails with "Failed to resolve
# typeattributeset statement at
# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120"
RDEPEND="${COMMON_DEPEND} RDEPEND="${COMMON_DEPEND}
>=acct-group/adm-0-r1 >=acct-group/adm-0-r1
>=acct-group/wheel-0-r1 >=acct-group/wheel-0-r1
@ -123,7 +131,6 @@ RDEPEND="${COMMON_DEPEND}
>=sys-apps/baselayout-2.2 >=sys-apps/baselayout-2.2
selinux? ( selinux? (
sec-policy/selinux-base-policy[systemd] sec-policy/selinux-base-policy[systemd]
sec-policy/selinux-ntp
) )
sysv-utils? ( sysv-utils? (
!sys-apps/openrc[sysv-utils(-)] !sys-apps/openrc[sysv-utils(-)]
@ -138,8 +145,9 @@ RDEPEND="${COMMON_DEPEND}
" "
# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) # sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
#
# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped.
PDEPEND=">=sys-apps/dbus-1.9.8[systemd] PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
>=sys-fs/udev-init-scripts-34
policykit? ( sys-auth/polkit ) policykit? ( sys-auth/polkit )
!vanilla? ( sys-apps/gentoo-systemd-integration )" !vanilla? ( sys-apps/gentoo-systemd-integration )"
@ -232,6 +240,14 @@ src_unpack() {
src_prepare() { src_prepare() {
local PATCHES=( local PATCHES=(
"${FILESDIR}/252-no-stack-protector-bpf.patch" "${FILESDIR}/252-no-stack-protector-bpf.patch"
# Flatcar: Adding our own patches here.
"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
) )
if ! use vanilla; then if ! use vanilla; then
@ -245,6 +261,21 @@ src_prepare() {
# Fails with split-usr. # Fails with split-usr.
sed -i -e '2i exit 77' test/test-rpm-macros.sh || die sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
# CoreDNS which has dnsPolicy "default", but unless the
# kubelet --resolv-conf flag is set to point to
# /run/systemd/resolve/resolv.conf this won't work with
# /etc/resolv.conf pointing to
# /run/systemd/resolve/stub-resolv.conf which configures
# 127.0.0.53. See
# https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
# This means that users who need split DNS to work should
# point /etc/resolv.conf back to
# /run/systemd/resolve/stub-resolv.conf (and if using K8s
# configure the kubelet resolvConf variable/--resolv-conf flag
# to /run/systemd/resolve/resolv.conf).
sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
default default
} }
@ -257,16 +288,27 @@ src_configure() {
multilib-minimal_src_configure multilib-minimal_src_configure
} }
# Flatcar: Our function, we use it in some places below.
get_rootprefix() {
usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
}
multilib_src_configure() { multilib_src_configure() {
local myconf=( local myconf=(
--localstatedir="${EPREFIX}/var" --localstatedir="${EPREFIX}/var"
-Dsupport-url="https://gentoo.org/support/" # Flatcar: Point to our user mailing list.
-Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user"
-Dpamlibdir="$(getpam_mod_dir)" -Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep # avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)" -Dbashcompletiondir="$(get_bashcompdir)"
$(meson_use split-usr) $(meson_use split-usr)
$(meson_use split-usr split-bin) # Flatcar: Always set split-bin to true, we always
-Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" # have separate bin and sbin directories
-Dsplit-bin=true
# Flatcar: Use get_rootprefix. No functional change
# from upstream, just refactoring the common code used
# in some places.
-Drootprefix="$(get_rootprefix)"
-Drootlibdir="${EPREFIX}/usr/$(get_libdir)" -Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
# Avoid infinite exec recursion, bug 642724 # Avoid infinite exec recursion, bug 642724
-Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit"
@ -310,9 +352,11 @@ multilib_src_configure() {
$(meson_native_use_bool tpm tpm2) $(meson_native_use_bool tpm tpm2)
$(meson_native_use_bool test dbus) $(meson_native_use_bool test dbus)
$(meson_native_use_bool xkb xkbcommon) $(meson_native_use_bool xkb xkbcommon)
-Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" # Flatcar: Use our ntp servers.
-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
# Breaks screen, tmux, etc. # Breaks screen, tmux, etc.
-Ddefault-kill-user-processes=false -Ddefault-kill-user-processes=false
# Flatcar: TODO: Investigate if we want this.
-Dcreate-log-dirs=false -Dcreate-log-dirs=false
# multilib options # multilib options
@ -335,6 +379,39 @@ multilib_src_configure() {
$(meson_native_true timesyncd) $(meson_native_true timesyncd)
$(meson_native_true tmpfiles) $(meson_native_true tmpfiles)
$(meson_native_true vconsole) $(meson_native_true vconsole)
# Flatcar: Specify this, or meson breaks due to no
# /etc/login.defs.
-Dsystem-gid-max=999
-Dsystem-uid-max=999
# Flatcar: DBus paths.
-Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
-Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
# Flatcar: PAM config directory.
-Dpamconfdir=/usr/share/pam.d
# Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC
# 2013. Used by timesyncd as a sanity check for the
# minimum acceptable time. Explicitly set to avoid
# using the current build time.
-Dtime-epoch=1372636800
# Flatcar: No default name servers.
-Ddns-servers=
# Flatcar: Disable the "First Boot Wizard", it isn't
# very applicable to us.
-Dfirstboot=false
# Flatcar: Set latest network interface naming scheme
# for https://github.com/flatcar/Flatcar/issues/36
-Ddefault-net-naming-scheme=latest
# Flatcar: Unported options, still needed?
-Dquotaon-path=/usr/sbin/quotaon
-Dquotacheck-path=/usr/sbin/quotacheck
) )
meson_src_configure "${myconf[@]}" meson_src_configure "${myconf[@]}"
@ -347,13 +424,17 @@ multilib_src_test() {
multilib_src_install_all() { multilib_src_install_all() {
local rootprefix=$(usex split-usr '' /usr) local rootprefix=$(usex split-usr '' /usr)
local sbin=$(usex split-usr sbin bin) # Flatcar: We always have bin separate from sbin
# local sbin=$(usex split-usr sbin bin)
local sbin='sbin'
# meson doesn't know about docdir # meson doesn't know about docdir
mv "${ED}"/usr/share/doc/{systemd,${PF}} || die mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
einstalldocs einstalldocs
dodoc "${FILESDIR}"/nsswitch.conf # Flatcar: Do not install sample nsswitch.conf, we don't
# provide it.
# dodoc "${FILESDIR}"/nsswitch.conf
if ! use resolvconf; then if ! use resolvconf; then
rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die
@ -368,33 +449,39 @@ multilib_src_install_all() {
rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die
fi fi
if ! use resolvconf && ! use sysv-utils && use split-usr; then # Flatcar: We always have bin separate from sbin, so drop the
# "&& use split-usr" part.
if ! use resolvconf && ! use sysv-utils; then
rmdir "${ED}${rootprefix}"/sbin || die rmdir "${ED}${rootprefix}"/sbin || die
fi fi
# https://bugs.gentoo.org/761763 # https://bugs.gentoo.org/761763
rm -r "${ED}"/usr/lib/sysusers.d || die rm -r "${ED}"/usr/lib/sysusers.d || die
# Preserve empty dirs in /etc & /var, bug #437008 # Flatcar: Upstream uses keepdir commands to keep some empty
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} # directories. We use tmpfiles.
keepdir /etc/kernel/install.d # # Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/systemd/{network,system,user} # keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
keepdir /etc/udev/rules.d # keepdir /etc/kernel/install.d
# keepdir /etc/systemd/{network,system,user}
# keepdir /etc/udev/rules.d
#
# keepdir /etc/udev/hwdb.d
#
# keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
# keepdir /usr/lib/{binfmt.d,modules-load.d}
# keepdir /usr/lib/systemd/user-generators
# keepdir /var/lib/systemd
# keepdir /var/log/journal
keepdir /etc/udev/hwdb.d # Flatcar: No migrations happening here.
# # Symlink /etc/sysctl.conf for easy migration.
# dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} # Flatcar: Do not install a pam policy, we have our own.
keepdir /usr/lib/{binfmt.d,modules-load.d} # if use pam; then
keepdir /usr/lib/systemd/user-generators # newpamd "${FILESDIR}"/systemd-user.pam systemd-user
keepdir /var/lib/systemd # fi
keepdir /var/log/journal
# Symlink /etc/sysctl.conf for easy migration.
dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
if use pam; then
newpamd "${FILESDIR}"/systemd-user.pam systemd-user
fi
if use split-usr; then if use split-usr; then
# Avoid breaking boot/reboot # Avoid breaking boot/reboot
@ -402,7 +489,115 @@ multilib_src_install_all() {
dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
fi fi
gen_usr_ldscript -a systemd udev # Flatcar: gen_usr_ldscript is likely for static libs, so we
# dropped it.
# gen_usr_ldscript -a systemd udev
# Flatcar: Ensure journal directory has correct ownership/mode
# in inital image. This is fixed by systemd-tmpfiles *but*
# journald starts before that and will create the journal if
# the filesystem is already read-write. Conveniently the
# systemd Makefile sets this up completely wrong.
#
# Flatcar: TODO: Is this still a problem?
dodir /var/log/journal
fowners root:systemd-journal /var/log/journal
fperms 2755 /var/log/journal
# Flatcar: Don't prune systemd dirs.
dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
# Flatcar: Add tmpfiles rule for resolv.conf. This path has
# changed after v213 so it must be handled here instead of
# baselayout now.
dotmpfiles "${FILESDIR}"/systemd-resolv.conf
# Flatcar: Don't default to graphical.target.
local unitdir=$(builddir_systemd_get_systemunitdir)
dosym multi-user.target "${unitdir}"/default.target
# Flatcar: Don't set any extra environment variables by default.
rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
# Flatcar: These lines more or less follow the systemd's
# preset file (90-systemd.preset). We do it that way, to avoid
# putting symlinks in /etc. Please keep the lines in the same
# order as the "enable" lines appear in the preset file. For a
# single enable line in preset, there may be more lines if the
# unit file had Also: clause which has units we enable here
# too.
# Flatcar: enable remote-fs.target
builddir_systemd_enable_service multi-user.target remote-fs.target
# Flatcar: enable remote-cryptsetup.target
if use cryptsetup; then
builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
fi
# Flatcar: enable machines.target
builddir_systemd_enable_service multi-user.target machines.target
# Flatcar: enable getty@.service
dodir "${unitdir}/getty.target.wants"
dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
# Flatcar: enable systemd-timesyncd.service
builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
builddir_systemd_enable_service multi-user.target systemd-networkd.service
builddir_systemd_enable_service sockets.target systemd-networkd.socket
builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
# Flatcar: enable systemd-network-generator.service
builddir_systemd_enable_service sysinit.target systemd-network-generator.service
# Flatcar: enable systemd-resolved.service
builddir_systemd_enable_service multi-user.target systemd-resolved.service
# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
if use homed; then
builddir_systemd_enable_service multi-user.target systemd-homed.target
fi
# Flatcar: enable systemd-userdbd.socket
builddir_systemd_enable_service sockets.target systemd-userdbd.socket
# Flatcar: enable systemd-pstore.service
builddir_systemd_enable_service sysinit.target systemd-pstore.service
# Flatcar: enable systemd-boot-update.service
if use gnuefi; then
builddir_systemd_enable_service sysinit.target systemd-boot-update.service
fi
# Flatcar: enable reboot.target (not enabled - has no WantedBy
# entry)
# Flatcar: enable systemd-sysext.service by default
builddir_systemd_enable_service sysinit.target systemd-sysext.service
# Flatcar: Use an empty preset file, because systemctl
# preset-all puts symlinks in /etc, not in /usr. We don't use
# /etc, because it is not autoupdated. We do the "preset" above.
rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die
insinto $(usex split-usr '' /usr)/lib/systemd/system-preset
doins "${FILESDIR}"/99-default.preset
# Flatcar: Do not ship distro-specific files (nsswitch.conf
# pam.d). This conflicts with our own configuration provided
# by baselayout.
rm -rf "${ED}"/usr/share/factory
sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
-e '/^C!* \/etc\/nsswitch\.conf/d' \
-e '/^C!* \/etc\/pam\.d/d' \
-e '/^C!* \/etc\/issue/d'
}
# Flatcar: Our own version of systemd_get_systemunitdir, that returns
# a path inside /usr, not /etc.
builddir_systemd_get_systemunitdir() {
echo "$(get_rootprefix)/lib/systemd/system"
}
# Flatcar: Our own version of systemd_enable_service, that does
# operations inside /usr, not /etc.
builddir_systemd_enable_service() {
local target=${1}
local service=${2}
local ud=$(builddir_systemd_get_systemunitdir)
local destname=${service##*/}
dodir "${ud}"/"${target}".wants && \
dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
} }
migrate_locale() { migrate_locale() {
@ -452,7 +647,8 @@ migrate_locale() {
pkg_preinst() { pkg_preinst() {
if ! use split-usr; then if ! use split-usr; then
local dir local dir
for dir in bin sbin lib usr/sbin; do # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
for dir in bin sbin lib; do
if [[ ! -L ${EROOT}/${dir} ]]; then if [[ ! -L ${EROOT}/${dir} ]]; then
eerror "'${EROOT}/${dir}' is not a symbolic link." eerror "'${EROOT}/${dir}' is not a symbolic link."
FAIL=1 FAIL=1
@ -479,13 +675,15 @@ pkg_postinst() {
# between OpenRC & systemd # between OpenRC & systemd
migrate_locale migrate_locale
if [[ -z ${REPLACING_VERSIONS} ]]; then # Flatcar: We enable getty and remote-fs targets in /usr
if type systemctl &>/dev/null; then # ourselves above.
systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 # if [[ -z ${REPLACING_VERSIONS} ]]; then
fi # if type systemctl &>/dev/null; then
elog "To enable a useful set of services, run the following:" # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
elog " systemctl preset-all --preset-mode=enable-only" # fi
fi # elog "To enable a useful set of services, run the following:"
# elog " systemctl preset-all --preset-mode=enable-only"
# fi
if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
rm "${EROOT}/var/lib/systemd/timesync" rm "${EROOT}/var/lib/systemd/timesync"