mirror of
https://github.com/flatcar/scripts.git
synced 2026-05-04 19:56:32 +02:00
overlay coreos/user-patches: Drop systemd patches related to SELinux issues
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
parent 42ea00ec5e
commit 88c7bcb097
@ -1,7 +1,7 @@
From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH 01/20] wait-online: set --any by default
Subject: [PATCH 01/18] wait-online: set --any by default

The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are

@ -1,7 +1,7 @@
From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001
From: Alex Crawford <alex.crawford@coreos.com>
Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 02/20] needs-update: don't require strictly newer usr
Subject: [PATCH 02/18] needs-update: don't require strictly newer usr

Updates should be triggered whenever usr changes, not only when it is newer.
---

@ -1,7 +1,7 @@
From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:22:08 +0000
Subject: [PATCH 03/20] core: use max for DefaultTasksMax
Subject: [PATCH 03/18] core: use max for DefaultTasksMax

Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This

@ -1,29 +0,0 @@
From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks

We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy
support. This has no impact on our SELinux use-case, which is purely intended
to limit containers and not anything running directly on the host.
---
src/core/selinux-access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 8ccc31630d..34e9cebee8 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@

#include "selinux-access.h"

-#if HAVE_SELINUX
+#if 0

#include <selinux/avc.h>
#include <selinux/selinux.h>
--
2.52.0

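Review bot: removing this patch turns the `#if 0` in src/core/selinux-access.c back into `#if HAVE_SELINUX`, so systemd's SELinux access checks for bus requests are compiled in and enforced on the host again, yet the commit message only says the patches are "related to SELinux issues". The deleted patch text explains the checks were disabled because the SELinux use-case "is purely intended to limit containers and not anything running directly on the host", and the README entry removed later in this same commit said the patch "will be dropped when we increase SELinux coverage also to a host system"; the commit message should state that this host coverage now exists (or that the host policy is expected to permit these checks), and the change should be exercised with SELinux enforcing so that `systemctl` operations from confined domains are confirmed to still succeed rather than being denied silently.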
@ -1,7 +1,7 @@
From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001
From 5f21dbd3b2b7a006fcd6a3912e391bf74650d433 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:29:04 +0000
Subject: [PATCH 06/20] units: Keep using old journal file format
Subject: [PATCH 04/18] units: Keep using old journal file format

Systemd 252 made an incompatible change in journal file format. Temporarily
force journald to use the old journal format to give logging containers more
@ -1,103 +0,0 @@
From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 16 Dec 2022 16:28:26 +0530
Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin"

This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.

This is to work around a SELinux denial that happens when setting up standard
input for serial consoles (which is used for SSH connections).

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
units/console-getty.service.in | 6 +++---
units/container-getty@.service.in | 6 +++---
units/getty@.service.in | 6 +++---
units/serial-getty@.service.in | 6 +++---
4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index 967d8337ab..1f2d8b910f 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -20,12 +20,12 @@ Before=getty.target
ConditionPathExists=/dev/console

[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
Type=idle
Restart=always
UtmpIdentifier=cons
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/console
TTYReset=yes
TTYVHangup=yes
diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
index e0b27613df..5f27653d1f 100644
--- a/units/container-getty@.service.in
+++ b/units/container-getty@.service.in
@@ -25,13 +25,13 @@ Conflicts=rescue.service
Before=rescue.service

[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=pts/%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/pts/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/getty@.service.in b/units/getty@.service.in
index 104c4acc96..1819627d1c 100644
--- a/units/getty@.service.in
+++ b/units/getty@.service.in
@@ -34,13 +34,13 @@ Before=rescue.service
ConditionPathExists=/dev/tty0

[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
index 0134c83d48..ba4cbc0edb 100644
--- a/units/serial-getty@.service.in
+++ b/units/serial-getty@.service.in
@@ -30,12 +30,12 @@ Conflicts=rescue.service
Before=rescue.service

[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
Type=idle
Restart=always
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
--
2.52.0

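Review bot: dropping this revert puts all four getty units back on upstream's `- ${TERM}` form with `StandardInput=tty` and `StandardOutput=tty`, which is precisely the stdin setup the reverted patch's message says produced "a SELinux denial that happens when setting up standard input for serial consoles"; the commit message should say what now prevents that denial (a policy change, or the host not enforcing), and serial-getty@ and console-getty should be brought up under enforcing mode before this merges, since a denied getty leaves no login on the serial console. A second, smaller point: the `+` lines the revert carried also added `-o '-- \\u'` to every ExecStart while the upstream `-` lines do not have it, so that agetty option disappears together with the revert; a sentence confirming that this is intended would save the next reader from wondering whether it was dropped by accident.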
@ -1,7 +1,7 @@
From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001
From 1a12c68a331d4343ddc747428c80c4e8ec9a4831 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 22 Oct 2025 10:39:42 +0200
Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s
Subject: [PATCH 05/18] tmpfiles.d: Fix DNS issues with default k8s
configuration

The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy
@ -1,7 +1,7 @@
From b3430348f5ae93251076fb4e3b4aecbfa02513b5 Mon Sep 17 00:00:00 2001
From 31f24142e91c9ef656d23d1b85c6fbabbb71b4b0 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 24 Oct 2025 11:06:57 +0200
Subject: [PATCH 08/20] units: Make multi-user.target the default target
Subject: [PATCH 06/18] units: Make multi-user.target the default target

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
---
@ -1,7 +1,7 @@
From 42b6a55f8d2bdf68ff93764219b3bedffb11f4e0 Mon Sep 17 00:00:00 2001
From c5dd7db23332534f315d30c36e7bc78191f98741 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 09/20] vpick: Don't use openat directly but resolve symlinks
Subject: [PATCH 07/18] vpick: Don't use openat directly but resolve symlinks
in given root

With systemd-sysext --root= all symlinks should be followed relative to
@ -1,7 +1,7 @@
From 530ffcd9e3212e0c93002e752b682dd41a8889b1 Mon Sep 17 00:00:00 2001
From f69c462fc34896c9b365bd6a1bd4589193f3c1c8 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 10/20] discover-image: Follow symlinks in a given root
Subject: [PATCH 08/18] discover-image: Follow symlinks in a given root

So far systemd-sysext with --root= specified didn't follow extension
symlinks (such as the "current" symlinks managed by systemd-sysupdate).
@ -1,7 +1,7 @@
From 6a95919888a99d92636e0aa28c68d0f95f16e48e Mon Sep 17 00:00:00 2001
From 15c0eb34ccdeba791e7ac41b7a7f48dc210326c8 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 11/20] sysext: Use correct image name for extension release
Subject: [PATCH 09/18] sysext: Use correct image name for extension release
checks

For the extension release check the image name is needed and was derived
@ -1,7 +1,7 @@
From 187e60032a26fb58b8944aac5c48a495f9de2644 Mon Sep 17 00:00:00 2001
From c1b9d59876d3a225e01c0ef357cc630e5abbc1c5 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 12/20] test: Add tests for handling symlinks with
Subject: [PATCH 10/18] test: Add tests for handling symlinks with
systemd-sysext

When we now allow following symlinks inside a --root= we should also
@ -1,7 +1,7 @@
From 773073faa6582a0bbb6f3c4d3b35a1a81fbffd81 Mon Sep 17 00:00:00 2001
From 50a97e1ca2b454e1bf930d4e1d7d062adab41702 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Wed, 3 Dec 2025 00:02:32 +0900
Subject: [PATCH 13/20] sysext: Create mutable directory with the right mode
Subject: [PATCH 11/18] sysext: Create mutable directory with the right mode

When the mutable directory didn't exist but gets created with
--mutable=yes then it used to get mode 700 and later it got patched by
@ -1,7 +1,7 @@
From d8ccdfe333a2eda7770371112cf5dea0ae67598c Mon Sep 17 00:00:00 2001
From 55f0a48977fa987c0fc381bd9307fb29373d2611 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Wed, 26 Nov 2025 00:04:43 +0900
Subject: [PATCH 14/20] sysext: Skip refresh if no changes are found
Subject: [PATCH 12/18] sysext: Skip refresh if no changes are found

When the extensions for the final system are already set up from the
initrd we should avoid disrupting the boot process with the remount
@ -1,7 +1,7 @@
From a228e6433b6febd4d252a3cb71bb0c2e63156b93 Mon Sep 17 00:00:00 2001
From c74b5cf79f5c02c08494b3144193b3d9fac8c72f Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 27 Nov 2025 17:49:15 +0900
Subject: [PATCH 15/20] sysext: Get verity user certs from given --root=
Subject: [PATCH 13/18] sysext: Get verity user certs from given --root=

The verity user certs weren't looked up in the given --root= for
systemd-sysext which made it fail to set up extensions with a strict
@ -1,7 +1,7 @@
From aeacbbca05e0479c0768c4b368a2ea68668d20bc Mon Sep 17 00:00:00 2001
From 51f70f9d464b21799b9837829df54ac3d437c829 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:03:54 -0400
Subject: [PATCH 16/20] sysext: introduce global config file
Subject: [PATCH 14/18] sysext: introduce global config file

Introduce systemd/{sysext/confext}.conf and systemd/{sysext/confext}.conf.d to provide an
alternative way of setting the cmdline options in systemd-sysext.
@ -1,7 +1,7 @@
From d8eabd012273376febada7ad6c9481a360c2e113 Mon Sep 17 00:00:00 2001
From 067a1c909f95fa7b3f30f95c3bae7303be74cca3 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:28:21 -0400
Subject: [PATCH 17/20] man/sysext.conf: add systemd-sysext config files
Subject: [PATCH 15/18] man/sysext.conf: add systemd-sysext config files

Add sysext.conf, which similar to other configs like coredump, will be
searched in:
@ -1,7 +1,7 @@
From dccee58738d9602dd62f482ed11152f51b4da896 Mon Sep 17 00:00:00 2001
From 000c763e78f2d35e3fb40329dfcdbd7dcfe3bbd2 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 10:16:24 -0400
Subject: [PATCH 18/20] sysext: support ImagePolicy global config option
Subject: [PATCH 16/18] sysext: support ImagePolicy global config option

Just as Mutable=, support ImagePolicy in systemd/{sysext/confext}.conf and
dropins in systemd/{sysext.confext}.conf.d/* configs.
@ -1,7 +1,7 @@
From 5d8c8737ea0b44c50e4e60a9c93c7321051f7955 Mon Sep 17 00:00:00 2001
From cfc96a7db2cafd9baae52717a7b9702ee7b3e538 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 11 Dec 2025 19:49:20 +0900
Subject: [PATCH 19/20] sysext: Fix config file support with --root=
Subject: [PATCH 17/18] sysext: Fix config file support with --root=

Config files for --root= weren't picked up as expected because the
--root= flag got parsed after the config file.
@ -1,7 +1,7 @@
From 4bf1282faa430669eba4169837657f00f2cba019 Mon Sep 17 00:00:00 2001
From 971d5e977a542ad55d8abd9a641766e6d5357bdf Mon Sep 17 00:00:00 2001
From: Justin Kromlinger <hashworks@archlinux.org>
Date: Wed, 8 Oct 2025 16:55:09 +0200
Subject: [PATCH 20/20] Drop `machine-id` OSC event field if /etc/machine-id
Subject: [PATCH 18/18] Drop `machine-id` OSC event field if /etc/machine-id
doesn't exist

While we can safely assume that `/proc/sys/kernel/random/boot_id`
@ -6,17 +6,11 @@ Most of these patches are not really upstreamable:
- trigger updates only when /usr changes
- `0003-core-use-max-for-DefaultTasksMax.patch`
- increase the too-low limits
- `0004-systemd-Disable-SELinux-permissions-checks.patch`
- disable interactions between systemd and SELinux policies
- this will be dropped when we increase SELinux coverage also to a host system
- `0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch`
- SELinux denial workaround
- this will be dropped when we increase SELinux coverage also to a host system
- `0006-units-Keep-using-old-journal-file-format.patch`
- `0004-units-Keep-using-old-journal-file-format.patch`
- backward compat stuff
- `0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch`
- `0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch`
- workaround for issues with default k8s coredns config
- `0008-units-Make-multi-user.target-the-default-target.patch`
- `0006-units-Make-multi-user.target-the-default-target.patch`
- change default.target to a suitable symlink for Flatcar

These patches can be dropped after we update to systemd 260:

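Review bot: the two README entries removed here were the only place recording why the SELinux workarounds existed and the condition for dropping them ("this will be dropped when we increase SELinux coverage also to a host system"); since that condition is what this commit relies on, the README or the commit message should state that host SELinux coverage is now in place, so that someone who later hits a bus-access or getty denial on the host can tell the workarounds were removed on purpose and not by mistake. The renumbering of the remaining entries (0006 to 0004, 0007 to 0005, 0008 to 0006) matches the `[PATCH NN/18]` Subject changes in the renamed patch files above, so no inconsistency there.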