From 88c7bcb0978669251d4ad336a213d95ab86eac08 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 13 Nov 2025 13:05:03 +0100
Subject: [PATCH] overlay coreos/user-patches: Drop systemd patches related to SELinux issues
Signed-off-by: Krzesimir Nowak
---
 .../0001-wait-online-set-any-by-default.patch | 2 +-
 ...ate-don-t-require-strictly-newer-usr.patch | 2 +-
 ...003-core-use-max-for-DefaultTasksMax.patch | 2 +-
 ...d-Disable-SELinux-permissions-checks.patch | 29 -----
 ...-Keep-using-old-journal-file-format.patch} | 4 +-
 ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 103 ------------------
 ...S-issues-with-default-k8s-configura.patch} | 4 +-
 ...ulti-user.target-the-default-target.patch} | 4 +-
 ...penat-directly-but-resolve-symlinks.patch} | 4 +-
 ...age-Follow-symlinks-in-a-given-root.patch} | 4 +-
 ...t-image-name-for-extension-release-.patch} | 4 +-
 ...r-handling-symlinks-with-systemd-sy.patch} | 4 +-
 ...table-directory-with-the-right-mode.patch} | 4 +-
 ...kip-refresh-if-no-changes-are-found.patch} | 4 +-
 ...t-verity-user-certs-from-given-root.patch} | 4 +-
 ...sysext-introduce-global-config-file.patch} | 4 +-
 ...onf-add-systemd-sysext-config-files.patch} | 4 +-
 ...rt-ImagePolicy-global-config-option.patch} | 4 +-
 ...t-Fix-config-file-support-with-root.patch} | 4 +-
 ...SC-event-field-if-etc-machine-id-do.patch} | 4 +-
 .../user-patches/sys-apps/systemd/README.md | 12 +-
 21 files changed, 36 insertions(+), 174 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0006-units-Keep-using-old-journal-file-format.patch => 0004-units-Keep-using-old-journal-file-format.patch} (92%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch => 0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch} (91%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0008-units-Make-multi-user.target-the-default-target.patch => 0006-units-Make-multi-user.target-the-default-target.patch} (90%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch => 0007-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch} (90%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0010-discover-image-Follow-symlinks-in-a-given-root.patch => 0008-discover-image-Follow-symlinks-in-a-given-root.patch} (99%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0011-sysext-Use-correct-image-name-for-extension-release-.patch => 0009-sysext-Use-correct-image-name-for-extension-release-.patch} (94%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch => 0010-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch} (99%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0013-sysext-Create-mutable-directory-with-the-right-mode.patch => 0011-sysext-Create-mutable-directory-with-the-right-mode.patch} (93%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0014-sysext-Skip-refresh-if-no-changes-are-found.patch => 0012-sysext-Skip-refresh-if-no-changes-are-found.patch} (99%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0015-sysext-Get-verity-user-certs-from-given-root.patch => 0013-sysext-Get-verity-user-certs-from-given-root.patch} (99%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0016-sysext-introduce-global-config-file.patch => 0014-sysext-introduce-global-config-file.patch} (96%)
 rename
sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0017-man-sysext.conf-add-systemd-sysext-config-files.patch => 0015-man-sysext.conf-add-systemd-sysext-config-files.patch} (98%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0018-sysext-support-ImagePolicy-global-config-option.patch => 0016-sysext-support-ImagePolicy-global-config-option.patch} (93%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0019-sysext-Fix-config-file-support-with-root.patch => 0017-sysext-Fix-config-file-support-with-root.patch} (98%) rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/{0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch => 0018-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch} (92%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index 3625fda73f..4a62d35428 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 01/20] wait-online: set --any by default +Subject: [PATCH 01/18] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch index d785014aea..5dd534ce75 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 02/20] needs-update: don't require strictly newer usr +Subject: [PATCH 02/18] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch index 446428fbb6..ddda9aa426 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 -Subject: [PATCH 03/20] core: use max for DefaultTasksMax +Subject: [PATCH 03/18] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch deleted file mode 100644 index 0903e0e3b7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks - -We don't care about the interaction between systemd and SELinux policy, so -let's just disable these checks rather than having to incorporate policy -support. This has no impact on our SELinux use-case, which is purely intended -to limit containers and not anything running directly on the host. ---- - src/core/selinux-access.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index 8ccc31630d..34e9cebee8 100644 ---- a/src/core/selinux-access.c -+++ b/src/core/selinux-access.c -@@ -2,7 +2,7 @@ - - #include "selinux-access.h" - --#if HAVE_SELINUX -+#if 0 - - #include - #include --- -2.52.0 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-units-Keep-using-old-journal-file-format.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-units-Keep-using-old-journal-file-format.patch index 38f780cec1..0493cb1ae5 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-units-Keep-using-old-journal-file-format.patch @@ -1,7 +1,7 @@ -From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001 +From 5f21dbd3b2b7a006fcd6a3912e391bf74650d433 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 -Subject: [PATCH 06/20] units: Keep using old journal file format +Subject: [PATCH 04/18] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch deleted file mode 100644 index 0517aea527..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin" - -This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. - -This is to work around a SELinux denial that happens when setting up standard -input for serial consoles (which is used for SSH connections). - -Signed-off-by: Sayan Chowdhury ---- - units/console-getty.service.in | 6 +++--- - units/container-getty@.service.in | 6 +++--- - units/getty@.service.in | 6 +++--- - units/serial-getty@.service.in | 6 +++--- - 4 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/units/console-getty.service.in b/units/console-getty.service.in -index 967d8337ab..1f2d8b910f 100644 ---- a/units/console-getty.service.in -+++ b/units/console-getty.service.in -@@ -20,12 +20,12 @@ Before=getty.target - ConditionPathExists=/dev/console - - [Service] --ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} -+# The '-o' option value tells agetty to replace 'login' arguments with '--' for -+# safety, and then the entered username. 
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM} - Type=idle - Restart=always - UtmpIdentifier=cons --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/console - TTYReset=yes - TTYVHangup=yes -diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in -index e0b27613df..5f27653d1f 100644 ---- a/units/container-getty@.service.in -+++ b/units/container-getty@.service.in -@@ -25,13 +25,13 @@ Conflicts=rescue.service - Before=rescue.service - - [Service] --ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} -+# The '-o' option value tells agetty to replace 'login' arguments with '--' for -+# safety, and then the entered username. -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM} - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=pts/%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/pts/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/getty@.service.in b/units/getty@.service.in -index 104c4acc96..1819627d1c 100644 ---- a/units/getty@.service.in -+++ b/units/getty@.service.in -@@ -34,13 +34,13 @@ Before=rescue.service - ConditionPathExists=/dev/tty0 - - [Service] --ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} -+# The '-o' option value tells agetty to replace 'login' arguments with '--' for -+# safety, and then the entered username. 
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM} - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in -index 0134c83d48..ba4cbc0edb 100644 ---- a/units/serial-getty@.service.in -+++ b/units/serial-getty@.service.in -@@ -30,12 +30,12 @@ Conflicts=rescue.service - Before=rescue.service - - [Service] --ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} -+# The '-o' option value tells agetty to replace 'login' arguments with '--' for -+# safety, and then the entered username. -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM} - Type=idle - Restart=always - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes --- -2.52.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch index 9925f0dfc6..864dafbe60 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch
@@ -1,7 +1,7 @@
-From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001
+From 1a12c68a331d4343ddc747428c80c4e8ec9a4831 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak
 Date: Wed, 22 Oct 2025 10:39:42 +0200
-Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s
+Subject: [PATCH 05/18] tmpfiles.d: Fix DNS issues with default k8s
  configuration
 
 The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Make-multi-user.target-the-default-target.patch
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Make-multi-user.target-the-default-target.patch
index 418a015c0c..fa3fc07c05 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Make-multi-user.target-the-default-target.patch
@@ -1,7 +1,7 @@
-From b3430348f5ae93251076fb4e3b4aecbfa02513b5 Mon Sep 17 00:00:00 2001
+From 31f24142e91c9ef656d23d1b85c6fbabbb71b4b0 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak
 Date: Fri, 24 Oct 2025 11:06:57 +0200
-Subject: [PATCH 08/20] units: Make multi-user.target the default target
+Subject: [PATCH 06/18] units: Make multi-user.target the default target
 
 Signed-off-by: Krzesimir Nowak
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch
index cd41955840..0119cb614f 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch
@@ -1,7 +1,7 @@
-From 42b6a55f8d2bdf68ff93764219b3bedffb11f4e0 Mon Sep 17 00:00:00 2001
+From c5dd7db23332534f315d30c36e7bc78191f98741 Mon Sep 17 00:00:00 2001
 From: Kai Lueke
 Date: Thu, 20 Nov 2025 23:43:55 +0900
-Subject: [PATCH 09/20] vpick: Don't use openat directly but resolve symlinks
+Subject: [PATCH 07/18] vpick: Don't use openat directly but resolve symlinks
  in given root
 
 With systemd-sysext --root= all symlinks should be followed relative to
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-discover-image-Follow-symlinks-in-a-given-root.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-discover-image-Follow-symlinks-in-a-given-root.patch index 3aa92e1e6c..0abcb0e48d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-discover-image-Follow-symlinks-in-a-given-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-discover-image-Follow-symlinks-in-a-given-root.patch @@ -1,7 +1,7 @@ -From 530ffcd9e3212e0c93002e752b682dd41a8889b1 Mon Sep 17 00:00:00 2001 +From f69c462fc34896c9b365bd6a1bd4589193f3c1c8 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 -Subject: [PATCH 10/20] discover-image: Follow symlinks in a given root +Subject: [PATCH 08/18] discover-image: Follow symlinks in a given root So far systemd-sysext with --root= specified didn't follow extension symlinks (such as the "current" symlinks managed by systemd-sysupdate). 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-sysext-Use-correct-image-name-for-extension-release-.patch
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-sysext-Use-correct-image-name-for-extension-release-.patch
index 01379577a9..d6e3c81273 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Use-correct-image-name-for-extension-release-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-sysext-Use-correct-image-name-for-extension-release-.patch
@@ -1,7 +1,7 @@
-From 6a95919888a99d92636e0aa28c68d0f95f16e48e Mon Sep 17 00:00:00 2001
+From 15c0eb34ccdeba791e7ac41b7a7f48dc210326c8 Mon Sep 17 00:00:00 2001
 From: Kai Lueke
 Date: Thu, 20 Nov 2025 23:43:55 +0900
-Subject: [PATCH 11/20] sysext: Use correct image name for extension release
+Subject: [PATCH 09/18] sysext: Use correct image name for extension release
  checks
 
 For the extension release check the image name is needed and was derived
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch
index b6d24f7193..fdc910b0ee 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0010-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch
@@ -1,7 +1,7 @@
-From 187e60032a26fb58b8944aac5c48a495f9de2644 Mon Sep 17 00:00:00 2001
+From c1b9d59876d3a225e01c0ef357cc630e5abbc1c5 Mon Sep 17 00:00:00 2001
 From: Kai Lueke
 Date: Thu, 20 Nov 2025 23:43:55 +0900
-Subject: [PATCH 12/20] test: Add tests for handling symlinks with
+Subject: [PATCH 10/18] test: Add tests for handling symlinks with
  systemd-sysext
 
 When we now allow following symlinks inside a --root= we should also
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Create-mutable-directory-with-the-right-mode.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Create-mutable-directory-with-the-right-mode.patch index 6e9fa16df4..c83e53f72e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Create-mutable-directory-with-the-right-mode.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0011-sysext-Create-mutable-directory-with-the-right-mode.patch @@ -1,7 +1,7 @@ -From 773073faa6582a0bbb6f3c4d3b35a1a81fbffd81 Mon Sep 17 00:00:00 2001 +From 50a97e1ca2b454e1bf930d4e1d7d062adab41702 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 3 Dec 2025 00:02:32 +0900 -Subject: [PATCH 13/20] sysext: Create mutable directory with the right mode +Subject: [PATCH 11/18] sysext: Create mutable directory with the right mode When the mutable directory didn't exist but gets created with --mutable=yes then it used to get mode 700 and later it got patched by 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-sysext-Skip-refresh-if-no-changes-are-found.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-sysext-Skip-refresh-if-no-changes-are-found.patch index ca3f277310..0f2a99928b 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-Skip-refresh-if-no-changes-are-found.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0012-sysext-Skip-refresh-if-no-changes-are-found.patch @@ -1,7 +1,7 @@ -From d8ccdfe333a2eda7770371112cf5dea0ae67598c Mon Sep 17 00:00:00 2001 +From 55f0a48977fa987c0fc381bd9307fb29373d2611 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 26 Nov 2025 00:04:43 +0900 -Subject: [PATCH 14/20] sysext: Skip refresh if no changes are found +Subject: [PATCH 12/18] sysext: Skip refresh if no changes are found When the extensions for the final system are already set up from the initrd we should avoid disrupting the boot process with the remount 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Get-verity-user-certs-from-given-root.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Get-verity-user-certs-from-given-root.patch index 494a0e8dbe..5ea88e91b5 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-sysext-Get-verity-user-certs-from-given-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0013-sysext-Get-verity-user-certs-from-given-root.patch @@ -1,7 +1,7 @@ -From a228e6433b6febd4d252a3cb71bb0c2e63156b93 Mon Sep 17 00:00:00 2001 +From c74b5cf79f5c02c08494b3144193b3d9fac8c72f Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 27 Nov 2025 17:49:15 +0900 -Subject: [PATCH 15/20] sysext: Get verity user certs from given --root= +Subject: [PATCH 13/18] sysext: Get verity user certs from given --root= The verity user certs weren't looked up in the given --root= for systemd-sysext which made it fail to set up extensions with a strict 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-introduce-global-config-file.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-introduce-global-config-file.patch index 784f4fdbc5..213cb65c2d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-introduce-global-config-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0014-sysext-introduce-global-config-file.patch @@ -1,7 +1,7 @@ -From aeacbbca05e0479c0768c4b368a2ea68668d20bc Mon Sep 17 00:00:00 2001 +From 51f70f9d464b21799b9837829df54ac3d437c829 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 05:03:54 -0400 -Subject: [PATCH 16/20] sysext: introduce global config file +Subject: [PATCH 14/18] sysext: introduce global config file Introduce systemd/{sysext/confext}.conf and systemd/{sysext/confext}.conf.d to provide an alternative way of setting the cmdline options in systemd-sysext. 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-man-sysext.conf-add-systemd-sysext-config-files.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-man-sysext.conf-add-systemd-sysext-config-files.patch index e8b406a819..553d361b99 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-man-sysext.conf-add-systemd-sysext-config-files.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0015-man-sysext.conf-add-systemd-sysext-config-files.patch @@ -1,7 +1,7 @@ -From d8eabd012273376febada7ad6c9481a360c2e113 Mon Sep 17 00:00:00 2001 +From 067a1c909f95fa7b3f30f95c3bae7303be74cca3 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 05:28:21 -0400 -Subject: [PATCH 17/20] man/sysext.conf: add systemd-sysext config files +Subject: [PATCH 15/18] man/sysext.conf: add systemd-sysext config files Add sysext.conf, which similar to other configs like coredump, will be searched in: 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-support-ImagePolicy-global-config-option.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-support-ImagePolicy-global-config-option.patch index 9fe86a6d78..2bba88053d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-sysext-support-ImagePolicy-global-config-option.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0016-sysext-support-ImagePolicy-global-config-option.patch @@ -1,7 +1,7 @@ -From dccee58738d9602dd62f482ed11152f51b4da896 Mon Sep 17 00:00:00 2001 +From 000c763e78f2d35e3fb40329dfcdbd7dcfe3bbd2 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 17 Jul 2025 10:16:24 -0400 -Subject: [PATCH 18/20] sysext: support ImagePolicy global config option +Subject: [PATCH 16/18] sysext: support ImagePolicy global config option Just as Mutable=, support ImagePolicy in systemd/{sysext/confext}.conf and dropins in systemd/{sysext.confext}.conf.d/* configs. 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-sysext-Fix-config-file-support-with-root.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-sysext-Fix-config-file-support-with-root.patch index 2620c76742..6a81ad551f 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0019-sysext-Fix-config-file-support-with-root.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0017-sysext-Fix-config-file-support-with-root.patch @@ -1,7 +1,7 @@ -From 5d8c8737ea0b44c50e4e60a9c93c7321051f7955 Mon Sep 17 00:00:00 2001 +From cfc96a7db2cafd9baae52717a7b9702ee7b3e538 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 11 Dec 2025 19:49:20 +0900 -Subject: [PATCH 19/20] sysext: Fix config file support with --root= +Subject: [PATCH 17/18] sysext: Fix config file support with --root= Config files for --root= weren't picked up as expected because the --root= flag got parsed after the config file. 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch
index 001d72a057..1209cc7627 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0018-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch
@@ -1,7 +1,7 @@
-From 4bf1282faa430669eba4169837657f00f2cba019 Mon Sep 17 00:00:00 2001
+From 971d5e977a542ad55d8abd9a641766e6d5357bdf Mon Sep 17 00:00:00 2001
 From: Justin Kromlinger
 Date: Wed, 8 Oct 2025 16:55:09 +0200
-Subject: [PATCH 20/20] Drop `machine-id` OSC event field if /etc/machine-id
+Subject: [PATCH 18/18] Drop `machine-id` OSC event field if /etc/machine-id
  doesn't exist
 
 While we can safely assume that `/proc/sys/kernel/random/boot_id`
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md
index 633e0c57a4..5b61ff8c16 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md
@@ -6,17 +6,11 @@ Most of these patches are not really upstreamable:
   - trigger updates only when /usr changes
 - `0003-core-use-max-for-DefaultTasksMax.patch`
   - increase the too-low limits
-- `0004-systemd-Disable-SELinux-permissions-checks.patch`
-  - disable interactions between systemd and SELinux policies
-  - this will be dropped when we increase SELinux coverage also to a host system
-- `0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch`
-  - SELinux denial workaround
-  - this will be dropped when we increase SELinux coverage also to a host system
-- `0006-units-Keep-using-old-journal-file-format.patch`
+- `0004-units-Keep-using-old-journal-file-format.patch`
   - backward compat stuff
-- `0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch`
+- `0005-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch`
   - workaround for issues with default k8s coredns config
-- `0008-units-Make-multi-user.target-the-default-target.patch`
+- `0006-units-Make-multi-user.target-the-default-target.patch`
   - change default.target to a suitable symlink for Flatcar
 
 These patches can be dropped after we update to systemd 260:
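Review bot: The two removed README entries carried the only recorded reason for the SELinux workarounds ("this will be dropped when we increase SELinux coverage also to a host system"), and neither this hunk nor the commit message says what changed on the policy side to make dropping them safe now. Deleting 0004-systemd-Disable-SELinux-permissions-checks.patch restores systemd's `#if HAVE_SELINUX` in src/core/selinux-access.c, so on a host with an enforcing policy the access checks that file implements are presumably back in effect, and deleting 0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch restores the `StandardInput=tty` getty setup whose denial that revert worked around. I would keep a one-line record in this README, e.g. `- the SELinux workarounds (former 0004/0005) were dropped once the host policy covered systemd and agetty; look for AVC denials around systemd's D-Bus method calls and serial-getty before re-adding them`, and name the policy change in the commit message. The list this hunk edits starts before README.md line 6, so the heading it belongs under is outside the hunk.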