Merge pull request #1679 from flatcar/ader1990/upgrade-to-systemd-255-v2

sys-apps/systemd: upgrade from version 252 to version 255
Adrian Vladu 2024-03-14 16:23:30 +02:00 committed by GitHub
commit 8b63d99bf7
24 changed files with 643 additions and 225 deletions


@ -0,0 +1 @@
- systemd ([255.3](https://github.com/systemd/systemd-stable/releases/tag/v255.3) (from 252.11))


@ -1,5 +1,4 @@
-*sys-apps/busybox
-*sys-apps/kbd
*app-arch/lbzip2
*sys-libs/nss-usrfiles


@ -1,2 +0,0 @@
- Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service`
- Check if our preset setup in `multilib_src_install_all` is in sync with `systemd/systemd:presets/90-systemd.preset`.


@ -1 +1,6 @@
DIST systemd-stable-252.11.tar.gz 11845530 BLAKE2B 5c4492040640d09248d4ec775e8bfca5dbe81d42f4fbda6ecb120271624c19d84eeacd0e93dd018fbab714a29954d50898a93238179948927e466b345446bc9a SHA512 f64c452b028eb8c6342a7e3b943fc22adb04bcfe00790dd91827604bf8746b5cf87fbffd666f408b1a89ed999dec2629533b92d02bec560406ea03313fc41206
DIST systemd-stable-254.5.tar.gz 14334696 BLAKE2B 2f63d79ae93add69ac0b56dda9f67019340f84692de4da200557b9f5f1f16bebbad42a9a7e2d6ef7420aa37746d2ede0481fd8e39f03a31576c7e4e48e259ce3 SHA512 cac713670216add9e5473e2c86f04da441015e7cc0ac1500b9e1489a435f9b80c4c6ee24e9b22e4c4213a495bc1a0a908925df2045e344a2170d5aea6aafa16c
DIST systemd-stable-254.7.tar.gz 14411955 BLAKE2B 1213237a001fb0aef8912637f31d7d77888bc2505e1e8d8d295642a547bdebbc3a786eed095694e6a6fe2665d6e8e45e98cd883186eedeb1b4fd73daf2520dcf SHA512 2e859813f1f52fa693631ce43466875ac2ac42e09872011ee52fe4e44727663c3de9f128a47776899423188c1e99ce73a69059426a9356c930e275037d001685
DIST systemd-stable-254.8.tar.gz 14418468 BLAKE2B e5a151ece86e57c7224fc95bda1b4ede1277fce4a2ba28d3605ab0431a2aafe1088f90c49a20e3b53a5b56aeef7c0f1f5da0601db740150f5efdf6eae7bbde80 SHA512 a3f35d9fcafcccd8d9c33ab1047241f226146017be95562a67c7dcc9eeb4b77bded92ad80e92f4767f2bf2009df0172a621d4c54a805e07ed5a5ed03940ec28e
DIST systemd-stable-254.9.tar.gz 14423806 BLAKE2B ab39c0a00b8451b24b40e39f4bf7ecb912ff23d9cd6f8d30fd0545e895936baa635b1ff63c02a83761682b72f44244aac8338bf6506885c9b07cd0c5247b6693 SHA512 a0300693a044cfe4c76deb0e3e48a927125eb97c3952c07ba68936f1e093c93506d8044b249b534b8e778ade6143b43194f8d6b721a8cd520bc7bb4cb3d3e5c1
DIST systemd-stable-255.2.tar.gz 14864388 BLAKE2B 101da82a5d63eaa48c2dc4bad5ab713b4e8b544134de8216f315a97736eb699eaf756aef2d9a4e2126f0d248b3a7e28bc986ccc2154d5d110db733d114072eec SHA512 0a9a43adc6d23f52349d298cdff3f3ae6accd7e43a33253608f7a9d241699c7cba3c9f6a0fa6da3ae3cba0e246e272076bfa2cdf5bade7bc019406f407be0bb9
DIST systemd-stable-255.3.tar.gz 14873273 BLAKE2B e22ef391c691fcf1e765c5112e1a55096d3bba61a9dae3ea1a3958add4e355892a97d5214e63c516ba3b70e2a83bb5d21254812d870f06c16c74a58d4f957d75 SHA512 c2868a53df2176649b0d0c94e5d451c46ba783bcdbc89ce12434ed2d11dba44b4854ffe4c2430f3f64eef2e214cbb51d5f740170afbd9edd66761a8851157453


@ -1,7 +1,7 @@
From 7f71d79cc1cac4dc509cecb2f5c00b6dcfd7732b Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Thu, 22 Apr 2021 20:08:33 +0530
Subject: [PATCH 4/7] core: use max for DefaultTasksMax
From 4cdbcf5df9a2fd165385465bd5be9b8cdb78f83a Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:22:08 +0000
Subject: [PATCH] [PATCH 4/7] core: use max for DefaultTasksMax
Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This
@ -13,18 +13,18 @@ accommodate stale values.
This change is built on previous patch by David Michael(dm0-).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
---
man/systemd-system.conf.xml | 2 +-
src/core/main.c | 2 +-
src/core/manager.c | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index ac21c31d9a..39323f6a55 100644
index 31b6421399..52819ae8b7 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -461,7 +461,7 @@
@@ -515,7 +515,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
@ -32,25 +32,25 @@ index ac21c31d9a..39323f6a55 100644
+ of slice units. Defaults to 100% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/main.c b/src/core/main.c
index a3fdd1dfe1..9b79308397 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -100,7 +100,7 @@
#include <sanitizer/lsan_interface.h>
#endif
For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/manager.c b/src/core/manager.c
index e8c747d96d..df9269aab8 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -114,7 +114,7 @@
/* How many units and jobs to process of the bus queue before returning to the event loop. */
#define MANAGER_BUS_MESSAGE_BUDGET 100U
-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */
-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */
static enum {
ACTION_RUN,
static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 71a5869ec0..92fe35b2d6 100644
index 9b89a6aa77..5a7e92ab5a 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -56,7 +56,7 @@
@@ -59,7 +59,7 @@
#DefaultIPAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
@ -60,5 +60,5 @@ index 71a5869ec0..92fe35b2d6 100644
#DefaultLimitFSIZE=
#DefaultLimitDATA=
--
2.25.1
2.34.1
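Review bot: The rebased manager.c hunk raises DefaultTasksMax to 100% but keeps the trailing comment `/* 15% */`, which the previous revision of this patch had correctly as `/* 100% */`; the added line should read `+#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 100% */`. The man page context kept on the new side still says `DefaultTasksMax=` defaults to 4915 for the default `kernel.pid_max=`, which is the 15% figure and no longer agrees with the "Defaults to 100%" wording two lines above it. The patch header lists four files but its summary line says `3 files changed, 3 insertions(+), 3 deletions(-)`, and the subject carries a doubled `[PATCH] [PATCH 4/7]` prefix (the journal-format patch in the next section has the same); both look harmless to git am but regenerating the files with format-patch would tidy them.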


@ -1,40 +1,42 @@
From ff9f1aa2ab7d707c57008f406186c45cd9858228 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Tue, 7 Feb 2023 11:33:44 +0100
Subject: [PATCH 7/7] units: Keep using old journal file format
From 44374d98fb65ff5fdbc2a7d07a076b50b8f2b003 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:29:04 +0000
Subject: [PATCH] [PATCH 7/7] units: Keep using old journal file format
Systemd 252 made an incompatible change in journal file format. Temporarily
force journald to use the old journal format to give logging containers more
time to adapt to the new format.
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
---
units/systemd-journald.service.in | 1 +
units/systemd-journald@.service.in | 1 +
2 files changed, 2 insertions(+)
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 38ba3e2856..e7f671e070 100644
index 37eeabc510..e5030a81bd 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ IgnoreOnIsolate=yes
@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes
[Service]
DeviceAllow=char-* rw
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald
ExecStart={{LIBEXECDIR}}/systemd-journald
FileDescriptorStoreMax=4224
IPAddressDeny=any
diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in
index 35c998285f..9f7c6a2b3f 100644
index c3bcb08533..8780783cf6 100644
--- a/units/systemd-journald@.service.in
+++ b/units/systemd-journald@.service.in
@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
DevicePolicy=closed
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i
ExecStart={{LIBEXECDIR}}/systemd-journald %i
FileDescriptorStoreMax=4224
Group=systemd-journal
--
2.25.1
2.34.1


@ -1,26 +0,0 @@
https://github.com/systemd/systemd/pull/26050
From d6a0784a350fb27698ed04f7ada17137324b31bb Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Fri, 13 Jan 2023 05:17:56 +0000
Subject: [PATCH] bpf: disable -fstack-protector in meson
In Gentoo, we recently started making Clang behave the same way as
our GCC, with -fstack-protector and some friends enabled by default.
SSP doesn't make sense for BPF, so disable it explicitly.
See also e.g. https://www.spinics.net/lists/netdev/msg556400.html.
Bug: https://bugs.gentoo.org/890004
--- a/src/core/bpf/meson.build
+++ b/src/core/bpf/meson.build
@@ -7,6 +7,7 @@ endif
bpf_clang_flags = [
'-std=gnu11',
'-Wno-compare-distinct-pointer-types',
+ '-fno-stack-protector',
'-O2',
'-target',
'bpf',


@ -0,0 +1,242 @@
https://bugs.gentoo.org/920331
https://github.com/systemd/systemd/issues/30535
From 4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 27 Sep 2023 11:55:59 +0200
Subject: [PATCH 1/2] core: Make private /dev read-only after populating it
---
src/core/namespace.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index e2304f5d066da..d1153f7690140 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -995,6 +995,11 @@ static int mount_private_dev(MountEntry *m) {
if (r < 0)
log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
+ /* Make the bind mount read-only. */
+ r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
+ if (r < 0)
+ return r;
+
/* Create the /dev directory if missing. It is more likely to be missing when the service is started
* with RootDirectory. This is consistent with mount units creating the mount points when missing. */
(void) mkdir_p_label(mount_entry_path(m), 0755);
From cd7f3702eb47c82a50bf74c2b7c15c2e4e1f5c79 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 27 Sep 2023 10:52:50 +0200
Subject: [PATCH 2/2] core: Use a subdirectory of /run/ for PrivateDevices=
When we're starting early boot services such as systemd-userdbd.service,
/tmp might not yet be mounted, so let's use a directory in /run instead
which is guaranteed to be available.
---
src/core/execute.c | 1 +
src/core/namespace.c | 61 +++++++++++++++++++++++++++++----------
src/core/namespace.h | 2 ++
src/test/test-namespace.c | 1 +
src/test/test-ns.c | 1 +
5 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index a52df64d01081..89c3868d55f6c 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3307,6 +3307,7 @@ static int apply_mount_namespace(
extension_dir,
root_dir || root_image ? params->notify_socket : NULL,
host_os_release_stage,
+ params->runtime_scope,
error_path);
/* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
diff --git a/src/core/namespace.c b/src/core/namespace.c
index d1153f7690140..a0471ac8884bf 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -909,7 +909,19 @@ static int clone_device_node(
return 0;
}
-static int mount_private_dev(MountEntry *m) {
+static char *settle_runtime_dir(RuntimeScope scope) {
+ char *runtime_dir;
+
+ if (scope != RUNTIME_SCOPE_USER)
+ return strdup("/run/");
+
+ if (asprintf(&runtime_dir, "/run/user/" UID_FMT, geteuid()) < 0)
+ return NULL;
+
+ return runtime_dir;
+}
+
+static int mount_private_dev(MountEntry *m, RuntimeScope scope) {
static const char devnodes[] =
"/dev/null\0"
"/dev/zero\0"
@@ -918,13 +930,21 @@ static int mount_private_dev(MountEntry *m) {
"/dev/urandom\0"
"/dev/tty\0";
- char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
+ _cleanup_free_ char *runtime_dir = NULL, *temporary_mount = NULL;
const char *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
bool can_mknod = true;
int r;
assert(m);
+ runtime_dir = settle_runtime_dir(scope);
+ if (!runtime_dir)
+ return log_oom_debug();
+
+ temporary_mount = path_join(runtime_dir, "systemd/namespace-dev-XXXXXX");
+ if (!temporary_mount)
+ return log_oom_debug();
+
if (!mkdtemp(temporary_mount))
return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount);
@@ -1364,7 +1384,8 @@ static int apply_one_mount(
MountEntry *m,
const ImagePolicy *mount_image_policy,
const ImagePolicy *extension_image_policy,
- const NamespaceInfo *ns_info) {
+ const NamespaceInfo *ns_info,
+ RuntimeScope scope) {
_cleanup_free_ char *inaccessible = NULL;
bool rbind = true, make = false;
@@ -1379,8 +1400,7 @@ static int apply_one_mount(
switch (m->mode) {
case INACCESSIBLE: {
- _cleanup_free_ char *tmp = NULL;
- const char *runtime_dir;
+ _cleanup_free_ char *runtime_dir = NULL;
struct stat target;
/* First, get rid of everything that is below if there
@@ -1396,14 +1416,14 @@ static int apply_one_mount(
mount_entry_path(m));
}
- if (geteuid() == 0)
- runtime_dir = "/run";
- else {
- if (asprintf(&tmp, "/run/user/" UID_FMT, geteuid()) < 0)
- return -ENOMEM;
-
- runtime_dir = tmp;
- }
+ /* We don't pass the literal runtime scope through here but one based purely on our UID. This
+ * means that the root user's --user services will use the host's inaccessible inodes rather
+ * then root's private ones. This is preferable since it means device nodes that are
+ * overmounted to make them inaccessible will be overmounted with a device node, rather than
+ * an AF_UNIX socket inode. */
+ runtime_dir = settle_runtime_dir(geteuid() == 0 ? RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER);
+ if (!runtime_dir)
+ return log_oom_debug();
r = mode_to_inaccessible_node(runtime_dir, target.st_mode, &inaccessible);
if (r < 0)
@@ -1523,7 +1543,7 @@ static int apply_one_mount(
break;
case PRIVATE_DEV:
- return mount_private_dev(m);
+ return mount_private_dev(m, scope);
case BIND_DEV:
return mount_bind_dev(m);
@@ -1824,6 +1844,7 @@ static int apply_mounts(
const NamespaceInfo *ns_info,
MountEntry *mounts,
size_t *n_mounts,
+ RuntimeScope scope,
char **symlinks,
char **error_path) {
@@ -1875,7 +1896,7 @@ static int apply_mounts(
break;
}
- r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info);
+ r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info, scope);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
@@ -2030,6 +2051,7 @@ int setup_namespace(
const char *extension_dir,
const char *notify_socket,
const char *host_os_release_stage,
+ RuntimeScope scope,
char **error_path) {
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
@@ -2490,7 +2512,14 @@ int setup_namespace(
(void) base_filesystem_create(root, UID_INVALID, GID_INVALID);
/* Now make the magic happen */
- r = apply_mounts(root, mount_image_policy, extension_image_policy, ns_info, mounts, &n_mounts, symlinks, error_path);
+ r = apply_mounts(root,
+ mount_image_policy,
+ extension_image_policy,
+ ns_info,
+ mounts, &n_mounts,
+ scope,
+ symlinks,
+ error_path);
if (r < 0)
goto finish;
diff --git a/src/core/namespace.h b/src/core/namespace.h
index b6132154c5132..581403d89826d 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -16,6 +16,7 @@ typedef struct MountImage MountImage;
#include "fs-util.h"
#include "macro.h"
#include "namespace-util.h"
+#include "runtime-scope.h"
#include "string-util.h"
typedef enum ProtectHome {
@@ -134,6 +135,7 @@ int setup_namespace(
const char *extension_dir,
const char *notify_socket,
const char *host_os_release_stage,
+ RuntimeScope scope,
char **error_path);
#define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index 25aafc35ca837..42ac65d08c87a 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -206,6 +206,7 @@ TEST(protect_kernel_logs) {
NULL,
NULL,
NULL,
+ RUNTIME_SCOPE_SYSTEM,
NULL);
assert_se(r == 0);
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 77afd2f6b9eb8..eb3afed9e1c66 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -108,6 +108,7 @@ int main(int argc, char *argv[]) {
NULL,
NULL,
NULL,
+ RUNTIME_SCOPE_SYSTEM,
NULL);
if (r < 0) {
log_error_errno(r, "Failed to set up namespace: %m");
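Review bot: The first backported commit remounts the populated private /dev read-only (`MS_REMOUNT|MS_BIND|MS_RDONLY`) and the second moves the scratch mount point from /tmp to `/run/systemd/namespace-dev-XXXXXX` (or the `/run/user/UID` variant for user scope); both are visible behaviour changes for units with PrivateDevices=, so the changelog entry, which only names the version bump, should mention them. The header cites the Gentoo bug and the upstream issue but not the fact that these are upstream commits taken ahead of a release; a line such as `# backport of upstream 4a9e03aa6bb2 and cd7f3702eb47, drop once the packaged release contains them` would make the eventual cleanup obvious. The hunks in mount_private_dev and apply_one_mount begin and end outside the visible context, so what happens to the bind mount when the read-only remount fails and `return r` is taken cannot be checked from here.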


@ -0,0 +1,51 @@
From 2de502ccff1cc780d9d29c4ff7e6c1e0f2d7a082 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Fri, 21 Aug 2020 13:16:17 -0400
Subject: [PATCH] journald: do not change the kernel audit setting by default
Bug: https://bugs.gentoo.org/736910
---
man/journald.conf.xml | 2 +-
src/journal/journald-server.c | 2 +-
src/journal/journald.conf | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 50c33e4792..2e14674f42 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -427,7 +427,7 @@
kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
disable it, leaving the previous state unchanged. This means if another tool turns on auditing even
if <command>systemd-journald</command> left it off, it will still collect the generated
- messages. Defaults to on.</para>
+ messages.</para>
<para>Note that this option does not control whether <command>systemd-journald</command> collects
generated audit records, it just controls whether it tells the kernel to generate them. If you need
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 022e12d83d..6b3d261af6 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2367,7 +2367,7 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = UINT64_MAX,
.seal = true,
- .set_audit = true,
+ .set_audit = -1,
.watchdog_usec = USEC_INFINITY,
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 5a60a9d39c..64156d5463 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -44,4 +44,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+#Audit=
--
2.39.1
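Review bot: The man page hunk removes `Defaults to on.` without stating the new default, so the paragraph no longer says what an unset `Audit=` does except by the earlier sentence; suggest `+          messages. Defaults to unset.` so the documentation and the `#Audit=` change in journald.conf say the same thing. The `.set_audit = -1` initialiser in server_init presumably relies on set_audit being a tristate int in the 255 Server struct rather than a bool; the struct is not visible here, so this is worth confirming against the rebased source, because a bool field would turn -1 into true and keep enabling kernel auditing, which is exactly what the patch intends to stop.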


@ -1,40 +0,0 @@
From 593db1c78011ddce551051ce17eda6feac079b3d Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Fri, 21 Aug 2020 13:16:17 -0400
Subject: [PATCH] journald: do not change the kernel audit setting by default
Bug: https://bugs.gentoo.org/736910
---
man/journald.conf.xml | 2 +-
src/journal/journald-server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index bfd359a903..7e93d4050e 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -411,7 +411,7 @@
<command>systemd-journald</command> collects generated audit records, it just controls whether it
tells the kernel to generate them. This means if another tool turns on auditing even if
<command>systemd-journald</command> left it off, it will still collect the generated
- messages. Defaults to on.</para></listitem>
+ messages.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..163be685a8 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2208,7 +2208,7 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = (uint64_t) -1,
.seal = true,
- .set_audit = true,
+ .set_audit = -1,
.watchdog_usec = USEC_INFINITY,
--
2.28.0


@ -1,25 +0,0 @@
From d9059d2ef1b0d6034267cc8ff44871d0f82f840f Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sun, 8 Nov 2020 12:34:11 -0500
Subject: [PATCH] systemctl: disable synchronizaion of sysv init scripts
---
src/systemctl/systemctl-sysv-compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c
index 2dca9e480f..5dcf13ba17 100644
--- a/src/systemctl/systemctl-sysv-compat.c
+++ b/src/systemctl/systemctl-sysv-compat.c
@@ -111,7 +111,7 @@ int parse_shutdown_time_spec(const char *t, usec_t *ret) {
int enable_sysv_units(const char *verb, char **args) {
int r = 0;
-#if HAVE_SYSV_COMPAT
+#if 0
_cleanup_(lookup_paths_free) LookupPaths paths = {};
unsigned f = 0;
--
2.29.0


@ -0,0 +1,3 @@
# Based on legacy.conf from systemd
d /run/lock
L /var/lock - - - - ../run/lock
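Review bot: `d /run/lock` relies on tmpfiles' implicit mode and ownership for a directory that sysv-style lock users write into; spelling them out as `d /run/lock 0755 root root -` makes the intended permissions reviewable and independent of the default. The `L` line with its relative `../run/lock` target is fine. The header comment names the upstream file it is based on but not why only these two entries are kept; one more sentence there would save the next maintainer a comparison against upstream.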


@ -0,0 +1,34 @@
https://bugs.gentoo.org/896364
Workaround for bug in sys-kernel/dracut.
From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 20 Feb 2023 12:00:30 +0900
Subject: [PATCH] core/manager: run generators directly when we are in initrd
Some initrd system write files at ourside of /run, /etc, or other
allowed places. This is a kind of workaround, but in most cases, such
sandboxing is not necessary as the filesystem is on ramfs when we are in
initrd.
Fixes #26488.
---
src/core/manager.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d4..306477c6e6c2 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
/* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
* we are the user manager, let's just execute the generators directly. We might not have the
* necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
- */
- if (MANAGER_IS_USER(m)) {
+ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
+ if (MANAGER_IS_USER(m) || in_initrd()) {
r = manager_execute_generators(m, paths, /* remount_ro= */ false);
goto finish;
}


@ -2,15 +2,6 @@
# keepdir. The list isn't sorted, but tries to preserve the order of
# keepdir lines from Gentoo ebuild for easier comparisons. We skip the
# directories in /usr, though.
d /etc/binfmt.d - - - - -
d /etc/modules-load.d - - - - -
d /etc/tmpfiles.d - - - - -
d /etc/kernel/install.d - - - - -
d /etc/systemd/network - - - - -
d /etc/systemd/system - - - - -
d /etc/systemd/user - - - - -
d /etc/udev/rules.d - - - - -
d /etc/udev/hwdb.d - - - - -
d /var/lib/systemd - - - - -
d /var/log/journal - - - - -
d /etc/sysctl.d - - - - -


@ -10,11 +10,11 @@
</slots>
<use>
<flag name="audit">Enable support for <pkg>sys-process/audit</pkg></flag>
<flag name="boot">Enable EFI boot manager and stub loader</flag>
<flag name="cgroup-hybrid">Default to hybrid (legacy) cgroup hierarchy instead of unified (modern).</flag>
<flag name="curl">Enable support for uploading journals</flag>
<flag name="cryptsetup">Enable cryptsetup tools (includes unit generator for crypttab)</flag>
<flag name="dns-over-tls">Enable DNS-over-TLS support</flag>
<flag name="gnuefi">Enable EFI boot manager and stub loader (built using <pkg>sys-boot/gnu-efi</pkg>)</flag>
<flag name="elfutils">Enable coredump stacktraces in the journal</flag>
<flag name="fido2">Enable FIDO2 support</flag>
<flag name="gcrypt">Enable use of <pkg>dev-libs/libgcrypt</pkg> for various features</flag>
@ -22,6 +22,7 @@
<flag name="http">Enable embedded HTTP server in journald</flag>
<flag name="importd">Enable import daemon</flag>
<flag name="iptables">Use libiptc from <pkg>net-firewall/iptables</pkg> for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables</flag>
<flag name="kernel-install">Enable kernel-install</flag>
<flag name="kmod">Enable kernel module loading via <pkg>sys-apps/kmod</pkg></flag>
<flag name="lz4">Enable lz4 compression for the journal</flag>
<flag name="openssl">Enable use of <pkg>dev-libs/openssl</pkg> for various features</flag>
@ -31,6 +32,7 @@
<flag name="resolvconf">Install resolvconf symlink for systemd-resolve</flag>
<flag name="sysv-utils">Install sysvinit compatibility symlinks and manpages for init, telinit, halt, poweroff, reboot, runlevel, and shutdown</flag>
<flag name="tpm">Enable TPM support</flag>
<flag name="ukify">Enable systemd-ukify</flag>
<flag name="vanilla">Disable Gentoo-specific behavior and compatibility quirks</flag>
<flag name="xkb">Depend on <pkg>x11-libs/libxkbcommon</pkg> to allow logind to control the X11 keymap</flag>
</use>


@ -1,8 +1,8 @@
# Copyright 2011-2023 Gentoo Authors
# Copyright 2011-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
PYTHON_COMPAT=( python3_{9..11} )
EAPI=8
PYTHON_COMPAT=( python3_{10..12} )
# Avoid QA warnings
TMPFILES_OPTIONAL=1
@ -23,14 +23,13 @@ else
MY_P=${MY_PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
# Flatcar: Mark as stable.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
# Flatcar: mark as stable
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi
inherit bash-completion-r1 linux-info meson-multilib pam
# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
# Adding tmpfiles, since we use it for installing some files.
inherit python-any-r1 systemd tmpfiles toolchain-funcs udev usr-ldscript
inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
inherit secureboot systemd tmpfiles toolchain-funcs udev
DESCRIPTION="System and service manager for Linux"
HOMEPAGE="http://systemd.io/"
@ -38,30 +37,34 @@ HOMEPAGE="http://systemd.io/"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
IUSE="
acl apparmor audit cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
fido2 +gcrypt gnuefi gnutls homed http idn importd iptables +kmod
acl apparmor audit boot cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod
+lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd
"
REQUIRED_USE="
${PYTHON_REQUIRED_USE}
dns-over-tls? ( || ( gnutls openssl ) )
fido2? ( cryptsetup openssl )
homed? ( cryptsetup pam openssl )
importd? ( curl lzma || ( gcrypt openssl ) )
pwquality? ( homed )
boot? ( kernel-install )
ukify? ( boot )
"
RESTRICT="!test? ( test )"
MINKV="4.15"
COMMON_DEPEND="
>=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
>=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}]
sys-libs/libcap:0=[${MULTILIB_USEDEP}]
virtual/libcrypt:=[${MULTILIB_USEDEP}]
acl? ( sys-apps/acl:0= )
apparmor? ( sys-libs/libapparmor:0= )
apparmor? ( >=sys-libs/libapparmor-2.13:0= )
audit? ( >=sys-process/audit-2:0= )
cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
curl? ( net-misc/curl:0= )
curl? ( >=net-misc/curl-7.32.0:0= )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
fido2? ( dev-libs/libfido2:0= )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
@ -78,12 +81,12 @@ COMMON_DEPEND="
iptables? ( net-firewall/iptables:0= )
openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( app-crypt/p11-kit:0= )
pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= )
pcre? ( dev-libs/libpcre2 )
pwquality? ( dev-libs/libpwquality:0= )
qrcode? ( media-gfx/qrencode:0= )
pwquality? ( >=dev-libs/libpwquality-1.4.1:0= )
qrcode? ( >=media-gfx/qrencode-3:0= )
seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
selinux? ( sys-libs/libselinux:0= )
selinux? ( >=sys-libs/libselinux-2.1.9:0= )
tpm? ( app-crypt/tpm2-tss:0= )
xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )
zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] )
@ -92,9 +95,10 @@ COMMON_DEPEND="
# Newer linux-headers needed by ia64, bug #480218
DEPEND="${COMMON_DEPEND}
>=sys-kernel/linux-headers-${MINKV}
gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
"
PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]'
# baselayout-2.2 has /run
#
# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
@ -129,6 +133,11 @@ RDEPEND="${COMMON_DEPEND}
>=acct-user/systemd-resolve-0-r1
>=acct-user/systemd-timesync-0-r1
>=sys-apps/baselayout-2.2
sys-apps/kbd
ukify? (
${PYTHON_DEPS}
$(python_gen_cond_dep "${PEFILE_DEPEND}")
)
selinux? (
sec-policy/selinux-base-policy[systemd]
)
@ -145,9 +154,8 @@ RDEPEND="${COMMON_DEPEND}
"
# sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
#
# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped.
PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
>=sys-fs/udev-init-scripts-34
policykit? ( sys-auth/polkit )
!vanilla? ( sys-apps/gentoo-systemd-integration )"
@ -167,15 +175,15 @@ BDEPEND="
app-text/docbook-xml-dtd:4.5
app-text/docbook-xsl-stylesheets
dev-libs/libxslt:0
$(python_gen_any_dep 'dev-python/jinja[${PYTHON_USEDEP}]')
$(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]')
${PYTHON_DEPS}
$(python_gen_cond_dep "
dev-python/jinja[\${PYTHON_USEDEP}]
dev-python/lxml[\${PYTHON_USEDEP}]
boot? ( >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] )
ukify? ( test? ( ${PEFILE_DEPEND} ) )
")
"
python_check_deps() {
python_has_version "dev-python/jinja[${PYTHON_USEDEP}]" &&
python_has_version "dev-python/lxml[${PYTHON_USEDEP}]"
}
QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
QA_EXECSTACK="usr/lib/systemd/boot/efi/*"
@ -186,7 +194,7 @@ pkg_pretend() {
ewarn "See https://bugs.gentoo.org/674458."
fi
local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS
local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS
~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
@ -229,7 +237,7 @@ pkg_pretend() {
}
pkg_setup() {
:
use boot && secureboot_pkg_setup
}
src_unpack() {
@ -239,7 +247,6 @@ src_unpack() {
src_prepare() {
local PATCHES=(
"${FILESDIR}/252-no-stack-protector-bpf.patch"
# Flatcar: Adding our own patches here.
"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
"${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch"
@ -248,14 +255,12 @@ src_prepare() {
"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
"${FILESDIR}/0008-Revert-core-service-when-resetting-PID-also-reset-known.patch"
)
if ! use vanilla; then
PATCHES+=(
"${FILESDIR}/gentoo-generator-path-r2.patch"
"${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch"
"${FILESDIR}/gentoo-journald-audit.patch"
"${FILESDIR}/gentoo-journald-audit-r1.patch"
)
fi
@ -276,7 +281,6 @@ src_prepare() {
# configure the kubelet resolvConf variable/--resolv-conf flag
# to /run/systemd/resolve/resolv.conf).
sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
default
}
@ -293,7 +297,6 @@ src_configure() {
get_rootprefix() {
usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
}
multilib_src_configure() {
local myconf=(
--localstatedir="${EPREFIX}/var"
@ -311,6 +314,9 @@ multilib_src_configure() {
# in some places.
-Drootprefix="$(get_rootprefix)"
-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
# Disable compatibility with sysvinit
-Dsysvinit-path=
-Dsysvrcnd-path=
# Avoid infinite exec recursion, bug 642724
-Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit"
# no deps
@ -320,25 +326,25 @@ multilib_src_configure() {
$(meson_native_use_bool acl)
$(meson_native_use_bool apparmor)
$(meson_native_use_bool audit)
$(meson_native_use_bool boot bootloader)
$(meson_native_use_bool cryptsetup libcryptsetup)
$(meson_native_use_bool curl libcurl)
$(meson_native_use_bool dns-over-tls dns-over-tls)
$(meson_native_use_bool elfutils)
$(meson_native_use_bool fido2 libfido2)
$(meson_use gcrypt)
$(meson_native_use_bool gnuefi gnu-efi)
$(meson_native_use_bool gnutls)
-Defi-includedir="${ESYSROOT}/usr/include/efi"
-Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
$(meson_native_use_bool homed)
$(meson_native_use_bool http microhttpd)
$(meson_native_use_bool idn)
$(meson_native_use_bool importd)
$(meson_native_use_bool importd bzip2)
$(meson_native_use_bool importd zlib)
$(meson_native_use_bool kernel-install)
$(meson_native_use_bool kmod)
$(meson_use lz4)
$(meson_use lzma xz)
$(meson_use test tests)
$(meson_use zstd)
$(meson_native_use_bool iptables libiptc)
$(meson_native_use_bool openssl)
@ -352,6 +358,7 @@ multilib_src_configure() {
$(meson_native_use_bool selinux)
$(meson_native_use_bool tpm tpm2)
$(meson_native_use_bool test dbus)
$(meson_native_use_bool ukify)
$(meson_native_use_bool xkb xkbcommon)
# Flatcar: Use our ntp servers.
-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
@ -380,7 +387,7 @@ multilib_src_configure() {
$(meson_native_true timesyncd)
$(meson_native_true tmpfiles)
$(meson_native_true vconsole)
$(meson_native_enabled vmspawn)
# Flatcar: Specify this, or meson breaks due to no
# /etc/login.defs.
-Dsystem-gid-max=999
@ -416,6 +423,7 @@ multilib_src_configure() {
# Flatcar: Unported options, still needed?
-Dquotaon-path=/usr/sbin/quotaon
-Dquotacheck-path=/usr/sbin/quotacheck
-Ddefault-mdns=no
)
meson_src_configure "${myconf[@]}"
@ -423,15 +431,14 @@ multilib_src_configure() {
multilib_src_test() {
unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
local -x COLUMNS=80
meson_src_test
}
multilib_src_install_all() {
local rootprefix=$(usex split-usr '' /usr)
# Flatcar: We always have bin separate from sbin
# local sbin=$(usex split-usr sbin bin)
local sbin='sbin'
# meson doesn't know about docdir
mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
@ -440,23 +447,17 @@ multilib_src_install_all() {
# provide it.
# dodoc "${FILESDIR}"/nsswitch.conf
if ! use resolvconf; then
rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die
fi
insinto /usr/lib/tmpfiles.d
doins "${FILESDIR}"/legacy.conf
rm "${ED}"/etc/init.d/README || die
rm "${ED}${rootprefix}"/lib/systemd/system-generators/systemd-sysv-generator || die
if ! use resolvconf; then
rm -f "${ED}"/usr/bin/resolvconf || die
fi
if ! use sysv-utils; then
rm "${ED}${rootprefix}/${sbin}"/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die
rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die
rm "${ED}"/usr/share/man/man1/init.1 || die
rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die
fi
# Flatcar: We always have bin separate from sbin, so drop the
# "&& use split-usr" part.
if ! use resolvconf && ! use sysv-utils; then
rmdir "${ED}${rootprefix}"/sbin || die
rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die
fi
# https://bugs.gentoo.org/761763
@ -464,39 +465,28 @@ multilib_src_install_all() {
# Flatcar: Upstream uses keepdir commands to keep some empty
# directories. We use tmpfiles.
# # Preserve empty dirs in /etc & /var, bug #437008
# keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
# keepdir /etc/kernel/install.d
# keepdir /etc/systemd/{network,system,user}
# keepdir /etc/udev/rules.d
#
# keepdir /etc/udev/hwdb.d
#
# keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
# Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
keepdir /etc/kernel/install.d
keepdir /etc/systemd/{network,system,user}
keepdir /etc/udev/rules.d
keepdir /etc/udev/hwdb.d
# keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
# keepdir /usr/lib/{binfmt.d,modules-load.d}
# keepdir /usr/lib/systemd/user-generators
# keepdir /var/lib/systemd
# keepdir /var/log/journal
# Flatcar: No migrations happening here.
# # Symlink /etc/sysctl.conf for easy migration.
# dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
# Flatcar: Do not install a pam policy, we have our own.
# if use pam; then
# newpamd "${FILESDIR}"/systemd-user.pam systemd-user
# fi
if use split-usr; then
# Avoid breaking boot/reboot
dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd
dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
if use kernel-install; then
# Dummy config, remove to make room for sys-kernel/installkernel
rm "${ED}/usr/lib/kernel/install.conf" || die
fi
# Flatcar: gen_usr_ldscript is likely for static libs, so we
# dropped it.
# gen_usr_ldscript -a systemd udev
# Flatcar: Ensure journal directory has correct ownership/mode
# in inital image. This is fixed by systemd-tmpfiles *but*
# journald starts before that and will create the journal if
@ -560,7 +550,7 @@ multilib_src_install_all() {
# Flatcar: enable systemd-pstore.service
builddir_systemd_enable_service sysinit.target systemd-pstore.service
# Flatcar: enable systemd-boot-update.service
if use gnuefi; then
if use boot; then
builddir_systemd_enable_service sysinit.target systemd-boot-update.service
fi
# Flatcar: enable reboot.target (not enabled - has no WantedBy
@ -572,8 +562,8 @@ multilib_src_install_all() {
# Flatcar: Use an empty preset file, because systemctl
# preset-all puts symlinks in /etc, not in /usr. We don't use
# /etc, because it is not autoupdated. We do the "preset" above.
rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die
insinto $(usex split-usr '' /usr)/lib/systemd/system-preset
rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
insinto /usr/lib/systemd/system-preset
doins "${FILESDIR}"/99-default.preset
# Flatcar: Do not ship distro-specific files (nsswitch.conf
@ -584,6 +574,9 @@ multilib_src_install_all() {
-e '/^C!* \/etc\/nsswitch\.conf/d' \
-e '/^C!* \/etc\/pam\.d/d' \
-e '/^C!* \/etc\/issue/d'
use ukify && python_fix_shebang "${ED}"
use boot && secureboot_auto_sign
}
# Flatcar: Our own version of systemd_get_systemunitdir, that returns
@ -602,8 +595,12 @@ builddir_systemd_enable_service() {
dodir "${ud}"/"${target}".wants && \
dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
}
if use boot; then
python_fix_shebang "${ED}"
secureboot_auto_sign
fi
}
migrate_locale() {
local envd_locale_def="${EROOT}/etc/env.d/02locale"
local envd_locale=( "${EROOT}"/etc/env.d/??locale )
@ -649,6 +646,11 @@ migrate_locale() {
}
pkg_preinst() {
if [[ -e ${EROOT}/etc/sysctl.conf ]]; then
# Symlink /etc/sysctl.conf for easy migration.
dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
fi
if ! use split-usr; then
local dir
# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
@ -664,6 +666,10 @@ pkg_preinst() {
die "System layout with split directories still used"
fi
fi
if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then
ewarn "The 'gnuefi' USE flag has been renamed to 'boot'."
ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."
fi
}
pkg_postinst() {
@ -693,12 +699,27 @@ pkg_postinst() {
rm "${EROOT}/var/lib/systemd/timesync"
fi
if [[ -z ${ROOT} && -d /run/systemd/system ]]; then
ebegin "Reexecuting system manager (systemd)"
systemctl daemon-reexec
eend $? || FAIL=1
fi
if [[ ${FAIL} ]]; then
eerror "One of the postinst commands failed. Please check the postinst output"
eerror "for errors. You may need to clean up your system and/or try installing"
eerror "systemd again."
eerror
fi
if use boot; then
optfeature "automatically installing the kernels in systemd-boot's native layout and updating the bootloader configuration" \
"sys-kernel/installkernel[systemd-boot]"
fi
if use ukify; then
optfeature "automatically generating an unified kernel image on each kernel installation" \
"sys-kernel/installkernel[ukify]"
fi
}
pkg_prerm() {


@ -0,0 +1 @@
DIST udev-init-scripts-35.tar.gz 3666 BLAKE2B fddae466428605ea930519e8a47e0ea91f89f9eacc1fd97c137d175142125b12c3d045aec68db35a463de444ac6d8c037cca55f9628f10576c968259d566a9e4 SHA512 da9d2093149967e2e1b9bc7190ddfd55a87c9ae2177e3216f7cb2694fc9b64037eb6f2599ad8a4b7594ef32ced88fbb319c92904bc72a81ea5404945f8a8378a


@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>systemd@gentoo.org</email>
</maintainer>
</pkgmetadata>


@ -0,0 +1,50 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
OLD_PN=udev-gentoo-scripts
OLD_P=${OLD_PN}-${PV}
if [ "${PV}" = "9999" ]; then
EGIT_REPO_URI="https://anongit.gentoo.org/proj/${OLD_PN}.git"
inherit git-r3
else
SRC_URI="https://gitweb.gentoo.org/proj/${OLD_PN}.git/snapshot/${OLD_P}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/${OLD_P}"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
fi
DESCRIPTION="udev startup scripts for openrc"
HOMEPAGE="https://wiki.gentoo.org/wiki/No_homepage"
LICENSE="GPL-2"
SLOT="0"
RESTRICT="test"
RDEPEND=">=virtual/udev-217
!<sys-apps/openrc-0.14"
src_install() {
local -x SYSCONFDIR="${EPREFIX}/etc"
default
}
pkg_postinst() {
# Add udev and udev-trigger to the sysinit runlevel automatically.
for f in udev udev-trigger; do
if [[ -x "${EROOT}/etc/init.d/${f}" &&
-d "${EROOT}/etc/runlevels/sysinit" &&
! -L "${EROOT}/etc/runlevels/sysinit/${f}" ]]; then
ln -snf "${EPREFIX}/etc/init.d/${f}" "${EROOT}/etc/runlevels/sysinit/${f}"
ewarn "Adding ${f} to the sysinit runlevel"
fi
done
if ! has_version "sys-fs/eudev[rule-generator]" && \
[[ -x $(type -P rc-update) ]] && rc-update show | grep udev-postmount | grep -qs 'boot\|default\|sysinit'; then
ewarn "The udev-postmount service has been removed because the reasons for"
ewarn "its existance have been removed upstream."
ewarn "Please remove it from your runlevels."
fi
}
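Review bot: The loop variable in pkg_postinst is never declared, so `for f in udev udev-trigger` leaves a global `f` behind in the ebuild environment; add `local f` before the loop, the way src_install already scopes `local -x SYSCONFDIR`. The warning text two lines below the grep misspells its key word and should read `ewarn "its existence have been removed upstream."`. The `if [ "${PV}" = "9999" ]` test at the top uses single brackets while every other test in the file uses `[[ … ]]`; `if [[ ${PV} == 9999 ]]; then` keeps the style uniform. On a systemd-based image the `-d "${EROOT}/etc/runlevels/sysinit"` guard presumably never holds, so the symlink branch looks dead here — a one-line comment saying that this block only matters for OpenRC hosts would save readers from wondering whether it touches the image.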


@ -0,0 +1,50 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
OLD_PN=udev-gentoo-scripts
OLD_P=${OLD_PN}-${PV}
if [ "${PV}" = "9999" ]; then
EGIT_REPO_URI="https://anongit.gentoo.org/proj/${OLD_PN}.git"
inherit git-r3
else
SRC_URI="https://gitweb.gentoo.org/proj/${OLD_PN}.git/snapshot/${OLD_P}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/${OLD_P}"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi
DESCRIPTION="udev startup scripts for openrc"
HOMEPAGE="https://wiki.gentoo.org/wiki/No_homepage"
LICENSE="GPL-2"
SLOT="0"
RESTRICT="test"
RDEPEND=">=virtual/udev-217
!<sys-apps/openrc-0.14"
src_install() {
local -x SYSCONFDIR="${EPREFIX}/etc"
default
}
pkg_postinst() {
# Add udev and udev-trigger to the sysinit runlevel automatically.
for f in udev udev-trigger; do
if [[ -x "${EROOT}/etc/init.d/${f}" &&
-d "${EROOT}/etc/runlevels/sysinit" &&
! -L "${EROOT}/etc/runlevels/sysinit/${f}" ]]; then
ln -snf "${EPREFIX}/etc/init.d/${f}" "${EROOT}/etc/runlevels/sysinit/${f}"
ewarn "Adding ${f} to the sysinit runlevel"
fi
done
if ! has_version "sys-fs/eudev[rule-generator]" && \
[[ -x $(type -P rc-update) ]] && rc-update show | grep udev-postmount | grep -qs 'boot\|default\|sysinit'; then
ewarn "The udev-postmount service has been removed because the reasons for"
ewarn "its existance have been removed upstream."
ewarn "Please remove it from your runlevels."
fi
}
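Review bot: `f` in the `for f in udev udev-trigger` loop of pkg_postinst is undeclared and so leaks into the global ebuild scope; `local f` before the loop fixes it, consistent with the `local -x SYSCONFDIR` in src_install. Apart from the copyright year and the KEYWORDS stability this file appears identical to the other udev-init-scripts ebuild added in this commit, so both copies of the runlevel-editing logic and of the `rc-update show | grep udev-postmount | grep -qs 'boot\|default\|sysinit'` check will have to be kept in sync; if only one version is meant to be built, carrying a single ebuild would shrink the surface to review. A short comment above pkg_postinst stating that the function only edits OpenRC runlevels and is a no-op without `${EROOT}/etc/runlevels/sysinit` would also help on a systemd distribution.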


@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
else
CROS_WORKON_COMMIT="ea430ee8ada8f3415228c185c1205d1f681c8ca4" # flatcar-master
CROS_WORKON_COMMIT="19245b06d7634f1d2cea30c49f2a92e2462d8551" # flatcar-master
KEYWORDS="amd64 arm arm64 x86"
fi


@ -69,6 +69,8 @@ PATCHES=(
"${FILESDIR}"/050-change-network-dep-iscsi.patch
# Add required systemd 255 binary
"${FILESDIR}"/059-systemd-executor.patch
# Add systemd vconsole setup fix using i118n
"${FILESDIR}"/0001-systemd-initrd-install-only-keymap-required-by-syste.patch
)
src_configure() {
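Review bot: The comment introducing the new patch, `# Add systemd vconsole setup fix using i118n`, names the wrong dracut module; it is `10i18n`, and a comment that says what the patch does would be more useful: `# Flatcar: limit dracut's 10i18n module to loadkeys and a single (us) keymap`. Since the patch pins the initrd keymap regardless of the host's vconsole configuration, noting that consequence here would save the next reader a trip into files/. The PATCHES array this hunk extends begins before the hunk.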


@ -0,0 +1,51 @@
From 6d7e4b88c21f45cf1695e4495004a12cacd58d0c Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Thu, 7 Mar 2024 11:17:54 +0000
Subject: [PATCH] systemd: initrd: install only keymap required by
systemd-vconsole-setup
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
---
modules.d/10i18n/module-setup.sh | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/modules.d/10i18n/module-setup.sh b/modules.d/10i18n/module-setup.sh
index d6688b47..516883be 100755
--- a/modules.d/10i18n/module-setup.sh
+++ b/modules.d/10i18n/module-setup.sh
@@ -4,7 +4,7 @@
check() {
[[ "$mount_needs" ]] && return 1
- require_binaries setfont loadkeys kbd_mode || return 1
+ require_binaries loadkeys || return 1
return 0
}
@@ -164,6 +164,10 @@ install() {
fi
shopt -q -u nocasematch
+ # install only one keymap: us
+ KEYMAP=us
+
+
# Gentoo user may have KEYMAP set to something like "-u pl2",
KEYMAP=${KEYMAP#-* }
@@ -267,10 +271,7 @@ install() {
inst_simple ${VCONFIG_CONF}
fi
- if [[ ${hostonly} ]] && ! [[ ${i18n_install_all} == "yes" ]]; then
- install_local_i18n || install_all_kbd
- else
- install_all_kbd
- fi
+ # install only one keyboard map
+ install_local_i18n
fi
}
--
2.43.0
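Review bot: The added `KEYMAP=us` overwrites whatever keymap install() had presumably picked up from the host configuration just above it, so the initrd layout is pinned to US no matter what vconsole.conf says; if an initrd prompt ever asks for a passphrase or password on a system configured with a non-US layout, the typed characters will not be what the installed system expects, and the commit message should state this trade-off. The lines that follow, `# Gentoo user may have KEYMAP set to something like "-u pl2"` and `KEYMAP=${KEYMAP#-* }`, are dead after the hard-coded assignment and should go with it (or the assignment should move below them). Replacing `install_local_i18n || install_all_kbd` with a bare `install_local_i18n` also removes the only failure handling: if the `us` keymap file is absent the initrd silently ships with no keymap, so at minimum propagate the status with `install_local_i18n || return 1`, assuming dracut acts on a non-zero install() status (please confirm). Narrowing `require_binaries` to `loadkeys` is only safe if the unchanged part of install(), which lies outside the hunk, no longer installs setfont or kbd_mode. The two consecutive blank lines added after `KEYMAP=us` are a style nit.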


@ -15,7 +15,6 @@
-*net-misc/iputils
-*sys-apps/iproute2
-*sys-apps/kbd
-*sys-fs/e2fsprogs
-*virtual/dev-manager
-*sys-apps/shadow