diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch
index 50671ce19e..7ebfbe6b1f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch
@@ -1,7 +1,7 @@
 From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001
 From: David Michael
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 1/7] wait-online: set --any by default
+Subject: [PATCH 1/9] wait-online: set --any by default
 The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch
index f538682a5b..3684985fe8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch
@@ -1,7 +1,7 @@
 From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001
 From: Alex Crawford
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 2/7] needs-update: don't require strictly newer usr
+Subject: [PATCH 2/9] needs-update: don't require strictly newer usr
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch
index 9ebd5e3129..fc40376e7a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch
@@ -1,7 +1,7 @@
 From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 3/7] core: use max for DefaultTasksMax
+Subject: [PATCH 3/9] core: use max for DefaultTasksMax
 Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch
index 445fdc2728..a66305caa6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch
@@ -1,7 +1,7 @@
 From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 4/7] systemd: Disable SELinux permissions checks
+Subject: [PATCH 4/9] systemd: Disable SELinux permissions checks
 We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
index f189765e9a..eeb66a75ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
@@ -1,7 +1,7 @@
 From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 5/7] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 5/9] Revert "getty: Pass tty to use by agetty via stdin"
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch
index 033ccf2f5f..8e76b1b1b1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch
@@ -1,7 +1,7 @@
 From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu
 Date: Fri, 16 Feb 2024 11:29:04 +0000
-Subject: [PATCH 6/7] units: Keep using old journal file format
+Subject: [PATCH 6/9] units: Keep using old journal file format
 Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch
index 4c12dc2f6e..e399b5401c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch
@@ -1,7 +1,7 @@
 From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu
 Date: Wed, 25 Sep 2024 15:51:02 +0000
-Subject: [PATCH 7/7] Revert "Revert "initrd-parse-etc: override argv[0] to
+Subject: [PATCH 7/9] Revert "Revert "initrd-parse-etc: override argv[0] to
 avoid dracut issue""
 This reverts commit 1c585a4ccda3258088d7bc27b27a314e7ed8be80.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch
new file mode 100644
index 0000000000..66ec8d3311
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch
@@ -0,0 +1,36 @@
+From 3938b8d561e747ef1dea83afc9f254d594291dc1 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Wed, 22 Oct 2025 10:39:42 +0200
+Subject: [PATCH 8/9] tmpfiles.d: Fix DNS issues with default k8s configuration
+
+The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy
+"default", but unless the kubelet `--resolv-conf` flag is set to point to
+`/run/systemd/resolve/resolv.conf` this won't work with `/etc/resolv.conf`
+pointing to `/run/systemd/resolve/stub-resolv.conf` which configures
+`127.0.0.53`. See:
+
+https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
+
+This means that users who need split DNS to work should point
+`/etc/resolv.conf` back to `/run/systemd/resolve/stub-resolv.conf` (and if
+using K8s configure the kubelet `resolvConf` variable/`--resolv-conf` flag to
+`/run/systemd/resolve/resolv.conf`).
+
+Signed-off-by: Krzesimir Nowak
+---
+ tmpfiles.d/systemd-resolve.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf
+index be5edc98e0..bea686682a 100644
+--- a/tmpfiles.d/systemd-resolve.conf
++++ b/tmpfiles.d/systemd-resolve.conf
+@@ -7,4 +7,4 @@
+
+ # See tmpfiles.d(5) for details.
+
+-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
++L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch
new file mode 100644
index 0000000000..93a640f414
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch
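Review bot: The commit message explains the kubelet problem but not the security-relevant side of the change in the `L!` line: once /etc/resolv.conf points at resolv.conf instead of stub-resolv.conf, every program using the libc resolver bypasses systemd-resolved (as systemd-resolved(8) documents for that file), so any DNSSEC=, DNSOverTLS= or per-link DNS= routing configured in resolved no longer covers those lookups, and only nss-resolve and D-Bus clients still get it. A sentence to that effect in the commit message, and in the README bullet for this patch, would tell operators that resolved's resolver hardening is not enforced for libc clients on a default install unless they switch the link back to the stub as the message already suggests. Since resolv.conf also carries one flat list of all servers resolved knows, routing that depended on the stub is lost for those clients as well.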
@@ -0,0 +1,35 @@
+From 946db05da46d3c453b129c6413d1fd0b3794d038 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Fri, 24 Oct 2025 11:06:57 +0200
+Subject: [PATCH 9/9] units: Make multi-user.target the default target
+
+Signed-off-by: Krzesimir Nowak
+---
+ units/meson.build | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index 96f4852741..4b1efbc4b1 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -46,7 +46,7 @@ units = [
+ },
+ {
+ 'file' : 'graphical.target',
+- 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
++ 'symlinks' : with_runlevels ? ['runlevel5.target'] : [],
+ },
+ { 'file' : 'halt.target' },
+ {
+@@ -140,7 +140,7 @@ units = [
+ { 'file' : 'modprobe@.service' },
+ {
+ 'file' : 'multi-user.target',
+- 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
++ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : []),
+ },
+ { 'file' : 'network-online.target' },
+ { 'file' : 'network-pre.target' },
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md
new file mode 100644
index 0000000000..c81b881d9f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md
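Review bot: The commit message of this patch has no body: unlike 0008 it gives no reason for moving the `default.target` symlink from `graphical.target` to `multi-user.target`, and the one-line rationale the ebuild used to carry (`# Flatcar: Don't default to graphical.target.`) is deleted in the same commit. A future rebase onto a newer systemd will present this patch file, not the README, so the reason belongs here; a single body line such as `Flatcar does not run a graphical session, so default.target should resolve to multi-user.target; this replaces the dosym the ebuild used to do in multilib_src_install_all.` would do, with the reason adjusted if it is a different one. It may also be worth stating that the symlink is now created by the build rather than the ebuild, so packaging checks that look for default.target know where to expect it.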
@@ -0,0 +1,23 @@
+Most of these patches are not really upstreamable.
+
+- `0001-wait-online-set-any-by-default.patch`
+ - backward compat stuff
+- `0002-needs-update-don-t-require-strictly-newer-usr.patch`
+ - trigger updates only when /usr changes
+- `0003-core-use-max-for-DefaultTasksMax.patch`
+ - increase the too-low limits
+- `0004-systemd-Disable-SELinux-permissions-checks.patch`
+ - disable interactions between systemd and SELinux policies
+ - this will be dropped when we increase SELinux coverage also to a host system
+- `0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch`
+ - SELinux denial workaround
+ - this will be dropped when we increase SELinux coverage also to a host system
+- `0006-units-Keep-using-old-journal-file-format.patch`
+ - backward compat stuff
+- `0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch`
+ - dracut issue workaround
+ - should be dropped when we update dracut to a version without the issue
+- `0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch`
+ - workaround for issues with default k8s coredns config
+- `0009-units-Make-multi-user.target-the-default-target.patch`
+ - change default.target to a suitable symlink for Flatcar
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
index a315604985..54a029ac1c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
@@ -282,14 +282,6 @@ src_unpack() {
 src_prepare() {
 local PATCHES=(
 "${FILESDIR}"/systemd-257-cred-util-tpm2.patch
- # Flatcar: Adding our own patches here.
- "${FILESDIR}/0001-wait-online-set-any-by-default.patch"
- "${FILESDIR}/0002-needs-update-don-t-require-strictly-newer-usr.patch"
- "${FILESDIR}/0003-core-use-max-for-DefaultTasksMax.patch"
- "${FILESDIR}/0004-systemd-Disable-SELinux-permissions-checks.patch"
- "${FILESDIR}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
- "${FILESDIR}/0006-units-Keep-using-old-journal-file-format.patch"
- "${FILESDIR}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch"
 )
 if ! use vanilla; then
@@ -298,20 +290,6 @@ src_prepare() {
 )
 fi
- # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
- # CoreDNS which has dnsPolicy "default", but unless the
- # kubelet --resolv-conf flag is set to point to
- # /run/systemd/resolve/resolv.conf this won't work with
- # /etc/resolv.conf pointing to
- # /run/systemd/resolve/stub-resolv.conf which configures
- # 127.0.0.53. See
- # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
- # This means that users who need split DNS to work should
- # point /etc/resolv.conf back to
- # /run/systemd/resolve/stub-resolv.conf (and if using K8s
- # configure the kubelet resolvConf variable/--resolv-conf flag
- # to /run/systemd/resolve/resolv.conf).
- sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
 default
 }
@@ -538,10 +516,6 @@ multilib_src_install_all() {
 # baselayout now.
 dotmpfiles "${FILESDIR}"/systemd-resolv.conf
- # Flatcar: Don't default to graphical.target.
- local unitdir=$(builddir_systemd_get_systemunitdir)
- dosym multi-user.target "${unitdir}"/default.target
-
 # Flatcar: Don't set any extra environment variables by default.
 rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
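Review bot: After the PATCHES array in src_prepare is trimmed to the cred-util patch, nothing in the ebuild says where the Flatcar patches now come from, and the second hunk removes the resolv.conf explanation without leaving a pointer either; a reader sees only `default` and has to know that it reaches eapply_user, which is not visible in this diff and should be confirmed before being relied on. Suggest a one-line comment above `local PATCHES=(` such as `# Flatcar: our own patches live in coreos/user-patches/sys-apps/systemd (see its README.md) and are applied by eapply_user via 'default' below.`, worded to match the actual mechanism. Worth also checking that every build configuration that previously got the sed-rewritten tmpfiles.d/systemd-resolve.conf and the dosym'd default.target now applies those user patches, because a user patch that is skipped produces no build failure and would silently leave /etc/resolv.conf pointing at the stub resolver and default.target at graphical.target. The third hunk in this file appears cut off at the end of the chunk, so its last context line was not reviewed.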