diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
new file mode 100644
index 0000000000..755d27a01c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -0,0 +1 @@
+DIST systemd-stable-246.6.tar.gz 9545237 BLAKE2B 5290736b30ca1a3188335a74d49b4f3e8b48007d9563efac1985ea6428a8b8fd6cad7ae87c35e13a32f851ebd27821829738274d35cfbff9340750bd3b086621 SHA512 1936b291d9831cf61f800fe718a4c2c2fe9b2a11fd817fe32bd48da2087a675dfc91013209a3478ea52e8ada593300ed906e248b8081dcf9141bf1cc17483ea9
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch
new file mode 100644
index 0000000000..82feee1111
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch
@@ -0,0 +1,57 @@ +From 25b772a9ec9b4f36e9cd97948c6bafb7765d5113 Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 11:16:01 +0200 +Subject: [PATCH 1/3] sysctl.d/50-default.conf: remove *, .all source route + settings + +The rules were added in systemd-245 and break cluster +networking, e.g. cilium. Please see +https://github.com/flatcar-linux/Flatcar/issues/181 +for details. + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 14378b24af..82cc49587b 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -23,18 +23,27 @@ kernel.core_uses_pid = 1 + + # Source route verification + net.ipv4.conf.default.rp_filter = 2 +-net.ipv4.conf.*.rp_filter = 2 +--net.ipv4.conf.all.rp_filter ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.rp_filter = 2 ++#-net.ipv4.conf.all.rp_filter + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-net.ipv4.conf.*.accept_source_route = 0 +--net.ipv4.conf.all.accept_source_route ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.accept_source_route = 0 ++#-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-net.ipv4.conf.*.promote_secondaries = 1 +--net.ipv4.conf.all.promote_secondaries ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. 
cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.promote_secondaries = 1 ++#-net.ipv4.conf.all.promote_secondaries + + # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW + # The upper limit is set to 2^31-1. Values greater than that get rejected by +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch new file mode 100644 index 0000000000..6bd574055d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch 
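Review bot: The rp_filter wildcard is the only one of the three disables that survives this series (0002 and 0003 below restore promote_secondaries and accept_source_route), so the lasting effect of this patch is that only `net.ipv4.conf.default.rp_filter = 2` is applied and interfaces that already exist when systemd-sysctl runs keep whatever rp_filter value they had; the comment left in 50-default.conf should say so instead of only pointing at the issue. Suggested wording for the remaining comment: `# Flatcar: the *.rp_filter wildcard is left out on purpose (breaks cluster networking, see issue 181); only newly created interfaces inherit rp_filter = 2, existing ones keep their current value.` Because two of the three changes made here are reverted by the next two patches, squashing 0001–0003 into one patch would leave a single reviewable delta from upstream rather than three that partly cancel out.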
@@ -0,0 +1,58 @@ +From 1e608a8f47e0472e910c08d06014d1ef9ddd0cfc Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 11:47:53 +0200 +Subject: [PATCH 2/3] sysctl.d/50-default: better comments, re-activate + promote_secondaries + +This change updates comments as well as re-activates the +promote_secondaries wildcard since networkd's DHCP relies on this +(see https://github.com/systemd/systemd/issues/7163) + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 82cc49587b..8457fb38aa 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -23,27 +23,24 @@ kernel.core_uses_pid = 1 + + # Source route verification + net.ipv4.conf.default.rp_filter = 2 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) ++# We deviate from upstream systemd-245 (and later) since the new default ++# rp_filter wildcard rule causes a regression with cluster networking ++# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) + #net.ipv4.conf.*.rp_filter = 2 + #-net.ipv4.conf.all.rp_filter + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) ++# We deviate from upstream systemd-245 (and later) since the new default ++# source route wildcard rule causes a regression with cluster networking ++# (e.g. 
cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) + #net.ipv4.conf.*.accept_source_route = 0 + #-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) +-#net.ipv4.conf.*.promote_secondaries = 1 +-#-net.ipv4.conf.all.promote_secondaries ++net.ipv4.conf.*.promote_secondaries = 1 ++-net.ipv4.conf.all.promote_secondaries + + # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW + # The upper limit is set to 2^31-1. Values greater than that get rejected by +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch new file mode 100644 index 0000000000..4a87ad1f01 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch 
@@ -0,0 +1,32 @@ +From 5b1ed0e98a8a8225dc3f662483287a380643ab96 Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 13:39:14 +0200 +Subject: [PATCH 3/3] sysctl.d/50-default.conf: re-activate default + accept_source_route + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 8457fb38aa..b7dd7c7ef3 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -31,11 +31,8 @@ net.ipv4.conf.default.rp_filter = 2 + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-# We deviate from upstream systemd-245 (and later) since the new default +-# source route wildcard rule causes a regression with cluster networking +-# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) +-#net.ipv4.conf.*.accept_source_route = 0 +-#-net.ipv4.conf.all.accept_source_route ++net.ipv4.conf.*.accept_source_route = 0 ++-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch new file mode 100644 index 0000000000..23670cd96f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch 
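Review bot: The commit message has no body, so the series gives no reason why the `net.ipv4.conf.*.accept_source_route = 0` wildcard is safe to restore while the rp_filter wildcard from 0001 stays disabled; a reader of the three patches only sees a flip-flop. A one-line body along the lines of `Only the rp_filter wildcard was found to affect cluster networking; rejecting source-routed packets on all interfaces is restored.` would record the decision — word it according to what was actually verified. With this patch the accept_source_route rule again covers interfaces that exist when systemd-sysctl runs, which is the safer default.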
@@ -0,0 +1,32 @@ +From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Tue, 16 Apr 2019 02:44:51 +0000 +Subject: [PATCH 1/5] wait-online: set --any by default + +The systemd-networkd-wait-online command would normally continue +waiting after a network interface is usable if other interfaces are +still configuring. There is a new flag --any to change this. + +Preserve previous Container Linux behavior for compatibility by +setting the --any flag by default. See patches from v241 (or +earlier) for the original implementation. +--- + src/network/wait-online/wait-online.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c +index cfd9093f1a..3c67e3a379 100644 +--- a/src/network/wait-online/wait-online.c ++++ b/src/network/wait-online/wait-online.c +@@ -19,7 +19,7 @@ static usec_t arg_timeout = 120 * USEC_PER_SEC; + static Hashmap *arg_interfaces = NULL; + static char **arg_ignore = NULL; + static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; +-static bool arg_any = false; ++static bool arg_any = true; + + STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); + STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch new file mode 100644 index 0000000000..c9eece6f56 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch 
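Review bot: Flipping the initializer on the `static bool arg_any = true;` line changes what network-online.target means for this build without any trace in the code itself; a comment on that line, `/* Flatcar: default to --any so one configured link satisfies wait-online (Container Linux behaviour) */`, will survive the next rebase better than the commit message alone. The usage text and the man page presumably still describe `--any` as opt-in; confirm they are updated or that the divergence is acceptable. Units ordered after network-online.target should expect that only one link may be configured when they start.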
@@ -0,0 +1,25 @@ +From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001 +From: Nick Owens +Date: Tue, 2 Jun 2015 18:22:32 -0700 +Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting + +--- + src/network/networkd-network.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 97f5551ee5..d12072665a 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi + + .ipv4_accept_local = -1, + ++ .ip_forward = _ADDRESS_FAMILY_INVALID, ++ + .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, + .ipv6_accept_ra = -1, + .ipv6_dad_transmits = -1, +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch new file mode 100644 index 0000000000..2c10a67d58 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch 
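Review bot: The commit message has no body and the added `.ip_forward = _ADDRESS_FAMILY_INVALID,` initializer in network_load_one's Network literal carries no comment, so nothing explains that this is meant to make networkd leave the per-interface forwarding sysctls alone unless IPForward= is set explicitly (that is what the title's "kernel" wording appears to mean — confirm against the IPForward= parser). A trailing comment such as `/* Flatcar: unset == honour the kernel/sysctl value, do not touch forwarding */` would make the intent visible at the point of use. The Network initializer starts and ends outside this hunk.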
@@ -0,0 +1,58 @@ +From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001 +From: Alex Crawford +Date: Wed, 2 Mar 2016 10:46:33 -0800 +Subject: [PATCH 3/5] needs-update: don't require strictly newer usr + +Updates should be triggered whenever usr changes, not only when it is newer. +--- + man/systemd-update-done.service.xml | 2 +- + src/shared/condition.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml +index 91196dff30..14cffbd042 100644 +--- a/man/systemd-update-done.service.xml ++++ b/man/systemd-update-done.service.xml +@@ -50,7 +50,7 @@ + ConditionNeedsUpdate= (see + systemd.unit5) + condition to make sure to run when /etc or +- /var are older than /usr ++ /var aren't the same age as /usr + according to the modification times of the files described above. + This requires that updates to /usr are always + followed by an update of the modification time of +diff --git a/src/shared/condition.c b/src/shared/condition.c +index bf3b5fa162..749f134328 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * First, compare seconds as they are always accurate... + */ + if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) +- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; ++ return true; + + /* + * ...then compare nanoseconds. +@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * (otherwise the filesystem supports nsec timestamps, see stat(2)). 
+ */ + if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) +- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; ++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; + + _cleanup_free_ char *timestamp_str = NULL; + r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); +@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + return true; + } + +- return timespec_load_nsec(&usr.st_mtim) > timestamp; ++ return timespec_load_nsec(&usr.st_mtim) != timestamp; + } + + static int condition_test_first_boot(Condition *c, char **env) { +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch new file mode 100644 index 0000000000..1f2aae96f8 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch 
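Review bot: The three replaced returns now treat any difference between the /usr and /etc or /var modification times as "needs update", including /usr becoming older (a rollback) — consistent with the commit message, but the explanatory comment block in condition_test_needs_update above the first hunk presumably still describes a "newer than" comparison and should be reworded to match; the function starts and ends outside these hunks. The man page wording `/var aren't the same age as /usr` is awkward; `/var do not have the same modification time as /usr` states the new rule precisely. `×tamp_str` in the context line is an extraction artifact of `&timestamp_str` on this page, not something the patch introduces.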
@@ -0,0 +1,60 @@ +From 7bbbac4b335e4dbb2afa5029f9e1f7dcee493d32 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Mon, 25 Jul 2016 15:46:40 -0700 +Subject: [PATCH 4/5] core: use max for DefaultTasksMax + +Since systemd v228, systemd has a DefaultTasksMax which defaulted +to 512, later 15% of the system's maximum number of PIDs. This +limit is low and a change in behavior that people running services +in containers will hit frequently, so revert to previous behavior. +--- + man/systemd-system.conf.xml | 3 +-- + src/basic/cgroup-util.h | 4 ++++ + src/core/system.conf.in | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index c64e57c277..e03e67b2f5 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -361,8 +361,7 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller +- in OS containers. ++ of slice units. Defaults to 100%. 
+ + + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index 2b88571bc1..598bfc1a45 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) { + (x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX); + } + ++/* Default resource limits */ ++#define DEFAULT_TASKS_MAX_PERCENTAGE 100U /* 100% of PIDs */ ++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */ ++ + typedef enum CGroupUnified { + CGROUP_UNIFIED_UNKNOWN = -1, + CGROUP_UNIFIED_NONE = 0, /* Both systemd and controllers on legacy */ +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 40bb548887..c6cddf4f79 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -52,7 +52,7 @@ + #DefaultBlockIOAccounting=no + #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=100% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch new file mode 100644 index 0000000000..e4891b4f70 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch 
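Review bot: Raising DefaultTasksMax to 100% removes the per-unit containment the 15% default provided, so a single runaway service (or a fork-bombing container) can consume the whole pid space before any other unit is affected; the commit message gives the motivation, but the man page text `Defaults to 100%.` should tell operators what they give up, e.g. `Defaults to 100%, i.e. the only limit is the kernel's pid_max; set a lower value or a per-unit TasksMax= to contain runaway services.` The two macros are added to cgroup-util.h rather than replacing existing definitions; if the base tree still defines DEFAULT_TASKS_MAX_PERCENTAGE in another header (upstream has moved it between headers across releases) this becomes a macro redefinition — confirm the build is clean with -Werror. The `33U /* 33% of PIDs, 10813 on default settings */` comment assumes pid_max 32768, which the kernel may raise on machines with many CPUs; saying "with pid_max 32768" keeps the comment accurate.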
@@ -0,0 +1,29 @@ +From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 20 Dec 2016 16:43:22 +0000 +Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks + +We don't care about the interaction between systemd and SELinux policy, so +let's just disable these checks rather than having to incorporate policy +support. This has no impact on our SELinux use-case, which is purely intended +to limit containers and not anything running directly on the host. +--- + src/core/selinux-access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c +index 1d52b5ff04..1653d241f6 100644 +--- a/src/core/selinux-access.c ++++ b/src/core/selinux-access.c +@@ -2,7 +2,7 @@ + + #include "selinux-access.h" + +-#if HAVE_SELINUX ++#if 0 + + #include + #include +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index b3149162dc..a7ad60dc8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild 
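Review bot: Replacing `#if HAVE_SELINUX` with `#if 0` compiles the non-SELinux branch of selinux-access.c unconditionally, so — assuming that branch's stubs return success as upstream's do — every D-Bus method on PID 1 passes the SELinux access check even on a host running an enforcing policy; the commit message accepts this, but the code carries no marker, and a later rebase that restores the HAVE_SELINUX guard would silently re-enable the checks. A comment on the line, `#if 0 /* Flatcar: SELinux access checks intentionally disabled, see patch 0008 */`, pins the intent where it is read. The ebuild still builds with USE=selinux and links libselinux, so the other HAVE_SELINUX code paths presumably stay active while only the access checks are off; the description should state that scope explicitly.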
@@ -1,35 +1,31 @@ # Copyright 2011-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# Flatcar: Based on systemd-246-r1.ebuild from commit -# 431a568d06963207495c099b5a64f85442017507 in gentoo repo (see -# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r1.ebuild?id=431a568d06963207495c099b5a64f85442017507). +# Flatcar: Based on systemd-246-r2.ebuild from commit +# 4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7 in gentoo repo (see +# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r2.ebuild?id=4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7). EAPI=7 -# Flatcar: Use cros setup -CROS_WORKON_PROJECT="flatcar-linux/systemd" -CROS_WORKON_REPO="git://github.com" - if [[ ${PV} == 9999 ]]; then - # Flatcar: Use cros setup - # Use ~arch instead of empty keywords for compatibility with cros-workon - KEYWORDS="~amd64 ~arm64 ~arm ~x86" + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 else - # Flatcar: Use cros setup - CROS_WORKON_COMMIT="5b1ed0e98a8a8225dc3f662483287a380643ab96" # v246-flatcar - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" + if [[ ${PV} == *.* ]]; then + MY_PN=systemd-stable + else + MY_PN=systemd + fi + MY_PV=${PV/_/-} + MY_P=${MY_PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 sparc x86" fi # Flatcar: We still have python 3.5, and have no python3.8 yet. PYTHON_COMPAT=( python3_{5,6,7} ) -# Flatcar: cros-workon must be imported first, in cases where -# cros-workon and another eclass exports the same function (say -# src_compile) we want the later eclass's version to win. Only need -# src_unpack from workon. 
-inherit cros-workon - inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user DESCRIPTION="System and service manager for Linux" @@ -40,7 +36,7 @@ SLOT="0/2" # Flatcar: Dropped cgroup-hybrid. We use legacy hierarchy by default # to keep docker working. Dropped static-libs, we don't care about # static libraries. -IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" +IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb +zstd" REQUIRED_USE=" homed? ( cryptsetup ) @@ -84,7 +80,9 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] repart? ( ${OPENSSL_DEP} ) seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) selinux? ( sys-libs/libselinux:0= ) - xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" RDEPEND="${COMMON_DEPEND} sysv-utils? ( !sys-apps/sysvinit ) 
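Review bot: The release tarball is now fetched from GitHub's on-the-fly archive endpoint (`SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"`) instead of the pinned Flatcar fork commit; the Manifest entry pins size, BLAKE2B and SHA512, so a regenerated or tampered archive fails the fetch rather than being accepted, but nothing on the page records how those hashes were obtained and there is no check against the signed upstream release tag. Recording in the `# Flatcar:` header how the Manifest hashes were verified (for example against the Gentoo Manifest for the same distfile) makes the provenance of the pin reviewable. For the 9999 branch `EGIT_REPO_URI` tracks upstream with no `EGIT_COMMIT`, which is normal for a live ebuild but means the Flatcar patches in src_prepare can stop applying at any time.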
@@ -173,12 +171,31 @@ pkg_setup() { src_unpack() { default - # Flatcar: Use cros setup. - cros-workon_src_unpack + [[ ${PV} != 9999 ]] || git-r3_src_unpack } src_prepare() { - # Flatcar: We don't have separate patches, so no patching code here. + # Do NOT add patches here + local PATCHES=() + + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + # Add local patches here + PATCHES+=( + # Flatcar: Adding our own patches here. + "${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch" + "${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch" + "${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch" + "${FILESDIR}/0004-wait-online-set-any-by-default.patch" + "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch" + ) + + # Flatcar: We carry our own patches, we don't use the ones + # from Gentoo. Thus we dropped the `if ! use vanilla` code + # here. # # Flatcar: Use the resolv.conf managed by systemd-resolved. # This shouldn't be necessary anymore. Added because of a bug @@ -267,6 +284,7 @@ multilib_src_configure() { -Dkmod=$(meson_multilib_native_use kmod) -Dlz4=$(meson_use lz4) -Dxz=$(meson_use lzma) + -Dzstd=$(meson_use zstd) -Dlibiptc=$(meson_multilib_native_use nat) -Dpam=$(meson_use pam) -Dp11kit=$(meson_multilib_native_use pkcs11)
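Review bot: The `vanilla` USE flag stays in IUSE (the `@@ -40,7` hunk) while the `if ! use vanilla` block it used to gate is dropped from src_prepare and the Flatcar patches are applied unconditionally; if `vanilla` is not consulted elsewhere in the ebuild it is now a dead flag that still advertises a choice, so either drop it from IUSE or extend the `# Flatcar: We carry our own patches` comment with `The vanilla flag is intentionally a no-op here.` The patch Subjects are numbered `1/3..3/3` and `1/5..5/5` while the files are 0001–0008; regenerating the series with one `git format-patch` run avoids that mismatch the next time the set is refreshed. src_prepare continues past the end of the hunk.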