From c4f0e7e4371b9c025d47770340a7a44163797e2e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 26 Oct 2020 14:17:18 +0100 Subject: [PATCH 1/5] sys-apps/systemd: Sync with Gentoo This brings in a dependency on app-arch/zstd, which will be pulled into portage-stable. --- .../sys-apps/systemd/systemd-9999.ebuild | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index b3149162dc..f725612faf 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild @@ -1,9 +1,9 @@ # Copyright 2011-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# Flatcar: Based on systemd-246-r1.ebuild from commit -# 431a568d06963207495c099b5a64f85442017507 in gentoo repo (see -# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r1.ebuild?id=431a568d06963207495c099b5a64f85442017507). +# Flatcar: Based on systemd-246-r2.ebuild from commit +# 4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7 in gentoo repo (see +# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r2.ebuild?id=4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7). EAPI=7 
@@ -40,7 +40,7 @@ SLOT="0/2" # Flatcar: Dropped cgroup-hybrid. We use legacy hierarchy by default # to keep docker working. Dropped static-libs, we don't care about # static libraries. -IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" +IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb +zstd" REQUIRED_USE=" homed? ( cryptsetup ) @@ -84,7 +84,9 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] repart? ( ${OPENSSL_DEP} ) seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) selinux? ( sys-libs/libselinux:0= ) - xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" RDEPEND="${COMMON_DEPEND} sysv-utils? ( !sys-apps/sysvinit ) @@ -267,6 +269,7 @@ multilib_src_configure() { -Dkmod=$(meson_multilib_native_use kmod) -Dlz4=$(meson_use lz4) -Dxz=$(meson_use lzma) + -Dzstd=$(meson_use zstd) -Dlibiptc=$(meson_multilib_native_use nat) -Dpam=$(meson_use pam) -Dp11kit=$(meson_multilib_native_use pkcs11) From 37c8517551de7ade312aa3abae7912003f2e0f8f Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 26 Oct 2020 14:29:41 +0100 Subject: [PATCH 2/5] sys-apps/systemd: Move away from cros-workon Our current cros-workon setup was awkward to use when a new patch release happened on upstream. In this case we would go to our `v-flatcar` branch and merge/cherry-pick the commits from upstream that appeared between the release we have been using so far and the new release. In such case, our non-upstreamed patches were hidden somewhere in history. To fix that, I proposed having a branch for each patch release, so the branch would always be based on an upstream tag and have our patches on top of that. An alternative proposition was to just use the Gentoo workflow for patches, and this is what we are doing here. This also slightly minimizes the difference between the Gentoo recipe and ours. --- ...ult.conf-remove-.all-source-route-se.patch | 57 ++++++++++++++++++ ...ult-better-comments-re-activate-prom.patch | 58 +++++++++++++++++++ ...ult.conf-re-activate-default-accept_.patch | 32 ++++++++++ .../sys-apps/systemd/systemd-9999.ebuild | 48 +++++++++------ 4 files changed, 176 insertions(+), 19 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch new file mode 100644 index 0000000000..82feee1111 --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch 
@@ -0,0 +1,57 @@ +From 25b772a9ec9b4f36e9cd97948c6bafb7765d5113 Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 11:16:01 +0200 +Subject: [PATCH 1/3] sysctl.d/50-default.conf: remove *, .all source route + settings + +The rules were added in systemd-245 and break cluster +networking, e.g. cilium. Please see +https://github.com/flatcar-linux/Flatcar/issues/181 +for details. + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 14378b24af..82cc49587b 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -23,18 +23,27 @@ kernel.core_uses_pid = 1 + + # Source route verification + net.ipv4.conf.default.rp_filter = 2 +-net.ipv4.conf.*.rp_filter = 2 +--net.ipv4.conf.all.rp_filter ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.rp_filter = 2 ++#-net.ipv4.conf.all.rp_filter + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-net.ipv4.conf.*.accept_source_route = 0 +--net.ipv4.conf.all.accept_source_route ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.accept_source_route = 0 ++#-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-net.ipv4.conf.*.promote_secondaries = 1 +--net.ipv4.conf.all.promote_secondaries ++# the below deviates from upstream systemd-245 (and later) since the default ++# rule causes a regression with cluster networking (e.g. 
cilium; see ++# https://github.com/flatcar-linux/Flatcar/issues/181) ++#net.ipv4.conf.*.promote_secondaries = 1 ++#-net.ipv4.conf.all.promote_secondaries + + # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW + # The upper limit is set to 2^31-1. Values greater than that get rejected by +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch new file mode 100644 index 0000000000..6bd574055d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch 
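Review bot: Commenting out `net.ipv4.conf.*.rp_filter = 2` and `-net.ipv4.conf.all.rp_filter` (the first changed run of this hunk) leaves reverse-path filtering disabled on every interface that already exists when systemd-sysctl runs, because `net.ipv4.conf.default.rp_filter` only seeds interfaces created afterwards and the kernel uses the larger of the `all` and per-interface values, both of which stay at their defaults here. Patches 0002 and 0003 later in this series re-enable the promote_secondaries and accept_source_route wildcards, so the rp_filter wildcard ends up as the only anti-spoofing default the series drops, and none of the three comment blocks say so. Suggest the surviving comment (in its 0002 wording) add one line such as `# Interfaces present before systemd-sysctl runs keep the kernel default rp_filter; set it per interface where loose mode is wanted`. The issue link already given is enough for the motivation; the missing piece is the consequence.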
@@ -0,0 +1,58 @@ +From 1e608a8f47e0472e910c08d06014d1ef9ddd0cfc Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 11:47:53 +0200 +Subject: [PATCH 2/3] sysctl.d/50-default: better comments, re-activate + promote_secondaries + +This change updates comments as well as re-activates the +promote_secondaries wildcard since networkd's DHCP relies on this +(see https://github.com/systemd/systemd/issues/7163) + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 82cc49587b..8457fb38aa 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -23,27 +23,24 @@ kernel.core_uses_pid = 1 + + # Source route verification + net.ipv4.conf.default.rp_filter = 2 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) ++# We deviate from upstream systemd-245 (and later) since the new default ++# rp_filter wildcard rule causes a regression with cluster networking ++# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) + #net.ipv4.conf.*.rp_filter = 2 + #-net.ipv4.conf.all.rp_filter + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) ++# We deviate from upstream systemd-245 (and later) since the new default ++# source route wildcard rule causes a regression with cluster networking ++# (e.g. 
cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) + #net.ipv4.conf.*.accept_source_route = 0 + #-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-# the below deviates from upstream systemd-245 (and later) since the default +-# rule causes a regression with cluster networking (e.g. cilium; see +-# https://github.com/flatcar-linux/Flatcar/issues/181) +-#net.ipv4.conf.*.promote_secondaries = 1 +-#-net.ipv4.conf.all.promote_secondaries ++net.ipv4.conf.*.promote_secondaries = 1 ++-net.ipv4.conf.all.promote_secondaries + + # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW + # The upper limit is set to 2^31-1. Values greater than that get rejected by +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch new file mode 100644 index 0000000000..4a87ad1f01 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch 
@@ -0,0 +1,32 @@ +From 5b1ed0e98a8a8225dc3f662483287a380643ab96 Mon Sep 17 00:00:00 2001 +From: Thilo Fromm +Date: Thu, 10 Sep 2020 13:39:14 +0200 +Subject: [PATCH 3/3] sysctl.d/50-default.conf: re-activate default + accept_source_route + +Signed-off-by: Thilo Fromm +--- + sysctl.d/50-default.conf | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 8457fb38aa..b7dd7c7ef3 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -31,11 +31,8 @@ net.ipv4.conf.default.rp_filter = 2 + + # Do not accept source routing + net.ipv4.conf.default.accept_source_route = 0 +-# We deviate from upstream systemd-245 (and later) since the new default +-# source route wildcard rule causes a regression with cluster networking +-# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181) +-#net.ipv4.conf.*.accept_source_route = 0 +-#-net.ipv4.conf.all.accept_source_route ++net.ipv4.conf.*.accept_source_route = 0 ++-net.ipv4.conf.all.accept_source_route + + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.default.promote_secondaries = 1 +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index f725612faf..9589b9e66b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild 
@@ -7,29 +7,25 @@ EAPI=7 -# Flatcar: Use cros setup -CROS_WORKON_PROJECT="flatcar-linux/systemd" -CROS_WORKON_REPO="git://github.com" - if [[ ${PV} == 9999 ]]; then - # Flatcar: Use cros setup - # Use ~arch instead of empty keywords for compatibility with cros-workon - KEYWORDS="~amd64 ~arm64 ~arm ~x86" + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 else - # Flatcar: Use cros setup - CROS_WORKON_COMMIT="5b1ed0e98a8a8225dc3f662483287a380643ab96" # v246-flatcar - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" + if [[ ${PV} == *.* ]]; then + MY_PN=systemd-stable + else + MY_PN=systemd + fi + MY_PV=${PV/_/-} + MY_P=${MY_PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 sparc x86" fi # Flatcar: We still have python 3.5, and have no python3.8 yet. PYTHON_COMPAT=( python3_{5,6,7} ) -# Flatcar: cros-workon must be imported first, in cases where -# cros-workon and another eclass exports the same function (say -# src_compile) we want the later eclass's version to win. Only need -# src_unpack from workon. -inherit cros-workon - inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user DESCRIPTION="System and service manager for Linux" 
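Review bot: The `PV == 9999` branch now sets no KEYWORDS at all, whereas the removed lines set `KEYWORDS="~amd64 ~arm64 ~arm ~x86"` together with a comment saying ~arch was needed for cros-workon compatibility. Empty keywords are the Gentoo convention for live ebuilds, but they also mean the 9999 ebuild is masked unless the SDK's accept_keywords configuration allows `**` for this package; that configuration is not visible here and is worth confirming before anything depends on the live ebuild. The release branch fetches GitHub's on-the-fly `archive/` tarball of `systemd-stable`, which is not a release asset and is regenerated per request, so the Manifest digest added in patch 5/5 of this series is the only integrity check on that download and will need regenerating if GitHub's archive output ever changes. A short `# Flatcar: archive/ tarballs are generated on demand, not release assets; regenerate Manifest on digest mismatch` next to `SRC_URI` would save the next person a hash-mismatch investigation.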
@@ -175,12 +171,26 @@ pkg_setup() { src_unpack() { default - # Flatcar: Use cros setup. - cros-workon_src_unpack + [[ ${PV} != 9999 ]] || git-r3_src_unpack } src_prepare() { - # Flatcar: We don't have separate patches, so no patching code here. + # Do NOT add patches here + local PATCHES=() + + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + # Add local patches here + PATCHES+=( + # Flatcar: Adding our own patches here. + "${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch" + "${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch" + "${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch" + ) + + # Flatcar: We carry our own patches, we don't use the ones + # from Gentoo. Thus we dropped the `if ! use vanilla` code + # here. # # Flatcar: Use the resolv.conf managed by systemd-resolved. # This shouldn't be necessary anymore. Added because of a bug From cfd6c15d51be3a1114f67dd30545d737e290c1bd Mon Sep 17 00:00:00 2001 
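Review bot: The new `src_prepare` comment says the `if ! use vanilla` code was dropped, but `vanilla` is still listed in IUSE (see the IUSE line changed in patch 1/5 of this series), so the flag is advertised and accepted while having no effect on which patches are applied, at least within the hunks visible here. Either remove `vanilla` from IUSE or annotate it, e.g. `# Flatcar: vanilla is a no-op here, our own patches are always applied`. The kept `[[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )` line comes from Gentoo, where a patches tarball is unpacked under USE=-vanilla; nothing in this ebuild appears to unpack such a directory any more, so it looks like dead code unless something outside this hunk populates it. The body of `src_prepare` continues past the end of the hunk.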
From: Krzesimir Nowak Date: Mon, 26 Oct 2020 14:39:06 +0100 Subject: [PATCH 3/5] sys-apps/systemd: Bring the rest of missing patches We have these patches in v245 too. I have missed them when doing the update to v246, because apparently I have assumed that our flatcar branches are more or less some upstream branch/tag + our patches on top. That assumption was wrong and it surfaced when I rebased the v245-flatcar branch to the v245.8 tag. --- .../0004-wait-online-set-any-by-default.patch | 32 ++++++++++ ...fault-to-kernel-IPForwarding-setting.patch | 25 ++++++++ ...ate-don-t-require-strictly-newer-usr.patch | 58 ++++++++++++++++++ ...007-core-use-max-for-DefaultTasksMax.patch | 60 +++++++++++++++++++ ...d-Disable-SELinux-permissions-checks.patch | 29 +++++++++ .../sys-apps/systemd/systemd-9999.ebuild | 5 ++ 6 files changed, 209 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch new file mode 100644 index 0000000000..23670cd96f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch 
@@ -0,0 +1,32 @@ +From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Tue, 16 Apr 2019 02:44:51 +0000 +Subject: [PATCH 1/5] wait-online: set --any by default + +The systemd-networkd-wait-online command would normally continue +waiting after a network interface is usable if other interfaces are +still configuring. There is a new flag --any to change this. + +Preserve previous Container Linux behavior for compatibility by +setting the --any flag by default. See patches from v241 (or +earlier) for the original implementation. +--- + src/network/wait-online/wait-online.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c +index cfd9093f1a..3c67e3a379 100644 +--- a/src/network/wait-online/wait-online.c ++++ b/src/network/wait-online/wait-online.c +@@ -19,7 +19,7 @@ static usec_t arg_timeout = 120 * USEC_PER_SEC; + static Hashmap *arg_interfaces = NULL; + static char **arg_ignore = NULL; + static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; +-static bool arg_any = false; ++static bool arg_any = true; + + STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); + STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch new file mode 100644 index 0000000000..c9eece6f56 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch 
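Review bot: With `arg_any` now initialised to `true`, the `--any` option becomes a no-op and, if the option parser only ever sets the flag to true (the parser is outside this patch), there is no command-line way to restore upstream's wait-for-all-interfaces behaviour for units that want it. The patch description explains the compatibility motivation but not this loss; a one-line mention there, or an opposite switch, would close the gap. Because systemd-networkd-wait-online.service gates network-online.target, the weaker default also lets dependent units start while other interfaces are still configuring, which is worth stating for anyone auditing startup ordering.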
@@ -0,0 +1,25 @@ +From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001 +From: Nick Owens +Date: Tue, 2 Jun 2015 18:22:32 -0700 +Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting + +--- + src/network/networkd-network.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 97f5551ee5..d12072665a 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi + + .ipv4_accept_local = -1, + ++ .ip_forward = _ADDRESS_FAMILY_INVALID, ++ + .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO, + .ipv6_accept_ra = -1, + .ipv6_dad_transmits = -1, +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch new file mode 100644 index 0000000000..2c10a67d58 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch 
@@ -0,0 +1,58 @@ +From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001 +From: Alex Crawford +Date: Wed, 2 Mar 2016 10:46:33 -0800 +Subject: [PATCH 3/5] needs-update: don't require strictly newer usr + +Updates should be triggered whenever usr changes, not only when it is newer. +--- + man/systemd-update-done.service.xml | 2 +- + src/shared/condition.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml +index 91196dff30..14cffbd042 100644 +--- a/man/systemd-update-done.service.xml ++++ b/man/systemd-update-done.service.xml +@@ -50,7 +50,7 @@ + ConditionNeedsUpdate= (see + systemd.unit5) + condition to make sure to run when /etc or +- /var are older than /usr ++ /var aren't the same age as /usr + according to the modification times of the files described above. + This requires that updates to /usr are always + followed by an update of the modification time of +diff --git a/src/shared/condition.c b/src/shared/condition.c +index bf3b5fa162..749f134328 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * First, compare seconds as they are always accurate... + */ + if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) +- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; ++ return true; + + /* + * ...then compare nanoseconds. +@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * (otherwise the filesystem supports nsec timestamps, see stat(2)). 
+ */ + if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) +- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; ++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; + + _cleanup_free_ char *timestamp_str = NULL; + r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); +@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + return true; + } + +- return timespec_load_nsec(&usr.st_mtim) > timestamp; ++ return timespec_load_nsec(&usr.st_mtim) != timestamp; + } + + static int condition_test_first_boot(Condition *c, char **env) { +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch new file mode 100644 index 0000000000..1f2aae96f8 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch 
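Review bot: The context line `r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str);` in the condition.c part of this patch reads as an HTML-entity mangling of `&timestamp_str` (`&times;`), which is probably an artifact of how this page was rendered rather than of the committed file; if the stored patch really contains `×tamp_str`, `git apply` will reject it on a context mismatch, so the file as committed is worth checking. The logic change itself is consistent: all three comparisons switch from "usr newer" to "usr differs", so a rolled-back /usr also triggers the condition, which matches the description. A one-line addition to the patch description saying that a downgrade of /usr now also fires `ConditionNeedsUpdate=` would make that behaviour change explicit.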
@@ -0,0 +1,60 @@ +From 7bbbac4b335e4dbb2afa5029f9e1f7dcee493d32 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Mon, 25 Jul 2016 15:46:40 -0700 +Subject: [PATCH 4/5] core: use max for DefaultTasksMax + +Since systemd v228, systemd has a DefaultTasksMax which defaulted +to 512, later 15% of the system's maximum number of PIDs. This +limit is low and a change in behavior that people running services +in containers will hit frequently, so revert to previous behavior. +--- + man/systemd-system.conf.xml | 3 +-- + src/basic/cgroup-util.h | 4 ++++ + src/core/system.conf.in | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index c64e57c277..e03e67b2f5 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -361,8 +361,7 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller +- in OS containers. ++ of slice units. Defaults to 100%. 
+ + + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index 2b88571bc1..598bfc1a45 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) { + (x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX); + } + ++/* Default resource limits */ ++#define DEFAULT_TASKS_MAX_PERCENTAGE 100U /* 100% of PIDs */ ++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */ ++ + typedef enum CGroupUnified { + CGROUP_UNIFIED_UNKNOWN = -1, + CGROUP_UNIFIED_NONE = 0, /* Both systemd and controllers on legacy */ +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 40bb548887..c6cddf4f79 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -52,7 +52,7 @@ + #DefaultBlockIOAccounting=no + #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=100% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch new file mode 100644 index 0000000000..e4891b4f70 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch 
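Review bot: Raising `DefaultTasksMax` to 100% removes the only default per-unit bound on process count, so a single misbehaving service can consume the whole pid space; neither the shortened man text (`Defaults to 100%.`) nor the patch description says this, and it should, so operators know to set `TasksMax=` on exposed units. Suggest extending the man sentence to `Defaults to 100%, i.e. no per-unit limit below the system's maximum number of PIDs; set TasksMax= per unit where containment is wanted.`. The new `DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U` macro in cgroup-util.h is not referenced by any other hunk of this patch; whether something elsewhere in the tree consumes it cannot be seen from here, so confirm it is not dead.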
@@ -0,0 +1,29 @@ +From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 20 Dec 2016 16:43:22 +0000 +Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks + +We don't care about the interaction between systemd and SELinux policy, so +let's just disable these checks rather than having to incorporate policy +support. This has no impact on our SELinux use-case, which is purely intended +to limit containers and not anything running directly on the host. +--- + src/core/selinux-access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c +index 1d52b5ff04..1653d241f6 100644 +--- a/src/core/selinux-access.c ++++ b/src/core/selinux-access.c +@@ -2,7 +2,7 @@ + + #include "selinux-access.h" + +-#if HAVE_SELINUX ++#if 0 + + #include + #include +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index 9589b9e66b..a7ad60dc8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild @@ -186,6 +186,11 @@ src_prepare() { "${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch" "${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch" "${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch" + "${FILESDIR}/0004-wait-online-set-any-by-default.patch" + "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch" ) # Flatcar: We carry our own patches, we don't use the ones 
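Review bot: Replacing `#if HAVE_SELINUX` with `#if 0` in selinux-access.c compiles out systemd's own SELinux access checks unconditionally, yet the ebuild still exposes a `selinux` USE flag (see the IUSE line in patch 1/5), so a build with USE=selinux presumably still enables SELinux support elsewhere while silently skipping these checks. That mismatch is explained only in this patch's description; it should also be stated where the patch is listed in `src_prepare`, e.g. `# Flatcar: 0008 disables systemd's own SELinux access checks even with USE=selinux; policy is used only to confine containers`. It would also help to say there that only selinux-access.c is changed, so other SELinux-dependent paths such as file labelling are unaffected, since a reader of the ebuild cannot tell that from the patch name.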
From e9b2cee708ed9fa12d30e24928b9bcea391ee65f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 26 Oct 2020 14:43:21 +0100 Subject: [PATCH 4/5] sys-apps/systemd: Rename the ebuild to pick the patch release With this change `PV` variable will become 246.6, thus it will try to download the archive from the systemd-stable repo. --- .../sys-apps/systemd/{systemd-246.ebuild => systemd-246.6.ebuild} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-246.ebuild => systemd-246.6.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild From 1d7053e8a1760b381095d92bdbcf989111172f9f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 26 Oct 2020 15:03:46 +0100 Subject: [PATCH 5/5] sys-apps/systemd: Add Manifest Otherwise the build fails at the verification stage. --- .../src/third_party/coreos-overlay/sys-apps/systemd/Manifest | 1 + 1 file changed, 1 insertion(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest new file mode 100644 index 0000000000..755d27a01c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest 
@@ -0,0 +1 @@ +DIST systemd-stable-246.6.tar.gz 9545237 BLAKE2B 5290736b30ca1a3188335a74d49b4f3e8b48007d9563efac1985ea6428a8b8fd6cad7ae87c35e13a32f851ebd27821829738274d35cfbff9340750bd3b086621 SHA512 1936b291d9831cf61f800fe718a4c2c2fe9b2a11fd817fe32bd48da2087a675dfc91013209a3478ea52e8ada593300ed906e248b8081dcf9141bf1cc17483ea9