Merge pull request #659 from flatcar-linux/krnowak/systemd-gentoo

Update systemd (sync, use gentoo workflow, add missing patches)

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest

@@ -0,0 +1 @@
+DIST systemd-stable-246.6.tar.gz 9545237 BLAKE2B 5290736b30ca1a3188335a74d49b4f3e8b48007d9563efac1985ea6428a8b8fd6cad7ae87c35e13a32f851ebd27821829738274d35cfbff9340750bd3b086621 SHA512 1936b291d9831cf61f800fe718a4c2c2fe9b2a11fd817fe32bd48da2087a675dfc91013209a3478ea52e8ada593300ed906e248b8081dcf9141bf1cc17483ea9

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch

@@ -0,0 +1,57 @@
+From 25b772a9ec9b4f36e9cd97948c6bafb7765d5113 Mon Sep 17 00:00:00 2001
+From: Thilo Fromm <thilo@kinvolk.io>
+Date: Thu, 10 Sep 2020 11:16:01 +0200
+Subject: [PATCH 1/3] sysctl.d/50-default.conf: remove *, .all source route
+ settings
+
+The rules were added in systemd-245 and break cluster
+networking, e.g. cilium. Please see
+https://github.com/flatcar-linux/Flatcar/issues/181
+for details.
+
+Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
+---
+ sysctl.d/50-default.conf | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
+index 14378b24af..82cc49587b 100644
+--- a/sysctl.d/50-default.conf
++++ b/sysctl.d/50-default.conf
+@@ -23,18 +23,27 @@ kernel.core_uses_pid = 1
+ 
+ # Source route verification
+ net.ipv4.conf.default.rp_filter = 2
+-net.ipv4.conf.*.rp_filter = 2
+--net.ipv4.conf.all.rp_filter
++# the below deviates from upstream systemd-245 (and later) since the default
++# rule causes a regression with cluster networking (e.g. cilium; see
++# https://github.com/flatcar-linux/Flatcar/issues/181)
++#net.ipv4.conf.*.rp_filter = 2
++#-net.ipv4.conf.all.rp_filter
+ 
+ # Do not accept source routing
+ net.ipv4.conf.default.accept_source_route = 0
+-net.ipv4.conf.*.accept_source_route = 0
+--net.ipv4.conf.all.accept_source_route
++# the below deviates from upstream systemd-245 (and later) since the default
++# rule causes a regression with cluster networking (e.g. cilium; see
++# https://github.com/flatcar-linux/Flatcar/issues/181)
++#net.ipv4.conf.*.accept_source_route = 0
++#-net.ipv4.conf.all.accept_source_route
+ 
+ # Promote secondary addresses when the primary address is removed
+ net.ipv4.conf.default.promote_secondaries = 1
+-net.ipv4.conf.*.promote_secondaries = 1
+--net.ipv4.conf.all.promote_secondaries
++# the below deviates from upstream systemd-245 (and later) since the default
++# rule causes a regression with cluster networking (e.g. cilium; see
++# https://github.com/flatcar-linux/Flatcar/issues/181)
++#net.ipv4.conf.*.promote_secondaries = 1
++#-net.ipv4.conf.all.promote_secondaries
+ 
+ # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+ # The upper limit is set to 2^31-1. Values greater than that get rejected by
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch

@@ -0,0 +1,58 @@
+From 1e608a8f47e0472e910c08d06014d1ef9ddd0cfc Mon Sep 17 00:00:00 2001
+From: Thilo Fromm <thilo@kinvolk.io>
+Date: Thu, 10 Sep 2020 11:47:53 +0200
+Subject: [PATCH 2/3] sysctl.d/50-default: better comments, re-activate
+ promote_secondaries
+
+This change updates comments as well as re-activates the
+promote_secondaries wildcard since networkd's DHCP relies on this
+(see https://github.com/systemd/systemd/issues/7163)
+
+Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
+---
+ sysctl.d/50-default.conf | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
+index 82cc49587b..8457fb38aa 100644
+--- a/sysctl.d/50-default.conf
++++ b/sysctl.d/50-default.conf
+@@ -23,27 +23,24 @@ kernel.core_uses_pid = 1
+ 
+ # Source route verification
+ net.ipv4.conf.default.rp_filter = 2
+-# the below deviates from upstream systemd-245 (and later) since the default
+-# rule causes a regression with cluster networking (e.g. cilium; see
+-# https://github.com/flatcar-linux/Flatcar/issues/181)
++# We deviate from upstream systemd-245 (and later) since the new default
++# rp_filter wildcard rule causes a regression with cluster networking
++# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
+ #net.ipv4.conf.*.rp_filter = 2
+ #-net.ipv4.conf.all.rp_filter
+ 
+ # Do not accept source routing
+ net.ipv4.conf.default.accept_source_route = 0
+-# the below deviates from upstream systemd-245 (and later) since the default
+-# rule causes a regression with cluster networking (e.g. cilium; see
+-# https://github.com/flatcar-linux/Flatcar/issues/181)
++# We deviate from upstream systemd-245 (and later) since the new default
++# source route wildcard rule causes a regression with cluster networking
++# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
+ #net.ipv4.conf.*.accept_source_route = 0
+ #-net.ipv4.conf.all.accept_source_route
+ 
+ # Promote secondary addresses when the primary address is removed
+ net.ipv4.conf.default.promote_secondaries = 1
+-# the below deviates from upstream systemd-245 (and later) since the default
+-# rule causes a regression with cluster networking (e.g. cilium; see
+-# https://github.com/flatcar-linux/Flatcar/issues/181)
+-#net.ipv4.conf.*.promote_secondaries = 1
+-#-net.ipv4.conf.all.promote_secondaries
++net.ipv4.conf.*.promote_secondaries = 1
++-net.ipv4.conf.all.promote_secondaries
+ 
+ # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+ # The upper limit is set to 2^31-1. Values greater than that get rejected by
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch

@@ -0,0 +1,32 @@
+From 5b1ed0e98a8a8225dc3f662483287a380643ab96 Mon Sep 17 00:00:00 2001
+From: Thilo Fromm <thilo@kinvolk.io>
+Date: Thu, 10 Sep 2020 13:39:14 +0200
+Subject: [PATCH 3/3] sysctl.d/50-default.conf: re-activate default
+ accept_source_route
+
+Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
+---
+ sysctl.d/50-default.conf | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
+index 8457fb38aa..b7dd7c7ef3 100644
+--- a/sysctl.d/50-default.conf
++++ b/sysctl.d/50-default.conf
+@@ -31,11 +31,8 @@ net.ipv4.conf.default.rp_filter = 2
+ 
+ # Do not accept source routing
+ net.ipv4.conf.default.accept_source_route = 0
+-# We deviate from upstream systemd-245 (and later) since the new default
+-# source route wildcard rule causes a regression with cluster networking
+-# (e.g. cilium; see https://github.com/flatcar-linux/Flatcar/issues/181)
+-#net.ipv4.conf.*.accept_source_route = 0
+-#-net.ipv4.conf.all.accept_source_route
++net.ipv4.conf.*.accept_source_route = 0
++-net.ipv4.conf.all.accept_source_route
+ 
+ # Promote secondary addresses when the primary address is removed
+ net.ipv4.conf.default.promote_secondaries = 1
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch

@@ -0,0 +1,32 @@
+From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001
+From: David Michael <dm0@redhat.com>
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/5] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring.  There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default.  See patches from v241 (or
+earlier) for the original implementation.
+---
+ src/network/wait-online/wait-online.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index cfd9093f1a..3c67e3a379 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -19,7 +19,7 @@ static usec_t arg_timeout = 120 * USEC_PER_SEC;
+ static Hashmap *arg_interfaces = NULL;
+ static char **arg_ignore = NULL;
+ static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+-static bool arg_any = false;
++static bool arg_any = true;
+ 
+ STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch

@@ -0,0 +1,25 @@
+From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001
+From: Nick Owens <nick.owens@coreos.com>
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
+
+---
+ src/network/networkd-network.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index 97f5551ee5..d12072665a 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+ 
+                 .ipv4_accept_local = -1,
+ 
++                .ip_forward = _ADDRESS_FAMILY_INVALID,
++
+                 .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+                 .ipv6_accept_ra = -1,
+                 .ipv6_dad_transmits = -1,
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch

@@ -0,0 +1,58 @@
+From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001
+From: Alex Crawford <alex.crawford@coreos.com>
+Date: Wed, 2 Mar 2016 10:46:33 -0800
+Subject: [PATCH 3/5] needs-update: don't require strictly newer usr
+
+Updates should be triggered whenever usr changes, not only when it is newer.
+---
+ man/systemd-update-done.service.xml | 2 +-
+ src/shared/condition.c              | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
+index 91196dff30..14cffbd042 100644
+--- a/man/systemd-update-done.service.xml
++++ b/man/systemd-update-done.service.xml
+@@ -50,7 +50,7 @@
+     <varname>ConditionNeedsUpdate=</varname> (see
+     <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+     condition to make sure to run when <filename>/etc</filename> or
+-    <filename>/var</filename> are older than <filename>/usr</filename>
++    <filename>/var</filename> aren't the same age as <filename>/usr</filename>
+     according to the modification times of the files described above.
+     This requires that updates to <filename>/usr</filename> are always
+     followed by an update of the modification time of
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index bf3b5fa162..749f134328 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+          * First, compare seconds as they are always accurate...
+          */
+         if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
+-                return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
++                return true;
+ 
+         /*
+          * ...then compare nanoseconds.
+@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+          * (otherwise the filesystem supports nsec timestamps, see stat(2)).
+          */
+         if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
+-                return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
++                return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
+ 
+         _cleanup_free_ char *timestamp_str = NULL;
+         r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
+@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+                 return true;
+         }
+ 
+-        return timespec_load_nsec(&usr.st_mtim) > timestamp;
++        return timespec_load_nsec(&usr.st_mtim) != timestamp;
+ }
+ 
+ static int condition_test_first_boot(Condition *c, char **env) {
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch

@@ -0,0 +1,60 @@
+From 7bbbac4b335e4dbb2afa5029f9e1f7dcee493d32 Mon Sep 17 00:00:00 2001
+From: David Michael <david.michael@coreos.com>
+Date: Mon, 25 Jul 2016 15:46:40 -0700
+Subject: [PATCH 4/5] core: use max for DefaultTasksMax
+
+Since systemd v228, systemd has a DefaultTasksMax which defaulted
+to 512, later 15% of the system's maximum number of PIDs.  This
+limit is low and a change in behavior that people running services
+in containers will hit frequently, so revert to previous behavior.
+---
+ man/systemd-system.conf.xml | 3 +--
+ src/basic/cgroup-util.h     | 4 ++++
+ src/core/system.conf.in     | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index c64e57c277..e03e67b2f5 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -361,8 +361,7 @@
+         <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
+         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+         for details. This setting applies to all unit types that support resource control settings, with the exception
+-        of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
+-        in OS containers.</para></listitem>
++        of slice units. Defaults to 100%.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
+index 2b88571bc1..598bfc1a45 100644
+--- a/src/basic/cgroup-util.h
++++ b/src/basic/cgroup-util.h
+@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
+             (x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX);
+ }
+ 
++/* Default resource limits */
++#define DEFAULT_TASKS_MAX_PERCENTAGE            100U /* 100% of PIDs */
++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE       33U /* 33% of PIDs, 10813 on default settings */
++
+ typedef enum CGroupUnified {
+         CGROUP_UNIFIED_UNKNOWN = -1,
+         CGROUP_UNIFIED_NONE = 0,        /* Both systemd and controllers on legacy */
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 40bb548887..c6cddf4f79 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -52,7 +52,7 @@
+ #DefaultBlockIOAccounting=no
+ #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
+ #DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=100%
+ #DefaultLimitCPU=
+ #DefaultLimitFSIZE=
+ #DefaultLimitDATA=
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch

@@ -0,0 +1,29 @@
+From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+ src/core/selinux-access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index 1d52b5ff04..1653d241f6 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+ 
+ #include "selinux-access.h"
+ 
+-#if HAVE_SELINUX
++#if 0
+ 
+ #include <errno.h>
+ #include <selinux/avc.h>
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild

@@ -1,35 +1,31 @@
 # Copyright 2011-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-# Flatcar: Based on systemd-246-r1.ebuild from commit
-# 431a568d06963207495c099b5a64f85442017507 in gentoo repo (see
-# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r1.ebuild?id=431a568d06963207495c099b5a64f85442017507).
+# Flatcar: Based on systemd-246-r2.ebuild from commit
+# 4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7 in gentoo repo (see
+# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/systemd/systemd-246-r2.ebuild?id=4bf7b81548f70cbf7ce5ae377e85fd21ae259ce7).
 
 EAPI=7
 
-# Flatcar: Use cros setup
-CROS_WORKON_PROJECT="flatcar-linux/systemd"
-CROS_WORKON_REPO="git://github.com"
-
 if [[ ${PV} == 9999 ]]; then
-	# Flatcar: Use cros setup
-	# Use ~arch instead of empty keywords for compatibility with cros-workon
-	KEYWORDS="~amd64 ~arm64 ~arm ~x86"
+	EGIT_REPO_URI="https://github.com/systemd/systemd.git"
+	inherit git-r3
 else
-	# Flatcar: Use cros setup
-	CROS_WORKON_COMMIT="5b1ed0e98a8a8225dc3f662483287a380643ab96" # v246-flatcar
-	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+	if [[ ${PV} == *.* ]]; then
+		MY_PN=systemd-stable
+	else
+		MY_PN=systemd
+	fi
+	MY_PV=${PV/_/-}
+	MY_P=${MY_PN}-${MY_PV}
+	S=${WORKDIR}/${MY_P}
+	SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 sparc x86"
 fi
 
 # Flatcar: We still have python 3.5, and have no python3.8 yet.
 PYTHON_COMPAT=( python3_{5,6,7} )
 
-# Flatcar: cros-workon must be imported first, in cases where
-# cros-workon and another eclass exports the same function (say
-# src_compile) we want the later eclass's version to win. Only need
-# src_unpack from workon.
-inherit cros-workon
-
 inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user
 
 DESCRIPTION="System and service manager for Linux"
@@ -40,7 +36,7 @@ SLOT="0/2"
 # Flatcar: Dropped cgroup-hybrid. We use legacy hierarchy by default
 # to keep docker working. Dropped static-libs, we don't care about
 # static libraries.
-IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb +zstd"
 
 REQUIRED_USE="
 	homed? ( cryptsetup )
@@ -84,7 +80,9 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
 	repart? ( ${OPENSSL_DEP} )
 	seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
 	selinux? ( sys-libs/libselinux:0= )
-	xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )"
+	xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )
+	zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] )
+"
 
 RDEPEND="${COMMON_DEPEND}
 	sysv-utils? ( !sys-apps/sysvinit )
@@ -173,12 +171,31 @@ pkg_setup() {
 
 src_unpack() {
 	default
-	# Flatcar: Use cros setup.
-	cros-workon_src_unpack
+	[[ ${PV} != 9999 ]] || git-r3_src_unpack
 }
 
 src_prepare() {
-	# Flatcar: We don't have separate patches, so no patching code here.
+	# Do NOT add patches here
+	local PATCHES=()
+
+	[[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
+
+	# Add local patches here
+	PATCHES+=(
+		# Flatcar: Adding our own patches here.
+		"${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch"
+		"${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch"
+		"${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch"
+		"${FILESDIR}/0004-wait-online-set-any-by-default.patch"
+		"${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
+		"${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
+		"${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch"
+		"${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch"
+	)
+
+	# Flatcar: We carry our own patches, we don't use the ones
+	# from Gentoo. Thus we dropped the `if ! use vanilla` code
+	# here.
 	#
 	# Flatcar: Use the resolv.conf managed by systemd-resolved.
 	# This shouldn't be necessary anymore. Added because of a bug
@@ -267,6 +284,7 @@ multilib_src_configure() {
 		-Dkmod=$(meson_multilib_native_use kmod)
 		-Dlz4=$(meson_use lz4)
 		-Dxz=$(meson_use lzma)
+		-Dzstd=$(meson_use zstd)
 		-Dlibiptc=$(meson_multilib_native_use nat)
 		-Dpam=$(meson_use pam)
 		-Dp11kit=$(meson_multilib_native_use pkcs11)