From cfd6c15d51be3a1114f67dd30545d737e290c1bd Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 26 Oct 2020 14:39:06 +0100 Subject: [PATCH] sys-apps/systemd: Bring the rest of missing patches We have these patches in v245 too. I have missed them when doing the update to v246, because apparently I have assumed that our flatcar branches are more or less some upstream branch/tag + our patches on top. That assumption was wrong and it surfaced when I rebased the v245-flatcar branch to the v245.8 tag. --- .../0004-wait-online-set-any-by-default.patch | 32 ++++++++++ ...fault-to-kernel-IPForwarding-setting.patch | 25 ++++++++ ...ate-don-t-require-strictly-newer-usr.patch | 58 ++++++++++++++++++ ...007-core-use-max-for-DefaultTasksMax.patch | 60 +++++++++++++++++++ ...d-Disable-SELinux-permissions-checks.patch | 29 +++++++++ .../sys-apps/systemd/systemd-9999.ebuild | 5 ++ 6 files changed, 209 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch new file mode 100644 index 0000000000..23670cd96f --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch
@@ -0,0 +1,32 @@
+From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001
+From: David Michael
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/5] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring. There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default. See patches from v241 (or
+earlier) for the original implementation.
+---
+ src/network/wait-online/wait-online.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index cfd9093f1a..3c67e3a379 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -19,7 +19,7 @@ static usec_t arg_timeout = 120 * USEC_PER_SEC;
+ static Hashmap *arg_interfaces = NULL;
+ static char **arg_ignore = NULL;
+ static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+-static bool arg_any = false;
++static bool arg_any = true;
+ 
+ STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
new file mode 100644
index 0000000000..c9eece6f56
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
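Review bot: The flipped initializer `static bool arg_any = true;` leaves no way back to the upstream wait-for-all behaviour if, as in upstream wait-online.c, the `--any` option can only set the flag to true — the option parser and the help() text that still presents --any as opt-in are outside this hunk and should be checked and updated together with the default. The effect is that network-online.target becomes reachable as soon as one link is routable, so units ordered after it (firewalling, agent enrolment, anything binding a specific address) may start before the interface they need is configured; the patch description should state that trade-off explicitly. The same result is obtainable without a source patch to re-carry on every rebase, via a drop-in for systemd-networkd-wait-online.service such as `ExecStart=` followed by `ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any`, which also keeps the choice visible to administrators.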
@@ -0,0 +1,25 @@
+From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001
+From: Nick Owens
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
+
+---
+ src/network/networkd-network.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index 97f5551ee5..d12072665a 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+ 
+ .ipv4_accept_local = -1,
+ 
++ .ip_forward = _ADDRESS_FAMILY_INVALID,
++
+ .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+ .ipv6_accept_ra = -1,
+ .ipv6_dad_transmits = -1,
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
new file mode 100644
index 0000000000..2c10a67d58
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
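Review bot: The added `.ip_forward = _ADDRESS_FAMILY_INVALID,` overrides the zero-initialized default (which is `ADDRESS_FAMILY_NO`) with a patch whose description body is empty and whose rationale dates from 2015, while the code that turns this field into sysctl writes has been reworked since; the patch should state whether INVALID still means "leave the kernel's forwarding sysctls alone" in v246 or whether the hunk is now a no-op, because that decides whether networkd enforces forwarding=0 on a host that routes for containers — the relevant link code is not in this hunk, so verify there. The diffstat shows only networkd-network.c, so the IPForward= text in systemd.network(5) is left describing the upstream default; it should be adjusted or the divergence noted. A one-line comment on the new initializer, `/* Flatcar: do not manage forwarding, defer to kernel/sysctl defaults */`, would keep the intent visible through future rebases.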
@@ -0,0 +1,58 @@
+From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001
+From: Alex Crawford
+Date: Wed, 2 Mar 2016 10:46:33 -0800
+Subject: [PATCH 3/5] needs-update: don't require strictly newer usr
+
+Updates should be triggered whenever usr changes, not only when it is newer.
+---
+ man/systemd-update-done.service.xml | 2 +-
+ src/shared/condition.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
+index 91196dff30..14cffbd042 100644
+--- a/man/systemd-update-done.service.xml
++++ b/man/systemd-update-done.service.xml
+@@ -50,7 +50,7 @@
+ ConditionNeedsUpdate= (see
+ systemd.unit5)
+ condition to make sure to run when /etc or
+- /var are older than /usr
++ /var aren't the same age as /usr
+ according to the modification times of the files described above.
+ This requires that updates to /usr are always
+ followed by an update of the modification time of
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index bf3b5fa162..749f134328 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ * First, compare seconds as they are always accurate...
+ */
+ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
+- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
++ return true;
+ 
+ /*
+ * ...then compare nanoseconds.
+@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ * (otherwise the filesystem supports nsec timestamps, see stat(2)).
+ */
+ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
+- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
+ 
+ _cleanup_free_ char *timestamp_str = NULL;
+ r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str);
+@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+ return true;
+ }
+ 
+- return timespec_load_nsec(&usr.st_mtim) > timestamp;
++ return timespec_load_nsec(&usr.st_mtim) != timestamp;
+ }
+ 
+ static int condition_test_first_boot(Condition *c, char **env) {
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch
new file mode 100644
index 0000000000..1f2aae96f8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch
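Review bot: The three `>` to `!=` changes make ConditionNeedsUpdate= fire when /usr is older than the stamp as well as newer, which is what an A/B rollback needs so that sysusers, tmpfiles, hwdb and the other gated units re-apply state for the image actually booted, but the explanatory comment between the two condition.c hunks is not touched and upstream's wording there reasons about /usr being strictly newer and about false positives in one direction only — it would now be misleading and should be reworded (the lines sit between the @@ -592 and @@ -603 hunks, so confirm against the v246 file). The description line `Updates should be triggered whenever usr changes, not only when it is newer.` would be a good place to name rollback as the motivating case. In the man page, `aren't the same age as` reads oddly for a timestamp comparison; `differ in modification time from` says the same thing in the document's register. condition_test_needs_update() starts before the first hunk.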
@@ -0,0 +1,60 @@
+From 7bbbac4b335e4dbb2afa5029f9e1f7dcee493d32 Mon Sep 17 00:00:00 2001
+From: David Michael
+Date: Mon, 25 Jul 2016 15:46:40 -0700
+Subject: [PATCH 4/5] core: use max for DefaultTasksMax
+
+Since systemd v228, systemd has a DefaultTasksMax which defaulted
+to 512, later 15% of the system's maximum number of PIDs. This
+limit is low and a change in behavior that people running services
+in containers will hit frequently, so revert to previous behavior.
+---
+ man/systemd-system.conf.xml | 3 +--
+ src/basic/cgroup-util.h | 4 ++++
+ src/core/system.conf.in | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index c64e57c277..e03e67b2f5 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -361,8 +361,7 @@
+ Configure the default value for the per-unit TasksMax= setting. See
+ systemd.resource-control5
+ for details. This setting applies to all unit types that support resource control settings, with the exception
+- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
+- in OS containers.
++ of slice units. Defaults to 100%.
+ 
+ 
+ 
+diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
+index 2b88571bc1..598bfc1a45 100644
+--- a/src/basic/cgroup-util.h
++++ b/src/basic/cgroup-util.h
+@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
+ (x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX);
+ }
+ 
++/* Default resource limits */
++#define DEFAULT_TASKS_MAX_PERCENTAGE 100U /* 100% of PIDs */
++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */
++
+ typedef enum CGroupUnified {
+ CGROUP_UNIFIED_UNKNOWN = -1,
+ CGROUP_UNIFIED_NONE = 0, /* Both systemd and controllers on legacy */
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 40bb548887..c6cddf4f79 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -52,7 +52,7 @@
+ #DefaultBlockIOAccounting=no
+ #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
+ #DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=100%
+ #DefaultLimitCPU=
+ #DefaultLimitFSIZE=
+ #DefaultLimitDATA=
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch
new file mode 100644
index 0000000000..e4891b4f70
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch
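Review bot: `#define DEFAULT_TASKS_MAX_PERCENTAGE 100U` together with `#DefaultTasksMax=100%` removes the per-unit PID ceiling that upstream's 15% provides as fork-bomb and PID-exhaustion containment: a single runaway or compromised service may then consume the whole pid space and keep sshd, journald or systemd itself from spawning. The stated motivation is container workloads, so the narrower fix is a drop-in on the units that actually need it (for example `TasksMax=infinity` under docker.service or containerd.service, which upstream Docker already ships) while leaving the global default in place. If the global change is kept, the new macro's comment should record the reason rather than just the value, e.g. `/* Flatcar: 100% — per-unit PID containment intentionally disabled for container hosts */`, and the man page sentence `Defaults to 100%.` should warn that the default no longer bounds any unit. The user default stays at 33%, so user slices end up more constrained than system services; the description should say whether that asymmetry is intended.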
@@ -0,0 +1,29 @@
+From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+ src/core/selinux-access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index 1d52b5ff04..1653d241f6 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+ 
+ #include "selinux-access.h"
+ 
+-#if HAVE_SELINUX
++#if 0
+ 
+ #include
+ #include
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
index 9589b9e66b..a7ad60dc8c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
@@ -186,6 +186,11 @@ src_prepare() {
 "${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch"
 "${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch"
 "${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch"
+ "${FILESDIR}/0004-wait-online-set-any-by-default.patch"
+ "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
+ "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
+ "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch"
+ "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch"
 )
 
 # Flatcar: We carry our own patches, we don't use the ones
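Review bot: `#if 0` unconditionally compiles the non-SELinux branch of selinux-access.c even when HAVE_SELINUX is set, so the manager's D-Bus access checks presumably fall back to the stubs that grant access, and an administrator who later loads a policy expecting systemd to gate unit operations gets no enforcement, no log line and no build-time signal. At minimum the preprocessor line should carry its reason so the next rebase does not treat it as dead code or drop it silently, `#if 0 /* Flatcar: SELinux access checks on the systemd bus API are disabled on purpose, see 0008-systemd-Disable-SELinux-permissions-checks.patch */`, and the Flatcar security documentation should state that SELinux confines containers only and does not gate systemctl on the host. A reversible form would be a build option (a meson switch that defines HAVE_SELINUX for labelling but not for access checks) instead of editing the source; whether UID and polkit checks on these bus methods are unaffected is outside this hunk and should be confirmed.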
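Review bot: The new PATCHES entries `"${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch"` and `"${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch"` relax upstream security defaults yet sit in the array next to behaviour-neutral patches with nothing marking them; a comment above them such as `# Flatcar: 0007/0008 intentionally relax upstream defaults (TasksMax, SELinux bus checks) — re-evaluate on every rebase` would make that visible to whoever next does what the commit message describes. The description says these patches were lost during the v246 rebase, so a cheap guard against a repeat is to fail src_prepare when a patch present in FILESDIR is not listed, assuming every patch shipped there is meant to be applied. src_prepare() continues outside the hunk, so the check has to go before the eapply/default call.
```shell
# … unchanged: PATCHES=( … ) …
local p
for p in "${FILESDIR}"/*.patch; do
	[[ " ${PATCHES[*]} " == *" ${p} "* ]] || die "${p##*/} is in FILESDIR but not listed in PATCHES"
done
```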