sys-apps/systemd: Bring the rest of missing patches

We have these patches in v245 too. I have missed them when doing the
update to v246, because apparently I have assumed that our flatcar
branches are more or less some upstream branch/tag + our patches on
top. That assumption was wrong and it surfaced when I rebased the
v245-flatcar branch to the v245.8 tag.

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch

@@ -0,0 +1,32 @@
+From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001
+From: David Michael <dm0@redhat.com>
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/5] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring.  There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default.  See patches from v241 (or
+earlier) for the original implementation.
+---
+ src/network/wait-online/wait-online.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index cfd9093f1a..3c67e3a379 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -19,7 +19,7 @@ static usec_t arg_timeout = 120 * USEC_PER_SEC;
+ static Hashmap *arg_interfaces = NULL;
+ static char **arg_ignore = NULL;
+ static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+-static bool arg_any = false;
++static bool arg_any = true;
+ 
+ STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch

@@ -0,0 +1,25 @@
+From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001
+From: Nick Owens <nick.owens@coreos.com>
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
+
+---
+ src/network/networkd-network.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index 97f5551ee5..d12072665a 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+ 
+                 .ipv4_accept_local = -1,
+ 
++                .ip_forward = _ADDRESS_FAMILY_INVALID,
++
+                 .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+                 .ipv6_accept_ra = -1,
+                 .ipv6_dad_transmits = -1,
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch

@@ -0,0 +1,58 @@
+From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001
+From: Alex Crawford <alex.crawford@coreos.com>
+Date: Wed, 2 Mar 2016 10:46:33 -0800
+Subject: [PATCH 3/5] needs-update: don't require strictly newer usr
+
+Updates should be triggered whenever usr changes, not only when it is newer.
+---
+ man/systemd-update-done.service.xml | 2 +-
+ src/shared/condition.c              | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
+index 91196dff30..14cffbd042 100644
+--- a/man/systemd-update-done.service.xml
++++ b/man/systemd-update-done.service.xml
+@@ -50,7 +50,7 @@
+     <varname>ConditionNeedsUpdate=</varname> (see
+     <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+     condition to make sure to run when <filename>/etc</filename> or
+-    <filename>/var</filename> are older than <filename>/usr</filename>
++    <filename>/var</filename> aren't the same age as <filename>/usr</filename>
+     according to the modification times of the files described above.
+     This requires that updates to <filename>/usr</filename> are always
+     followed by an update of the modification time of
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index bf3b5fa162..749f134328 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+          * First, compare seconds as they are always accurate...
+          */
+         if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
+-                return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
++                return true;
+ 
+         /*
+          * ...then compare nanoseconds.
+@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+          * (otherwise the filesystem supports nsec timestamps, see stat(2)).
+          */
+         if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
+-                return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
++                return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
+ 
+         _cleanup_free_ char *timestamp_str = NULL;
+         r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
+@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+                 return true;
+         }
+ 
+-        return timespec_load_nsec(&usr.st_mtim) > timestamp;
++        return timespec_load_nsec(&usr.st_mtim) != timestamp;
+ }
+ 
+ static int condition_test_first_boot(Condition *c, char **env) {
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch

@@ -0,0 +1,60 @@
+From 7bbbac4b335e4dbb2afa5029f9e1f7dcee493d32 Mon Sep 17 00:00:00 2001
+From: David Michael <david.michael@coreos.com>
+Date: Mon, 25 Jul 2016 15:46:40 -0700
+Subject: [PATCH 4/5] core: use max for DefaultTasksMax
+
+Since systemd v228, systemd has a DefaultTasksMax which defaulted
+to 512, later 15% of the system's maximum number of PIDs.  This
+limit is low and a change in behavior that people running services
+in containers will hit frequently, so revert to previous behavior.
+---
+ man/systemd-system.conf.xml | 3 +--
+ src/basic/cgroup-util.h     | 4 ++++
+ src/core/system.conf.in     | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index c64e57c277..e03e67b2f5 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -361,8 +361,7 @@
+         <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
+         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+         for details. This setting applies to all unit types that support resource control settings, with the exception
+-        of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
+-        in OS containers.</para></listitem>
++        of slice units. Defaults to 100%.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
+index 2b88571bc1..598bfc1a45 100644
+--- a/src/basic/cgroup-util.h
++++ b/src/basic/cgroup-util.h
+@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
+             (x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX);
+ }
+ 
++/* Default resource limits */
++#define DEFAULT_TASKS_MAX_PERCENTAGE            100U /* 100% of PIDs */
++#define DEFAULT_USER_TASKS_MAX_PERCENTAGE       33U /* 33% of PIDs, 10813 on default settings */
++
+ typedef enum CGroupUnified {
+         CGROUP_UNIFIED_UNKNOWN = -1,
+         CGROUP_UNIFIED_NONE = 0,        /* Both systemd and controllers on legacy */
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 40bb548887..c6cddf4f79 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -52,7 +52,7 @@
+ #DefaultBlockIOAccounting=no
+ #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
+ #DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=100%
+ #DefaultLimitCPU=
+ #DefaultLimitFSIZE=
+ #DefaultLimitDATA=
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch

@@ -0,0 +1,29 @@
+From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+ src/core/selinux-access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index 1d52b5ff04..1653d241f6 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+ 
+ #include "selinux-access.h"
+ 
+-#if HAVE_SELINUX
++#if 0
+ 
+ #include <errno.h>
+ #include <selinux/avc.h>
+-- 
+2.26.2
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild

@@ -186,6 +186,11 @@ src_prepare() {
 		"${FILESDIR}/0001-sysctl.d-50-default.conf-remove-.all-source-route-se.patch"
 		"${FILESDIR}/0002-sysctl.d-50-default-better-comments-re-activate-prom.patch"
 		"${FILESDIR}/0003-sysctl.d-50-default.conf-re-activate-default-accept_.patch"
+		"${FILESDIR}/0004-wait-online-set-any-by-default.patch"
+		"${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch"
+		"${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch"
+		"${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch"
+		"${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch"
 	)
 
 	# Flatcar: We carry our own patches, we don't use the ones