diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-19-systemd-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-19-systemd-update.md
new file mode 100644
index 0000000000..2fa3997667
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-12-19-systemd-update.md
@@ -0,0 +1 @@
+- systemd ([250.7](https://github.com/systemd/systemd-stable/releases/tag/v250.7))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index fd6075de2a..e32127fa26 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
@@ -20,7 +20,7 @@ sys-libs/ncurses minimal
sys-libs/pam audit
# enable journal gateway, bootctl and container features
-sys-apps/systemd audit gnuefi importd http nat
+sys-apps/systemd audit gnuefi importd http iptables
# epoll is needed for systemd-journal-remote to work. coreos/bugs#919
net-libs/libmicrohttpd epoll
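Review bot: The comment on line 14 still says the systemd line enables "journal gateway, bootctl and container features", but the renamed `iptables` flag on line 16 also selects the libiptc-backed NAT path for systemd-networkd, which the ebuild's metadata describes as used only when the running kernel lacks nftables. Suggest extending the comment to `# enable journal gateway, bootctl, container features and the libiptc NAT fallback for networkd`. Because that flag pulls net-firewall/iptables into the image, stating here that it is intentional keeps a later cleanup from dropping it as a leftover of the old `nat` flag.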
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
index 11fad23078..414ac1a206 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -1 +1 @@
-DIST systemd-stable-250.3.tar.gz 11125151 BLAKE2B 659c39994e76f94407dd9079e28fc644981d3475a0ed440b9895e8f201c3ce1fc47aa8c4d599ad85ed89ddfb6ca8e514aee2a739e93640745cf46647f99efe56 SHA512 81847fb088ff271138b1ea318995a2ca2ee5d4c5d839c9dd81f0210d366198049199d59c49b25ef8783df2c6b8dd9fcdf2d916777788b1a6d42deec9da8e9da5
+DIST systemd-stable-250.7.tar.gz 11214975 BLAKE2B 5d94b4b1f8b0cd6e8284a89ac0d4bd373eccdad2c3d6e6c453df79c8df47ee0f9cfbde764b72b1f9d172d07e2d9f1f1f41c1ab254cf4abd0722469ebc3ad7cf8 SHA512 99bc6f0c9757b280cb694f3fb4d6fe04d5ce55583eb2bae5ddeb324bb5ee9930c1720fcc27293d90cddba188473653ec541a471ae8115710a5850c26d0ba215d
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml
index 1e7d92356b..d9f94345f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml
@@ -18,18 +18,17 @@
Enable EFI boot manager and stub loader (built using sys-boot/gnu-efi)
Enable coredump stacktraces in the journal
Enable FIDO2 support
- Enable sealing of journal files using gcrypt
+ Enable use of dev-libs/libgcrypt for various features
Enable portable home directories
Enable setting hostname with networkd/hostnamed without polkit (requires running sys-apps/dbus-broker)
Enable embedded HTTP server in journald
Enable import daemon
+ Use libiptc from net-firewall/iptables for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables
Enable kernel module loading via sys-apps/kmod
Enable lz4 compression for the journal
- Enable support for network address translation in networkd
- Enable use of dev-libs/openssl
+ Enable use of dev-libs/openssl for various features
Enable PKCS#11 support for cryptsetup and homed
Enable password quality checking in homed
- Enable support for growing/adding partitions
Enable qrcode output support in journal
Install resolvconf symlink for systemd-resolve
Install sysvinit compatibility symlinks and manpages for init, telinit, halt, poweroff, reboot, runlevel, and shutdown
@@ -39,5 +38,6 @@
systemd/systemd
+ systemd/systemd-stable
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3-r1.ebuild
deleted file mode 120000
index 5446582e48..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3-r1.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-systemd-250.3.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild
index b8f1582d7d..ef9c3041bd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-250.7.ebuild
@@ -6,6 +6,9 @@ PYTHON_COMPAT=( python3_{8..10} )
# Avoid QA warnings
TMPFILES_OPTIONAL=1
+UDEV_OPTIONAL=1
+
+QA_PKGCONFIG_VERSION=$(ver_cut 1)
if [[ ${PV} == 9999 ]]; then
EGIT_REPO_URI="https://github.com/systemd/systemd.git"
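Review bot: `QA_PKGCONFIG_VERSION=$(ver_cut 1)` on line 75 is added without a comment saying why only the major version is expected; a one-liner such as `# systemd's .pc files presumably report only the major version (e.g. 250), so the pkg-config QA check compares against that` would spare the next reader a lookup. `UDEV_OPTIONAL=1` sits under the existing `# Avoid QA warnings` comment, which appears to cover it as well. The ebuild prologue continues outside this hunk.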
@@ -20,23 +23,22 @@ else
MY_P=${MY_PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"
- # Flatcar: Stabilize for amd64 and arm64.
- KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86"
fi
# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript.
# Adding tmpfiles, since we use it for installing some files.
-inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles
+inherit bash-completion-r1 flag-o-matic linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev tmpfiles
DESCRIPTION="System and service manager for Linux"
-HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
+HOMEPAGE="http://systemd.io/"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
IUSE="
acl apparmor audit build cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
- fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd +kmod
- +lz4 lzma nat +openssl pam pcre pkcs11 policykit pwquality qrcode
+ fido2 +gcrypt gnuefi gnutls homed hostnamed-fallback http idn importd iptables +kmod
+ +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd
"
REQUIRED_USE="
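Review bot: `HOMEPAGE="http://systemd.io/"` on line 92 replaces the previous https URL with plain http; the site is served over HTTPS, so `HOMEPAGE="https://systemd.io/"` avoids pointing users at an unencrypted link for no gain. The removed `# Flatcar: Stabilize for amd64 and arm64.` comment was the only marker that the KEYWORDS line was locally managed; if the new line is a straight upstream sync that is fine, but if it remains a local deviation, keep a `# Flatcar:` marker so the next rebase does not silently lose it. Only the tail of the `else` branch is visible; the enclosing block starts outside the hunk.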
@@ -72,7 +74,7 @@ COMMON_DEPEND="
kmod? ( >=sys-apps/kmod-15:0= )
lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
- nat? ( net-firewall/iptables:0= )
+ iptables? ( net-firewall/iptables:0= )
openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( app-crypt/p11-kit:0= )
@@ -93,6 +95,11 @@ DEPEND="${COMMON_DEPEND}
"
# baselayout-2.2 has /run
+#
+# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
+# flag). The image stage fails with "Failed to resolve
+# typeattributeset statement at
+# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120"
RDEPEND="${COMMON_DEPEND}
>=acct-group/adm-0-r1
>=acct-group/wheel-0-r1
@@ -125,7 +132,9 @@ RDEPEND="${COMMON_DEPEND}
acct-group/systemd-hostname
sys-apps/dbus-broker
)
- selinux? ( sec-policy/selinux-base-policy[systemd] )
+ selinux? (
+ sec-policy/selinux-base-policy[systemd]
+ )
sysv-utils? (
!sys-apps/openrc[sysv-utils(-)]
!sys-apps/sysvinit
@@ -185,7 +194,7 @@ pkg_pretend() {
ewarn "See https://bugs.gentoo.org/674458."
fi
- local CONFIG_CHECK="~AUTOFS4_FS ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS
+ local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS
~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
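Review bot: Removing `~AUTOFS4_FS` from the `CONFIG_CHECK` literal on line 139 left a leading space, `local CONFIG_CHECK=" ~BINFMT_MISC ...`; `local CONFIG_CHECK="~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS` keeps the list tidy. It should be harmless, since the check iterates over the whitespace-split list, but it reads like an editing leftover, and the AUTOFS selection now lives in a later hunk of the same function. pkg_pretend starts before this hunk.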
@@ -199,10 +208,16 @@ pkg_pretend() {
kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES"
kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF"
- if kernel_is -lt 5 10 20; then
- CONFIG_CHECK+=" ~CHECKPOINT_RESTORE"
- else
+ if kernel_is -ge 5 10 20; then
CONFIG_CHECK+=" ~KCMP"
+ else
+ CONFIG_CHECK+=" ~CHECKPOINT_RESTORE"
+ fi
+
+ if kernel_is -ge 4 18; then
+ CONFIG_CHECK+=" ~AUTOFS_FS"
+ else
+ CONFIG_CHECK+=" ~AUTOFS4_FS"
fi
if linux_config_exists; then
@@ -281,6 +296,22 @@ src_configure() {
# Prevent conflicts with i686 cross toolchain, bug 559726
tc-export AR CC NM OBJCOPY RANLIB
+ # Broken with FORTIFY_SOURCE=3 without a patch. And the patch
+ # wasn't backported to 250.x, but it turns out to break Clang
+ # anyway: bug #841770.
+ #
+ # Our toolchain sets F_S=2 by default w/ >= -O2, so we need
+ # to unset F_S first, then explicitly set 2, to negate any default
+ # and anything set by the user if they're choosing 3 (or if they've
+ # modified GCC to set 3).
+ #
+ if is-flagq '-O[23]' || is-flagq '-Ofast' ; then
+ # We can't unconditionally do this b/c we fortify needs
+ # some level of optimisation.
+ filter-flags -D_FORTIFY_SOURCE=3
+ append-cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
+ fi
+
python_setup
multilib-minimal_src_configure
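Review bot: The `_FORTIFY_SOURCE` override on lines 173-178 is a deliberate hardening reduction (level 3 down to 2) that the comment never names as such, nor says when it can be dropped; a line like `# Hardening downgrade (F_S=3 -> 2) for this package only; remove once we carry a systemd release with the F_S=3 fix (bug #841770)` would make both explicit. The sentence `We can't unconditionally do this b/c we fortify needs some level of optimisation` is garbled; `we can't do this unconditionally because fortification needs some level of optimisation` reads as intended. Note that the guard only fires for `-O2`/`-O3`/`-Ofast`, so a build at `-O1`/`-Os` with an explicit `-D_FORTIFY_SOURCE=3` still gets level 3 — presumably acceptable given the toolchain default the comment describes, but worth one line stating so. src_configure starts and ends outside this hunk.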
@@ -333,7 +364,7 @@ multilib_src_configure() {
$(meson_use lz4)
$(meson_use lzma xz)
$(meson_use zstd)
- $(meson_native_use_bool nat libiptc)
+ $(meson_native_use_bool iptables libiptc)
$(meson_native_use_bool openssl)
$(meson_use pam)
$(meson_native_use_bool pkcs11 p11kit)
@@ -400,8 +431,7 @@ multilib_src_configure() {
-Dfirstboot=false
# Flatcar: Set latest network interface naming scheme
- # for
- # https://github.com/flatcar/Flatcar/issues/36
+ # for https://github.com/flatcar/Flatcar/issues/36
-Ddefault-net-naming-scheme=latest
# Flatcar: Unported options, still needed?
@@ -696,6 +726,14 @@ pkg_postinst() {
eerror "systemd again."
eerror
fi
+
+ if use hostnamed-fallback; then
+ if ! systemctl --root="${ROOT:-/}" is-enabled --quiet dbus-broker.service 2>/dev/null; then
+ ewarn "dbus-broker.service is not enabled, systemd-hostnamed will fail to run."
+ ewarn "To enable dbus-broker.service run the next command as root:"
+ ewarn "systemctl enable dbus-broker.service"
+ fi
+ fi
}
pkg_prerm() {
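Review bot: The `is-enabled` check on line 205 treats any non-zero exit as "not enabled": if `systemctl` is absent from the build host or cannot read `${ROOT}`, its stderr is discarded and the warning is emitted anyway, which is misleading during image builds where `ROOT` is a sysroot. Guarding the call, e.g. `if type -P systemctl >/dev/null && ! systemctl --root="${ROOT:-/}" is-enabled --quiet dbus-broker.service 2>/dev/null; then`, limits the warning to the case it describes. The package.use change in this commit does not enable `hostnamed-fallback`, so this branch is presumably inactive for Flatcar images; pkg_postinst starts outside the hunk.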