diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
index 755d27a01c..82c65e1417 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -1 +1 @@
-DIST systemd-stable-246.6.tar.gz 9545237 BLAKE2B 5290736b30ca1a3188335a74d49b4f3e8b48007d9563efac1985ea6428a8b8fd6cad7ae87c35e13a32f851ebd27821829738274d35cfbff9340750bd3b086621 SHA512 1936b291d9831cf61f800fe718a4c2c2fe9b2a11fd817fe32bd48da2087a675dfc91013209a3478ea52e8ada593300ed906e248b8081dcf9141bf1cc17483ea9
+DIST systemd-stable-247.2.tar.gz 9890845 BLAKE2B 5363f429f4e629b9a05248b77f7c102da37e23c5678e14621ca67edeea59d7995064d037f04eb0ce57dd17a1b3a40a04e00619f77dbde82a61aabbc02f5bc412 SHA512 220739bedb7ccbb35d9d2ff441a52e0615fbe80da5141f7e0420d469f4d66d3604ea72ce70c3deaa2afa5a32b3c7eec4340738337c96891b471e23ed43cd6a82
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
index c9eece6f56..053617f485 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
@@ -4,22 +4,21 @@ Date: Tue, 2 Jun 2015 18:22:32 -0700
Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
---
- src/network/networkd-network.c | 2 ++
- 1 file changed, 2 insertions(+)
+ src/network/networkd-network.c | 1 +
+ 1 file changed, 1 insertion(+)
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
-index 97f5551ee5..d12072665a 100644
+index 3254641461..4f34daa919 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
-@@ -461,6 +461,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
-
+@@ -410,6 +410,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+ .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+
.ipv4_accept_local = -1,
-
+ .ip_forward = _ADDRESS_FAMILY_INVALID,
-+
.ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
.ipv6_accept_ra = -1,
.ipv6_dad_transmits = -1,
---
+--
2.26.2
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
index 2c10a67d58..c8f1460902 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
@@ -10,49 +10,49 @@ Updates should be triggered whenever usr changes, not only when it is newer.
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
-index 91196dff30..14cffbd042 100644
+index 3393010ff6..5478baca25 100644
--- a/man/systemd-update-done.service.xml
+++ b/man/systemd-update-done.service.xml
@@ -50,7 +50,7 @@
ConditionNeedsUpdate= (see
systemd.unit5)
- condition to make sure to run when /etc or
-- /var are older than /usr
-+ /var aren't the same age as /usr
+ condition to make sure to run when /etc/ or
+- /var/ are older than /usr/
++ /var/ aren't the same age as /usr/
according to the modification times of the files described above.
- This requires that updates to /usr are always
+ This requires that updates to /usr/ are always
followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c
-index bf3b5fa162..749f134328 100644
+index b2ec690bc3..4cf6523b90 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
-@@ -592,7 +592,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -593,7 +593,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate...
*/
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
+ return true;
-
+
/*
* ...then compare nanoseconds.
-@@ -603,7 +603,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -604,7 +604,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
+ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
-
+
_cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str);
-@@ -622,7 +622,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -623,7 +623,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true;
}
-
+
- return timespec_load_nsec(&usr.st_mtim) > timestamp;
+ return timespec_load_nsec(&usr.st_mtim) != timestamp;
}
-
+
static int condition_test_first_boot(Condition *c, char **env) {
---
+--
2.26.2
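Review bot: The comment text kept as context around the nanosecond guard in condition_test_needs_update() appears to have been written for the original `>` comparison, while the refreshed patch turns all three returns into inequality tests (`return true;`, `usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec`, `timespec_load_nsec(&usr.st_mtim) != timestamp`). The patch should reword that comment as well, for example `/* Flatcar: any mtime difference counts as an update, not only a newer /usr/ */`, so a later rebase does not quietly restore the ordering check. Because an older /usr/ now satisfies the condition too, the patch description should say that a rollback re-runs every ConditionNeedsUpdate= unit. The function starts and ends outside the hunk, so the full comment is not visible here.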
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch
index 1f2aae96f8..27c5147a96 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch
@@ -8,33 +8,32 @@ to 512, later 15% of the system's maximum number of PIDs. This
limit is low and a change in behavior that people running services
in containers will hit frequently, so revert to previous behavior.
---
- man/systemd-system.conf.xml | 3 +--
+ man/systemd-system.conf.xml | 2 +-
src/basic/cgroup-util.h | 4 ++++
src/core/system.conf.in | 2 +-
- 3 files changed, 6 insertions(+), 3 deletions(-)
+ 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index c64e57c277..e03e67b2f5 100644
+index 0dea50f2fe..3847118881 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
-@@ -361,8 +361,7 @@
+@@ -361,7 +361,7 @@
Configure the default value for the per-unit TasksMax= setting. See
systemd.resource-control5
for details. This setting applies to all unit types that support resource control settings, with the exception
-- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
-- in OS containers.
+- of slice units. Defaults to 15% of the sysctl setting kernel.pid_max= or root cgroup pids.max.
+ of slice units. Defaults to 100%.
-
-
-
+ Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores.
+ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915,
+ but might be greater in other systems or smaller in OS containers.
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
-index 2b88571bc1..598bfc1a45 100644
+index bdc0d0d086..345a99aa5c 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -129,6 +129,10 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
(x >= CGROUP_BLKIO_WEIGHT_MIN && x <= CGROUP_BLKIO_WEIGHT_MAX);
}
-
+
+/* Default resource limits */
+#define DEFAULT_TASKS_MAX_PERCENTAGE 100U /* 100% of PIDs */
+#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */
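Review bot: The refreshed man-page hunk leaves two different defaults side by side: the patch's `Defaults to 100%.` is followed by upstream's sentence that `DefaultTasksMax=` defaults to 4915, which the removed line identifies as the 15% figure. The patch should replace those trailing lines as well, otherwise the shipped documentation misstates the limit administrators actually get. Since `DEFAULT_TASKS_MAX_PERCENTAGE 100U` removes the per-unit task ceiling, a sentence such as `Units that run untrusted workloads should set TasksMax= explicitly.` would tell operators where the guard against runaway forking now has to come from.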
@@ -55,6 +54,6 @@ index 40bb548887..c6cddf4f79 100644
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
---
+--
2.26.2
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-247.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-246.6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-247.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
index a8653850d5..8b1a642e79 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
@@ -401,16 +401,16 @@ multilib_src_install_all() {
rmdir "${ED}${rootprefix}"/sbin || die
fi
- if use hwdb; then
- rm -r "${ED}${rootprefix}"/lib/udev/hwdb.d || die
- fi
-
# Flatcar: Upstream uses keepdir commands to keep some empty
# directories.
#
# Flatcar: TODO: Consider using that instead of
# systemd_dotmpfilesd "${FILESDIR}"/systemd-flatcar.conf below.
+ if use hwdb; then
+ rm -r "${ED}${rootprefix}"/lib/udev/hwdb.d || die
+ fi
+
if use split-usr; then
# Avoid breaking boot/reboot
dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd
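Review bot: Moving the `if use hwdb` block below the `# Flatcar: Upstream uses keepdir ...` comment separates that comment from the code it describes, so the TODO's "below" now reads as if it referred to the hwdb.d removal. Either keep the block above the comment as before or give it a comment of its own, e.g. `# Flatcar: drop the installed hwdb.d when the hwdb flag is set`, after confirming that this is the intent. multilib_src_install_all() starts and ends outside the hunk.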
@@ -570,20 +570,22 @@ pkg_preinst() {
}
pkg_postinst() {
- newusergroup() {
- enewgroup "$1"
- enewuser "$1" -1 -1 -1 "$1"
- }
+ newusergroup() {
+ enewgroup "$1"
+ enewuser "$1" -1 -1 -1 "$1"
+ }
+
+ enewgroup input
+ enewgroup kvm 78
+ enewgroup render 30
+ enewgroup systemd-journal
+ newusergroup systemd-coredump
+ newusergroup systemd-journal-remote
+ newusergroup systemd-network
+ newusergroup systemd-resolve
+ newusergroup systemd-timesync
+ newusergroup systemd-oom
- enewgroup input
- enewgroup kvm 78
- enewgroup render 30
- enewgroup systemd-journal
- newusergroup systemd-coredump
- newusergroup systemd-journal-remote
- newusergroup systemd-network
- newusergroup systemd-resolve
- newusergroup systemd-timesync
systemd_update_catalog