From fafa0f3d42b60a3f56366a323d46e0803393b34f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 24 Oct 2025 11:28:52 +0200
Subject: [PATCH] overlay sys-apps/systemd: Move our modifications to config
 overrides

The most significant change here is to drop our manual service
enabling in favor of invoking systemctl preset-all and moving the
generated symlinks to /usr.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
---
 .../coreos/config/env/sys-apps/systemd        | 193 +++++++++++++++++-
 .../sys-apps/systemd/systemd-257.7-r1.ebuild  | 185 ++---------------
 2 files changed, 201 insertions(+), 177 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
index f5f1ad0bbb..b543740cd5 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
@@ -1,20 +1,192 @@
-cros_post_src_install_timesync() {
-  local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
-  mkdir -p "${dir}"
-  pushd "${dir}"
-  cat <<EOF >flatcar.conf || die
+flatcar_systemd_meson_args_array=(
+    # Point to our user mailing list.
+    -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user'
+
+    # Use our ntp servers.
+    -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
+
+    # Specify this, or meson breaks due to no /etc/login.defs.
+    -Dsystem-gid-max=999
+    -Dsystem-uid-max=999
+
+    # PAM config directory.
+    -Dpamconfdir="${EPREFIX}/usr/share/pam.d"
+
+    # The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by timesyncd
+    # as a sanity check for the minimum acceptable time. Explicitly
+    # set to avoid using the current build time.
+    -Dtime-epoch=1372636800
+
+    # No default name servers.
+    -Ddns-servers=
+
+    # Disable the "First Boot Wizard", it isn't very applicable to us.
+    -Dfirstboot=false
+
+    # Set latest network interface naming scheme for
+    # https://github.com/flatcar/Flatcar/issues/36
+    -Ddefault-net-naming-scheme=latest
+
+    # Combined log format: name plus description
+    -Dstatus-unit-format-default=combined
+
+    # Disable multicast-dns, Link-Local Multicast Name Resolution and
+    # dnssec
+    -Ddefault-mdns=no
+    -Ddefault-llmnr=no
+    -Ddefault-dnssec=no
+)
+export MYMESONARGS="${flatcar_systemd_meson_args_array[*]@Q}"
+unset 'flatcar_systemd_meson_args_array'
+
+# Save the original path to systemctl command, so we can use it for
+# presetting, even after stubbing systemctl out below.
+if [[ -z ${flatcar_hacked_systemctl} ]]; then
+    flatcar_hacked_systemctl=$(command -v systemctl) || die "systemctl not found"
+fi
+# Stubbed out completely - it is being invoked in the pkg_postinst to
+# enable getty service and do some reexecs/reloads. None of these are
+# necessary for us.
+systemctl() {
+    :
+}
+
+flatcar_systemctl_preset() {
+    local scope=${1}
+
+    local systemctl_scope_arg
+    case ${scope} in
+        system) systemctl_scope_arg=--system;;
+        user) systemctl_scope_arg=--global;; # don't ask, using --user
+                                             # results in an "invalid
+                                             # argument" error
+        *) die "wrong scope ${scope@Q}, ought to be either system or user";;
+    esac
+
+    "${flatcar_hacked_systemctl}" --root="${ED}" "${systemctl_scope_arg}" --preset-mode=enable-only preset-all || die
+
+    local escaped_path
+    escaped_path=$(printf '%s' "${ED}/etc/systemd/" | sed -e 's/[#\&]/\\&/g') || die
+
+    # make symlinks relative
+    find "${ED}/etc/systemd/${scope}" -type l -lname "/usr/lib/systemd/${scope}/*" -printf "%l\0%p\0" | \
+        sed -z -e "s#^/usr/lib/systemd/#${escaped_path}#" | \
+        xargs -0 -n2 ln -sfTr || die
+
+    # We can't do just:
+    #
+    # mv "${ED}/etc/systemd/${scope}"/* "${ED}/usr/lib/systemd/${scope}/"
+    #
+    # Some directories already exist in both /etc/systemd/${scope} and
+    # /usr/lib/systemd/${scope}, but with different contents. "mv"
+    # complains that it can't overwrite them.
+
+    # create directories in /usr/lib/systemd/${scope} that match ones
+    # in /etc/systemd/${scope}
+    find "${ED}/etc/systemd/${scope}" ! -type d -printf '%h\0' | \
+        sort -z -u | \
+        sed -z -e "s#/etc/systemd/${scope}/#/usr/lib/systemd/${scope}/#" |
+        xargs -0 mkdir -p || die
+    # move files from /etc/systemd/${scope} to
+    # /usr/lib/systemd/${scope}
+    find "${ED}/etc/systemd/${scope}" ! -type d -print | \
+        sed -e "s#\(.*\)\(/etc/systemd/${scope}/\)\(.*\)#\1\2\3\n\1/usr/lib/systemd/${scope}/\3#" | \
+        xargs -n2 mv || die
+    # remove empty directories in /etc/systemd/${scope}
+    find "${ED}/etc/systemd/${scope}" -type d -printf '%d %p\0' | \
+        sort -z -k 1nr,1 -k2b | \
+        cut -z -d' ' -f2- | \
+        xargs -0 rmdir || die
+}
+
+cros_post_src_install_flatcar_stuff() {
+    # We provide our own systemd-user config file in baselayout.
+    #
+    # This one is installed by systemd build system regardless of
+    # USE=pam (the ebuild ought to pass -Dpamconfdir=no to disable the
+    # installation).
+    rm "${ED}/usr/share/pam.d/systemd-user" || die
+    # This one is installed by Gentoo's systemd ebuild only if USE=pam
+    # is enabled.
+    if use pam; then
+        rm "${ED}/etc/pam.d/systemd-user" || die
+    fi
+
+    # Ensure journal directory has correct ownership/mode in inital
+    # image. This is fixed by systemd-tmpfiles *but* journald starts
+    # before that and will create the journal if the filesystem is
+    # already read-write. Conveniently the systemd build system sets
+    # this up completely wrong.
+    keepdir /var/log/journal
+    fowners root:systemd-journal /var/log/journal
+    fperms 2755 /var/log/journal
+
+    keepdir /var/log/journal/remote
+    fowners systemd-journal-remote:systemd-journal-remote /var/log/journal/remote
+
+    (
+        insopts -m 0644
+        insinto /usr/lib/tmpfiles.d
+        # Add tmpfiles rule for resolv.conf. This path has changed
+        # after v213 so it must be handled here instead of baselayout
+        # now.
+        newins - systemd-resolv.conf <<'EOF'
+d   /run/systemd/network                -   -   -   -   -
+L   /run/systemd/network/resolv.conf    -   -   -   -   ../resolve/resolv.conf
+EOF
+    )
+
+    # Don't set any extra environment variables by default.
+    rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
+
+    # enable system units
+    flatcar_systemctl_preset system
+    # enable user units
+    flatcar_systemctl_preset user
+
+    # Use an empty preset file, because systemctl preset-all puts
+    # symlinks in /etc, not in /usr. We don't use /etc, because it is
+    # not autoupdated. We do the "preset" above.
+    rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
+    rm "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" || die
+    (
+        insinto /usr/lib/systemd/system-preset
+        newins - 99-default.preset <<'EOF'
+# Do not enable any services if /etc is detected as empty.
+disable *
+EOF
+        insinto /usr/lib/systemd/user-preset
+        newins - 99-default.preset <<'EOF'
+# Do not enable any services if /etc is detected as empty.
+disable *
+EOF
+    )
+
+    # Do not ship distro-specific files (nsswitch.conf pam.d). This
+    # conflicts with our own configuration provided by baselayout.
+    rm -r "${ED}"/usr/share/factory || die
+    sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
+        -e '/^C!* \/etc\/nsswitch\.conf/d' \
+        -e '/^C!* \/etc\/pam\.d/d' \
+        -e '/^C!* \/etc\/issue/d' || die
+
+    (
+        # Some OEMs prefer chronyd, so allow them to replace
+        # systemd-timesyncd with it.
+        insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
+        newins - flatcar.conf <<'EOF'
 # Allow sysexts to ship timesyncd replacements which can have
 # a Conflicts=systemd-timesyncd directive that would result
 # in systemd-timesyncd not being started.
 [Unit]
 After=ensure-sysext.service
 EOF
-  popd
-}
+    )
 
-cros_post_src_install_udev() {
-  insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
-  newins - flatcar.conf <<EOF
+    (
+        # Allow @mount syscalls for systemd-udevd.service
+        insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
+        newins - flatcar.conf <<'EOF'
 # In Flatcar we are using modprobe helpers that run depmod in temporary
 # overlay. systemd-udevd.service may try to load drivers for some block devices
 # (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
@@ -23,4 +195,5 @@ cros_post_src_install_udev() {
 [Service]
 SystemCallFilter=@mount
 EOF
+    )
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
index 58c53da515..e4e8dd7891 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
@@ -25,8 +25,7 @@ else
 fi
 
 inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
-# Flatcar: Inherited tmpfiles
-inherit secureboot systemd tmpfiles toolchain-funcs udev
+inherit secureboot systemd toolchain-funcs udev
 
 DESCRIPTION="System and service manager for Linux"
 HOMEPAGE="https://systemd.io/"
@@ -300,8 +299,7 @@ multilib_src_configure() {
 		-Ddocdir="share/doc/${PF}"
 		# default is developer, bug 918671
 		-Dmode=release
-		# Flatcar: Point to our user mailing list.
-		-Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user"
+		-Dsupport-url="https://gentoo.org/support/"
 		-Dpamlibdir="$(getpam_mod_dir)"
 		# avoid bash-completion dep
 		-Dbashcompletiondir="$(get_bashcompdir)"
@@ -354,8 +352,7 @@ multilib_src_configure() {
 		$(meson_native_use_feature test dbus)
 		$(meson_native_use_feature ukify)
 		$(meson_native_use_feature xkb xkbcommon)
-		# Flatcar: Use our ntp servers.
-		-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
+		-Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
 		# Breaks screen, tmux, etc.
 		-Ddefault-kill-user-processes=false
 		-Dcreate-log-dirs=false
@@ -380,42 +377,6 @@ multilib_src_configure() {
 		$(meson_native_true timesyncd)
 		$(meson_native_true tmpfiles)
 		$(meson_native_true vconsole)
-		# Flatcar: Specify this, or meson breaks due to no
-		# /etc/login.defs.
-		-Dsystem-gid-max=999
-		-Dsystem-uid-max=999
-
-		# Flatcar: DBus paths.
-		-Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
-		-Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
-
-		# Flatcar: PAM config directory.
-		-Dpamconfdir=/usr/share/pam.d
-
-		# Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC
-		# 2013. Used by timesyncd as a sanity check for the
-		# minimum acceptable time. Explicitly set to avoid
-		# using the current build time.
-		-Dtime-epoch=1372636800
-
-		# Flatcar: No default name servers.
-		-Ddns-servers=
-
-		# Flatcar: Disable the "First Boot Wizard", it isn't
-		# very applicable to us.
-		-Dfirstboot=false
-
-		# Flatcar: Set latest network interface naming scheme
-		# for https://github.com/flatcar/Flatcar/issues/36
-		-Ddefault-net-naming-scheme=latest
-
-		# Flatcar: Combined log format: name plus description
-		-Dstatus-unit-format-default=combined
-
-		# Flatcar: Disable multicast-dns, Link-Local Multicast Name Resolution and dnssec
-		-Ddefault-mdns=no
-		-Ddefault-llmnr=no
-		-Ddefault-dnssec=no
 	)
 
 	case $(tc-arch) in
@@ -443,9 +404,7 @@ multilib_src_test() {
 
 multilib_src_install_all() {
 	einstalldocs
-	# Flatcar: Do not install sample nsswitch.conf, we don't
-	# provide it.
-	# dodoc "${FILESDIR}"/nsswitch.conf
+	dodoc "${FILESDIR}"/nsswitch.conf
 
 	insinto /usr/lib/tmpfiles.d
 	doins "${FILESDIR}"/legacy.conf
@@ -477,129 +436,23 @@ multilib_src_install_all() {
 	keepdir /var/lib/systemd
 	keepdir /var/log/journal
 
-	# Flatcar: We provide our own systemd-user config file in baselayout.
-	# if use pam; then
-	# 	if use selinux; then
-	# 		newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
-	#	else
-	#		newpamd "${FILESDIR}"/systemd-user.pam systemd-user
-	#	fi
-	# fi
+	if use pam; then
+		if use selinux; then
+			newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
+		else
+			newpamd "${FILESDIR}"/systemd-user.pam systemd-user
+		fi
+	fi
 
 	if use kernel-install; then
 		# Dummy config, remove to make room for sys-kernel/installkernel
 		rm "${ED}/usr/lib/kernel/install.conf" || die
 	fi
-	# Flatcar: Ensure journal directory has correct ownership/mode
-	# in inital image.  This is fixed by systemd-tmpfiles *but*
-	# journald starts before that and will create the journal if
-	# the filesystem is already read-write.  Conveniently the
-	# systemd Makefile sets this up completely wrong.
-	#
-	# Flatcar: TODO: Is this still a problem?
-	dodir /var/log/journal
-	fowners root:systemd-journal /var/log/journal
-	fperms 2755 /var/log/journal
-
-	# Flatcar: Don't prune systemd dirs.
-	dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
-	# Flatcar: Add tmpfiles rule for resolv.conf. This path has
-	# changed after v213 so it must be handled here instead of
-	# baselayout now.
-	dotmpfiles "${FILESDIR}"/systemd-resolv.conf
-
-	# Flatcar: Don't set any extra environment variables by default.
-	rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
-
-	# Flatcar: These lines more or less follow the systemd's
-	# preset file (90-systemd.preset). We do it that way, to avoid
-	# putting symlinks in /etc. Please keep the lines in the same
-	# order as the "enable" lines appear in the preset file. For a
-	# single enable line in preset, there may be more lines if the
-	# unit file had Also: clause which has units we enable here
-	# too.
-
-	# Flatcar: enable remote-fs.target
-	builddir_systemd_enable_service multi-user.target remote-fs.target
-	# Flatcar: enable remote-cryptsetup.target
-	if use cryptsetup; then
-		builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
-	fi
-	# Flatcar: enable machines.target
-	builddir_systemd_enable_service multi-user.target machines.target
-	# Flatcar: enable getty@.service
-	dodir "${unitdir}/getty.target.wants"
-	dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
-	# Flatcar: enable systemd-timesyncd.service
-	builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
-	# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
-	builddir_systemd_enable_service multi-user.target systemd-networkd.service
-	builddir_systemd_enable_service sockets.target systemd-networkd.socket
-	builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
-	# Flatcar: enable systemd-network-generator.service
-	builddir_systemd_enable_service sysinit.target systemd-network-generator.service
-	# Flatcar: enable systemd-resolved.service
-	builddir_systemd_enable_service multi-user.target systemd-resolved.service
-	# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
-	if use homed; then
-		builddir_systemd_enable_service multi-user.target systemd-homed.target
-	fi
-	# Flatcar: enable systemd-userdbd.socket
-	builddir_systemd_enable_service sockets.target systemd-userdbd.socket
-	# Flatcar: enable systemd-pstore.service
-	builddir_systemd_enable_service sysinit.target systemd-pstore.service
-	# Flatcar: enable systemd-boot-update.service
-	if use boot; then
-		builddir_systemd_enable_service sysinit.target systemd-boot-update.service
-	fi
-	# Flatcar: enable reboot.target (not enabled - has no WantedBy
-	# entry)
-
-	# Flatcar: enable systemd-sysext.service by default
-	builddir_systemd_enable_service sysinit.target systemd-sysext.service
-
-	# Flatcar: Use an empty preset file, because systemctl
-	# preset-all puts symlinks in /etc, not in /usr. We don't use
-	# /etc, because it is not autoupdated. We do the "preset" above.
-	rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
-	insinto /usr/lib/systemd/system-preset
-	doins "${FILESDIR}"/99-default.preset
-
-	# Flatcar: Do not ship distro-specific files (nsswitch.conf
-	# pam.d). This conflicts with our own configuration provided
-	# by baselayout.
-	rm -rf "${ED}"/usr/share/factory
-	sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
-		-e '/^C!* \/etc\/nsswitch\.conf/d' \
-		-e '/^C!* \/etc\/pam\.d/d' \
-		-e '/^C!* \/etc\/issue/d'
 
 	use ukify && python_fix_shebang "${ED}"
 	use boot && secureboot_auto_sign
 }
 
-# Flatcar: Our own version of systemd_get_systemunitdir, that returns
-# a path inside /usr, not /etc.
-builddir_systemd_get_systemunitdir() {
-	echo "${EPREFIX}/usr/lib/systemd/system"
-}
-
-# Flatcar: Our own version of systemd_enable_service, that does
-# operations inside /usr, not /etc.
-builddir_systemd_enable_service() {
-	local target=${1}
-	local service=${2}
-	local ud=$(builddir_systemd_get_systemunitdir)
-	local destname=${service##*/}
-
-	dodir "${ud}"/"${target}".wants && \
-	dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
-
-	if use boot; then
-		python_fix_shebang "${ED}"
-		secureboot_auto_sign
-	fi
-}
 migrate_locale() {
 	local envd_locale_def="${EROOT}/etc/env.d/02locale"
 	local envd_locale=( "${EROOT}"/etc/env.d/??locale )
@@ -669,15 +522,13 @@ pkg_postinst() {
 	# between OpenRC & systemd
 	migrate_locale
 
-	# Flatcar: We enable getty and remote-fs targets in /usr
-	# ourselves above.
-	# if [[ -z ${REPLACING_VERSIONS} ]]; then
-	# 	if type systemctl &>/dev/null; then
-	# 		systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
-	# 	fi
-	# 	elog "To enable a useful set of services, run the following:"
-	# 	elog "  systemctl preset-all --preset-mode=enable-only"
-	# fi
+	if [[ -z ${REPLACING_VERSIONS} ]]; then
+		if type systemctl &>/dev/null; then
+			systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
+		fi
+		elog "To enable a useful set of services, run the following:"
+		elog "  systemctl preset-all --preset-mode=enable-only"
+	fi
 
 	if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
 		rm "${EROOT}/var/lib/systemd/timesync"