From 16964ed34fc28e293cec8cb5b8951bb94a72cda3 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 12 Jan 2026 07:16:58 +0000
Subject: [PATCH 1/5] sys-apps/systemd: Sync with Gentoo

It's from Gentoo commit 3d18471f16a601c177b659ea569fe042c69ea64b.

Signed-off-by: Flatcar Buildbot
Signed-off-by: Mathieu Tortuyaux
---
 .../portage-stable/sys-apps/systemd/Manifest | 2 +
 ...2.patch => gentoo-journald-audit-r4.patch} | 38 +-
 .../systemd-258.3-kernel-install-test.patch | 16 +
 .../sys-apps/systemd/systemd-257.10.ebuild | 2 +-
 .../sys-apps/systemd/systemd-258.3.ebuild | 578 ++++++++++++++++++
 .../sys-apps/systemd/systemd-259.ebuild | 576 +++++++++++++++++
 .../sys-apps/systemd/systemd-9999.ebuild | 2 +-
 7 files changed, 1193 insertions(+), 21 deletions(-)
 rename sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/{gentoo-journald-audit-r2.patch => gentoo-journald-audit-r4.patch} (50%)
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258.3-kernel-install-test.patch
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-258.3.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-259.ebuild

diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest
index 33b33288f91..7a4e6ea6a65 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest
@@ -1,3 +1,5 @@
 DIST systemd-257.10.tar.gz 16425661 BLAKE2B c8fef145933810110f5470f64dd41213864cc1cae889fb306c817d7a16cc300adbcab27e3a3be91428f0a7d354041f7f9ca431f7745bce9c7cc1e3bb065be84a SHA512 49a2c8cc1cd91363d90165a1145dcc417d524afd428917dad332e4b057ed9fc3ddb5b4beafab094b02a85d930c8aef9b63c8c9c1bc76ef3bdf0ce38a7d46466f
 DIST systemd-257.9.tar.gz 16401765 BLAKE2B c3ad528d37b89de8f82548807e950b59aab43f875a533ad983169eb539594e5e8230b6b562caee5297dcec4572e27df0e53ebee04f79e85f429f47862031592e SHA512 23b3d2764e0f990d8373068ccb41177793413bc193f7bd34e38b03d6fc3cd32d07c86e9dcbf07e32904075bb5eeca208f65beab04d628ac0e0b81ba87a975c1b
 DIST systemd-258.2.tar.gz 16989522 BLAKE2B 55c8a134d2c80241ed654fab6bf2df0a2139313dbbb905f3abf07c9f86940ff03c8787fe7c4604c34bbb84088c15cd73ae5e013929b290b92808b5473550235e SHA512 1dc016a5a037aec2682e08d2add0dcf8d03db15b45ce8c6b677898f734aefd4694ce18e588d579e42514071fc4c167b2bf53808478b2bd3856b257c9fbcde45d
+DIST systemd-258.3.tar.gz 17034328 BLAKE2B 668f5829d78412b256f49c3f46dffad5cf70fa335de3e5ca822bdc13e4f67874ac28005b616e7fdc0f3235f760c68809ae3ac97e1f53d3ca43fb7e0934ec0de9 SHA512 9f4261e1703efd1f38c90e4166e6d85fa9379c99ac7f3c66caa62955c3cbe8a43ab259c261ab20bce0dd84dd682258192ace66b4dee0390bf3740c32f4569fed
+DIST systemd-259.tar.gz 17250241 BLAKE2B 59ba6edea59338fc30d4cf72b197e8eda2ccd4fc7d53f016c0b9bd4422433839696fe553b58dcf1f31345ec92080a426a04a2878fd97cb17b3b1e3f92f08e135 SHA512 ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r4.patch similarity index 50% rename from sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r4.patch index 0b1b16e6969..e7906f4137d 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r4.patch @@ -1,4 +1,4 @@ -From 7b9ee7375ca9a1521ff36dd9ceb8a26e59572a6e Mon Sep 17 00:00:00 2001 +From 0f16422e52ef793407d1cbef0c38eff29d6e251c Mon Sep 17 00:00:00 2001 From: Mike Gilbert Date: Wed, 17 Sep 2025 15:40:57 -0400 Subject: [PATCH] journald: do not change the kernel audit setting by default @@ -7,45 +7,45 @@ Bug: https://bugs.gentoo.org/736910 --- man/journald.conf.xml | 2 +- src/journal/journald-config.c | 2 +- - src/journal/journald.conf | 2 +- + src/journal/journald.conf.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/journald.conf.xml b/man/journald.conf.xml -index 1a68ba8698..a9a77a51d1 100644 +index 1d615b110d..4676d674a2 100644 --- a/man/journald.conf.xml 
+++ b/man/journald.conf.xml -@@ -482,7 +482,7 @@ - kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor - disable it, leaving the previous state unchanged. This means if another tool turns on auditing even - if systemd-journald left it off, it will still collect the generated -- messages. Defaults to on in the default journal namespace, and unset otherwise. -+ messages. +@@ -483,7 +483,7 @@ + turn it off. When keep it will neither enable nor disable it, leaving the previous + state unchanged. This means if another tool turns on auditing even if + systemd-journald left it off, it will still collect the generated messages. +- Defaults to yes in the default journal namespace, and keep otherwise. ++ Defaults to keep. + + - Note that this option does not control whether systemd-journald collects - generated audit records, it just controls whether it tells the kernel to generate them. If you need diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c -index dd2e29e296..4160fa2ab9 100644 +index 8cffec880b..ea3bb34a76 100644 --- a/src/journal/journald-config.c +++ b/src/journal/journald-config.c -@@ -122,7 +122,7 @@ void manager_merge_configs(Manager *m) { +@@ -123,7 +123,7 @@ void manager_merge_configs(Manager *m) { MERGE_NON_NEGATIVE(read_kmsg, !m->namespace); /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by * non-default namespace instances. */ -- MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true); -+ MERGE_NON_NEGATIVE(set_audit, -1); +- MERGE_NON_NEGATIVE(set_audit, m->namespace ? AUDIT_KEEP : AUDIT_YES); ++ MERGE_NON_NEGATIVE(set_audit, AUDIT_KEEP); MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC); /* TODO: also merge them when comdline or credentials support to configure them. */ 
diff --git a/src/journal/journald.conf b/src/journal/journald.conf -index 9a12ca7657..e42efbcf84 100644 ---- a/src/journal/journald.conf -+++ b/src/journal/journald.conf +index 9a12ca7657..3be3ed7327 100644 +--- a/src/journal/journald.conf.in ++++ b/src/journal/journald.conf.in @@ -47,4 +47,4 @@ #MaxLevelSocket=debug #LineMax=48K #ReadKMsg=yes -#Audit=yes -+#Audit= ++#Audit=keep -- 2.51.0 diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258.3-kernel-install-test.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258.3-kernel-install-test.patch new file mode 100644 index 00000000000..b67c9a87f8d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258.3-kernel-install-test.patch 
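Review bot: The comment the r4 patch keeps as unchanged context directly above the line it rewrites in journald-config.c, `/* By default, kernel auditing is enabled by the main namespace instance, and not controlled by non-default namespace instances. */`, now contradicts the new `MERGE_NON_NEGATIVE(set_audit, AUDIT_KEEP);`, which enables auditing in no namespace; the patch should also replace that comment, e.g. `/* Gentoo: leave the kernel audit setting untouched by default (bug 736910); the admin opts in with Audit=yes. */`. In the journald.conf hunk the inner `diff --git a/src/journal/journald.conf b/src/journal/journald.conf` header is left as context while the `---`/`+++` lines beneath it are changed to `journald.conf.in`; GNU patch goes by the `---`/`+++` paths so it presumably still applies, but the header should be updated to match. Separately, the systemd-258.3 ebuild added later in this commit applies `gentoo-journald-audit-r3.patch`, which this commit neither adds nor renames (only r2 → r4 is touched), so confirm that r3 already exists under files/ or the 258.3 src_prepare will fail.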
@@ -0,0 +1,16 @@ +Revert for 258.3 of https://github.com/systemd/systemd/pull/39945 as that +commit got backported. It fails because master has the kernel install moved +to /var/tmp and this test change assumed that. + +--- a/src/kernel-install/test-kernel-install.sh ++++ b/src/kernel-install/test-kernel-install.sh +@@ -318,7 +318,7 @@ diff -u <(echo "$output") - >&2 <=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] + test? ( ${PEFILE_DEPEND} ) + ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + +pkg_pretend() { + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." 
+ die "cgroup-hybrid is no longer supported" + fi + + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + "${FILESDIR}/systemd-258-shared-add-missing-alloc-util.patch" + "${FILESDIR}/systemd-258.3-kernel-install-test.patch" + ) + + if ! 
use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-journald-audit-r3.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" + # default is developer, bug 918671 + -Dmode=release + -Dsupport-url="https://gentoo.org/support/" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + -Dsplit-bin=false + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # no deps + -Dima=true + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_feature acl) + $(meson_native_use_feature apparmor) + $(meson_native_use_feature audit) + $(meson_native_use_feature boot bootloader) + $(meson_native_use_feature bpf bpf-framework) + -Dbpf-compiler=gcc + $(meson_native_use_feature cryptsetup libcryptsetup) + $(meson_native_use_feature curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_feature elfutils) + $(meson_native_use_feature fido2 libfido2) + $(meson_feature gcrypt) + $(meson_native_use_feature gnutls) + $(meson_native_use_feature homed) + $(meson_native_use_feature http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_feature importd) + $(meson_native_use_feature importd bzip2) + $(meson_native_use_feature importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_feature kmod) + $(meson_feature lz4) + $(meson_feature lzma xz) + $(meson_use test tests) + $(meson_feature zstd) + $(meson_native_use_feature iptables libiptc) + $(meson_native_use_feature openssl) + $(meson_feature pam) + $(meson_native_use_feature passwdqc) + $(meson_native_use_feature pkcs11 p11kit) + 
$(meson_native_use_feature pcre pcre2) + $(meson_native_use_feature policykit polkit) + $(meson_native_use_feature pwquality) + $(meson_native_use_feature qrcode qrencode) + $(meson_native_use_feature seccomp) + $(meson_native_use_feature selinux) + $(meson_native_use_feature tpm tpm2) + $(meson_native_use_feature test dbus) + $(meson_native_use_feature ukify) + $(meson_native_use_feature xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_enabled man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + ) + + case $(tc-arch) in + amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86) + # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE + myconf+=( $(meson_native_enabled vmspawn) ) ;; + *) + myconf+=( -Dvmspawn=disabled ) ;; + esac + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test --timeout-multiplier=10 + ) || die +} + +multilib_src_install_all() { + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! 
use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + if use selinux; then + newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + else + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... 
+ if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? 
|| FAIL=1 + + # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html + ebegin "Signaling user managers to reexec" + systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi + + if use boot; then + optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "generating unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-259.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-259.ebuild new file mode 100644 index 00000000000..f17ee9848ec --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-259.ebuild 
@@ -0,0 +1,576 @@ +# Copyright 2011-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{11..14} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" + + if [[ ${PV} != *rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + fi +fi + +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd toolchain-funcs udev + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://systemd.io/" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod + +lz4 lzma +openssl pam passwdqc pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( openssl ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma openssl ) + ?? ( passwdqc pwquality ) + passwdqc? ( homed ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) + audit? ( >=sys-process/audit-2:0= ) + bpf? ( >=dev-libs/libbpf-1.4.0:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? 
( >=net-misc/curl-7.32.0:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( + dev-libs/libfido2:0= + ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + virtual/zlib:= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + passwdqc? ( sys-auth/passwdqc:0= ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? 
( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + acct-group/clock + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-build/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + bpf? ( + >=dev-util/bpftool-7.0.0 + sys-devel/bpf-toolchain + ) + test? 
( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja2[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( + >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] + test? ( ${PEFILE_DEPEND} ) + ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + +pkg_pretend() { + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." 
+ die "cgroup-hybrid is no longer supported" + fi + + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + ) + + if ! 
use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-journald-audit-r4.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" + # default is developer, bug 918671 + -Dmode=release + -Dsupport-url="https://gentoo.org/support/" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + -Dsplit-bin=false + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # no deps + -Dima=true + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_feature acl) + $(meson_native_use_feature apparmor) + $(meson_native_use_feature audit) + $(meson_native_use_feature boot bootloader) + $(meson_native_use_feature bpf bpf-framework) + -Dbpf-compiler=gcc + $(meson_native_use_feature cryptsetup libcryptsetup) + $(meson_native_use_feature curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_feature elfutils) + $(meson_native_use_feature fido2 libfido2) + $(meson_feature gcrypt) + $(meson_native_use_feature gnutls) + $(meson_native_use_feature homed) + $(meson_native_use_feature http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_feature importd) + $(meson_native_use_feature importd bzip2) + $(meson_native_use_feature importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_feature kmod) + $(meson_feature lz4) + $(meson_feature lzma xz) + $(meson_use test tests) + $(meson_feature zstd) + $(meson_native_use_feature iptables libiptc) + $(meson_native_use_feature openssl) + $(meson_feature pam) + $(meson_native_use_feature passwdqc) + $(meson_native_use_feature pkcs11 p11kit) + 
$(meson_native_use_feature pcre pcre2) + $(meson_native_use_feature policykit polkit) + $(meson_native_use_feature pwquality) + $(meson_native_use_feature qrcode qrencode) + $(meson_native_use_feature seccomp) + $(meson_native_use_feature selinux) + $(meson_native_use_feature tpm tpm2) + $(meson_native_use_feature test dbus) + $(meson_native_use_feature ukify) + $(meson_native_use_feature xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_enabled man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + ) + + case $(tc-arch) in + amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86) + # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE + myconf+=( $(meson_native_enabled vmspawn) ) ;; + *) + myconf+=( -Dvmspawn=disabled ) ;; + esac + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test --timeout-multiplier=10 + ) || die +} + +multilib_src_install_all() { + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! 
use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + if use selinux; then + newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + else + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... 
+ if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? 
|| FAIL=1 + + # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html + ebegin "Signaling user managers to reexec" + systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi + + if use boot; then + optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "generating unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild index e0d808b2954..ade9936865f 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild @@ -282,7 +282,7 @@ src_prepare() { if ! use vanilla; then PATCHES+=( - "${FILESDIR}/gentoo-journald-audit-r2.patch" + "${FILESDIR}/gentoo-journald-audit-r4.patch" ) fi From 938e8d8eca7005632236eeb7b31272e00a8db8be Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 20 Jan 2026 14:14:53 +0100 Subject: [PATCH 2/5] overlay coreos/user-patches: Regenerate patches for sys-apps/systemd Signed-off-by: Krzesimir Nowak 
Signed-off-by: Mathieu Tortuyaux --- .../systemd/0001-wait-online-set-any-by-default.patch | 4 ++-- ...0002-needs-update-don-t-require-strictly-newer-usr.patch | 4 ++-- .../systemd/0003-core-use-max-for-DefaultTasksMax.patch | 6 +++--- .../0004-systemd-Disable-SELinux-permissions-checks.patch | 4 ++-- ...5-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch | 4 ++-- .../0006-units-Keep-using-old-journal-file-format.patch | 4 ++-- ...pfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch | 4 ++-- ...08-units-Make-multi-user.target-the-default-target.patch | 4 ++-- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index 1ba8f645005..d76dabff1cd 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,4 +1,4 @@ -From 83043596b6cc74b6f049999fa660afd983dc493a Mon Sep 17 00:00:00 2001 +From 4f4420815e5b51a481245db012a70e0d872ae368 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 Subject: [PATCH 1/8] wait-online: set --any by default @@ -28,5 +28,5 @@ index 6f5aef903a..0acb3e76b9 100644 STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch index ad1045e8b1d..b2b93ebb853 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,4 +1,4 @@ -From 3d6bfde35c8ce5c21ca55104852a319246a92bb8 Mon Sep 17 00:00:00 2001 +From 5097368cb45b455355165706876509272e49d538 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 Subject: [PATCH 2/8] needs-update: don't require strictly newer usr @@ -54,5 +54,5 @@ index 1a03fdbe37..8577c35fa0 100644 static bool in_first_boot(void) { -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch index c5c316fe6ad..e11beb5457a 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,4 +1,4 @@ -From 6f691278df570cc87cb863a98fe320a1997c6dad Mon Sep 17 00:00:00 2001 +From 18ce110c4a4a5065ac9003ef67ccd58ada6d3c38 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 Subject: [PATCH 3/8] core: use max for DefaultTasksMax @@ -34,7 +34,7 @@ index f7b414da5c..9c07e235ab 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/manager.c b/src/core/manager.c -index 4ccaba9054..3ab59c5bb3 100644 +index e9fa84079d..af8d3c7b41 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -117,7 +117,7 @@ 
@@ -60,5 +60,5 @@ index 1c08aa4d22..2faea3605e 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch index 6949d9fc5e6..d22e57f1833 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,4 +1,4 @@ -From 78b2d8b1a6df073003d64cffa532c3a320e96ad4 Mon Sep 17 00:00:00 2001 +From 1716754b1f3ea3d5d3f232d9fe50ba1df0c5eff7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 Subject: [PATCH 4/8] systemd: Disable SELinux permissions checks @@ -25,5 +25,5 @@ index a67a520a3b..3365b920eb 100644 #include #include -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index d380b96a9cc..a47608148db 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,4 +1,4 @@ -From 8064e1544a2b89f8389c0469ed4879a287a045a7 Mon Sep 17 00:00:00 2001 +From c3ff2dca5d6148a4d09237923aba7b4bd334cddb Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 Subject: [PATCH 5/8] Revert "getty: Pass tty to use by agetty via stdin" @@ -91,5 +91,5 @@ index 20a5eb2754..ba4cbc0edb 100644 TTYReset=yes TTYVHangup=yes -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch index 9a3456cc510..7cdedc6ba62 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch @@ -1,4 +1,4 @@ -From c2924cc57c9e4aa836021ec2567c0fdbebecf944 Mon Sep 17 00:00:00 2001 +From 63fe9e7a742c070c83919be74c383f74420e6777 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 Subject: [PATCH 6/8] units: Keep using old journal file format @@ -38,5 +38,5 @@ index b705ce08ff..874701dac4 100644 FileDescriptorStoreMax=4224 Group=systemd-journal -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch index ec1ef720251..28215448a31 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch 
@@ -1,4 +1,4 @@ -From 7ee314dc08ea65e6951c7007a5f872fd32f0399a Mon Sep 17 00:00:00 2001 +From a31573ecdeff40d109951750c7adf086c52c2869 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 22 Oct 2025 10:39:42 +0200 Subject: [PATCH 7/8] tmpfiles.d: Fix DNS issues with default k8s configuration @@ -32,5 +32,5 @@ index be5edc98e0..bea686682a 100644 -L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf +L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf -- -2.51.0 +2.52.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch index de0aa6eb46e..3225638c205 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch @@ -1,4 +1,4 @@ -From f0ab1c6c59056afe1650f749d1af6ecc6ee8f5ec Mon Sep 17 00:00:00 2001 +From 3d702165a3517eb23657d613bbbbb0ec45fd672e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:06:57 +0200 Subject: [PATCH 8/8] units: Make multi-user.target the default target @@ -31,5 +31,5 @@ index ef18dcae4a..887231840f 100644 { 'file' : 'network-online.target' }, { 'file' : 'network-pre.target' }, -- -2.51.0 +2.52.0 From 84546e626efba3d2c2d2ee519ac9451b319ae42c Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 8 Dec 2025 15:27:18 +0900 Subject: [PATCH 3/5] acct-group/clock: New package From 7f0d7d0eb24afe14cd62bfa78cb9e139b9f824d1 Signed-off-by: Kai Lueke 
Signed-off-by: Mathieu Tortuyaux --- .../portage-stable/acct-group/clock/clock-0.ebuild | 8 ++++++++ .../portage-stable/acct-group/clock/metadata.xml | 7 +++++++ 2 files changed, 15 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/clock/clock-0.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/clock/metadata.xml diff --git a/sdk_container/src/third_party/portage-stable/acct-group/clock/clock-0.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/clock/clock-0.ebuild new file mode 100644 index 00000000000..57a7ba93f17 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/clock/clock-0.ebuild @@ -0,0 +1,8 @@ +# Copyright 2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit acct-group + +ACCT_GROUP_ID=550 diff --git a/sdk_container/src/third_party/portage-stable/acct-group/clock/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/clock/metadata.xml new file mode 100644 index 00000000000..31123d01cb4 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/clock/metadata.xml @@ -0,0 +1,7 @@ + + + + + systemd@gentoo.org + + From 8972a09e8d928d1a9f575c84efd44d4701966779 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 8 Dec 2025 12:18:08 +0900 Subject: [PATCH 4/5] sys-apps/systemd: Update to 258.2 Signed-off-by: Kai Lueke Signed-off-by: Mathieu Tortuyaux --- .../updates/2025-12-08-update-systemd.md | 1 + .../0001-wait-online-set-any-by-default.patch | 18 +++---- ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 54 +++++++++---------- ...multi-user.target-the-default-target.patch | 37 +++++++------ .../coreos/base/package.accept_keywords | 3 ++ 5 files changed, 60 insertions(+), 53 deletions(-) create mode 100644 changelog/updates/2025-12-08-update-systemd.md 
diff --git a/changelog/updates/2025-12-08-update-systemd.md b/changelog/updates/2025-12-08-update-systemd.md new file mode 100644 index 00000000000..62c801457db --- /dev/null +++ b/changelog/updates/2025-12-08-update-systemd.md @@ -0,0 +1 @@ +- systemd (258.2) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index d76dabff1cd..6cbf8caa1b1 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From 4f4420815e5b51a481245db012a70e0d872ae368 Mon Sep 17 00:00:00 2001 +From 61ae07bbf1d7032eef32137b1fe299647602e3de Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/8] wait-online: set --any by default +Subject: [PATCH] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -11,22 +11,22 @@ Preserve previous Container Linux behavior for compatibility by setting the --any flag by default. See patches from v241 (or earlier) for the original implementation. --- - src/network/wait-online/wait-online.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/network/wait-online/wait-online.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 6f5aef903a..0acb3e76b9 100644 +index b1d0b9cde2..e07c11d807 100644 --- a/src/network/wait-online/wait-online.c 
+++ b/src/network/wait-online/wait-online.c -@@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL; +@@ -24,7 +24,7 @@ static Hashmap *arg_interfaces = NULL; static char **arg_ignore = NULL; static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID; static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; -static bool arg_any = false; +static bool arg_any = true; + static bool arg_requires_dns = false; - STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); - STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_freep); -- -2.52.0 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index a47608148db..0bbf3aff06d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ -From c3ff2dca5d6148a4d09237923aba7b4bd334cddb Mon Sep 17 00:00:00 2001 +From 306da1d06e84a721ac34fbc303b4629b2c1c7257 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 5/8] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. @@ -17,15 +17,15 @@ Signed-off-by: Sayan Chowdhury 4 files changed, 4 insertions(+), 12 deletions(-) diff --git a/units/console-getty.service.in b/units/console-getty.service.in -index 33e6368db1..1f2d8b910f 100644 +index 967d8337ab..cde822afc8 100644 --- a/units/console-getty.service.in 
+++ b/units/console-getty.service.in -@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console +@@ -20,12 +20,10 @@ Before=getty.target + ConditionPathExists=/dev/console + [Service] - # The '-o' option value tells agetty to replace 'login' arguments with '--' for - # safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM} +-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} ++ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 console ${TERM} Type=idle Restart=always UtmpIdentifier=cons @@ -35,15 +35,15 @@ index 33e6368db1..1f2d8b910f 100644 TTYReset=yes TTYVHangup=yes diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in -index 7573532d6d..5f27653d1f 100644 +index e0b27613df..2868d56ad0 100644 --- a/units/container-getty@.service.in +++ b/units/container-getty@.service.in -@@ -27,13 +27,11 @@ Before=rescue.service +@@ -25,13 +25,11 @@ Conflicts=rescue.service + Before=rescue.service + [Service] - # The '-o' option value tells agetty to replace 'login' arguments with '--' for - # safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM} -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM} +-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} ++ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d pts/%I ${TERM} Type=idle Restart=always RestartSec=0 @@ -54,15 +54,15 @@ index 7573532d6d..5f27653d1f 100644 TTYReset=yes TTYVHangup=yes 
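Review bot: Every agetty ExecStart this revert now rewrites has lost the `-o '-- \\u'` login-options guard that the previous version of the patch carried, the hardening that stops a typed username beginning with `-` from being parsed by login(1) as an option. The `-ExecStart=` context lines show upstream 258.2 itself no longer passes it, so the regeneration is faithful, but neither the commit message nor the patch description says whether the agetty shipped on Flatcar now applies an equivalent default on its own. Please verify that, and if it holds, record it in the patch description with a line such as `Note: upstream 258 dropped -o '-- \\u' from these units; verified the shipped agetty handles leading-dash usernames itself.`, so the next regeneration does not silently regress it. The same applies to the container-getty, getty@ and serial-getty@ hunks of this file.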
diff --git a/units/getty@.service.in b/units/getty@.service.in -index f30bba406d..1819627d1c 100644 +index 104c4acc96..bedf0aae54 100644 --- a/units/getty@.service.in +++ b/units/getty@.service.in -@@ -36,13 +36,11 @@ ConditionPathExists=/dev/tty0 +@@ -34,13 +34,11 @@ Before=rescue.service + ConditionPathExists=/dev/tty0 + [Service] - # The '-o' option value tells agetty to replace 'login' arguments with '--' for - # safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM} -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM} +-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM} ++ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d %I ${TERM} Type=idle Restart=always RestartSec=0 @@ -73,15 +73,15 @@ index f30bba406d..1819627d1c 100644 TTYReset=yes TTYVHangup=yes diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in -index 20a5eb2754..ba4cbc0edb 100644 +index 0134c83d48..7e5c8797ca 100644 --- a/units/serial-getty@.service.in 
+++ b/units/serial-getty@.service.in -@@ -32,12 +32,10 @@ Before=rescue.service +@@ -30,12 +30,10 @@ Conflicts=rescue.service + Before=rescue.service + [Service] - # The '-o' option value tells agetty to replace 'login' arguments with '--' for - # safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} -+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM} +-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM} ++ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 %I ${TERM} Type=idle Restart=always UtmpIdentifier=%I @@ -91,5 +91,5 @@ index 20a5eb2754..ba4cbc0edb 100644 TTYReset=yes TTYVHangup=yes -- -2.52.0 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch index 3225638c205..a09e66cc703 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-units-Make-multi-user.target-the-default-target.patch @@ -1,35 +1,38 @@ -From 3d702165a3517eb23657d613bbbbb0ec45fd672e Mon Sep 17 00:00:00 2001 +From 3c13363e4b3f2e5bcc762a71460d84b93452f53f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:06:57 +0200 -Subject: [PATCH 8/8] units: Make multi-user.target the default target +Subject: [PATCH] units: Make multi-user.target the default target 
Signed-off-by: Krzesimir Nowak +Signed-off-by: Kai Lueke --- - units/meson.build | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + units/meson.build | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/units/meson.build b/units/meson.build -index ef18dcae4a..887231840f 100644 +index 4f47a3b2bd..9663e21e0c 100644 --- a/units/meson.build +++ b/units/meson.build -@@ -46,7 +46,7 @@ units = [ +@@ -48,8 +48,7 @@ units = [ + 'symlinks' : ['autovt@.service'], }, { - 'file' : 'graphical.target', -- 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []), -+ 'symlinks' : with_runlevels ? ['runlevel5.target'] : [], +- 'file' : 'graphical.target', +- 'symlinks' : ['default.target'], ++ 'file' : 'graphical.target' }, { 'file' : 'halt.target' }, { -@@ -140,7 +140,7 @@ units = [ - { 'file' : 'modprobe@.service' }, - { - 'file' : 'multi-user.target', -- 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [], -+ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : []), +@@ -142,7 +141,9 @@ units = [ + 'conditions' : ['ENABLE_MACHINED'], }, + { 'file' : 'modprobe@.service' }, +- { 'file' : 'multi-user.target' }, ++ { 'file' : 'multi-user.target' , ++ 'symlinks' : ['default.target'] ++ }, { 'file' : 'network-online.target' }, { 'file' : 'network-pre.target' }, + { 'file' : 'network.target' }, -- -2.52.0 - +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 0f5d73bca2c..08157c699f1 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
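Review bot: A style nit in the rewritten multi-user.target entry: `{ 'file' : 'multi-user.target' ,` carries a space before the comma, unlike every neighbouring entry in units/meson.build, and the entry now spans three lines while the graphical.target entry just above was collapsed to a single `'file'` key. Writing it as `{ 'file' : 'multi-user.target', 'symlinks' : ['default.target'] },` on one line, or as `'file' : 'multi-user.target',` followed by `'symlinks' : ['default.target'],` with the trailing comma the other multi-key entries use, keeps the table uniform and makes the next regeneration a cleaner diff. The rest of the `units = [` table is outside the hunk.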
@@ -107,3 +107,6 @@ dev-db/etcd amd64 # Bump early for newer features. =sys-kernel/dracut-109* ~amd64 ~arm64 + +# Use new systemd +=sys-apps/systemd-258.2 ~amd64 ~arm64 From 1743e7873076b6dfc2c06f762b9defc0ddc43f49 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 10 Jun 2026 13:31:50 +0200 Subject: [PATCH 5/5] sys-apps/systemd: add upstream patch This fixes the nested-mount issue with sysext; adapted from the upstream patch. Signed-off-by: Mathieu Tortuyaux --- .../user-patches/sys-apps/systemd/41875.patch | 182 ++++++++++++++++++ 1 file changed, 182 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/41875.patch diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/41875.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/41875.patch new file mode 100644 index 00000000000..bf9bd681414 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/41875.patch
@@ -0,0 +1,182 @@ +From a365c48a5bfc1ea17e7bc10f02b8f02a43e96367 Mon Sep 17 00:00:00 2001 +From: Mathieu Tortuyaux +Date: Mon, 8 Jun 2026 14:39:17 +0200 +Subject: [PATCH 1/2] mount-util: Compact list of sub mounts after dropping + +When nested mounts appear under a sysext hierarchy like this: + mkdir -p /opt/trigger/ + mount -t tmpfs tmpfs /opt/trigger + mkdir -p /opt/trigger/inner + mount -t tmpfs tmpfs /opt/trigger/inner +Then systemd-sysext merge hit an assertion reported in +https://github.com/flatcar/Flatcar/issues/2111 because when it iterates +over the list of sub mounts it doesn't expect entries with NULL in the +path from the dropped entries. +Instead of having to deal with entries with path NULL, better sort the +holes from dropping to the end and then reduce the array length. + +Authored-by: Kai Luke +Signed-off-by: Mathieu Tortuyaux +--- + src/shared/mount-util.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c +index 830ebe1c87..dbfd4e0df1 100644 +--- a/src/shared/mount-util.c ++++ b/src/shared/mount-util.c +@@ -1566,21 +1566,36 @@ void sub_mount_array_free(SubMount *s, size_t n) { + static int sub_mount_compare(const SubMount *a, const SubMount *b) { + assert(a); + assert(b); +- assert(a->path); +- assert(b->path); ++ /* sub_mount_drop() creates NULL paths which we order to the end so that after the sort we can ++ * truncate the array. */ ++ if (!a->path) ++ return b->path ? 1 : 0; ++ if (!b->path) ++ return -1; + + return path_compare(a->path, b->path); + } + +-static void sub_mount_drop(SubMount *s, size_t n) { +- assert(s || n == 0); ++static void sub_mount_drop(SubMount *s, size_t *n) { ++ assert(n); ++ assert(s || *n == 0); ++ ++ /* Works on a sorted array. Drops mounts that are covered by the preceding entry's recursive ++ * open_tree() clone, clearing the slot in place. 
Then sorts again for the NULL paths to be shifted ++ * past the kept count. */ + +- for (size_t m = 0, i = 1; i < n; i++) { ++ size_t kept = *n > 0; ++ for (size_t m = 0, i = 1; i < *n; i++) + if (path_startswith(s[i].path, s[m].path)) + sub_mount_clear(s + i); +- else ++ else { + m = i; +- } ++ kept++; ++ } ++ if (kept < *n) ++ typesafe_qsort(s, *n, sub_mount_compare); ++ ++ *n = kept; + } + + int get_sub_mounts(const char *prefix, SubMount **ret_mounts, size_t *ret_n_mounts) { +@@ -1656,7 +1671,7 @@ int get_sub_mounts(const char *prefix, SubMount **ret_mounts, size_t *ret_n_moun + } + + typesafe_qsort(mounts, n, sub_mount_compare); +- sub_mount_drop(mounts, n); ++ sub_mount_drop(mounts, &n); + + *ret_mounts = TAKE_PTR(mounts); + *ret_n_mounts = n; +-- +2.53.0 + + +From 16f73fe32f615cd6c7de45aa1321afa7af4401e1 Mon Sep 17 00:00:00 2001 +From: Mathieu Tortuyaux +Date: Mon, 8 Jun 2026 14:43:07 +0200 +Subject: [PATCH 2/2] mount-util/sysext: Clone sub mounts as private to + preserve nested ones + +When nested mounts appear under a sysext hierarchy like this: + mkdir -p /opt/trigger/ + mount -t tmpfs tmpfs /opt/trigger + mkdir -p /opt/trigger/inner + mount -t tmpfs tmpfs /opt/trigger/inner +Then systemd-sysext merge will lose the inner mount because it uses a +regular bind mount with propagation and then unmounts the source, +unmounting all children with it which propagates (as found out in +https://github.com/flatcar/Flatcar/issues/2111). +To solve this, clone the sub mount with MS_PRIVATE to decouple sub +mounts from the original mount. Then attach the cloned mount instead of +doing regular bind mounts. For old kernels we still attach the cloned +mount but we fallback to cloning without MS_PRIVATE. 
This change also +affects mount_private_apivfs which is used for private /proc, /sys, and +cgroupfs but I think it makes sense there, too, instead of only doing +mount_setattr for sysext alone because, e.g., a container and the host +should not be leaking mount actions into each other for these mounts. + +Authored-by: Kai Luke +Signed-off-by: Mathieu Tortuyaux +--- + src/shared/mount-util.c | 31 +++++++++++++++++++++++++++---- + src/sysext/sysext.c | 8 ++++++-- + 2 files changed, 33 insertions(+), 6 deletions(-) + +diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c +index dbfd4e0df1..11a82b93ba 100644 +--- a/src/shared/mount-util.c ++++ b/src/shared/mount-util.c +@@ -1649,12 +1649,35 @@ int get_sub_mounts(const char *prefix, SubMount **ret_mounts, size_t *ret_n_moun + continue; + } + +- mount_fd = open(path, O_CLOEXEC|O_PATH); +- if (mount_fd < 0) { +- if (errno == ENOENT) /* The path may be hidden by another over-mount or already unmounted. */ ++ /* If possible on a newer kernel, use MS_PRIVATE to decouple it from the original ++ * mount. Otherwise MNT_DETACH of the source path could propagate through and ++ * unmount the just-moved nested children at the destination (relevant for ++ * preserving nested mounts under sysext hierarchies). */ ++ static bool mount_attr_unsupported = false; ++ ++ if (!mount_attr_unsupported) { ++ mount_fd = open_tree_attr_with_fallback( ++ AT_FDCWD, path, ++ OPEN_TREE_CLONE|OPEN_TREE_CLOEXEC|AT_RECURSIVE, ++ &(struct mount_attr) { .propagation = MS_PRIVATE }); ++ if (mount_fd == -ENOENT) /* The path may be hidden by another over-mount or already unmounted. */ + continue; ++ if (mount_fd < 0 && ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd)) { ++ /* On a kernel older than 5.12 without mount_setattr() we do the ++ * regular clone. Nested mounts under sysext and similar cases ++ * may get lost. 
*/ ++ log_debug_errno(mount_fd, "open_tree_attr() not supported, falling back to plain open_tree() without MS_PRIVATE: %m"); ++ mount_attr_unsupported = true; ++ } else if (mount_fd < 0) ++ return log_debug_errno(mount_fd, "Failed to open subtree of mounted filesystem '%s': %m", path); ++ } + +- return log_debug_errno(errno, "Failed to open subtree of mounted filesystem '%s': %m", path); ++ if (mount_attr_unsupported) { ++ mount_fd = RET_NERRNO(open_tree(AT_FDCWD, path, OPEN_TREE_CLONE|OPEN_TREE_CLOEXEC|AT_RECURSIVE)); ++ if (mount_fd == -ENOENT) ++ continue; ++ if (mount_fd < 0) ++ return log_debug_errno(mount_fd, "Failed to open subtree of mounted filesystem '%s': %m", path); + } + + p = strdup(path); +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 5d432b42da..78453cd9d6 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -321,9 +321,13 @@ static int move_submounts(const char *src, const char *dst) { + if (child_fd < 0) + return log_error_errno(errno, "Failed to pin mountpoint %s: %m", t); + +- r = mount_follow_verbose(LOG_ERR, m->path, FORMAT_PROC_FD_PATH(child_fd), /* fstype= */ NULL, MS_BIND|MS_REC, /* options= */ NULL); ++ /* Instead of a bind mount we attach the detached clone produced by ++ * open_tree_attr_with_fallback() from get_sub_mounts() because that has no propagation ++ * relationship with the original anymore and the MNT_DETACH below won't propagate for ++ * nested mounts. */ ++ r = RET_NERRNO(move_mount(m->mount_fd, "", child_fd, "", MOVE_MOUNT_F_EMPTY_PATH|MOVE_MOUNT_T_EMPTY_PATH)); + if (r < 0) +- return r; ++ return log_error_errno(r, "Failed to move mount %s to %s: %m", m->path, t); + + (void) umount_verbose(LOG_WARNING, m->path, MNT_DETACH); + } +-- +2.53.0 +
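Review bot: The function-scope `static bool mount_attr_unsupported` in get_sub_mounts() is latched on `ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd)`, which as far as I recall matches EOPNOTSUPP and friends and not only ENOSYS, so a single path whose clone fails with a not-supported error permanently switches every later get_sub_mounts() call in the process to the non-private open_tree() clone, silently reinstating the MNT_DETACH propagation this patch exists to prevent; the flag is also a plain non-atomic static shared across callers. I would latch the process-wide flag only on `mount_fd == -ENOSYS` (kernel lacks the syscall) and handle the other not-supported values with a loop-local flag so the plain clone is used for that path alone, logging it at debug level either way. The sysext.c comment added in the second nested hunk states unconditionally that the attached clone "has no propagation relationship with the original anymore", which is not true on the fallback path; consider appending `/* On kernels without mount_setattr() the clone is not private and the MNT_DETACH below may still propagate into nested mounts. */`. Both get_sub_mounts() and move_submounts() begin outside the nested hunks, so the surrounding error-handling convention could not be checked here.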