Merge pull request #3409 from flatcar/krnowak/systemd-cleanups

overlay sys-apps/systemd: Move to portage-stable

Author: krnowak

.github/workflows/portage-stable-packages-list

@@ -625,6 +625,7 @@ sys-apps/sed
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
+sys-apps/systemd
 sys-apps/texinfo
 sys-apps/usbutils
 sys-apps/util-linux

changelog/updates/2025-10-29-systemd-update.md

@@ -0,0 +1 @@
+- systemd (257.9)

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd

@@ -1,20 +1,177 @@
-cros_post_src_install_timesync() {
-  local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
-  mkdir -p "${dir}"
-  pushd "${dir}"
-  cat <<EOF >flatcar.conf || die
+flatcar_systemd_meson_args_array=(
+    # Point to our user mailing list.
+    -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user'
+
+    # Use our ntp servers.
+    -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
+
+    # Specify this, or meson breaks due to no /etc/login.defs.
+    -Dsystem-gid-max=999
+    -Dsystem-uid-max=999
+
+    # PAM config directory.
+    -Dpamconfdir="${EPREFIX}/usr/share/pam.d"
+
+    # The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by timesyncd
+    # as a sanity check for the minimum acceptable time. Explicitly
+    # set to avoid using the current build time.
+    -Dtime-epoch=1372636800
+
+    # No default name servers.
+    -Ddns-servers=
+
+    # Disable the "First Boot Wizard", it isn't very applicable to us.
+    -Dfirstboot=false
+
+    # Set latest network interface naming scheme for
+    # https://github.com/flatcar/Flatcar/issues/36
+    -Ddefault-net-naming-scheme=latest
+
+    # Combined log format: name plus description
+    -Dstatus-unit-format-default=combined
+
+    # Disable multicast-dns, Link-Local Multicast Name Resolution and
+    # dnssec
+    -Ddefault-mdns=no
+    -Ddefault-llmnr=no
+    -Ddefault-dnssec=no
+)
+export MYMESONARGS="${flatcar_systemd_meson_args_array[*]@Q}"
+unset 'flatcar_systemd_meson_args_array'
+
+# Save the original path to systemctl command, so we can use it for
+# presetting, even after stubbing systemctl out below.
+if [[ -z ${flatcar_hacked_systemctl} ]]; then
+    flatcar_hacked_systemctl=$(command -v systemctl) || die "systemctl not found"
+fi
+# Stubbed out completely - it is being invoked in the pkg_postinst to
+# enable getty service and do some reexecs/reloads. None of these are
+# necessary for us.
+systemctl() {
+    :
+}
+
+flatcar_systemctl_preset() {
+    local scope=${1}
+
+    local systemctl_scope_arg
+    case ${scope} in
+        system) systemctl_scope_arg=--system;;
+        user) systemctl_scope_arg=--global;; # don't ask, using --user
+                                             # results in an "invalid
+                                             # argument" error
+        *) die "wrong scope ${scope@Q}, ought to be either system or user";;
+    esac
+
+    "${flatcar_hacked_systemctl}" --root="${ED}" "${systemctl_scope_arg}" --preset-mode=enable-only preset-all || die
+
+    local escaped_path
+    escaped_path=$(printf '%s' "${ED}/etc/systemd/" | sed -e 's/[#\&]/\\&/g') || die
+
+    # make symlinks relative
+    find "${ED}/etc/systemd/${scope}" -type l -lname "/usr/lib/systemd/${scope}/*" -printf "%l\0%p\0" | \
+        sed -z -e "s#^/usr/lib/systemd/#${escaped_path}#" | \
+        xargs -0 -n2 ln -sfTr || die
+
+    # This will print an error like:
+    #
+    # tar: <PATH TO /etc/systemd/${scope}: Cannot rmdir: Directory not empty
+    #
+    # It's fine, ignore it. We excluded .keep file from putting into
+    # tarball, so we can preserve the toplevel directory. Avoiding the
+    # warning only results in stupid complexity.
+    tar --create --exclude='.keep*' --remove-files --directory "${ED}/etc/systemd/${scope}" . | \
+        tar --extract --directory "${ED}/usr/lib/systemd/${scope}"
+}
+
+cros_post_src_install_flatcar_stuff() {
+    # We provide our own systemd-user config file in baselayout.
+    #
+    # This one is installed by systemd build system regardless of
+    # USE=pam (the ebuild ought to pass -Dpamconfdir=no to disable the
+    # installation).
+    rm "${ED}/usr/share/pam.d/systemd-user" || die
+    # This one is installed by Gentoo's systemd ebuild only if USE=pam
+    # is enabled.
+    if use pam; then
+        rm "${ED}/etc/pam.d/systemd-user" || die
+    fi
+
+    # Ensure journal directory has correct ownership/mode in inital
+    # image. This is fixed by systemd-tmpfiles *but* journald starts
+    # before that and will create the journal if the filesystem is
+    # already read-write. Conveniently the systemd build system sets
+    # this up completely wrong.
+    keepdir /var/log/journal
+    fowners root:systemd-journal /var/log/journal
+    fperms 2755 /var/log/journal
+
+    keepdir /var/log/journal/remote
+    fowners systemd-journal-remote:systemd-journal-remote /var/log/journal/remote
+
+    (
+        insopts -m 0644
+        insinto /usr/lib/tmpfiles.d
+        # Add tmpfiles rule for resolv.conf. This path has changed
+        # after v213 so it must be handled here instead of baselayout
+        # now.
+        newins - systemd-resolv.conf <<'EOF'
+d   /run/systemd/network                -   -   -   -   -
+L   /run/systemd/network/resolv.conf    -   -   -   -   ../resolve/resolv.conf
+EOF
+    )
+
+    # Don't set any extra environment variables by default.
+    rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
+
+    # enable system units
+    flatcar_systemctl_preset system
+    # enable user units
+    flatcar_systemctl_preset user
+
+    # Use an empty preset file, because systemctl preset-all puts
+    # symlinks in /etc, not in /usr. We don't use /etc, because it is
+    # not autoupdated. We do the "preset" above.
+    rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
+    rm "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" || die
+    (
+        insinto /usr/lib/systemd/system-preset
+        newins - 99-default.preset <<'EOF'
+# Do not enable any services if /etc is detected as empty.
+disable *
+EOF
+        insinto /usr/lib/systemd/user-preset
+        newins - 99-default.preset <<'EOF'
+# Do not enable any services if /etc is detected as empty.
+disable *
+EOF
+    )
+
+    # Do not ship distro-specific files (nsswitch.conf pam.d). This
+    # conflicts with our own configuration provided by baselayout.
+    rm -r "${ED}"/usr/share/factory || die
+    sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
+        -e '/^C!* \/etc\/nsswitch\.conf/d' \
+        -e '/^C!* \/etc\/pam\.d/d' \
+        -e '/^C!* \/etc\/issue/d' || die
+
+    (
+        # Some OEMs prefer chronyd, so allow them to replace
+        # systemd-timesyncd with it.
+        insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
+        newins - flatcar.conf <<'EOF'
 # Allow sysexts to ship timesyncd replacements which can have
 # a Conflicts=systemd-timesyncd directive that would result
 # in systemd-timesyncd not being started.
 [Unit]
 After=ensure-sysext.service
 EOF
-  popd
-}
+    )
 
-cros_post_src_install_udev() {
-  insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
-  newins - flatcar.conf <<EOF
+    (
+        # Allow @mount syscalls for systemd-udevd.service
+        insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
+        newins - flatcar.conf <<'EOF'
 # In Flatcar we are using modprobe helpers that run depmod in temporary
 # overlay. systemd-udevd.service may try to load drivers for some block devices
 # (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
@@ -23,4 +180,5 @@ cros_post_src_install_udev() {
 [Service]
 SystemCallFilter=@mount
 EOF
+    )
 }

…001-wait-online-set-any-by-default.patch …001-wait-online-set-any-by-default.patchsdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch

@@ -1,4 +1,4 @@
-From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001
+From 83043596b6cc74b6f049999fa660afd983dc493a Mon Sep 17 00:00:00 2001
 From: David Michael <[email protected]>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
 Subject: [PATCH 1/8] wait-online: set --any by default
@@ -15,18 +15,18 @@ earlier) for the original implementation.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
-index 5328bba2d8..95294df607 100644
+index 6f5aef903a..0acb3e76b9 100644
 --- a/src/network/wait-online/wait-online.c
 +++ b/src/network/wait-online/wait-online.c
 @@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
  static char **arg_ignore = NULL;
- static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+ static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID;
  static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
 -static bool arg_any = false;
 +static bool arg_any = true;
 
  STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
  STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
 -- 
-2.34.1
+2.51.0
 

…e-don-t-require-strictly-newer-usr.patch …e-don-t-require-strictly-newer-usr.patchsdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch

@@ -1,7 +1,7 @@
-From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001
+From 3d6bfde35c8ce5c21ca55104852a319246a92bb8 Mon Sep 17 00:00:00 2001
 From: Alex Crawford <[email protected]>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
+Subject: [PATCH 2/8] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -10,7 +10,7 @@ Updates should be triggered whenever usr changes, not only when it is newer.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
-index 3393010ff6..5478baca25 100644
+index 6b863ecff3..c166c5e7ab 100644
 --- a/man/systemd-update-done.service.xml
 +++ b/man/systemd-update-done.service.xml
 @@ -50,7 +50,7 @@
@@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index d3446e8a9d..3f7cc9ea58 100644
+index 1a03fdbe37..8577c35fa0 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
-@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * First, compare seconds as they are always accurate...
           */
          if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@@ -35,7 +35,7 @@ index d3446e8a9d..3f7cc9ea58 100644
 
          /*
           * ...then compare nanoseconds.
-@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * (otherwise the filesystem supports nsec timestamps, see stat(2)).
           */
          if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@@ -44,7 +44,7 @@ index d3446e8a9d..3f7cc9ea58 100644
 
          _cleanup_free_ char *timestamp_str = NULL;
          r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
-@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
                  return true;
          }
 
@@ -54,5 +54,5 @@ index d3446e8a9d..3f7cc9ea58 100644
 
  static bool in_first_boot(void) {
 -- 
-2.34.1
+2.51.0
 

…4-core-use-max-for-DefaultTasksMax.patch …3-core-use-max-for-DefaultTasksMax.patchsdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch

@@ -1,7 +1,7 @@
-From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001
+From 6f691278df570cc87cb863a98fe320a1997c6dad Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <[email protected]>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 4/8] core: use max for DefaultTasksMax
+Subject: [PATCH 3/8] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu <[email protected]>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index 3c06b65f93..71f38692b6 100644
+index f7b414da5c..9c07e235ab 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
-@@ -501,7 +501,7 @@
+@@ -230,7 +230,7 @@
          <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
          <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. This setting applies to all unit types that support resource control settings, with the exception
@@ -34,10 +34,10 @@ index 3c06b65f93..71f38692b6 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 88eebfc626..8992c8c3e3 100644
+index 4ccaba9054..3ab59c5bb3 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -114,7 +114,7 @@
+@@ -117,7 +117,7 @@
  /* How many units and jobs to process of the bus queue before returning to the event loop. */
  #define MANAGER_BUS_MESSAGE_BUDGET 100U
 
@@ -47,10 +47,10 @@ index 88eebfc626..8992c8c3e3 100644
  static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
  static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
 diff --git a/src/core/system.conf.in b/src/core/system.conf.in
-index 05eb681270..94d0365244 100644
+index 1c08aa4d22..2faea3605e 100644
 --- a/src/core/system.conf.in
 +++ b/src/core/system.conf.in
-@@ -58,7 +58,7 @@
+@@ -59,7 +59,7 @@
  #DefaultIPAccounting=no
  #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
  #DefaultTasksAccounting=yes
@@ -60,5 +60,5 @@ index 05eb681270..94d0365244 100644
  #DefaultLimitFSIZE=
  #DefaultLimitDATA=
 -- 
-2.34.1
+2.51.0
 

…Disable-SELinux-permissions-checks.patch …Disable-SELinux-permissions-checks.patchsdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch

@@ -1,7 +1,7 @@
-From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001
+From 78b2d8b1a6df073003d64cffa532c3a320e96ad4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <[email protected]>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
+Subject: [PATCH 4/8] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 62181a6309..448f9211d6 100644
+index a67a520a3b..3365b920eb 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -25,5 +25,5 @@ index 62181a6309..448f9211d6 100644
  #include <errno.h>
  #include <selinux/avc.h>
 -- 
-2.34.1
+2.51.0
 

…tty-to-use-by-agetty-via-stdin-257.patch …ass-tty-to-use-by-agetty-via-stdin.patchsdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch renamed to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,7 +1,7 @@
-From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From 8064e1544a2b89f8389c0469ed4879a287a045a7 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <[email protected]>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 5/8] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -90,3 +90,6 @@ index 20a5eb2754..ba4cbc0edb 100644
  TTYPath=/dev/%I
  TTYReset=yes
  TTYVHangup=yes
+-- 
+2.51.0
+