overlay sys-apps/systemd: Regenerate patches and add mutable overlays

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch

@@ -1,7 +1,7 @@
-From 02ebe43df912c7090a155484fbd1b422c4f438f4 Mon Sep 17 00:00:00 2001
+From 709544b1ab229f035b4848e134da1aab53d0cbed Mon Sep 17 00:00:00 2001
 From: David Michael <dm0@redhat.com>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 1/7] wait-online: set --any by default
+Subject: [PATCH 01/20] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are
@@ -15,10 +15,10 @@ earlier) for the original implementation.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
-index a679b858fa..3b6dad8d1d 100644
+index 5328bba2d8..95294df607 100644
 --- a/src/network/wait-online/wait-online.c
 +++ b/src/network/wait-online/wait-online.c
-@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL;
+@@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
  static char **arg_ignore = NULL;
  static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
  static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
@@ -28,5 +28,5 @@ index a679b858fa..3b6dad8d1d 100644
  STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
  STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
 -- 
-2.25.1
+2.34.1
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch

@@ -1,24 +1,24 @@
-From e124d3716ada4fc7c34278435a61d51b07b61024 Mon Sep 17 00:00:00 2001
+From 29e0d59627227fc490a1492ac8496d1e5811b13f Mon Sep 17 00:00:00 2001
 From: Nick Owens <nick.owens@coreos.com>
 Date: Tue, 2 Jun 2015 18:22:32 -0700
-Subject: [PATCH 2/7] networkd: default to "kernel" IPForwarding setting
+Subject: [PATCH 02/20] networkd: default to "kernel" IPForwarding setting
 
 ---
  src/network/networkd-network.c | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
-index a6c5b44238..54f9d12fec 100644
+index dcd3e5ae12..2ae481d1ec 100644
 --- a/src/network/networkd-network.c
 +++ b/src/network/networkd-network.c
-@@ -465,6 +465,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+@@ -461,6 +461,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                  .link_local = _ADDRESS_FAMILY_INVALID,
                  .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
 
 +                .ip_forward = _ADDRESS_FAMILY_INVALID,
                  .ipv4_accept_local = -1,
                  .ipv4_route_localnet = -1,
-                 .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+                 .ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID,
 -- 
-2.25.1
+2.34.1
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch

@@ -1,7 +1,7 @@
-From a8366f0ddffabef08c010064ea62e64d7276a0f3 Mon Sep 17 00:00:00 2001
+From 9bb87764a626c6c1d49dd13f403e71d96df5173a Mon Sep 17 00:00:00 2001
 From: Alex Crawford <alex.crawford@coreos.com>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 3/7] needs-update: don't require strictly newer usr
+Subject: [PATCH 03/20] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index a23d6a3e45..8ca1f4606f 100644
+index d3446e8a9d..3f7cc9ea58 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
-@@ -792,7 +792,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * First, compare seconds as they are always accurate...
           */
          if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@@ -35,7 +35,7 @@ index a23d6a3e45..8ca1f4606f 100644
 
          /*
           * ...then compare nanoseconds.
-@@ -803,7 +803,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * (otherwise the filesystem supports nsec timestamps, see stat(2)).
           */
          if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@@ -44,15 +44,15 @@ index a23d6a3e45..8ca1f4606f 100644
 
          _cleanup_free_ char *timestamp_str = NULL;
          r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
-@@ -823,7 +823,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
                  return true;
          }
 
 -        return timespec_load_nsec(&usr.st_mtim) > timestamp;
 +        return timespec_load_nsec(&usr.st_mtim) != timestamp;
  }
 
- static int condition_test_first_boot(Condition *c, char **env) {
+ static bool in_first_boot(void) {
 -- 
-2.25.1
+2.34.1
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch

@@ -1,7 +1,7 @@
-From 4cdbcf5df9a2fd165385465bd5be9b8cdb78f83a Mon Sep 17 00:00:00 2001
+From d14138ed97694a29ae7d51f291d7baa68d5ac5df Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH] [PATCH 4/7] core: use max for DefaultTasksMax
+Subject: [PATCH 04/20] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index 31b6421399..52819ae8b7 100644
+index 3c06b65f93..71f38692b6 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
-@@ -515,7 +515,7 @@
+@@ -501,7 +501,7 @@
          <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
          <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. This setting applies to all unit types that support resource control settings, with the exception
@@ -34,7 +34,7 @@ index 31b6421399..52819ae8b7 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index e8c747d96d..df9269aab8 100644
+index 88eebfc626..8992c8c3e3 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
 @@ -114,7 +114,7 @@
@@ -47,10 +47,10 @@ index e8c747d96d..df9269aab8 100644
  static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
  static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
 diff --git a/src/core/system.conf.in b/src/core/system.conf.in
-index 9b89a6aa77..5a7e92ab5a 100644
+index 05eb681270..94d0365244 100644
 --- a/src/core/system.conf.in
 +++ b/src/core/system.conf.in
-@@ -59,7 +59,7 @@
+@@ -58,7 +58,7 @@
  #DefaultIPAccounting=no
  #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
  #DefaultTasksAccounting=yes

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch

@@ -1,7 +1,7 @@
-From 0a5e52f5511cd7a5312d06abff12bc432bdedc96 Mon Sep 17 00:00:00 2001
+From f87a20a092938497efd6b510cc942a142b3eb56b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 5/7] systemd: Disable SELinux permissions checks
+Subject: [PATCH 05/20] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 11dbf4640e..c839a4f39e 100644
+index 62181a6309..448f9211d6 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -25,5 +25,5 @@ index 11dbf4640e..c839a4f39e 100644
  #include <errno.h>
  #include <selinux/avc.h>
 -- 
-2.25.1
+2.34.1
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,7 +1,7 @@
-From ede353ea720f07b7b19fa638d5a59a7471237e2d Mon Sep 17 00:00:00 2001
+From 3640a636f29063d4d409a185ec595a8413f2fa2e Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <schowdhury@microsoft.com>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 6/7] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 06/20] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -17,7 +17,7 @@ Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
  4 files changed, 4 insertions(+), 12 deletions(-)
 
 diff --git a/units/console-getty.service.in b/units/console-getty.service.in
-index 606b7dbe16..54fd7c292d 100644
+index d64112be5e..b908708d8c 100644
 --- a/units/console-getty.service.in
 +++ b/units/console-getty.service.in
 @@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
@@ -35,7 +35,7 @@ index 606b7dbe16..54fd7c292d 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
-index 8d7e20d5ec..5f095f48b0 100644
+index 8847d735fb..8be25663f5 100644
 --- a/units/container-getty@.service.in
 +++ b/units/container-getty@.service.in
 @@ -27,13 +27,11 @@ Before=rescue.service
@@ -54,7 +54,7 @@ index 8d7e20d5ec..5f095f48b0 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/getty@.service.in b/units/getty@.service.in
-index 21d66f9367..78deb7cffe 100644
+index 80b8f3e922..b57666c123 100644
 --- a/units/getty@.service.in
 +++ b/units/getty@.service.in
 @@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
@@ -73,7 +73,7 @@ index 21d66f9367..78deb7cffe 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
-index 2433124c55..bb7af3105d 100644
+index 6bf101eac9..479b8759a9 100644
 --- a/units/serial-getty@.service.in
 +++ b/units/serial-getty@.service.in
 @@ -33,12 +33,10 @@ Before=rescue.service
@@ -91,5 +91,5 @@ index 2433124c55..bb7af3105d 100644
  TTYReset=yes
  TTYVHangup=yes
 -- 
-2.25.1
+2.34.1
 

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch

@@ -1,7 +1,7 @@
-From 44374d98fb65ff5fdbc2a7d07a076b50b8f2b003 Mon Sep 17 00:00:00 2001
+From ba276e3ee8f31e8a5abb59cb168681502aa075ce Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:29:04 +0000
-Subject: [PATCH] [PATCH 7/7] units: Keep using old journal file format
+Subject: [PATCH 07/20] units: Keep using old journal file format
 
 Systemd 252 made an incompatible change in journal file format. Temporarily
 force journald to use the old journal format to give logging containers more

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch

@@ -0,0 +1,77 @@
+From c98027ec7424c336df9e1065121fb5d911cc0dd8 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <knowak@microsoft.com>
+Date: Tue, 23 Jan 2024 10:44:23 +0100
+Subject: [PATCH 08/20] mount-util: Add a helper for remounting a bind mount
+
+---
+ src/shared/mount-util.c    | 10 ++++++++++
+ src/shared/mount-util.h    |  1 +
+ src/test/test-mount-util.c | 19 +++++++++++++++++++
+ 3 files changed, 30 insertions(+)
+
+diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
+index 4f2acce513..dd9a995fb6 100644
+--- a/src/shared/mount-util.c
++++ b/src/shared/mount-util.c
+@@ -453,6 +453,16 @@ int bind_remount_one_with_mountinfo(
+         return 0;
+ }
+
++int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask) {
++        _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
++
++        proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
++        if (!proc_self_mountinfo)
++                return log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
++
++        return bind_remount_one_with_mountinfo(path, new_flags, flags_mask, proc_self_mountinfo);
++}
++
+ static int mount_switch_root_pivot(int fd_newroot, const char *path) {
+         assert(fd_newroot >= 0);
+         assert(path);
+diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
+index ef31104900..679c94c950 100644
+--- a/src/shared/mount-util.h
++++ b/src/shared/mount-util.h
+@@ -26,6 +26,7 @@ static inline int bind_remount_recursive(const char *prefix, unsigned long new_f
+ }
+
+ int bind_remount_one_with_mountinfo(const char *path, unsigned long new_flags, unsigned long flags_mask, FILE *proc_self_mountinfo);
++int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask);
+
+ int mount_switch_root_full(const char *path, unsigned long mount_propagation_flag, bool force_ms_move);
+ static inline int mount_switch_root(const char *path, unsigned long mount_propagation_flag) {
+diff --git a/src/test/test-mount-util.c b/src/test/test-mount-util.c
+index c3d0acb6af..73152ffd55 100644
+--- a/src/test/test-mount-util.c
++++ b/src/test/test-mount-util.c
+@@ -213,6 +213,25 @@ TEST(bind_remount_one) {
+                 _exit(EXIT_SUCCESS);
+         }
+
++        assert_se(wait_for_terminate_and_check("test-remount-one-with-mountinfo", pid, WAIT_LOG) == EXIT_SUCCESS);
++
++        pid = fork();
++        assert_se(pid >= 0);
++
++        if (pid == 0) {
++                /* child */
++
++                assert_se(detach_mount_namespace() >= 0);
++
++                assert_se(bind_remount_one("/run", MS_RDONLY, MS_RDONLY) >= 0);
++                assert_se(bind_remount_one("/run", MS_NOEXEC, MS_RDONLY|MS_NOEXEC) >= 0);
++                assert_se(bind_remount_one("/proc/idontexist", MS_RDONLY, MS_RDONLY) == -ENOENT);
++                assert_se(bind_remount_one("/proc/self", MS_RDONLY, MS_RDONLY) == -EINVAL);
++                assert_se(bind_remount_one("/", MS_RDONLY, MS_RDONLY) >= 0);
++
++                _exit(EXIT_SUCCESS);
++        }
++
+         assert_se(wait_for_terminate_and_check("test-remount-one", pid, WAIT_LOG) == EXIT_SUCCESS);
+ }
+
+-- 
+2.34.1
+

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-sysext-Do-not-log-failed-unmount-error-again.patch

@@ -0,0 +1,26 @@
+From 02f43475f4ffe39e48edfe5a2b40cd1f28d5fab8 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <knowak@microsoft.com>
+Date: Thu, 15 Feb 2024 14:59:19 +0100
+Subject: [PATCH 09/20] sysext: Do not log failed unmount error again
+
+umount_verbose is already doing it for us.
+---
+ src/sysext/sysext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
+index 8dc515e4d5..afd79c3868 100644
+--- a/src/sysext/sysext.c
++++ b/src/sysext/sysext.c
+@@ -264,7 +264,7 @@ static int unmerge_hierarchy(
+
+                 r = umount_verbose(LOG_ERR, p, MNT_DETACH|UMOUNT_NOFOLLOW);
+                 if (r < 0)
+-                        return log_error_errno(r, "Failed to unmount file system '%s': %m", p);
++                        return r;
+
+                 log_info("Unmerged '%s'.", p);
+         }
+-- 
+2.34.1
+