From f709d08304823c97f08b4bf3a20ce01d893f7f7d Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 26 Mar 2024 15:51:18 +0100 Subject: [PATCH] overlay sys-apps/systemd: Apply Flatcar modifications --- .../0001-wait-online-set-any-by-default.patch | 32 ++ ...fault-to-kernel-IPForwarding-setting.patch | 24 + ...ate-don-t-require-strictly-newer-usr.patch | 58 ++ ...004-core-use-max-for-DefaultTasksMax.patch | 64 +++ ...d-Disable-SELinux-permissions-checks.patch | 29 + ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 95 ++++ ...s-Keep-using-old-journal-file-format.patch | 42 ++ ...a-helper-for-remounting-a-bind-mount.patch | 77 +++ ...o-not-log-failed-unmount-error-again.patch | 26 + ...t-Factor-out-adding-overlayfs-option.patch | 68 +++ ...xt-Refactor-the-merge-hierarchy-code.patch | 449 +++++++++++++++ ...al-support-for-optional-mutability-f.patch | 533 ++++++++++++++++++ .../0013-sysext-Add-mutable-mode-flag.patch | 169 ++++++ ...ing-mutable-mode-to-a-separate-funct.patch | 63 +++ ...rt-for-mutable-mode-environment-vari.patch | 69 +++ ...-missing-mutable-mode-in-help-output.patch | 25 + ...0017-sysext-Implement-ephemeral-mode.patch | 205 +++++++ ...sext-Implement-ephemeral-import-mode.patch | 237 ++++++++ ...fail-the-whole-operation-if-sd-merge.patch | 30 + ...-trying-to-import-mutable-layer-that.patch | 43 ++ .../sys-apps/systemd/files/99-default.preset | 2 + .../sys-apps/systemd/files/nsswitch.conf | 27 - .../systemd/files/systemd-flatcar.conf | 10 + .../systemd/files/systemd-resolv.conf | 2 + .../sys-apps/systemd/files/systemd-user.pam | 5 - .../sys-apps/systemd/systemd-255.4.ebuild | 279 ++++++++- 26 files changed, 2603 insertions(+), 60 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-sysext-Do-not-log-failed-unmount-error-again.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-sysext-Factor-out-adding-overlayfs-option.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-sysext-Refactor-the-merge-hierarchy-code.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0012-sysext-Add-minimal-support-for-optional-mutability-f.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0013-sysext-Add-mutable-mode-flag.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0014-sysext-Move-parsing-mutable-mode-to-a-separate-funct.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0015-sysext-Add-support-for-mutable-mode-environment-vari.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0016-sysext-Add-missing-mutable-mode-in-help-output.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0017-sysext-Implement-ephemeral-mode.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0018-sysext-Implement-ephemeral-import-mode.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0019-sysext-Actually-fail-the-whole-operation-if-sd-merge.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0020-sysext-Fail-when-trying-to-import-mutable-layer-that.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch new file mode 100644 index 00000000000..e52eb019fa5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch @@ -0,0 +1,32 @@ +From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Tue, 16 Apr 2019 02:44:51 +0000 +Subject: [PATCH 01/20] wait-online: set --any by default + +The systemd-networkd-wait-online command would normally continue +waiting after a network interface is usable if other interfaces are +still configuring. There is a new flag --any to change this. + +Preserve previous Container Linux behavior for compatibility by +setting the --any flag by default. See patches from v241 (or +earlier) for the original implementation. +--- + src/network/wait-online/wait-online.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c +index 5328bba2d8..95294df607 100644 +--- a/src/network/wait-online/wait-online.c ++++ b/src/network/wait-online/wait-online.c +@@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL; + static char **arg_ignore = NULL; + static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; + static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; +-static bool arg_any = false; ++static bool arg_any = true; + + STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); + STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch new file mode 100644 index 00000000000..7cc5ea3be51 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch @@ -0,0 +1,24 @@ +From e3fd50ec704b5d48e9d756c1cc5c40e72b7d1fa4 Mon Sep 17 00:00:00 2001 +From: Nick Owens +Date: Tue, 2 Jun 2015 18:22:32 -0700 +Subject: [PATCH 02/20] networkd: default to "kernel" IPForwarding setting + +--- + src/network/networkd-network.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index dcd3e5ae12..2ae481d1ec 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -461,6 +461,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi + .link_local = _ADDRESS_FAMILY_INVALID, + .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID, + ++ .ip_forward = _ADDRESS_FAMILY_INVALID, + .ipv4_accept_local = -1, + .ipv4_route_localnet = -1, + .ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID, +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch new file mode 100644 index 00000000000..f25144513a8 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch @@ -0,0 +1,58 @@ +From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001 +From: Alex Crawford +Date: Wed, 2 Mar 2016 10:46:33 -0800 +Subject: [PATCH 03/20] needs-update: don't require strictly newer usr + +Updates should be triggered whenever usr changes, not only when it is newer. +--- + man/systemd-update-done.service.xml | 2 +- + src/shared/condition.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml +index 3393010ff6..5478baca25 100644 +--- a/man/systemd-update-done.service.xml ++++ b/man/systemd-update-done.service.xml +@@ -50,7 +50,7 @@ + ConditionNeedsUpdate= (see + systemd.unit5) + condition to make sure to run when /etc/ or +- /var/ are older than /usr/ ++ /var/ aren't the same age as /usr/ + according to the modification times of the files described above. + This requires that updates to /usr/ are always + followed by an update of the modification time of +diff --git a/src/shared/condition.c b/src/shared/condition.c +index d3446e8a9d..3f7cc9ea58 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * First, compare seconds as they are always accurate... + */ + if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) +- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; ++ return true; + + /* + * ...then compare nanoseconds. +@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * (otherwise the filesystem supports nsec timestamps, see stat(2)). + */ + if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) +- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; ++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; + + _cleanup_free_ char *timestamp_str = NULL; + r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); +@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + return true; + } + +- return timespec_load_nsec(&usr.st_mtim) > timestamp; ++ return timespec_load_nsec(&usr.st_mtim) != timestamp; + } + + static bool in_first_boot(void) { +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch new file mode 100644 index 00000000000..f02587254fa --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch @@ -0,0 +1,64 @@ +From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Fri, 16 Feb 2024 11:22:08 +0000 +Subject: [PATCH 04/20] core: use max for DefaultTasksMax + +Since systemd v228, systemd has a DefaultTasksMax which defaulted +to 512, later 15% of the system's maximum number of PIDs. This +limit is low and a change in behavior that people running services +in containers will hit frequently, so revert to previous behavior. + +Though later the TasksMax was changed in the a dynamic property to +accommodate stale values. + +This change is built on previous patch by David Michael(dm0-). + +Signed-off-by: Adrian Vladu +--- + man/systemd-system.conf.xml | 2 +- + src/core/manager.c | 2 +- + src/core/system.conf.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index 3c06b65f93..71f38692b6 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -501,7 +501,7 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 100% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. + For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, +diff --git a/src/core/manager.c b/src/core/manager.c +index 88eebfc626..8992c8c3e3 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -114,7 +114,7 @@ + /* How many units and jobs to process of the bus queue before returning to the event loop. */ + #define MANAGER_BUS_MESSAGE_BUDGET 100U + +-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */ + + static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); + static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 05eb681270..94d0365244 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -58,7 +58,7 @@ + #DefaultIPAccounting=no + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=100% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch new file mode 100644 index 00000000000..b5a91c6dca9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch @@ -0,0 +1,29 @@ +From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 20 Dec 2016 16:43:22 +0000 +Subject: [PATCH 05/20] systemd: Disable SELinux permissions checks + +We don't care about the interaction between systemd and SELinux policy, so +let's just disable these checks rather than having to incorporate policy +support. This has no impact on our SELinux use-case, which is purely intended +to limit containers and not anything running directly on the host. +--- + src/core/selinux-access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c +index 62181a6309..448f9211d6 100644 +--- a/src/core/selinux-access.c ++++ b/src/core/selinux-access.c +@@ -2,7 +2,7 @@ + + #include "selinux-access.h" + +-#if HAVE_SELINUX ++#if 0 + + #include + #include +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch new file mode 100644 index 00000000000..5395c142b0a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -0,0 +1,95 @@ +From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001 +From: Sayan Chowdhury +Date: Fri, 16 Dec 2022 16:28:26 +0530 +Subject: [PATCH 06/20] Revert "getty: Pass tty to use by agetty via stdin" + +This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. + +This is to work around a SELinux denial that happens when setting up standard +input for serial consoles (which is used for SSH connections). + +Signed-off-by: Sayan Chowdhury +--- + units/console-getty.service.in | 4 +--- + units/container-getty@.service.in | 4 +--- + units/getty@.service.in | 4 +--- + units/serial-getty@.service.in | 4 +--- + 4 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/units/console-getty.service.in b/units/console-getty.service.in +index d64112be5e..b908708d8c 100644 +--- a/units/console-getty.service.in ++++ b/units/console-getty.service.in +@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console + [Service] + # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), + # followed by '--' for safety, and then the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM + Type=idle + Restart=always + UtmpIdentifier=cons +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/console + TTYReset=yes + TTYVHangup=yes +diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in +index 8847d735fb..8be25663f5 100644 +--- a/units/container-getty@.service.in ++++ b/units/container-getty@.service.in +@@ -27,13 +27,11 @@ Before=rescue.service + [Service] + # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), + # followed by '--' for safety, and then the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=pts/%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/pts/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/getty@.service.in b/units/getty@.service.in +index 80b8f3e922..b57666c123 100644 +--- a/units/getty@.service.in ++++ b/units/getty@.service.in +@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0 + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM + Type=idle + Restart=always + RestartSec=0 + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in +index 6bf101eac9..479b8759a9 100644 +--- a/units/serial-getty@.service.in ++++ b/units/serial-getty@.service.in +@@ -33,12 +33,10 @@ Before=rescue.service + # The '-o' option value tells agetty to replace 'login' arguments with an + # option to preserve environment (-p), followed by '--' for safety, and then + # the entered username. +-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM ++ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM + Type=idle + Restart=always + UtmpIdentifier=%I +-StandardInput=tty +-StandardOutput=tty + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch new file mode 100644 index 00000000000..677566e016f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch @@ -0,0 +1,42 @@ +From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Fri, 16 Feb 2024 11:29:04 +0000 +Subject: [PATCH 07/20] units: Keep using old journal file format + +Systemd 252 made an incompatible change in journal file format. Temporarily +force journald to use the old journal format to give logging containers more +time to adapt to the new format. + +Signed-off-by: Adrian Vladu +--- + units/systemd-journald.service.in | 1 + + units/systemd-journald@.service.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 37eeabc510..e5030a81bd 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes + + [Service] + DeviceAllow=char-* rw ++Environment=SYSTEMD_JOURNAL_COMPACT=0 + ExecStart={{LIBEXECDIR}}/systemd-journald + FileDescriptorStoreMax=4224 + IPAddressDeny=any +diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in +index c3bcb08533..8780783cf6 100644 +--- a/units/systemd-journald@.service.in ++++ b/units/systemd-journald@.service.in +@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target + [Service] + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + DevicePolicy=closed ++Environment=SYSTEMD_JOURNAL_COMPACT=0 + ExecStart={{LIBEXECDIR}}/systemd-journald %i + FileDescriptorStoreMax=4224 + Group=systemd-journal +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch new file mode 100644 index 00000000000..616a0bc6591 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch @@ -0,0 +1,77 @@ +From 48479e038f60347c2dd318887d9b787bb04a512d Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Tue, 23 Jan 2024 10:44:23 +0100 +Subject: [PATCH 08/20] mount-util: Add a helper for remounting a bind mount + +--- + src/shared/mount-util.c | 10 ++++++++++ + src/shared/mount-util.h | 1 + + src/test/test-mount-util.c | 19 +++++++++++++++++++ + 3 files changed, 30 insertions(+) + +diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c +index 4f2acce513..dd9a995fb6 100644 +--- a/src/shared/mount-util.c ++++ b/src/shared/mount-util.c +@@ -453,6 +453,16 @@ int bind_remount_one_with_mountinfo( + return 0; + } + ++int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask) { ++ _cleanup_fclose_ FILE *proc_self_mountinfo = NULL; ++ ++ proc_self_mountinfo = fopen("/proc/self/mountinfo", "re"); ++ if (!proc_self_mountinfo) ++ return log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m"); ++ ++ return bind_remount_one_with_mountinfo(path, new_flags, flags_mask, proc_self_mountinfo); ++} ++ + static int mount_switch_root_pivot(int fd_newroot, const char *path) { + assert(fd_newroot >= 0); + assert(path); +diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h +index ef31104900..679c94c950 100644 +--- a/src/shared/mount-util.h ++++ b/src/shared/mount-util.h +@@ -26,6 +26,7 @@ static inline int bind_remount_recursive(const char *prefix, unsigned long new_f + } + + int bind_remount_one_with_mountinfo(const char *path, unsigned long new_flags, unsigned long flags_mask, FILE *proc_self_mountinfo); ++int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask); + + int mount_switch_root_full(const char *path, unsigned long mount_propagation_flag, bool force_ms_move); + static inline int mount_switch_root(const char *path, unsigned long mount_propagation_flag) { +diff --git a/src/test/test-mount-util.c b/src/test/test-mount-util.c +index c3d0acb6af..73152ffd55 100644 +--- a/src/test/test-mount-util.c ++++ b/src/test/test-mount-util.c +@@ -213,6 +213,25 @@ TEST(bind_remount_one) { + _exit(EXIT_SUCCESS); + } + ++ assert_se(wait_for_terminate_and_check("test-remount-one-with-mountinfo", pid, WAIT_LOG) == EXIT_SUCCESS); ++ ++ pid = fork(); ++ assert_se(pid >= 0); ++ ++ if (pid == 0) { ++ /* child */ ++ ++ assert_se(detach_mount_namespace() >= 0); ++ ++ assert_se(bind_remount_one("/run", MS_RDONLY, MS_RDONLY) >= 0); ++ assert_se(bind_remount_one("/run", MS_NOEXEC, MS_RDONLY|MS_NOEXEC) >= 0); ++ assert_se(bind_remount_one("/proc/idontexist", MS_RDONLY, MS_RDONLY) == -ENOENT); ++ assert_se(bind_remount_one("/proc/self", MS_RDONLY, MS_RDONLY) == -EINVAL); ++ assert_se(bind_remount_one("/", MS_RDONLY, MS_RDONLY) >= 0); ++ ++ _exit(EXIT_SUCCESS); ++ } ++ + assert_se(wait_for_terminate_and_check("test-remount-one", pid, WAIT_LOG) == EXIT_SUCCESS); + } + +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-sysext-Do-not-log-failed-unmount-error-again.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-sysext-Do-not-log-failed-unmount-error-again.patch new file mode 100644 index 00000000000..119c5809c3b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-sysext-Do-not-log-failed-unmount-error-again.patch @@ -0,0 +1,26 @@ +From d6533bce4a4ead63f720d7fff523a41533c0089b Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 15 Feb 2024 14:59:19 +0100 +Subject: [PATCH 09/20] sysext: Do not log failed unmount error again + +umount_verbose is already doing it for us. +--- + src/sysext/sysext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 8dc515e4d5..afd79c3868 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -264,7 +264,7 @@ static int unmerge_hierarchy( + + r = umount_verbose(LOG_ERR, p, MNT_DETACH|UMOUNT_NOFOLLOW); + if (r < 0) +- return log_error_errno(r, "Failed to unmount file system '%s': %m", p); ++ return r; + + log_info("Unmerged '%s'.", p); + } +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-sysext-Factor-out-adding-overlayfs-option.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-sysext-Factor-out-adding-overlayfs-option.patch new file mode 100644 index 00000000000..e92a267a66a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-sysext-Factor-out-adding-overlayfs-option.patch @@ -0,0 +1,68 @@ +From ef70e823fb8c306efeb334bd88c438402ebc2fbc Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 15 Feb 2024 15:01:20 +0100 +Subject: [PATCH 10/20] sysext: Factor out adding overlayfs option + +We will use it later when adding workdir and upperdir options for overlayfs +mount operation. +--- + src/sysext/sysext.c | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index afd79c3868..1c65bd5f65 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -474,6 +474,31 @@ static int verb_status(int argc, char **argv, void *userdata) { + return ret; + } + ++static int append_overlayfs_path_option( ++ char **options, ++ const char *separator, ++ const char *option, ++ const char *path) { ++ ++ _cleanup_free_ char *escaped = NULL; ++ ++ assert(options); ++ assert(separator); ++ assert(path); ++ ++ escaped = shell_escape(path, ",:"); ++ if (!escaped) ++ return log_oom(); ++ ++ if (option) { ++ if (!strextend(options, separator, option, "=", escaped)) ++ return log_oom(); ++ } else if (!strextend(options, separator, escaped)) ++ return log_oom(); ++ ++ return 0; ++} ++ + static int mount_overlayfs( + ImageClass image_class, + int noexec, +@@ -492,14 +517,9 @@ static int mount_overlayfs( + return log_oom(); + + STRV_FOREACH(l, layers) { +- _cleanup_free_ char *escaped = NULL; +- +- escaped = shell_escape(*l, ",:"); +- if (!escaped) +- return log_oom(); +- +- if (!strextend(&options, separator ? ":" : "", escaped)) +- return log_oom(); ++ r = append_overlayfs_path_option(&options, separator ? ":" : "", NULL, *l); ++ if (r < 0) ++ return r; + + separator = true; + } +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-sysext-Refactor-the-merge-hierarchy-code.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-sysext-Refactor-the-merge-hierarchy-code.patch new file mode 100644 index 00000000000..519f3c01a34 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-sysext-Refactor-the-merge-hierarchy-code.patch @@ -0,0 +1,449 @@ +From af3710dfc4ce605a45ae9204077f83bcd8e5d964 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 15 Feb 2024 15:12:24 +0100 +Subject: [PATCH 11/20] sysext: Refactor the merge hierarchy code + +Divide the merge_hierarchy function into code that: + +- determines the lower directories for overlayfs + + - determination of lower directories was further split into top, middle and + bottom directories: + + - bottom - possibly the hierarchy itself + + - middle - hierarchies from extensions + + - top - metadata directory + +- mounts the overlayfs using determined directories + +- writes information to the metadata directory + +- makes the merged hierarchy read-only +--- + src/sysext/sysext.c | 343 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 285 insertions(+), 58 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 1c65bd5f65..481707848b 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -536,129 +536,356 @@ static int mount_overlayfs( + return 0; + } + +-static int merge_hierarchy( +- ImageClass image_class, +- const char *hierarchy, +- int noexec, +- char **extensions, +- char **paths, +- const char *meta_path, +- const char *overlay_path) { ++typedef struct OverlayFSPaths { ++ char *hierarchy; ++ char *resolved_hierarchy; + +- _cleanup_free_ char *resolved_hierarchy = NULL, *f = NULL, *buf = NULL; +- _cleanup_strv_free_ char **layers = NULL; +- struct stat st; ++ /* lowest index is top lowerdir, highest index is bottom lowerdir */ ++ char **lower_dirs; ++} OverlayFSPaths; ++ ++static OverlayFSPaths *overlayfs_paths_free(OverlayFSPaths *op) { ++ if (!op) ++ return NULL; ++ ++ free(op->hierarchy); ++ free(op->resolved_hierarchy); ++ ++ strv_free(op->lower_dirs); ++ ++ free(op); ++ return NULL; ++} ++DEFINE_TRIVIAL_CLEANUP_FUNC(OverlayFSPaths *, overlayfs_paths_free); ++ ++static int resolve_hierarchy(const char *hierarchy, char **ret_resolved_hierarchy) { ++ _cleanup_free_ char *resolved_path = NULL; + int r; + + assert(hierarchy); +- assert(meta_path); +- assert(overlay_path); ++ assert(ret_resolved_hierarchy); + +- /* Resolve the path of the host's version of the hierarchy, i.e. what we want to use as lowest layer +- * in the overlayfs stack. */ +- r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_hierarchy, NULL); +- if (r == -ENOENT) +- log_debug_errno(r, "Hierarchy '%s' on host doesn't exist, not merging.", hierarchy); +- else if (r < 0) +- return log_error_errno(r, "Failed to resolve host hierarchy '%s': %m", hierarchy); +- else { +- r = dir_is_empty(resolved_hierarchy, /* ignore_hidden_or_backup= */ false); +- if (r < 0) +- return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", resolved_hierarchy); +- if (r > 0) { +- log_debug("Host hierarchy '%s' is empty, not merging.", resolved_hierarchy); +- resolved_hierarchy = mfree(resolved_hierarchy); +- } +- } ++ r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); ++ if (r < 0 && r != -ENOENT) ++ return log_error_errno(r, "Failed to resolve hierarchy '%s': %m", hierarchy); + +- /* Let's generate a metadata file that lists all extensions we took into account for this +- * hierarchy. We include this in the final fs, to make things nicely discoverable and +- * recognizable. */ +- f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); +- if (!f) +- return log_oom(); ++ *ret_resolved_hierarchy = TAKE_PTR(resolved_path); ++ return 0; ++} + +- buf = strv_join(extensions, "\n"); +- if (!buf) ++static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { ++ _cleanup_free_ char *hierarchy_copy = NULL, *resolved_hierarchy = NULL, *resolved_mutable_directory = NULL; ++ int r; ++ ++ assert (hierarchy); ++ assert (ret_op); ++ ++ hierarchy_copy = strdup(hierarchy); ++ if (!hierarchy_copy) + return log_oom(); + +- r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); ++ r = resolve_hierarchy(hierarchy, &resolved_hierarchy); + if (r < 0) +- return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); ++ return r; ++ ++ OverlayFSPaths *op; ++ op = new(OverlayFSPaths, 1); ++ if (!op) ++ return log_oom(); ++ ++ *op = (OverlayFSPaths) { ++ .hierarchy = TAKE_PTR(hierarchy_copy), ++ .resolved_hierarchy = TAKE_PTR(resolved_hierarchy), ++ }; ++ ++ *ret_op = TAKE_PTR(op); ++ return 0; ++} ++ ++static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { ++ int r; ++ ++ assert(op); ++ assert(meta_path); + + /* Put the meta path (i.e. our synthesized stuff) at the top of the layer stack */ +- layers = strv_new(meta_path); +- if (!layers) ++ r = strv_extend(&op->lower_dirs, meta_path); ++ if (r < 0) + return log_oom(); + ++ return 0; ++} ++ ++static int determine_middle_lower_dirs(OverlayFSPaths *op, char **paths, size_t *ret_extensions_used) { ++ size_t n = 0; ++ int r; ++ ++ assert(op); ++ assert(paths); ++ assert(ret_extensions_used); ++ + /* Put the extensions in the middle */ + STRV_FOREACH(p, paths) { + _cleanup_free_ char *resolved = NULL; + +- r = chase(hierarchy, *p, CHASE_PREFIX_ROOT, &resolved, NULL); ++ r = chase(op->hierarchy, *p, CHASE_PREFIX_ROOT, &resolved, NULL); + if (r == -ENOENT) { +- log_debug_errno(r, "Hierarchy '%s' in extension '%s' doesn't exist, not merging.", hierarchy, *p); ++ log_debug_errno(r, "Hierarchy '%s' in extension '%s' doesn't exist, not merging.", op->hierarchy, *p); + continue; + } + if (r < 0) +- return log_error_errno(r, "Failed to resolve hierarchy '%s' in extension '%s': %m", hierarchy, *p); ++ return log_error_errno(r, "Failed to resolve hierarchy '%s' in extension '%s': %m", op->hierarchy, *p); + + r = dir_is_empty(resolved, /* ignore_hidden_or_backup= */ false); + if (r < 0) + return log_error_errno(r, "Failed to check if hierarchy '%s' in extension '%s' is empty: %m", resolved, *p); + if (r > 0) { +- log_debug("Hierarchy '%s' in extension '%s' is empty, not merging.", hierarchy, *p); ++ log_debug("Hierarchy '%s' in extension '%s' is empty, not merging.", op->hierarchy, *p); + continue; + } + +- r = strv_consume(&layers, TAKE_PTR(resolved)); ++ r = strv_consume(&op->lower_dirs, TAKE_PTR(resolved)); + if (r < 0) + return log_oom(); ++ ++n; + } + +- if (!layers[1]) /* No extension with files in this hierarchy? Then don't do anything. */ +- return 0; ++ *ret_extensions_used = n; ++ return 0; ++} ++ ++static int hierarchy_as_lower_dir(OverlayFSPaths *op) { ++ int r; ++ ++ /* return 0 if hierarchy should be used as lower dir, >0, if not */ ++ ++ assert(op); ++ ++ if (!op->resolved_hierarchy) { ++ log_debug("Host hierarchy '%s' does not exist, will not be used as lowerdir", op->hierarchy); ++ return 1; ++ } ++ ++ r = dir_is_empty(op->resolved_hierarchy, /* ignore_hidden_or_backup= */ false); ++ if (r < 0) ++ return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", op->resolved_hierarchy); ++ if (r > 0) { ++ log_debug("Host hierarchy '%s' is empty, will not be used as lower dir.", op->resolved_hierarchy); ++ return 1; ++ } + +- if (resolved_hierarchy) { +- /* Add the host hierarchy as last (lowest) layer in the stack */ +- r = strv_consume(&layers, TAKE_PTR(resolved_hierarchy)); ++ return 0; ++} ++ ++static int determine_bottom_lower_dirs(OverlayFSPaths *op) { ++ int r; ++ ++ assert(op); ++ ++ r = hierarchy_as_lower_dir(op); ++ if (r < 0) ++ return r; ++ if (!r) { ++ r = strv_extend(&op->lower_dirs, op->resolved_hierarchy); + if (r < 0) +- return log_oom(); ++ return r; + } + ++ return 0; ++} ++ ++static int determine_lower_dirs( ++ OverlayFSPaths *op, ++ char **paths, ++ const char *meta_path, ++ size_t *ret_extensions_used) { ++ ++ int r; ++ ++ assert(op); ++ assert(paths); ++ assert(meta_path); ++ assert(ret_extensions_used); ++ ++ r = determine_top_lower_dirs(op, meta_path); ++ if (r < 0) ++ return r; ++ ++ r = determine_middle_lower_dirs(op, paths, ret_extensions_used); ++ if (r < 0) ++ return r; ++ ++ r = determine_bottom_lower_dirs(op); ++ if (r < 0) ++ return r; ++ ++ return 0; ++} ++ ++static int mount_overlayfs_with_op( ++ OverlayFSPaths *op, ++ ImageClass image_class, ++ int noexec, ++ const char *overlay_path, ++ const char *meta_path) { ++ ++ int r; ++ ++ assert(op); ++ assert(overlay_path); ++ + r = mkdir_p(overlay_path, 0700); + if (r < 0) + return log_error_errno(r, "Failed to make directory '%s': %m", overlay_path); + +- r = mount_overlayfs(image_class, noexec, overlay_path, layers); ++ r = mkdir_p(meta_path, 0700); ++ if (r < 0) ++ return log_error_errno(r, "Failed to make directory '%s': %m", meta_path); ++ ++ r = mount_overlayfs(image_class, noexec, overlay_path, op->lower_dirs); + if (r < 0) + return r; + +- /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra turbo safety 😎 */ +- r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); ++ return 0; ++} ++ ++static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) { ++ _cleanup_free_ char *f = NULL, *buf = NULL; ++ int r; ++ ++ assert(extensions); ++ assert(meta_path); ++ ++ /* Let's generate a metadata file that lists all extensions we took into account for this ++ * hierarchy. We include this in the final fs, to make things nicely discoverable and ++ * recognizable. */ ++ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); ++ if (!f) ++ return log_oom(); ++ ++ buf = strv_join(extensions, "\n"); ++ if (!buf) ++ return log_oom(); ++ ++ r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); + if (r < 0) +- return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); ++ return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); ++ ++ return 0; ++} ++ ++static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) { ++ _cleanup_free_ char *f = NULL; ++ struct stat st; ++ int r; ++ ++ assert(meta_path); ++ assert(overlay_path); + + /* Now we have mounted the new file system. Let's now figure out its .st_dev field, and make that + * available in the metadata directory. This is useful to detect whether the metadata dir actually + * belongs to the fs it is found on: if .st_dev of the top-level mount matches it, it's pretty likely + * we are looking at a live tree, and not an unpacked tar or so of one. */ + if (stat(overlay_path, &st) < 0) +- return log_error_errno(r, "Failed to stat mount '%s': %m", overlay_path); ++ return log_error_errno(errno, "Failed to stat mount '%s': %m", overlay_path); + +- free(f); + f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "dev"); + if (!f) + return log_oom(); + ++ /* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at ++ * least it won't crash or deadlock, as per the kernel docs about overlayfs: ++ * https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */ + r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE); + if (r < 0) + return log_error_errno(r, "Failed to write '%s': %m", f); + ++ return 0; ++} ++ ++static int store_info_in_meta( ++ ImageClass image_class, ++ char **extensions, ++ const char *meta_path, ++ const char *overlay_path) { ++ ++ int r; ++ ++ assert(extensions); ++ assert(meta_path); ++ assert(overlay_path); ++ ++ r = write_extensions_file(image_class, extensions, meta_path); ++ if (r < 0) ++ return r; ++ ++ r = write_dev_file(image_class, meta_path, overlay_path); ++ if (r < 0) ++ return r; ++ + /* Make sure the top-level dir has an mtime marking the point we established the merge */ + if (utimensat(AT_FDCWD, meta_path, NULL, AT_SYMLINK_NOFOLLOW) < 0) + return log_error_errno(r, "Failed fix mtime of '%s': %m", meta_path); + ++ return 0; ++} ++ ++static int make_mounts_read_only(ImageClass image_class, const char *overlay_path) { ++ int r; ++ ++ assert(overlay_path); ++ ++ /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra turbo ++ * safety 😎 */ ++ r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); ++ if (r < 0) ++ return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); ++ ++ return 0; ++} ++ ++static int merge_hierarchy( ++ ImageClass image_class, ++ const char *hierarchy, ++ int noexec, ++ char **extensions, ++ char **paths, ++ const char *meta_path, ++ const char *overlay_path) { ++ ++ _cleanup_(overlayfs_paths_freep) OverlayFSPaths *op = NULL; ++ size_t extensions_used = 0; ++ int r; ++ ++ assert(hierarchy); ++ assert(extensions); ++ assert(paths); ++ assert(meta_path); ++ assert(overlay_path); ++ ++ r = overlayfs_paths_new(hierarchy, &op); ++ if (r < 0) ++ return r; ++ ++ r = determine_lower_dirs(op, paths, meta_path, &extensions_used); ++ if (r < 0) ++ return r; ++ ++ if (extensions_used == 0) /* No extension with files in this hierarchy? Then don't do anything. */ ++ return 0; ++ ++ r = mount_overlayfs_with_op(op, image_class, noexec, overlay_path, meta_path); ++ if (r < 0) ++ return r; ++ ++ r = store_info_in_meta(image_class, extensions, meta_path, overlay_path); ++ if (r < 0) ++ return r; ++ ++ r = make_mounts_read_only(image_class, overlay_path); ++ if (r < 0) ++ return r; ++ + return 1; + } + +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0012-sysext-Add-minimal-support-for-optional-mutability-f.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0012-sysext-Add-minimal-support-for-optional-mutability-f.patch new file mode 100644 index 00000000000..1d66ae986b7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0012-sysext-Add-minimal-support-for-optional-mutability-f.patch @@ -0,0 +1,533 @@ +From d38a93062db007f29ecdeb9eaf2a4d8cf4ee11f4 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 15 Feb 2024 17:46:08 +0100 +Subject: [PATCH 12/20] sysext: Add minimal support for optional mutability for + extensions + +systemd-sysext will check if /var/lib/extensions.mutable/${hierarchy} exists +and use it as an overlayfs upperdir for storing writes. This allows having +mutable hierarchy after merging the extension images. + +The implementation is following a proposed update to the Extension Images +specification at https://github.com/uapi-group/specifications/pull/78. +--- + src/sysext/sysext.c | 339 ++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 327 insertions(+), 12 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 481707848b..30614612c2 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -39,9 +39,12 @@ + #include "pager.h" + #include "parse-argument.h" + #include "parse-util.h" ++#include "path-util.h" + #include "pretty-print.h" + #include "process-util.h" ++#include "rm-rf.h" + #include "sort-util.h" ++#include "string-util.h" + #include "terminal-util.h" + #include "user-util.h" + #include "varlink.h" +@@ -248,11 +251,22 @@ static int unmerge_hierarchy( + ImageClass image_class, + const char *p) { + ++ _cleanup_free_ char *dot_dir = NULL, *work_dir_info_file = NULL; + int r; + + assert(p); + ++ dot_dir = path_join(p, image_class_info[image_class].dot_directory_name); ++ if (!dot_dir) ++ return log_oom(); ++ ++ work_dir_info_file = path_join(dot_dir, "work_dir"); ++ if (!work_dir_info_file) ++ return log_oom(); ++ + for (;;) { ++ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *work_dir = NULL; ++ + /* We only unmount /usr/ if it is a mount point and really one of ours, in order not to break + * systems where /usr/ is a mount point of its own already. */ + +@@ -262,10 +276,41 @@ static int unmerge_hierarchy( + if (r == 0) + break; + ++ r = read_one_line_file(work_dir_info_file, &escaped_work_dir_in_root); ++ if (r < 0) { ++ if (r != -ENOENT) ++ return log_error_errno(r, "Failed to read '%s': %m", work_dir_info_file); ++ } else { ++ _cleanup_free_ char *work_dir_in_root = NULL; ++ ssize_t l; ++ ++ l = cunescape_length(escaped_work_dir_in_root, r, 0, &work_dir_in_root); ++ if (l < 0) ++ return log_error_errno(l, "Failed to unescape work directory path: %m"); ++ work_dir = path_join(arg_root, work_dir_in_root); ++ if (!work_dir) ++ return log_oom(); ++ } ++ ++ r = umount_verbose(LOG_DEBUG, dot_dir, MNT_DETACH|UMOUNT_NOFOLLOW); ++ if (r < 0) { ++ /* EINVAL is possibly "not a mount point". Let it slide as it's expected to occur if ++ * the whole hierarchy was read-only, so the dot directory inside it was not ++ * bind-mounted as read-only. */ ++ if (r != -EINVAL) ++ return log_error_errno(r, "Failed to unmount '%s': %m", dot_dir); ++ } ++ + r = umount_verbose(LOG_ERR, p, MNT_DETACH|UMOUNT_NOFOLLOW); + if (r < 0) + return r; + ++ if (work_dir) { ++ r = rm_rf(work_dir, REMOVE_ROOT | REMOVE_MISSING_OK | REMOVE_PHYSICAL); ++ if (r < 0) ++ return log_error_errno(r, "Failed to remove '%s': %m", work_dir); ++ } ++ + log_info("Unmerged '%s'.", p); + } + +@@ -503,7 +548,9 @@ static int mount_overlayfs( + ImageClass image_class, + int noexec, + const char *where, +- char **layers) { ++ char **layers, ++ const char *upper_dir, ++ const char *work_dir) { + + _cleanup_free_ char *options = NULL; + bool separator = false; +@@ -511,6 +558,7 @@ static int mount_overlayfs( + int r; + + assert(where); ++ assert((upper_dir && work_dir) || (!upper_dir && !work_dir)); + + options = strdup("lowerdir="); + if (!options) +@@ -528,6 +576,22 @@ static int mount_overlayfs( + if (noexec >= 0) + SET_FLAG(flags, MS_NOEXEC, noexec); + ++ if (upper_dir && work_dir) { ++ r = append_overlayfs_path_option(&options, ",", "upperdir", upper_dir); ++ if (r < 0) ++ return r; ++ ++ flags &= ~MS_RDONLY; ++ ++ r = append_overlayfs_path_option(&options, ",", "workdir", work_dir); ++ if (r < 0) ++ return r; ++ /* redirect_dir=on and noatime prevent unnecessary upcopies, metacopy=off prevents broken ++ * files from partial upcopies after umount. */ ++ if (!strextend(&options, ",redirect_dir=on,noatime,metacopy=off")) ++ return log_oom(); ++ } ++ + /* Now mount the actual overlayfs */ + r = mount_nofollow_verbose(LOG_ERR, image_class_info[image_class].short_identifier, where, "overlay", flags, options); + if (r < 0) +@@ -536,10 +600,104 @@ static int mount_overlayfs( + return 0; + } + ++static char *hierarchy_as_single_path_component(const char *hierarchy) { ++ /* We normally expect hierarchy to be /usr, /opt or /etc, but for debugging purposes the hierarchy ++ * could very well be like /foo/bar/baz/. So for a given hierarchy we generate a directory name by ++ * stripping the leading and trailing separators and replacing the rest of separators with dots. This ++ * makes the generated name to be the same for /foo/bar/baz and for /foo/bar.baz, but, again, ++ * speciyfing a different hierarchy is a debugging feature, so non-unique mapping should not be an ++ * issue in general case. */ ++ const char *stripped = hierarchy; ++ _cleanup_free_ char *dir_name = NULL; ++ ++ assert(hierarchy); ++ ++ stripped += strspn(stripped, "/"); ++ ++ dir_name = strdup(stripped); ++ if (!dir_name) ++ return NULL; ++ delete_trailing_chars(dir_name, "/"); ++ string_replace_char(dir_name, '/', '.'); ++ return TAKE_PTR(dir_name); ++} ++ ++static char *determine_mutable_directory_path_for_hierarchy(const char *hierarchy) { ++ _cleanup_free_ char *dir_name = NULL; ++ ++ assert(hierarchy); ++ dir_name = hierarchy_as_single_path_component(hierarchy); ++ if (!dir_name) ++ return NULL; ++ ++ return path_join("/var/lib/extensions.mutable", dir_name); ++} ++ ++static int paths_on_same_fs(const char *path1, const char *path2) { ++ struct stat st1, st2; ++ ++ assert(path1); ++ assert(path2); ++ ++ if (stat(path1, &st1)) ++ return log_error_errno(errno, "Failed to stat '%s': %m", path1); ++ ++ if (stat(path2, &st2)) ++ return log_error_errno(errno, "Failed to stat '%s': %m", path2); ++ ++ return st1.st_dev == st2.st_dev; ++} ++ ++static int work_dir_for_hierarchy( ++ const char *hierarchy, ++ const char *resolved_upper_dir, ++ char **ret_work_dir) { ++ ++ _cleanup_free_ char *parent = NULL; ++ int r; ++ ++ assert(hierarchy); ++ assert(resolved_upper_dir); ++ assert(ret_work_dir); ++ ++ r = path_extract_directory(resolved_upper_dir, &parent); ++ if (r < 0) ++ return log_error_errno(r, "Failed to get parent directory of upperdir '%s': %m", resolved_upper_dir); ++ ++ /* TODO: paths_in_same_superblock? partition? device? */ ++ r = paths_on_same_fs(resolved_upper_dir, parent); ++ if (r < 0) ++ return r; ++ if (!r) ++ return log_error_errno(SYNTHETIC_ERRNO(EXDEV), "Unable to find a suitable workdir location for upperdir '%s' for host hierarchy '%s' - parent directory of the upperdir is in a different filesystem", resolved_upper_dir, hierarchy); ++ ++ _cleanup_free_ char *f = NULL, *dir_name = NULL; ++ ++ f = hierarchy_as_single_path_component(hierarchy); ++ if (!f) ++ return log_oom(); ++ dir_name = strjoin(".systemd-", f, "-workdir"); ++ if (!dir_name) ++ return log_oom(); ++ ++ free(f); ++ f = path_join(parent, dir_name); ++ if (!f) ++ return log_oom(); ++ ++ *ret_work_dir = TAKE_PTR(f); ++ return 0; ++} ++ + typedef struct OverlayFSPaths { + char *hierarchy; + char *resolved_hierarchy; ++ char *resolved_mutable_directory; + ++ /* NULL if merged fs is read-only */ ++ char *upper_dir; ++ /* NULL if merged fs is read-only */ ++ char *work_dir; + /* lowest index is top lowerdir, highest index is bottom lowerdir */ + char **lower_dirs; + } OverlayFSPaths; +@@ -550,7 +708,10 @@ static OverlayFSPaths *overlayfs_paths_free(OverlayFSPaths *op) { + + free(op->hierarchy); + free(op->resolved_hierarchy); ++ free(op->resolved_mutable_directory); + ++ free(op->upper_dir); ++ free(op->work_dir); + strv_free(op->lower_dirs); + + free(op); +@@ -573,6 +734,25 @@ static int resolve_hierarchy(const char *hierarchy, char **ret_resolved_hierarch + return 0; + } + ++static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_mutable_directory) { ++ _cleanup_free_ char *path = NULL, *resolved_path = NULL; ++ int r; ++ ++ assert(hierarchy); ++ assert(ret_resolved_mutable_directory); ++ ++ path = determine_mutable_directory_path_for_hierarchy(hierarchy); ++ if (!path) ++ return log_oom(); ++ ++ r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); ++ if (r < 0 && r != -ENOENT) ++ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); ++ ++ *ret_resolved_mutable_directory = TAKE_PTR(resolved_path); ++ return 0; ++} ++ + static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { + _cleanup_free_ char *hierarchy_copy = NULL, *resolved_hierarchy = NULL, *resolved_mutable_directory = NULL; + int r; +@@ -585,6 +765,9 @@ static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { + return log_oom(); + + r = resolve_hierarchy(hierarchy, &resolved_hierarchy); ++ if (r < 0) ++ return r; ++ r = resolve_mutable_directory(hierarchy, &resolved_mutable_directory); + if (r < 0) + return r; + +@@ -596,6 +779,7 @@ static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { + *op = (OverlayFSPaths) { + .hierarchy = TAKE_PTR(hierarchy_copy), + .resolved_hierarchy = TAKE_PTR(resolved_hierarchy), ++ .resolved_mutable_directory = TAKE_PTR(resolved_mutable_directory), + }; + + *ret_op = TAKE_PTR(op); +@@ -674,6 +858,23 @@ static int hierarchy_as_lower_dir(OverlayFSPaths *op) { + return 1; + } + ++ if (!op->resolved_mutable_directory) { ++ log_debug("No mutable directory found, so host hierarchy '%s' will be used as lowerdir", op->resolved_hierarchy); ++ return 0; ++ } ++ ++ if (path_equal(op->resolved_hierarchy, op->resolved_mutable_directory)) { ++ log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); ++ return 1; ++ } ++ r = inode_same(op->resolved_hierarchy, op->resolved_mutable_directory, 0); ++ if (r < 0) ++ return log_error_errno(r, "Failed to check inode equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); ++ if (r > 0) { ++ log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); ++ return 1; ++ } ++ + return 0; + } + +@@ -722,6 +923,50 @@ static int determine_lower_dirs( + return 0; + } + ++static int determine_upper_dir(OverlayFSPaths *op) { ++ int r; ++ ++ assert(op); ++ assert(!op->upper_dir); ++ ++ if (!op->resolved_mutable_directory) { ++ log_debug("No mutable directory found for host hierarchy '%s', there will be no upperdir", op->hierarchy); ++ return 0; ++ } ++ ++ /* Require upper dir to be on writable filesystem if it's going to be used as an actual overlayfs ++ * upperdir, instead of a lowerdir as an imported path. */ ++ r = path_is_read_only_fs(op->resolved_mutable_directory); ++ if (r < 0) ++ return log_error_errno(r, "Failed to determine if mutable directory '%s' is on read-only filesystem: %m", op->resolved_mutable_directory); ++ if (r > 0) ++ return log_error_errno(SYNTHETIC_ERRNO(EROFS), "Can't use '%s' as an upperdir as it is read-only.", op->resolved_mutable_directory); ++ ++ op->upper_dir = strdup(op->resolved_mutable_directory); ++ if (!op->upper_dir) ++ return log_oom(); ++ ++ return 0; ++} ++ ++static int determine_work_dir(OverlayFSPaths *op) { ++ _cleanup_free_ char *work_dir = NULL; ++ int r; ++ ++ assert(op); ++ assert(!op->work_dir); ++ ++ if (!op->upper_dir) ++ return 0; ++ ++ r = work_dir_for_hierarchy(op->hierarchy, op->upper_dir, &work_dir); ++ if (r < 0) ++ return r; ++ ++ op->work_dir = TAKE_PTR(work_dir); ++ return 0; ++} ++ + static int mount_overlayfs_with_op( + OverlayFSPaths *op, + ImageClass image_class, +@@ -742,7 +987,13 @@ static int mount_overlayfs_with_op( + if (r < 0) + return log_error_errno(r, "Failed to make directory '%s': %m", meta_path); + +- r = mount_overlayfs(image_class, noexec, overlay_path, op->lower_dirs); ++ if (op->upper_dir && op->work_dir) { ++ r = mkdir_p(op->work_dir, 0700); ++ if (r < 0) ++ return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir); ++ } ++ ++ r = mount_overlayfs(image_class, noexec, overlay_path, op->lower_dirs, op->upper_dir, op->work_dir); + if (r < 0) + return r; + +@@ -803,17 +1054,49 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c + return 0; + } + ++static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) { ++ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL; ++ char *work_dir_in_root = NULL; ++ int r; ++ ++ assert(meta_path); ++ ++ if (!work_dir) ++ return 0; ++ ++ work_dir_in_root = path_startswith(work_dir, empty_to_root(arg_root)); ++ if (!work_dir_in_root) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Workdir '%s' must not be outside root '%s'", work_dir, empty_to_root(arg_root)); ++ ++ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "work_dir"); ++ if (!f) ++ return log_oom(); ++ ++ /* Paths can have newlines for whatever reason, so better escape them to really get a single ++ * line file. */ ++ escaped_work_dir_in_root = cescape(work_dir_in_root); ++ if (!escaped_work_dir_in_root) ++ return log_oom(); ++ r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE); ++ if (r < 0) ++ return log_error_errno(r, "Failed to write '%s': %m", f); ++ ++ return 0; ++} ++ + static int store_info_in_meta( + ImageClass image_class, + char **extensions, + const char *meta_path, +- const char *overlay_path) { ++ const char *overlay_path, ++ const char *work_dir) { + + int r; + + assert(extensions); + assert(meta_path); + assert(overlay_path); ++ /* work_dir may be NULL */ + + r = write_extensions_file(image_class, extensions, meta_path); + if (r < 0) +@@ -823,6 +1106,10 @@ static int store_info_in_meta( + if (r < 0) + return r; + ++ r = write_work_dir_file(image_class, meta_path, work_dir); ++ if (r < 0) ++ return r; ++ + /* Make sure the top-level dir has an mtime marking the point we established the merge */ + if (utimensat(AT_FDCWD, meta_path, NULL, AT_SYMLINK_NOFOLLOW) < 0) + return log_error_errno(r, "Failed fix mtime of '%s': %m", meta_path); +@@ -830,16 +1117,35 @@ static int store_info_in_meta( + return 0; + } + +-static int make_mounts_read_only(ImageClass image_class, const char *overlay_path) { ++static int make_mounts_read_only(ImageClass image_class, const char *overlay_path, bool mutable) { + int r; + + assert(overlay_path); + +- /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra turbo +- * safety 😎 */ +- r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); +- if (r < 0) +- return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); ++ if (mutable) { ++ /* Bind mount the meta path as read-only on mutable overlays to avoid accidental ++ * modifications of the contents of meta directory, which could lead to systemd thinking that ++ * this hierarchy is not our mount. */ ++ _cleanup_free_ char *f = NULL; ++ ++ f = path_join(overlay_path, image_class_info[image_class].dot_directory_name); ++ if (!f) ++ return log_oom(); ++ ++ r = mount_nofollow_verbose(LOG_ERR, f, f, NULL, MS_BIND, NULL); ++ if (r < 0) ++ return r; ++ ++ r = bind_remount_one(f, MS_RDONLY, MS_RDONLY); ++ if (r < 0) ++ return log_error_errno(r, "Failed to remount '%s' as read-only: %m", f); ++ } else { ++ /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra ++ * turbo safety 😎 */ ++ r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); ++ if (r < 0) ++ return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); ++ } + + return 0; + } +@@ -874,15 +1180,23 @@ static int merge_hierarchy( + if (extensions_used == 0) /* No extension with files in this hierarchy? Then don't do anything. */ + return 0; + ++ r = determine_upper_dir(op); ++ if (r < 0) ++ return r; ++ ++ r = determine_work_dir(op); ++ if (r < 0) ++ return r; ++ + r = mount_overlayfs_with_op(op, image_class, noexec, overlay_path, meta_path); + if (r < 0) + return r; + +- r = store_info_in_meta(image_class, extensions, meta_path, overlay_path); ++ r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir); + if (r < 0) + return r; + +- r = make_mounts_read_only(image_class, overlay_path); ++ r = make_mounts_read_only(image_class, overlay_path, op->upper_dir && op->work_dir); + if (r < 0) + return r; + +@@ -1201,7 +1515,8 @@ static int merge_subprocess( + if (r < 0) + return log_error_errno(r, "Failed to create hierarchy mount point '%s': %m", resolved); + +- r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND, NULL); ++ /* Using MS_REC to potentially bring in our read-only bind mount of metadata. */ ++ r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND|MS_REC, NULL); + if (r < 0) + return r; + +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0013-sysext-Add-mutable-mode-flag.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0013-sysext-Add-mutable-mode-flag.patch new file mode 100644 index 00000000000..1376c788950 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0013-sysext-Add-mutable-mode-flag.patch @@ -0,0 +1,169 @@ +From adbdb6a53e7e3fd7cf41c9f53dde9939f2436607 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 15 Feb 2024 15:16:08 +0100 +Subject: [PATCH 13/20] sysext: Add --mutable mode flag + +The flag takes "auto" or "import" or a boolean value. + +"auto" causes systemd-sysext to make a decision about mutability of the merged +hierarchy based on existence of the upper directory in +`/var/lib/extensions.mutable/${hierarchy}`. + +"import" causes the existing upper dir to be actually used as another lower +dir, which results in read-only merged hierarchy. + +True value makes systemd-sysext to create the upper dir if it's missing and to +make the merged hierarchy mutable. + +False value makes systemd-sysext to ignore upper dir completely, and create a +read-only merged hierarchy. + +The default is false value. +--- + src/sysext/sysext.c | 63 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 63 insertions(+) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 30614612c2..83c027d33b 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -51,6 +51,15 @@ + #include "varlink-io.systemd.sysext.h" + #include "verbs.h" + ++typedef enum MutableMode { ++ MUTABLE_YES, ++ MUTABLE_NO, ++ MUTABLE_AUTO, ++ MUTABLE_IMPORT, ++ _MUTABLE_MAX, ++ _MUTABLE_INVALID = -EINVAL, ++} MutableMode; ++ + static char **arg_hierarchies = NULL; /* "/usr" + "/opt" by default for sysext and /etc by default for confext */ + static char *arg_root = NULL; + static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; +@@ -61,6 +70,7 @@ static bool arg_no_reload = false; + static int arg_noexec = -1; + static ImagePolicy *arg_image_policy = NULL; + static bool arg_varlink = false; ++static MutableMode arg_mutable = MUTABLE_NO; + + /* Is set to IMAGE_CONFEXT when systemd is called with the confext functionality instead of the default */ + static ImageClass arg_image_class = IMAGE_SYSEXT; +@@ -741,10 +751,28 @@ static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_ + assert(hierarchy); + assert(ret_resolved_mutable_directory); + ++ if (arg_mutable == MUTABLE_NO) { ++ log_debug("Mutability for hierarchy '%s' is disabled, not resolving mutable directory.", hierarchy); ++ *ret_resolved_mutable_directory = NULL; ++ return 0; ++ } ++ + path = determine_mutable_directory_path_for_hierarchy(hierarchy); + if (!path) + return log_oom(); + ++ if (arg_mutable == MUTABLE_YES) { ++ _cleanup_free_ char *path_in_root = NULL; ++ ++ path_in_root = path_join(arg_root, path); ++ if (!path_in_root) ++ return log_oom(); ++ ++ r = mkdir_p(path_in_root, 0700); ++ if (r < 0) ++ return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root); ++ } ++ + r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); + if (r < 0 && r != -ENOENT) + return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); +@@ -797,6 +825,13 @@ static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { + if (r < 0) + return log_oom(); + ++ /* If importing mutable layer and it actually exists, add it just below the meta path */ ++ if (arg_mutable == MUTABLE_IMPORT && op->resolved_mutable_directory) { ++ r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); ++ if (r < 0) ++ return r; ++ } ++ + return 0; + } + +@@ -858,6 +893,11 @@ static int hierarchy_as_lower_dir(OverlayFSPaths *op) { + return 1; + } + ++ if (arg_mutable == MUTABLE_IMPORT) { ++ log_debug("Mutability for host hierarchy '%s' is disabled, so it will be a lowerdir", op->resolved_hierarchy); ++ return 0; ++ } ++ + if (!op->resolved_mutable_directory) { + log_debug("No mutable directory found, so host hierarchy '%s' will be used as lowerdir", op->resolved_hierarchy); + return 0; +@@ -929,6 +969,11 @@ static int determine_upper_dir(OverlayFSPaths *op) { + assert(op); + assert(!op->upper_dir); + ++ if (arg_mutable == MUTABLE_IMPORT) { ++ log_debug("Mutability is disabled, there will be no upperdir for host hierarchy '%s'", op->hierarchy); ++ return 0; ++ } ++ + if (!op->resolved_mutable_directory) { + log_debug("No mutable directory found for host hierarchy '%s', there will be no upperdir", op->hierarchy); + return 0; +@@ -959,6 +1004,9 @@ static int determine_work_dir(OverlayFSPaths *op) { + if (!op->upper_dir) + return 0; + ++ if (arg_mutable == MUTABLE_IMPORT) ++ return 0; ++ + r = work_dir_for_hierarchy(op->hierarchy, op->upper_dir, &work_dir); + if (r < 0) + return r; +@@ -1968,6 +2016,7 @@ static int parse_argv(int argc, char *argv[]) { + ARG_IMAGE_POLICY, + ARG_NOEXEC, + ARG_NO_RELOAD, ++ ARG_MUTABLE, + }; + + static const struct option options[] = { +@@ -1981,6 +2030,7 @@ static int parse_argv(int argc, char *argv[]) { + { "image-policy", required_argument, NULL, ARG_IMAGE_POLICY }, + { "noexec", required_argument, NULL, ARG_NOEXEC }, + { "no-reload", no_argument, NULL, ARG_NO_RELOAD }, ++ { "mutable", required_argument, NULL, ARG_MUTABLE }, + {} + }; + +@@ -2044,6 +2094,19 @@ static int parse_argv(int argc, char *argv[]) { + arg_no_reload = true; + break; + ++ case ARG_MUTABLE: ++ if (streq(optarg, "auto")) ++ arg_mutable = MUTABLE_AUTO; ++ else if (streq(optarg, "import")) ++ arg_mutable = MUTABLE_IMPORT; ++ else { ++ r = parse_boolean(optarg); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse argument to --mutable=: %s", optarg); ++ arg_mutable = r ? MUTABLE_YES : MUTABLE_NO; ++ } ++ break; ++ + case '?': + return -EINVAL; + +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0014-sysext-Move-parsing-mutable-mode-to-a-separate-funct.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0014-sysext-Move-parsing-mutable-mode-to-a-separate-funct.patch new file mode 100644 index 00000000000..48ddb7ca367 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0014-sysext-Move-parsing-mutable-mode-to-a-separate-funct.patch @@ -0,0 +1,63 @@ +From dd18fad35a1eceb2fd191ddea2e3778ab6f949a0 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Tue, 19 Mar 2024 13:20:46 +0100 +Subject: [PATCH 14/20] sysext: Move parsing mutable mode to a separate + function + +--- + src/sysext/sysext.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 83c027d33b..6fa2c72bd5 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -115,6 +115,24 @@ static const struct { + } + }; + ++static int parse_mutable_mode(const char *p) { ++ int r; ++ ++ assert(p); ++ ++ if (streq(p, "auto")) ++ return MUTABLE_AUTO; ++ ++ if (streq(p, "import")) ++ return MUTABLE_IMPORT; ++ ++ r = parse_boolean(p); ++ if (r < 0) ++ return r; ++ ++ return r ? MUTABLE_YES : MUTABLE_NO; ++} ++ + static int is_our_mount_point( + ImageClass image_class, + const char *p) { +@@ -2095,16 +2113,10 @@ static int parse_argv(int argc, char *argv[]) { + break; + + case ARG_MUTABLE: +- if (streq(optarg, "auto")) +- arg_mutable = MUTABLE_AUTO; +- else if (streq(optarg, "import")) +- arg_mutable = MUTABLE_IMPORT; +- else { +- r = parse_boolean(optarg); +- if (r < 0) +- return log_error_errno(r, "Failed to parse argument to --mutable=: %s", optarg); +- arg_mutable = r ? MUTABLE_YES : MUTABLE_NO; +- } ++ r = parse_mutable_mode(optarg); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse argument to --mutable=: %s", optarg); ++ arg_mutable = r; + break; + + case '?': +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0015-sysext-Add-support-for-mutable-mode-environment-vari.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0015-sysext-Add-support-for-mutable-mode-environment-vari.patch new file mode 100644 index 00000000000..97a6b3936a3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0015-sysext-Add-support-for-mutable-mode-environment-vari.patch @@ -0,0 +1,69 @@ +From dc31049133233015f186b3ca015d8871932ed16e Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Tue, 19 Mar 2024 14:01:00 +0100 +Subject: [PATCH 15/20] sysext: Add support for mutable mode environment + variables + +The environment variable names are SYSTEMD_SYSEXT_MUTABLE_MODE for +systemd-sysext and SYSTEMD_CONFEXT_MUTABLE_MODE for systemd-confext. These +override the default mutable mode setting, but can be still overridden by a +command-line flag. +--- + src/sysext/sysext.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 6fa2c72bd5..2b65f87830 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -88,6 +88,7 @@ static const struct { + const char *level_env; + const char *scope_env; + const char *name_env; ++ const char *mode_env; + const ImagePolicy *default_image_policy; + unsigned long default_mount_flags; + } image_class_info[_IMAGE_CLASS_MAX] = { +@@ -99,6 +100,7 @@ static const struct { + .level_env = "SYSEXT_LEVEL", + .scope_env = "SYSEXT_SCOPE", + .name_env = "SYSTEMD_SYSEXT_HIERARCHIES", ++ .mode_env = "SYSTEMD_SYSEXT_MUTABLE_MODE", + .default_image_policy = &image_policy_sysext, + .default_mount_flags = MS_RDONLY|MS_NODEV, + }, +@@ -110,6 +112,7 @@ static const struct { + .level_env = "CONFEXT_LEVEL", + .scope_env = "CONFEXT_SCOPE", + .name_env = "SYSTEMD_CONFEXT_HIERARCHIES", ++ .mode_env = "SYSTEMD_CONFEXT_MUTABLE_MODE", + .default_image_policy = &image_policy_confext, + .default_mount_flags = MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC, + } +@@ -2151,12 +2154,23 @@ static int sysext_main(int argc, char *argv[]) { + } + + static int run(int argc, char *argv[]) { ++ const char* env_var; + int r; + + log_setup(); + + arg_image_class = invoked_as(argv, "systemd-confext") ? IMAGE_CONFEXT : IMAGE_SYSEXT; + ++ env_var = getenv(image_class_info[arg_image_class].mode_env); ++ if (env_var) { ++ r = parse_mutable_mode(env_var); ++ if (r < 0) ++ log_warning("Failed to parse %s environment variable value '%s'. Ignoring.", ++ image_class_info[arg_image_class].mode_env, env_var); ++ else ++ arg_mutable = r; ++ } ++ + r = parse_argv(argc, argv); + if (r <= 0) + return r; +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0016-sysext-Add-missing-mutable-mode-in-help-output.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0016-sysext-Add-missing-mutable-mode-in-help-output.patch new file mode 100644 index 00000000000..9fa039e5c29 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0016-sysext-Add-missing-mutable-mode-in-help-output.patch @@ -0,0 +1,25 @@ +From 967bf4c5428040ffa7da5fee9a8a0f56664260f9 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Tue, 27 Feb 2024 16:29:08 +0100 +Subject: [PATCH 16/20] sysext: Add missing --mutable mode in help output + +--- + src/sysext/sysext.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 2b65f87830..9f17a13a92 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -2004,6 +2004,8 @@ static int verb_help(int argc, char **argv, void *userdata) { + " -h --help Show this help\n" + " --version Show package version\n" + "\n%3$sOptions:%4$s\n" ++ " --mutable=yes|no|auto|import\n" ++ " Specify a mutability mode of the merged hierarchy\n" + " --no-pager Do not pipe output into a pager\n" + " --no-legend Do not show the headers and footers\n" + " --root=PATH Operate relative to root path\n" +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0017-sysext-Implement-ephemeral-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0017-sysext-Implement-ephemeral-mode.patch new file mode 100644 index 00000000000..26e5578e099 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0017-sysext-Implement-ephemeral-mode.patch @@ -0,0 +1,205 @@ +From 5d87d21e7abe2a783bf3db2ac52148475ac7af61 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 28 Feb 2024 09:17:27 +0100 +Subject: [PATCH 17/20] sysext: Implement ephemeral mode + +To enable it, use "ephemeral" either for mutable mode environment variable or +for value of "--mutable=" flag. + +Instead of using mutable dir in /var/lib/extensions.mutable/, we +create a directory for overlayfs upperdir and workdir in the same tmpfs mount +that sysext worker process creates in /run/systemd/sysext. As the path for the +workdir will be gone when the worker quits, there is no need to do any +additional cleanup. As such, there is also no need to store a path to workdir +in the metadata directory. +--- + src/sysext/sysext.c | 69 +++++++++++++++++++++++++++++---------------- + 1 file changed, 45 insertions(+), 24 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 9f17a13a92..c88eb88706 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -56,6 +56,7 @@ typedef enum MutableMode { + MUTABLE_NO, + MUTABLE_AUTO, + MUTABLE_IMPORT, ++ MUTABLE_EPHEMERAL, + _MUTABLE_MAX, + _MUTABLE_INVALID = -EINVAL, + } MutableMode; +@@ -129,6 +130,9 @@ static int parse_mutable_mode(const char *p) { + if (streq(p, "import")) + return MUTABLE_IMPORT; + ++ if (streq(p, "ephemeral")) ++ return MUTABLE_EPHEMERAL; ++ + r = parse_boolean(p); + if (r < 0) + return r; +@@ -653,17 +657,6 @@ static char *hierarchy_as_single_path_component(const char *hierarchy) { + return TAKE_PTR(dir_name); + } + +-static char *determine_mutable_directory_path_for_hierarchy(const char *hierarchy) { +- _cleanup_free_ char *dir_name = NULL; +- +- assert(hierarchy); +- dir_name = hierarchy_as_single_path_component(hierarchy); +- if (!dir_name) +- return NULL; +- +- return path_join("/var/lib/extensions.mutable", dir_name); +-} +- + static int paths_on_same_fs(const char *path1, const char *path2) { + struct stat st1, st2; + +@@ -765,8 +758,13 @@ static int resolve_hierarchy(const char *hierarchy, char **ret_resolved_hierarch + return 0; + } + +-static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_mutable_directory) { +- _cleanup_free_ char *path = NULL, *resolved_path = NULL; ++static int resolve_mutable_directory( ++ const char *hierarchy, ++ const char *workspace, ++ char **ret_resolved_mutable_directory) { ++ ++ _cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL; ++ const char *root = arg_root, *base = "/var/lib/extensions.mutable"; + int r; + + assert(hierarchy); +@@ -778,14 +776,25 @@ static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_ + return 0; + } + +- path = determine_mutable_directory_path_for_hierarchy(hierarchy); ++ if (arg_mutable == MUTABLE_EPHEMERAL) { ++ /* We create mutable directory inside the temporary tmpfs workspace, which is a fixed ++ * location that ignores arg_root. */ ++ root = NULL; ++ base = workspace; ++ } ++ ++ dir_name = hierarchy_as_single_path_component(hierarchy); ++ if (!dir_name) ++ return log_oom(); ++ ++ path = path_join(base, dir_name); + if (!path) + return log_oom(); + +- if (arg_mutable == MUTABLE_YES) { ++ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_EPHEMERAL)) { + _cleanup_free_ char *path_in_root = NULL; + +- path_in_root = path_join(arg_root, path); ++ path_in_root = path_join(root, path); + if (!path_in_root) + return log_oom(); + +@@ -794,7 +803,7 @@ static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_ + return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root); + } + +- r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); ++ r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL); + if (r < 0 && r != -ENOENT) + return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); + +@@ -802,7 +811,7 @@ static int resolve_mutable_directory(const char *hierarchy, char **ret_resolved_ + return 0; + } + +-static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { ++static int overlayfs_paths_new(const char *hierarchy, const char *workspace_path, OverlayFSPaths **ret_op) { + _cleanup_free_ char *hierarchy_copy = NULL, *resolved_hierarchy = NULL, *resolved_mutable_directory = NULL; + int r; + +@@ -816,7 +825,7 @@ static int overlayfs_paths_new(const char *hierarchy, OverlayFSPaths **ret_op) { + r = resolve_hierarchy(hierarchy, &resolved_hierarchy); + if (r < 0) + return r; +- r = resolve_mutable_directory(hierarchy, &resolved_mutable_directory); ++ r = resolve_mutable_directory(hierarchy, workspace_path, &resolved_mutable_directory); + if (r < 0) + return r; + +@@ -1133,6 +1142,10 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co + if (!work_dir) + return 0; + ++ /* Do not store work dir path for ephemeral mode, it will be gone once this process is done. */ ++ if (arg_mutable == MUTABLE_EPHEMERAL) ++ return 0; ++ + work_dir_in_root = path_startswith(work_dir, empty_to_root(arg_root)); + if (!work_dir_in_root) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Workdir '%s' must not be outside root '%s'", work_dir, empty_to_root(arg_root)); +@@ -1226,7 +1239,8 @@ static int merge_hierarchy( + char **extensions, + char **paths, + const char *meta_path, +- const char *overlay_path) { ++ const char *overlay_path, ++ const char *workspace_path) { + + _cleanup_(overlayfs_paths_freep) OverlayFSPaths *op = NULL; + size_t extensions_used = 0; +@@ -1237,8 +1251,9 @@ static int merge_hierarchy( + assert(paths); + assert(meta_path); + assert(overlay_path); ++ assert(workspace_path); + +- r = overlayfs_paths_new(hierarchy, &op); ++ r = overlayfs_paths_new(hierarchy, workspace_path, &op); + if (r < 0) + return r; + +@@ -1538,7 +1553,7 @@ static int merge_subprocess( + + /* Create overlayfs mounts for all hierarchies */ + STRV_FOREACH(h, hierarchies) { +- _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL; ++ _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL, *merge_hierarchy_workspace = NULL; + + meta_path = path_join(workspace, "meta", *h); /* The place where to store metadata about this instance */ + if (!meta_path) +@@ -1548,6 +1563,11 @@ static int merge_subprocess( + if (!overlay_path) + return log_oom(); + ++ /* Temporary directory for merge_hierarchy needs, like ephemeral directories. */ ++ merge_hierarchy_workspace = path_join(workspace, "mh_workspace", *h); ++ if (!merge_hierarchy_workspace) ++ return log_oom(); ++ + r = merge_hierarchy( + image_class, + *h, +@@ -1555,7 +1575,8 @@ static int merge_subprocess( + extensions, + paths, + meta_path, +- overlay_path); ++ overlay_path, ++ merge_hierarchy_workspace); + if (r < 0) + return r; + } +@@ -2004,7 +2025,7 @@ static int verb_help(int argc, char **argv, void *userdata) { + " -h --help Show this help\n" + " --version Show package version\n" + "\n%3$sOptions:%4$s\n" +- " --mutable=yes|no|auto|import\n" ++ " --mutable=yes|no|auto|import|ephemeral\n" + " Specify a mutability mode of the merged hierarchy\n" + " --no-pager Do not pipe output into a pager\n" + " --no-legend Do not show the headers and footers\n" +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0018-sysext-Implement-ephemeral-import-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0018-sysext-Implement-ephemeral-import-mode.patch new file mode 100644 index 00000000000..f7bb30bcd99 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0018-sysext-Implement-ephemeral-import-mode.patch @@ -0,0 +1,237 @@ +From 027a767843fe235c74275d4358cef1b288e6c0df Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 28 Feb 2024 14:23:22 +0100 +Subject: [PATCH 18/20] sysext: Implement ephemeral import mode + +To enable it, use "ephemeral-import" either for mutable mode environment +variable or for value of "--mutable=" flag. + +This is a combination of "ephemeral" and "import" modes. It results in a +mutable hierarchy that includes contents of the mutable extension data, but the +modifications are thrown away when the hierarchy is unmerged. +--- + src/sysext/sysext.c | 123 +++++++++++++++++++++++++++++++++++++------- + 1 file changed, 104 insertions(+), 19 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index c88eb88706..fe01e9dac3 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -57,6 +57,7 @@ typedef enum MutableMode { + MUTABLE_AUTO, + MUTABLE_IMPORT, + MUTABLE_EPHEMERAL, ++ MUTABLE_EPHEMERAL_IMPORT, + _MUTABLE_MAX, + _MUTABLE_INVALID = -EINVAL, + } MutableMode; +@@ -76,6 +77,8 @@ static MutableMode arg_mutable = MUTABLE_NO; + /* Is set to IMAGE_CONFEXT when systemd is called with the confext functionality instead of the default */ + static ImageClass arg_image_class = IMAGE_SYSEXT; + ++static const char *mutable_extensions_base_dir = "/var/lib/extensions.mutable"; ++ + STATIC_DESTRUCTOR_REGISTER(arg_hierarchies, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_root, freep); + STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); +@@ -133,6 +136,9 @@ static int parse_mutable_mode(const char *p) { + if (streq(p, "ephemeral")) + return MUTABLE_EPHEMERAL; + ++ if (streq(p, "ephemeral-import")) ++ return MUTABLE_EPHEMERAL_IMPORT; ++ + r = parse_boolean(p); + if (r < 0) + return r; +@@ -764,7 +770,7 @@ static int resolve_mutable_directory( + char **ret_resolved_mutable_directory) { + + _cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL; +- const char *root = arg_root, *base = "/var/lib/extensions.mutable"; ++ const char *root = arg_root, *base = mutable_extensions_base_dir; + int r; + + assert(hierarchy); +@@ -776,7 +782,7 @@ static int resolve_mutable_directory( + return 0; + } + +- if (arg_mutable == MUTABLE_EPHEMERAL) { ++ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { + /* We create mutable directory inside the temporary tmpfs workspace, which is a fixed + * location that ignores arg_root. */ + root = NULL; +@@ -791,7 +797,7 @@ static int resolve_mutable_directory( + if (!path) + return log_oom(); + +- if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_EPHEMERAL)) { ++ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { + _cleanup_free_ char *path_in_root = NULL; + + path_in_root = path_join(root, path); +@@ -844,6 +850,83 @@ static int overlayfs_paths_new(const char *hierarchy, const char *workspace_path + return 0; + } + ++static int resolved_paths_equal(const char *resolved_a, const char *resolved_b) { ++ /* Returns true if paths are of the same entry, false if not, <0 on error. */ ++ ++ if (path_equal(resolved_a, resolved_b)) ++ return 1; ++ ++ if (!resolved_a || !resolved_b) ++ return 0; ++ ++ return inode_same(resolved_a, resolved_b, 0); ++} ++ ++static int maybe_import_mutable_directory(OverlayFSPaths *op) { ++ int r; ++ ++ assert(op); ++ ++ /* If importing mutable layer and it actually exists and is not a hierarchy itself, add it just below ++ * the meta path */ ++ ++ if (arg_mutable != MUTABLE_IMPORT || !op->resolved_mutable_directory) ++ return 0; ++ ++ r = resolved_paths_equal(op->resolved_hierarchy, op->resolved_mutable_directory); ++ if (r < 0) ++ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); ++ if (r > 0) { ++ log_debug("Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); ++ return 0; ++ } ++ ++ r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); ++ if (r < 0) ++ return log_oom(); ++ ++ return 0; ++} ++ ++static int maybe_import_ignored_mutable_directory(OverlayFSPaths *op) { ++ _cleanup_free_ char *dir_name = NULL, *path = NULL, *resolved_path = NULL; ++ int r; ++ ++ assert(op); ++ ++ /* If importing the ignored mutable layer and it actually exists and is not a hierarchy itself, add ++ * it just below the meta path */ ++ if (arg_mutable != MUTABLE_EPHEMERAL_IMPORT) ++ return 0; ++ ++ dir_name = hierarchy_as_single_path_component(op->hierarchy); ++ if (!dir_name) ++ return log_oom(); ++ ++ path = path_join(mutable_extensions_base_dir, dir_name); ++ if (!path) ++ return log_oom(); ++ ++ r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); ++ if (r < 0 && r != -ENOENT) ++ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); ++ ++ r = resolved_paths_equal(op->resolved_hierarchy, resolved_path); ++ if (r < 0) ++ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); ++ ++ if (r > 0) { ++ log_debug("Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); ++ return 0; ++ } ++ ++ r = strv_consume(&op->lower_dirs, TAKE_PTR(resolved_path)); ++ if (r < 0) ++ return log_oom(); ++ ++ return 0; ++} ++ + static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { + int r; + +@@ -855,12 +938,13 @@ static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { + if (r < 0) + return log_oom(); + +- /* If importing mutable layer and it actually exists, add it just below the meta path */ +- if (arg_mutable == MUTABLE_IMPORT && op->resolved_mutable_directory) { +- r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); +- if (r < 0) +- return r; +- } ++ r = maybe_import_mutable_directory(op); ++ if (r < 0) ++ return r; ++ ++ r = maybe_import_ignored_mutable_directory(op); ++ if (r < 0) ++ return r; + + return 0; + } +@@ -924,7 +1008,12 @@ static int hierarchy_as_lower_dir(OverlayFSPaths *op) { + } + + if (arg_mutable == MUTABLE_IMPORT) { +- log_debug("Mutability for host hierarchy '%s' is disabled, so it will be a lowerdir", op->resolved_hierarchy); ++ log_debug("Mutability for host hierarchy '%s' is disabled, so host hierarchy will be a lowerdir", op->resolved_hierarchy); ++ return 0; ++ } ++ ++ if (arg_mutable == MUTABLE_EPHEMERAL_IMPORT) { ++ log_debug("Mutability for host hierarchy '%s' is ephemeral, so host hierarchy will be a lowerdir", op->resolved_hierarchy); + return 0; + } + +@@ -933,13 +1022,9 @@ static int hierarchy_as_lower_dir(OverlayFSPaths *op) { + return 0; + } + +- if (path_equal(op->resolved_hierarchy, op->resolved_mutable_directory)) { +- log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); +- return 1; +- } +- r = inode_same(op->resolved_hierarchy, op->resolved_mutable_directory, 0); ++ r = resolved_paths_equal(op->resolved_hierarchy, op->resolved_mutable_directory); + if (r < 0) +- return log_error_errno(r, "Failed to check inode equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); ++ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); + if (r > 0) { + log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); + return 1; +@@ -959,7 +1044,7 @@ static int determine_bottom_lower_dirs(OverlayFSPaths *op) { + if (!r) { + r = strv_extend(&op->lower_dirs, op->resolved_hierarchy); + if (r < 0) +- return r; ++ return log_oom(); + } + + return 0; +@@ -1143,7 +1228,7 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co + return 0; + + /* Do not store work dir path for ephemeral mode, it will be gone once this process is done. */ +- if (arg_mutable == MUTABLE_EPHEMERAL) ++ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) + return 0; + + work_dir_in_root = path_startswith(work_dir, empty_to_root(arg_root)); +@@ -2025,7 +2110,7 @@ static int verb_help(int argc, char **argv, void *userdata) { + " -h --help Show this help\n" + " --version Show package version\n" + "\n%3$sOptions:%4$s\n" +- " --mutable=yes|no|auto|import|ephemeral\n" ++ " --mutable=yes|no|auto|import|ephemeral|ephemeral-import\n" + " Specify a mutability mode of the merged hierarchy\n" + " --no-pager Do not pipe output into a pager\n" + " --no-legend Do not show the headers and footers\n" +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0019-sysext-Actually-fail-the-whole-operation-if-sd-merge.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0019-sysext-Actually-fail-the-whole-operation-if-sd-merge.patch new file mode 100644 index 00000000000..abd4597a68d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0019-sysext-Actually-fail-the-whole-operation-if-sd-merge.patch @@ -0,0 +1,30 @@ +From 7b3f9900c2323331a3031600fa570ec56ee189e6 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 28 Feb 2024 15:41:46 +0100 +Subject: [PATCH 19/20] sysext: Actually fail the whole operation if sd-merge + worker failed + +This also fixes a wrong merge failure check. +--- + src/sysext/sysext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index fe01e9dac3..731467d13f 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -1729,9 +1729,10 @@ static int merge(ImageClass image_class, + r = wait_for_terminate_and_check("(sd-merge)", pid, WAIT_LOG_ABNORMAL); + if (r < 0) + return r; +- + if (r == 123) /* exit code 123 means: didn't do anything */ + return 0; ++ if (r > 0) ++ return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "Failed to merge hierarchies"); + + r = need_reload(image_class, hierarchies, no_reload); + if (r < 0) +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0020-sysext-Fail-when-trying-to-import-mutable-layer-that.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0020-sysext-Fail-when-trying-to-import-mutable-layer-that.patch new file mode 100644 index 00000000000..75769deb61e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0020-sysext-Fail-when-trying-to-import-mutable-layer-that.patch @@ -0,0 +1,43 @@ +From 90826d07ddee913adacf41205d6630036ea17c75 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 28 Feb 2024 16:34:05 +0100 +Subject: [PATCH 20/20] sysext: Fail when trying to import mutable layer that's + a symlink to hierarchy + +--- + src/sysext/sysext.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 731467d13f..378779cff8 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -876,10 +876,8 @@ static int maybe_import_mutable_directory(OverlayFSPaths *op) { + r = resolved_paths_equal(op->resolved_hierarchy, op->resolved_mutable_directory); + if (r < 0) + return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); +- if (r > 0) { +- log_debug("Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); +- return 0; +- } ++ if (r > 0) ++ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); + + r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); + if (r < 0) +@@ -915,10 +913,8 @@ static int maybe_import_ignored_mutable_directory(OverlayFSPaths *op) { + if (r < 0) + return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); + +- if (r > 0) { +- log_debug("Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); +- return 0; +- } ++ if (r > 0) ++ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); + + r = strv_consume(&op->lower_dirs, TAKE_PTR(resolved_path)); + if (r < 0) +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset new file mode 100644 index 00000000000..d2545d5d1d1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset @@ -0,0 +1,2 @@ +# Do not enable any services if /etc is detected as empty. +disable * diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf deleted file mode 100644 index 91dbe757f9f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/nsswitch.conf +++ /dev/null @@ -1,27 +0,0 @@ -# Sample nss configuration for systemd - -# systemd-specific modules -# See the manual pages fore further information. -# nss-myhostname - host resolution for the local hostname -# nss-mymachines - host, user, group resolution for containers -# nss-resolve - host resolution using resolved -# nss-systemd - dynamic user/group resolution (DynamicUser in unit files) - -passwd: files mymachines systemd -shadow: files -group: files mymachines systemd -gshadow: files - -hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname -networks: files - -services: db files -protocols: db files -rpc: db files -ethers: db files -netmasks: files -netgroup: files -bootparams: files - -automount: files -aliases: files diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf new file mode 100644 index 00000000000..2b72383153a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf @@ -0,0 +1,10 @@ +# The list of directories is taken from Gentoo ebuild, where they use +# keepdir. The list isn't sorted, but tries to preserve the order of +# keepdir lines from Gentoo ebuild for easier comparisons. We skip the +# directories in /usr, though. +d /var/lib/systemd - - - - - +d /var/log/journal - - - - - +d /etc/sysctl.d - - - - - + +# This seems to be our own addition. +d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf new file mode 100644 index 00000000000..32b7e9d2144 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf @@ -0,0 +1,2 @@ +d /run/systemd/network - - - - - +L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam deleted file mode 100644 index 38ae3211f8d..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-user.pam +++ /dev/null @@ -1,5 +0,0 @@ -account include system-auth - -session required pam_loginuid.so -session include system-auth -session optional pam_systemd.so diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.4.ebuild index c1d288b695d..fbb10347c20 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.4.ebuild @@ -25,12 +25,13 @@ else SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" if [[ ${PV} != *rc* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + # Flatcar: mark as stable + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" fi fi inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 -inherit secureboot systemd toolchain-funcs udev +inherit secureboot systemd tmpfiles toolchain-funcs udev DESCRIPTION="System and service manager for Linux" HOMEPAGE="http://systemd.io/" @@ -101,6 +102,11 @@ DEPEND="${COMMON_DEPEND} PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' # baselayout-2.2 has /run +# +# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use +# flag). The image stage fails with "Failed to resolve +# typeattributeset statement at +# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 @@ -129,13 +135,13 @@ RDEPEND="${COMMON_DEPEND} >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 >=sys-apps/baselayout-2.2 + sys-apps/kbd ukify? ( ${PYTHON_DEPS} $(python_gen_cond_dep "${PEFILE_DEPEND}") ) selinux? ( sec-policy/selinux-base-policy[systemd] - sec-policy/selinux-ntp ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] @@ -184,11 +190,6 @@ QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" QA_EXECSTACK="usr/lib/systemd/boot/efi/*" pkg_pretend() { - if use split-usr; then - eerror "Please complete the migration to merged-usr." - eerror "https://wiki.gentoo.org/wiki/Merge-usr" - die "systemd no longer supports split-usr" - fi if [[ ${MERGE_TYPE} != buildonly ]]; then if use test && has pid-sandbox ${FEATURES}; then ewarn "Tests are known to fail with PID sandboxing enabled." @@ -249,6 +250,28 @@ src_unpack() { src_prepare() { local PATCHES=( "${FILESDIR}"/255-install-format-overflow.patch + # Flatcar: Adding our own patches here. + "${FILESDIR}/0001-wait-online-set-any-by-default.patch" + "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" + "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" + # Flatcar: These can be dropped when updating to 256. + "${FILESDIR}/0008-mount-util-Add-a-helper-for-remounting-a-bind-mount.patch" + "${FILESDIR}/0009-sysext-Do-not-log-failed-unmount-error-again.patch" + "${FILESDIR}/0010-sysext-Factor-out-adding-overlayfs-option.patch" + "${FILESDIR}/0011-sysext-Refactor-the-merge-hierarchy-code.patch" + "${FILESDIR}/0012-sysext-Add-minimal-support-for-optional-mutability-f.patch" + "${FILESDIR}/0013-sysext-Add-mutable-mode-flag.patch" + "${FILESDIR}/0014-sysext-Move-parsing-mutable-mode-to-a-separate-funct.patch" + "${FILESDIR}/0015-sysext-Add-support-for-mutable-mode-environment-vari.patch" + "${FILESDIR}/0016-sysext-Add-missing-mutable-mode-in-help-output.patch" + "${FILESDIR}/0017-sysext-Implement-ephemeral-mode.patch" + "${FILESDIR}/0018-sysext-Implement-ephemeral-import-mode.patch" + "${FILESDIR}/0019-sysext-Actually-fail-the-whole-operation-if-sd-merge.patch" + "${FILESDIR}/0020-sysext-Fail-when-trying-to-import-mutable-layer-that.patch" ) if ! use vanilla; then @@ -258,6 +281,23 @@ src_prepare() { ) fi + # Fails with split-usr. + sed -i -e '2i exit 77' test/test-rpm-macros.sh || die + + # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., + # CoreDNS which has dnsPolicy "default", but unless the + # kubelet --resolv-conf flag is set to point to + # /run/systemd/resolve/resolv.conf this won't work with + # /etc/resolv.conf pointing to + # /run/systemd/resolve/stub-resolv.conf which configures + # 127.0.0.53. See + # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + # This means that users who need split DNS to work should + # point /etc/resolv.conf back to + # /run/systemd/resolve/stub-resolv.conf (and if using K8s + # configure the kubelet resolvConf variable/--resolv-conf flag + # to /run/systemd/resolve/resolv.conf). + sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die default } @@ -270,16 +310,28 @@ src_configure() { multilib-minimal_src_configure } +# Flatcar: Our function, we use it in some places below. +get_rootprefix() { + usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" +} multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" - # default is developer, bug 918671 -Dmode=release - -Dsupport-url="https://gentoo.org/support/" + # Flatcar: Point to our user mailing list. + -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" - -Dsplit-bin=false + $(meson_use split-usr) + # Flatcar: Always set split-bin to true, we always + # have separate bin and sbin directories + -Dsplit-bin=true + # Flatcar: Use get_rootprefix. No functional change + # from upstream, just refactoring the common code used + # in some places. + -Drootprefix="$(get_rootprefix)" + -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" # Disable compatibility with sysvinit -Dsysvinit-path= -Dsysvrcnd-path= @@ -329,9 +381,11 @@ multilib_src_configure() { $(meson_native_use_bool test dbus) $(meson_native_use_bool ukify) $(meson_native_use_bool xkb xkbcommon) - -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Flatcar: Use our ntp servers. + -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false + # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options @@ -355,6 +409,42 @@ multilib_src_configure() { $(meson_native_true tmpfiles) $(meson_native_true vconsole) $(meson_native_enabled vmspawn) + # Flatcar: Specify this, or meson breaks due to no + # /etc/login.defs. + -Dsystem-gid-max=999 + -Dsystem-uid-max=999 + + # Flatcar: DBus paths. + -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" + -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" + + # Flatcar: PAM config directory. + -Dpamconfdir=/usr/share/pam.d + + # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC + # 2013. Used by timesyncd as a sanity check for the + # minimum acceptable time. Explicitly set to avoid + # using the current build time. + -Dtime-epoch=1372636800 + + # Flatcar: No default name servers. + -Ddns-servers= + + # Flatcar: Disable the "First Boot Wizard", it isn't + # very applicable to us. + -Dfirstboot=false + + # Flatcar: Set latest network interface naming scheme + # for https://github.com/flatcar/Flatcar/issues/36 + -Ddefault-net-naming-scheme=latest + + # Flatcar: Combined log format: name plus description + -Dstatus-unit-format-default=combined + + # Flatcar: Unported options, still needed? + -Dquotaon-path=/usr/sbin/quotaon + -Dquotacheck-path=/usr/sbin/quotacheck + -Ddefault-mdns=no ) meson_src_configure "${myconf[@]}" @@ -367,11 +457,16 @@ multilib_src_test() { } multilib_src_install_all() { + # Flatcar: We always have bin separate from sbin + # local sbin=$(usex split-usr sbin bin) + local sbin='sbin' # meson doesn't know about docdir mv "${ED}"/usr/share/doc/{systemd,${PF}} || die einstalldocs - dodoc "${FILESDIR}"/nsswitch.conf + # Flatcar: Do not install sample nsswitch.conf, we don't + # provide it. + # dodoc "${FILESDIR}"/nsswitch.conf insinto /usr/lib/tmpfiles.d doins "${FILESDIR}"/legacy.conf @@ -389,6 +484,8 @@ multilib_src_install_all() { # https://bugs.gentoo.org/761763 rm -r "${ED}"/usr/lib/sysusers.d || die + # Flatcar: Upstream uses keepdir commands to keep some empty + # directories. We use tmpfiles. # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} keepdir /etc/kernel/install.d @@ -397,25 +494,134 @@ multilib_src_install_all() { keepdir /etc/udev/hwdb.d - keepdir /usr/lib/systemd/{system-sleep,system-shutdown} - keepdir /usr/lib/{binfmt.d,modules-load.d} - keepdir /usr/lib/systemd/user-generators - keepdir /var/lib/systemd - keepdir /var/log/journal + # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + # keepdir /usr/lib/{binfmt.d,modules-load.d} + # keepdir /usr/lib/systemd/user-generators + # keepdir /var/lib/systemd + # keepdir /var/log/journal - if use pam; then - newpamd "${FILESDIR}"/systemd-user.pam systemd-user - fi + # if use pam; then + # newpamd "${FILESDIR}"/systemd-user.pam systemd-user + # fi if use kernel-install; then # Dummy config, remove to make room for sys-kernel/installkernel rm "${ED}/usr/lib/kernel/install.conf" || die fi + # Flatcar: Ensure journal directory has correct ownership/mode + # in inital image. This is fixed by systemd-tmpfiles *but* + # journald starts before that and will create the journal if + # the filesystem is already read-write. Conveniently the + # systemd Makefile sets this up completely wrong. + # + # Flatcar: TODO: Is this still a problem? + dodir /var/log/journal + fowners root:systemd-journal /var/log/journal + fperms 2755 /var/log/journal + + # Flatcar: Don't prune systemd dirs. + dotmpfiles "${FILESDIR}"/systemd-flatcar.conf + # Flatcar: Add tmpfiles rule for resolv.conf. This path has + # changed after v213 so it must be handled here instead of + # baselayout now. + dotmpfiles "${FILESDIR}"/systemd-resolv.conf + + # Flatcar: Don't default to graphical.target. + local unitdir=$(builddir_systemd_get_systemunitdir) + dosym multi-user.target "${unitdir}"/default.target + + # Flatcar: Don't set any extra environment variables by default. + rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + + # Flatcar: These lines more or less follow the systemd's + # preset file (90-systemd.preset). We do it that way, to avoid + # putting symlinks in /etc. Please keep the lines in the same + # order as the "enable" lines appear in the preset file. For a + # single enable line in preset, there may be more lines if the + # unit file had Also: clause which has units we enable here + # too. + + # Flatcar: enable remote-fs.target + builddir_systemd_enable_service multi-user.target remote-fs.target + # Flatcar: enable remote-cryptsetup.target + if use cryptsetup; then + builddir_systemd_enable_service multi-user.target remote-cryptsetup.target + fi + # Flatcar: enable machines.target + builddir_systemd_enable_service multi-user.target machines.target + # Flatcar: enable getty@.service + dodir "${unitdir}/getty.target.wants" + dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" + # Flatcar: enable systemd-timesyncd.service + builddir_systemd_enable_service sysinit.target systemd-timesyncd.service + # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) + builddir_systemd_enable_service multi-user.target systemd-networkd.service + builddir_systemd_enable_service sockets.target systemd-networkd.socket + builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service + # Flatcar: enable systemd-network-generator.service + builddir_systemd_enable_service sysinit.target systemd-network-generator.service + # Flatcar: enable systemd-resolved.service + builddir_systemd_enable_service multi-user.target systemd-resolved.service + # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) + if use homed; then + builddir_systemd_enable_service multi-user.target systemd-homed.target + fi + # Flatcar: enable systemd-userdbd.socket + builddir_systemd_enable_service sockets.target systemd-userdbd.socket + # Flatcar: enable systemd-pstore.service + builddir_systemd_enable_service sysinit.target systemd-pstore.service + # Flatcar: enable systemd-boot-update.service + if use boot; then + builddir_systemd_enable_service sysinit.target systemd-boot-update.service + fi + # Flatcar: enable reboot.target (not enabled - has no WantedBy + # entry) + + # Flatcar: enable systemd-sysext.service by default + builddir_systemd_enable_service sysinit.target systemd-sysext.service + + # Flatcar: Use an empty preset file, because systemctl + # preset-all puts symlinks in /etc, not in /usr. We don't use + # /etc, because it is not autoupdated. We do the "preset" above. + rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die + insinto /usr/lib/systemd/system-preset + doins "${FILESDIR}"/99-default.preset + + # Flatcar: Do not ship distro-specific files (nsswitch.conf + # pam.d). This conflicts with our own configuration provided + # by baselayout. + rm -rf "${ED}"/usr/share/factory + sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ + -e '/^C!* \/etc\/nsswitch\.conf/d' \ + -e '/^C!* \/etc\/pam\.d/d' \ + -e '/^C!* \/etc\/issue/d' use ukify && python_fix_shebang "${ED}" use boot && secureboot_auto_sign } +# Flatcar: Our own version of systemd_get_systemunitdir, that returns +# a path inside /usr, not /etc. +builddir_systemd_get_systemunitdir() { + echo "$(get_rootprefix)/lib/systemd/system" +} + +# Flatcar: Our own version of systemd_enable_service, that does +# operations inside /usr, not /etc. +builddir_systemd_enable_service() { + local target=${1} + local service=${2} + local ud=$(builddir_systemd_get_systemunitdir) + local destname=${service##*/} + + dodir "${ud}"/"${target}".wants && \ + dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" + + if use boot; then + python_fix_shebang "${ED}" + secureboot_auto_sign + fi +} migrate_locale() { local envd_locale_def="${EROOT}/etc/env.d/02locale" local envd_locale=( "${EROOT}"/etc/env.d/??locale ) @@ -466,6 +672,21 @@ pkg_preinst() { dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf fi + if ! use split-usr; then + local dir + # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. + for dir in bin sbin lib; do + if [[ ! -L ${EROOT}/${dir} ]]; then + eerror "'${EROOT}/${dir}' is not a symbolic link." + FAIL=1 + fi + done + if [[ ${FAIL} ]]; then + eerror "Migration to system layout with merged directories must be performed before" + eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." + die "System layout with split directories still used" + fi + fi if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." @@ -485,13 +706,15 @@ pkg_postinst() { # between OpenRC & systemd migrate_locale - if [[ -z ${REPLACING_VERSIONS} ]]; then - if type systemctl &>/dev/null; then - systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - fi - elog "To enable a useful set of services, run the following:" - elog " systemctl preset-all --preset-mode=enable-only" - fi + # Flatcar: We enable getty and remote-fs targets in /usr + # ourselves above. + # if [[ -z ${REPLACING_VERSIONS} ]]; then + # if type systemctl &>/dev/null; then + # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + # fi + # elog "To enable a useful set of services, run the following:" + # elog " systemctl preset-all --preset-mode=enable-only" + # fi if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync"