overlay sys-apps/systemd: Apply Flatcar modifications
Signed-off-by: Adrian Vladu <[email protected]>
Showing
14 changed files
with
1,921 additions
and
59 deletions.
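--- a/...ird_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch
+++ b/...ird_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch
@@ -0,0 +1,32 @@
+From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001
+From: David Michael <[email protected]>
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/8] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring. There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default. See patches from v241 (or
+earlier) for the original implementation.
+---
+src/network/wait-online/wait-online.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index 5328bba2d8..95294df607 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
+static char **arg_ignore = NULL;
+static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
+-static bool arg_any = false;
++static bool arg_any = true;
+
+STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+--
+2.34.1
+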
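Review bot: Flipping the initializer of `arg_any` to true leaves no way to ask for the upstream wait-for-all behaviour, because the only switch visible here is `--any` itself; if the option parser (outside the hunk) offers no negating flag, units that genuinely need every configured link up before network-online.target lose that guarantee, and a service bound to a second interface (management or storage path) may start while that link is still configuring. The systemd-networkd-wait-online(8) text and the `--help` output are not touched by the patch and will still describe `--any` as opt-in. A comment on the changed line keeps the divergence visible on each rebase: `static bool arg_any = true; /* Flatcar: --any by default for Container Linux compatibility */`.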
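--- a/...overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch
+++ b/...overlay/sys-apps/systemd/files/0002-networkd-default-to-kernel-IPForwarding-setting.patch
@@ -0,0 +1,24 @@
+From e3fd50ec704b5d48e9d756c1cc5c40e72b7d1fa4 Mon Sep 17 00:00:00 2001
+From: Nick Owens <[email protected]>
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting
+
+---
+src/network/networkd-network.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index dcd3e5ae12..2ae481d1ec 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -461,6 +461,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+.link_local = _ADDRESS_FAMILY_INVALID,
+.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+
++ .ip_forward = _ADDRESS_FAMILY_INVALID,
+.ipv4_accept_local = -1,
+.ipv4_route_localnet = -1,
+.ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID,
+--
+2.34.1
+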
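Review bot: The `.ip_forward = _ADDRESS_FAMILY_INVALID` initializer changes a security-relevant default — whether a host forwards packets between interfaces — yet the commit body is empty and the systemd.network(5) description of `IPForward=` is not part of the patch, so the man page on the image will still state the upstream default. Presumably the invalid value makes networkd leave the forwarding sysctl untouched unless `IPForward=` is set explicitly; that intent should be stated on the line, e.g. `.ip_forward = _ADDRESS_FAMILY_INVALID, /* Flatcar: keep the kernel/sysctl value unless IPForward= is set */`, and in one sentence in the patch body. `network_load_one` starts and ends outside the hunk.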
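--- a/...s-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch
+++ b/...s-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch
@@ -0,0 +1,58 @@
+From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001
+From: Alex Crawford <[email protected]>
+Date: Wed, 2 Mar 2016 10:46:33 -0800
+Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
+
+Updates should be triggered whenever usr changes, not only when it is newer.
+---
+man/systemd-update-done.service.xml | 2 +-
+src/shared/condition.c | 6 +++---
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
+index 3393010ff6..5478baca25 100644
+--- a/man/systemd-update-done.service.xml
++++ b/man/systemd-update-done.service.xml
+@@ -50,7 +50,7 @@
+<varname>ConditionNeedsUpdate=</varname> (see
+<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+condition to make sure to run when <filename>/etc/</filename> or
+- <filename>/var/</filename> are older than <filename>/usr/</filename>
++ <filename>/var/</filename> aren't the same age as <filename>/usr/</filename>
+according to the modification times of the files described above.
+This requires that updates to <filename>/usr/</filename> are always
+followed by an update of the modification time of
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index d3446e8a9d..3f7cc9ea58 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+* First, compare seconds as they are always accurate...
+*/
+if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
+- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
++ return true;
+
+/*
+* ...then compare nanoseconds.
+@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+* (otherwise the filesystem supports nsec timestamps, see stat(2)).
+*/
+if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
+- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;
+
+_cleanup_free_ char *timestamp_str = NULL;
+r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str);
+@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+return true;
+}
+
+- return timespec_load_nsec(&usr.st_mtim) > timestamp;
++ return timespec_load_nsec(&usr.st_mtim) != timestamp;
+}
+
+static bool in_first_boot(void) {
+--
+2.34.1
+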
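Review bot: The three comparisons in `condition_test_needs_update` now fire on any mtime difference rather than only when /usr is newer, which is the stated goal (a rollback to an older /usr must also re-run the update units), but the `>`-era comment block above the first hunk (`First, compare seconds as they are always accurate...`) is left as is and nothing in the code says that equality is now the only "up to date" state. A one-line comment at the first changed return, `return true; /* Flatcar: any change to /usr, including a rollback, counts as an update */`, would record that. The patch updates systemd-update-done.service(8) but, if systemd.unit(5) also describes `ConditionNeedsUpdate=` in "newer than" terms, that page is not touched and will disagree with the new semantics. The function starts and ends outside the hunks.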
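--- a/...d_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch
+++ b/...d_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch
@@ -0,0 +1,64 @@
+From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <[email protected]>
+Date: Fri, 16 Feb 2024 11:22:08 +0000
+Subject: [PATCH 4/8] core: use max for DefaultTasksMax
+
+Since systemd v228, systemd has a DefaultTasksMax which defaulted
+to 512, later 15% of the system's maximum number of PIDs. This
+limit is low and a change in behavior that people running services
+in containers will hit frequently, so revert to previous behavior.
+
+Though later the TasksMax was changed in the a dynamic property to
+accommodate stale values.
+
+This change is built on previous patch by David Michael(dm0-).
+
+Signed-off-by: Adrian Vladu <[email protected]>
+---
+man/systemd-system.conf.xml | 2 +-
+src/core/manager.c | 2 +-
+src/core/system.conf.in | 2 +-
+3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index 3c06b65f93..71f38692b6 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -501,7 +501,7 @@
+<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
+<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+for details. This setting applies to all unit types that support resource control settings, with the exception
+- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
++ of slice units. Defaults to 100% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+and root cgroup <varname>pids.max</varname>.
+Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
+For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 88eebfc626..8992c8c3e3 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -114,7 +114,7 @@
+/* How many units and jobs to process of the bus queue before returning to the event loop. */
+#define MANAGER_BUS_MESSAGE_BUDGET 100U
+
+-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */
++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */
+
+static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
+static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 05eb681270..94d0365244 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -58,7 +58,7 @@
+#DefaultIPAccounting=no
+#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
+#DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=100%
+#DefaultLimitCPU=
+#DefaultLimitFSIZE=
+#DefaultLimitDATA=
+--
+2.34.1
+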
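Review bot: The new `DEFAULT_TASKS_MAX` line still carries the old trailing comment `/* 15% */` although the value is now 100%, and the man page paragraph two lines below the edited sentence still says `DefaultTasksMax=` "defaults to 4915" (the 15% figure for the default pid_max), so both the code comment and the example are now wrong; the manager.c line should read `#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 100% */` and the 4915 example needs the matching number or removal. Raising the default to the full PID budget also removes the per-unit bound that kept one runaway service from exhausting the PID space for the rest of the host, which the commit accepts but does not spell out; a sentence in the patch body advising that units running untrusted or self-forking workloads set `TasksMax=` explicitly would give operators the mitigation.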
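--- a/...reos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch
+++ b/...reos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch
@@ -0,0 +1,29 @@
+From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <[email protected]>
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+src/core/selinux-access.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index 62181a6309..448f9211d6 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+
+#include "selinux-access.h"
+
+-#if HAVE_SELINUX
++#if 0
+
+#include <errno.h>
+#include <selinux/avc.h>
+--
+2.34.1
+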
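Review bot: `#if 0` compiles out the whole SELinux access-check implementation for PID 1's D-Bus interface with no explanation at the source site, so the only record of why is the patch header, and a rebase that resolves the hunk by hand will keep it without anyone re-evaluating it; a comment on the line, `#if 0 /* Flatcar: SELinux confines containers only; host-side systemd access checks intentionally disabled */`, keeps the decision visible. It also relies on the `#else` branch (outside the hunk) providing the permissive stub upstream ships for builds without libselinux — worth stating in the patch body. From a detection standpoint, these operations will no longer produce AVC records in the audit log, so authorization for unit management now rests on polkit and DAC alone; that consequence belongs in the commit message alongside the rationale.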
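--- a/...verlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
+++ b/...verlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch
@@ -0,0 +1,95 @@
+From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury <[email protected]>
+Date: Fri, 16 Dec 2022 16:28:26 +0530
+Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+
+This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
+
+This is to work around a SELinux denial that happens when setting up standard
+input for serial consoles (which is used for SSH connections).
+
+Signed-off-by: Sayan Chowdhury <[email protected]>
+---
+units/console-getty.service.in | 4 +---
+units/[email protected] | 4 +---
+units/[email protected] | 4 +---
+units/[email protected] | 4 +---
+4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/units/console-getty.service.in b/units/console-getty.service.in
+index d64112be5e..b908708d8c 100644
+--- a/units/console-getty.service.in
++++ b/units/console-getty.service.in
+@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
+[Service]
+# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
+# followed by '--' for safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
+Type=idle
+Restart=always
+UtmpIdentifier=cons
+-StandardInput=tty
+-StandardOutput=tty
+TTYPath=/dev/console
+TTYReset=yes
+TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index 8847d735fb..8be25663f5 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -27,13 +27,11 @@ Before=rescue.service
+[Service]
+# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
+# followed by '--' for safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
+Type=idle
+Restart=always
+RestartSec=0
+UtmpIdentifier=pts/%I
+-StandardInput=tty
+-StandardOutput=tty
+TTYPath=/dev/pts/%I
+TTYReset=yes
+TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index 80b8f3e922..b57666c123 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
+# The '-o' option value tells agetty to replace 'login' arguments with an
+# option to preserve environment (-p), followed by '--' for safety, and then
+# the entered username.
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
++ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
+Type=idle
+Restart=always
+RestartSec=0
+UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index 6bf101eac9..479b8759a9 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -33,12 +33,10 @@ Before=rescue.service
+# The '-o' option value tells agetty to replace 'login' arguments with an
+# option to preserve environment (-p), followed by '--' for safety, and then
+# the entered username.
+-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
++ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
+Type=idle
+Restart=always
+UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+--
+2.34.1
+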
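Review bot: The revert is carried purely as a workaround for an SELinux denial, but the patch body names neither the denied operation nor the domain and type involved, so there is nothing a later maintainer can use to replace the revert with a policy allow rule, and the four units will diverge from upstream indefinitely; recording the AVC message in the patch body would make it fixable. The phrase "serial consoles (which is used for SSH connections)" also reads oddly, since SSH sessions do not go through serial-getty — if the denial was observed on a different unit, naming it would help. In each unit a comment above `ExecStart=`, e.g. `# Flatcar: tty passed on the command line instead of via StandardInput=tty (SELinux workaround)`, would make the divergence visible at the next rebase.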
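--- a/...coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch
+++ b/...coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch
@@ -0,0 +1,42 @@
+From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <[email protected]>
+Date: Fri, 16 Feb 2024 11:29:04 +0000
+Subject: [PATCH 7/8] units: Keep using old journal file format
+
+Systemd 252 made an incompatible change in journal file format. Temporarily
+force journald to use the old journal format to give logging containers more
+time to adapt to the new format.
+
+Signed-off-by: Adrian Vladu <[email protected]>
+---
+units/systemd-journald.service.in | 1 +
+units/[email protected] | 1 +
+2 files changed, 2 insertions(+)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index 37eeabc510..e5030a81bd 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes
+
+[Service]
+DeviceAllow=char-* rw
++Environment=SYSTEMD_JOURNAL_COMPACT=0
+ExecStart={{LIBEXECDIR}}/systemd-journald
+FileDescriptorStoreMax=4224
+IPAddressDeny=any
+diff --git a/units/[email protected] b/units/[email protected]
+index c3bcb08533..8780783cf6 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target
+[Service]
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+DevicePolicy=closed
++Environment=SYSTEMD_JOURNAL_COMPACT=0
+ExecStart={{LIBEXECDIR}}/systemd-journald %i
+FileDescriptorStoreMax=4224
+Group=systemd-journal
+--
+2.34.1
+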
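Review bot: `Environment=SYSTEMD_JOURNAL_COMPACT=0` is described in the patch body as temporary, but nothing in either unit records that or the condition for removing it, so the next reader of the unit file sees an unexplained environment override; a comment above the line in both units, `# Flatcar: keep the pre-v252 journal file format until log shippers handle compact files; remove afterwards`, carries the intent with the setting. The commit could also state which consumers the format change broke, since that is the exit criterion. If any other component on the image writes journal files (systemd-journal-remote, if it is shipped), it is not covered by these two units and would presumably still produce the new format.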