Skip to content

Commit

Permalink
overlay sys-apps/systemd: Apply Flatcar modifications
Browse files Browse the repository at this point in the history
Signed-off-by: Adrian Vladu <[email protected]>
  • Loading branch information
krnowak authored and ader1990 committed Jul 3, 2024
1 parent 5081a66 commit 632c448
Show file tree
Hide file tree
Showing 14 changed files with 1,921 additions and 59 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001
From: David Michael <[email protected]>
Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH 1/8] wait-online: set --any by default

The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are
still configuring. There is a new flag --any to change this.

Preserve previous Container Linux behavior for compatibility by
setting the --any flag by default. See patches from v241 (or
earlier) for the original implementation.
---
src/network/wait-online/wait-online.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
index 5328bba2d8..95294df607 100644
--- a/src/network/wait-online/wait-online.c
+++ b/src/network/wait-online/wait-online.c
@@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
static char **arg_ignore = NULL;
static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
-static bool arg_any = false;
+static bool arg_any = true;

STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
From e3fd50ec704b5d48e9d756c1cc5c40e72b7d1fa4 Mon Sep 17 00:00:00 2001
From: Nick Owens <[email protected]>
Date: Tue, 2 Jun 2015 18:22:32 -0700
Subject: [PATCH 2/8] networkd: default to "kernel" IPForwarding setting

---
src/network/networkd-network.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index dcd3e5ae12..2ae481d1ec 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -461,6 +461,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,

+ .ip_forward = _ADDRESS_FAMILY_INVALID,
.ipv4_accept_local = -1,
.ipv4_route_localnet = -1,
.ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID,
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001
From: Alex Crawford <[email protected]>
Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 3/8] needs-update: don't require strictly newer usr

Updates should be triggered whenever usr changes, not only when it is newer.
---
man/systemd-update-done.service.xml | 2 +-
src/shared/condition.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
index 3393010ff6..5478baca25 100644
--- a/man/systemd-update-done.service.xml
+++ b/man/systemd-update-done.service.xml
@@ -50,7 +50,7 @@
<varname>ConditionNeedsUpdate=</varname> (see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
condition to make sure to run when <filename>/etc/</filename> or
- <filename>/var/</filename> are older than <filename>/usr/</filename>
+ <filename>/var/</filename> aren't the same age as <filename>/usr/</filename>
according to the modification times of the files described above.
This requires that updates to <filename>/usr/</filename> are always
followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c
index d3446e8a9d..3f7cc9ea58 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate...
*/
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec;
+ return true;

/*
* ...then compare nanoseconds.
@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec;
+ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec;

_cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true;
}

- return timespec_load_nsec(&usr.st_mtim) > timestamp;
+ return timespec_load_nsec(&usr.st_mtim) != timestamp;
}

static bool in_first_boot(void) {
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <[email protected]>
Date: Fri, 16 Feb 2024 11:22:08 +0000
Subject: [PATCH 4/8] core: use max for DefaultTasksMax

Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This
limit is low and a change in behavior that people running services
in containers will hit frequently, so revert to previous behavior.

Though later the TasksMax was changed in the a dynamic property to
accommodate stale values.

This change is built on previous patch by David Michael(dm0-).

Signed-off-by: Adrian Vladu <[email protected]>
---
man/systemd-system.conf.xml | 2 +-
src/core/manager.c | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 3c06b65f93..71f38692b6 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -501,7 +501,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+ of slice units. Defaults to 100% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/manager.c b/src/core/manager.c
index 88eebfc626..8992c8c3e3 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -114,7 +114,7 @@
/* How many units and jobs to process of the bus queue before returning to the event loop. */
#define MANAGER_BUS_MESSAGE_BUDGET 100U

-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */

static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 05eb681270..94d0365244 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -58,7 +58,7 @@
#DefaultIPAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=100%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <[email protected]>
Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks

We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy
support. This has no impact on our SELinux use-case, which is purely intended
to limit containers and not anything running directly on the host.
---
src/core/selinux-access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 62181a6309..448f9211d6 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@

#include "selinux-access.h"

-#if HAVE_SELINUX
+#if 0

#include <errno.h>
#include <selinux/avc.h>
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <[email protected]>
Date: Fri, 16 Dec 2022 16:28:26 +0530
Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"

This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.

This is to work around a SELinux denial that happens when setting up standard
input for serial consoles (which is used for SSH connections).

Signed-off-by: Sayan Chowdhury <[email protected]>
---
units/console-getty.service.in | 4 +---
units/[email protected] | 4 +---
units/[email protected] | 4 +---
units/[email protected] | 4 +---
4 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index d64112be5e..b908708d8c 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
# followed by '--' for safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM
Type=idle
Restart=always
UtmpIdentifier=cons
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/console
TTYReset=yes
TTYVHangup=yes
diff --git a/units/[email protected] b/units/[email protected]
index 8847d735fb..8be25663f5 100644
--- a/units/[email protected]
+++ b/units/[email protected]
@@ -27,13 +27,11 @@ Before=rescue.service
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p),
# followed by '--' for safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=pts/%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/pts/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/[email protected] b/units/[email protected]
index 80b8f3e922..b57666c123 100644
--- a/units/[email protected]
+++ b/units/[email protected]
@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/[email protected] b/units/[email protected]
index 6bf101eac9..479b8759a9 100644
--- a/units/[email protected]
+++ b/units/[email protected]
@@ -33,12 +33,10 @@ Before=rescue.service
# The '-o' option value tells agetty to replace 'login' arguments with an
# option to preserve environment (-p), followed by '--' for safety, and then
# the entered username.
-ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM
Type=idle
Restart=always
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
--
2.34.1

Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <[email protected]>
Date: Fri, 16 Feb 2024 11:29:04 +0000
Subject: [PATCH 7/8] units: Keep using old journal file format

Systemd 252 made an incompatible change in journal file format. Temporarily
force journald to use the old journal format to give logging containers more
time to adapt to the new format.

Signed-off-by: Adrian Vladu <[email protected]>
---
units/systemd-journald.service.in | 1 +
units/[email protected] | 1 +
2 files changed, 2 insertions(+)

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 37eeabc510..e5030a81bd 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes

[Service]
DeviceAllow=char-* rw
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{LIBEXECDIR}}/systemd-journald
FileDescriptorStoreMax=4224
IPAddressDeny=any
diff --git a/units/[email protected] b/units/[email protected]
index c3bcb08533..8780783cf6 100644
--- a/units/[email protected]
+++ b/units/[email protected]
@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
DevicePolicy=closed
+Environment=SYSTEMD_JOURNAL_COMPACT=0
ExecStart={{LIBEXECDIR}}/systemd-journald %i
FileDescriptorStoreMax=4224
Group=systemd-journal
--
2.34.1

Loading

0 comments on commit 632c448

Please sign in to comment.