@octo-sts (bot, Contributor) commented Dec 18, 2025

Commit: 9ca433482f2281d71718718705ca8cd3bf562ad6

Note: If you need to make manual changes to this PR, apply the skip:staging-update-bot label so the reconciler won't overwrite them.

@octo-sts (bot) added the automated pr, request-version-update (request for a newer version of a package), and systemd labels Dec 18, 2025

@octo-sts (bot, Contributor, Author) commented Dec 18, 2025

🩹 Build Failed: Patch Application Failed

Hunk #1 FAILED at 90.
1 out of 1 hunk FAILED -- saving rejects to file src/core/systemd.pc.in.rej

Build Details

Category        Details
Build System    melange
Failure Point   patch step - applying pkgconf-expose-variables-for-system-alloc-uid-gid-min.patch

Root Cause Analysis 🔍

The patch file 'pkgconf-expose-variables-for-system-alloc-uid-gid-min.patch' failed to apply to the systemd source code at line 90 of src/core/systemd.pc.in. This indicates the target file has changed since the patch was created, causing a mismatch in the expected content structure. The patch was trying to add variables for system-alloc-uid-min and system-alloc-gid-min but the target location in the file no longer matches the patch's expectations.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: systemd.yaml

  • removal at line 76-78 (pipeline section)
    Original:
      - uses: patch
        with:
          patches: pkgconf-expose-variables-for-system-alloc-uid-gid-min.patch

Content:

Remove the patch step that is failing to apply since the functionality is now included upstream

Analysis

No similar fixed build failures were provided, so I cannot analyze patterns from past fixes. However, the error indicates that a patch file 'pkgconf-expose-variables-for-system-alloc-uid-gid-min.patch' is failing to apply because the target file src/core/systemd.pc.in has changed since the patch was created. This is a common issue when upgrading to new upstream versions where the target file structure has been modified. Based on the upstream changelog, systemd v259 mentions that "system-alloc-{uid,gid}-min are now exported in systemd.pc", which suggests the functionality the patch was trying to add may now be included upstream.


Explanation

The patch is failing because systemd v259 has upstream changes that conflict with the patch. According to the upstream changelog, "system-alloc-{uid,gid}-min are now exported in systemd.pc", which indicates that the functionality this patch was trying to add has been implemented upstream in version 259. Therefore, the patch is no longer needed and should be removed. This is a common scenario when upgrading packages where custom patches become obsolete due to upstream adoption of the functionality.


Alternative Approaches

  • If the patch content is still needed for some reason, update the patch file to match the new file structure in systemd v259
  • Verify that the upstream implementation provides the same functionality and adjust any dependent packages accordingly
  • If the patch contained additional customizations beyond what upstream provides, create a new patch that only includes the parts not covered upstream


@octo-sts (bot) added the ai/skip-comment (Stop AI from commenting on PR) label Dec 18, 2025
@markusboehme markusboehme self-assigned this Dec 18, 2025
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch 2 times, most recently from 05b525e to 3534080 Compare December 19, 2025 10:26
@octo-sts (bot) added the bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages), approver-bot/manual-review-needed, manual/review-needed, and staging-approver-bot/manual-review-needed labels Dec 19, 2025
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 3534080 to 5fb3ba0 Compare December 19, 2025 13:14
@markusboehme (Member) commented

Fixed s/libacl/libacl1/ in the dependencies. Now there's the test-firewall-util unit test that will fail with:

/* test_v6 */
src/test/test-firewall-util.c:31: Assertion failed: "r = fw_nftables_add_masquerade(nfnl, true, AF_INET6, &u1, 128)" failed with unexpected error: -2/ENOENT

I traced this back to the builder kernel configuring a few required bits as modules (and modules not being present on the builder). At a minimum, those are missing:

nf_nat
nft_chain_nat
nft_fib
nft_fib_ipv4
nft_fib_ipv6
nft_masq
nft_nat

They need to become built-ins for the builder kernel. I'll add them, and potentially a few others (so we don't play whack-a-mole later on again), to the kernel config shortly.

@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 5fb3ba0 to 5bb34b3 Compare December 20, 2025 21:00
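
A way to check a builder for the modules listed in the comment above, as an added example that is not part of the original thread or the project's tooling. It reads the standard `modules.builtin` and `/proc/modules` formats; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Modules the comment above lists as missing on the builder.
REQUIRED="nf_nat nft_chain_nat nft_fib nft_fib_ipv4 nft_fib_ipv6 nft_masq nft_nat"

# Print each required module that is neither built in nor currently loaded.
# Usage: missing_modules MODULES_BUILTIN PROC_MODULES MODULE...
missing_modules() {
    builtin_list=$1; loaded_list=$2; shift 2
    # modules.builtin holds paths such as kernel/net/netfilter/nf_nat.ko;
    # /proc/modules has the module name in its first column.
    # Unreadable files simply contribute no names.
    available=$(cat "$builtin_list" "$loaded_list" 2>/dev/null |
        sed -e 's| .*||' -e 's|.*/||' -e 's|\.ko.*$||' |
        tr -- '-' '_' | sort -u)
    for mod in "$@"; do
        # The kernel treats '-' and '_' in module names as equivalent.
        name=$(printf '%s' "$mod" | tr -- '-' '_')
        printf '%s\n' "$available" | grep -xF -- "$name" >/dev/null ||
            printf '%s\n' "$mod"
    done
}

# Constructed sample: three modules built in, one loaded, nft_fib* absent.
demo_missing() {
    dir=$(mktemp -d)
    cat > "$dir/modules.builtin" <<'EOF'
kernel/net/netfilter/nf_nat.ko
kernel/net/netfilter/nft_nat.ko
kernel/net/netfilter/nft_chain_nat.ko
EOF
    echo 'nft_masq 16384 0 - Live 0x0000000000000000' > "$dir/proc_modules"
    # Word splitting of $REQUIRED is intended here.
    missing_modules "$dir/modules.builtin" "$dir/proc_modules" $REQUIRED
    rm -rf "$dir"
}
demo_missing
# On a real host:
# missing_modules "/lib/modules/$(uname -r)/modules.builtin" /proc/modules $REQUIRED
```

An empty result means every listed module is available without loading anything from disk, which is the condition the test needs on a builder that ships no module files.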
staging-update-bot and others added 2 commits December 20, 2025 22:02
Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 5bb34b3 to 06145d9 Compare December 20, 2025 21:02
systemd v259 uses dlopen at runtime now for some libraries rather than
regular dynamic linking [1]. This means they will be invisible to the
software composition analysis performed by Melange at build time, and
corresponding dependencies will not automatically be added.

Explicitly add the dependencies that went missing to retain the original
feature set of the previous systemd release. A dependency on libcap is
intentionally left out, as the release notes state its functionality is
now directly implemented in systemd.

[1]: https://github.com/systemd/systemd/releases/tag/v259#:~:text=Shared%20library%20dependencies%3A

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 06145d9 to d6951a7 Compare December 20, 2025 21:03
@markusboehme (Member) commented

Tested with the new builder kernel locally. Not yet deployed to Elastic Builds.

The unit test test-firewall-util depends on various netfilter NAT
modules being available. Skip the test for now until a new Elastic
Build kernel has been deployed that brings those modules built-in.

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 9efddef to 7d1e2f5 Compare December 22, 2025 17:32
According to the changelog [1], systemd v259 no longer depends on the
tar binary since it completed a rewrite of the functionality using
libarchive. Add an explicit dependency on libarchive since it, like other
shared objects in v259, is only used via dlopen and escapes SCA.

[1]: https://github.com/systemd/systemd/releases/tag/v259

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme markusboehme force-pushed the staging-update-bot/systemd.yaml branch from 7d1e2f5 to 2a37a34 Compare December 22, 2025 17:32
The unit test test-hostname-setup is trying to set up a new UTS
namespace, which does not work on the Docker Melange runner. Skip it.

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme (Member) commented

Also had to skip the test-hostname-setup unit test, as it doesn't work on the Docker Melange runner that Elastic Build uses for aarch64:

Assertion failed: Expected "unshare(CLONE_NEWUTS)" to succeed, but got errno: 1/EPERM

@markusboehme markusboehme requested a review from a team December 22, 2025 20:15
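
A heuristic check for the gap the commit messages above describe (libraries opened with dlopen are absent from DT_NEEDED, so a link-based dependency scan misses them), added here as an example and not part of the PR or of Melange. The soname regular expression, the function names, and the sample bytes are assumptions made for illustration.

```shell
#!/bin/sh
# Sonames recorded as DT_NEEDED: what a link-based dependency scan sees.
# Requires readelf from binutils.
needed_libs() {
    readelf -d "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p' | sort -u
}

# Soname-shaped strings embedded anywhere in the file. A library opened with
# dlopen() usually leaves its name here but not in DT_NEEDED. This is a
# heuristic: it also matches names that only appear in messages, so treat
# the output as leads to review, not as a dependency list.
embedded_sonames() {
    LC_ALL=C grep -aoE 'lib[A-Za-z0-9_+-]+\.so(\.[0-9]+)*' "$1" | sort -u
}

# Usage: dlopen_candidates BINARY NEEDED_LIST_FILE
# Prints embedded sonames that the DT_NEEDED list does not account for.
dlopen_candidates() {
    embedded_sonames "$1" | { grep -vxF -f "$2" || true; }
}

# Constructed sample: NUL-separated strings standing in for a binary's
# string data, plus a constructed DT_NEEDED list naming only libc.
demo_dlopen() {
    dir=$(mktemp -d)
    printf 'ELF\0libc.so.6\0libarchive.so.13\0libacl.so.1\0' > "$dir/bin"
    printf 'libc.so.6\n' > "$dir/needed"
    dlopen_candidates "$dir/bin" "$dir/needed"
    rm -rf "$dir"
}
demo_dlopen
# On a real binary:
# needed_libs "$BINARY" > needed.txt && dlopen_candidates "$BINARY" needed.txt
```

Each name it prints is a candidate for an explicit runtime dependency in the package definition, to be confirmed against the upstream release notes.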