Use systemd-confext instead of custom /etc overlay mount

This pulls in ...

Signed-off-by: Kai Lueke <kailuke@microsoft.com>

Author: pothos

build_library/build_image_util.sh

@@ -737,8 +737,30 @@ EOF
   if [[ $(sudo find "${root_fs_dir}/usr/share/flatcar/etc" -size +0 ! -type d 2>/dev/null | wc -l) -gt 0 ]]; then
     die "Unexpected non-empty files in ${root_fs_dir}/usr/share/flatcar/etc"
   fi
+  # Some backwards-compat symlinks still use this folder as target,
+  # we can't remove it yet
   sudo rm -rf "${root_fs_dir}/usr/share/flatcar/etc"
   sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/share/flatcar/etc"
+  # Now set up a default confext and enable it.
+  # It's important to use dm-verity not only for stricter image policies
+  # but also because it allows us the refresh to identify this image and
+  # skip setting it up again in the final boot, which not only saves us
+  # a daemon-reload during boot but also from /etc contents shortly
+  # disappearing until systemd-sysext uses mount beneath for an atomic
+  # remount. Instead of a temporary directory we first prepare it as
+  # folder and then convert it to a DDI and remove the folder.
+  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
+  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
+  sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc"
+  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/"
+  echo ID=_any | sudo tee "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/extension-release.00-flatcar-default" > /dev/null
+  sudo systemd-repart \
+    --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
+    --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
+    --make-ddi=confext \
+    --copy-source="${root_fs_dir}/usr/lib/confexts/00-flatcar-default" \
+    "${root_fs_dir}/usr/lib/confexts/00-flatcar-default.raw"
+  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
 
   # Remove the rootfs state as it should be recreated through the
   # tmpfiles and may not be present on updating machines. This

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -8,7 +8,8 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	EGIT_COMMIT="8bd8a82fb22bc46ea2cf7da94d58655e102ca26d" # flatcar-master
+	#EGIT_COMMIT="8bd8a82fb22bc46ea2cf7da94d58655e102ca26d" # flatcar-master
+	EGIT_BRANCH="kai/default-confext"
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd

@@ -160,19 +160,6 @@ EOF
         -e '/^C!* \/etc\/pam\.d/d' \
         -e '/^C!* \/etc\/issue/d' || die
 
-    (
-        # Some OEMs prefer chronyd, so allow them to replace
-        # systemd-timesyncd with it.
-        insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
-        newins - flatcar.conf <<'EOF'
-# Allow sysexts to ship timesyncd replacements which can have
-# a Conflicts=systemd-timesyncd directive that would result
-# in systemd-timesyncd not being started.
-[Unit]
-After=ensure-sysext.service
-EOF
-    )
-
     (
         # Allow @mount syscalls for systemd-udevd.service
         insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch

@@ -0,0 +1,33 @@
+From 6f4b065b626edd8a06ff0c8028173e060b5e444b Mon Sep 17 00:00:00 2001
+From: Kai Lueke <kailuke@microsoft.com>
+Date: Thu, 20 Nov 2025 23:43:55 +0900
+Subject: [PATCH 03/10] vpick: Don't use openat directly but resolve symlinks
+ in given root
+
+With systemd-sysext --root= all symlinks should be followed relative to
+the given root and direct openat usage doesn't work.
+Change the openat call to use the chase helper function to resolve the
+symlink in the given root.
+---
+ src/shared/vpick.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/vpick.c b/src/shared/vpick.c
+index b1b2d93054..dfe58cafa5 100644
+--- a/src/shared/vpick.c
++++ b/src/shared/vpick.c
+@@ -471,9 +471,9 @@ static int make_choice(
+         if (!p)
+                 return log_oom_debug();
+ 
+-        object_fd = openat(dir_fd, best_filename, O_CLOEXEC|O_PATH);
++        object_fd = chase_and_openat(toplevel_fd, p, CHASE_AT_RESOLVE_IN_ROOT, O_PATH|O_CLOEXEC, NULL);
+         if (object_fd < 0)
+-                return log_debug_errno(errno, "Failed to open '%s/%s': %m",
++                return log_debug_errno(object_fd, "Failed to open '%s/%s': %m",
+                                        empty_to_root(toplevel_path), skip_leading_slash(inode_path));
+ 
+         return pin_choice(
+-- 
+2.52.0
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-discover-image-Follow-symlinks-in-a-given-root.patch

@@ -0,0 +1,57 @@
+From 5480f56002399069f74f30ce3ef620ec44ecf527 Mon Sep 17 00:00:00 2001
+From: Kai Lueke <kailuke@microsoft.com>
+Date: Thu, 20 Nov 2025 23:43:55 +0900
+Subject: [PATCH 3/7] sysext: Use correct image name for extension release
+ checks
+
+For the extension release check the image name is needed and was derived
+from the backing file of the loop device. However, this can have a
+different name when symlinks were resolved. The surprising behavior was
+that it worked when the target name started with the extension name and
+_ because that's what's supported to chop off version suffixes. However,
+we should not have such strict requirements for the target name and also
+allow - as version separator and entirely different names/prefixes, the
+same way as we also do for directories instead of raw images.
+
+Do not use the image name derived from the backing file of the loop
+device but directly the extension name we have at hand.
+---
+ src/shared/discover-image.c | 5 +++++
+ src/sysext/sysext.c         | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
+index 91f4407b0e..480ffd221c 100644
+--- a/src/shared/discover-image.c
++++ b/src/shared/discover-image.c
+@@ -1822,6 +1822,11 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
+                 if (r < 0)
+                         return r;
+ 
++                /* Do not use the image name derived from the backing file of the loop device */
++                r = free_and_strdup(&m->image_name, i->name);
++                if (r < 0)
++                        return r;
++
+                 r = dissected_image_acquire_metadata(
+                                 m,
+                                 /* userns_fd= */ -EBADF,
+diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
+index 5d432b42da..72da02cd89 100644
+--- a/src/sysext/sysext.c
++++ b/src/sysext/sysext.c
+@@ -1819,6 +1819,11 @@ static int merge_subprocess(
+                         if (r < 0)
+                                 return r;
+ 
++                        /* Do not use the image name derived from the backing file of the loop device */
++                        r = free_and_strdup(&m->image_name, img->name);
++                        if (r < 0)
++                                return r;
++
+                         r = dissected_image_load_verity_sig_partition(
+                                         m,
+                                         d->fd,
+-- 
+2.51.1
+