flatcar · github-actions · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
@@ -553,6 +553,7 @@ net-libs/libpsl
 net-libs/libslirp
 net-libs/libtirpc
 net-libs/nghttp2
+net-libs/ngtcp2
 net-libs/rpcsvc-proto
 
 net-misc/bridge-utils

@@ -0,0 +1,3 @@
+- go ([CVE-2025-61726](https://www.cve.org/CVERecord?id=CVE-2025-61726), [CVE-2025-61728](https://www.cve.org/CVERecord?id=CVE-2025-61728), [CVE-2025-61730](https://www.cve.org/CVERecord?id=CVE-2025-61730), [CVE-2025-61731](https://www.cve.org/CVERecord?id=CVE-2025-61731), [CVE-2025-68119](https://www.cve.org/CVERecord?id=CVE-2025-68119), [CVE-2025-68121](https://www.cve.org/CVERecord?id=CVE-2025-68121), [CVE-2025-61732](https://www.cve.org/CVERecord?id=CVE-2025-61732), [CVE-2026-25679](https://www.cve.org/CVERecord?id=CVE-2026-25679), [CVE-2026-27139](https://www.cve.org/CVERecord?id=CVE-2026-27139), [CVE-2026-27142](https://www.cve.org/CVERecord?id=CVE-2026-27142))
+- expat ([CVE-2026-32776](https://www.cve.org/CVERecord?id=CVE-2026-32776), [CVE-2026-32777](https://www.cve.org/CVERecord?id=CVE-2026-32777), [CVE-2026-32778](https://www.cve.org/CVERecord?id=CVE-2026-32778))
+- systemd ([CVE-2026-40223](https://www.cve.org/CVERecord?id=CVE-2026-40223), [CVE-2026-40226](https://www.cve.org/CVERecord?id=CVE-2026-40226))
@@ -0,0 +1,18 @@
+- SDK: go ([1.25.8](https://go.dev/doc/devel/release#go1.25.8) (includes [1.25.7](https://go.dev/doc/devel/release#go1.25.7), [1.25.6](https://go.dev/doc/devel/release#go1.25.6)))
+- base, dev: cryptsetup ([2.8.4](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.4/docs/v2.8.4-ReleaseNotes))
+- base, dev: expat ([2.7.5](https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes))
+- base, dev: less ([692](https://greenwoodsoftware.com/less/news.692.html) (includes [691](https://greenwoodsoftware.com/less/news.691.html)))
+- base, dev: lvm2 ([2.03.37](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_37) (includes [2.03.36](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_36), [2.03.35](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_35), [2.03.34](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_34), [2.03.33](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_33), [2.03.32](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_32), [2.03.31](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_31), [2.03.30](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_30), [2.03.29](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_29), [2.03.28](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_28), [2.03.27](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_27), [2.03.26](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_26), [2.03.25](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_25), [2.03.24](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_24), [2.03.23](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_23), [2.03.22](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_22)))
+- base, dev: mdadm ([4.5](https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=mdadm-4.5))
+- base, dev: multipath-tools ([0.14.3](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.3/NEWS.md) (includes [0.14.2](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.2/NEWS.md), [0.14.1](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.1/NEWS.md), [0.14.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.0/NEWS.md), [0.13.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.13.0/NEWS.md), [0.12.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.12.0/NEWS.md), [0.11.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.11.0/NEWS.md), [0.10.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.10.0/NEWS.md), [0.9.9](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.9.9/NEWS.md)))
+- base, dev: nfs-utils ([2.8.5](https://lwn.net/Articles/1056938/) (includes [2.8.4](https://lwn.net/Articles/1037951/), [2.8.3](https://lwn.net/Articles/1015990/), [2.8.2](https://lwn.net/Articles/1001669/), [2.8.1](https://lwn.net/Articles/994839/))
+- base, dev: samba ([4.23.6](https://www.samba.org/samba/history/samba-4.23.6.html) (includes [4.23.5](https://www.samba.org/samba/history/samba-4.23.5.html), [4.23.4](https://www.samba.org/samba/history/samba-4.23.4.html), [4.23.3](https://www.samba.org/samba/history/samba-4.23.3.html), [4.23.2](https://www.samba.org/samba/history/samba-4.23.2.html), [4.23.1](https://www.samba.org/samba/history/samba-4.23.1.html), [4.23.0](https://www.samba.org/samba/history/samba-4.23.0.html)))
+- base, dev: shadow ([4.19.3](https://github.com/shadow-maint/shadow/releases/tag/4.19.3) (includes [4.19.2](https://github.com/shadow-maint/shadow/releases/tag/4.19.2), [4.19.1](https://github.com/shadow-maint/shadow/releases/tag/4.19.1), [4.19.0](https://github.com/shadow-maint/shadow/releases/tag/4.19.0), [4.18.0](https://github.com/shadow-maint/shadow/releases/tag/4.18.0), [4.17.0](https://github.com/shadow-maint/shadow/releases/tag/4.17.0), [4.16.0](https://github.com/shadow-maint/shadow/releases/tag/4.16.0), [4.15.0](https://github.com/shadow-maint/shadow/releases/tag/4.15.0)))
+- base, dev: socat ([1.8.1.1](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.8.1.1:/CHANGES))
+- base, dev: strace ([6.19](https://github.com/strace/strace/releases/tag/v6.19))
+- base, dev: systemd ([259.4](https://raw.githubusercontent.com/systemd/systemd/refs/tags/v259.4/NEWS))
+- base, dev: tdb ([1.4.14](https://gitlab.com/samba-team/samba/-/commit/823ed52d5c561d8598da251154571402a307b367))
+- base, dev: tevent ([0.17.1](https://gitlab.com/samba-team/samba/-/commit/ebf4c4773733d2aae14c96f70681211ae40c1c18) (includes [0.17.0](https://gitlab.com/samba-team/samba/-/commit/2401f844c8beb7e856b79fb57f8e4c079b3fb0f0)))
+- base, dev: userspace-rcu ([0.15.6](https://lwn.net/Articles/1055984/))
+- dev: man-pages ([6.16](https://lwn.net/Articles/1044066/) (includes [6.15](https://sourceware.org/pipermail/libc-alpha/2025-July/168842.html), [6.14](https://lkml.org/lkml/2025/5/9/32), [6.13](https://lkml.org/lkml/2025/3/7/1714), [6.12](https://lkml.org/lkml/2025/2/24/432), [6.11](https://lwn.net/Articles/1009902/)))
+- sysext-zfs: zfs ([2.3.6](https://github.com/openzfs/zfs/releases/tag/zfs-2.3.6) (includes [2.3.5](https://github.com/openzfs/zfs/releases/tag/zfs-2.3.5)))
@@ -1,31 +1,27 @@
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-COREOS_GO_PACKAGE="${GITHUB_URI}"
+inherit go-env go-module sysroot systemd
 
-inherit coreos-go-depend golang-vcs-snapshot systemd
-
-EGO_PN="github.com/aws/${PN}"
 DESCRIPTION="AWS Systems Manager Agent"
 HOMEPAGE="https://github.com/aws/amazon-ssm-agent"
+SRC_URI="https://github.com/aws/amazon-ssm-agent/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
 LICENSE="Apache-2.0"
-SRC_URI="https://${EGO_PN}/archive/${PV}.tar.gz -> ${P}.tar.gz ${EGO_VENDOR_URI}"
 SLOT="0"
 KEYWORDS="amd64 arm64"
 
-S="${WORKDIR}/${PN}-${PV}/src/${EGO_PN}"
-
 src_prepare() {
 	default
-	ln -s ${PWD}/vendor/src/* ${PWD}/vendor/
+	# Drop clearing of GOARCH and GOOS - it causes go run to
+	# create a binary for CBUILD, but then go run also invokes the
+	# binary using qemu-CHOST, because we use -exec flag when
+	# cross-compiling
+	sed -i -e 's/GOARCH= GOOS= go run/go run/' makefile || die
 }
 
 src_compile() {
-	go_export
-
-	# set agent release version
-	BRAZIL_PACKAGE_VERSION=${PV} ${EGO} run ./agent/version/versiongenerator/version-gen.go
 	# build all the tools
 	if [[ "${ARCH}" == "arm64" ]]; then
 		emake build-arm64

@@ -1,7 +1,4 @@
 flatcar_systemd_meson_args_array=(
-    # Point to our user mailing list.
-    -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user'
-
     # Use our ntp servers.
     -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
 

@@ -2,12 +2,12 @@ cros_post_src_install_add_dropin() {
 	mkdir -p "${D}$(systemd_get_systemunitdir)/multipathd.service.d"
 	cat <<EOF >"${D}$(systemd_get_systemunitdir)/multipathd.service.d/flatcar.conf"
 [Service]
-# Multipathd sets itself to sched_rr with highest priority.
-# Cgroups2 doesn't support realtime processes outside the root cgroup,
+# Set LimitRTPRIO to zero to tell multipathd to not even attempt
+# enabling the real-time scheduling. We do this, because cgroups2
+# doesn't support real-time processes outside the root cgroup -
 # if any such process exists then cpu controller can't be enabled.
-# This poses a bit of a dilemma.
-# Block realtime control for the process, but give it highest non-rt priority.
-RestrictRealtime=yes
-Nice=-20
+# Upstream unit already sets CPUWeight to 1000 to have a sufficient
+# priority in case of normal scheduling.
+LimitRTPRIO=0
 EOF
 }
@@ -0,0 +1,42 @@
+From ab81f8e0860e2c47283415afd1713188b22127ea Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Mon, 13 Apr 2026 11:20:12 +0100
+Subject: [PATCH] Makefile: Don't explicitly pass GOFLAGS to go commands
+
+go automatically checks GOFLAGS and filters unknown flags for you, e.g.
+it will drop the go run -exec flag when doing go build. Explicitly
+passing GOFLAGS breaks this filtering.
+
+Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
+---
+ Makefile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 3576643c03..cf7eb37d0e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -100,7 +100,6 @@ critest: ## Build the critest binary.
+ $(CRITEST):
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_TEST) -c -o $@ \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 	     $(PROJECT)/cmd/critest
+
+ .PHONY: crictl
+@@ -110,7 +109,6 @@ crictl: ## Build the crictl binary.
+ $(CRICTL):
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_BUILD) -o $@ \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 		$(PROJECT)/cmd/crictl
+
+ .PHONY: clean
+@@ -200,7 +198,6 @@ test-crictl: $(GINKGO) ## Run the crictl test suite.
+ 	# Run go test for templates_test.go and util_test.go
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_TEST) \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 		$(PROJECT)/cmd/crictl
+ 	$(GINKGO) $(TESTFLAGS) \
+ 		-r -p \
@@ -0,0 +1,4 @@
+`0000-Do-not-explicitly-pass-GOFLAGS.patch` patch is taken from
+https://github.com/kubernetes-sigs/cri-tools/pull/2048/. Not currently
+merged, so it needs to be checked if updating to cri-tools >1.35.0
+(current release at the time of writing this message).
@@ -1,7 +1,7 @@
-From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001
+From 3e713e019ab2e13e0d48bf30bab0ddaf3573458d Mon Sep 17 00:00:00 2001
 From: David Michael <dm0@redhat.com>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 01/20] wait-online: set --any by default
+Subject: [PATCH 01/14] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are

@@ -1,7 +1,7 @@
-From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001
+From d34fa493e6d69b97633e329d55413a549da8239d Mon Sep 17 00:00:00 2001
 From: Alex Crawford <alex.crawford@coreos.com>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 02/20] needs-update: don't require strictly newer usr
+Subject: [PATCH 02/14] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -23,7 +23,7 @@ index d9d78262a1..761bbdecca 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index b09eff1bfb..3a170b1820 100644
+index 15e3ee9840..381378e77a 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
 @@ -817,7 +817,7 @@ static int condition_test_needs_update(Condition *c, char **env) {

@@ -1,7 +1,7 @@
-From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001
+From 2cc519ebec4f01f76bcdcde61259ba23a810ea30 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 03/20] core: use max for DefaultTasksMax
+Subject: [PATCH 03/14] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,7 +21,7 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index cf5a3612f6..a0f9f8ba57 100644
+index b7fe53dc9c..175fe67139 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
 @@ -227,7 +227,7 @@
@@ -34,10 +34,10 @@ index cf5a3612f6..a0f9f8ba57 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 20a535f2f4..be1c352045 100644
+index a5a51023c5..ef0ce9e31d 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -112,7 +112,7 @@
+@@ -113,7 +113,7 @@
  /* How many units and jobs to process of the bus queue before returning to the event loop. */
  #define MANAGER_BUS_MESSAGE_BUDGET 100U
 

@@ -1,7 +1,7 @@
-From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001
+From a8c18ecc95e15af2d669649115826430698dcc5d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks
+Subject: [PATCH 04/14] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 8ccc31630d..34e9cebee8 100644
+index 7457b3d456..82afe343dd 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -22,8 +22,8 @@ index 8ccc31630d..34e9cebee8 100644
 -#if HAVE_SELINUX
 +#if 0
 
- #include <selinux/avc.h>
- #include <selinux/selinux.h>
+ #include <unistd.h>
+
 -- 
 2.52.0
 
@@ -1,7 +1,7 @@
-From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001
+From 33a603bb00fce6e4c3b4faf80157e8532932fb00 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <schowdhury@microsoft.com>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 05/14] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -17,17 +17,17 @@ Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
  4 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/units/console-getty.service.in b/units/console-getty.service.in
-index 967d8337ab..1f2d8b910f 100644
+index 278048724f..5731e68d8f 100644
 --- a/units/console-getty.service.in
 +++ b/units/console-getty.service.in
 @@ -20,12 +20,12 @@ Before=getty.target
  ConditionPathExists=/dev/console
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
  Type=idle
  Restart=always
  UtmpIdentifier=cons
@@ -37,17 +37,17 @@ index 967d8337ab..1f2d8b910f 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
-index e0b27613df..5f27653d1f 100644
+index 18e5a98a7f..568fcd1e53 100644
 --- a/units/container-getty@.service.in
 +++ b/units/container-getty@.service.in
 @@ -25,13 +25,13 @@ Conflicts=rescue.service
  Before=rescue.service
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear pts/%I ${TERM}
  Type=idle
  Restart=always
  RestartSec=0
@@ -58,17 +58,17 @@ index e0b27613df..5f27653d1f 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/getty@.service.in b/units/getty@.service.in
-index 104c4acc96..1819627d1c 100644
+index 15f1a572fd..a3285d956e 100644
 --- a/units/getty@.service.in
 +++ b/units/getty@.service.in
 @@ -34,13 +34,13 @@ Before=rescue.service
  ConditionPathExists=/dev/tty0
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear %I ${TERM}
  Type=idle
  Restart=always
  RestartSec=0
@@ -79,17 +79,17 @@ index 104c4acc96..1819627d1c 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
-index 0134c83d48..ba4cbc0edb 100644
+index 8b5a63d681..29ab8a0533 100644
 --- a/units/serial-getty@.service.in
 +++ b/units/serial-getty@.service.in
 @@ -30,12 +30,12 @@ Conflicts=rescue.service
  Before=rescue.service
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
  Type=idle
  Restart=always
  UtmpIdentifier=%I

@@ -1,7 +1,7 @@
-From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001
+From 6c83b73ac087aaa1f08551c064cbac119ad92490 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:29:04 +0000
-Subject: [PATCH 06/20] units: Keep using old journal file format
+Subject: [PATCH 06/14] units: Keep using old journal file format
 
 Systemd 252 made an incompatible change in journal file format. Temporarily
 force journald to use the old journal format to give logging containers more

@@ -1,7 +1,7 @@
-From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001
+From 9d6db023c34d96b582e763da77c464629266f8e8 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Wed, 22 Oct 2025 10:39:42 +0200
-Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s
+Subject: [PATCH 07/14] tmpfiles.d: Fix DNS issues with default k8s
  configuration
 
 The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy