3 files changed, 86 insertions, 1 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index d4778aa44920..7cb4aa17824e 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -3,6 +3,7 @@ AUX 238-0002-core-do-not-free-heap-allocated-strings-8391.patch 1664 BLAKE2B 6a3
 AUX 238-0003-udev-net-id-Fix-check-for-address-to-keep-interface-8458.patch 1688 BLAKE2B 19faeab810419669a6743ebc6a3051b2f5060f6de793a3f7c9c21fce26d395dcad95f6b8aee58fe133d11e2b02e8847d1df4cde30a5dc237f615a8656f823f30 SHA512 075f7d6f20f33f5e0b07ae993853e969e0d54d0a0683302ab1ab7c4047185397f39aaa894cbe4104e75ae65f8944fb5af47e9f8adb1e66c28b152c6d6e863eff
 AUX 238-initctl.patch 1497 BLAKE2B 7f916414a8bb92e5d8a2b47fc9adf90da73c9fb27bd32eb2a89c5d0b56215bac1ac8c7e9e011268b2f3126fa272c0a118f5e2916f6eca48f60e359a056cf6d92 SHA512 1963c653321fd69a66f75dc441e36d47d7eb15c193066845e43a6f62d436d9a7fefd98c6418cdb08fca823720fa62887c93e67de427e599ee19b1f72301cfe62
 AUX 238-libmount-include.patch 2164 BLAKE2B d9d86e8affb6a6d5cc8cb42b4f1744936b0773318d466a7f76b43a382ffc6aca7d863cbfef7ea8a114615db35d1a6f57b22a2fd451a82b71cfac3383bb019870 SHA512 4f1d82195623a213b6439aec6a2ff17b027f4ed079e6917957635503125a0917d4069c8055b5b9d1be235c47d62235f4c7baa0cfb9184d48f06bac356b69706a
+AUX 238-nspawn-wait.patch 3415 BLAKE2B db43b0128709bba3bd50199645e2e819d0b86eb6839f3bff34b21ce989f5e9301d541265fdb0dbaa76cae00df492581a624e9ca694d4d6d1f2d1cabf5a02612c SHA512 8f1c940da604d72948aa14e735f31ce6b349d274f18836233f15bdec7605e7a52a9ac1016cbd98fdd57d547e31ff882f3244029fba58ac4a408aad41f378a0a0
 AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0
 AUX gentoo-generator-path.patch 1046 BLAKE2B 648d1fff6874135267647ff6ffb52ddd9e991af64fb2b41909246c173e55709c49edd6e47245d566457ba9f55bf6d758ed837ff740f58004f2790b5565f8e462 SHA512 e9999afbf4d2d8a9e828d81dd0b54e2c2ba556e9778a4954dac3da885a15bc6dcc718f7e119c352eb2efd090e410735395ec20ce2eb3c84a481570bc8b5f66b3
 AUX gentoo-systemd-user-pam.patch 443 BLAKE2B fad5c24f35666313efbf1e33640320058022fe17acff869a80104ed87ce0ad7ebaa1498915f8e933985e9c2d66d77172eb21ab480fc4fa857e0e5b985735831a SHA512 0a47368b1b38995a4193492e3add5c716c063366a9bc53dec03b7cb59b524da644033e095344da6e15e01dc84d8f5b335e7510442eeaba26e06918403fed0e5c
@@ -14,6 +15,6 @@ DIST systemd-238-patches-0.tar.gz 30019 BLAKE2B 0f393865cd6bcd815c1a6e932c0e5a25
 DIST systemd-238.tar.gz 6954022 BLAKE2B 9b5cc36a7234c0d037a2656ee1e5ed54186a394b8be41771ebc29c903d3efcecf7f13f004a6d1695c022923bd0d540a243e897852f07e810f73fd3163f688dde SHA512 c0f272b022308d3bd94679184e102a8dc85de55310bda205a458ea33c77c7733e5c8c8e5b15f786ba3e0ce59e7c6a9bf0d5a0950517c6b91e0f345950129b9c8
 EBUILD systemd-236-r5.ebuild 13049 BLAKE2B e06a3d3d52778f00c7ad935ea674e76c19185adff4fcabfb08ad4ab77866256358d17a0c359d8d69d083f5c0a0adfb457d9abcd52bef71c9019c5cd005f51edc SHA512 d17627d55e3006fbcd2c6c91a51482c599788a3d96ba10bd5d4fc369fbb6ab7dbb2daf0f432402f422df21fb8bb1fa9416366853dde90710c51f23505be732c6
 EBUILD systemd-238-r2.ebuild 13272 BLAKE2B 1f24a5fb90f29640fd52b1c37d67180c733a5fea1a66ae855daaee797b9458bbf42db3fe915b10e0fd90ebfcbfe9cb415fec7d6d4c83cc529e284725b3463cc7 SHA512 537f5053ce876c4b57677768e249be492e1f8b238d96230ddca780ca1ca3785aeda5b61a805703f3efffa7c8e08196fb3022334d2efbb407178440cfae96b451
-EBUILD systemd-238-r3.ebuild 13136 BLAKE2B 6b020f91bd932475f372a372fbc1a20975117dd62ee170252b5056b518a2cfa19a7f8182716c64a63c807de82abaaea2bb8a7aba887fd08f207296eaf497f17c SHA512 866e86d1fb97c0f97a7738374633ba8300e287860554d08702f578a7f516505672f638fdd929757425350a2579670d103ab0ec64f2c3246abde25d1c2e6c468b
+EBUILD systemd-238-r4.ebuild 13174 BLAKE2B 712d300426c0463939f6684a0458aad3abbbbc473fbf830c1ecc2b8d75163cb25b1b97a712c39d4b4fa635863f0fb646a4993e164d8cd9f02abe56a55f6bef90 SHA512 a5894928bc22d1a420d56345dac8f8baaff11b3c308245f90585f6596ef6cc93ba64139c8ab94d6613ca7923bedf85a8bf44638302236fe46b45b14bc40645dc
 EBUILD systemd-9999.ebuild 13186 BLAKE2B 8de75e0c231da02f48ac6a886abc6014ede50b1761ad65e6fcdd3ade2f2cb38bef73bfd4b49f1e35f9b651057b18be886e39ce7d9c09ddbcaea52b7456ff84a4 SHA512 7d2d65b6c37479ebf5997540a35b39125fbb2a050021090c588acd1a38a3b1b09822c59887883b2cdffd518c5a3d4f980193fad23ac5baa6beb736317ea2fbda
 MISC metadata.xml 2036 BLAKE2B c2f3d74c0cdcf1a5d850c31d43085ab441523e025369c9ad07d9e518d01c7c585c2019c4365892dd6b395c1b4eebc3c7f31c8948c13cab78acf6a2f9528f614c SHA512 72d9f1db3a9cf681a7971d9ded4d73b8b56bf7c467e453f7599293bf3761c66daa7e80716b5c70adcd18a181521f6710267b92df78e8e9a3430a340f8d33fd47
diff --git a/sys-apps/systemd/files/238-nspawn-wait.patch b/sys-apps/systemd/files/238-nspawn-wait.patch
new file mode 100644
index 000000000000..a740e8933453
--- /dev/null
+++ b/sys-apps/systemd/files/238-nspawn-wait.patch
@@ -0,0 +1,83 @@
+From 7511655807e90aa33ea7b71991401a79ec36bb41 Mon Sep 17 00:00:00 2001
+From: Philip Sequeira <phsequei@gmail.com>
+Date: Thu, 5 Apr 2018 14:04:27 +0000
+Subject: [PATCH] nspawn: wait for network namespace creation before interface
+ setup (#8633)
+
+Otherwise, network interfaces can be "moved" into the container's
+namespace while it's still the same as the host namespace, in which case
+e.g. host0 for a veth ends up on the host side instead of inside the
+container.
+
+Regression introduced in 0441378080489e4ab6704cd0a2d78cb1ceaca899.
+
+Fixes #8599.
+---
+ src/nspawn/nspawn.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 810f1247ea2..a5bc50c1f4c 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -2329,6 +2329,9 @@ static int inner_child(
+                 r = unshare(CLONE_NEWNET);
+                 if (r < 0)
+                         return log_error_errno(errno, "Failed to unshare network namespace: %m");
++
++                /* Tell the parent that it can setup network interfaces. */
++                (void) barrier_place(barrier); /* #3 */
+         }
+ 
+         r = mount_sysfs(NULL, arg_mount_settings);
+@@ -2337,7 +2340,7 @@ static int inner_child(
+ 
+         /* Wait until we are cgroup-ified, so that we
+          * can mount the right cgroup path writable */
+-        if (!barrier_place_and_sync(barrier)) { /* #3 */
++        if (!barrier_place_and_sync(barrier)) { /* #4 */
+                 log_error("Parent died too early");
+                 return -ESRCH;
+         }
+@@ -2448,7 +2451,7 @@ static int inner_child(
+         /* Let the parent know that we are ready and
+          * wait until the parent is ready with the
+          * setup, too... */
+-        if (!barrier_place_and_sync(barrier)) { /* #4 */
++        if (!barrier_place_and_sync(barrier)) { /* #5 */
+                 log_error("Parent died too early");
+                 return -ESRCH;
+         }
+@@ -3533,6 +3536,14 @@ static int run(int master,
+ 
+         if (arg_private_network) {
+ 
++                if (!arg_network_namespace_path) {
++                        /* Wait until the child has unshared its network namespace. */
++                        if (!barrier_place_and_sync(&barrier)) { /* #3 */
++                                log_error("Child died too early");
++                                return -ESRCH;
++                        }
++                }
++
+                 r = move_network_interfaces(*pid, arg_network_interfaces);
+                 if (r < 0)
+                         return r;
+@@ -3656,7 +3667,7 @@ static int run(int master,
+          * its setup (including cgroup-ification), and that
+          * the child can now hand over control to the code to
+          * run inside the container. */
+-        (void) barrier_place(&barrier); /* #3 */
++        (void) barrier_place(&barrier); /* #4 */
+ 
+         /* Block SIGCHLD here, before notifying child.
+          * process_pty() will handle it with the other signals. */
+@@ -3684,7 +3695,7 @@ static int run(int master,
+                 return r;
+ 
+         /* Let the child know that we are ready and wait that the child is completely ready now. */
+-        if (!barrier_place_and_sync(&barrier)) { /* #4 */
++        if (!barrier_place_and_sync(&barrier)) { /* #5 */
+                 log_error("Child died too early.");
+                 return -ESRCH;
+         }
diff --git a/sys-apps/systemd/systemd-238-r3.ebuild b/sys-apps/systemd/systemd-238-r4.ebuild
index b68ed0bf92ab..0aca5fbb3029 100644
--- a/sys-apps/systemd/systemd-238-r3.ebuild
+++ b/sys-apps/systemd/systemd-238-r4.ebuild
@@ -155,6 +155,7 @@ src_prepare() {
 	PATCHES+=(
 		"${FILESDIR}/238-libmount-include.patch"
 		"${FILESDIR}/238-initctl.patch"
+		"${FILESDIR}/238-nspawn-wait.patch"
 	)
 
 	if ! use vanilla; then