From 28783b1e692cabb36c3159d26b0a15b7b9fab32f Mon Sep 17 00:00:00 2001 
From: Dongsu Park Date: Fri, 6 Nov 2020 13:51:53 +0100 Subject: [PATCH 01/10] net-fs/samba: update to 4.11.13, sync with Gentoo Update net-fs/samba to 4.11.13-r1, by syncing with upstream Gentoo. It is mainly to resolve CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, and CVE-2019-10218. See also https://security.gentoo.org/glsa/202003-52 and https://security.gentoo.org/glsa/202007-15 . --- .../coreos-overlay/net-fs/samba/Manifest | 2 +- .../net-fs/samba/files/4.4/samba4.confd | 23 +- .../net-fs/samba/files/4.4/samba4.initd-r1 | 4 +- .../samba/files/4.4/system-auth-winbind.pam | 18 + .../net-fs/samba/files/nmbd.service | 12 - ...ba-4.13-vfs_snapper_configure_option.patch | 56 +++ .../files/samba-4.13-winexe_option.patch | 67 ++++ .../files/samba-4.5.1-compile_et_fix.patch | 16 - .../samba/files/samba-4.9.2-timespec.patch | 21 ++ .../samba/files/samba-glibc-2.26-no_rpc.patch | 14 - .../net-fs/samba/files/samba.conf | 1 + .../net-fs/samba/files/samba.service | 10 - .../net-fs/samba/files/smbd.service | 12 - .../net-fs/samba/files/smbd.socket | 9 - .../net-fs/samba/files/smbd_at.service | 7 - .../net-fs/samba/files/winbindd.service | 12 - .../coreos-overlay/net-fs/samba/metadata.xml | 4 +- .../net-fs/samba/samba-4.11.13-r1.ebuild | 321 ++++++++++++++++++ .../net-fs/samba/samba-4.8.6.ebuild | 300 ---------------- 19 files changed, 505 insertions(+), 404 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch create mode 100644 
sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
index 7c9274a764..a467083b2b 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@@ -1 +1 @@
-DIST samba-4.8.6.tar.gz 17723841 BLAKE2B 38da52e14b4417f26462eef2226c4498e54d2c276b4056e8c6d6c66079f33bcda24c1eab30b29bc7413280ec89a74a55e043e8274ac50f9a25bae7563717ff34 SHA512 f6afab5ca466bd8653a56c205b71ce94ecf0ad0c6e4c9d64cbba7b1e56f1987bc2022e6b629d87eb6078e3f6ba53833c19cfb41e40b6d589e4317ea9d85de273
+DIST samba-4.11.13.tar.gz 18598813 BLAKE2B 5671498058e61c1afbdb0976b6931dc4e13087792612d4fdc3073e8e40a60be82f578836e3baa48f111a600da5c6e0e08aa7ba638fbc1285bbb57644ae7e8b1d SHA512 396ab636db6f9583b772935d58a3cf1860109bb9e1ef841a38c08d7be9f3839d6e198d5cdc80ef0803fcbfa6c06f1173585f3b582937e8834857fc47d90f7181
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd index 58b2c7827b..629a605021 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd @@ -6,6 +6,8 @@ # accordingly. daemon_list="smbd nmbd" +piddir="/run/samba" + #---------------------------------------------------------------------------- # Daemons calls: _ #---------------------------------------------------------------------------- 
@@ -17,22 +19,27 @@ my_service_POST="" # Daemons calls: _ #---------------------------------------------------------------------------- smbd_start_options="-D" -smbd_start="start-stop-daemon --start --exec /usr/sbin/smbd -- ${smbd_start_options}" -smbd_stop="start-stop-daemon --stop --exec /usr/sbin/smbd" +smbd_command="/usr/sbin/smbd" +smbd_start="start-stop-daemon --start --exec ${smbd_command} -- ${smbd_start_options}" +smbd_stop="start-stop-daemon --stop --exec ${smbd_command}" smbd_reload="killall -HUP smbd" nmbd_start_options="-D" -nmbd_start="start-stop-daemon --start --exec /usr/sbin/nmbd -- ${nmbd_start_options}" -nmbd_stop="start-stop-daemon --stop --exec /usr/sbin/nmbd" +nmbd_command="/usr/sbin/nmbd" +nmbd_start="start-stop-daemon --start --exec ${nmbd_command} -- ${nmbd_start_options}" +nmbd_stop="start-stop-daemon --stop --exec ${nmbd_command}" nmbd_reload="killall -HUP nmbd" samba4_start_options="" -samba4_start="start-stop-daemon --start --exec /usr/sbin/samba -- ${samba4_start_options}" -samba4_stop="start-stop-daemon --stop --exec /usr/sbin/samba" +samba4_command="/usr/sbin/samba" +samba4_pidfile="${piddir}/samba.pid" +samba4_start="start-stop-daemon --start --exec ${samba4_command} --pidfile ${samba4_pidfile} -- ${samba4_start_options}" +samba4_stop="start-stop-daemon --stop --exec ${samba4_command} --pidfile ${samba4_pidfile}" samba4_reload="killall -HUP samba" winbind_start_options="" -winbind_start="start-stop-daemon --start --exec /usr/sbin/winbindd -- ${winbind_start_options}" -winbind_stop="start-stop-daemon --stop --exec /usr/sbin/winbindd" +winbind_command="/usr/sbin/winbindd" +winbind_start="start-stop-daemon --start --exec ${winbind_command} -- ${winbind_start_options}" +winbind_stop="start-stop-daemon --stop --exec ${winbind_command}" winbind_reload="killall -HUP winbindd" 
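Review bot: Only the samba4 entries in this samba4.confd hunk gain a `--pidfile`; `smbd_stop`, `nmbd_stop` and `winbind_stop` still match on `--exec` alone, and the `*_reload` lines signal by process name with `killall -HUP`, which reaches every process of that name rather than the managed daemon. The unit files removed later in this commit show these daemons write `smbd.pid`, `nmbd.pid` and `winbindd.pid` under the pid directory, so the same pattern could be applied, e.g. `smbd_pidfile="${piddir}/smbd.pid"` plus `--pidfile ${smbd_pidfile}` on the smbd start and stop lines. This may simply mirror the upstream Gentoo conf.d, in which case a one-line comment saying so would save the next reader the question.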
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1 b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1 index 52a9b68bba..05bd1fcfd6 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1 +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1 @@ -1,9 +1,9 @@ #!/sbin/openrc-run -# Copyright 1999-2016 Gentoo Foundation +# Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License, v2 or later extra_started_commands="reload" -piddir="/run/samba" +[ -z "${piddir}" ] && piddir="/run/samba" depend() { after slapd diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam new file mode 100644 index 0000000000..8d6746b7ae --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam @@ -0,0 +1,18 @@ +#%PAM-1.0 +# $Id$ + +auth required pam_env.so +auth sufficient pam_winbind.so +auth sufficient pam_unix.so likeauth nullok use_first_pass +auth required pam_deny.so + +account sufficient pam_winbind.so +account required pam_unix.so + +password required pam_cracklib.so retry=3 +password sufficient pam_unix.so nullok use_authtok md5 shadow +password required pam_deny.so + +session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 +session required pam_limits.so +session required pam_unix.so diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service deleted file mode 100644 index 44b4ffba1f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service +++ /dev/null 
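Review bot: Both pam_unix.so lines in the new files/4.4/system-auth-winbind.pam carry `nullok`, so a local account with an empty password field passes the `auth` step and can keep an empty password through the `password` step, and the `password` line also selects legacy `md5` hashing. Unless this file must stay byte-identical to its Gentoo source, the lines should read `auth sufficient pam_unix.so likeauth use_first_pass` and `password sufficient pam_unix.so use_authtok sha512 shadow`. The new ebuild installs this stack only under `use pam && use winbind`, so hosts without winbind are unaffected, and `pam_cracklib.so` is a legacy module that may not be present on this image — worth confirming before the file is shipped.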
@@ -1,12 +0,0 @@ -[Unit] -Description=Samba NetBIOS name server -After=network.target - -[Service] -Type=forking -PIDFile=/var/run/samba/nmbd.pid -ExecStart=/usr/sbin/nmbd -D -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch new file mode 100644 index 0000000000..b472119956 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch 
@@ -0,0 +1,56 @@ +From 7ae03a19b3ca895ba5f97a6bd4f9539d8daa6e0a Mon Sep 17 00:00:00 2001 +From: Matt Taylor +Date: Mon, 11 May 2020 15:26:41 -0400 +Subject: [PATCH] build: add configure option to control vfs_snapper build + +vfs_snapper is currently built if dbus development headers / libraries +are detected during configure. This commit adds new --disable-snapper +and --enable-snapper (default) configure parameters. When enabled, +configure will fail if the dbus development headers / libraries are +missing. + +Signed-off-by: Matt Taylor +Reviewed-by: David Disseldorp +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Mon May 25 01:16:46 UTC 2020 on sn-devel-184 +--- + source3/wscript | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/source3/wscript b/source3/wscript +index 07991806c63..24ade3b0a2b 100644 +--- a/source3/wscript ++++ b/source3/wscript +@@ -74,6 +74,7 @@ def options(opt): + + opt.samba_add_onoff_option('glusterfs', with_name="enable", without_name="disable", default=True) + opt.samba_add_onoff_option('cephfs', with_name="enable", without_name="disable", default=True) ++ opt.samba_add_onoff_option('snapper', with_name="enable", without_name="disable", default=True) + + opt.add_option('--enable-vxfs', + help=("enable support for VxFS (default=no)"), +@@ -1752,11 +1753,16 @@ main() { + if Options.options.enable_vxfs: + conf.DEFINE('HAVE_VXFS', '1') + +- if conf.CHECK_CFG(package='dbus-1', args='--cflags --libs', ++ if Options.options.with_snapper: ++ if conf.CHECK_CFG(package='dbus-1', args='--cflags --libs', + msg='Checking for dbus', uselib_store="DBUS-1"): +- if (conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1') ++ if (conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1') + and conf.CHECK_LIB('dbus-1', shlib=True)): +- conf.DEFINE('HAVE_DBUS', '1') ++ conf.DEFINE('HAVE_DBUS', '1') ++ else: ++ conf.fatal("vfs_snapper is enabled but prerequisite DBUS libraries " ++ "or headers not 
found. Use --disable-snapper to disable " ++ "vfs_snapper support."); + + if conf.CHECK_CFG(package='liburing', args='--cflags --libs', + msg='Checking for liburing package', uselib_store="URING"): +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch new file mode 100644 index 0000000000..63f8a9ec41 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch 
@@ -0,0 +1,67 @@ +From 54c21a99e6ca54bdb963c70d322f6778b57a384f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 4 Mar 2020 18:51:01 +0100 +Subject: [PATCH] winexe: add configure option to control whether to build it + (default: auto) + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Mon Mar 9 16:27:21 UTC 2020 on sn-devel-184 +--- + examples/winexe/wscript_build | 3 ++- + source3/wscript | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/examples/winexe/wscript_build b/examples/winexe/wscript_build +index 43c09717e3d..559ed3fc706 100644 +--- a/examples/winexe/wscript_build ++++ b/examples/winexe/wscript_build +@@ -106,4 +106,5 @@ if winexesvc_binaries != '': + LOADPARM_CTX + libsmb + msrpc3 +- ''') ++ ''', ++ enabled=bld.env.build_winexe) +diff --git a/source3/wscript b/source3/wscript +index 85466b493fa..6d5bd22ca49 100644 +--- a/source3/wscript ++++ b/source3/wscript +@@ -63,6 +63,7 @@ def options(opt): + opt.samba_add_onoff_option('cluster-support', default=False) + + opt.samba_add_onoff_option('regedit', default=None) ++ opt.samba_add_onoff_option('winexe', default=None) + + opt.samba_add_onoff_option('fake-kaserver', + help=("Include AFS fake-kaserver support"), default=False) +@@ -1782,6 +1783,22 @@ main() { + if conf.CHECK_HEADERS('ftw.h') and conf.CHECK_FUNCS('nftw'): + conf.env.build_mvxattr = True + ++ conf.env.build_winexe = False ++ if not Options.options.with_winexe == False: ++ if conf.CONFIG_SET('HAVE_WINEXE_CC_WIN32') or conf.CONFIG_SET('HAVE_WINEXE_CC_WIN64'): ++ conf.env.build_winexe = True ++ ++ if conf.env.build_winexe: ++ Logs.info("building winexe") ++ else: ++ if Options.options.with_winexe == False: ++ Logs.info("not building winexe (--without-winexe)") ++ elif Options.options.with_winexe == True: ++ Logs.error("mingw not available, cannot build winexe") ++ 
conf.fatal("mingw not available, but --with-winexe was specified") ++ else: ++ Logs.info("mingw not available, not building winexe") ++ + conf.CHECK_FUNCS_IN('DES_pcbc_encrypt', 'crypto') + if Options.options.with_fake_kaserver == True: + conf.CHECK_HEADERS('afs/param.h afs/stds.h', together=True) +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch deleted file mode 100644 index 463512f9a9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- samba-4.5.1/source4/heimdal_build/wscript_configure -+++ samba-4.5.1/source4/heimdal_build/wscript_configure -@@ -258,7 +258,11 @@ - - # With the proper checks in place we should be able to build against the system libtommath. - #if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'): - # conf.define('USING_SYSTEM_TOMMATH', 1) - --check_system_heimdal_binary("compile_et") --check_system_heimdal_binary("asn1_compile") -+# comment out next line to stop Gentoo Samba build from using the compile_et in e2fsprogs-libs -+# to compile the error tables. This produces a compile error later on. -+#check_system_heimdal_binary("compile_et") -+# -+# As a precaution do the same for asn1_compile -+#check_system_heimdal_binary("asn1_compile") diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch new file mode 100644 index 0000000000..c82f4af4e7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch 
@@ -0,0 +1,21 @@ +From 11e8c14b78e2423041f3846882f74cd6490a3e44 Mon Sep 17 00:00:00 2001 +From: Joan Karadimov +Date: Thu, 18 Oct 2018 18:16:17 +0300 +Subject: [PATCH] Fix compatibility issues with the timespec struct + +--- + source3/include/libsmbclient.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h +index 5e4a1715402..6487ea7a8aa 100644 +--- a/source3/include/libsmbclient.h ++++ b/source3/include/libsmbclient.h +@@ -78,6 +78,7 @@ extern "C" { + #include + #include + #include ++#include + #include + + #define SMBC_BASE_FD 10000 /* smallest file descriptor returned */ diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch deleted file mode 100644 index e66446845f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch +++ /dev/null @@ -1,14 +0,0 @@ -https://attachments.samba.org/attachment.cgi?id=13172 -https://bugs.gentoo.org/637320 - ---- a/lib/replace/wscript -+++ b/lib/replace/wscript -@@ -71,7 +71,7 @@ - conf.CHECK_HEADERS('sys/fileio.h sys/filesys.h sys/dustat.h sys/sysmacros.h') - conf.CHECK_HEADERS('xfs/libxfs.h netgroup.h') - -- conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') -+ conf.CHECK_CODE('ypstat s;', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') - - conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') - conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf index e0a6f325cf..a7f4946fb0 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf 
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf @@ -1,2 +1,3 @@ D /run/samba 0755 root root +D /run/ctdb 0755 root root D /run/lock/samba 0755 root root diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service deleted file mode 100644 index 8214ff8631..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Samba AD server -After=network.target winbindd.service -Conflicts=nmbd.service smbd.service - -[Service] -ExecStart=/usr/sbin/samba --interactive - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service deleted file mode 100644 index 5c006a44ed..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Samba SMB/CIFS server -After=network.target nmbd.service winbindd.service - -[Service] -Type=forking -PIDFile=/var/run/samba/smbd.pid -ExecStart=/usr/sbin/smbd -D -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket deleted file mode 100644 index 833bf43883..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Samba SMB/CIFS server socket - -[Socket] -ListenStream=445 -Accept=yes - -[Install] -WantedBy=sockets.target 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service deleted file mode 100644 index e1f71be3f7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Samba SMB/CIFS server instance - -[Service] -ExecStart=/usr/sbin/smbd -F -ExecReload=/bin/kill -HUP $MAINPID -StandardInput=socket diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service deleted file mode 100644 index 67a778fc76..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Samba Winbind daemon -After=network.target nmbd.service - -[Service] -Type=forking -PIDFile=/var/run/samba/winbindd.pid -ExecStart=/usr/sbin/winbindd -D -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml index 2a3bd677e0..d1bb8bfdd5 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml 
@@ -12,14 +12,16 @@ Enable Active Directory Domain Controller support Enable AD DNS integration Enable Active Directory support - Enable asynchronous IO support Enable support for Ceph distributed filesystem via sys-cluster/ceph Enables the client part Enable support for clustering Enable support for DMAPI. This currently works only in combination with XFS. Use app-crypt/gpgme for AD DC + Enable json audit support through dev-libs/jansson Enabling iPrint technology by Novell + Enables support for collecting profiling data Enables support for user quotas + Enable vfs_snapper module (requires sys-apps/dbus) Use app-crypt/heimdal instead of bundled heimdal. Use app-crypt/mit-krb5 instead of diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild new file mode 100644 index 0000000000..da8a4c8a60 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild 
@@ -0,0 +1,321 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python3_{6,7} ) +PYTHON_REQ_USE='threads(+),xml(+)' +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam + +MY_PV="${PV/_rc/rc}" +MY_P="${PN}-${MY_PV}" + +SRC_PATH="stable" +[[ ${PV} = *_rc* ]] && SRC_PATH="rc" + +SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz" +[[ ${PV} = *_rc* ]] || \ +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ppc ppc64 sparc x86" + +DESCRIPTION="Samba Suite Version 4" +HOMEPAGE="https://www.samba.org/" +LICENSE="GPL-3" + +SLOT="0" + +IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gpg iprint +json ldap pam profiling-data python quota selinux snapper syslog +system-heimdal +system-mitkrb5 systemd test winbind zeroconf" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/samba-4.0/policy.h + /usr/include/samba-4.0/dcerpc_server.h + /usr/include/samba-4.0/ctdb.h + /usr/include/samba-4.0/ctdb_client.h + /usr/include/samba-4.0/ctdb_protocol.h + /usr/include/samba-4.0/ctdb_private.h + /usr/include/samba-4.0/ctdb_typesafe_cb.h + /usr/include/samba-4.0/ctdb_version.h +) + +CDEPEND=" + >=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}] + dev-lang/perl:= + dev-libs/libbsd[${MULTILIB_USEDEP}] + dev-libs/libtasn1[${MULTILIB_USEDEP}] + dev-libs/popt[${MULTILIB_USEDEP}] + >=net-libs/gnutls-3.2.0[${MULTILIB_USEDEP}] + net-libs/libnsl:=[${MULTILIB_USEDEP}] + sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}] + >=sys-libs/ldb-2.0.12[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] + =sys-libs/talloc-2.2.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] + >=sys-libs/tdb-1.4.2[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] + >=sys-libs/tevent-0.10.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] + sys-libs/zlib[${MULTILIB_USEDEP}] + virtual/libiconv + pam? ( sys-libs/pam ) + acl? 
( virtual/acl ) + $(python_gen_cond_dep " + dev-python/subunit[\${PYTHON_MULTI_USEDEP},${MULTILIB_USEDEP}] + addns? ( + net-dns/bind-tools[gssapi] + dev-python/dnspython:=[\${PYTHON_MULTI_USEDEP}] + ) + ") + ceph? ( sys-cluster/ceph ) + cluster? ( + net-libs/rpcsvc-proto + !dev-db/ctdb + ) + cups? ( net-print/cups ) + debug? ( dev-util/lttng-ust ) + dmapi? ( sys-apps/dmapi ) + fam? ( virtual/fam ) + gpg? ( app-crypt/gpgme ) + json? ( dev-libs/jansson ) + ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + snapper? ( sys-apps/dbus ) + system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] ) + system-mitkrb5? ( >=app-crypt/mit-krb5-1.15.1[${MULTILIB_USEDEP}] ) + systemd? ( sys-apps/systemd:0= ) + zeroconf? ( net-dns/avahi[dbus] ) +" +DEPEND="${CDEPEND} + ${PYTHON_DEPS} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + >=dev-util/cmocka-1.1.1[${MULTILIB_USEDEP}] + net-libs/libtirpc[${MULTILIB_USEDEP}] + virtual/pkgconfig + || ( + net-libs/rpcsvc-proto + =sys-libs/nss_wrapper-1.1.3 + >=net-dns/resolv_wrapper-1.1.4 + >=net-libs/socket_wrapper-1.1.9 + >=sys-libs/uid_wrapper-1.2.1 + ) + )" +RDEPEND="${CDEPEND} + python? ( ${PYTHON_DEPS} ) + client? ( net-fs/cifs-utils[ads?] ) + selinux? ( sec-policy/selinux-samba ) + !dev-perl/Parse-Yapp +" + +REQUIRED_USE=" + addc? ( python json winbind ) + addns? ( python ) + ads? ( acl ldap winbind ) + cluster? ( ads ) + gpg? ( addc ) + test? ( python ) + ?? 
( system-heimdal system-mitkrb5 ) + ${PYTHON_REQUIRED_USE} +" + +# the test suite is messed, it uses system-installed samba +# bits instead of what was built, tests things disabled via use +# flags, and generally just fails to work in a way ebuilds could +# rely on in its current state +RESTRICT="test" + +S="${WORKDIR}/${MY_P}" + +PATCHES=( + "${FILESDIR}/${PN}-4.4.0-pam.patch" + "${FILESDIR}/${PN}-4.9.2-timespec.patch" + "${FILESDIR}/${PN}-4.13-winexe_option.patch" + "${FILESDIR}/${PN}-4.13-vfs_snapper_configure_option.patch" +) + +#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)" +CONFDIR="${FILESDIR}/4.4" + +WAF_BINARY="${S}/buildtools/bin/waf" + +SHAREDMODS="" + +pkg_setup() { + # Package fails to build with distcc + export DISTCC_DISABLE=1 + + python-single-r1_pkg_setup + if use cluster ; then + SHAREDMODS="idmap_rid,idmap_tdb2,idmap_ad" + elif use ads ; then + SHAREDMODS="idmap_ad" + fi +} + +src_prepare() { + default + + # un-bundle dnspython + sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die + + # unbundle iso8601 unless tests are enabled + if ! use test ; then + sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die + fi + + ## ugly hackaround for bug #592502 + #cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die + + sed -e 's:::' \ + -i source4/dsdb/samdb/ldb_modules/password_hash.c \ + || die + + # Friggin' WAF shit + multilib_copy_sources +} + +multilib_src_configure() { + # when specifying libs for samba build you must append NONE to the end to + # stop it automatically including things + local bundled_libs="NONE" + if ! use system-heimdal && ! 
use system-mitkrb5 ; then + bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE" + fi + + local myconf=( + --enable-fhs + --sysconfdir="${EPREFIX}/etc" + --localstatedir="${EPREFIX}/var" + --with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba" + --with-piddir="${EPREFIX}/run/${PN}" + --bundled-libraries="${bundled_libs}" + --builtin-libraries=NONE + --disable-rpath + --disable-rpath-install + --nopyc + --nopyo + --without-winexe + $(multilib_native_use_with acl acl-support) + $(multilib_native_usex addc '' '--without-ad-dc') + $(multilib_native_use_with addns dnsupdate) + $(multilib_native_use_with ads) + $(multilib_native_use_enable ceph cephfs) + $(multilib_native_use_with cluster cluster-support) + $(multilib_native_use_enable cups) + $(multilib_native_use_with dmapi) + $(multilib_native_use_with fam) + $(multilib_native_use_with gpg gpgme) + $(multilib_native_use_with json) + $(multilib_native_use_enable iprint) + $(multilib_native_use_with pam) + $(multilib_native_usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '') + $(multilib_native_use_with quota quotas) + $(multilib_native_use_enable snapper) + $(multilib_native_use_with syslog) + $(multilib_native_use_with systemd) + --systemd-install-services + --with-systemddir="$(systemd_get_systemunitdir)" + $(multilib_native_use_with winbind) + $(multilib_native_usex python '' '--disable-python') + $(multilib_native_use_enable zeroconf avahi) + $(multilib_native_usex test '--enable-selftest' '') + $(usex system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')" '') + $(use_with debug lttng) + $(use_with ldap) + $(use_with profiling-data) + # bug #683148 + --jobs 1 + ) + + multilib_is_native_abi && myconf+=( --with-shared-modules=${SHAREDMODS} ) + + CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \ + waf-utils_src_configure ${myconf[@]} +} + +multilib_src_compile() { + waf-utils_src_compile +} + 
+multilib_src_install() { + waf-utils_src_install + + # Make all .so files executable + find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die + + if multilib_is_native_abi ; then + # install ldap schema for server (bug #491002) + if use ldap ; then + insinto /etc/openldap/schema + doins examples/LDAP/samba.schema + fi + + # create symlink for cups (bug #552310) + if use cups ; then + dosym ../../../bin/smbspool /usr/libexec/cups/backend/smb + fi + + # install example config file + insinto /etc/samba + doins examples/smb.conf.default + + # Fix paths in example file (#603964) + sed \ + -e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \ + -e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \ + -e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \ + -e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \ + -e '/path =/s@/usr/spool/samba@/var/spool/samba@' \ + -i "${ED%/}"/etc/samba/smb.conf.default || die + + # Install init script and conf.d file + newinitd "${CONFDIR}/samba4.initd-r1" samba + newconfd "${CONFDIR}/samba4.confd" samba + + systemd_dotmpfilesd "${FILESDIR}"/samba.conf + use addc || rm "${D}/$(systemd_get_systemunitdir)/samba.service" || die + + # Preserve functionality for old gentoo-specific unit names + dosym nmb.service "$(systemd_get_systemunitdir)/nmbd.service" + dosym smb.service "$(systemd_get_systemunitdir)/smbd.service" + dosym winbind.service "$(systemd_get_systemunitdir)/winbindd.service" + fi + + if use pam && use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/log/samba +} + +multilib_src_install_all() { + # Attempt to fix bug #673168 + find "${ED}" -type d -name "Yapp" -print0 \ + | xargs -0 --no-run-if-empty rm -r || die +} + +multilib_src_test() { + if multilib_is_native_abi ; 
then + "${WAF_BINARY}" test || die "test failed" + fi +} + +pkg_postinst() { + ewarn "Be aware that this release contains the best of all of Samba's" + ewarn "technology parts, both a file server (that you can reasonably expect" + ewarn "to upgrade existing Samba 3.x releases to) and the AD domain" + ewarn "controller work previously known as 'samba4'." + + elog "For further information and migration steps make sure to read " + elog "https://samba.org/samba/history/${P}.html " + elog "https://wiki.samba.org/index.php/Samba4/HOWTO " +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild deleted file mode 100644 index 171a126f4d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild +++ /dev/null 
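Review bot: The new samba-4.11.13-r1.ebuild drops the CoreOS-local `IUSE+=" +minimal"` flag (commented in the removed 4.8.6 ebuild as "Only install libraries, not executables"), and its multilib_src_install installs the init script, conf.d file, PAM stack and systemd unit symlinks whenever the corresponding USE flags are set, so whatever the `minimal` flag used to strip is now shipped; the commit message does not mention this, so confirm it is intended or carry the flag over. Separately, as rendered here the `sed -e 's:::'` call in src_prepare is an empty substitution and the DEPEND atoms `|| ( net-libs/rpcsvc-proto =sys-libs/nss_wrapper-1.1.3` and `=sys-libs/talloc-2.2.0` look truncated — angle-bracketed text appears stripped throughout this page, so verify the committed file carries the intended patterns and atoms rather than trusting this view. The hunk covers the whole new file.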
@@ -1,300 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -PYTHON_COMPAT=( python2_7 ) -PYTHON_REQ_USE='threads(+),xml(+)' - -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd eutils - -MY_PV="${PV/_rc/rc}" -MY_P="${PN}-${MY_PV}" - -SRC_PATH="stable" -[[ ${PV} = *_rc* ]] && SRC_PATH="rc" - -SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz" -[[ ${PV} = *_rc* ]] || \ -KEYWORDS="alpha amd64 arm arm64 ~hppa ia64 ppc ppc64 sparc x86" - -DESCRIPTION="Samba Suite Version 4" -HOMEPAGE="http://www.samba.org/" -LICENSE="GPL-3" - -SLOT="0" - -IUSE="acl addc addns ads client cluster cups dmapi fam gnutls gpg iprint ldap pam -quota selinux syslog system-heimdal +system-mitkrb5 systemd test winbind zeroconf" -IUSE+=" +minimal" # COREOS: Only install libraries, not executables. - -# the test suite is messed, it uses system-installed samba -# bits instead of what was built, tests things disabled via use -# flags, and generally just fails to work in a way ebuilds could -# rely on in its current state -RESTRICT="test" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/samba-4.0/policy.h - /usr/include/samba-4.0/dcerpc_server.h - /usr/include/samba-4.0/ctdb.h - /usr/include/samba-4.0/ctdb_client.h - /usr/include/samba-4.0/ctdb_protocol.h - /usr/include/samba-4.0/ctdb_private.h - /usr/include/samba-4.0/ctdb_typesafe_cb.h - /usr/include/samba-4.0/ctdb_version.h -) - -# sys-apps/attr is an automagic dependency (see bug #489748) -CDEPEND=" - >=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}] - dev-libs/libaio[${MULTILIB_USEDEP}] - dev-libs/libbsd[${MULTILIB_USEDEP}] - dev-libs/iniparser:0 - dev-libs/popt[${MULTILIB_USEDEP}] - sys-apps/attr[${MULTILIB_USEDEP}] - sys-libs/libcap - sys-libs/ncurses:0=[${MULTILIB_USEDEP}] - sys-libs/readline:0= - sys-libs/zlib[${MULTILIB_USEDEP}] - virtual/libiconv - pam? ( virtual/pam ) - acl? ( virtual/acl ) - addns? ( net-dns/bind-tools[gssapi] ) - cluster? 
( - net-libs/rpcsvc-proto - !dev-db/ctdb - ) - cups? ( net-print/cups ) - dmapi? ( sys-apps/dmapi ) - fam? ( virtual/fam ) - gnutls? ( - dev-libs/libgcrypt:0 - >=net-libs/gnutls-1.4.0 - ) - gpg? ( app-crypt/gpgme ) - ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) - system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] ) - system-mitkrb5? ( app-crypt/mit-krb5[${MULTILIB_USEDEP}] ) - systemd? ( sys-apps/systemd:0= )" -DEPEND="${CDEPEND} - ${PYTHON_DEPS} - app-text/docbook-xsl-stylesheets - dev-lang/perl:= - dev-libs/libxslt - virtual/pkgconfig - test? ( - >=sys-libs/nss_wrapper-1.1.3 - >=net-dns/resolv_wrapper-1.1.4 - >=net-libs/socket_wrapper-1.1.7 - >=sys-libs/uid_wrapper-1.2.1 - )" -RDEPEND="${CDEPEND} - client? ( net-fs/cifs-utils[ads?] ) - selinux? ( sec-policy/selinux-samba ) - !dev-perl/Parse-Yapp -" - -REQUIRED_USE=" - addc? ( gnutls !system-mitkrb5 ) - ads? ( acl gnutls ldap ) - cluster? ( ads ) - gpg? ( addc ) - ?? ( system-heimdal system-mitkrb5 ) - ${PYTHON_REQUIRED_USE}" - -S="${WORKDIR}/${MY_P}" - -PATCHES=( - "${FILESDIR}/${PN}-4.4.0-pam.patch" - "${FILESDIR}/${PN}-4.5.1-compile_et_fix.patch" -) - -#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)" -CONFDIR="${FILESDIR}/4.4" - -WAF_BINARY="${S}/buildtools/bin/waf" - -SHAREDMODS="" - -pkg_setup() { - python-single-r1_pkg_setup - if use cluster ; then - SHAREDMODS="idmap_rid,idmap_tdb2,idmap_ad" - elif use ads ; then - SHAREDMODS="idmap_ad" - fi -} - -src_prepare() { - default - - sed -e 's:::' \ - -i source4/dsdb/samdb/ldb_modules/password_hash.c \ - || die - - # Friggin' WAF shit - multilib_copy_sources -} - -multilib_src_configure() { - # when specifying libs for samba build you must append NONE to the end to - # stop it automatically including things - local bundled_libs="NONE" - if ! use system-heimdal && ! 
use system-mitkrb5 ; then - bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE" - fi - - # COREOS: Don't depend on tons of new packages with broken cross-compilation support. - bundled_libs=ALL - - local myconf=() - myconf=( - --enable-fhs - --sysconfdir="${EPREFIX}/etc" - --localstatedir="${EPREFIX}/var" - --with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba" - --with-piddir="${EPREFIX}/run/${PN}" - --without-lttng - --bundled-libraries="${bundled_libs}" - --builtin-libraries=NONE - --disable-rpath - --disable-rpath-install - --nopyc - --nopyo - --disable-cephfs - --disable-python # COREOS: Don't build libraries requiring Python. - ) - if multilib_is_native_abi ; then - myconf+=( - $(use_with acl acl-support) - $(usex addc '' '--without-ad-dc') - $(use_with addns dnsupdate) - $(use_with ads) - $(use_with cluster cluster-support) - $(use_enable cups) - $(use_with dmapi) - $(use_with fam) - $(use_enable gnutls) - $(use_with gpg gpgme) - $(use_enable iprint) - $(use_with ldap) - $(use_with pam) - $(usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '') - $(use_with quota quotas) - $(use_with syslog) - $(use_with systemd) - $(usex system-mitkrb5 '--with-system-mitkrb5' '') - $(use_with winbind) - $(usex test '--enable-selftest' '') - $(use_enable zeroconf avahi) - --with-shared-modules=${SHAREDMODS} - ) - else - myconf+=( - --without-acl-support - --without-ad-dc - --without-dnsupdate - --without-ads - --disable-avahi - --without-cluster-support - --disable-cups - --without-dmapi - --without-fam - --disable-gnutls - --without-gpgme - --disable-iprint - $(use_with ldap) - --without-pam - --without-quotas - --without-syslog - --without-systemd - $(usex system-mitkrb5 '--with-system-mitkrb5' '') - --without-winbind - --disable-python - ) - fi - - CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \ - waf-utils_src_configure ${myconf[@]} -} - -multilib_src_compile() { - waf-utils_src_compile -} - 
-multilib_src_install() { - waf-utils_src_install - - # Make all .so files executable - find "${D}" -type f -name "*.so" -exec chmod +x {} + - - if multilib_is_native_abi; then - # install ldap schema for server (bug #491002) - if use ldap ; then - insinto /etc/openldap/schema - doins examples/LDAP/samba.schema - fi - - # create symlink for cups (bug #552310) - if use cups ; then - dosym ../../../bin/smbspool /usr/libexec/cups/backend/smb - fi - - # install example config file - insinto /etc/samba - doins examples/smb.conf.default - - # Fix paths in example file (#603964) - sed \ - -e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \ - -e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \ - -e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \ - -e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \ - -e '/path =/s@/usr/spool/samba@/var/spool/samba@' \ - -i "${ED%/}"/etc/samba/smb.conf.default || die - - # Install init script and conf.d file - newinitd "${CONFDIR}/samba4.initd-r1" samba - newconfd "${CONFDIR}/samba4.confd" samba - - if ! 
use minimal ; then - systemd_dotmpfilesd "${FILESDIR}"/samba.conf - fi - systemd_dounit "${FILESDIR}"/nmbd.service - systemd_dounit "${FILESDIR}"/smbd.{service,socket} - systemd_newunit "${FILESDIR}"/smbd_at.service 'smbd@.service' - systemd_dounit "${FILESDIR}"/winbindd.service - systemd_dounit "${FILESDIR}"/samba.service - fi - - rm -f "${ED%/}"/etc/samba/* - rm -f "${ED%/}"/usr/lib*/samba/ldb/* - if use minimal ; then - mv "${ED%/}"/usr/bin/net "${T}"/ - rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* - mv "${T}"/net "${ED%/}"/usr/bin/net - rm -rf ${ED%/}/lib*/security - rm -rf ${ED%/}/usr/lib/systemd - rm -rf ${ED%/}/usr/lib*/perl* - rm -rf ${ED%/}/usr/lib*/python* - rm -rf ${ED%/}/var - fi -} - -multilib_src_test() { - if multilib_is_native_abi ; then - "${WAF_BINARY}" test || die "test failed" - fi -} - -pkg_postinst() { - ewarn "Be aware the this release contains the best of all of Samba's" - ewarn "technology parts, both a file server (that you can reasonably expect" - ewarn "to upgrade existing Samba 3.x releases to) and the AD domain" - ewarn "controller work previously known as 'samba4'." - - elog "For further information and migration steps make sure to read " - elog "http://samba.org/samba/history/${P}.html " - elog "http://samba.org/samba/history/${PN}-4.5.0.html and" - elog "http://wiki.samba.org/index.php/Samba4/HOWTO " -} From a5e2bf4282cad7c963303e9a5b3ceeaebc6eaf10 Mon Sep 17 00:00:00 2001 
From: Dongsu Park Date: Fri, 6 Nov 2020 13:51:55 +0100 Subject: [PATCH 02/10] net-fs/samba: Apply Flatcar changes - Add a minimal USE flag for only installing libraries - Change the Perl and Python run-time deps to build-time only - Drop a bunch of dependencies with broken cross-compilation - Enable using bundled libraries in their place - Disable building libraries requiring Python Original-by: David Michael https://github.com/flatcar-linux/coreos-overlay/commit/8445f8b4386a --- .../net-fs/samba/samba-4.11.13-r1.ebuild | 46 +++++++++++-------- 1 file changed, 27 insertions(+), 19 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild index da8a4c8a60..616a3c56f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild @@ -26,6 +26,7 @@ SLOT="0" IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gpg iprint json ldap pam profiling-data python quota selinux snapper syslog system-heimdal +system-mitkrb5 systemd test winbind zeroconf" +IUSE+=" +minimal" # Flatcar: Only install libraries, not executables. MULTILIB_WRAPPED_HEADERS=( /usr/include/samba-4.0/policy.h 
@@ -40,32 +41,22 @@ MULTILIB_WRAPPED_HEADERS=( CDEPEND=" >=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}] - dev-lang/perl:= dev-libs/libbsd[${MULTILIB_USEDEP}] - dev-libs/libtasn1[${MULTILIB_USEDEP}] + !minimal? ( dev-libs/libtasn1[${MULTILIB_USEDEP}] ) dev-libs/popt[${MULTILIB_USEDEP}] >=net-libs/gnutls-3.2.0[${MULTILIB_USEDEP}] - net-libs/libnsl:=[${MULTILIB_USEDEP}] sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}] - >=sys-libs/ldb-2.0.12[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] - =sys-libs/talloc-2.2.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] - >=sys-libs/tdb-1.4.2[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] - >=sys-libs/tevent-0.10.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}] sys-libs/zlib[${MULTILIB_USEDEP}] virtual/libiconv pam? ( sys-libs/pam ) acl? ( virtual/acl ) - $(python_gen_cond_dep " - dev-python/subunit[\${PYTHON_MULTI_USEDEP},${MULTILIB_USEDEP}] - addns? ( - net-dns/bind-tools[gssapi] - dev-python/dnspython:=[\${PYTHON_MULTI_USEDEP}] - ) - ") + addns? ( + net-dns/bind-tools[gssapi] + dev-python/dnspython + ) ceph? ( sys-cluster/ceph ) cluster? ( net-libs/rpcsvc-proto @@ -87,6 +78,7 @@ CDEPEND=" DEPEND="${CDEPEND} ${PYTHON_DEPS} app-text/docbook-xsl-stylesheets + dev-lang/perl:= dev-libs/libxslt >=dev-util/cmocka-1.1.1[${MULTILIB_USEDEP}] net-libs/libtirpc[${MULTILIB_USEDEP}] @@ -166,9 +158,6 @@ src_prepare() { sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die fi - ## ugly hackaround for bug #592502 - #cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die - sed -e 's:::' \ -i source4/dsdb/samdb/ldb_modules/password_hash.c \ || die @@ -185,6 +174,9 @@ multilib_src_configure() { bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE" fi + # Flatcar: Don't depend on tons of new packages with broken cross-compilation support. + bundled_libs=ALL + local myconf=( --enable-fhs --sysconfdir="${EPREFIX}/etc" 
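Review bot: The added `bundled_libs=ALL` unconditionally overwrites the value the `if ! use system-heimdal && ! use system-mitkrb5` branch directly above computes, so that branch and the `--bundled-libraries` half of the `system-heimdal`/`system-mitkrb5` flags become dead code (the old ebuild also passed `--with-system-mitkrb5` next to it; whether the new one still does, and whether configure honours it once everything is bundled, is outside this hunk and worth confirming). From a supply-chain angle this means the ldb/talloc/tdb/tevent copies in the samba tarball (sys-libs/ldb and friends were dropped from CDEPEND in the hunk above) and, without a system Kerberos, the bundled Heimdal listed in the context line are what gets linked, so security fixes for those libraries now reach the image only through a samba bump. I would say so in the comment, e.g. `# Flatcar: bundle ALL libraries (system copies cross-compile badly). Security fixes for ldb/talloc/tdb/tevent/Heimdal now arrive only via samba bumps.`, and either delete the now-dead conditional or make the override conditional itself. multilib_src_configure continues outside the hunk.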
@@ -198,6 +190,7 @@ multilib_src_configure() { --nopyc --nopyo --without-winexe + --disable-python # Flatcar: Don't build libraries requiring Python. $(multilib_native_use_with acl acl-support) $(multilib_native_usex addc '' '--without-ad-dc') $(multilib_native_use_with addns dnsupdate) @@ -275,7 +268,9 @@ multilib_src_install() { newinitd "${CONFDIR}/samba4.initd-r1" samba newconfd "${CONFDIR}/samba4.confd" samba - systemd_dotmpfilesd "${FILESDIR}"/samba.conf + if ! use minimal ; then + systemd_dotmpfilesd "${FILESDIR}"/samba.conf + fi use addc || rm "${D}/$(systemd_get_systemunitdir)/samba.service" || die # Preserve functionality for old gentoo-specific unit names @@ -295,6 +290,19 @@ multilib_src_install() { keepdir /var/lib/ctdb keepdir /var/lib/samba/{bind-dns,private} keepdir /var/log/samba + + rm -f "${ED%/}"/etc/samba/* + rm -f "${ED%/}"/usr/lib*/samba/ldb/* + if use minimal ; then + mv "${ED%/}"/usr/bin/net "${T}"/ + rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* + mv "${T}"/net "${ED%/}"/usr/bin/net + rm -rf ${ED%/}/lib*/security + rm -rf ${ED%/}/usr/lib/systemd + rm -rf ${ED%/}/usr/lib*/perl* + rm -rf ${ED%/}/usr/lib*/python* + rm -rf ${ED%/}/var + fi } multilib_src_install_all() { From 40ac654c208b5ccbeb54bc06dcca6a433030d5c0 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:51:57 +0100 Subject: [PATCH 03/10] profiles: set python_single_target_python3.6 for net-fs/samba --- .../third_party/coreos-overlay/profiles/coreos/base/package.use | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 78d62bcf5b..4633182c40 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use 
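Review bot: `--disable-python` is now passed unconditionally while the context line right below still emits `$(multilib_native_usex addc '' '--without-ad-dc')`, so with USE=addc configure is asked for an AD DC without Python; as far as I recall samba's wscript refuses `--disable-python` unless `--without-ad-dc` is also given, because provisioning and samba-tool are Python. Either force `addc` off for this package (package.use.mask) or tie the option to it, `$(usex addc '' '--disable-python')`, and state which in the comment, e.g. `# Flatcar: no Python bindings; this also rules out the AD DC, so addc must stay off`. Please confirm against the 4.11 wscript; multilib_src_configure extends beyond the hunk.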
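Review bot: Inside the new `use minimal` branch the five `rm -rf ${ED%/}/...` lines leave `${ED%/}` unquoted although the two `rm -f "${ED%/}"/...` lines just above quote it; a build root containing whitespace or glob characters would send `rm -rf` to the wrong paths, so quote them consistently, e.g. `rm -rf "${ED%/}"/lib*/security "${ED%/}"/usr/lib/systemd "${ED%/}"/usr/lib*/perl* "${ED%/}"/usr/lib*/python* "${ED%/}"/var`. Note also that `rm -f "${ED%/}"/etc/samba/*` and `rm -f "${ED%/}"/usr/lib*/samba/ldb/*` run regardless of `minimal`, which appears to discard the `smb.conf.default` this function installs and path-fixes earlier (outside the hunk) and every ldb module, and `rm -rf .../var` removes the `/var/lib/samba/private` and `/var/log/samba` keepdirs created in the context lines directly above; if that is intended, a one-line comment saying why (configuration and state presumably arrive at runtime) would stop the next reader from "fixing" it. multilib_src_install continues outside the hunk.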
@@ -28,6 +28,7 @@ sys-apps/portage -python_targets_python3_6 # python3 only dev-util/gdbus-codegen python_single_target_python3_6 dev-util/glib-utils python_single_target_python3_6 +net-fs/samba python_single_target_python3_6 sys-apps/gptfdisk -icu From 6c6aa8be0728072dd55da459f17714bac31a6265 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:51:59 +0100 Subject: [PATCH 04/10] sys-auth/sssd: update to 2.2.0 sync with Gentoo Update sys-auth/sssd, by syncing with upstream Gentoo. Mainly needed by net-fs/samba 4.11. Also resolves CVE-2018-16883, CVE-2019-3811, CVE-2018-16838. --- .../coreos-overlay/sys-auth/sssd/Manifest | 2 +- ...-libsofthsm2.so-in-usr-libdir-sofths.patch | 32 ++ .../sssd/files/sssd-curl-macros.patch | 34 -- .../sssd/files/sssd-fix-CVE-2019-3811.patch | 96 ------ .../sys-auth/sssd/files/sssd.service | 9 +- .../sys-auth/sssd/files/tmpfiles.d/sssd.conf | 13 - .../coreos-overlay/sys-auth/sssd/metadata.xml | 14 +- .../sys-auth/sssd/sssd-1.16.3-r3.ebuild | 233 -------------- .../sys-auth/sssd/sssd-2.3.1-r2.ebuild | 291 ++++++++++++++++++ 9 files changed, 342 insertions(+), 382 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest index 8cb22a3997..ea7605714c 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest @@ -1 +1 @@ -DIST sssd-1.16.3.tar.gz 6217114 BLAKE2B eefaf8de466d0d76e9a4b60aefef6eb63c17a55b9a1f2e07e973a61d71cbe5432e92357656a1eb353d45bbc2fa92290cef45898d0b315d4a4c4074652ff25a23 SHA512 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728 +DIST sssd-2.3.1.tar.gz 7186526 BLAKE2B 6d630fe75b9b426ef54adbe1704fde8e01fc34df7861028c07ce2985db8a151ce743d633061386fea6460fe8eabb89242b816d4bac87975bb9b7b2064ad1d547 SHA512 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch new file mode 100644 index 0000000000..b84df9a91c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch 
@@ -0,0 +1,32 @@
+From fc79d035ccc4c1a5da26bbd780aeb7e0a0afebf5 Mon Sep 17 00:00:00 2001
+From: Matt Turner
+Date: Fri, 14 Aug 2020 13:36:30 -0700
+Subject: [PATCH] test_ca: Look for libsofthsm2.so in /usr/${libdir}/softhsm
+ too
+
+Signed-off-by: Matt Turner
+---
+ src/external/test_ca.m4 | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
+index 4d45a5a16..d318789bc 100644
+--- a/src/external/test_ca.m4
++++ b/src/external/test_ca.m4
+@@ -33,9 +33,10 @@ AC_DEFUN([AM_CHECK_TEST_CA],
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
+ else
+
+- for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do
+- if test -f "${p}"; then
+- SOFTHSM2_PATH="${p}"
++ for p in /usr/lib{64,}/{softhsm,pkcs11} /usr/lib/x86_64-linux-gnu/softhsm; do
++ f="${p}/libsofthsm2.so"
++ if test -f "${f}"; then
++ SOFTHSM2_PATH="${f}"
+ break;
+ fi
+ done
+--
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch
deleted file mode 100644
index 91e71e8378..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From d3cdf9cbfbace4874c6e5c96f1e5ef5b342c813e Mon Sep 17 00:00:00 2001 -From: Mikle Kolyada -Date: Sun, 16 Dec 2018 20:42:39 +0300 -Subject: [PATCH] tev_curl.c: remove case duplication - -CURLE_SSL_CACERT and CURLE_PEER_FAILED_VERIFICATION macros are provided -by net-misc/curl-7.62.0 and older ---- - tev_curl.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/tev_curl.c b/tev_curl.c -index 6a7a580..ce6fdba 100644 ---- a/src/util/tev_curl.c -+++ b/src/util/tev_curl.c -@@ -97,7 +97,6 @@ static errno_t curl_code2errno(CURLcode crv) - return ETIMEDOUT; - case CURLE_SSL_ISSUER_ERROR: - case CURLE_SSL_CACERT_BADFILE: -- case CURLE_SSL_CACERT: - case CURLE_SSL_CERTPROBLEM: - return ERR_INVALID_CERT; - -@@ -110,8 +109,6 @@ static errno_t curl_code2errno(CURLcode crv) - case CURLE_SSL_ENGINE_NOTFOUND: - case CURLE_SSL_CONNECT_ERROR: - return ERR_SSL_FAILURE; -- case CURLE_PEER_FAILED_VERIFICATION: -- return ERR_UNABLE_TO_VERIFY_PEER; - case CURLE_COULDNT_RESOLVE_HOST: - return ERR_UNABLE_TO_RESOLVE_HOST; - default: --- -2.19.2 \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch deleted file mode 100644 index 87db45fd24..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 3 Dec 2018 14:11:31 +0100 -Subject: [PATCH] nss: sssd returns '/' for emtpy home directories - -For empty home directory in passwd file sssd returns "/". Sssd -should respect system behaviour and return the same as nsswitch -"files" module - return empty string. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3901 - -Reviewed-by: Simo Sorce -Reviewed-by: Jakub Hrozek -(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49) ---- - src/confdb/confdb.c | 9 +++++++++ - src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++ - src/responder/nss/nss_protocol_pwent.c | 2 +- - src/tests/intg/test_files_provider.py | 2 +- - 4 files changed, 30 insertions(+), 2 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index a3eb9c66d9..17bb4f8274 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - ret = ENOMEM; - goto done; - } -+ } else { -+ if (strcasecmp(domain->provider, "ad") == 0) { -+ /* ad provider default */ -+ domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u"); -+ if (!domain->fallback_homedir) { -+ ret = ENOMEM; -+ goto done; -+ } -+ } - } - - tmp = ldb_msg_find_attr_as_string(res->msgs[0], -diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml -index 818a2bf787..425b7e8ee0 100644 ---- a/src/man/include/ad_modified_defaults.xml -+++ b/src/man/include/ad_modified_defaults.xml -@@ -76,4 +76,23 @@ - - - -+ -+ NSS configuration -+ -+ -+ -+ fallback_homedir = /home/%d/%u -+ -+ -+ The AD provider automatically sets -+ "fallback_homedir = /home/%d/%u" to provide personal -+ home directories for users without the homeDirectory -+ attribute. 
If your AD Domain is properly -+ populated with Posix attributes, and you want to avoid -+ this fallback behavior, you can explicitly -+ set "fallback_homedir = %o". -+ -+ -+ -+ - -diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c -index af9e74fc86..86fa4ec465 100644 ---- a/src/responder/nss/nss_protocol_pwent.c -+++ b/src/responder/nss/nss_protocol_pwent.c -@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx, - - homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx); - if (homedir == NULL) { -- return "/"; -+ return ""; - } - - return homedir; -diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py -index ead1cc4c34..4761f1bd15 100644 ---- a/src/tests/intg/test_files_provider.py -+++ b/src/tests/intg/test_files_provider.py -@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only): - Test that resolving a user without a homedir defined works and returns - a fallback value - """ -- check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/')) -+ check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '')) - - - def test_user_no_gecos(setup_pw_with_canary, files_domain_only): diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service index a6afb4682c..1821089a60 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service 
@@ -1,10 +1,15 @@
 [Unit]
 Description=System Security Services Daemon
-After=nscd.service
+# SSSD will not be started until syslog is
+After=syslog.target

 [Service]
-ExecStart=/usr/sbin/sssd -i
+ExecStart=/usr/sbin/sssd -D -f
+# These two should be used with traditional UNIX forking daemons
+# consult systemd.service(5) for more details
+Type=forking
 PIDFile=/run/sssd.pid

 [Install]
 WantedBy=multi-user.target
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
deleted file mode 100644
index f8074a4332..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-d /etc/sssd 0700 root root - -
-C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf
-d /var/lib/sss - root root - -
-d /var/lib/sss/deskprofile 0755 root root - -
-d /var/lib/sss/db 0700 root root - -
-d /var/lib/sss/gpo_cache 0755 root root - -
-d /var/lib/sss/keytabs 0700 root root - -
-d /var/lib/sss/mc 0700 root root - -
-d /var/lib/sss/pipes - root root - -
-d /var/lib/sss/pipes/private 0700 root root - -
-d /var/lib/sss/pubconf 0700 root root - -
-d /var/lib/sss/pubconf/krb5.include.d 0700 root root - -
-d /var/lib/sss/secrets 0755 root root - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml
index 5b5f4a6f7a..5b808c16ef 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml
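Review bot: `Type=forking` with `ExecStart=/usr/sbin/sssd -D -f` makes systemd track the daemon only through `PIDFile=/run/sssd.pid` instead of supervising the process it spawned as the previous `-i` invocation did, and `-f` (`--debug-to-files`) moves sssd's debug output out of the journal into files under its log directory, which nothing visible in this series creates; I believe sssd 2.x deprecates `-f` in favour of `--logger=` and ships a unit that runs the daemon in the foreground, so check the 2.3.1 upstream unit before diverging from it. The comment `# SSSD will not be started until syslog is` is cut off; suggested: `# Order after syslog.target; with -f sssd writes its debug log to files rather than the journal`. Dropping `After=nscd.service` also removes the ordering against nscd even though the new ebuild's RDEPEND still requires `glibc[nscd]`; if the cache daemon is used on the host, keep that ordering.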
@@ -1,21 +1,29 @@ + + base-system@gentoo.org + Gentoo Base System + alexxy@gentoo.org Alexey Shvetsov Build and use the cifsidmap plugin + Build helper to let net-fs/autofs use sssd provided information Install sssd's Kerberos plugin + Build man pages with dev-libs/libxslt + Build man pages with dev-libs/libxslt Add support for netlink protocol via dev-libs/libnl Add support for the nfsv4 idmapd plugin provided by net-libs/libnfsidmap - Build man pages with dev-libs/libxslt - Build helper to let net-fs/autofs use sssd provided information + Add Privileged Attribute Certificate Support for Kerberos Build helper to let net-misc/openssh use sssd provided information Build helper to let app-admin/sudo use sssd provided information + Depend on dev-util/valgrind for test suite - cpe:/a:fedorahosted:sssd + cpe:/a:fedoraproject:sssd + SSSD/sssd diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild deleted file mode 100644 index 089931addb..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild +++ /dev/null 
@@ -1,233 +0,0 @@ -# Flatcar modifications: -# - changed files/sssd.service -# - added files/tmpfiles.d/sssd.conf -# - other ebuild modifications marked below -# -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit autotools flag-o-matic linux-info multilib-minimal pam systemd toolchain-funcs - -DESCRIPTION="System Security Services Daemon provides access to identity and authentication" -HOMEPAGE="https://pagure.io/SSSD/sssd" -SRC_URI="http://releases.pagure.org/SSSD/${PN}/${P}.tar.gz" -# Flatcar: stabilize arm64 -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" - -LICENSE="GPL-3" -SLOT="0" -IUSE="acl autofs +locator +netlink nfsv4 nls +manpages samba selinux sudo ssh test" -RESTRICT="!test? ( test )" - -# Flatcar: don't force gssapi for >=net-dns/bind-tools-9.9 -COMMON_DEP=" - >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] - >=dev-libs/popt-1.16 - dev-libs/glib:2 - >=dev-libs/ding-libs-0.2 - >=sys-libs/talloc-2.0.7 - >=sys-libs/tdb-1.2.9 - >=sys-libs/tevent-0.9.16 - >=sys-libs/ldb-1.1.17-r1:= - >=net-nds/openldap-2.4.30[sasl] - net-libs/http-parser - >=dev-libs/libpcre-8.30 - >=app-crypt/mit-krb5-1.10.3 - dev-libs/jansson - net-misc/curl - locator? ( - >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] - >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] - ) - >=sys-apps/keyutils-1.5:= - >=net-dns/c-ares-1.7.4 - >=dev-libs/nss-3.12.9 - selinux? ( - >=sys-libs/libselinux-2.1.9 - >=sys-libs/libsemanage-2.1 - ) - >=net-dns/bind-tools-9.9 - >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] - >=sys-apps/dbus-1.6 - acl? ( net-fs/cifs-utils[acl] ) - nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) - nls? ( >=sys-devel/gettext-0.18 ) - virtual/libintl - netlink? ( dev-libs/libnl:3 ) - samba? ( >=net-fs/samba-4.5 ) - " - -RDEPEND="${COMMON_DEP} - >=sys-libs/glibc-2.17[nscd] - selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) - " -DEPEND="${COMMON_DEP} - test? 
( dev-libs/check ) - manpages? ( - >=dev-libs/libxslt-1.1.26 - app-text/docbook-xml-dtd:4.4 - )" - -CONFIG_CHECK="~KEYS" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/ipa_hbac.h - /usr/include/sss_idmap.h - /usr/include/sss_nss_idmap.h - /usr/include/wbclient_sssd.h - # --with-ifp - /usr/include/sss_sifp.h - /usr/include/sss_sifp_dbus.h - # from 1.15.3 - /usr/include/sss_certmap.h -) - -pkg_setup() { - linux-info_pkg_setup -} - -src_prepare() { - sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' \ - "${S}"/src/sysv/gentoo/sssd.in || die "sed sssd.in" - - eapply "${FILESDIR}"/${PN}-curl-macros.patch - eapply "${FILESDIR}"/${PN}-fix-CVE-2019-3811.patch - - default - eautoreconf - multilib_copy_sources -} - -src_configure() { - local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) - - multilib-minimal_src_configure -} - -multilib_src_configure() { - # Flatcar: delete, use systemd and not sysv - - #Work around linker dependency problem. - append-ldflags "-Wl,--allow-shlib-undefined" - - myconf+=( - --localstatedir="${EPREFIX}"/var - --enable-nsslibdir="${EPREFIX}"/$(get_libdir) - --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd - --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) - --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb - --with-os=gentoo - --with-nscd - --with-unicode-lib="glib2" - --disable-rpath - # Flatcar: make nss lookups succeed when not running - --enable-sss-default-nss-plugin - # Flatcar: prevent cross-compilation error - # when autotools does not want to compile and run the test - $(use_with samba smb-idmap-interface-version=6) - # - --sbindir=/usr/sbin - --without-kcm - $(use_with samba libwbclient) - --with-secrets - $(multilib_native_use_with samba) - $(multilib_native_use_enable acl cifs-idmap-plugin) - $(multilib_native_use_with selinux) - $(multilib_native_use_with selinux semanage) - $(use_enable locator krb5-locator-plugin) - $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) - $(use_enable nls ) - 
$(multilib_native_use_with netlink libnl) - $(multilib_native_use_with manpages) - $(multilib_native_use_with sudo) - $(multilib_native_use_with autofs) - $(multilib_native_use_with ssh) - --with-crypto="nss" - --with-initscript="sysv" - --without-python2-bindings - --without-python3-bindings - # Flatcar: delete, fix krb5-config detection - ) - - if ! multilib_is_native_abi; then - # work-around all the libraries that are used for CLI and server - myconf+=( - {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' - # ldb headers are fine since native needs it - # ldb lib fails... but it does not seem to bother - {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1}}_{CFLAGS,LIBS}=' ' - {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO}_{CFLAGS,LIBS}=' ' - - # use native include path for dbus (needed for build) - DBUS_CFLAGS="${native_dbus_cflags}" - - # non-pkgconfig checks - ac_cv_lib_ldap_ldap_search=yes - --without-secrets - --without-libwbclient - --without-kcm - --with-crypto="" - ) - - use locator || myconf+=( - KRB5_CONFIG=/bin/true - ) - fi - - econf "${myconf[@]}" -} - -multilib_src_compile() { - if multilib_is_native_abi; then - default - else - emake libnss_sss.la pam_sss.la - use locator && emake sssd_krb5_locator_plugin.la - fi -} - -multilib_src_install() { - if multilib_is_native_abi; then - # Flatcar: add sysconfdir - emake -j1 DESTDIR="${D}" sysconfdir="/usr/share" "${_at_args[@]}" install - else - # easier than playing with automake... 
- dopammod .libs/pam_sss.so - - into / - dolib.so .libs/libnss_sss.so* - - if use locator; then - exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 - doexe .libs/sssd_krb5_locator_plugin.so - fi - fi -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - - # Flatcar: store on /usr - insinto /usr/share/sssd - doins "${S}"/src/examples/sssd-example.conf - - # Flatcar: delete, remove /var files taken care of by tmpfiles - - systemd_dounit "${FILESDIR}/${PN}.service" - # Flatcar: add tmpfile directive and remove /etc/rc.d - systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/sssd.conf" - rm -rf "${D}/etc/rc.d" -} - -multilib_src_test() { - default -} - -pkg_postinst() { - elog "You must set up sssd.conf (default installed into /etc/sssd)" - elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" - elog "features. Please see howto in https://docs.pagure.org/SSSD.sssd/design_pages/index.html#implemented-in-1-16-x" -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild new file mode 100644 index 0000000000..c5c20e6794 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild 
@@ -0,0 +1,291 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_7 ) + +inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs + +DESCRIPTION="System Security Services Daemon provides access to identity and authentication" +HOMEPAGE="https://github.com/SSSD/sssd" +SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" +KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" + +LICENSE="GPL-3" +SLOT="0" +IUSE="acl doc +locator +netlink nfsv4 nls +man pac python samba selinux sudo systemd test valgrind" +RESTRICT="!test? ( test )" + +REQUIRED_USE="pac? ( samba ) + python? ( ${PYTHON_REQUIRED_USE} )" + +DEPEND=" + >=app-crypt/mit-krb5-1.10.3 + app-crypt/p11-kit + >=dev-libs/ding-libs-0.2 + dev-libs/glib:2 + >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] + >=dev-libs/libpcre-8.30:= + >=dev-libs/popt-1.16 + >=dev-libs/openssl-1.0.2:0= + >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/c-ares-1.7.4 + >=net-nds/openldap-2.4.30[sasl] + >=sys-apps/dbus-1.6 + >=sys-apps/keyutils-1.5:= + >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] + >=sys-libs/talloc-2.0.7 + >=sys-libs/tdb-1.2.9 + >=sys-libs/tevent-0.9.16 + >=sys-libs/ldb-1.1.17-r1:= + virtual/libintl + locator? ( + >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] + >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] + ) + acl? ( net-fs/cifs-utils[acl] ) + netlink? ( dev-libs/libnl:3 ) + nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) + nls? ( >=sys-devel/gettext-0.18 ) + pac? ( + app-crypt/mit-krb5[${MULTILIB_USEDEP}] + net-fs/samba + ) + python? ( ${PYTHON_DEPS} ) + samba? ( >=net-fs/samba-4.10.2[winbind] ) + selinux? ( + >=sys-libs/libselinux-2.1.9 + >=sys-libs/libsemanage-2.1 + ) + systemd? 
( + dev-libs/jansson:0= + net-libs/http-parser:0= + net-misc/curl:0= + ) + " + +RDEPEND="${DEPEND} + >=sys-libs/glibc-2.17[nscd] + selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) + " +BDEPEND="${DEPEND} + >=sys-devel/autoconf-2.69-r5 + doc? ( app-doc/doxygen ) + test? ( + dev-libs/check + dev-libs/softhsm:2 + dev-util/cmocka + net-libs/gnutls[pkcs11,tools] + sys-libs/libfaketime + sys-libs/nss_wrapper + sys-libs/pam_wrapper + sys-libs/uid_wrapper + valgrind? ( dev-util/valgrind ) + ) + man? ( + app-text/docbook-xml-dtd:4.4 + >=dev-libs/libxslt-1.1.26 + nls? ( app-text/po4a ) + )" + +CONFIG_CHECK="~KEYS" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/ipa_hbac.h + /usr/include/sss_idmap.h + /usr/include/sss_nss_idmap.h + # --with-ifp + /usr/include/sss_sifp.h + /usr/include/sss_sifp_dbus.h + # from 1.15.3 + /usr/include/sss_certmap.h +) + +PATCHES=( + "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch +) + +pkg_setup() { + linux-info_pkg_setup +} + +src_prepare() { + sed -i 's:/var/run:/run:' \ + "${S}"/src/examples/logrotate || die + + default + eautoreconf + multilib_copy_sources + if use python && multilib_is_native_abi; then + python_setup + fi +} + +src_configure() { + local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=() + + myconf+=( + --localstatedir="${EPREFIX}"/var + --runstatedir="${EPREFIX}"/run + --with-pid-path="${EPREFIX}"/run + --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd + --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) + --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb + --with-db-path="${EPREFIX}"/var/lib/sss/db + --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache + --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf + --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes + --with-mcache-path="${EPREFIX}"/var/lib/sss/mc + --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets + 
--with-log-path="${EPREFIX}"/var/log/sssd + --with-os=gentoo + --with-nscd="${EPREFIX}"/usr/sbin/nscd + --with-unicode-lib="glib2" + --disable-rpath + --sbindir=/usr/sbin + --with-crypto="libcrypto" + --enable-local-provider + $(multilib_native_use_with systemd kcm) + $(multilib_native_use_with systemd secrets) + $(use_with samba) + --with-smb-idmap-interface-version=6 + $(multilib_native_use_enable acl cifs-idmap-plugin) + $(multilib_native_use_with selinux) + $(multilib_native_use_with selinux semanage) + $(use_enable locator krb5-locator-plugin) + $(use_enable pac pac-responder) + $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) + $(use_enable nls) + $(multilib_native_use_with netlink libnl) + $(multilib_native_use_with man manpages) + $(multilib_native_use_with sudo) + $(multilib_native_with autofs) + $(multilib_native_with ssh) + $(use_enable valgrind) + --without-python2-bindings + $(multilib_native_use_with python python3-bindings) + ) + + # Annoyingly configure requires that you pick systemd XOR sysv + if use systemd; then + myconf+=( + --with-initscript="systemd" + --with-systemdunitdir=$(systemd_get_systemunitdir) + ) + else + myconf+=(--with-initscript="sysv") + fi + + if ! multilib_is_native_abi; then + # work-around all the libraries that are used for CLI and server + myconf+=( + {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' + # ldb headers are fine since native needs it + # ldb lib fails... 
but it does not seem to bother + {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' ' + {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' ' + {NDR_NBT,SMBCLIENT,NDR_KRB5PAC}_{CFLAGS,LIBS}=' ' + + # use native include path for dbus (needed for build) + DBUS_CFLAGS="${native_dbus_cflags}" + + # non-pkgconfig checks + ac_cv_lib_ldap_ldap_search=yes + --without-secrets + --without-kcm + ) + fi + + econf "${myconf[@]}" +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + use doc && emake docs + if use man || use nls; then + emake update-po + fi + else + emake libnss_sss.la pam_sss.la + use locator && emake sssd_krb5_locator_plugin.la + use pac && emake sssd_pac_plugin.la + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + if use python; then + python_optimize + python_fix_shebang "${ED}" + fi + + else + # easier than playing with automake... + dopammod .libs/pam_sss.so + + into / + dolib.so .libs/libnss_sss.so* + + if use locator; then + exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 + doexe .libs/sssd_krb5_locator_plugin.so + fi + + if use pac; then + exeinto /usr/$(get_libdir)/krb5/plugins/authdata + doexe .libs/sssd_pac_plugin.so + fi + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + + insinto /etc/sssd + insopts -m600 + doins "${S}"/src/examples/sssd-example.conf + + insinto /etc/logrotate.d + insopts -m644 + newins "${S}"/src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd + + # strip empty dirs + if ! 
use doc ; then + rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die + rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap,sss_simpleifp}_doc || die + fi + + rm -r "${ED}"/run || die +} + +multilib_src_test() { + multilib_is_native_abi && emake check +} + +pkg_postinst() { + elog "You must set up sssd.conf (default installed into /etc/sssd)" + elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" + elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html" +} From 65cab2738cfb06a0e59984d21ec0b85b466e9c9f Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:01 +0100 Subject: [PATCH 05/10] sys-auth/sssd: Apply Flatcar patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apply Flatcar-specific changes. Original-by: Kai Lüke https://github.com/flatcar-linux/coreos-overlay/commit/59e7f7f6ed1b --- .../sys-auth/sssd/files/sssd.service | 9 +--- .../sys-auth/sssd/files/tmpfiles.d/sssd.conf | 13 +++++ .../sys-auth/sssd/sssd-2.3.1-r2.ebuild | 49 ++++++++++--------- 3 files changed, 42 insertions(+), 29 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service index 1821089a60..a6afb4682c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service 
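Review bot: `"${_at_args[@]}"` in `multilib_src_install` refers to an array that is never assigned anywhere in this ebuild, so it expands to nothing and the install line is effectively `emake -j1 DESTDIR="${D}" install`. The leftover is almost certainly inherited from the upstream Gentoo ebuild being synced here, but an undefined array sitting in the install command invites later edits to assume it carries something, so either drop it or give it an explicit, commented assignment near the top of `multilib_src_install`, e.g. `local _at_args=()  # extra make overrides for the native install`.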
@@ -1,15 +1,10 @@ [Unit] Description=System Security Services Daemon -# SSSD will not be started until syslog is -After=syslog.target +After=nscd.service [Service] -ExecStart=/usr/sbin/sssd -D -f -# These two should be used with traditional UNIX forking daemons -# consult systemd.service(5) for more details -Type=forking +ExecStart=/usr/sbin/sssd -i PIDFile=/run/sssd.pid [Install] WantedBy=multi-user.target - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf new file mode 100644 index 0000000000..f8074a4332 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf @@ -0,0 +1,13 @@ +d /etc/sssd 0700 root root - - +C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf +d /var/lib/sss - root root - - +d /var/lib/sss/deskprofile 0755 root root - - +d /var/lib/sss/db 0700 root root - - +d /var/lib/sss/gpo_cache 0755 root root - - +d /var/lib/sss/keytabs 0700 root root - - +d /var/lib/sss/mc 0700 root root - - +d /var/lib/sss/pipes - root root - - +d /var/lib/sss/pipes/private 0700 root root - - +d /var/lib/sss/pubconf 0700 root root - - +d /var/lib/sss/pubconf/krb5.include.d 0700 root root - - +d /var/lib/sss/secrets 0755 root root - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild index c5c20e6794..56e908a8fa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild @@ -1,3 +1,8 @@ +# Flatcar modifications: +# - changed files/sssd.service +# - added files/tmpfiles.d/sssd.conf +# - other ebuild modifications marked below +# # Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 
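Review bot: With `Type=forking` removed and no replacement, the unit falls back to `Type=simple`, so systemd marks sssd as started the moment `/usr/sbin/sssd -i` is exec'd, before its responders are listening; anything ordered after `sssd.service` (PAM logins, user sessions, NSS-dependent services) can race it, and the retained `PIDFile=/run/sssd.pid` no longer gates readiness. As far as I recall, upstream's unit for a `--with-initscript=systemd` build (which the ebuild selects under USE=systemd) uses `Type=notify` plus `NotifyAccess=main`, and orders itself with `Before=systemd-user-sessions.service nss-user-lookup.target` / `Wants=nss-user-lookup.target`. I would add `Type=notify` and `NotifyAccess=main` under `[Service]` and those two ordering lines under `[Unit]`, keeping `After=nscd.service`; if the build really lacks sd_notify support, then at minimum document that readiness is not signalled.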
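Review bot: The directory modes in the new tmpfiles.d entries look inverted relative to how the directories are consumed: `/var/lib/sss/secrets` is created `0755` while the other private-state siblings (`db`, `keytabs`, `mc`, `pipes/private`) are `0700`, yet `mc`, `pubconf` and `pubconf/krb5.include.d` are `0700` even though, as I understand upstream's layout, they are read by unprivileged processes (libnss_sss maps the memory-cache files under `mc`; the krb5 locator plugin and any `includedir` in krb5.conf read `pubconf`). With `0700` those readers silently lose the fast cache, and an unreadable `includedir` makes krb5 initialisation fail for non-root users. I would tighten the first and relax the others: `d /var/lib/sss/secrets 0700 root root - -`, `d /var/lib/sss/mc 0755 root root - -`, `d /var/lib/sss/pubconf 0755 root root - -` (and the same for `krb5.include.d`); note the upstream ebuild's `keepdir` calls this replaces created all of them with the default 0755, so every `0700` entry here is a behavioural change worth checking against upstream's install rules.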
@@ -10,7 +15,8 @@ inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam DESCRIPTION="System Security Services Daemon provides access to identity and authentication" HOMEPAGE="https://github.com/SSSD/sssd" SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" -KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" +# Flatcar: stabilize arm64 +KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" LICENSE="GPL-3" SLOT="0" @@ -20,6 +26,8 @@ RESTRICT="!test? ( test )" REQUIRED_USE="pac? ( samba ) python? ( ${PYTHON_REQUIRED_USE} )" +# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9 +# do not force winbind for net-fs/samba DEPEND=" >=app-crypt/mit-krb5-1.10.3 app-crypt/p11-kit @@ -29,7 +37,7 @@ DEPEND=" >=dev-libs/libpcre-8.30:= >=dev-libs/popt-1.16 >=dev-libs/openssl-1.0.2:0= - >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/bind-tools-9.9 >=net-dns/c-ares-1.7.4 >=net-nds/openldap-2.4.30[sasl] >=sys-apps/dbus-1.6 @@ -53,7 +61,7 @@ DEPEND=" net-fs/samba ) python? ( ${PYTHON_DEPS} ) - samba? ( >=net-fs/samba-4.10.2[winbind] ) + samba? ( >=net-fs/samba-4.10.2 ) selinux? ( >=sys-libs/libselinux-2.1.9 >=sys-libs/libsemanage-2.1 @@ -69,8 +77,9 @@ RDEPEND="${DEPEND} >=sys-libs/glibc-2.17[nscd] selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) " +# Flatcar: require only autoconf:2.69 BDEPEND="${DEPEND} - >=sys-devel/autoconf-2.69-r5 + sys-devel/autoconf:2.69 doc? ( app-doc/doxygen ) test? ( dev-libs/check @@ -149,6 +158,12 @@ multilib_src_configure() { --with-nscd="${EPREFIX}"/usr/sbin/nscd --with-unicode-lib="glib2" --disable-rpath + # Flatcar: make nss lookups succeed when not running + --enable-sss-default-nss-plugin + # Flatcar: prevent cross-compilation error + # when autotools does not want to compile and run the test + $(use_with samba smb-idmap-interface-version=6) + # --sbindir=/usr/sbin --with-crypto="libcrypto" --enable-local-provider 
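Review bot: Dropping `[gssapi]` from the `net-dns/bind-tools` dependency removes the only guarantee that the target's `nsupdate` can do GSS-TSIG, but it does not remove sssd's runtime need for it: as far as I recall, the dynamic DNS update code drives nsupdate with `realm`/GSS-TSIG whenever `dyndns_auth = gss-tsig`, which is the default for the AD and IPA providers, so on a non-gssapi nsupdate those updates fail at runtime instead of at build time (the configure check that a later commit in this series patches out is what used to catch this). If the use-dep cannot be kept, the limitation should at least be recorded where the dependency is weakened, e.g. `# Flatcar: bind-tools is built without gssapi, so dyndns_update with GS-TSIG auth (the AD/IPA default) does not work; deployments need dyndns_update = false or dyndns_auth = none`, and ideally surfaced via `ewarn` in `pkg_postinst`.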
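Review bot: `$(use_with samba smb-idmap-interface-version=6)` passes `smb-idmap-interface-version=6` as the option *name*, so with USE=-samba the helper emits `--without-smb-idmap-interface-version=6`, which autoconf rejects outright as an invalid package name because of the `=`. The profile enables `samba` for sssd, so the failure is not hit today, but the intended spelling is `$(use_with samba smb-idmap-interface-version 6)`, which yields `--with-smb-idmap-interface-version=6` or `--without-smb-idmap-interface-version`. Whether sssd's configure accepts the `--without` form at all is worth checking; if it does not, the upstream ebuild's unconditional `--with-smb-idmap-interface-version=6` may be the simpler fix for the cross-compilation problem the comment describes.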
@@ -222,7 +237,8 @@ multilib_src_compile() { multilib_src_install() { if multilib_is_native_abi; then - emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + # Flatcar: add sysconfdir + emake -j1 DESTDIR="${D}" sysconfdir="/usr/share" "${_at_args[@]}" install if use python; then python_optimize python_fix_shebang "${ED}" @@ -251,26 +267,15 @@ multilib_src_install_all() { einstalldocs find "${ED}" -type f -name '*.la' -delete || die - insinto /etc/sssd - insopts -m600 + # Flatcar: store on /usr + insinto /usr/share/sssd doins "${S}"/src/examples/sssd-example.conf - insinto /etc/logrotate.d - insopts -m644 - newins "${S}"/src/examples/logrotate sssd - - newconfd "${FILESDIR}"/sssd.conf sssd - - keepdir /var/lib/sss/db - keepdir /var/lib/sss/deskprofile - keepdir /var/lib/sss/gpo_cache - keepdir /var/lib/sss/keytabs - keepdir /var/lib/sss/mc - keepdir /var/lib/sss/pipes/private - keepdir /var/lib/sss/pubconf/krb5.include.d - keepdir /var/lib/sss/secrets - keepdir /var/log/sssd + # Flatcar: delete, remove /var files taken care of by tmpfiles + # Flatcar: add tmpfile directive and remove /etc/rc.d + systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/sssd.conf" + rm -rf "${D}/etc/rc.d" # strip empty dirs if ! use doc ; then rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die From 7dbd4ac6341291c45ffe92b835ea70a5133b82fe Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:04 +0100 Subject: [PATCH 06/10] sys-auth/sssd: make BDEPEND independent of DEPEND The `BDEPEND` is a build-time requirement, so it should not be included in the whole `DEPEND` list. If it does, an installation of `sys-auth/sssd` causes other dependencies to be installed not only in the `/build`, but also under the SDK. That's not what we want, so we need to exclude `BDEPEND` from the list. --- .../coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
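Review bot: Overriding `sysconfdir="/usr/share"` only at `make install` time means the paths compiled into the binaries at configure time (`/etc/sssd` and friends) and the locations files are installed to now diverge. That is harmless for the example config, which the tmpfiles.d entry copies into `/etc/sssd` at boot, but, as far as I can tell, anything else upstream installs relative to `$(sysconfdir)` (the `sssd/conf.d` directory, the `pam.d/sssd-shadowutils` stack, and possibly the D-Bus policy for the infopipe responder) lands under `/usr/share` as well and may not be found by PAM or dbus-daemon. I would either verify each of those consumers on a built image or install the ones that matter explicitly, and document the intent above the line, e.g. `# Flatcar: install config skeletons under /usr/share; /etc is populated from tmpfiles.d at boot`.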
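Review bot: `rm -rf "${D}/etc/rc.d"` is almost certainly a no-op now: with `sysconfdir` redirected to `/usr/share` in the same ebuild, any sysv scripts upstream installs under `$(sysconfdir)/rc.d` would end up in `${D}/usr/share/rc.d`, and with `--with-initscript="systemd"` selected under USE=systemd none are installed at all. If the removal is still wanted for the sysv case, point it at the real location and use `${ED}` like the rest of the function, `rm -rf "${ED}"/usr/share/rc.d`; otherwise drop the line and the comment that refers to it.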
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild index 56e908a8fa..68e6012f17 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild @@ -78,7 +78,7 @@ RDEPEND="${DEPEND} selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) " # Flatcar: require only autoconf:2.69 -BDEPEND="${DEPEND} +BDEPEND=" sys-devel/autoconf:2.69 doc? ( app-doc/doxygen ) test? ( From 58ccfd52081defd4b6b7fe91f3f698c6c0d11ef3 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:06 +0100 Subject: [PATCH 07/10] sys-auth/sssd: move runstatedir option from configure to make Now that the upstream sssd 2.3.1 does not support `--runstatedir` option from its configure script, we need to remove the option, to unblock the configure issue like `unrecognized option --runstatedir`. Instead we need to pass `runstatedir=` to emake commands. --- .../coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild index 68e6012f17..02d632db61 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild @@ -142,7 +142,6 @@ multilib_src_configure() { myconf+=( --localstatedir="${EPREFIX}"/var - --runstatedir="${EPREFIX}"/run --with-pid-path="${EPREFIX}"/run --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) 
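Review bot: After `${DEPEND}` is removed, nothing in `BDEPEND` provides `pkg-config`, yet `src_configure` runs `$(tc-getPKG_CONFIG) --cflags dbus-1` and the configure script relies on pkg-config checks for most of its libraries; the build currently succeeds only because the SDK happens to have it installed. The same applies to the tools the `man`/`nls` paths run on the build host (`msgfmt` for `update-po`, `xsltproc` for the manpages). I would add `virtual/pkgconfig` to the new `BDEPEND` and move the tool-only entries (`nls? ( sys-devel/gettext )`, the `man?` block) there explicitly, so the separation from `DEPEND` that this commit introduces is actually complete.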
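Review bot: The `unrecognized option --runstatedir` error this removes is, as far as I recall, a consequence of the autoconf change made earlier in this series: Gentoo's `>=sys-devel/autoconf-2.69-r5` requirement in the upstream ebuild exists precisely because -r5 backports `--runstatedir` to the 2.69 series, and relaxing it to `sys-devel/autoconf:2.69` allows an older revision that does not know the option. If that is the cause, keeping the configure option and restoring the -r5 lower bound is the smaller change; if the pin must stay, a comment here should say why, e.g. `# Flatcar: autoconf:2.69 (pre -r5) lacks --runstatedir; passed to make instead`, so nobody reintroduces the flag later.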
@@ -223,7 +222,8 @@ multilib_src_configure() { multilib_src_compile() { if multilib_is_native_abi; then - default + # Flatcar: add runstatedir to make commands to avoid configure error + default runstatedir="${EPREFIX}"/run use doc && emake docs if use man || use nls; then emake update-po @@ -237,8 +237,9 @@ multilib_src_compile() { multilib_src_install() { if multilib_is_native_abi; then - # Flatcar: add sysconfdir - emake -j1 DESTDIR="${D}" sysconfdir="/usr/share" "${_at_args[@]}" install + # Flatcar: add runstatedir, sysconfdir + emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \ + sysconfdir="/usr/share" "${_at_args[@]}" install if use python; then python_optimize python_fix_shebang "${ED}" From 9b3d0ae4f2b3ea5d2b6c41a8ff4058e0df92158c Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:09 +0100 Subject: [PATCH 08/10] sys-auth/sssd: disable realm check for nsupdate At the moment bind-tools does not enable `gssapi`, so its `nsupdate` tool is also not able to run `realm` command. As a result, configure script of `sssd` fails when running `echo realm | nsupdate`, like `syntax error`. To avoid such issues, we need to disable the nsupdate check for now. After we could enable `gssapi` for the SDK correctly, we can bring back the nsupdate check in the future. --- .../sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch | 10 ++++++++++ .../coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild | 1 + 2 files changed, 11 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch new file mode 100644 index 0000000000..7d80dc8415 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch 
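Review bot: `default runstatedir="${EPREFIX}"/run` most likely does not do what the comment says: as far as I can tell from Portage's phase helpers, `default` in `src_compile` dispatches to the EAPI default implementation, which calls `emake` without forwarding arguments, so the override is silently dropped at compile time and only the `emake ... install` invocation in the second hunk actually receives it. If compile-time use of `$(runstatedir)` matters, call make directly, `emake runstatedir="${EPREFIX}"/run`, which also makes the two hunks consistent; if it does not matter, the compile-side change and its comment should go rather than suggest an effect they do not have.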
@@ -0,0 +1,10 @@ +--- a/src/external/nsupdate.m4 2020-11-05 16:27:14.661566136 +0100 ++++ b/src/external/nsupdate.m4 2020-11-05 16:27:30.060674381 +0100 +@@ -9,7 +9,6 @@ + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate does not support 'realm']) + fi + + else diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild index 02d632db61..00c8fa484c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild @@ -113,6 +113,7 @@ MULTILIB_WRAPPED_HEADERS=( PATCHES=( "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch + "${FILESDIR}"/${P}-disable-nsupdate-realm.patch ) pkg_setup() { From 698e9e2a9f32b738c6579e759b7e68a43d516999 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:11 +0100 Subject: [PATCH 09/10] profiles: make net-mail/mailbase provided Although `dev-libs/cyrus-sasl` pulls in `net-mail/mailbase`, the mailbase package is not needed at all. Simply mark it as provided, to make it build without mailbase. Also enable python_single_target_python3_6 for tdb, talloc, tevent. Remove unnecessary arm64 keywords. Clean up unnecessary USE flags. --- .../profiles/coreos/arm64/package.accept_keywords | 2 -- .../profiles/coreos/base/package.accept_keywords | 3 --- .../coreos-overlay/profiles/coreos/base/package.provided | 3 +++ .../coreos-overlay/profiles/coreos/base/package.use | 5 ++++- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords index b6060b1d83..3e8b46617b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords 
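Review bot: Deleting the `AC_MSG_ERROR` turns a hard build failure into a silently degraded build, and it does so for the wrong reason: the check probes whichever `nsupdate` is on the build host (the SDK's, as the commit message says), which tells you nothing about the target's `bind-tools`, so the test is meaningless under cross-compilation either way. The runtime requirement is unchanged, though: sssd emits `realm` to nsupdate for GSS-TSIG dynamic updates, so a target without gssapi-enabled bind-tools fails those updates at run time. I would keep a trace in the build log by replacing the removed line with `AC_MSG_WARN([nsupdate does not support 'realm'; GSS-TSIG dynamic DNS updates will not work])`, and add a short header to the patch file stating that it is a cross-compile workaround and that the runtime dependency still applies.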
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords @@ -66,8 +66,6 @@ =sys-fs/quota-4.04-r1 ~arm64 =sys-libs/binutils-libs-2.29.1-r1 ~arm64 =sys-libs/libcap-ng-0.7.8 ~arm64 -=sys-libs/tdb-1.3.8 ~arm64 -=sys-libs/tevent-0.9.28 ~arm64 =virtual/krb5-0-r1 ~arm64 =virtual/libudev-232 ~arm64 =virtual/libusb-1-r2 ~arm64 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 6d3923b1d2..33f05607b8 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -20,9 +20,6 @@ dev-python/boto # no version marked stable upstream dev-util/checkbashisms -# Older versions of sssd fail to build -=sys-auth/sssd-1.13.1 ~amd64 ~arm64 - # jq 1.5-r2 for heap overflow fix # https://bugs.gentoo.org/show_bug.cgi?id=580606 # jq 1.6-r3 for CVE-2015-8863 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided index b537b2d65f..66239364b5 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided @@ -1,2 +1,5 @@ # Skip MTA dependencies. virtual/mta-1 + +# pulled in by dev-libs/cyrus-sasl +net-mail/mailbase-1.1 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 4633182c40..3decf29cb5 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use 
@@ -29,6 +29,9 @@ sys-apps/portage -python_targets_python3_6 dev-util/gdbus-codegen python_single_target_python3_6 dev-util/glib-utils python_single_target_python3_6 net-fs/samba python_single_target_python3_6 +sys-libs/talloc python_single_target_python3_6 +sys-libs/tdb python_single_target_python3_6 +sys-libs/tevent python_single_target_python3_6 sys-apps/gptfdisk -icu @@ -74,7 +77,7 @@ sys-libs/glibc nscd dev-libs/cyrus-sasl kerberos -berkdb -gdbm # don't build manpages for sssd -sys-auth/sssd -manpages -python samba kerberos gssapi ssh sudo +sys-auth/sssd -python samba kerberos gssapi ssh sudo # needed for realmd build sys-auth/polkit introspection From f24e7e43e893ddc4cc0ff712f0080fc09282cf59 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 6 Nov 2020 13:52:14 +0100 Subject: [PATCH 10/10] profiles: unmask gnutls from the masked packages Now that `net-libs/gnutls` needs to be included in the images, we also need to unmask gnutls from the generic target of profiles. --- .../profiles/coreos/targets/generic/prod/package.mask | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask index b01f1b0e92..7f198c44e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask @@ -7,9 +7,6 @@ dev-lang/perl dev-lang/python dev-lang/ruby -# Since all SSL/TLS implementations are bad we minimize the number we ship. -net-libs/gnutls - # We do not configure/install grub like other distros so shipping the user # space tools would have limited utility. sys-boot/grub
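Review bot: The comment above the sssd line still says `# don't build manpages for sssd`, but the new line drops `-manpages` without adding the replacement flag: the 2.3.1 ebuild's IUSE spells it `+man` (enabled by default), so this change starts building the man pages and pulls `docbook-xml-dtd`/`libxslt` into the build. `kerberos`, `gssapi` and `ssh` are not in that IUSE either, so they are no-ops here. I would make the line match the comment and the ebuild: `sys-auth/sssd -man -python samba sudo`.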
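Review bot: Removing the mask discards the only recorded rationale for not shipping a second TLS implementation, without recording why gnutls is now required; the commit message says only that it "needs to be included". Presumably the consumer is the samba 4.11 update earlier in this series, and since gnutls in the prod image is new attack surface that must now be tracked for advisories, I would keep that knowledge in the file, e.g. leave the comment and add `# net-libs/gnutls is shipped only because net-fs/samba >=4.11 links against it; re-mask if that dependency goes away`, and confirm nothing else in the image starts linking gnutls unnoticed now that it is available.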