From 990b2749a3f6150da17e65ae84027503103407df Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 6 Dec 2022 13:38:15 +0100
Subject: [PATCH 01/15] coreos/config: Update description for app-crypt/mit-krb5 overrides

---
 .../coreos-overlay/coreos/config/env/app-crypt/mit-krb5 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-crypt/mit-krb5 b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-crypt/mit-krb5
index 18e79e42f3..abb586975c 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-crypt/mit-krb5
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-crypt/mit-krb5
@@ -1,4 +1,10 @@
-# work around configure test that cannot be cross compiled :(
+# Work around configure test that cannot be cross compiled :(
+#
+# When checking if this is still applicable, try grepping the
+# configure script for lines with "$cross_compiling", like
+#
+# grep -B 20 -F 'when cross compiling' configure
+
 export krb5_cv_attr_constructor_destructor=yes,yes
 export ac_cv_func_regcomp=yes
 export ac_cv_printf_positional=yes

From 33d5bace3fd7add850a1c84c78918db41cd55768 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 6 Dec 2022 14:23:35 +0100
Subject: [PATCH 02/15] profiles: Do not pull in pip stuff from dev-lang/python

---
 .../coreos-overlay/profiles/coreos/base/package.use.mask | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask
index e96fa19be4..6d9a8d9d1c 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask
@@ -23,3 +23,6 @@ app-editors/nano unicode # libxcrypt -> glibc -> python), and also we need to update gcc to # version 10 or later. sys-libs/glibc -crypt + +# We don't use pip. +dev-lang/python ensurepip From f76441eaeb5eafdbb85aecda7e1ac26bb2263fe3 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 6 Dec 2022 14:27:55 +0100 Subject: [PATCH 03/15] dev-lang/python-oem: Update dependency The `virtual/awk` package is replaced with `app-alternatives/awk`, so reflect that in the ebuild. --- .../coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild index 0cdb068420..2e4a1df3ff 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild @@ -43,7 +43,7 @@ DEPEND=" virtual/libintl " BDEPEND=" - virtual/awk + app-alternatives/awk virtual/pkgconfig sys-devel/autoconf-archive verify-sig? ( sec-keys/openpgp-keys-python ) From 4dc2f9a83d9b7b1e288053a2766c2dea293b55cb Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 6 Dec 2022 14:31:49 +0100 Subject: [PATCH 04/15] dev-lang/python-oem: Reset to vanilla ebuild --- .../python-oem/python-oem-3.9.12.ebuild | 271 +++++++++++++++--- 1 file changed, 230 insertions(+), 41 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild index 2e4a1df3ff..110efb768a 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild 
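Review bot: The new mask line `dev-lang/python ensurepip` is explained only by `# We don't use pip.`, which says what is unused but not what masking the flag changes for the image, so a later maintainer cannot tell whether dropping the mask is harmless. I believe the flag is what makes the interpreter ship the pip/setuptools wheels that `ensurepip` bootstraps from, i.e. a second copy of pip that would need its own security tracking; confirm against the dev-lang/python ebuild in the overlay before wording it that way. Suggest `# We don't use pip; masking ensurepip also keeps the bundled pip/setuptools wheels out of the image.`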
@@ -4,7 +4,7 @@ EAPI="7" WANT_LIBTOOL="none" -inherit autotools check-reqs flag-o-matic multiprocessing \ +inherit autotools check-reqs flag-o-matic multiprocessing pax-utils \ python-utils-r1 toolchain-funcs verify-sig MY_PV=${PV/_rc/rc} @@ -26,29 +26,52 @@ S="${WORKDIR}/${MY_P}" LICENSE="PSF-2" SLOT="${PYVER}" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc ~x86" -IUSE="hardened" +IUSE="bluetooth build examples gdbm hardened lto +ncurses pgo +readline +sqlite +ssl test tk wininst +xml" +RESTRICT="!test? ( test )" # Do not add a dependency on dev-lang/python to this ebuild. # If you need to apply a patch which requires python for bootstrapping, please # run the bootstrap code on your dev box and include the results in the # patchset. See bug 447752. -DEPEND=" +RDEPEND=" app-arch/bzip2:= app-arch/xz-utils:= dev-lang/python-exec[python_targets_python3_9(-)] + dev-libs/libffi:= sys-apps/util-linux:= >=sys-libs/zlib-1.1.3:= virtual/libcrypt:= virtual/libintl + gdbm? ( sys-libs/gdbm:=[berkdb] ) + ncurses? ( >=sys-libs/ncurses-5.2:= ) + readline? ( >=sys-libs/readline-4.1:= ) + sqlite? ( >=dev-db/sqlite-3.3.8:3= ) + ssl? ( >=dev-libs/openssl-1.1.1:= ) + tk? ( + >=dev-lang/tcl-8.0:= + >=dev-lang/tk-8.0:= + dev-tcltk/blt:= + dev-tcltk/tix + ) + xml? ( >=dev-libs/expat-2.1:= ) +" +# bluetooth requires headers from bluez +DEPEND=" + ${RDEPEND} + bluetooth? ( net-wireless/bluez ) + test? ( app-arch/xz-utils[extra-filters(+)] ) " BDEPEND=" - app-alternatives/awk + virtual/awk virtual/pkgconfig sys-devel/autoconf-archive verify-sig? ( sec-keys/openpgp-keys-python ) !sys-devel/gcc[libffi(-)] " +RDEPEND+=" + !build? ( app-misc/mime-types ) +" VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc 
@@ -57,6 +80,14 @@ CHECKREQS_DISK_BUILD=5500M QA_PKGCONFIG_VERSION=${PYVER} +pkg_pretend() { + use test && check-reqs_pkg_pretend +} + +pkg_setup() { + use test && check-reqs_pkg_setup +} + src_unpack() { if use verify-sig; then verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc} @@ -65,7 +96,9 @@ src_unpack() { } src_prepare() { - # Ensure that internal copies of zlib are not used. + # Ensure that internal copies of expat, libffi and zlib are not used. + rm -fr Modules/expat || die + rm -fr Modules/_ctypes/libffi* || die rm -fr Modules/zlib || die local PATCHES=( @@ -89,15 +122,22 @@ src_prepare() { src_configure() { local disable # disable automagic bluetooth headers detection - export ac_cv_header_bluetooth_bluetooth_h=no - disable+=" gdbm" - disable+=" _curses _curses_panel" - disable+=" readline" - disable+=" _sqlite3" - export PYTHON_DISABLE_SSL="1" - disable+=" _tkinter" + use bluetooth || export ac_cv_header_bluetooth_bluetooth_h=no + use gdbm || disable+=" gdbm" + use ncurses || disable+=" _curses _curses_panel" + use readline || disable+=" readline" + use sqlite || disable+=" _sqlite3" + use ssl || export PYTHON_DISABLE_SSL="1" + use tk || disable+=" _tkinter" + use xml || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat. export PYTHON_DISABLE_MODULES="${disable}" + if ! use xml; then + ewarn "You have configured Python without XML support." + ewarn "This is NOT a recommended configuration as you" + ewarn "may face problems parsing any XML documents." + fi + if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}" fi 
@@ -119,16 +159,31 @@ src_configure() { append-cflags $(test-flags-CC -ffat-lto-objects) fi - if tc-is-cross-compiler; then - # Force some tests that try to poke fs paths. - export ac_cv_file__dev_ptc=no - export ac_cv_file__dev_ptmx=yes - fi - # Export CXX so it ends up in /usr/lib/python3.X/config/Makefile. tc-export CXX + # Fix implicit declarations on cross and prefix builds. Bug #674070. + use ncurses && append-cppflags -I"${ESYSROOT}"/usr/include/ncursesw + local dbmliborder + if use gdbm; then + dbmliborder+="${dbmliborder:+:}gdbm" + fi + + if use pgo; then + local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") + export PROFILE_TASK="-m test -j${jobs} --pgo-extended -x test_gdb -u-network" + + # All of these seem to occasionally hang for PGO inconsistently + # They'll even hang here but be fine in src_test sometimes. + # bug #828535 (and related: bug #788022) + PROFILE_TASK+=" -x test_socket -x test_asyncio -x test_httpservers -x test_logging -x test_multiprocessing_fork -x test_xmlrpc" + + if has_version "app-arch/rpm" ; then + # Avoid sandbox failure (attempts to write to /var/lib/rpm) + PROFILE_TASK+=" -x test_distutils" + fi + fi local myeconfargs=( # glibc-2.30 removes it; since we can't cleanly force-rebuild @@ -136,22 +191,20 @@ src_configure() { # a chance for users rebuilding python before glibc ac_cv_header_stropts_h=no - --prefix=/usr/share/oem/python - --with-platlibdir=$(get_libdir) - --disable-shared + --enable-shared --enable-ipv6 - --infodir='/discard/info' - --mandir='/discard/man' - --includedir='/discard/include' + --infodir='${prefix}/share/info' + --mandir='${prefix}/share/man' --with-computed-gotos --with-dbmliborder="${dbmliborder}" --with-libc= --enable-loadable-sqlite-extensions --without-ensurepip - --without-system-expat - --without-system-ffi - --without-lto - --disable-optimizations + --with-system-expat + --with-system-ffi + + $(use_with lto) + $(use_enable pgo optimizations) ) # disable implicit optimization/debugging flags 
@@ -184,33 +237,169 @@ src_compile() { # bug #831897 local -x _PYTHONDONTWRITEBYTECODE=${PYTHONDONTWRITEBYTECODE} + if use pgo ; then + # bug 660358 + local -x COLUMNS=80 + local -x PYTHONDONTWRITEBYTECODE= + + addpredict /usr/lib/python3.9/site-packages + fi + # also need to clear the flags explicitly here or they end up # in _sysconfigdata* emake CPPFLAGS= CFLAGS= LDFLAGS= # Restore saved value from above. local -x PYTHONDONTWRITEBYTECODE=${_PYTHONDONTWRITEBYTECODE} + + # Work around bug 329499. See also bug 413751 and 457194. + if has_version dev-libs/libffi[pax-kernel]; then + pax-mark E python + else + pax-mark m python + fi +} + +src_test() { + # Tests will not work when cross compiling. + if tc-is-cross-compiler; then + elog "Disabling tests due to crosscompiling." + return + fi + + # Skip failing tests. + local skipped_tests="gdb" + + if use sparc ; then + # bug #788022 + skipped_tests+=" multiprocessing_fork" + skipped_tests+=" multiprocessing_forkserver" + fi + + for test in ${skipped_tests}; do + mv "${S}"/Lib/test/test_${test}.py "${T}" + done + + # bug 660358 + local -x COLUMNS=80 + local -x PYTHONDONTWRITEBYTECODE= + + local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") + + emake test EXTRATESTOPTS="-u-network -j${jobs}" \ + CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty + local result=$? + + for test in ${skipped_tests}; do + mv "${T}/test_${test}.py" "${S}"/Lib/test + done + + elog "The following tests have been skipped:" + for test in ${skipped_tests}; do + elog "test_${test}.py" + done + + elog "If you would like to run them, you may:" + elog "cd '${EPREFIX}/usr/lib/python${PYVER}/test'" + elog "and run the tests separately." 
+ + if [[ ${result} -ne 0 ]]; then + die "emake test failed" + fi } src_install() { - local prefix=/usr/share/oem/python - local eprefix="${ED}${prefix}" - local elibdir="${eprefix}/$(get_libdir)" - local epythonplatlibdir="${elibdir}/python${PYVER}" - local bindir="${prefix}/bin" - local ebindir="${eprefix}/bin" + local libdir=${ED}/usr/lib/python${PYVER} emake DESTDIR="${D}" altinstall # Remove static library - rm "${elibdir}"/libpython*.a || die + rm "${ED}"/usr/$(get_libdir)/libpython*.a || die - rm -r "${epythonplatlibdir}/"{sqlite3,test/test_sqlite*} || die - rm -r "${ebindir}/idle${PYVER}" "${epythonplatlibdir}/"{idlelib,tkinter,test/test_tk*} || die + # Fix collisions between different slots of Python. + rm "${ED}/usr/$(get_libdir)/libpython3.so" || die - # create a simple versionless 'python' symlink - dosym "python${PYVER}" "${bindir}/python" - dosym "python${PYVER}" "${bindir}/python3" + # Cheap hack to get version with ABIFLAGS + local abiver=$(cd "${ED}/usr/include"; echo python*) + if [[ ${abiver} != python${PYVER} ]]; then + # Replace python3.X with a symlink to python3.Xm + rm "${ED}/usr/bin/python${PYVER}" || die + dosym "${abiver}" "/usr/bin/python${PYVER}" + # Create python3.X-config symlink + dosym "${abiver}-config" "/usr/bin/python${PYVER}-config" + # Create python-3.5m.pc symlink + dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc" + fi - rm -r "${ED}/discard" || die + # python seems to get rebuilt in src_install (bug 569908) + # Work around it for now. 
+ if has_version dev-libs/libffi[pax-kernel]; then + pax-mark E "${ED}/usr/bin/${abiver}" + else + pax-mark m "${ED}/usr/bin/${abiver}" + fi + + use sqlite || rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die + use tk || rm -r "${ED}/usr/bin/idle${PYVER}" "${libdir}/"{idlelib,tkinter,test/test_tk*} || die + + dodoc Misc/{ACKS,HISTORY,NEWS} + + if use examples; then + docinto examples + find Tools -name __pycache__ -exec rm -fr {} + || die + dodoc -r Tools + fi + insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510 + local libname=$(printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | \ + emake --no-print-directory -s -f - 2>/dev/null) + newins "${S}"/Tools/gdb/libpython.py "${libname}"-gdb.py + + newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} + newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} + sed \ + -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ + -e "s:@PYDOC@:pydoc${PYVER}:" \ + -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ + "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" + + local -x EPYTHON=python${PYVER} + # if not using a cross-compiler, use the fresh binary + if ! 
tc-is-cross-compiler; then + local -x PYTHON=./python + local -x LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${PWD} + else + local -x PYTHON=${EPREFIX}/usr/bin/${EPYTHON} + fi + + echo "EPYTHON='${EPYTHON}'" > epython.py || die + python_domodule epython.py + + # python-exec wrapping support + local pymajor=${PYVER%.*} + local scriptdir=${D}$(python_get_scriptdir) + mkdir -p "${scriptdir}" || die + # python and pythonX + ln -s "../../../bin/${abiver}" \ + "${scriptdir}/python${pymajor}" || die + ln -s "python${pymajor}" "${scriptdir}/python" || die + # python-config and pythonX-config + # note: we need to create a wrapper rather than symlinking it due + # to some random dirname(argv[0]) magic performed by python-config + cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die + #!/bin/sh + exec "${abiver}-config" "\${@}" + EOF + chmod +x "${scriptdir}/python${pymajor}-config" || die + ln -s "python${pymajor}-config" \ + "${scriptdir}/python-config" || die + # 2to3, pydoc + ln -s "../../../bin/2to3-${PYVER}" \ + "${scriptdir}/2to3" || die + ln -s "../../../bin/pydoc${PYVER}" \ + "${scriptdir}/pydoc" || die + # idle + if use tk; then + ln -s "../../../bin/idle${PYVER}" \ + "${scriptdir}/idle" || die + fi } From a4326957dfcfbdc9d33ce7c30838593dc799bb80 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 30 Nov 2021 17:06:15 +0100 Subject: [PATCH 05/15] dev-lang/python-oem: Apply Flatcar modifications --- .../dev-lang/python-oem/README.md | 3 + .../python-oem/python-oem-3.9.12.ebuild | 271 +++--------------- 2 files changed, 44 insertions(+), 230 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md index 8b27d3d896..3e2e334d9a 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/README.md 
@@ -82,3 +82,6 @@ Modifications made: - Create versionless links (python and python3) to python executable. - Remove installed stuff in `/discard`. + +- Replace the dependency on `virtual/awk` with `app-alternatives/awk`. + The former is gone in favor of the latter. diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild index 110efb768a..2e4a1df3ff 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/python-oem/python-oem-3.9.12.ebuild @@ -4,7 +4,7 @@ EAPI="7" WANT_LIBTOOL="none" -inherit autotools check-reqs flag-o-matic multiprocessing pax-utils \ +inherit autotools check-reqs flag-o-matic multiprocessing \ python-utils-r1 toolchain-funcs verify-sig MY_PV=${PV/_rc/rc} 
@@ -26,52 +26,29 @@ S="${WORKDIR}/${MY_P}" LICENSE="PSF-2" SLOT="${PYVER}" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc ~x86" -IUSE="bluetooth build examples gdbm hardened lto +ncurses pgo +readline +sqlite +ssl test tk wininst +xml" -RESTRICT="!test? ( test )" +IUSE="hardened" # Do not add a dependency on dev-lang/python to this ebuild. # If you need to apply a patch which requires python for bootstrapping, please # run the bootstrap code on your dev box and include the results in the # patchset. See bug 447752. -RDEPEND=" +DEPEND=" app-arch/bzip2:= app-arch/xz-utils:= dev-lang/python-exec[python_targets_python3_9(-)] - dev-libs/libffi:= sys-apps/util-linux:= >=sys-libs/zlib-1.1.3:= virtual/libcrypt:= virtual/libintl - gdbm? ( sys-libs/gdbm:=[berkdb] ) - ncurses? ( >=sys-libs/ncurses-5.2:= ) - readline? ( >=sys-libs/readline-4.1:= ) - sqlite? ( >=dev-db/sqlite-3.3.8:3= ) - ssl? ( >=dev-libs/openssl-1.1.1:= ) - tk? ( - >=dev-lang/tcl-8.0:= - >=dev-lang/tk-8.0:= - dev-tcltk/blt:= - dev-tcltk/tix - ) - xml? ( >=dev-libs/expat-2.1:= ) -" -# bluetooth requires headers from bluez -DEPEND=" - ${RDEPEND} - bluetooth? ( net-wireless/bluez ) - test? ( app-arch/xz-utils[extra-filters(+)] ) " BDEPEND=" - virtual/awk + app-alternatives/awk virtual/pkgconfig sys-devel/autoconf-archive verify-sig? ( sec-keys/openpgp-keys-python ) !sys-devel/gcc[libffi(-)] " -RDEPEND+=" - !build? ( app-misc/mime-types ) -" VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc @@ -80,14 +57,6 @@ CHECKREQS_DISK_BUILD=5500M QA_PKGCONFIG_VERSION=${PYVER} -pkg_pretend() { - use test && check-reqs_pkg_pretend -} - -pkg_setup() { - use test && check-reqs_pkg_setup -} - src_unpack() { if use verify-sig; then verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc} 
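Review bot: The new side of the first hunk on this line lists bzip2, xz-utils, zlib, libcrypt, libintl and python-exec only under `DEPEND="` and declares no `RDEPEND` at all; the file is `EAPI="7"` (context of the earlier `inherit` hunk), where RDEPEND no longer defaults to DEPEND, so the installed python-oem records no runtime dependency on the libraries it links against and a later libcrypt or zlib bump is not tied to it by the package manager. If that is deliberate for the OEM prefix build, say so where the reader will look, e.g. `# Flatcar: no RDEPEND on purpose: <reason>` above `DEPEND="`; otherwise keep the vanilla `RDEPEND=`/`DEPEND="${RDEPEND}"` split with the reduced list. The `!sys-devel/gcc[libffi(-)]` blocker survives in BDEPEND although the libffi dependency it guarded is gone, which is worth a word in the same comment.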
@@ -96,9 +65,7 @@ src_unpack() { } src_prepare() { - # Ensure that internal copies of expat, libffi and zlib are not used. - rm -fr Modules/expat || die - rm -fr Modules/_ctypes/libffi* || die + # Ensure that internal copies of zlib are not used. rm -fr Modules/zlib || die local PATCHES=( @@ -122,22 +89,15 @@ src_prepare() { src_configure() { local disable # disable automagic bluetooth headers detection - use bluetooth || export ac_cv_header_bluetooth_bluetooth_h=no - use gdbm || disable+=" gdbm" - use ncurses || disable+=" _curses _curses_panel" - use readline || disable+=" readline" - use sqlite || disable+=" _sqlite3" - use ssl || export PYTHON_DISABLE_SSL="1" - use tk || disable+=" _tkinter" - use xml || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat. + export ac_cv_header_bluetooth_bluetooth_h=no + disable+=" gdbm" + disable+=" _curses _curses_panel" + disable+=" readline" + disable+=" _sqlite3" + export PYTHON_DISABLE_SSL="1" + disable+=" _tkinter" export PYTHON_DISABLE_MODULES="${disable}" - if ! use xml; then - ewarn "You have configured Python without XML support." - ewarn "This is NOT a recommended configuration as you" - ewarn "may face problems parsing any XML documents." - fi - if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}" fi 
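Review bot: With `rm -fr Modules/expat` dropped from src_prepare and `--without-system-expat` passed in src_configure further down this file, the OEM interpreter now compiles CPython's bundled expat into pyexpat/_elementtree, so expat security fixes reach this package only through a CPython version bump rather than through dev-libs/expat, and neither the ebuild nor the README hunk in this patch records that. The `Modules/_ctypes/libffi*` removal that is also dropped is, I believe, only the macOS/Windows libffi copy and the `--without-system-ffi` flag is ignored on Linux, so expat is the one that matters here; worth confirming against the 3.9 configure script. Suggest `# Ensure that internal copies of zlib are not used. Flatcar: the bundled expat is kept on purpose (see --without-system-expat); its CVEs are tracked through CPython updates.` and an entry under "Modifications made" in the README.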
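Review bot: In the second hunk on this line the disable list is now unconditional (`export PYTHON_DISABLE_SSL="1"`, `disable+=" _sqlite3"` and the rest) but the only comment kept is `# disable automagic bluetooth headers detection`, which no longer describes the block. Nothing in the ebuild says that the OEM interpreter is built without the `ssl` module (and, I believe, without the OpenSSL-backed `_hashlib`, leaving `hashlib` on CPython's built-in digests; confirm against the Gentoo patch that honours PYTHON_DISABLE_SSL), so anyone pointing OEM tooling at this python gets no TLS and no OpenSSL-provided hashing, which should be stated where the decision is made. Suggest opening the block with `# Flatcar: fixed, minimal module set for the OEM python; TLS (ssl/_hashlib) is deliberately not built.` and keeping the bluetooth comment directly above its own export line. src_configure continues past the end of the hunk.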
@@ -159,31 +119,16 @@ src_configure() { append-cflags $(test-flags-CC -ffat-lto-objects) fi + if tc-is-cross-compiler; then + # Force some tests that try to poke fs paths. + export ac_cv_file__dev_ptc=no + export ac_cv_file__dev_ptmx=yes + fi + # Export CXX so it ends up in /usr/lib/python3.X/config/Makefile. tc-export CXX - # Fix implicit declarations on cross and prefix builds. Bug #674070. - use ncurses && append-cppflags -I"${ESYSROOT}"/usr/include/ncursesw - local dbmliborder - if use gdbm; then - dbmliborder+="${dbmliborder:+:}gdbm" - fi - - if use pgo; then - local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") - export PROFILE_TASK="-m test -j${jobs} --pgo-extended -x test_gdb -u-network" - - # All of these seem to occasionally hang for PGO inconsistently - # They'll even hang here but be fine in src_test sometimes. - # bug #828535 (and related: bug #788022) - PROFILE_TASK+=" -x test_socket -x test_asyncio -x test_httpservers -x test_logging -x test_multiprocessing_fork -x test_xmlrpc" - - if has_version "app-arch/rpm" ; then - # Avoid sandbox failure (attempts to write to /var/lib/rpm) - PROFILE_TASK+=" -x test_distutils" - fi - fi local myeconfargs=( # glibc-2.30 removes it; since we can't cleanly force-rebuild @@ -191,20 +136,22 @@ src_configure() { # a chance for users rebuilding python before glibc ac_cv_header_stropts_h=no - --enable-shared + --prefix=/usr/share/oem/python + --with-platlibdir=$(get_libdir) + --disable-shared --enable-ipv6 - --infodir='${prefix}/share/info' - --mandir='${prefix}/share/man' + --infodir='/discard/info' + --mandir='/discard/man' + --includedir='/discard/include' --with-computed-gotos --with-dbmliborder="${dbmliborder}" --with-libc= --enable-loadable-sqlite-extensions --without-ensurepip - --with-system-expat - --with-system-ffi - - $(use_with lto) - $(use_enable pgo optimizations) + --without-system-expat + --without-system-ffi + --without-lto + --disable-optimizations ) # disable implicit optimization/debugging flags 
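Review bot: `--with-dbmliborder="${dbmliborder}"` in the second hunk on this line is kept as context while the first hunk removes the only assignment to `dbmliborder` (the `local dbmliborder` / `use gdbm` block), so unless the variable is set elsewhere in the file the option now expands to `--with-dbmliborder=` with an undeclared variable. That is probably the intended result, since gdbm is hard-disabled in src_configure, but a reader will go looking for the declaration; write the intent out as `--with-dbmliborder=  # Flatcar: no dbm backends, gdbm is disabled above` or drop the option. src_configure's body starts before and ends after these hunks.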
@@ -237,169 +184,33 @@ src_compile() { # bug #831897 local -x _PYTHONDONTWRITEBYTECODE=${PYTHONDONTWRITEBYTECODE} - if use pgo ; then - # bug 660358 - local -x COLUMNS=80 - local -x PYTHONDONTWRITEBYTECODE= - - addpredict /usr/lib/python3.9/site-packages - fi - # also need to clear the flags explicitly here or they end up # in _sysconfigdata* emake CPPFLAGS= CFLAGS= LDFLAGS= # Restore saved value from above. local -x PYTHONDONTWRITEBYTECODE=${_PYTHONDONTWRITEBYTECODE} - - # Work around bug 329499. See also bug 413751 and 457194. - if has_version dev-libs/libffi[pax-kernel]; then - pax-mark E python - else - pax-mark m python - fi -} - -src_test() { - # Tests will not work when cross compiling. - if tc-is-cross-compiler; then - elog "Disabling tests due to crosscompiling." - return - fi - - # Skip failing tests. - local skipped_tests="gdb" - - if use sparc ; then - # bug #788022 - skipped_tests+=" multiprocessing_fork" - skipped_tests+=" multiprocessing_forkserver" - fi - - for test in ${skipped_tests}; do - mv "${S}"/Lib/test/test_${test}.py "${T}" - done - - # bug 660358 - local -x COLUMNS=80 - local -x PYTHONDONTWRITEBYTECODE= - - local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") - - emake test EXTRATESTOPTS="-u-network -j${jobs}" \ - CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty - local result=$? - - for test in ${skipped_tests}; do - mv "${T}/test_${test}.py" "${S}"/Lib/test - done - - elog "The following tests have been skipped:" - for test in ${skipped_tests}; do - elog "test_${test}.py" - done - - elog "If you would like to run them, you may:" - elog "cd '${EPREFIX}/usr/lib/python${PYVER}/test'" - elog "and run the tests separately." 
- - if [[ ${result} -ne 0 ]]; then - die "emake test failed" - fi } src_install() { - local libdir=${ED}/usr/lib/python${PYVER} + local prefix=/usr/share/oem/python + local eprefix="${ED}${prefix}" + local elibdir="${eprefix}/$(get_libdir)" + local epythonplatlibdir="${elibdir}/python${PYVER}" + local bindir="${prefix}/bin" + local ebindir="${eprefix}/bin" emake DESTDIR="${D}" altinstall # Remove static library - rm "${ED}"/usr/$(get_libdir)/libpython*.a || die + rm "${elibdir}"/libpython*.a || die - # Fix collisions between different slots of Python. - rm "${ED}/usr/$(get_libdir)/libpython3.so" || die + rm -r "${epythonplatlibdir}/"{sqlite3,test/test_sqlite*} || die + rm -r "${ebindir}/idle${PYVER}" "${epythonplatlibdir}/"{idlelib,tkinter,test/test_tk*} || die - # Cheap hack to get version with ABIFLAGS - local abiver=$(cd "${ED}/usr/include"; echo python*) - if [[ ${abiver} != python${PYVER} ]]; then - # Replace python3.X with a symlink to python3.Xm - rm "${ED}/usr/bin/python${PYVER}" || die - dosym "${abiver}" "/usr/bin/python${PYVER}" - # Create python3.X-config symlink - dosym "${abiver}-config" "/usr/bin/python${PYVER}-config" - # Create python-3.5m.pc symlink - dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc" - fi + # create a simple versionless 'python' symlink + dosym "python${PYVER}" "${bindir}/python" + dosym "python${PYVER}" "${bindir}/python3" - # python seems to get rebuilt in src_install (bug 569908) - # Work around it for now. 
- if has_version dev-libs/libffi[pax-kernel]; then - pax-mark E "${ED}/usr/bin/${abiver}" - else - pax-mark m "${ED}/usr/bin/${abiver}" - fi - - use sqlite || rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die - use tk || rm -r "${ED}/usr/bin/idle${PYVER}" "${libdir}/"{idlelib,tkinter,test/test_tk*} || die - - dodoc Misc/{ACKS,HISTORY,NEWS} - - if use examples; then - docinto examples - find Tools -name __pycache__ -exec rm -fr {} + || die - dodoc -r Tools - fi - insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510 - local libname=$(printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | \ - emake --no-print-directory -s -f - 2>/dev/null) - newins "${S}"/Tools/gdb/libpython.py "${libname}"-gdb.py - - newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} - newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} - sed \ - -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ - -e "s:@PYDOC@:pydoc${PYVER}:" \ - -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ - "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" - - local -x EPYTHON=python${PYVER} - # if not using a cross-compiler, use the fresh binary - if ! 
tc-is-cross-compiler; then - local -x PYTHON=./python - local -x LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${PWD} - else - local -x PYTHON=${EPREFIX}/usr/bin/${EPYTHON} - fi - - echo "EPYTHON='${EPYTHON}'" > epython.py || die - python_domodule epython.py - - # python-exec wrapping support - local pymajor=${PYVER%.*} - local scriptdir=${D}$(python_get_scriptdir) - mkdir -p "${scriptdir}" || die - # python and pythonX - ln -s "../../../bin/${abiver}" \ - "${scriptdir}/python${pymajor}" || die - ln -s "python${pymajor}" "${scriptdir}/python" || die - # python-config and pythonX-config - # note: we need to create a wrapper rather than symlinking it due - # to some random dirname(argv[0]) magic performed by python-config - cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die - #!/bin/sh - exec "${abiver}-config" "\${@}" - EOF - chmod +x "${scriptdir}/python${pymajor}-config" || die - ln -s "python${pymajor}-config" \ - "${scriptdir}/python-config" || die - # 2to3, pydoc - ln -s "../../../bin/2to3-${PYVER}" \ - "${scriptdir}/2to3" || die - ln -s "../../../bin/pydoc${PYVER}" \ - "${scriptdir}/pydoc" || die - # idle - if use tk; then - ln -s "../../../bin/idle${PYVER}" \ - "${scriptdir}/idle" || die - fi + rm -r "${ED}/discard" || die } From 43ccab8e9d7dbae701cf17873e5b3d34df1cf54c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 6 Dec 2022 14:36:47 +0100 Subject: [PATCH 06/15] sys-libs/glibc: Reset to vanilla ebuild --- .../coreos-overlay/sys-libs/glibc/README.md | 9 -------- .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 -- .../sys-libs/glibc/glibc-2.35-r8.ebuild | 22 ++----------------- 3 files changed, 2 insertions(+), 31 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
deleted file mode 100644
index 0bcb9dd9ee..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# GLibc
-
-The system's C library, sometimes referred to as "service pack for the C
-language". The build recipe has a single modification over the one Gentoo
-upstream uses: in the installation callback `glibc_do_src_install`, we remove
-all of glibc's `/etc` files right after the stock glibc build diligently
-installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
-The addition sits at the end of the `glibc_do_src_install` function and is duly
-labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf
-d /var/db/nscd - - - - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild
index f7eb387963..4c73a826a4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild
@@ -1274,13 +1274,12 @@ glibc_do_src_install() { # '#define VERSION "2.26.90"' -> '2.26.90' local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) - # Flatcar: override this and strip everything to keep image size at bay # Avoid stripping binaries not targeted by ${CHOST}. Or else # ${CHOST}-strip would break binaries build for ${CTARGET}. - # is_crosscompile && dostrip -x / + is_crosscompile && dostrip -x / # gdb thread introspection relies on local libpthreas symbols. stripping breaks it # See Note [Disable automatic stripping] - # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so + dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then # Move versioned .a file out of libdir to evade portage QA checks @@ -1463,23 +1462,6 @@ glibc_do_src_install() { run_locale_gen --inplace-glibc "${ED}/" sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die fi - - ## Flatcar Container Linux: Add some local changes: - # - Config files are installed by baselayout, not glibc. - # - Install nscd/systemd stuff in /usr. - - # Use tmpfiles to put nscd.conf in /etc and create directories. - insinto /usr/share/baselayout - if ! in_iuse nscd || use nscd ; then - doins "${S}"/nscd/nscd.conf || die - newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die - fi - - # Clean out any default configs. - rm -rf "${ED}"/etc - - # Restore this one for the SDK. - test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc } glibc_headers_install() { From 4bd509277a127b5bf83beeb61abd1583b2ef5c95 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak
Date: Wed, 15 Dec 2021 20:48:57 +0100
Subject: [PATCH 07/15] sys-libs/glibc: Apply Flatcar modifications

- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use baselayout to provide that
- replace virtual/awk with app-alternatives/awk
---
 .../coreos-overlay/sys-libs/glibc/README.md | 9 ++++++
 .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 ++
 .../sys-libs/glibc/glibc-2.35-r8.ebuild | 28 +++++++++++++++----
 3 files changed, 34 insertions(+), 5 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
new file mode 100644
index 0000000000..0bcb9dd9ee
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
@@ -0,0 +1,9 @@
+# GLibc
+
+The system's C library, sometimes referred to as "service pack for the C
+language". The build recipe has a single modification over the one Gentoo
+upstream uses: in the installation callback `glibc_do_src_install`, we remove
+all of glibc's `/etc` files right after the stock glibc build diligently
+installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
+The addition sits at the end of the `glibc_do_src_install` function and is duly
+labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
new file mode 100644
index 0000000000..0cf43dcb7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
@@ -0,0 +1,2 @@ +L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf +d /var/db/nscd - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild index 4c73a826a4..19c1440db7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild @@ -110,7 +110,7 @@ BDEPEND=" !compile-locales? ( app-arch/gzip sys-apps/grep - virtual/awk + app-alternatives/awk ) " COMMON_DEPEND=" @@ -127,14 +127,14 @@ DEPEND="${COMMON_DEPEND} compile-locales? ( app-arch/gzip sys-apps/grep - virtual/awk + app-alternatives/awk ) test? ( >=net-dns/libidn2-2.3.0 ) " RDEPEND="${COMMON_DEPEND} app-arch/gzip sys-apps/grep - virtual/awk + app-alternatives/awk sys-apps/gentoo-functions ! '2.26.90' local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) + # Flatcar: override this and strip everything to keep image size at bay # Avoid stripping binaries not targeted by ${CHOST}. Or else # ${CHOST}-strip would break binaries build for ${CTARGET}. - is_crosscompile && dostrip -x / + # is_crosscompile && dostrip -x / # gdb thread introspection relies on local libpthreas symbols. stripping breaks it # See Note [Disable automatic stripping] - dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so + # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then # Move versioned .a file out of libdir to evade portage QA checks 
@@ -1462,6 +1463,23 @@ glibc_do_src_install() {
 run_locale_gen --inplace-glibc "${ED}/"
 sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die
 fi
+
+ ## Flatcar Container Linux: Add some local changes:
+ # - Config files are installed by baselayout, not glibc.
+ # - Install nscd/systemd stuff in /usr.
+
+ # Use tmpfiles to put nscd.conf in /etc and create directories.
+ insinto /usr/share/baselayout
+ if ! in_iuse nscd || use nscd ; then
+ doins "${S}"/nscd/nscd.conf || die
+ newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
+ fi
+
+ # Clean out any default configs.
+ rm -rf "${ED}"/etc
+
+ # Restore this one for the SDK.
+ test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 glibc_headers_install() {

From 0a0f1733f410788d9c1f3f8f5d970fc32070608e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 6 Dec 2022 14:40:14 +0100
Subject: [PATCH 08/15] app-shells/bash: Reset to vanilla ebuild

---
 .../app-shells/bash/bash-5.1_p8.ebuild | 25 +++++++++----------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild
index 19bb8a51ad..88199a177a 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild
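Review bot: `rm -rf "${ED}"/etc` silently discards every file the upstream part of glibc_do_src_install put under /etc earlier in the function (outside this hunk — presumably nsswitch.conf, ld.so.conf, host.conf and the locale/env.d pieces), and nothing records which baselayout files are expected to stand in for them, so a later baselayout change could leave the image on glibc's compiled-in NSS defaults with no build-time signal. I would name the discarded files in the comment and make the override fail loudly once it goes stale, e.g. `[[ -d ${ED}/etc ]] || die "glibc no longer installs /etc, drop the Flatcar override"` before the rm. The `# - Install nscd/systemd stuff in /usr.` bullet also overstates what follows, which only installs nscd.conf into /usr/share/baselayout plus a tmpfiles fragment, and the README added by this commit calls this a "single modification" although the diffstat also touches stripping and the awk dependency. glibc_do_src_install starts outside the hunk.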
@@ -130,10 +130,10 @@ src_configure() { # For descriptions of these, see config-top.h # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426 append-cppflags \ - -DDEFAULT_PATH_VALUE=\'\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\' \ - -DSTANDARD_UTILS_PATH=\'\"/bin:/usr/bin:/sbin:/usr/sbin\"\' \ - -DSYS_BASHRC=\'\"/etc/bash/bashrc\"\' \ - -DSYS_BASH_LOGOUT=\'\"/etc/bash/bash_logout\"\' \ + -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \ + -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \ + -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \ + -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \ -DNON_INTERACTIVE_LOGIN_SHELLS \ -DSSH_SOURCE_BASHRC \ $(use bashlogger && echo -DSYSLOG_HISTORY) @@ -194,16 +194,15 @@ src_install() { mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die dosym bash /bin/rbash - insinto /usr/share/bash - for f in bash{_logout,rc} ; do - doins "${FILESDIR}"/${f} - dosym ../../usr/share/bash/${f} /etc/bash/${f} - done + insinto /etc/bash + doins "${FILESDIR}"/bash_logout + doins "$(prefixify_ro "${FILESDIR}"/bashrc)" - insinto /usr/share/skel + keepdir /etc/bash/bashrc.d + + insinto /etc/skel for f in bash{_logout,_profile,rc} ; do newins "${FILESDIR}"/dot-${f} .${f} - dosym ../../usr/share/skel/.${f} /etc/skel/.${f} done local sed_args=( @@ -221,8 +220,8 @@ src_install() { sed -i \ "${sed_args[@]}" \ - "${ED}"/usr/share/skel/.bashrc \ - "${ED}"/usr/share/bash/bashrc || die + "${ED}"/etc/skel/.bashrc \ + "${ED}"/etc/bash/bashrc || die if use plugins ; then exeinto /usr/$(get_libdir)/bash From b621893c2e61dff1fb3da1073e9aae0d91afcb12 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 29 Sep 2021 12:26:48 +0530 Subject: [PATCH 09/15] app-shells/bash: Apply Flatcar patches 
Signed-off-by: Sayan Chowdhury --- .../app-shells/bash/bash-5.1_p8.ebuild | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild index 88199a177a..818073754c 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild @@ -59,7 +59,7 @@ RDEPEND=" ${DEPEND} " # We only need yacc when the .y files get patched (bash42-005) -#BDEPEND="virtual/yacc" +#BDEPEND="app-alternatives/yacc" S="${WORKDIR}/${MY_P}" @@ -130,10 +130,10 @@ src_configure() { # For descriptions of these, see config-top.h # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426 append-cppflags \ - -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \ - -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \ - -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \ - -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \ + -DDEFAULT_PATH_VALUE=\'\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\' \ + -DSTANDARD_UTILS_PATH=\'\"/bin:/usr/bin:/sbin:/usr/sbin\"\' \ + -DSYS_BASHRC=\'\"/etc/bash/bashrc\"\' \ + -DSYS_BASH_LOGOUT=\'\"/etc/bash/bash_logout\"\' \ -DNON_INTERACTIVE_LOGIN_SHELLS \ -DSSH_SOURCE_BASHRC \ $(use bashlogger && echo -DSYSLOG_HISTORY) 
@@ -194,15 +194,16 @@ src_install() { mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die dosym bash /bin/rbash - insinto /etc/bash - doins "${FILESDIR}"/bash_logout - doins "$(prefixify_ro "${FILESDIR}"/bashrc)" + insinto /usr/share/bash + for f in bash{_logout,rc} ; do + doins "${FILESDIR}"/${f} + dosym ../../usr/share/bash/${f} /etc/bash/${f} + done - keepdir /etc/bash/bashrc.d - - insinto /etc/skel + insinto /usr/share/skel for f in bash{_logout,_profile,rc} ; do newins "${FILESDIR}"/dot-${f} .${f} + dosym ../../usr/share/skel/.${f} /etc/skel/.${f} done local sed_args=( @@ -220,8 +221,8 @@ src_install() { sed -i \ "${sed_args[@]}" \ - "${ED}"/etc/skel/.bashrc \ - "${ED}"/etc/bash/bashrc || die + "${ED}"/usr/share/skel/.bashrc \ + "${ED}"/usr/share/bash/bashrc || die if use plugins ; then exeinto /usr/$(get_libdir)/bash From fd2b43d9cf1afee9762c2eb446c5a7e225e22af1 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 6 Dec 2022 14:42:47 +0100 Subject: [PATCH 10/15] net-firewall/iptables: Reset to vanilla ebuild --- .../iptables/files/systemd/ip6tables.service | 6 ---- .../iptables/files/systemd/iptables.service | 6 ---- .../iptables/iptables-1.8.7.ebuild | 36 ++++++++++--------- 3 files changed, 20 insertions(+), 28 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service deleted file mode 100644 index 0a6d7fa1c8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service +++ /dev/null 
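Review bot: New accounts created from this skeleton may get `~/.bashrc`, `~/.bash_profile` and `~/.bash_logout` that are dangling or read-only symlinks, because the loop now ships them as `dosym ../../usr/share/skel/.${f} /etc/skel/.${f}`: if useradd copies the link verbatim (shadow only rewrites targets under the skel directory itself, as far as I recall) the relative target resolves against the new home directory, and even where it resolves the dotfiles point into read-only /usr and silently follow any later change to /usr/share/skel. Unless that is intended, either use absolute targets (`dosym /usr/share/skel/.${f} /etc/skel/.${f}`) or keep the skel entries as regular files via `insinto /etc/skel` and `newins "${FILESDIR}"/dot-${f} .${f}`, reserving the /usr/share indirection for the system-wide /etc/bash/* links. A one-line comment stating which behaviour is wanted would stop the next reset-and-reapply round from flipping it again. src_install starts and ends outside the hunk.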
@@ -1,6 +0,0 @@ -[Unit] -Description=Store and restore ip6tables firewall rules - -[Install] -Also=ip6tables-store.service -Also=ip6tables-restore.service diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service deleted file mode 100644 index 3643a3e310..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -Description=Store and restore iptables firewall rules - -[Install] -Also=iptables-store.service -Also=iptables-restore.service diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild index bcf9182795..a6ba56cb35 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild @@ -40,12 +40,11 @@ BDEPEND="${BUILD_DEPEND} virtual/yacc ) " -# Flatcar: Drop BUILD_DEPEND, as we would not like to ship -# eselect in the final image. Also, drop net-firewall/arptables as we don't -# ship arptables RDEPEND="${COMMON_DEPEND} + ${BUILD_DEPEND} nftables? ( net-misc/ethertypes ) !/dev/null; then elog "Current iptables implementation is unset, setting to ${default_iptables}" eselect iptables set "${default_iptables}" fi - # Flatcar: Drop the arptables, but retain the `for` structure in favor of lesser diff - # to upstream + if use nftables; then local tables - for tables in ebtables; do + for tables in {arp,eb}tables; do if ! eselect ${tables} show &>/dev/null; then elog "Current ${tables} implementation is unset, setting to ${default_iptables}" - eselect ${tables} set "${default_iptables}" + eselect ${tables} set xtables-nft-multi fi done fi 
@@ -168,6 +161,17 @@ pkg_prerm() {
 if ! has_version 'net-firewall/ebtables'; then
 elog "Unsetting ebtables symlinks before removal"
 eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
 fi
 # the eselect module failing should not be fatal

From f6efb50cb644c3773030dd6768687cd0a3f15756 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Mon, 14 Jun 2021 20:54:27 +0530
Subject: [PATCH 11/15] net-firewall/iptables: Apply the Flatcar patches

Signed-off-by: Sayan Chowdhury
---
 .../iptables/files/systemd/ip6tables.service | 6 +++
 .../iptables/files/systemd/iptables.service | 6 +++
 .../iptables/iptables-1.8.7.ebuild | 41 +++++++++----------
 3 files changed, 32 insertions(+), 21 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service

diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000000..0a6d7fa1c8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service new file mode 100644 index 0000000000..3643a3e310 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore iptables firewall rules + +[Install] +Also=iptables-store.service +Also=iptables-restore.service diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild index a6ba56cb35..69ab247e39 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild 
@@ -32,19 +32,23 @@ DEPEND="${COMMON_DEPEND} virtual/os-headers >=sys-kernel/linux-headers-4.4:0 " +# Flatcar: Rename virtual/yacc to app-alternatives/yacc. The former is +# gone in favor of the latter in Gentoo. This modification will be +# dropped when we update this ebuild from Gentoo. BDEPEND="${BUILD_DEPEND} app-eselect/eselect-iptables virtual/pkgconfig nftables? ( sys-devel/flex - virtual/yacc + app-alternatives/yacc ) " +# Flatcar: Drop BUILD_DEPEND, as we would not like to ship +# eselect in the final image. Also, drop net-firewall/arptables as we don't +# ship arptables RDEPEND="${COMMON_DEPEND} - ${BUILD_DEPEND} nftables? ( net-misc/ethertypes ) !/dev/null; then elog "Current iptables implementation is unset, setting to ${default_iptables}" eselect iptables set "${default_iptables}" fi - + # Flatcar: Drop the arptables, but retain the `for` structure in favor of lesser diff + # to upstream if use nftables; then local tables - for tables in {arp,eb}tables; do + for tables in ebtables; do if ! eselect ${tables} show &>/dev/null; then elog "Current ${tables} implementation is unset, setting to ${default_iptables}" - eselect ${tables} set xtables-nft-multi + eselect ${tables} set "${default_iptables}" fi done fi @@ -161,17 +171,6 @@ pkg_prerm() { if ! has_version 'net-firewall/ebtables'; then elog "Unsetting ebtables symlinks before removal" eselect ebtables unset - elif [[ -z ${REPLACED_BY_VERSION} ]]; then - elog "Resetting ebtables symlinks to ebtables-legacy" - eselect ebtables set ebtables-legacy - fi - - if ! has_version 'net-firewall/arptables'; then - elog "Unsetting arptables symlinks before removal" - eselect arptables unset - elif [[ -z ${REPLACED_BY_VERSION} ]]; then - elog "Resetting arptables symlinks to arptables-legacy" - eselect arptables set arptables-legacy fi # the eselect module failing should not be fatal From 1f88c934c0e349f6b9f01b3df905266c9c86244d Mon Sep 17 00:00:00 2001 
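Review bot: `eselect ${tables} set "${default_iptables}"` in the ebtables loop points the ebtables alternative at the iptables default, which upstream deliberately avoided by using `xtables-nft-multi` there (the removed line in this hunk): if `default_iptables` is still the legacy multi-binary set at the top of pkg_postinst (outside the hunk), the ebtables eselect module will either reject it or select a binary with no ebtables personality, and with the non-fatal eselect handling in this ebuild that would only show up as a log line and an unset `ebtables` symlink in the image. Keeping the Flatcar intent of dropping arptables only would be `eselect ${tables} set xtables-nft-multi` with the elog text updated to match. The blocker atoms in the RDEPEND hunk have also been mangled in this rendering (`!/dev/null; then` has lost the `<` of the blockers and the `&>` redirection), so they should be checked against the file rather than this text. pkg_postinst starts outside the hunk.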
From: Krzesimir Nowak
Date: Tue, 6 Dec 2022 14:51:21 +0100
Subject: [PATCH 12/15] sys-devel/gdb: Reset to vanilla ebuild

---
 .../coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild
index 0130f4967b..a7deb85175 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild
@@ -154,15 +154,6 @@ src_configure() {
 # Ideally we would like automagic-or-disabled here.
 # But the check does not quite work on i686: bug #760926.
 $(use_enable cet)
-
- # Flatcar: we need to set both configure options, --with-sysroot
- # and --libdir, to fix cross build issues that happen when
- # configuring gmp. We explicitly need --libdir. Having only
- # --with-sysroot without --libdir would not fix the build issues.
- # For some reason, it is not enough to set only --with-sysroot,
- # also not enough to pass --with-gmp-xxx options.
- --with-sysroot="${ESYSROOT}"
- --libdir="${ESYSROOT}/usr/$(get_libdir)"
 )
 local sysroot="${EPREFIX}/usr/${CTARGET}"

From eec5d85328c90025f7bfaa6050fd386b4455773d Mon Sep 17 00:00:00 2001
From: Dongsu Park Date: Mon, 13 Jun 2022 14:39:19 +0200 Subject: [PATCH 13/15] sys-devel/gdb: Apply Flatcar modifications - Fix cross build issues with configuring gmp libs As gdb 11 or newer requires gmp libs as dependency, a cross build of gdb 11.2 started to fail when its configure scripts try to detect if gmp exists. The failure occurs mainly because the build still passes '-L/usr/lib64` to LDFLAGS. Let's say, for example, host toolchains outside of sysroot have amd64 libs, while the target inside of sysroot should have arm64 libs. However, configure scripts of gdb 11.2 still try to find its libs outside of sysroot, /usr/lib64, although it should find its libs inside of sysroot, e.g. /build/arm64/usr/lib64. To fix the cross build issues, pass --with-sysroot as well as --libdir, correctly with ${ESYSROOT}. As a side note, for some reason, upstream gdb configure scripts are not able to correctly make use of its gmp-specific options like --with-gmp or --with-gmp-lib. Passing those options does not bring anything. Also configure must have both --with-sysroot and --libdir, to make the build work. - Replace dependency on virtual/yacc with app-alternatives/yacc The former is gone in favor of the latter in Gentoo. This change will be dropped when we sync the package with Gentoo again. --- .../coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild index a7deb85175..242e651039 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/gdb/gdb-11.2.ebuild @@ -87,7 +87,7 @@ DEPEND="${RDEPEND}" BDEPEND=" app-arch/xz-utils sys-apps/texinfo - virtual/yacc + app-alternatives/yacc nls? ( sys-devel/gettext ) source-highlight? ( virtual/pkgconfig ) test? ( dev-util/dejagnu ) 
@@ -154,6 +154,15 @@ src_configure() {
 # Ideally we would like automagic-or-disabled here.
 # But the check does not quite work on i686: bug #760926.
 $(use_enable cet)
+
+ # Flatcar: we need to set both configure options, --with-sysroot
+ # and --libdir, to fix cross build issues that happen when
+ # configuring gmp. We explicitly need --libdir. Having only
+ # --with-sysroot without --libdir would not fix the build issues.
+ # For some reason, it is not enough to set only --with-sysroot,
+ # also not enough to pass --with-gmp-xxx options.
+ --with-sysroot="${ESYSROOT}"
+ --libdir="${ESYSROOT}/usr/$(get_libdir)"
 )
 local sysroot="${EPREFIX}/usr/${CTARGET}"

From ef09c88d70456052067461b1da875cc21c3f3d00 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 6 Dec 2022 15:03:29 +0100
Subject: [PATCH 14/15] sys-libs/pam: Reset to vanilla ebuild

---
 .../coreos-overlay/sys-libs/pam/README.md | 21 -------------------
 .../pam/files/pam-1.5.0-locked-accounts.patch | 13 ------------
 .../sys-libs/pam/files/tmpfiles.d/pam.conf | 11 ----------
 .../pam/pam-1.5.1_p20210622-r1.ebuild | 18 +++++++---------
 4 files changed, 7 insertions(+), 56 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
deleted file mode 100644
index 9500945b40..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
+++ /dev/null
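Review bot: `--with-sysroot="${ESYSROOT}"` is not consumed only by the gmp probe; it is also gdb's compiled-in default for the runtime `sysroot` setting, so a board build (the commit message cites /build/arm64) would ship a gdb that looks for the target's shared libraries and separate debug files under a path that does not exist on the running image. Please check `gdb -batch -ex 'show sysroot'` in an image; if the build path is baked in, reset it at install time (a system gdbinit carrying `set sysroot /`) or confine the fix to the gmp sub-configure via cache variables rather than leaving the SDK path in the binary. `--libdir="${ESYSROOT}/usr/$(get_libdir)"` likewise overrides the libdir econf already passes, so anything gdb installs into $(libdir) would land under `${D}${ESYSROOT}/...`; a `find "${D}" -path '*/build/*'` after a cross install would tell quickly. The following `local sysroot="${EPREFIX}/usr/${CTARGET}"` line (context below the hunk) feeds a second `--with-sysroot` for CTARGET builds, so the two can disagree; src_configure starts outside the hunk.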
@@ -1,21 +0,0 @@ -This is a fork of gentoo's sys-libs/pam package. The main reasons -for having our fork seem to be: - -1. We add a locked account functionality. If the account in - `/etc/shadow` has an exclamation mark (`!`) as a first character in - the password field, then the account is blocked. - -2. We install configuration in `/usr/lib/pam`, so the configuration in - `/etc` provided by administration can override the config we - install. - -3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc - pamc` from the recipe. - -4. We make the `/sbin/unix_chkpwd` binary a suid one instead of - overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop - between pam and libcap. The binary needs to be able to read - /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should - work. A suid binary is strictly less secure than capability - override, so in long-term we would prefer to avoid having this - hack. On the other hand - this is what we had so far. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch deleted file mode 100644 index a58d3eb28c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c ---- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200 -+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200 -@@ -847,6 +847,9 @@ - return retval; - } - -+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') -+ return PAM_PERM_DENIED; -+ - if (retval == PAM_SUCCESS && spent == NULL) - return PAM_SUCCESS; - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf deleted file mode 100644 index 6b8ebb4377..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf +++ /dev/null @@ -1,11 +0,0 @@ -d /etc/pam.d 0755 root root - - -d /etc/security 0755 root root - - -d /etc/security/limits.d 0755 root root - - -d /etc/security/namespace.d 0755 root root - - -f /etc/environment 0755 root root - - -L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf -L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf -L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf -L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf -L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf -L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild index 5b1351ead5..98f33edbb6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild @@ -7,7 +7,7 @@ EAPI=7 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 TMPFILES_OPTIONAL=1 -inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal +inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" DOC_SNAPSHOT="20210610" @@ -47,7 +47,6 @@ PDEPEND=">=sys-auth/pambase-20200616" S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" PATCHES=( - "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch "${FILESDIR}"/${PN}-1.5.1-musl.patch ) @@ -81,7 +80,6 @@ multilib_src_configure() { $(use_enable nis) $(use_enable selinux) --enable-isadir='.' #464016 - --enable-sconfigdir="/usr/lib/pam/" ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } @@ -93,24 +91,18 @@ multilib_src_compile() { multilib_src_install() { emake DESTDIR="${D}" install \ sepermitlockdir="/run/sepermit" + + gen_usr_ldscript -a pam pam_misc pamc } multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die - # Flatcar: The pam_unix module needs to check the password of - # the user which requires read access to /etc/shadow - # only. Make it suid instead of using CAP_DAC_OVERRIDE to - # avoid a pam -> libcap -> pam dependency loop. - fperms 4711 /sbin/unix_chkpwd - # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop dodir /usr/lib/tmpfiles.d - rm "${D}/etc/environment" - cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ d /run/faillock 0755 root root _EOF_ @@ -136,4 +128,8 @@ pkg_postinst() { ewarn " lsof / | egrep -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps cap_dac_override sbin/unix_chkpwd } 
From bcf2bb0b772cf03eab872f956782f80b72b17900 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 17 Mar 2022 16:33:30 +0530 Subject: [PATCH 15/15] sys-libs/pam: Apply Flatcar patches - sys-libs/pam: Make /sbin/unix_chkpwd suid This is to avoid importing fcaps eclass which adds a dependency on sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of this conundrum, we could specify a "-filecaps" use flag for sys-libs/pam. Problem with this solution would be no capability override for the binary making it unable to read /etc/shadow. Thus we make the binary suid. This is strictly less secure than overriding its capabilities, but I have no idea how to solve it in a less hacky way. - sys-libs/pam: Install configuration into /usr Also provide a tmpfiles fragment to bring it back. - sys-libs/pam: Locked accounts functionality Signed-off-by: Sayan Chowdhury --- .../coreos-overlay/sys-libs/pam/README.md | 26 +++++++++++++++++++ .../pam/files/pam-1.5.0-locked-accounts.patch | 13 ++++++++++ .../sys-libs/pam/files/tmpfiles.d/pam.conf | 11 ++++++++ .../pam/pam-1.5.1_p20210622-r1.ebuild | 20 ++++++++------ 4 files changed, 62 insertions(+), 8 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md new file mode 100644 index 0000000000..d4e1d3a149 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md 
@@ -0,0 +1,26 @@ +This is a fork of gentoo's sys-libs/pam package. The main reasons +for having our fork seem to be: + +1. We add a locked account functionality. If the account in + `/etc/shadow` has an exclamation mark (`!`) as a first character in + the password field, then the account is blocked. + +2. We install configuration in `/usr/lib/pam`, so the configuration in + `/etc` provided by administration can override the config we + install. + +3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc + pamc` from the recipe. + +4. We make the `/sbin/unix_chkpwd` binary a suid one instead of + overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop + between pam and libcap. The binary needs to be able to read + /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should + work. A suid binary is strictly less secure than capability + override, so in long-term we would prefer to avoid having this + hack. On the other hand - this is what we had so far. + +5. We replace the dependency on `virtual/yacc` with + `app-alternatives/yacc`. The former was renamed to the latter in + Gentoo, so this modification will be gone next time we update this + package. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch new file mode 100644 index 0000000000..a58d3eb28c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch 
@@ -0,0 +1,13 @@ +diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c +--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200 ++++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200 +@@ -847,6 +847,9 @@ + return retval; + } + ++ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') ++ return PAM_PERM_DENIED; ++ + if (retval == PAM_SUCCESS && spent == NULL) + return PAM_SUCCESS; + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf new file mode 100644 index 0000000000..6b8ebb4377 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf @@ -0,0 +1,11 @@ +d /etc/pam.d 0755 root root - - +d /etc/security 0755 root root - - +d /etc/security/limits.d 0755 root root - - +d /etc/security/namespace.d 0755 root root - - +f /etc/environment 0755 root root - - +L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf +L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf +L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf +L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf +L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf +L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild index 98f33edbb6..d91874ac48 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild 
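Review bot: The added check tests `pwent->pw_passwd[0]`, the password field of the passwd entry, while the README in this same commit describes the lock as an `!` in `/etc/shadow`; with shadow passwords in use that field is normally just `x`, so (if `get_account_info` fills `spent` the way upstream linux-pam does) the lock would never fire for a shadowed account and the account stage would still admit it. The shadow entry is in scope here — the context line `if (retval == PAM_SUCCESS && spent == NULL)` uses it — so I would test it when present: `if (spent != NULL ? (spent->sp_pwdp != NULL && spent->sp_pwdp[0] == '!') : (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')) return PAM_PERM_DENIED;`, with a comment noting that the `!` prefix is what `passwd -l`/`usermod -L` write. The patched function starts and ends outside the hunk, so the `spent`/`pwent` handling on the non-success path should be confirmed against the file.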
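Review bot: `f /etc/environment 0755 root root - -` creates a plain configuration file, read by pam_env, with the execute bits set; nothing runs it and a 0644 mode is all it needs, so the line should read `f /etc/environment 0644 root root - -`. The `d` lines are fine at 0755, and the `L` entries match `--enable-sconfigdir=/usr/lib/pam/` in the ebuild hunk; since tmpfiles `L` does not replace an existing path, an administrator's file in /etc/security still wins, which is the override behaviour the README promises — worth a one-line comment at the top of this fragment so the next person does not "fix" it to `L+`.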
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild @@ -7,7 +7,7 @@ EAPI=7 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 TMPFILES_OPTIONAL=1 -inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal +inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" DOC_SNAPSHOT="20210610" @@ -24,11 +24,11 @@ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 s IUSE="audit berkdb debug nis selinux" BDEPEND=" + app-alternatives/yacc dev-libs/libxslt sys-devel/flex sys-devel/gettext virtual/pkgconfig - virtual/yacc " DEPEND=" @@ -47,6 +47,7 @@ PDEPEND=">=sys-auth/pambase-20200616" S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" PATCHES=( + "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch "${FILESDIR}"/${PN}-1.5.1-musl.patch ) @@ -80,6 +81,7 @@ multilib_src_configure() { $(use_enable nis) $(use_enable selinux) --enable-isadir='.' #464016 + --enable-sconfigdir="/usr/lib/pam/" ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } @@ -91,18 +93,24 @@ multilib_src_compile() { multilib_src_install() { emake DESTDIR="${D}" install \ sepermitlockdir="/run/sepermit" - - gen_usr_ldscript -a pam pam_misc pamc } multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die + # Flatcar: The pam_unix module needs to check the password of + # the user which requires read access to /etc/shadow + # only. Make it suid instead of using CAP_DAC_OVERRIDE to + # avoid a pam -> libcap -> pam dependency loop. + fperms 4711 /sbin/unix_chkpwd + # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop dodir /usr/lib/tmpfiles.d + rm "${D}/etc/environment" + cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ d /run/faillock 0755 root root _EOF_ 
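Review bot: `rm "${D}/etc/environment"` and the `cp` of the tmpfiles fragment in multilib_src_install_all run unchecked, unlike every other install step in this hunk, which ends in `|| die`; if upstream stops installing /etc/environment or the copy fails, the build proceeds silently and the image either carries a stray /etc/environment or loses the whole /etc/security symlink set the README relies on. Use `rm "${D}/etc/environment" || die` and `cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf || die` (or `insinto /usr/lib/tmpfiles.d` with `newins`). On `fperms 4711 /sbin/unix_chkpwd`, the comment describes read access to /etc/shadow but the mode grants full root, so I would extend it to say that the helper's own argument checks are now the only thing bounding that privilege and that the setcap variant should be restored once the libcap dependency loop is resolved. multilib_src_install_all continues past the end of the hunk.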
@@ -128,8 +136,4 @@ pkg_postinst() { ewarn " lsof / | egrep -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." - - # The pam_unix module needs to check the password of the user which requires - # read access to /etc/shadow only. - fcaps cap_dac_override sbin/unix_chkpwd }