From 298fc4e97433ada56a7b499682aec71b9b460dde Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Thu, 21 Aug 2025 16:57:19 +0200
Subject: [PATCH] overlay coreos/config, profiles: Drop PKG_INSTALL_MASK

PKG_INSTALL_MASK is for binary packages like INSTALL_MASK is for
${ROOT} - whatever is added to PKG_INSTALL_MASK will be absent from
binary packages. But we may want to install different content to
different kind of images using the same binary packages. For example,
we may want to install some python selinux scripts to developer
container, but not to production image.

I started adding PKG_INSTALL_MASK before, because of a
misunderstanding - I thought that PKG_INSTALL_MASK is about filtering
files that are installed to ${ROOT} from binary packages. So in
reality, PKG_INSTALL_MASK is really unnecessary.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
---
 .../coreos/config/env/app-admin/sudo          |  5 +---
 .../coreos/config/env/app-containers/syft     |  5 +---
 .../coreos/config/env/dev-libs/glib           |  5 +---
 .../coreos/config/env/net-dns/bind            |  7 +----
 .../coreos/config/env/net-fs/nfs-utils        |  5 +---
 .../coreos/config/env/net-misc/ntp            | 27 +++++++++----------
 .../coreos/config/env/net-misc/openssh        |  5 +---
 .../coreos/config/env/sys-apps/lsb-release    |  5 +---
 .../coreos/config/env/sys-boot/grub           |  9 +++----
 .../coreos/config/env/sys-process/audit       |  5 +---
 .../profiles/coreos/base/make.defaults        |  4 ---
 11 files changed, 23 insertions(+), 59 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo
index 3bd9e65f86..c6dac3e850 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo
@@ -11,7 +11,4 @@ cros_post_src_install_flatcar_modifications() {
 
 # We don't ship OpenLDAP schemas (why?) and we provide sudo.conf
 # through baselayout.
-sudo_install_mask='/etc/openldap/schema /etc/sudo.conf'
-INSTALL_MASK+=" ${sudo_install_mask}"
-PKG_INSTALL_MASK+=" ${sudo_install_mask}"
-unset sudo_install_mask
+INSTALL_MASK+=' /etc/openldap/schema /etc/sudo.conf '
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/syft b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/syft
index 23f700402e..74f5a47797 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/syft
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/syft
@@ -1,5 +1,2 @@
 # there are only examples installed
-syft_install_mask=" /usr/share/syft/examples "
-INSTALL_MASK+="${syft_install_mask}"
-PKG_INSTALL_MASK+="${syft_install_mask}"
-unset syft_install_mask
+INSTALL_MASK+=' /usr/share/syft/examples '
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/glib b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/glib
index e6388c51ad..be015877fb 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/glib
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/glib
@@ -1,7 +1,4 @@
 # Do not install gobject-introspection binaries in production images.
 if [[ $(flatcar_target) != 'sdk' ]] ; then
-	glib_mask="/usr/bin/gi-* /usr/lib*/libgirepository-2.0*"
-	PKG_INSTALL_MASK+=" ${glib_mask}"
-	INSTALL_MASK+=" ${glib_mask}"
-	unset glib_mask
+	INSTALL_MASK+=" /usr/bin/gi-* /usr/lib*/libgirepository-2.0* "
 fi
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
index b7c8dd0b88..1873ad91a0 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
@@ -1,5 +1,5 @@
 # Keep only tool binaries and libraries those binaries need.
-ndb_install_mask="
+INSTALL_MASK+="
         /etc
         /var
         /usr/bin/arpaname
@@ -13,11 +13,6 @@ ndb_install_mask="
         /usr/sbin
 "
 
-INSTALL_MASK+="${ndb_install_mask}"
-PKG_INSTALL_MASK+="${ndb_install_mask}"
-
-unset ndb_install_mask
-
 # Override fowners to ignore changing owner or group to named. The
 # only files that this happens for are files that we have put into
 # {PKG_,}INSTALL_MASK. This will help us avoid installing
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/nfs-utils b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/nfs-utils
index e073862b5b..d632a7f99d 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/nfs-utils
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/nfs-utils
@@ -1,7 +1,4 @@
-nfs_utils_install_mask=" /etc/exports /etc/exports.d "
-INSTALL_MASK+=${nfs_utils_install_mask}
-PKG_INSTALL_MASK+=${nfs_utils_install_mask}
-unset nfs_utils_install_mask
+INSTALL_MASK+=" /etc/exports /etc/exports.d "
 
 cros_post_src_install_nfs_utils_flatcar_modifications() {
     (
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/ntp b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/ntp
index bc72eb5c0a..ea84736a5a 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/ntp
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/ntp
@@ -1,15 +1,12 @@
-ntp_install_mask=''
-# Do not install ntpdate or sntp systemd files in /etc.
-ntp_install_mask+=" /etc/systemd"
-# Do not install the default ntp.conf, we provide our own in
-# coreos-base/misc-files.
-ntp_install_mask+=" /etc/ntp.conf"
-# Do not install perl scripts to /usr/bin.
-ntp_install_mask+=" /usr/bin/calc_tickadj /usr/bin/ntp-wait /usr/bin/ntptrace /usr/bin/update-leap"
-# Do not install perl package to /usr/share/ntp.
-ntp_install_mask+=" /usr/share/ntp"
-
-ntp_install_mask+=' '
-INSTALL_MASK+=${ntp_install_mask}
-PKG_INSTALL_MASK+=${ntp_install_mask}
-unset ntp_install_mask
+# Do not install:
+#
+# - ntpdate or sntp systemd files in /etc,
+# - the default ntp.conf, we provide our own in coreos-base/misc-files,
+# - perl scripts to /usr/bin,
+# - perl package to /usr/share/ntp
+INSTALL_MASK+="
+        /etc/systemd
+        /etc/ntp.conf
+        /usr/bin/calc_tickadj /usr/bin/ntp-wait /usr/bin/ntptrace /usr/bin/update-leap
+        /usr/share/ntp
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
index 77a32cfa39..2f5c00289d 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
@@ -3,10 +3,7 @@
 # Do not install the config snippet that defines a subsystem. We have
 # our own definition in coreos-init.
 if [[ $(flatcar_target) != 'sdk' ]] ; then
-	openssh_mask=" /usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf "
-	PKG_INSTALL_MASK+="${openssh_mask}"
-	INSTALL_MASK+="${openssh_mask}"
-	unset openssh_mask
+	INSTALL_MASK+=" /usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf "
 fi
 
 cros_post_src_install_vendorize_pam() {
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/lsb-release b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/lsb-release
index 3f4831cb45..3418a654ad 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/lsb-release
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/lsb-release
@@ -1,4 +1 @@
-lsb_release_install_mask=" /etc/lsb-release "
-INSTALL_MASK+="${lsb_release_install_mask}"
-PKG_INSTALL_MASK+="${lsb_release_install_mask}"
-unset lsb_release_install_mask
+INSTALL_MASK+=" /etc/lsb-release "
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
index 932b56a943..b8d7d082f5 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
@@ -48,9 +48,6 @@ cros_post_src_install_sbat() {
 	EOF
 }
 
-# Flatcar does not use grub-install or grub-mkconfig. All the files under /etc
-# relate to grub-mkconfig.
-grub_install_mask=" ${EPREFIX}/etc/ *grub-install* *mkconfig* "
-INSTALL_MASK+="${grub_install_mask}"
-PKG_INSTALL_MASK+="${grub_install_mask}"
-unset grub_install_mask
+# Flatcar does not use grub-install or grub-mkconfig. All the files
+# under /etc relate to grub-mkconfig.
+INSTALL_MASK+=" ${EPREFIX}/etc/ *grub-install* *mkconfig* "
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
index 52fc0e0aad..198fa84ebf 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
@@ -1,7 +1,4 @@
 # Do not install Gentoo-provided audit rules, we will install our own
 # in coreos-base/misc-files. Also skip installing legacy initscripts
 # stuff in /usr/libexec.
-audit_install_mask=" /etc/audit/audit.rules* /usr/libexec "
-INSTALL_MASK+="${audit_install_mask}"
-PKG_INSTALL_MASK+="${audit_install_mask}"
-unset audit_install_mask
+INSTALL_MASK+=" /etc/audit/audit.rules* /usr/libexec "
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index bf01d5e4c5..e1fbc82b97 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -94,10 +94,6 @@ INSTALL_MASK="
   /usr/share/portage/config/repos.conf
 "
 
-# Prevent binaries from being installed to rootfs from binary packages
-PKG_INSTALL_MASK="
-"
-
 # Keep the default languages small.
 # (not many things respect this though)
 LINGUAS="en"