Merge pull request #3761 from flatcar/buildbot/weekly-portage-stable-package-updates-2026-03-02

Weekly portage-stable package updates 2026-03-02
Krzesimir Nowak 2026-03-06 16:42:54 +01:00 committed by GitHub
commit 3e6327fb87
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1043 changed files with 30407 additions and 37693 deletions

View File

@ -3,6 +3,7 @@
acct-group/adm
acct-group/audio
acct-group/cdrom
acct-group/clock
acct-group/cuse
acct-group/dialout
acct-group/disk
@ -379,6 +380,7 @@ dev-python/wheel
dev-util/bpftool
dev-util/bsdiff
dev-util/catalyst
dev-util/debugedit
dev-util/gdbus-codegen
dev-util/glib-utils
dev-util/gperf
@ -660,6 +662,7 @@ sys-devel/binutils
sys-devel/binutils-config
sys-devel/bison
sys-devel/crossdev
sys-devel/dwz
sys-devel/flex
sys-devel/gcc
sys-devel/gcc-config

View File

@ -0,0 +1,17 @@
- c-ares ([CVE-2025-62408](https://www.cve.org/CVERecord?id=CVE-2025-62408))
- curl ([CVE-2025-13034](https://www.cve.org/CVERecord?id=CVE-2025-13034), [CVE-2025-14017](https://www.cve.org/CVERecord?id=CVE-2025-14017), [CVE-2025-14524](https://www.cve.org/CVERecord?id=CVE-2025-14524), [CVE-2025-14819](https://www.cve.org/CVERecord?id=CVE-2025-14819), [CVE-2025-15079](https://www.cve.org/CVERecord?id=CVE-2025-15079), [CVE-2025-15224](https://www.cve.org/CVERecord?id=CVE-2025-15224))
- expat ([CVE-2026-24515](https://www.cve.org/CVERecord?id=CVE-2026-24515), [CVE-2026-25210](https://www.cve.org/CVERecord?id=CVE-2026-25210))
- glib ([CVE-2025-13601](https://www.cve.org/CVERecord?id=CVE-2025-13601), [CVE-2025-14087](https://www.cve.org/CVERecord?id=CVE-2025-14087))
- glibc ([CVE-2026-0861](https://www.cve.org/CVERecord?id=CVE-2026-0861), [CVE-2026-0915](https://www.cve.org/CVERecord?id=CVE-2026-0915), [CVE-2025-15281](https://www.cve.org/CVERecord?id=CVE-2025-15281))
- gnupg ([CVE-2026-24881](https://www.cve.org/CVERecord?id=CVE-2026-24881), [CVE-2026-24882](https://www.cve.org/CVERecord?id=CVE-2026-24882), [CVE-2026-24883](https://www.cve.org/CVERecord?id=CVE-2026-24883))
- gnutls ([CVE-2025-14831](https://www.cve.org/CVERecord?id=CVE-2025-14831), [CVE-2026-1584](https://www.cve.org/CVERecord?id=CVE-2026-1584))
- incus ([CVE-2026-23953](https://www.cve.org/CVERecord?id=CVE-2026-23953))
- intel-microcode ([CVE-2025-31648](https://www.cve.org/CVERecord?id=CVE-2025-31648))
- libpcap ([CVE-2025-11961](https://www.cve.org/CVERecord?id=CVE-2025-11961), [CVE-2025-11964](https://www.cve.org/CVERecord?id=CVE-2025-11964))
- libtasn1 ([CVE-2025-13151](https://www.cve.org/CVERecord?id=CVE-2025-13151))
- libxslt ([CVE-2025-10911](https://www.cve.org/CVERecord?id=CVE-2025-10911), [CVE-2025-11731](https://www.cve.org/CVERecord?id=CVE-2025-9714))
- nvidia-drivers ([CVE-2025-33219](https://www.cve.org/CVERecord?id=CVE-2025-33219))
- p11-kit ([CVE-2026-2100](https://www.cve.org/CVERecord?id=CVE-2026-2100))
- rsync ([CVE-2025-10158](https://www.cve.org/CVERecord?id=CVE-2025-10158))
- sssd ([CVE-2025-11561](https://www.cve.org/CVERecord?id=CVE-2025-11561))
- util-linux ([CVE-2025-14104](https://www.cve.org/CVERecord?id=CVE-2025-14104))
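
Review bot: in the libxslt entry the second link is labelled CVE-2025-11731 but its URL points at `CVERecord?id=CVE-2025-9714`, so the text and the target disagree. Decide which CVE is meant and make the label and the URL match; if both apply, list them as two separate links. The glibc entry also lists its 2026 CVEs before the 2025 one, unlike the other entries, which are in ascending order.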

View File

@ -0,0 +1,59 @@
- SDK: catalyst ([4.1.1](https://gitweb.gentoo.org/proj/catalyst.git/log/?h=4.1.1))
- SDK: gnu-efi ([4.0.4](https://github.com/ncroxon/gnu-efi/releases/tag/4.0.4) (includes [4.0.3](https://github.com/ncroxon/gnu-efi/releases/tag/4.0.3)))
- SDK: meson ([1.9.2](https://github.com/mesonbuild/meson/commits/1.9.2/))
- SDK: qemu ([10.2.0](https://wiki.qemu.org/ChangeLog/10.2) (includes [10.1.0](https://wiki.qemu.org/ChangeLog/10.1)))
- SDK: rust ([1.92.0_p1](https://blog.rust-lang.org/2025/12/11/Rust-1.92.0/))
- base, dev: c-ares ([1.34.6](https://github.com/c-ares/c-ares/releases/tag/v1.34.6))
- base, dev: cryptsetup ([2.8.3](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.3/docs/v2.8.3-ReleaseNotes) (includes [2.8.2](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.2/docs/v2.8.2-ReleaseNotes)))
- base, dev: curl ([8.18.0](https://curl.se/ch/8.18.0.html))
- base, dev: expat ([2.7.4](https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes))
- base, dev: gentoo-functions ([1.7.6](https://gitweb.gentoo.org/proj/gentoo-functions.git/log/?h=gentoo-functions-1.7.6))
- base, dev: glibc ([2.42](https://lists.gnu.org/archive/html/info-gnu/2025-07/msg00011.html))
- base, dev: gnupg ([2.5.17](https://files.gnupg.net/file/data/jiwtprsp56hruiqgobdo/PHID-FILE-xmky7kawpp72qwjjv3ss/NEWS))
- base, dev: gnutls ([3.8.12](https://lists.gnutls.org/pipermail/gnutls-help/2026-February/004914.html))
- base, dev: intel-microcode ([20260210_p20260211](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20260210-rev1))
- base, dev: iproute2 ([6.18.0](https://www.spinics.net/lists/netdev/msg1142134.html))
- base, dev: libgpg-error ([1.58](https://raw.githubusercontent.com/gpg/libgpg-error/refs/tags/libgpg-error-1.58/NEWS))
- base, dev: libpcap ([1.10.6](https://github.com/the-tcpdump-group/libpcap/blob/libpcap-1.10.6/CHANGES))
- base, dev: libsodium ([1.0.21_p20260122](https://github.com/jedisct1/libsodium/releases/tag/1.0.21-RELEASE))
- base, dev: libtasn1 ([4.21.0](https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00003.html))
- base, dev: linux-headers ([6.18](https://kernelnewbies.org/Linux_6.18))
- base, dev: nftables ([1.1.6](https://lwn.net/Articles/1049470/))
- base, dev: nghttp2 ([1.68.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.68.0) (includes [1.67.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.67.1), [1.67.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.67.0), [1.66.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.66.0)))
- base, dev: p11-kit ([0.26.2](https://github.com/p11-glue/p11-kit/releases/tag/0.26.2) (includes [0.26.1](https://github.com/p11-glue/p11-kit/releases/tag/0.26.1), [0.26.0](https://github.com/p11-glue/p11-kit/releases/tag/0.26.0), [0.25.10](https://github.com/p11-glue/p11-kit/releases/tag/0.25.10), [0.25.9](https://github.com/p11-glue/p11-kit/releases/tag/0.25.9), [0.25.8](https://github.com/p11-glue/p11-kit/releases/tag/0.25.8), [0.25.7](https://github.com/p11-glue/p11-kit/releases/tag/0.25.7), [0.25.6](https://github.com/p11-glue/p11-kit/releases/tag/0.25.6)))
- base, dev: pax-utils ([1.3.10](https://gitweb.gentoo.org/proj/pax-utils.git/log/?h=v1.3.10))
- base, dev: quota ([4.11](https://sourceforge.net/projects/linuxquota/files/quota-tools/4.11/))
- base, dev: socat ([1.8.1.0](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.8.1.0:/CHANGES))
- base, dev: sqlite ([3.51.2](https://sqlite.org/releaselog/3_51_2.html))
- base, dev: sssd ([2.9.8](https://sssd.io/release-notes/sssd-2.9.8.html))
- base, dev: strace ([6.18](https://github.com/strace/strace/releases/tag/v6.18))
- base, dev: systemd ([258.3](https://github.com/systemd/systemd/releases/tag/v258))
- base, dev: tcpdump ([4.99.6](https://raw.githubusercontent.com/the-tcpdump-group/tcpdump/refs/tags/tcpdump-4.99.6/CHANGES))
- base, dev: timezone-data ([2025c](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/))
- base, dev: util-linux ([2.41.3](https://raw.githubusercontent.com/util-linux/util-linux/refs/tags/v2.41.3/Documentation/releases/v2.41.3-ReleaseNotes))
- base, dev: wireguard-tools ([1.0.20250521](https://git.zx2c4.com/wireguard-tools/log/?h=v1.0.20250521))
- base, dev: xfsprogs ([6.18.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/plain/doc/CHANGES?h=v6.18.0))
- base, dev: xz-utils ([5.8.2](https://github.com/tukaani-project/xz/releases/tag/v5.8.2))
- dev: eselect ([1.4.31](https://gitweb.gentoo.org/proj/eselect.git/plain/NEWS?id=598206e66aa7c08192113249e13f4083a13deeae))
- dev: gdb ([17.1](https://sourceware.org/pipermail/gdb-announce/2025/000147.html))
- dev: gentoolkit ([0.7.1](https://gitweb.gentoo.org/proj/gentoolkit.git/log/?h=gentoolkit-0.7.1))
- dev: iperf ([3.20](https://github.com/esnet/iperf/releases/tag/3.20))
- dev: portage ([3.0.77](https://codeberg.org/gentoo/portage/raw/tag/portage-3.0.77/NEWS) (includes [3.0.76](https://codeberg.org/gentoo/portage/raw/tag/portage-3.0.76/NEWS), [3.0.75](https://codeberg.org/gentoo/portage/raw/tag/portage-3.0.75/NEWS), [3.0.74](https://codeberg.org/gentoo/portage/raw/tag/portage-3.0.74/NEWS), [3.0.73](https://codeberg.org/gentoo/portage/raw/tag/portage-3.0.73/NEWS)))
- sysext-containerd: containerd ([2.2.1](https://github.com/containerd/containerd/releases/tag/v2.2.1))
- sysext-incus, sysext-podman, vmware: fuse ([3.18.1](https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.1) (includes [3.18.0](https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.0)))
- sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers ([535.288.01](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-288-01/index.html))
- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers ([570.211.01](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-211-01/index.html))
- sysext-podman: aardvark-dns ([1.17.0](https://github.com/containers/aardvark-dns/releases/tag/v1.17.0) (includes [1.16.0](https://github.com/containers/aardvark-dns/releases/tag/v1.16.0)))
- sysext-podman: containers-common ([0.64.2](https://github.com/containers/common/releases/tag/v0.64.2) (includes [0.64.1](https://github.com/containers/common/releases/tag/v0.64.1), [0.64.0](https://github.com/containers/common/releases/tag/v0.64.0)))
- sysext-podman: containers-image ([5.36.2](https://github.com/containers/image/releases/tag/v5.36.2) (includes [5.36.1](https://github.com/containers/image/releases/tag/v5.36.1), [5.36.0](https://github.com/containers/image/releases/tag/v5.36.0)))
- sysext-podman: containers-storage ([1.59.1](https://github.com/containers/storage/releases/tag/v1.59.1) (includes [1.59.0](https://github.com/containers/storage/releases/tag/v1.59.0), [1.58.0](https://github.com/containers/storage/releases/tag/v1.58.0)))
- sysext-podman: fuse-overlayfs ([1.16](https://github.com/containers/fuse-overlayfs/releases/tag/v1.16))
- sysext-podman: netavark ([1.17.1](https://github.com/containers/netavark/releases/tag/v1.17.1) (includes [1.17.0](https://github.com/containers/netavark/releases/tag/v1.17.0)))
- sysext-podman: passt ([2025.12.15](https://archives.passt.top/passt-user/20251215183014.758802aa@elisabeth/T/#u))
- sysext-podman: podman ([5.7.1](https://github.com/containers/podman/releases/tag/v5.7.1))
- sysext-python: jaraco-context ([6.1.0](https://raw.githubusercontent.com/jaraco/jaraco.context/refs/tags/v6.1.0/NEWS.rst))
- sysext-python: jaraco-functools ([4.4.0](https://raw.githubusercontent.com/jaraco/jaraco.functools/refs/tags/v4.4.0/NEWS.rst))
- sysext-python: packaging ([26.0](https://github.com/pypa/packaging/releases/tag/26.0))
- sysext-python: trove-classifiers ([2026.1.14.14](https://github.com/pypa/trove-classifiers/releases/tag/2026.1.14.14))
- sysext-python: wheel ([0.46.2](https://github.com/pypa/wheel/releases/tag/0.46.2) (includes [0.46.1](https://github.com/pypa/wheel/releases/tag/0.46.1), [0.46.0](https://github.com/pypa/wheel/releases/tag/0.46.0)))
- vmware: libxslt ([1.1.45](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.45))
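
Review bot: the systemd entry is labelled 258.3 but links to the `v258` release tag, so the link does not describe the point release that is actually being shipped. Point it at the 258.3 release notes or tag, or use the "(includes ...)" form the other entries use when one link covers several versions.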

View File

@ -1,14 +1,14 @@
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EAPI=8
DESCRIPTION="CoreOS developer images and containers (meta package)"
HOMEPAGE="http://coreos.com"
DESCRIPTION="Flatcar developer images and containers (meta package)"
HOMEPAGE="https://www.flatcar.org/"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 arm arm64 x86"
KEYWORDS="amd64 arm64"
# The dependencies here are meant to capture "all the packages
# developers want to use for development, test, or debug". This
@ -38,6 +38,7 @@ RDEPEND="
sys-apps/i2c-tools
sys-apps/kbd
sys-apps/less
sys-apps/man-pages
sys-apps/portage
sys-apps/smartmontools
sys-apps/which
@ -47,4 +48,5 @@ RDEPEND="
sys-fs/squashfs-tools
sys-process/procps
sys-process/psmisc
"
virtual/man
"

View File

@ -79,4 +79,11 @@ DEPEND="${DEPEND}
virtual/ssh
"
# These packages tend to disappear for some reason from reports, even
# if they are a part of the default set of packages.
DEPEND="${DEPEND}
sys-apps/man-pages
virtual/man
"
RDEPEND="${DEPEND}"
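
Review bot: the comment above the new `DEPEND` block says the packages "tend to disappear for some reason from reports", which records a workaround without naming the reports or the cause. Say which report is affected and link the issue that tracks it, so `sys-apps/man-pages` and `virtual/man` can be dropped from this list once the underlying problem is fixed instead of staying pinned here with no way to tell when they are no longer needed.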

View File

@ -1,12 +0,0 @@
# Fix cross-compilation by setting up the environment properly.
#
# This is what go-module_src_unpack does, but docker does not use it.
cros_pre_src_unpack_set_build_env() {
if use amd64 || use arm || use arm64 ||
( use ppc64 && [[ $(tc-endian) == "little" ]] ) || use s390 || use x86; then
GOFLAGS="-buildmode=pie ${GOFLAGS}"
fi
GOFLAGS="${GOFLAGS} -p=$(makeopts_jobs)"
go-env_set_compile_environment
}
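
Review bot: deleting this hook removes the only place visible in this change where `-buildmode=pie` is added to `GOFLAGS` for the docker build (the `use amd64 || use arm || use arm64 ...` branch), and nothing in the commit says what replaces it. Confirm that the updated ebuild now sets the compile environment itself, as the comment says `go-module_src_unpack` does, and note that in the commit message so the PIE hardening is not lost silently.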

View File

@ -1,21 +0,0 @@
# https://codeberg.org/gentoo/gentoo/pulls/36
cros_post_src_compile_move_agent_binaries() {
local bindir="_dist/bin"
local host_arch=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" = "${host_arch}" ]]; then
# nothing to fix
return 0
fi
local correct_bindir="_dist/bin/linux_${GOARCH}"
mv '_dist/bin/incus-agent.'* "${correct_bindir}" || die
}
# https://codeberg.org/gentoo/gentoo/pulls/36
cros_post_src_install_move_agent_binaries() {
if use amd64; then
# nothing to fix
return 0
fi
dodir '/usr/libexec/incus/agents'
mv "${ED}/usr/libexec/incus/incus-agent."* "${ED}/usr/libexec/incus/agents" || die
}

View File

@ -0,0 +1,130 @@
From d583ca9bbfbfa58f8f2c400c7eade02dfc70bbbd Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
Date: Wed, 8 Oct 2025 09:18:51 +0200
Subject: [PATCH] Ignore next/prev of documents when traversing XPath
See https://gitlab.gnome.org/GNOME/libxml2/-/issues/996
---
xpath.c | 66 ++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 49 insertions(+), 17 deletions(-)
diff --git a/xpath.c b/xpath.c
index b8e197cc9..442ce02f8 100644
--- a/xpath.c
+++ b/xpath.c
@@ -6558,12 +6558,18 @@ xmlNode *
xmlXPathNextFollowingSibling(xmlXPathParserContext *ctxt, xmlNode *cur) {
if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
- (ctxt->context->node->type == XML_NAMESPACE_DECL))
- return(NULL);
+ (ctxt->context->node->type == XML_NAMESPACE_DECL))
+ return(NULL);
+
if (cur == (xmlNodePtr) ctxt->context->doc)
return(NULL);
+
if (cur == NULL)
- return(ctxt->context->node->next);
+ cur = ctxt->context->node;
+
+ if (cur->type == XML_DOCUMENT_NODE)
+ return(NULL);
+
return(cur->next);
}
@@ -6581,17 +6587,23 @@ xmlNode *
xmlXPathNextPrecedingSibling(xmlXPathParserContext *ctxt, xmlNode *cur) {
if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
- (ctxt->context->node->type == XML_NAMESPACE_DECL))
- return(NULL);
+ (ctxt->context->node->type == XML_NAMESPACE_DECL))
+ return(NULL);
+
if (cur == (xmlNodePtr) ctxt->context->doc)
return(NULL);
- if (cur == NULL)
- return(ctxt->context->node->prev);
- if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE)) {
- cur = cur->prev;
- if (cur == NULL)
- return(ctxt->context->node->prev);
+
+ if (cur == NULL) {
+ cur = ctxt->context->node;
+ } else if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE)) {
+ cur = cur->prev;
+ if (cur == NULL)
+ cur = ctxt->context->node;
}
+
+ if (cur->type == XML_DOCUMENT_NODE)
+ return(NULL);
+
return(cur->prev);
}
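
Review bot: in the `else if` branch of xmlXPathNextPrecedingSibling, the inner `if (cur == NULL) cur = ctxt->context->node;` can never fire, because the branch is only entered when `cur->prev != NULL` and `cur` has just been set to that value. The check is carried over from the old code; dropping it would make the control flow that leads to the new `XML_DOCUMENT_NODE` test easier to audit.
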
@@ -6626,14 +6638,27 @@ xmlXPathNextFollowing(xmlXPathParserContext *ctxt, xmlNode *cur) {
cur = (xmlNodePtr) ns->next;
}
}
- if (cur == NULL) return(NULL) ; /* ERROR */
- if (cur->next != NULL) return(cur->next) ;
+
+ /* ERROR */
+ if (cur == NULL)
+ return(NULL);
+
+ if (cur->type == XML_DOCUMENT_NODE)
+ return(NULL);
+
+ if (cur->next != NULL)
+ return(cur->next);
+
do {
cur = cur->parent;
- if (cur == NULL) break;
- if (cur == (xmlNodePtr) ctxt->context->doc) return(NULL);
- if (cur->next != NULL) return(cur->next);
+ if (cur == NULL)
+ break;
+ if (cur == (xmlNodePtr) ctxt->context->doc)
+ return(NULL);
+ if (cur->next != NULL && cur->type != XML_DOCUMENT_NODE)
+ return(cur->next);
} while (cur != NULL);
+
return(cur);
}
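
Review bot: the `do { ... } while (cur != NULL);` loop in xmlXPathNextFollowing can only be left with `cur == NULL` (the other exits return directly), so the trailing `return(cur);` always returns NULL. Writing `return(NULL);` would state that outright and make it clear that no document node's `next` can escape through this path.
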
@@ -6746,10 +6771,13 @@ xmlXPathNextPrecedingInternal(xmlXPathParserContextPtr ctxt,
}
ctxt->ancestor = cur->parent;
}
- if (cur->type == XML_NAMESPACE_DECL)
+
+ if (cur->type == XML_NAMESPACE_DECL || cur->type == XML_DOCUMENT_NODE)
return(NULL);
+
if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE))
cur = cur->prev;
+
while (cur->prev == NULL) {
cur = cur->parent;
if (cur == NULL)
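
Review bot: the guard `cur->type == XML_NAMESPACE_DECL || cur->type == XML_DOCUMENT_NODE` here, like the other checks this patch adds, tests only `XML_DOCUMENT_NODE`. libxml2 also has `XML_HTML_DOCUMENT_NODE` for documents built by the HTML parser; please confirm with upstream issue 996 whether such documents can reach these axis functions and, if so, whether they need the same early return.
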
@@ -6760,6 +6788,10 @@ xmlXPathNextPrecedingInternal(xmlXPathParserContextPtr ctxt,
return (cur);
ctxt->ancestor = cur->parent;
}
+
+ if (cur->type == XML_DOCUMENT_NODE)
+ return(NULL);
+
cur = cur->prev;
while (cur->last != NULL)
cur = cur->last;
--
GitLab

View File

@ -0,0 +1,3 @@
The `0001-ignore-next-prev-docs-xpath.patch` is for addressing
CVE-2025-10911 in libxslt. The patch can be dropped when updating
libxml2 to 2.15.2.

View File

@ -1,99 +0,0 @@
From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Sat, 24 May 2025 15:06:42 -0700
Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
and source nodes
* libxslt/functions.c:
(xsltDocumentFunctionLoadDocument):
- Implement fix suggested by Ivan Fratric. This copies the xmlDoc,
calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
xmlDoc to tctxt->docList.
- Add error handling for functions that may return NULL.
* libxslt/transform.c:
- Remove static keyword so this can be called from
xsltDocumentFunctionLoadDocument().
* libxslt/transformInternals.h: Add.
(xsltCleanupSourceDoc): Add declaration.
Fixes #139.
---
libxslt/functions.c | 16 +++++++++++++++-
libxslt/transform.c | 3 ++-
libxslt/transformInternals.h | 9 +++++++++
3 files changed, 26 insertions(+), 2 deletions(-)
create mode 100644 libxslt/transformInternals.h
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 72a58dc4..11ec039f 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -34,6 +34,7 @@
#include "numbersInternals.h"
#include "keys.h"
#include "documents.h"
+#include "transformInternals.h"
#ifdef WITH_XSLT_DEBUG
#define WITH_XSLT_DEBUG_FUNCTION
@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
/*
* This selects the stylesheet's doc itself.
*/
- doc = tctxt->style->doc;
+ doc = xmlCopyDoc(tctxt->style->doc, 1);
+ if (doc == NULL) {
+ xsltTransformError(tctxt, NULL, NULL,
+ "document() : failed to copy style doc\n");
+ goto out_fragment;
+ }
+ xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
+ idoc = xsltNewDocument(tctxt, doc);
+ if (idoc == NULL) {
+ xsltTransformError(tctxt, NULL, NULL,
+ "document() : failed to create xsltDocument\n");
+ xmlFreeDoc(doc);
+ goto out_fragment;
+ }
} else {
goto out_fragment;
}
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 54ef821b..38c2dce6 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -43,6 +43,7 @@
#include "xsltlocale.h"
#include "pattern.h"
#include "transform.h"
+#include "transformInternals.h"
#include "variables.h"
#include "numbersInternals.h"
#include "namespaces.h"
@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
*
* Resets source node flags and ids stored in 'psvi' member.
*/
-static void
+void
xsltCleanupSourceDoc(xmlDocPtr doc) {
xmlNodePtr cur = (xmlNodePtr) doc;
void **psviPtr;
diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
new file mode 100644
index 00000000..d0f42823
--- /dev/null
+++ b/libxslt/transformInternals.h
@@ -0,0 +1,9 @@
+/*
+ * Summary: set of internal interfaces for the XSLT engine transformation part.
+ *
+ * Copy: See Copyright for the status of this software.
+ *
+ * Author: David Kilzer <ddkilzer@apple.com>
+ */
+
+void xsltCleanupSourceDoc(xmlDocPtr doc);
--
2.39.5 (Apple Git-154)

View File

@ -1,2 +0,0 @@
The libxslt project in unmaintained, so we will need to carry the
patch indefinitely.
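
Review bot: this README said the psvi type-confusion patch would have to be carried indefinitely, yet both the README and the patch are deleted here without a stated reason. The changelog in this commit moves libxslt to 1.1.45; if that release contains the `xsltDocumentFunctionLoadDocument` fix, say so in the commit message, otherwise the patch should stay.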

View File

@ -1,47 +0,0 @@
From 2478055bf48a54c0fcb518bbd48a30b307db0009 Mon Sep 17 00:00:00 2001
From: Kerin Millar <kfm@plushkava.net>
Date: Mon, 18 Aug 2025 14:25:20 +0200
Subject: [PATCH 1/2] Support locale-gen-3 (the perl version)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
---
targets/stage1/chroot.sh | 6 +++++-
targets/support/chroot-functions.sh | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/targets/stage1/chroot.sh b/targets/stage1/chroot.sh
index e0587b59..541c060f 100755
--- a/targets/stage1/chroot.sh
+++ b/targets/stage1/chroot.sh
@@ -91,7 +91,11 @@ run_merge --implicit-system-deps=n --oneshot "${buildpkgs[@]}"
# not run locale-gen when ROOT is set. Since we've set LANG, we need to run
# locale-gen explicitly.
if [ -x "$(command -v locale-gen)" ]; then
- locale-gen --destdir "$ROOT"/ || die "locale-gen failed"
+ if ! locale-gen -V | grep -q '^locale-gen-2\.'; then
+ locale-gen --config /etc/locale.gen --prefix "$ROOT"/
+ else
+ locale-gen --destdir "$ROOT"/
+ fi || die "locale-gen failed"
fi
# Why are we removing these? Don't we need them for final make.conf?
diff --git a/targets/support/chroot-functions.sh b/targets/support/chroot-functions.sh
index d8472d46..08738d0a 100755
--- a/targets/support/chroot-functions.sh
+++ b/targets/support/chroot-functions.sh
@@ -284,7 +284,7 @@ show_debug() {
}
readonly locales="
-C.UTF8 UTF-8
+C.UTF-8 UTF-8
"
if [[ ${RUN_DEFAULT_FUNCS} != no ]]
--
2.51.0

View File

@ -1,41 +0,0 @@
From 8f3dad52ef6b7360f69f93554172d76aa5d59d8a Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Mon, 15 Sep 2025 12:35:43 +0100
Subject: [PATCH 2/2] Fix UTF-8 spelling
Bug: https://bugs.gentoo.org/962878
Signed-off-by: Sam James <sam@gentoo.org>
---
catalyst/base/stagebase.py | 2 +-
targets/stage1/chroot.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 8a3d2af6..d09b3aad 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -1252,7 +1252,7 @@ class StageBase(TargetBase, ClearBase, GenBase):
'\n'
'# This sets the language of build output to English.\n'
'# Please keep this setting intact when reporting bugs.\n'
- 'LC_MESSAGES=C.utf8\n')
+ 'LC_MESSAGES=C.UTF-8\n')
def write_binrepos_conf(self):
# only if catalyst.conf defines the host and the spec defines the path...
diff --git a/targets/stage1/chroot.sh b/targets/stage1/chroot.sh
index 541c060f..dc8571bd 100755
--- a/targets/stage1/chroot.sh
+++ b/targets/stage1/chroot.sh
@@ -67,7 +67,7 @@ sed -i "/USE=\"${USE} build\"/d" ${clst_make_conf}
echo "$locales" > /etc/locale.gen
for etc in /etc "$ROOT"/etc; do
- echo "LANG=C.UTF8" > ${etc}/env.d/02locale
+ echo "LANG=C.UTF-8" > ${etc}/env.d/02locale
done
update_env_settings
--
2.51.0

View File

@ -1,3 +0,0 @@
The patches fix some locale generation issues in catalyst - they are
currently a part of the master branch, so there is no release that
contain those fixes yet.

View File

@ -1,4 +0,0 @@
The `0000-gcc15.patch` can be dropped when the PR below gets merged
and we pull the updated ebuild:
https://codeberg.org/gentoo/gentoo/pulls/36

View File

@ -1,7 +1,7 @@
From 61ae07bbf1d7032eef32137b1fe299647602e3de Mon Sep 17 00:00:00 2001
From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Tue, 16 Apr 2019 02:44:51 +0000
Subject: [PATCH] wait-online: set --any by default
Subject: [PATCH 01/20] wait-online: set --any by default
The systemd-networkd-wait-online command would normally continue
waiting after a network interface is usable if other interfaces are
@ -11,8 +11,8 @@ Preserve previous Container Linux behavior for compatibility by
setting the --any flag by default. See patches from v241 (or
earlier) for the original implementation.
---
src/network/wait-online/wait-online.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
src/network/wait-online/wait-online.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
index b1d0b9cde2..e07c11d807 100644
@ -28,5 +28,5 @@ index b1d0b9cde2..e07c11d807 100644
STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_freep);
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 5097368cb45b455355165706876509272e49d538 Mon Sep 17 00:00:00 2001
From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001
From: Alex Crawford <alex.crawford@coreos.com>
Date: Wed, 2 Mar 2016 10:46:33 -0800
Subject: [PATCH 2/8] needs-update: don't require strictly newer usr
Subject: [PATCH 02/20] needs-update: don't require strictly newer usr
Updates should be triggered whenever usr changes, not only when it is newer.
---
@ -10,10 +10,10 @@ Updates should be triggered whenever usr changes, not only when it is newer.
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
index 6b863ecff3..c166c5e7ab 100644
index d9d78262a1..761bbdecca 100644
--- a/man/systemd-update-done.service.xml
+++ b/man/systemd-update-done.service.xml
@@ -50,7 +50,7 @@
@@ -49,7 +49,7 @@
<varname>ConditionNeedsUpdate=</varname> (see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
condition to make sure to run when <filename>/etc/</filename> or
@ -23,10 +23,10 @@ index 6b863ecff3..c166c5e7ab 100644
This requires that updates to <filename>/usr/</filename> are always
followed by an update of the modification time of
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 1a03fdbe37..8577c35fa0 100644
index b09eff1bfb..3a170b1820 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -817,7 +817,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* First, compare seconds as they are always accurate...
*/
if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@ -35,7 +35,7 @@ index 1a03fdbe37..8577c35fa0 100644
/*
* ...then compare nanoseconds.
@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -828,7 +828,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
* (otherwise the filesystem supports nsec timestamps, see stat(2)).
*/
if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@ -44,7 +44,7 @@ index 1a03fdbe37..8577c35fa0 100644
_cleanup_free_ char *timestamp_str = NULL;
r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
@@ -848,7 +848,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
return true;
}

View File

@ -1,7 +1,7 @@
From 18ce110c4a4a5065ac9003ef67ccd58ada6d3c38 Mon Sep 17 00:00:00 2001
From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:22:08 +0000
Subject: [PATCH 3/8] core: use max for DefaultTasksMax
Subject: [PATCH 03/20] core: use max for DefaultTasksMax
Since systemd v228, systemd has a DefaultTasksMax which defaulted
to 512, later 15% of the system's maximum number of PIDs. This
@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index f7b414da5c..9c07e235ab 100644
index cf5a3612f6..a0f9f8ba57 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -230,7 +230,7 @@
@@ -227,7 +227,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
@ -34,10 +34,10 @@ index f7b414da5c..9c07e235ab 100644
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
diff --git a/src/core/manager.c b/src/core/manager.c
index e9fa84079d..af8d3c7b41 100644
index 20a535f2f4..be1c352045 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -117,7 +117,7 @@
@@ -112,7 +112,7 @@
/* How many units and jobs to process of the bus queue before returning to the event loop. */
#define MANAGER_BUS_MESSAGE_BUDGET 100U
@ -45,12 +45,12 @@ index e9fa84079d..af8d3c7b41 100644
+#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */
static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 1c08aa4d22..2faea3605e 100644
index 54196e8489..b0b5c78b56 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -59,7 +59,7 @@
@@ -58,7 +58,7 @@
#DefaultIPAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
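
Review bot: in the src/core/manager.c part of the refreshed patch, `#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */` still carries the `/* 15% */` comment although the value is now 100 out of 100. Update the comment while the patch is being regenerated, so the constant does not read as the 15% limit that the patch description says it replaces.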

View File

@ -1,7 +1,7 @@
From 1716754b1f3ea3d5d3f232d9fe50ba1df0c5eff7 Mon Sep 17 00:00:00 2001
From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 20 Dec 2016 16:43:22 +0000
Subject: [PATCH 4/8] systemd: Disable SELinux permissions checks
Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks
We don't care about the interaction between systemd and SELinux policy, so
let's just disable these checks rather than having to incorporate policy
@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index a67a520a3b..3365b920eb 100644
index 8ccc31630d..34e9cebee8 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -2,7 +2,7 @@
@ -22,8 +22,8 @@ index a67a520a3b..3365b920eb 100644
-#if HAVE_SELINUX
+#if 0
#include <errno.h>
#include <selinux/avc.h>
#include <selinux/selinux.h>
--
2.52.0
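
Review bot: the `#if 0` that replaces `#if HAVE_SELINUX` in src/core/selinux-access.c has no comment at the site, so the source alone does not show that the SELinux access checks are compiled out on purpose and regardless of build configuration. Since the patch is being refreshed anyway, add a short comment on that line pointing at this patch's rationale, so the change is visible to anyone auditing the built tree.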

View File

@ -1,7 +1,7 @@
From 306da1d06e84a721ac34fbc303b4629b2c1c7257 Mon Sep 17 00:00:00 2001
From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 16 Dec 2022 16:28:26 +0530
Subject: [PATCH] Revert "getty: Pass tty to use by agetty via stdin"
Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin"
This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
@ -10,22 +10,24 @@ input for serial consoles (which is used for SSH connections).
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
units/console-getty.service.in | 4 +---
units/container-getty@.service.in | 4 +---
units/getty@.service.in | 4 +---
units/serial-getty@.service.in | 4 +---
4 files changed, 4 insertions(+), 12 deletions(-)
units/console-getty.service.in | 6 +++---
units/container-getty@.service.in | 6 +++---
units/getty@.service.in | 6 +++---
units/serial-getty@.service.in | 6 +++---
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index 967d8337ab..cde822afc8 100644
index 967d8337ab..1f2d8b910f 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -20,12 +20,10 @@ Before=getty.target
@@ -20,12 +20,12 @@ Before=getty.target
ConditionPathExists=/dev/console
[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 console ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
Type=idle
Restart=always
UtmpIdentifier=cons
@ -35,15 +37,17 @@ index 967d8337ab..cde822afc8 100644
TTYReset=yes
TTYVHangup=yes
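Review bot: the `+ExecStart=` line carrying `-o '-- \\u'` differs from the removed line in more than the tty argument: it drops `--issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d` and adds the `-o` login option, while the other `+ExecStart=` variant shown in this hunk changes only `-` to `console`. The subject describes a revert of passing the tty via stdin, so either keep `--issue-file=` and swap only the tty argument, or say in the patch message that the issue-file search path is dropped on purpose. The same applies to the container-getty@, getty@ and serial-getty@ hunks that follow.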
diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
index e0b27613df..2868d56ad0 100644
index e0b27613df..5f27653d1f 100644
--- a/units/container-getty@.service.in
+++ b/units/container-getty@.service.in
@@ -25,13 +25,11 @@ Conflicts=rescue.service
@@ -25,13 +25,13 @@ Conflicts=rescue.service
Before=rescue.service
[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d pts/%I ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
Type=idle
Restart=always
RestartSec=0
@ -54,15 +58,17 @@ index e0b27613df..2868d56ad0 100644
TTYReset=yes
TTYVHangup=yes
diff --git a/units/getty@.service.in b/units/getty@.service.in
index 104c4acc96..bedf0aae54 100644
index 104c4acc96..1819627d1c 100644
--- a/units/getty@.service.in
+++ b/units/getty@.service.in
@@ -34,13 +34,11 @@ Before=rescue.service
@@ -34,13 +34,13 @@ Before=rescue.service
ConditionPathExists=/dev/tty0
[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d %I ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
Type=idle
Restart=always
RestartSec=0
@ -73,15 +79,17 @@ index 104c4acc96..bedf0aae54 100644
TTYReset=yes
TTYVHangup=yes
diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
index 0134c83d48..7e5c8797ca 100644
index 0134c83d48..ba4cbc0edb 100644
--- a/units/serial-getty@.service.in
+++ b/units/serial-getty@.service.in
@@ -30,12 +30,10 @@ Conflicts=rescue.service
@@ -30,12 +30,12 @@ Conflicts=rescue.service
Before=rescue.service
[Service]
-ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 %I ${TERM}
+# The '-o' option value tells agetty to replace 'login' arguments with '--' for
+# safety, and then the entered username.
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
Type=idle
Restart=always
UtmpIdentifier=%I
@ -91,5 +99,5 @@ index 0134c83d48..7e5c8797ca 100644
TTYReset=yes
TTYVHangup=yes
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 63fe9e7a742c070c83919be74c383f74420e6777 Mon Sep 17 00:00:00 2001
From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Fri, 16 Feb 2024 11:29:04 +0000
Subject: [PATCH 6/8] units: Keep using old journal file format
Subject: [PATCH 06/20] units: Keep using old journal file format
Systemd 252 made an incompatible change in journal file format. Temporarily
force journald to use the old journal format to give logging containers more
@ -14,7 +14,7 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2 files changed, 2 insertions(+)
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4404af963b..323af7cfb0 100644
index 1fb080d268..960568aaff 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -30,6 +30,7 @@ IgnoreOnIsolate=yes

View File

@ -1,7 +1,8 @@
From a31573ecdeff40d109951750c7adf086c52c2869 Mon Sep 17 00:00:00 2001
From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 22 Oct 2025 10:39:42 +0200
Subject: [PATCH 7/8] tmpfiles.d: Fix DNS issues with default k8s configuration
Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s
configuration
The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy
"default", but unless the kubelet `--resolv-conf` flag is set to point to

View File

@ -1,38 +1,41 @@
From 3c13363e4b3f2e5bcc762a71460d84b93452f53f Mon Sep 17 00:00:00 2001
From b3430348f5ae93251076fb4e3b4aecbfa02513b5 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 24 Oct 2025 11:06:57 +0200
Subject: [PATCH] units: Make multi-user.target the default target
Subject: [PATCH 08/20] units: Make multi-user.target the default target
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Kai Lueke <kailuke@microsoft.com>
---
units/meson.build | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
units/meson.build | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 4f47a3b2bd..9663e21e0c 100644
index 4f47a3b2bd..63940a72be 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -48,8 +48,7 @@ units = [
@@ -47,10 +47,7 @@ units = [
'file' : 'getty@.service.in',
'symlinks' : ['autovt@.service'],
},
{
- {
- 'file' : 'graphical.target',
- 'symlinks' : ['default.target'],
+ 'file' : 'graphical.target'
},
- },
+ { 'file' : 'graphical.target' },
{ 'file' : 'halt.target' },
{
@@ -142,7 +141,9 @@ units = [
'file' : 'hibernate.target',
@@ -142,7 +139,10 @@ units = [
'conditions' : ['ENABLE_MACHINED'],
},
{ 'file' : 'modprobe@.service' },
- { 'file' : 'multi-user.target' },
+ { 'file' : 'multi-user.target' ,
+ 'symlinks' : ['default.target']
+ {
+ 'file' : 'multi-user.target',
+ 'symlinks' : ['default.target'],
+ },
{ 'file' : 'network-online.target' },
{ 'file' : 'network-pre.target' },
{ 'file' : 'network.target' },
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 6f4b065b626edd8a06ff0c8028173e060b5e444b Mon Sep 17 00:00:00 2001
From 42b6a55f8d2bdf68ff93764219b3bedffb11f4e0 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 03/10] vpick: Don't use openat directly but resolve symlinks
Subject: [PATCH 09/20] vpick: Don't use openat directly but resolve symlinks
in given root
With systemd-sysext --root= all symlinks should be followed relative to
@ -13,7 +13,7 @@ symlink in the given root.
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/shared/vpick.c b/src/shared/vpick.c
index b1b2d93054..dfe58cafa5 100644
index 07d9d9ffd8..b203609cc9 100644
--- a/src/shared/vpick.c
+++ b/src/shared/vpick.c
@@ -471,9 +471,9 @@ static int make_choice(

View File

@ -1,7 +1,7 @@
From 9b6f1b1d8e1066a513a2939c613b36c9e887512c Mon Sep 17 00:00:00 2001
From 530ffcd9e3212e0c93002e752b682dd41a8889b1 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 04/10] discover-image: Follow symlinks in a given root
Subject: [PATCH 10/20] discover-image: Follow symlinks in a given root
So far systemd-sysext with --root= specified didn't follow extension
symlinks (such as the "current" symlinks managed by systemd-sysupdate).
@ -25,7 +25,7 @@ is to do this for the final system which is trusted at this stage.
1 file changed, 122 insertions(+), 40 deletions(-)
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 1402303a8e..97c4284eca 100644
index 888f11f206..53ee30c3f8 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -356,6 +356,8 @@ static int image_make(

View File

@ -1,7 +1,7 @@
From 5480f56002399069f74f30ce3ef620ec44ecf527 Mon Sep 17 00:00:00 2001
From 6a95919888a99d92636e0aa28c68d0f95f16e48e Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 3/7] sysext: Use correct image name for extension release
Subject: [PATCH 11/20] sysext: Use correct image name for extension release
checks
For the extension release check the image name is needed and was derived
@ -21,12 +21,12 @@ device but directly the extension name we have at hand.
2 files changed, 10 insertions(+)
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 91f4407b0e..480ffd221c 100644
index 53ee30c3f8..2801793d6d 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -1822,6 +1822,11 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
@@ -1844,6 +1844,11 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
if (r < 0)
return r;
return log_debug_errno(r, "Failed to decrypt image '%s': %m", i->path);
+ /* Do not use the image name derived from the backing file of the loop device */
+ r = free_and_strdup(&m->image_name, i->name);
@ -53,5 +53,5 @@ index 5d432b42da..72da02cd89 100644
m,
d->fd,
--
2.51.1
2.52.0

View File

@ -1,7 +1,8 @@
From f2e3cd402e64528454d3825681ccf242ff1b46af Mon Sep 17 00:00:00 2001
From 187e60032a26fb58b8944aac5c48a495f9de2644 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 20 Nov 2025 23:43:55 +0900
Subject: [PATCH 4/7] test: Add tests for handling symlinks with systemd-sysext
Subject: [PATCH 12/20] test: Add tests for handling symlinks with
systemd-sysext
When we now allow following symlinks inside a --root= we should also
test that it works in various cases from simple relative and absolute
@ -330,5 +331,5 @@ index ecf0b83b1d..3eec224eb6 100755
--
2.51.1
2.52.0

View File

@ -1,7 +1,7 @@
From cf36f845e6a806161e008def40a271e9e9746c4f Mon Sep 17 00:00:00 2001
From 773073faa6582a0bbb6f3c4d3b35a1a81fbffd81 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Wed, 3 Dec 2025 00:02:32 +0900
Subject: [PATCH 5/7] sysext: Create mutable directory with the right mode
Subject: [PATCH 13/20] sysext: Create mutable directory with the right mode
When the mutable directory didn't exist but gets created with
--mutable=yes then it used to get mode 700 and later it got patched by
@ -41,5 +41,5 @@ index 72da02cd89..d63cf39fbb 100644
if (atfd < 0)
return log_error_errno(errno, "Failed to open directory '%s': %m", path_in_root);
--
2.51.1
2.52.0

View File

@ -1,7 +1,7 @@
From 34f3aeb2b92388e26cabe51e48dea99845e0930f Mon Sep 17 00:00:00 2001
From d8ccdfe333a2eda7770371112cf5dea0ae67598c Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Wed, 26 Nov 2025 00:04:43 +0900
Subject: [PATCH 1/3] sysext: Skip refresh if no changes are found
Subject: [PATCH 14/20] sysext: Skip refresh if no changes are found
When the extensions for the final system are already set up from the
initrd we should avoid disrupting the boot process with the remount
@ -292,7 +292,7 @@ index 5f1d90ad79..f244ffa9f1 100644
+#define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */
+#endif
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index d6d41b4ecf..ddb2edaa33 100644
index 2801793d6d..192ed18687 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -35,6 +35,9 @@

View File

@ -1,7 +1,7 @@
From 439fb373b7360ba3759b8978d0354d4fe760c8f2 Mon Sep 17 00:00:00 2001
From a228e6433b6febd4d252a3cb71bb0c2e63156b93 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 27 Nov 2025 17:49:15 +0900
Subject: [PATCH 2/3] sysext: Get verity user certs from given --root=
Subject: [PATCH 15/20] sysext: Get verity user certs from given --root=
The verity user certs weren't looked up in the given --root= for
systemd-sysext which made it fail to set up extensions with a strict
@ -18,16 +18,16 @@ Signed-off-by: Kai Lueke <kailuke@microsoft.com>
src/machine/machined-varlink.c | 2 +-
src/mountfsd/mountwork.c | 1 +
src/portable/portabled-image-bus.c | 2 +-
src/shared/discover-image.c | 2 +-
src/shared/discover-image.c | 3 +-
src/shared/discover-image.h | 2 +-
src/shared/dissect-image.c | 22 ++++++-----
src/shared/dissect-image.h | 2 +-
src/sysext/sysext.c | 4 +-
test/units/TEST-50-DISSECT.sysext.sh | 58 ++++++++++++++++++++++++++++
11 files changed, 84 insertions(+), 20 deletions(-)
11 files changed, 85 insertions(+), 20 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 283a1108ce..97cf008194 100644
index 2e3b2a4177..95f8714ea6 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -2593,6 +2593,7 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
@ -79,7 +79,7 @@ index 8bc6565079..2857cd18be 100644
return sd_bus_error_set_errnof(error, r, "Failed to read image metadata: %m");
}
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index 52b1fc12d2..1e8f4ce9a8 100644
index 064ffab137..f3676e625c 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -621,7 +621,7 @@ static int list_image_one_and_maybe_read_metadata(sd_varlink *link, Image *image
@ -117,7 +117,7 @@ index e8bcb900ef..380a6d5d45 100644
return sd_bus_error_set_errnof(error, r, "Failed to read image metadata: %m");
}
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 9ce5f028fc..822ea2bd24 100644
index 192ed18687..925bc6010b 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -1766,7 +1766,7 @@ int image_set_pool_limit(ImageClass class, uint64_t referenced_max) {
@ -129,6 +129,14 @@ index 9ce5f028fc..822ea2bd24 100644
_cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
int r;
@@ -1892,6 +1892,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
r = dissected_image_decrypt(
m,
+ root,
/* passphrase= */ NULL,
&verity,
flags);
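Review bot: image_read_metadata() now forwards `root` into dissected_image_decrypt(), so with `--root=` the certificates used for userspace verity signature validation are read from inside that tree, which makes the tree's contents the trust anchor. The patch message should state that assumption explicitly (patch 10 in this series does so for symlinks, saying the final system is trusted at this stage). A `/* root= */` label on the new argument, matching `/* passphrase= */ NULL` on the next line, would also keep the two adjacent arguments from being swapped at call sites such as the one in verity_dissect_and_mount(), where a bare `NULL` is passed.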
diff --git a/src/shared/discover-image.h b/src/shared/discover-image.h
index 7b5593f08d..4d64a306c8 100644
--- a/src/shared/discover-image.h
@ -143,10 +151,10 @@ index 7b5593f08d..4d64a306c8 100644
bool image_in_search_path(RuntimeScope scope, ImageClass class, const char *root, const char *image);
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 715afc8882..8ffb63e1d3 100644
index 64639000b1..cec4225e92 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -2611,7 +2611,7 @@ static char* dm_deferred_remove_clean(char *name) {
@@ -2740,7 +2740,7 @@ static char* dm_deferred_remove_clean(char *name) {
}
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
@ -155,7 +163,7 @@ index 715afc8882..8ffb63e1d3 100644
int r;
if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
@@ -2656,7 +2656,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
@@ -2785,7 +2785,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
/* Because installing a signature certificate into the kernel chain is so messy, let's optionally do
* userspace validation. */
@ -164,7 +172,7 @@ index 715afc8882..8ffb63e1d3 100644
if (r < 0)
return log_debug_errno(r, "Failed to enumerate certificates: %m");
if (strv_isempty(certs)) {
@@ -2718,6 +2718,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
@@ -2847,6 +2847,7 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
static int do_crypt_activate_verity(
struct crypt_device *cd,
@ -172,7 +180,7 @@ index 715afc8882..8ffb63e1d3 100644
const char *name,
const VeritySettings *verity,
DissectImageFlags flags) {
@@ -2765,7 +2766,7 @@ static int do_crypt_activate_verity(
@@ -2894,7 +2895,7 @@ static int do_crypt_activate_verity(
/* Preferably propagate the original kernel error, so that the fallback logic can work,
* as the device-mapper is finicky around concurrent activations of the same volume */
@ -181,7 +189,7 @@ index 715afc8882..8ffb63e1d3 100644
if (k < 0)
return r < 0 ? r : k;
if (k == 0)
@@ -2805,8 +2806,9 @@ static usec_t verity_timeout(void) {
@@ -2934,8 +2935,9 @@ static usec_t verity_timeout(void) {
static int verity_partition(
PartitionDesignator designator,
@ -193,7 +201,7 @@ index 715afc8882..8ffb63e1d3 100644
const VeritySettings *verity,
DissectImageFlags flags,
DecryptedImage *d) {
@@ -2886,7 +2888,7 @@ static int verity_partition(
@@ -3015,7 +3017,7 @@ static int verity_partition(
goto check; /* The device already exists. Let's check it. */
/* The symlink to the device node does not exist yet. Assume not activated, and let's activate it. */
@ -202,7 +210,7 @@ index 715afc8882..8ffb63e1d3 100644
if (r >= 0)
goto try_open; /* The device is activated. Let's open it. */
/* libdevmapper can return EINVAL when the device is already in the activation stage.
@@ -2980,7 +2982,7 @@ static int verity_partition(
@@ -3109,7 +3111,7 @@ static int verity_partition(
*/
sym_crypt_free(cd);
cd = NULL;
@ -211,7 +219,7 @@ index 715afc8882..8ffb63e1d3 100644
}
return log_debug_errno(SYNTHETIC_ERRNO(EBUSY), "All attempts to activate verity device %s failed.", name);
@@ -3000,6 +3002,7 @@ success:
@@ -3129,6 +3131,7 @@ success:
int dissected_image_decrypt(
DissectedImage *m,
@ -219,7 +227,7 @@ index 715afc8882..8ffb63e1d3 100644
const char *passphrase,
const VeritySettings *verity,
DissectImageFlags flags) {
@@ -3047,7 +3050,7 @@ int dissected_image_decrypt(
@@ -3176,7 +3179,7 @@ int dissected_image_decrypt(
if (k >= 0) {
flags |= getenv_bool("SYSTEMD_VERITY_SHARING") != 0 ? DISSECT_IMAGE_VERITY_SHARE : 0;
@ -228,7 +236,7 @@ index 715afc8882..8ffb63e1d3 100644
if (r < 0)
return r;
}
@@ -3080,7 +3083,7 @@ int dissected_image_decrypt_interactively(
@@ -3209,7 +3212,7 @@ int dissected_image_decrypt_interactively(
n--;
for (;;) {
@ -237,7 +245,7 @@ index 715afc8882..8ffb63e1d3 100644
if (r >= 0)
return r;
if (r == -EKEYREJECTED)
@@ -4367,6 +4370,7 @@ int verity_dissect_and_mount(
@@ -4455,6 +4458,7 @@ int verity_dissect_and_mount(
r = dissected_image_decrypt(
dissected_image,
NULL,
@ -259,7 +267,7 @@ index 97431bca67..004dc46dc3 100644
int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags);
int dissected_image_mount_and_warn(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags);
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index c33ce0d0a4..dbd6df63b4 100644
index bfe71f2267..20acc60724 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -1888,7 +1888,7 @@ static int merge_subprocess(
@ -271,7 +279,7 @@ index c33ce0d0a4..dbd6df63b4 100644
if (r < 0)
return r;
@@ -2308,7 +2308,7 @@ static int image_discover_and_read_metadata(ImageClass image_class, Hashmap **re
@@ -2312,7 +2312,7 @@ static int image_discover_and_read_metadata(ImageClass image_class, Hashmap **re
return log_error_errno(r, "Failed to discover images: %m");
HASHMAP_FOREACH(img, images) {

View File

@ -1,7 +1,7 @@
From d711880914fe0e32f3fbc946d8b8ee54031727b1 Mon Sep 17 00:00:00 2001
From aeacbbca05e0479c0768c4b368a2ea68668d20bc Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:03:54 -0400
Subject: [PATCH 1/4] sysext: introduce global config file
Subject: [PATCH 16/20] sysext: introduce global config file
Introduce systemd/{sysext/confext}.conf and systemd/{sysext/confext}.conf.d to provide an
alternative way of setting the cmdline options in systemd-sysext.
@ -85,5 +85,5 @@ index 20acc60724..332fc55bb3 100644
if (r <= 0)
return r;
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 88943429fbf80cf55fc7307ea34b5942524c2f45 Mon Sep 17 00:00:00 2001
From d8eabd012273376febada7ad6c9481a360c2e113 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:28:21 -0400
Subject: [PATCH 2/4] man/sysext.conf: add systemd-sysext config files
Subject: [PATCH 17/20] man/sysext.conf: add systemd-sysext config files
Add sysext.conf, which similar to other configs like coredump, will be
searched in:
@ -152,5 +152,5 @@ index 3f60c85dba..6df2d94e9f 100644
<member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>importctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 363c849b4faed27449a0e3ee41c302709aec0807 Mon Sep 17 00:00:00 2001
From dccee58738d9602dd62f482ed11152f51b4da896 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 10:16:24 -0400
Subject: [PATCH 3/4] sysext: support ImagePolicy global config option
Subject: [PATCH 18/20] sysext: support ImagePolicy global config option
Just as Mutable=, support ImagePolicy in systemd/{sysext/confext}.conf and
dropins in systemd/{sysext.confext}.conf.d/* configs.
@ -46,5 +46,5 @@ index 332fc55bb3..9656e975c4 100644
};
_cleanup_free_ char *config_file = NULL;
--
2.51.0
2.52.0

View File

@ -1,7 +1,7 @@
From 3498a462f517b024b3125e0bb79c8c6c54bb62c9 Mon Sep 17 00:00:00 2001
From 5d8c8737ea0b44c50e4e60a9c93c7321051f7955 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Thu, 11 Dec 2025 19:49:20 +0900
Subject: [PATCH] sysext: Fix config file support with --root=
Subject: [PATCH 19/20] sysext: Fix config file support with --root=
Config files for --root= weren't picked up as expected because the
--root= flag got parsed after the config file.

View File

@ -1,10 +1,8 @@
This can be dropped in v285.5+.
From b1d53ddea750f761234c2d8fb04b10f23f77347e Mon Sep 17 00:00:00 2001
From 4bf1282faa430669eba4169837657f00f2cba019 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger <hashworks@archlinux.org>
Date: Wed, 8 Oct 2025 16:55:09 +0200
Subject: [PATCH] Drop `machine-id` OSC event field if /etc/machine-id doesn't
exist
Subject: [PATCH 20/20] Drop `machine-id` OSC event field if /etc/machine-id
doesn't exist
While we can safely assume that `/proc/sys/kernel/random/boot_id`
exists, the same can't be said for `/etc/machine-id` in environments
@ -18,9 +16,15 @@ no such file or directory` with the OSC events introduced in dadbb34
[0] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/107
(cherry picked from commit 0fe45b98dd737da86fcbb703809ebf2163c397f3)
---
profile.d/80-systemd-osc-context.sh | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/profile.d/80-systemd-osc-context.sh b/profile.d/80-systemd-osc-context.sh
index a0ac858828..ead61b6753 100644
--- a/profile.d/80-systemd-osc-context.sh
+++ b/profile.d/80-systemd-osc-context.sh
@@ -32,7 +32,10 @@ __systemd_osc_context_escape() {
@@ -28,7 +28,10 @@ __systemd_osc_context_escape() {
}
__systemd_osc_context_common() {
@ -32,3 +36,6 @@ no such file or directory` with the OSC events introduced in dadbb34
}
__systemd_osc_context_precmdline() {
--
2.52.0

View File

@ -1,4 +1,4 @@
Most of these patches are not really upstreamable.
Most of these patches are not really upstreamable:
- `0001-wait-online-set-any-by-default.patch`
- backward compat stuff
@ -18,3 +18,21 @@ Most of these patches are not really upstreamable.
- workaround for issues with default k8s coredns config
- `0008-units-Make-multi-user.target-the-default-target.patch`
- change default.target to a suitable symlink for Flatcar
These patches can be dropped after we update to systemd 260:
- `0009-vpick-Don-t-use-openat-directly-but-resolve-symlinks.patch`
- `0010-discover-image-Follow-symlinks-in-a-given-root.patch`
- `0011-sysext-Use-correct-image-name-for-extension-release-.patch`
- `0012-test-Add-tests-for-handling-symlinks-with-systemd-sy.patch`
- `0013-sysext-Create-mutable-directory-with-the-right-mode.patch`
- `0014-sysext-Skip-refresh-if-no-changes-are-found.patch`
- `0015-sysext-Get-verity-user-certs-from-given-root.patch`
- `0016-sysext-introduce-global-config-file.patch`
- `0017-man-sysext.conf-add-systemd-sysext-config-files.patch`
- `0018-sysext-support-ImagePolicy-global-config-option.patch`
- `0019-sysext-Fix-config-file-support-with-root.patch`
This patch can be dropped after updating to systemd 258.5:
- `0020-Drop-machine-id-OSC-event-field-if-etc-machine-id-do.patch`

View File

@ -15,7 +15,7 @@
# Keep versions on both arches in sync.
=app-containers/cri-tools-1.33.0 ~arm64
=app-containers/incus-6.0.5 ~arm64
=app-containers/incus-6.0.5-r1 ~arm64
=app-containers/lxc-6.0.5 ~arm64
# We always want the latest version available.
@ -41,6 +41,9 @@ app-crypt/azure-keyvault-pkcs11
# Keep versions on both arches in sync.
=app-crypt/mit-krb5-1.21.3-r1 ~arm64
# Needed to address CVE-2026-2100.
=app-crypt/p11-kit-0.26.2
# No stable keywords yet because it's new.
=app-emulation/open-vmdk-0.3.12 ~amd64
@ -61,14 +64,13 @@ dev-db/etcd amd64
# Keep versions on both arches in sync.
=dev-libs/cowsql-1.15.9 ~arm64
=dev-libs/ding-libs-0.6.2-r1 ~arm64
=dev-libs/elfutils-0.194 ~amd64
# Needed to address CVE-2025-13601, CVE-2025-14087
=dev-libs/glib-2.84.4-r2
# The only available ebuild has ~amd64 and no keyword for arm64 yet.
=dev-libs/jose-14 **
# Keep versions on both arches in sync.
=dev-libs/libnl-3.11.0 ~amd64
# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
=dev-libs/luksmeta-9-r1 **
@ -78,29 +80,43 @@ dev-db/etcd amd64
# Used to be in sdk target profile, unversioned, so pinning it to a
# version used at a time of the move. Needed for building signed
# sysexts with systemd-repart
=dev-libs/xxhash-0.8.3-r1
=dev-libs/xxhash-0.8.3-r2
# No arm64 keyword in package.
=dev-util/bsdiff-4.3-r4 **
# Catalyst 4 is not stable yet, but earlier versions are masked now.
=dev-util/catalyst-4.0.0 ~amd64 ~arm64
=dev-util/catalyst-4.1.1 ~amd64 ~arm64
# Needed to build with gcc 15
=net-analyzer/netperf-2.7.0_p20210121-r1
# Keep versions on both arches in sync.
=net-firewall/conntrack-tools-1.4.8-r1 ~arm64
# Needed to address CVE-2025-14831, CVE-2026-1584
=net-libs/gnutls-3.8.12
# Keep versions on both arches in sync.
=net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
=net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
# Needed to address CVE-2025-10158
=net-misc/rsync-3.4.1-r2
# Packages are in Gentoo but not expected to be used outside Flatcar, so they
# are generally never stabilised. Thus an unusual form is used to pick up the
# latest version of the package with the unstable keywords.
sys-apps/azure-vm-utils
# Will be handy for arm64 sdk.
=sys-apps/iucode_tool-2.3.1-r2
# Keep versions on both arches in sync.
=sys-apps/zram-generator-1.2.1 ~arm64
=sys-auth/sssd-2.9.7 ~arm64
# Needed to address CVE-2025-11561
=sys-auth/sssd-2.9.8
# Keep versions on both arches in sync.
=sys-boot/mokutil-0.7.2 **
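Review bot: the entries commented "Needed to address CVE-…" in this hunk (`=net-libs/gnutls-3.8.12`, `=net-misc/rsync-3.4.1-r2`, `=sys-auth/sssd-2.9.8`) are exact-version atoms and carry no note on when they can be removed. An `=` atom stops matching as soon as the package moves to another version or revision, so each comment should say what lifts the pin (for example, the fixed version receiving a stable keyword). That lets stale entries be pruned during the weekly update instead of accumulating.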
@ -108,15 +124,8 @@ sys-apps/azure-vm-utils
# Enable ipvsadm for arm64.
=sys-cluster/ipvsadm-1.31-r1 ~arm64
# Used to be in sdk target profile, unversioned, so pinning it to a
# version used at a time of the move. Needed for building signed
# sysexts with systemd-repart
=sys-fs/erofs-utils-1.8.10-r1
# Keep versions on both arches in sync.
=sys-fs/lxcfs-6.0.5 ~arm64
=sys-fs/zfs-2.3.4 ~arm64
=sys-fs/zfs-kmod-2.3.4 ~arm64
# Bump early for newer features.
=sys-kernel/dracut-109* ~amd64 ~arm64
@ -124,6 +133,3 @@ sys-apps/azure-vm-utils
# Our own ebuild fixing issues in Gentoo, hopefully will be fixed
# there too eventually.
=sys-libs/libselinux-3.8.1-r3 ~amd64 ~arm64
# Use new systemd
=sys-apps/systemd-258.2 ~amd64 ~arm64

View File

@ -15,7 +15,7 @@ dev-vcs/git webdav curl
# I'm not sure we really need it.)
# Disable websockets, we never had them, and now they are enabled by default.
net-misc/curl kerberos telnet -http3 -quic -curl_quic_openssl -websockets
net-misc/iputils arping tracepath
net-misc/iputils arping tracepath -suid
sys-devel/gettext -git
# for profile migration, needs to be enabled despite the fact it's
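Review bot: `-suid` on `net-misc/iputils` is added without a comment, unlike the curl line above it, which explains each disabled flag. Add a line saying why the setuid bit is dropped and what unprivileged users are expected to rely on for ping instead (file capabilities or the kernel's unprivileged ICMP sockets), so a later flag review does not revert it by accident.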
@ -143,7 +143,6 @@ sys-apps/findutils selinux
# Flatcar defaults formerly defined in coreos-overlay ebuilds
app-containers/containerd btrfs device-mapper
app-containers/docker btrfs overlay seccomp
app-containers/docker-cli hardened
# Drop python dependencies from some SELinux packages.
#
@ -197,3 +196,8 @@ app-emulation/open-vmdk -python
# Avoid pulling extra perl packages
dev-perl/File-Slurper minimal
# We don't need debuginfod support.
dev-debug/gdb -debuginfod
dev-util/elfutils -debuginfod -libarchive
sys-devel/binutils -debuginfod

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -16,7 +16,7 @@ SRC_URI="https://dev.gentoo.org/~ulm/eselect/${P}.tar.xz"
LICENSE="GPL-2+ || ( GPL-2+ CC-BY-SA-4.0 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
IUSE="doc emacs vim-syntax"
# coreutils for realpath

View File

@ -1,28 +0,0 @@
# Copyright 2022-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
ALTERNATIVES=(
"reference:>=app-crypt/gnupg-2.4.8-r1[alternatives(-),nls?,ssl?]"
)
inherit app-alternatives
DESCRIPTION="gpg symlink"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
IUSE="nls ssl"
RDEPEND="
!app-crypt/gnupg[-alternatives(-)]
"
src_install() {
local alt=$(get_alternative)
dodir /usr/bin
dosym "gpg-${alt}" /usr/bin/gpg
dosym "gpgv-${alt}" /usr/bin/gpgv
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
}

View File

@ -1,35 +0,0 @@
# Copyright 2022-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
ALTERNATIVES=(
"reference:>=app-crypt/gnupg-2.4.8-r1[alternatives(-),nls?,ssl?]"
)
inherit app-alternatives
DESCRIPTION="gpg symlink"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
IUSE="nls ssl"
RDEPEND="
!app-crypt/gnupg[-alternatives(-)]
!=app-crypt/gnupg-2.4.8-r1
!=app-crypt/gnupg-2.5.13-r1
"
src_install() {
local alt=$(get_alternative)
dodir /usr/bin
dosym "gpg-${alt}" /usr/bin/gpg
dosym "gpgv-${alt}" /usr/bin/gpgv
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
newman - gpg.1 <<<".so gpg-${alt}.1"
newman - gpgv.1 <<<".so gpgv-${alt}.1"
newman - gpg2.1 <<<".so gpg.1"
newman - gpgv2.1 <<<".so gpgv.1"
}

View File

@ -1,36 +0,0 @@
# Copyright 2022-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
ALTERNATIVES=(
"reference:>=app-crypt/gnupg-2.4.8-r1[alternatives(-),nls?,ssl?]"
"freepg:app-crypt/freepg[nls?,ssl?]"
"sequoia:app-crypt/sequoia-chameleon-gnupg"
)
inherit app-alternatives
DESCRIPTION="gpg symlink"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ppc ppc64 ~riscv ~s390 ~sparc x86 ~x64-macos ~x64-solaris"
IUSE="nls ssl"
RDEPEND="
!app-crypt/gnupg[-alternatives(-)]
"
src_install() {
local alt=$(get_alternative)
case ${alt} in
sequoia)
alt=sq
;;
esac
dodir /usr/bin
dosym "gpg-${alt}" /usr/bin/gpg
dosym "gpgv-${alt}" /usr/bin/gpgv
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
}

View File

@ -12,7 +12,7 @@ ALTERNATIVES=(
inherit app-alternatives
DESCRIPTION="gpg symlink"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
IUSE="nls ssl"
RDEPEND="

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -39,6 +39,7 @@ RDEPEND="
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}
elibc_musl? ( sys-libs/queue-standalone )
kernel_linux? (
virtual/os-headers
e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
@ -56,7 +57,6 @@ DEPEND="${RDEPEND}
BDEPEND="
virtual/pkgconfig
verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20251118 )
elibc_musl? ( sys-libs/queue-standalone )
"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/libarchive.org.asc
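
Review bot: the `elibc_musl? ( sys-libs/queue-standalone )` line shows up under BDEPEND in this hunk and under DEPEND in the previous one, and the hunk sizes say it moves from the former to the latter, but nothing in the ebuild records why. A short comment that the package supplies headers the build needs in the target sysroot on musl would keep a later editor from moving it back. The same applies to the other two libarchive ebuilds changed in this commit.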

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -39,6 +39,7 @@ RDEPEND="
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}
elibc_musl? ( sys-libs/queue-standalone )
kernel_linux? (
virtual/os-headers
e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
@ -56,7 +57,6 @@ DEPEND="${RDEPEND}
BDEPEND="
virtual/pkgconfig
verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20251118 )
elibc_musl? ( sys-libs/queue-standalone )
"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/libarchive.org.asc

View File

@ -39,6 +39,7 @@ RDEPEND="
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}
elibc_musl? ( sys-libs/queue-standalone )
kernel_linux? (
virtual/os-headers
e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
@ -56,7 +57,6 @@ DEPEND="${RDEPEND}
BDEPEND="
virtual/pkgconfig
verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20251118 )
elibc_musl? ( sys-libs/queue-standalone )
"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/libarchive.org.asc

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Remember: we cannot leverage autotools in this ebuild in order
@ -35,7 +35,7 @@ else
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}/${MY_P}"

View File

@ -1 +1,2 @@
DIST zstd-1.5.7.tar.gz 2434947 BLAKE2B ef6bcf13bbb79edce2de21ef4860b01dcb4d2dd47ebd03657d5331c3bb1a207ef128e99ed907a32e787dca7bb51df225ebd8abb2097d03d02c003ca713e1e271 SHA512 b4de208f179b68d4c6454139ca60d66ed3ef3893a560d6159a056640f83d3ee67cdf6ffb88971cdba35449dba4b597eaa8b4ae908127ef7fd58c89f40bf9a705
DIST zstd-1.5.7.tar.gz.sig 858 BLAKE2B 4dd9e9a1df48f458d7b6f0d50cf6134f40e2b7e678108c8aad07ef4eac294ceafb06ebd4966bd4256c82dfe088df06c18ef9a37c8e5e3925f29cadeb97969a77 SHA512 9d88171296cffd9b02700999c86d3509dc0349a857fc8961bb1fe34b7dfec19bd0c8622c79e02a0165f067ba28a8430c48804a937e548aa7f52d8ff482ba586c

View File

@ -1,13 +1,17 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit dot-a meson-multilib
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/zstd.asc
inherit dot-a meson-multilib verify-sig
DESCRIPTION="zstd fast compression library"
HOMEPAGE="https://facebook.github.io/zstd/"
SRC_URI="https://github.com/facebook/zstd/releases/download/v${PV}/${P}.tar.gz"
SRC_URI="
https://github.com/facebook/zstd/releases/download/v${PV}/${P}.tar.gz
verify-sig? ( https://github.com/facebook/zstd/releases/download/v${PV}/${P}.tar.gz.sig )
"
S="${WORKDIR}"/${P}/build/meson
LICENSE="|| ( BSD GPL-2 )"
@ -22,6 +26,7 @@ RDEPEND="
zlib? ( virtual/zlib:= )
"
DEPEND="${RDEPEND}"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-zstd )"
MESON_PATCHES=(
# Workaround until Valgrind bugfix lands
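
Review bot: `sec-keys/openpgp-keys-zstd` is added to BDEPEND without a minimum version, whereas the libarchive ebuilds in this same commit pin `>=sec-keys/openpgp-keys-libarchive-20251118`. If the upstream signing key is ever rotated, an older key package that is already installed would still satisfy this dependency, and verification of `${P}.tar.gz.sig` would then fail or keep relying on a retired key until the user updates it by hand. Consider pinning the key package version that carries the key used for this release.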

View File

@ -1,4 +1,4 @@
# Copyright 2023-2025 Gentoo Authors
# Copyright 2023-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -16,7 +16,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="${CARGO_CRATE_URIS}"
SRC_URI+="https://github.com/containers/aardvark-dns/releases/download/v${PV}/${PN}-v${PV}-vendor.tar.gz"
KEYWORDS="~amd64 ~arm64 ~loong ~ppc64 ~riscv"
KEYWORDS="amd64 arm64 ~loong ~ppc64 ~riscv"
fi
# main

View File

@ -6,3 +6,4 @@ DIST containerd-2.1.0.tar.gz 10610618 BLAKE2B 147c21b4650543af9b0e533e381a0505ba
DIST containerd-2.1.1.tar.gz 10610787 BLAKE2B acc2d769752c783643795d228c0d267b0802e09166dc783e84087da0029a822a64688f5e59c047c47b25f50ca2a1ccb7f5b6216ad6beeb4489df308e525e9716 SHA512 542f7cae61e1ef2e1b529b0bea66d7ad9016d4605de73de9c9c8a738e50ec6f470b939d1546482320515b77424bffe1cf24b721173ac0c0ecd0100c92817cfb1
DIST containerd-2.1.4.tar.gz 10614131 BLAKE2B b8f4007b4bb368a1fa04c913d606f65d2ea4a17a6419ce12f2b6112eee2574d7a09fb8e2500d1c2f21bef8792dc047df4d63446211ae006662e616facda91f24 SHA512 a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15
DIST containerd-2.2.0.tar.gz 11475770 BLAKE2B 154d7d547d52925ff46431cea20db38dc72ec87ef90fd112472cb3ec7f2ebd8cfb121f98a3bc3870f8452473b35c3e1c84671b9fc31347f98259b34a70e740f9 SHA512 3121a1e0401e0283ff9d8454e945b427bcb0214e7e67271815117cb82dee1488c4d963c2193eb9c0ab5d395dd2e2705975ac31ce3e400264933d05d62fd0faac
DIST containerd-2.2.1.tar.gz 11492859 BLAKE2B 5ee7a5388ec5a247a530be505068162318505741e77ab2a103ba8a33c3e76fbac55a64504429f9c636e41cb4826e1acc6b7f817398928a0d6b8ebd94797b8b7b SHA512 6bbfe356bdb0fd70c5b3ca0d932b790bb34b40832392e6a309a907351dc344e3b6059e2cd583145200aab218b4e8f5160d698f2b3a84d05bbf834d023eea4bd3

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
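
Review bot: the reason for dropping `hardened` is not recorded near this `myemakeargs` block, and the change affects how the binary is linked: with the flag set, `LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"` passed `-fno-PIC` to the external linker. Add a one-line comment or changelog entry saying why it is no longer needed, and confirm no other `use hardened` or `usex hardened` call remains in the file, since querying a flag that is no longer in IUSE is an error. The same pair of hunks repeats across the other containerd ebuilds in this commit.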

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -60,7 +60,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -59,7 +59,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
@ -59,7 +59,6 @@ src_compile() {
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)

View File

@ -0,0 +1,93 @@
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module systemd toolchain-funcs
GIT_REVISION=dea7da592f5d1d2b7755e3a161be07f43fad8f75
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test"
COMMON_DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
DEPEND="
${COMMON_DEPEND}
"
# recommended minimum version of runc is found in script/setup/runc-version
RDEPEND="
${COMMON_DEPEND}
>=app-containers/runc-1.3.4[apparmor?,seccomp?]
"
BDEPEND="
dev-go/go-md2man
virtual/pkgconfig
"
# tests require root or docker
RESTRICT+="test"
src_prepare() {
default
sed -i \
-e "s/-s -w//" \
Makefile || die
sed -i \
-e "s:/usr/local:/usr:" \
containerd.service || die
}
src_compile() {
local options=(
$(usev apparmor)
$(usex btrfs "" "no_btrfs")
$(usex cri "" "no_cri")
$(usex device-mapper "" "no_devmapper")
$(usev seccomp)
$(usev selinux)
)
myemakeargs=(
BUILDTAGS="${options[*]}"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
# The Go env is already set, but reset it for CBUILD in a subshell to allow
# building the man pages when cross-compiling.
(
CHOST="${CBUILD}" go-env_set_compile_environment
# race condition in man target https://bugs.gentoo.org/765100
tc-env_build emake "${myemakeargs[@]}" man -j1 #nowarn
)
emake "${myemakeargs[@]}" all
}
src_install() {
rm bin/gen-manpages || die
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
newinitd "${FILESDIR}"/${PN}.initd "${PN}"
systemd_dounit containerd.service
keepdir /var/lib/containerd
# we already installed manpages, remove markdown source
# before installing docs directory
rm -r docs/man || die
local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
einstalldocs
}
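
Review bot: `test` is still listed in IUSE, but `RESTRICT+="test"` is unconditional and none of DEPEND, RDEPEND or BDEPEND has a `test?` branch, so the flag does nothing. Drop `test` from IUSE, or make the restriction conditional if the suite is meant to be runnable. Separately, `GIT_REVISION` is a hard-coded hash that only reaches the build as `REVISION="${GIT_REVISION}"`; a comment that it must be refreshed to the commit behind `v${PV}` on every bump would help the next updater.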

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -14,7 +14,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="https://github.com/containers/common/archive/v${PV}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/${P#containers-}"
KEYWORDS="~amd64 ~arm64 ~loong ~riscv"
KEYWORDS="amd64 arm64 ~loong ~riscv"
fi
LICENSE="Apache-2.0"

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="https://github.com/containers/image/archive/v${PV}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/${P#containers-}"
KEYWORDS="~amd64 ~arm64 ~loong ~riscv"
KEYWORDS="amd64 arm64 ~loong ~riscv"
fi
LICENSE="Apache-2.0"

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="https://github.com/containers/storage/archive/v${PV}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/${P#containers-}"
KEYWORDS="~amd64 ~arm64 ~loong ~riscv"
KEYWORDS="amd64 arm64 ~loong ~riscv"
fi
LICENSE="Apache-2.0"

View File

@ -1,9 +1,9 @@
# Copyright 2021-2025 Gentoo Authors
# Copyright 2021-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module shell-completion toolchain-funcs
inherit go-env go-module shell-completion sysroot
DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
@ -21,18 +21,14 @@ src_compile() {
CRICTL="build/bin/${GOOS}/${GOARCH}/crictl"
emake VERSION="${PV}"
if ! tc-is-cross-compiler; then
"${CRICTL}" completion bash > crictl.bash || die
"${CRICTL}" completion zsh > crictl.zsh || die
fi
sysroot_try_run_prefixed "${CRICTL}" completion bash > crictl.bash || die
sysroot_try_run_prefixed "${CRICTL}" completion zsh > crictl.zsh || die
}
src_install() {
einstalldocs
dobin "${CRICTL}"
if ! tc-is-cross-compiler; then
newbashcomp crictl.bash crictl
newzshcomp crictl.zsh _crictl
fi
[[ -s crictl.bash ]] && newbashcomp crictl.bash crictl
[[ -s crictl.zsh ]] && newzshcomp crictl.zsh _crictl
}
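
Review bot: in `src_install`, `[[ -s crictl.zsh ]] && newzshcomp crictl.zsh _crictl` is the last command, so the function ends with a non-zero status whenever the completion file is empty, which is the case the `-s` tests are there to handle. Write it as `if [[ -s crictl.zsh ]]; then newzshcomp crictl.zsh _crictl; fi` (and the same for the bash file) so the skip path does not leave a failure status behind. If an empty file is the expected result when `sysroot_try_run_prefixed` cannot execute `${CRICTL}`, say so in a comment in `src_compile`, because the `|| die` next to it reads as the opposite.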

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -18,7 +18,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -43,7 +43,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -24,7 +24,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -49,7 +49,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -24,7 +24,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -49,7 +49,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -24,7 +24,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -49,7 +49,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -23,7 +23,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -48,7 +48,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary manpages

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -17,7 +17,7 @@ S="${WORKDIR}/cli-${PV}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="hardened selinux"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-docker )"
@ -37,7 +37,6 @@ src_compile() {
CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary manpages

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -232,6 +232,7 @@ pkg_setup() {
src_unpack() {
default
go-module_src_unpack
cd "${S}"
[[ -f go.mod ]] || ln -s vendor.mod go.mod || die
[[ -f go.sum ]] || ln -s vendor.sum go.sum || die
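
Review bot: `cd "${S}"` has no `|| die`, unlike the two `ln -s` lines right after it. If the directory change fails, the `[[ -f go.mod ]]` and `[[ -f go.sum ]]` tests and the symlinks they create run in whatever directory `go-module_src_unpack` left behind. Make it `cd "${S}" || die`; the same hunk appears in the other docker ebuilds in this commit.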

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -232,6 +232,7 @@ pkg_setup() {
src_unpack() {
default
go-module_src_unpack
cd "${S}"
[[ -f go.mod ]] || ln -s vendor.mod go.mod || die
[[ -f go.sum ]] || ln -s vendor.sum go.sum || die

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -232,6 +232,7 @@ pkg_setup() {
src_unpack() {
default
go-module_src_unpack
cd "${S}"
[[ -f go.mod ]] || ln -s vendor.mod go.mod || die
[[ -f go.sum ]] || ln -s vendor.sum go.sum || die

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -239,6 +239,7 @@ pkg_setup() {
src_unpack() {
default
go-module_src_unpack
cd "${S}"
[[ -f go.mod ]] || ln -s vendor.mod go.mod || die
[[ -f go.sum ]] || ln -s vendor.sum go.sum || die

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -239,6 +239,7 @@ pkg_setup() {
src_unpack() {
default
go-module_src_unpack
cd "${S}"
[[ -f go.mod ]] || ln -s vendor.mod go.mod || die
[[ -f go.sum ]] || ln -s vendor.sum go.sum || die

View File

@ -1,16 +1,6 @@
DIST incus-6.0.3.tar.xz 11916020 BLAKE2B d3d998bd50124604c52ff007eefed586c216ce1a0a77d45724fd489db1d93f2fa304f5d6e1c368ff2dd4d1170b24605fd24bbf2a6e4506207686ca392936c200 SHA512 6a879e6634cf545b4c427800d923a32e5fe58a6eaf220ad8d0cb08e0ced5e6c4be09274ae095bb9dae25a55445462ea83d3d9235f67bbb9896944f596bf17e1a
DIST incus-6.0.3.tar.xz.asc 833 BLAKE2B 38835ab036709161150992cb40df4ff1ae1887d4f3e0b037d0415f75d2bb711cb3c5945bffe1b91d289acfb7e19e726964278e5c2ab31731ba9f7534f139dec7 SHA512 7d5360ab91aafe1d047a60e38a07e24c3c7b158e753087a943ec5e59d6a27c19a872080c9007b6cf592040d3408845bc188d76f6e732408d0680a3782cebce47
DIST incus-6.0.4.tar.xz 12000208 BLAKE2B 99a4ba40d2eea48515b88f4534c282adc925fe1b5487dc98901f000894b3781aec89f617d2246314cf9a95a7d65531e486c4092f8939722e1b3c2bf7d33063c8 SHA512 14a5cdad3f9365d58e526c8f451d9e7a57729010073caff31256e0b94d28206adc82ead4820278e7eac17b74d22a76d9f3b9f5f8424ddbfa6b74a5cea13e019f
DIST incus-6.0.4.tar.xz.asc 833 BLAKE2B 96c94cde55cd2e9f7f28db7adb098adf4895437d300dfd42aeac540cdab6677fb604831c28f40f8581e60b89b228557d81696cd64950a1c2147b445a5ec58b30 SHA512 1ef2063eab424467c805f8c86b5b0caca848f46d2ef7ebf602049fe32ee15a7e1006d5a2710b355604aef73802b4333cd0428c772e1c5fc4da588c2cd7ee1694
DIST incus-6.0.5.tar.xz 12532820 BLAKE2B a256c37c309d82f6326ede3d90e20522ff91317b1bce0a4dc1c391c2694599c7f3f6ab06368757a12e85133f82bd85ea4d50906dc250f43563a6ff765850b874 SHA512 b209dde671b13e101ccdf0daf975ae8547d050ec95e67ad1ee17aa99761e8ed3327e7edace0c4394aa79932d11b846e0f1edf5f95b2ad0b56eafca9905e844c8
DIST incus-6.0.5.tar.xz.asc 833 BLAKE2B 1e8818fdb2edf9ff0d0288d2a7d61585571a0fdfe514e1bdf05b27b607560115168c07d420f8384d07d216fdc8dc1f31113fa5afa4838042743636974bf76151 SHA512 d0412fe8850ff5783d4c3cee982ff8beac74f19c5dc538438fc210b9f7421bcb6e663e4c32f9a2604f1a5e2f42d8bb8d3f8e599f15a0fa1b5fa6f1bc1982b1dd
DIST incus-6.14.tar.xz 12509468 BLAKE2B ec3bb614088d82e07c13169a6b26d8c83214fddbdf30049d58f2cca2678a16ccb6acca7bba68d4e15a514dad71639a144a7b2f4b9f3efdf9c8ca8d750692e250 SHA512 186abb32dcfbe851f04131ea7a9256fafaa465d40379e825554275697e04f005920c09939a8cb199b499b60df667921900c4a2d5b9a7ab9bd20b3e473468dbf1
DIST incus-6.14.tar.xz.asc 833 BLAKE2B c9cfa631bb316234a6958f2aa3e708e32ea2fca34357700e7d1e38723be539f5b6b1484597c18baca1f22d922c7aca148463dfc0b818f7809126e6873e4826b5 SHA512 6a2f4ceeab44462cca74799a1c135eeb17cbece3d270c5195c3eacda8ea24419fc34cab6d157dbfed803bb269df42a02abc417b98887cec5f10b0ec70b430644
DIST incus-6.15.tar.xz 12716184 BLAKE2B bc821575f7f24b42054028ce628a29f38ef41b8a31a94f34381019306681f9279ae6c36cb00b7f84d62f5ddc89d27216d753e5c0f5ec1d327bbd283ab5fe1e15 SHA512 7561abce8eb9c01764aca9bb5477028439c05f6c1c20637f288028be93f4bc0d74a36af76f7ad0e35028dfe40e2a0bb2d7b4a363d1da35fe657072f5d847c78e
DIST incus-6.15.tar.xz.asc 833 BLAKE2B ccab84a2fd3f9d6971ff0fd7cba9afc23dbe0fc0bcb8738656f9071db7c773840566009d5014dc15d37be26bff018e3faf8af59dd5d50b629aebd2e79cf3dc5e SHA512 b1bf43ffff719a3f1c6be7a8d32e44f418efb8e926914dea5479ba1175768910fa38b4e5b83c51e90ec34d2d345629597beb286215b9658a611cf568b8e43122
DIST incus-6.17.tar.xz 12809024 BLAKE2B 5d6cb615b547430641faa716df5ce7c4d03aad436a4161c9d9dab99bd4fff7b8f93c8250d5b65237047c2baeeeac6f42a21b9a6970a41e79e7e6af9ceca2cf62 SHA512 ae744784ed676dcdcad3a284a0e16a816786cb87d78fae7f317baa4c75b193edb56ab2ec38b916c84930df5385e7b239c1cb9dc869672502be1e4d660a8d6113
DIST incus-6.17.tar.xz.asc 833 BLAKE2B a0fc3eaa51df6b77988cc331cf03fad982d0a735a2e751564d05bd6f929b422b8682b56ec9101b17000978ec7f919189b3721779ca299f7df0c46fa56275aaf6 SHA512 23cc6ed65bf99899bd3ed4dd7f79a1eada375e32ad0f9b91be1e3fcc0d2af5abeffe05b7c02f0b63a7eca7dfaeee030dbc27fce67e8952f42f18638ebfc9a2e2
DIST incus-6.18.tar.xz 13269284 BLAKE2B 5894d445d869ab280332f9874fc5e885495925c6408d003c972ef05b3d1bb89f8b9c5d95e5c0bb7cd20377e8e9d80673049e88d5d3d3d0b2d83ae0c2aaf6a79c SHA512 619fb28dbcfbd7fca93a5941b77c6106f8489f277167e44f131a2816ba3cab6519a7103cf92714fcd9c78ff06105bc1999982c6b6dcb4e8478646aac9c83fbec
DIST incus-6.18.tar.xz.asc 833 BLAKE2B 539759887221842b0b1be365e6eaa112317e77443627471725bc976d00efeb0e50ee6700a8d6dd15e50978fa72cfeab8186af0e7f6c66d9d4a1ac7cb9c2212f3 SHA512 b3803b3e16cdc1e916ac50d679b2e313ae4652ca5203b7b8090f4acc0b86f1070d107adf8f6f89e05e0502cd28f2d134588b9301ecffdae88ae75e84d431c0f3
DIST incus-6.19.1.tar.xz 13272476 BLAKE2B fac75836ed7d853b3deb28ee2f38a80ae392f8af444f37b29adf0868fdf3dea6a51e1ffef2bbb606cdc5f39d74b76ccced3f7e7f9d2c611d40e543f295fe2b01 SHA512 ad674c2da425deb5c59847b688e3aa053b1a401920caa25a775795b3cb36d1e30b74f790c719187d1b37dd5c12e4b1cb56f17b6fac946fd3ec83ea5b1000e157
DIST incus-6.19.1.tar.xz.asc 833 BLAKE2B 57cb2b8824e083143551ed756bb1a4af0294681f7f67cef405963852f676b6d933c2d066a60ad0366f134a496c1c166dc6a7c5dfb45483d78388716983bdeada SHA512 b645418f02337e7b2adadb278fc39d9cc53981b11654dee16f2945d0ba2c8304dbfcd255d95ba73ea124d28b56ec886e1a4c514606a06ab53e61692913384ee3
DIST incus-6.21.tar.xz 13298940 BLAKE2B ae898643c02e4e4ba41d7c9326ff67fdaed21f0583268cdd810602c5b244b00bfb9fdaa626149ca20782595ba35b3b820774605417f0c3c74ee2acda9494ff88 SHA512 eff179f176d4f2ccf7e6c2db57a63358370c53b4c8255d8d3a56ddca16df17339ec1f7455cc63b38dc9e28f7ae658349c325c92ba32687f9f4acd5573c56f06d
DIST incus-6.21.tar.xz.asc 833 BLAKE2B 14aad1deb9976528e0e75426cb46017525fba5f1a728dc34192e0defd417bf93f20fd12ef4005c7111a9be6891af1ff077f34abab9b824451b938ea7d1e92026 SHA512 6baaf74e7f4eb16fcd183ab435235b491081afa35f94b86ea63d4ac51aa63fe0a10f2aa493987c261664c8ef7fdcb2ed09e7265c5bf063e828b40d3618fd4f8c
DIST incus-6.22.tar.xz 13452548 BLAKE2B d55cde93ae4b0893eba177711e067c62101d29d9d65a6af043e301b9a6389d1d4ea3027365879777cb3d6cd4044e24d1bdfc044c55be632e25fa5d3ce51b91a7 SHA512 4c945a9ca7ecbbc0f833fb2b768f23ee79b4f3c0975ad6afe1f1887418adcd246c4b6c029238c5447930e2dcf675942552e4d8d33222417e4fef1f5e4b43a849
DIST incus-6.22.tar.xz.asc 833 BLAKE2B 628281aa44f521f44bc8e22725793b656a8b662f2a2ada724fb8b17b99352ab6d46ad85b99319840166d6c45ede11d72b2e69c535fd769411c5c750e30367ba5 SHA512 57dd75642f9875800da09b18995dac60e97f441caa82272fe22bff8120c412f646fae81e0d9e63996bb6945c5ebc2ce4ab820372337e36e04e3f2de4ccb0fe1a

View File

@ -0,0 +1,42 @@
From d6f0a77dd26df4c1ced80ffa63848279fd4330cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 20 Jan 2026 23:27:25 -0500
Subject: [PATCH] internal/instance: Prevent line breaks in environment
variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
LXC doesn't currently have a syntax to hold a multi-line environment
variable in its configuration. The use of multi-line environment
variables leads to a corrupted configuration file and to a security
issue where additional lines may be added by an unprivileged user to
escalate their privileges.
This fixes CVE-2026-23953.
Reported-by: Rory McNamara <rory.mcnamara@snyk.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
internal/instance/config.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/internal/instance/config.go b/internal/instance/config.go
index a282f99e478..2c6c779205b 100644
--- a/internal/instance/config.go
+++ b/internal/instance/config.go
@@ -1376,7 +1376,13 @@ func ConfigKeyChecker(key string, instanceType api.InstanceType) (func(value str
// liveupdate: yes
// shortdesc: Free-form environment key/value
if strings.HasPrefix(key, "environment.") {
- return validate.IsAny, nil
+ return func(val string) error {
+ if strings.Contains(val, "\n") {
+ return errors.New("Environment variables cannot contain line breaks")
+ }
+
+ return nil
+ }, nil
}
// gendoc:generate(entity=instance, group=miscellaneous, key=user.*)
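
Review bot: the gendoc block just above the new validator still reads `shortdesc: Free-form environment key/value`, so the generated documentation will not mention that values containing a line break are now rejected. Update the doc comment alongside the check, and add a unit test that passes `ConfigKeyChecker` an `environment.*` value containing `\n` and expects the error, so the fix for CVE-2026-23953 is covered against regression.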

View File

@ -0,0 +1,113 @@
From 92ac6ac999a4928cfdb92c485a048e4d51f471d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Wed, 21 Jan 2026 00:04:37 -0500
Subject: [PATCH] incusd/instance/lxc: Restrict path of template files and
targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes three security issues related to file templates:
- The template target path could be made to be relative or gothrough
symlinks in a way that could lead to arbitrary write to the host
filesystem.
- The template directory could be relative, allowing for arbitrary read
from the host filesystem.
- The template file itself could be made relative, allowing for
arbitrary reads from the host filesystem.
In the case of the template target path, the new logic makes use of the
kernel's openat2 system call which brings a variety of flags that can be
used to restrict path resolution and detect potential issues.
For the template path itself, we now validate that it is a simple local
file and that the template directory isn't a symlink.
This fixes CVE-2026-23954
Reported-by: Rory McNamara <rory.mcnamara@snyk.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
.../server/instance/drivers/driver_lxc.go | 58 ++++++++++++++++++-
1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/internal/server/instance/drivers/driver_lxc.go b/internal/server/instance/drivers/driver_lxc.go
index b6d8cb9a0a7..a1e4f6bbe0d 100644
--- a/internal/server/instance/drivers/driver_lxc.go
+++ b/internal/server/instance/drivers/driver_lxc.go
@@ -6841,6 +6841,32 @@ func (d *lxc) templateApplyNow(trigger instance.TemplateTrigger) error {
containerMeta["privileged"] = "false"
}
+ // Setup security check.
+ rootfsPath, err := os.OpenFile(d.RootfsPath(), unix.O_PATH, 0)
+ if err != nil {
+ return fmt.Errorf("Failed to open instance rootfs path: %w", err)
+ }
+
+ defer func() { _ = rootfsPath.Close() }()
+
+ checkBeneath := func(targetPath string) error {
+ fd, err := unix.Openat2(int(rootfsPath.Fd()), targetPath, &unix.OpenHow{
+ Flags: unix.O_PATH | unix.O_CLOEXEC,
+ Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS,
+ })
+ if err != nil {
+ if errors.Is(err, unix.EXDEV) {
+ return errors.New("Template is attempting access to path outside of container")
+ }
+
+ return nil
+ }
+
+ _ = unix.Close(fd)
+
+ return nil
+ }
+
// Go through the templates
for tplPath, tpl := range metadata.Templates {
err = func(tplPath string, tpl *api.ImageMetadataTemplate) error {
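
Review bot: in `checkBeneath`, every `unix.Openat2` error other than `EXDEV` falls through to `return nil`, so the check passes silently whenever the call is unavailable or refuses the path with a different errno, for example `ENOSYS` on a kernel without openat2, or `ELOOP`, which is how openat2 reports a `RESOLVE_NO_MAGICLINKS` refusal. A missing target is a legitimate case because the template file may still need to be created, so accept `ENOENT` explicitly, with a comment saying why, and return the error for anything else.
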
@@ -6853,8 +6879,38 @@ func (d *lxc) templateApplyNow(trigger instance.TemplateTrigger) error {
return nil
}
+ // Perform some security checks.
+ relPath := strings.TrimLeft(tplPath, "/")
+
+ err = checkBeneath(relPath)
+ if err != nil {
+ return err
+ }
+
+ if filepath.Base(tpl.Template) != tpl.Template {
+ return errors.New("Template path is attempting to read outside of template directory")
+ }
+
+ tplDirStat, err := os.Lstat(d.TemplatesPath())
+ if err != nil {
+ return fmt.Errorf("Couldn't access template directory: %w", err)
+ }
+
+ if !tplDirStat.IsDir() {
+ return errors.New("Template directory isn't a regular directory")
+ }
+
+ tplFileStat, err := os.Lstat(filepath.Join(d.TemplatesPath(), tpl.Template))
+ if err != nil {
+ return fmt.Errorf("Couldn't access template file: %w", err)
+ }
+
+ if tplFileStat.Mode()&os.ModeSymlink == os.ModeSymlink {
+ return errors.New("Template file is a symlink")
+ }
+
// Open the file to template, create if needed
- fullpath := filepath.Join(d.RootfsPath(), strings.TrimLeft(tplPath, "/"))
+ fullpath := filepath.Join(d.RootfsPath(), relPath)
if util.PathExists(fullpath) {
if tpl.CreateOnly {
return nil
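Review bot: The result of checkBeneath(relPath) is not carried through to the use of the path. The O_PATH descriptor is closed inside checkBeneath, and `fullpath := filepath.Join(d.RootfsPath(), relPath)` is then resolved again by name, so a path component swapped for a symlink after the check is not caught. The two os.Lstat checks on the template directory and template file have the same check-then-use shape. Consider opening the target with openat2 and RESOLVE_BENEATH and handing that descriptor to the code that writes the file. Separately, the os.Lstat of d.TemplatesPath() does not depend on tplPath or tpl and could move above the loop, and the message "Template directory isn't a regular directory" would be clearer if it said the path is a symlink or not a directory.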

View File

@ -1,228 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/lts"
KEYWORDS="amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.6
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables
)
fuidshift? ( !app-containers/lxd )
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
# Fix hardcoded virtfs-proxy-helper file path, see bug 798924
sed -i \
-e "s:/usr/lib/qemu/virtfs-proxy-helper:/usr/libexec/virtfs-proxy-helper:g" \
internal/server/device/device_utils_disk.go || die "Failed to fix virtfs-proxy-helper path."
cp "${FILESDIR}"/incus-0.4.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags netgo "${S}"/cmd/incus-migrate
CGO_ENABLED=0 go install -v -tags agent,netgo "${S}"/cmd/incus-agent
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
if tc-is-cross-compiler ; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin ${bindir}/${l}
done
# User tools
for m in incus-agent incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin ${bindir}/${m}
done
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184
newenvd - 90incus <<- _EOF_
INCUS_EDK2_PATH=${EPREFIX}/usr/share/edk2-ovmf
_EOF_
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}

View File

@ -1,225 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/lts"
KEYWORDS="amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.6
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables
)
fuidshift? ( !app-containers/lxd )
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
cp "${FILESDIR}"/incus-0.4.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags netgo "${S}"/cmd/incus-migrate
CGO_ENABLED=0 go install -v -tags agent,netgo "${S}"/cmd/incus-agent
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin ${bindir}/${l}
done
# User tools
for m in incus-agent incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin ${bindir}/${m}
done
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184
newenvd - 90incus <<- _EOF_
INCUS_EDK2_PATH=${EPREFIX}/usr/share/edk2-ovmf
_EOF_
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -11,8 +11,8 @@ SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
SLOT="0/lts"
KEYWORDS="amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
@ -20,7 +20,7 @@ DEPEND="acct-group/incus
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.7
>=dev-libs/cowsql-1.15.9
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
@ -45,7 +45,7 @@ RDEPEND="${DEPEND}
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.24.7
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
@ -94,6 +94,9 @@ RESTRICT="test"
GOPATH="${S}/_dist"
PATCHES=( "${FILESDIR}"/incus-CVE-2026-23953.patch
"${FILESDIR}"/incus-CVE-2026-23954.patch )
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
@ -127,6 +130,15 @@ src_prepare() {
src_configure() { :; }
incus_get_bindir() {
local host_arch=${1}
if [[ "${GOARCH}" != "${host_arch}" ]]; then
echo "_dist/bin/linux_${GOARCH}"
else
echo "_dist/bin"
fi
}
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
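Review bot: incus_get_bindir does not check that it received an argument. With an empty host_arch and GOARCH set, `[[ "${GOARCH}" != "${host_arch}" ]]` is true and the function echoes the cross-build directory `_dist/bin/linux_${GOARCH}` even on a native build. Suggest a guard such as `[[ -n ${host_arch} ]] || die "host arch not given"` at the top, plus a short comment stating that the function reads the global GOARCH and returns a path relative to the source directory.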
@ -141,23 +153,24 @@ src_compile() {
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
local bindir=$(incus_get_bindir "$(go-env_goarch "${CBUILD}")")
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v \
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v \
GOARCH=386 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v \
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v \
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v \
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v \
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
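Review bot: The agent builds now write to `-o "${bindir}"/incus-agent.…`, and the value incus_get_bindir returns is relative (`_dist/bin` or `_dist/bin/linux_${GOARCH}`), whereas the lines being replaced were anchored at `"${S}"/_dist/bin`. The output location now depends on the working directory at this point in src_compile. Writing `-o "${S}/${bindir}"/…` keeps it explicit and still matches the relative bindir used by src_install.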
@ -175,11 +188,7 @@ src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
local bindir=$(incus_get_bindir "${GOHOSTARCH}")
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
@ -201,7 +210,7 @@ src_install() {
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi
@ -248,9 +257,9 @@ pkg_postinst() {
elog
optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -127,6 +127,15 @@ src_prepare() {
src_configure() { :; }
incus_get_bindir() {
local host_arch=${1}
if [[ "${GOARCH}" != "${host_arch}" ]]; then
echo "_dist/bin/linux_${GOARCH}"
else
echo "_dist/bin"
fi
}
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
@ -143,15 +152,23 @@ src_compile() {
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
local bindir=$(incus_get_bindir "$(go-env_goarch "${CBUILD}")")
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
return
@ -168,11 +185,7 @@ src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
local bindir=$(incus_get_bindir "${GOHOSTARCH}")
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
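Review bot: `local bindir=$(incus_get_bindir "${GOHOSTARCH}")` declares and assigns in one statement, so the exit status of the command substitution is discarded, and `export GOHOSTARCH=$(go-env_goarch "${CBUILD}")` just above has the same property. A failure in either call goes unnoticed until a later dosbin or doexe cannot find its file. Suggest splitting declaration from assignment and appending `|| die` to each assignment.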
@ -194,7 +207,7 @@ src_install() {
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi

View File

@ -1,255 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.7
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables[json]
)
fuidshift? ( !app-containers/lxd )
net-firewall/ebtables
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
apparmor? ( sec-policy/apparmor-profiles )
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
PATCHES=( "${FILESDIR}"/incus-6.14-fix-qemu-memory-calculation-logic.patch )
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
cp "${FILESDIR}"/incus-0.4.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags netgo "${S}"/cmd/incus-migrate
# Build the VM agents, statically too
# 32-bit agents couldn't be built with the settings below, will need to investigate later - maybe
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v -tags agent,netgo "${S}"/cmd/incus-agent
# GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v -tags agent,netgo "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v -tags agent,netgo "${S}"/cmd/incus-agent
# GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v -tags agent,netgo "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v -tags agent,netgo "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v -tags agent,netgo "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
return
fi
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin "${bindir}/${l}"
done
# User tools
for m in incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin "${bindir}/${m}"
done
# VM Agents
if use amd64 ; then
dobin ${bindir}/incus-agent.linux.x86_64
# dobin ${bindir}/incus-agent.linux.i686
dobin ${bindir}/incus-agent.windows.x86_64
# dobin ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
dobin ${bindir}/incus-agent.linux.aarch64
dobin ${bindir}/incus-agent.windows.aarch64
fi
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184
newenvd - 90incus <<- _EOF_
INCUS_EDK2_PATH=${EPREFIX}/usr/share/edk2-ovmf
_EOF_
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}

View File

@ -1,254 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.7
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables[json]
)
fuidshift? ( !app-containers/lxd )
net-firewall/ebtables
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
apparmor? ( sec-policy/apparmor-profiles )
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
PATCHES=( "${FILESDIR}"/incus-6.14-fix-qemu-memory-calculation-logic.patch )
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
cp "${FILESDIR}"/incus-0.4.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
return
fi
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin "${bindir}/${l}"
done
# User tools
for m in incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin "${bindir}/${m}"
done
# VM Agents
if use amd64 ; then
dobin ${bindir}/incus-agent.linux.x86_64
dobin ${bindir}/incus-agent.linux.i686
dobin ${bindir}/incus-agent.windows.x86_64
dobin ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
dobin ${bindir}/incus-agent.linux.aarch64
dobin ${bindir}/incus-agent.windows.aarch64
fi
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184
newenvd - 90incus <<- _EOF_
INCUS_EDK2_PATH=${EPREFIX}/usr/share/edk2-ovmf
_EOF_
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}

View File

@ -1,255 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.7
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables[json]
)
fuidshift? ( !app-containers/lxd )
net-firewall/ebtables
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
apparmor? ( sec-policy/apparmor-profiles )
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
PATCHES=( "${FILESDIR}"/incus-6.14-fix-qemu-memory-calculation-logic.patch )
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
cp "${FILESDIR}"/incus-6.14-r1.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
return
fi
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin "${bindir}/${l}"
done
# User tools
for m in incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin "${bindir}/${m}"
done
# VM Agents
if use amd64 ; then
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.x86_64
doexe ${bindir}/incus-agent.linux.i686
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184,
# and INCUS_AGENT_PATH to find multi-setup agents for VMs, #959878.
newenvd "${FILESDIR}"/90incus.envd 90incus
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}
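Review bot: the ebuild removed here references `"${FILESDIR}"/incus-6.14-fix-qemu-memory-calculation-logic.patch` in PATCHES and copies `"${FILESDIR}"/incus-6.14-r1.service` in src_prepare; check that any remaining incus ebuild that still needs those files keeps them, and that files no longer referenced by any ebuild are dropped in the same sync so files/ does not accumulate stale patches. The removal also retires the arm64 branch of src_install that installed the agents with `exeinto /usr/libexec/incus` while the amd64 branch used `/usr/libexec/incus/agents`.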

View File

@ -1,253 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-sig
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
DEPEND="acct-group/incus
acct-group/incus-admin
app-arch/xz-utils
>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
dev-db/sqlite:3
>=dev-libs/cowsql-1.15.7
dev-libs/lzo
>=dev-libs/raft-0.22.1:=[lz4]
>=dev-util/xdelta-3.0[lzma(+)]
net-dns/dnsmasq[dhcp]
sys-libs/libcap
virtual/udev"
RDEPEND="${DEPEND}
|| (
net-firewall/iptables
net-firewall/nftables[json]
)
fuidshift? ( !app-containers/lxd )
net-firewall/ebtables
sys-apps/iproute2
sys-fs/fuse:*
>=sys-fs/lxcfs-5.0.0
sys-fs/squashfs-tools[lzma]
virtual/acl
apparmor? ( sec-policy/apparmor-profiles )
qemu? (
app-cdr/cdrtools
app-emulation/qemu[spice,usbredir,virtfs]
sys-apps/gptfdisk
)"
BDEPEND=">=dev-lang/go-1.21
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
CONFIG_CHECK="
~AIO
~CGROUPS
~IPC_NS
~NET_NS
~PID_NS
~SECCOMP
~USER_NS
~UTS_NS
~KVM
~MACVTAP
~VHOST_VSOCK
"
ERROR_AIO="CONFIG_AIO is required."
ERROR_IPC_NS="CONFIG_IPC_NS is required."
ERROR_NET_NS="CONFIG_NET_NS is required."
ERROR_PID_NS="CONFIG_PID_NS is required."
ERROR_SECCOMP="CONFIG_SECCOMP is required."
ERROR_UTS_NS="CONFIG_UTS_NS is required."
WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
# Go magic.
QA_PREBUILT="/usr/bin/incus
/usr/bin/incus-agent
/usr/bin/incus-benchmark
/usr/bin/incus-migrate
/usr/bin/lxc-to-incus
/usr/sbin/fuidshift
/usr/sbin/incusd
/usr/sbin/lxd-to-incus"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
# The testsuite must be run as root.
# make: *** [Makefile:156: check] Error 1
RESTRICT="test"
GOPATH="${S}/_dist"
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
}
src_prepare() {
export GOPATH="${S}/_dist"
default
sed -i \
-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
-e "s:make:make ${MAKEOPTS}:g" \
Makefile || die
sed -i \
-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
cp "${FILESDIR}"/incus-6.14-r1.service "${T}"/incus.service || die
if use apparmor; then
sed -i \
'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
"${T}"/incus.service || die
fi
# Disable -Werror's from go modules.
find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
}
src_configure() { :; }
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
ego install -v -x "${S}/cmd/${k}"
done
if use fuidshift ; then
ego install -v -x "${S}/cmd/fuidshift"
fi
ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
return
fi
use nls && emake build-mo
}
src_test() {
emake check
}
src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
# Admin tools
for l in incusd incus-user lxd-to-incus ; do
dosbin "${bindir}/${l}"
done
# User tools
for m in incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
dobin "${bindir}/${m}"
done
# VM Agents
if use amd64 ; then
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.x86_64
doexe ${bindir}/incus-agent.linux.i686
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi
# fuidshift, should be moved under admin tools at some point
if use fuidshift ; then
dosbin ${bindir}/fuidshift
fi
newconfd "${FILESDIR}"/incus-6.0.confd incus
newinitd "${FILESDIR}"/incus-6.0.initd incus
newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
systemd_dounit "${T}"/incus.service
systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
if ! tc-is-cross-compiler; then
# Generate and install shell completion files.
mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
else
ewarn "Shell completion files not installed! Install them manually with incus completion --help"
fi
dodoc AUTHORS
dodoc -r doc/*
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184,
# and INCUS_AGENT_PATH to find multi-setup agents for VMs, #959878.
newenvd "${FILESDIR}"/90incus.envd 90incus
}
pkg_postinst() {
elog
elog "Please see"
elog " https://wiki.gentoo.org/wiki/Incus"
elog " https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
elog
optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
optfeature "support for ACME certificate issuance" app-crypt/lego
optfeature "btrfs storage backend" sys-fs/btrfs-progs
optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
optfeature "full incus-migrate support" net-misc/rsync
optfeature "lvm2 storage backend" sys-fs/lvm2
optfeature "zfs storage backend" sys-fs/zfs
elog
elog "Be sure to add your local user to the incus group."
elog
}

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -104,6 +104,7 @@ src_unpack() {
if [[ "${PV}" == 9999* ]]; then
git-r3_src_unpack
go-module_live_vendor
go-env_set_compile_environment
else
verify-sig_src_unpack
go-module_src_unpack
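Review bot: in src_unpack, `go-env_set_compile_environment` is called only in the `9999` branch, after `go-module_live_vendor`, and the release branch (`verify-sig_src_unpack` then `go-module_src_unpack`) has no matching call. If the release path gets the same environment from `go-module_src_unpack`, a one-line comment saying so would explain the asymmetry; if it does not, GOARCH can differ between live and release builds, and the `incus_get_bindir` helper added later in this file compares against it.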
@ -138,6 +139,15 @@ src_prepare() {
src_configure() { :; }
incus_get_bindir() {
local host_arch=${1}
if [[ "${GOARCH}" != "${host_arch}" ]]; then
echo "_dist/bin/linux_${GOARCH}"
else
echo "_dist/bin"
fi
}
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
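Review bot: `incus_get_bindir` compares `"${GOARCH}"` with the host arch without first checking that GOARCH is set, while the src_install code it replaces in this file tested `-n "${GOARCH}"`; with GOARCH empty the helper returns `_dist/bin/linux_`, where the old code fell back to `_dist/bin`. Keep the guard in the helper: `if [[ -n "${GOARCH}" && "${GOARCH}" != "${host_arch}" ]]; then`.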
@ -155,20 +165,22 @@ src_compile() {
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
local bindir=$(incus_get_bindir "$(go-env_goarch "${CBUILD}")")
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v \
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v \
GOARCH=386 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v \
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v \
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v \
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v \
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
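Review bot: the `-o` targets in src_compile change from `"${S}"/_dist/bin/...` to `"${bindir}"/...`, and `incus_get_bindir` returns a path relative to the working directory (`_dist/bin` or `_dist/bin/linux_${GOARCH}`), so the output location now depends on the build running from `${S}`; `-o "${S}/${bindir}"/incus-agent.linux.x86_64` would keep it anchored. `local bindir=$(...)` also hides the helper's exit status, so declare and assign on separate lines if the helper is ever given a failure path.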
@ -186,11 +198,7 @@ src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ -n "${GOARCH}" && "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
local bindir=$(incus_get_bindir "${GOHOSTARCH}")
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
@ -212,7 +220,7 @@ src_install() {
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi
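Review bot: the arm64 branch of src_install now installs the agents under `/usr/libexec/incus/agents` instead of `/usr/libexec/incus`, which changes installed file paths for existing arm64 users; confirm this lands with a revision bump and that the INCUS_AGENT_PATH value shipped in `90incus.envd` points at the `agents` directory. The `doexe ${bindir}/...` arguments are unquoted; quoting them would match the `dosbin "${bindir}/${l}"` style used for the other tools.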

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -7,13 +7,19 @@ inherit go-env go-module linux-info optfeature systemd toolchain-funcs verify-si
DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
if [[ "${PV}" == 9999* ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/lxc/incus.git"
else
SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
KEYWORDS="~amd64 ~arm64"
fi
LICENSE="Apache-2.0 BSD LGPL-3 MIT"
SLOT="0/stable"
KEYWORDS="~amd64 ~arm64"
IUSE="apparmor fuidshift nls qemu"
IUSE="apparmor fuidshift nls qemu selinux"
DEPEND="acct-group/incus
acct-group/incus-admin
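Review bot: in the `9999` branch there is no `.asc` in SRC_URI and nothing for verify-sig to check, yet the `verify-sig?` handling stays tied to an eclass that is inherited for both branches, so the USE flag is exposed on the live ebuild without effect; state that this is intended or restrict it to the `else` branch. Separately, IUSE gains `selinux` here and no dependency on a SELinux policy package is visible in this hunk, so confirm the flag is meant only to toggle the environment setting and describe it in metadata.xml.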
@ -95,8 +101,14 @@ RESTRICT="test"
GOPATH="${S}/_dist"
src_unpack() {
verify-sig_src_unpack
go-module_src_unpack
if [[ "${PV}" == 9999* ]]; then
git-r3_src_unpack
go-module_live_vendor
go-env_set_compile_environment
else
verify-sig_src_unpack
go-module_src_unpack
fi
}
src_prepare() {
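Review bot: the `9999` branch of src_unpack skips `verify-sig_src_unpack` and pulls Go modules at build time through `go-module_live_vendor`, so a live build has neither a signature check on the source nor Manifest checksums on its dependencies. That is normal for a live ebuild, but it deserves a comment above the `if`, and the branch should stay unkeyworded, which the KEYWORDS move into the `else` arm earlier in this file already does.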
@ -127,6 +139,15 @@ src_prepare() {
src_configure() { :; }
incus_get_bindir() {
local host_arch=${1}
if [[ "${GOARCH}" != "${host_arch}" ]]; then
echo "_dist/bin/linux_${GOARCH}"
else
echo "_dist/bin"
fi
}
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
@ -144,20 +165,22 @@ src_compile() {
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
local bindir=$(incus_get_bindir "$(go-env_goarch "${CBUILD}")")
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v \
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v \
GOARCH=386 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v \
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v \
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v \
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v \
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
@ -175,11 +198,7 @@ src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
local bindir=$(incus_get_bindir "${GOHOSTARCH}")
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
@ -201,7 +220,7 @@ src_install() {
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi
@ -236,8 +255,12 @@ src_install() {
use nls && domo po/*.mo
# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184,
# and INCUS_AGENT_PATH to find multi-setup agents for VMs, #959878.
# and INCUS_AGENT_PATH to find multi-setup agents for VMs, #959878,
# and INCUS_SECURITY_SELINUX=true to enable selinux support (until its enabled by default)
newenvd "${FILESDIR}"/90incus.envd 90incus
if use selinux; then
echo "INCUS_SECURITY_SELINUX=true" >> "${D}"/etc/env.d/90incus
fi
}
pkg_postinst() {
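Review bot: the `echo "INCUS_SECURITY_SELINUX=true" >> "${D}"/etc/env.d/90incus` line in src_install has no `|| die`, so a failed write would go unnoticed and produce a `USE=selinux` package without the setting; add `|| die`, and use `${ED}` instead of `${D}` so the path matches where `newenvd` installs on prefix systems. The added comment reads "until its enabled by default", which should be "it's".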

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -104,6 +104,7 @@ src_unpack() {
if [[ "${PV}" == 9999* ]]; then
git-r3_src_unpack
go-module_live_vendor
go-env_set_compile_environment
else
verify-sig_src_unpack
go-module_src_unpack
@ -138,6 +139,15 @@ src_prepare() {
src_configure() { :; }
incus_get_bindir() {
local host_arch=${1}
if [[ "${GOARCH}" != "${host_arch}" ]]; then
echo "_dist/bin/linux_${GOARCH}"
else
echo "_dist/bin"
fi
}
src_compile() {
export GOPATH="${S}/_dist"
export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
@ -155,20 +165,22 @@ src_compile() {
# Needs to be built statically
CGO_ENABLED=0 go install -v -tags agent,netgo,static -buildmode default "${S}"/cmd/incus-migrate
local bindir=$(incus_get_bindir "$(go-env_goarch "${CBUILD}")")
# Build the VM agents, statically too
if use amd64 ; then
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.x86_64 -v \
GOARCH=amd64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.i686 -v \
GOARCH=386 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.x86_64 -v \
GOARCH=amd64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.x86_64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.i686 -v \
GOARCH=386 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.i686 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
elif use arm64 ; then
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.linux.aarch64 -v \
GOARCH=arm64 CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.linux.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${S}"/_dist/bin/incus-agent.windows.aarch64 -v \
GOARCH=arm64 GOOS=windows CGO_ENABLED=0 ego build -o "${bindir}"/incus-agent.windows.aarch64 -v \
-tags agent,netgo,static -buildmode default "${S}"/cmd/incus-agent
else
echo "No VM support for this arch."
@ -186,11 +198,7 @@ src_install() {
export GOPATH="${S}/_dist"
export GOHOSTARCH=$(go-env_goarch "${CBUILD}")
if [[ -n "${GOARCH}" && "${GOARCH}" != "${GOHOSTARCH}" ]]; then
local bindir="_dist/bin/linux_${GOARCH}"
else
local bindir="_dist/bin"
fi
local bindir=$(incus_get_bindir "${GOHOSTARCH}")
newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
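Review bot: the removed block in src_install only took the `linux_${GOARCH}` path when `-n "${GOARCH}"` held, and the `incus_get_bindir` call that replaces it has no such test, so an unset GOARCH now yields `_dist/bin/linux_` and the `dosbin`/`dobin` calls that follow look in the wrong directory. Either restore the `-n` test inside the helper or `die` there when GOARCH is empty.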
@ -212,7 +220,7 @@ src_install() {
doexe ${bindir}/incus-agent.windows.x86_64
doexe ${bindir}/incus-agent.windows.i686
elif use arm64 ; then
exeinto /usr/libexec/incus
exeinto /usr/libexec/incus/agents
doexe ${bindir}/incus-agent.linux.aarch64
doexe ${bindir}/incus-agent.windows.aarch64
fi

View File

@ -6,3 +6,5 @@ DIST lxc-6.0.4.tar.gz 964064 BLAKE2B f8911993ce333300e68fe3d817cceb49d6c18f83e5f
DIST lxc-6.0.4.tar.gz.asc 833 BLAKE2B 4600373e9534515fe3ec0c41ebe5b17ee8c4e7ab125e3a211ed300f0fdd79a04a9c183b903e1b6600d7b7ce4d9f2e66451326c473beb02b4a83a7200764e56e7 SHA512 2efe6e06b33a34fdf7ba1393b5e07aa1a18f189b2e43673b4f9bbdc7cf0fcb9ad47b99ebbd08e910e139047d54b1104f098cbbef586796767b9dd1a4a99ca748
DIST lxc-6.0.5.tar.gz 958966 BLAKE2B 74ee775f8a23467049f38f0973a24eb12b34b7c758549294342470b7b6b8e95eaef118c493f62b6394c435a5c86389fde4454199107e90743dd40d3a5bf373fd SHA512 3674397e789ed9eda7e37d4e22c42ab02687c0ab6a12f6c234a3393bdfb3f048aa0ded419c5c2f435d653d3dd70f47ae19d28b7a46838f12004d00b05c54a26d
DIST lxc-6.0.5.tar.gz.asc 833 BLAKE2B ac1480c0b5588b290ab1ec81bf7bf85990df98a650832363529e9ede8afb7594bd21b58a4a79e7fe9519c381d4860d7a33f4090582612ffff7c448c77e641929 SHA512 8c28da0ebc280ae491bab815105f3c58f2c9cd742586ce86f9b1d2032724db4893811d689f7278bfc8c5570dc45ca6071e4c25b77647d762c77eca59249a15b5
DIST lxc-6.0.6.tar.gz 963412 BLAKE2B 3bd9575f4c1a4b96ce5bea767e6a6b3c15a3021c62ebaf7421065ca55d2093ca467a8e9e86ce5d8316dab4fc9cde0c96dc1acedb73ccf167bd5c3e5484e5ceff SHA512 1d28aa749711be8a439de5e76019960d78e21bf576724bce7e8973ba4f6a3995c040cdc184e3c3a30814eb4cd2daec6851d26422c7d6d9d64ccd95add6c2eb30
DIST lxc-6.0.6.tar.gz.asc 833 BLAKE2B 622a7c53629b3e5117bad956923824662073955ca8c6b3c6fba61b9d37c3b76fa48d55ecfd460fad4a5fe88c074264ad4c97b4193342d9c3a5fa322814a212fd SHA512 3ddaf0796e6888c15a5124141439ffa09c2d611f185cf3c8b2106eea530485a013846548bf9bd5ea9d0b69ee52aad2de9281b293a323ba2510db925c38cce98f

View File

@ -0,0 +1,25 @@
From 511e4db8f2a5b47cdd41eef482647492ce5b0f77 Mon Sep 17 00:00:00 2001
From: Joonas Niilola <juippis@gentoo.org>
Date: Sun, 15 Feb 2026 17:42:39 +0200
Subject: [PATCH] meson.build: fix openat2 include typo, fix with glibc-2.43
+FORTIFY
Closes: https://github.com/lxc/lxc/issues/4641
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
---
meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meson.build b/meson.build
index eef4e6900c..df40d7516a 100644
--- a/meson.build
+++ b/meson.build
@@ -571,7 +571,7 @@ foreach ident: [
['move_mount', '''#include <sys/mount.h>'''],
['openat2', '''#include <sys/types.h>
#include <sys/stat.h>
- #include <fctnl.h>'''],
+ #include <fcntl.h>'''],
['open_tree', '''#include <sys/mount.h>'''],
['personality', '''#include <sys/personality.h>'''],
['pidfd_open', '''#include <stdlib.h>
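Review bot: The patch header carries only the issue link (Closes: https://github.com/lxc/lxc/issues/4641) and no pointer to the upstream commit or the release that will contain the fix, so a later version bump has nothing to say when this file can be dropped. A one-line note in the header would cover that. The commit message could also say why `#include <fctnl.h>` in the openat2 entry only surfaces with glibc-2.43 and FORTIFY, since a misspelled header in a per-symbol include list can make the openat2 check fail for a reason unrelated to libc support.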

View File

@ -1,4 +1,4 @@
# Copyright 2022-2025 Gentoo Authors
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -72,6 +72,8 @@ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
DOCS=( AUTHORS CONTRIBUTING MAINTAINERS README.md doc/FAQ.txt )
PATCHES=( "${FILESDIR}"/lxc-6.0.5-fix-openat2-include-typo.patch )
pkg_setup() {
linux-info_pkg_setup
}

View File

@ -0,0 +1,174 @@
# Copyright 2022-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit bash-completion-r1 linux-info meson optfeature systemd verify-sig
DESCRIPTION="A userspace interface for the Linux kernel containment features"
HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
LICENSE="GPL-2 LGPL-2.1 LGPL-3" # LGPL-2.1+ is listed, but it's covered by "LGPL-3"
SLOT="0/1.606" # SONAME liblxc.so.1 + ${PV//./} _if_ breaking ABI change while bumping.
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor +caps doc examples io-uring man pam seccomp selinux ssl systemd test +tools"
RDEPEND="acct-group/lxc
acct-user/lxc
apparmor? ( sys-libs/libapparmor )
caps? ( sys-libs/libcap )
io-uring? ( >=sys-libs/liburing-2:= )
pam? ( sys-libs/pam )
seccomp? ( sys-libs/libseccomp )
selinux? ( sys-libs/libselinux )
ssl? ( dev-libs/openssl:0= )
systemd? (
sys-apps/dbus
sys-apps/systemd:=
)
tools? ( sys-libs/libcap )"
DEPEND="${RDEPEND}
caps? ( sys-libs/libcap[static-libs] )
tools? ( sys-libs/libcap[static-libs] )
sys-kernel/linux-headers"
BDEPEND="virtual/pkgconfig
doc? ( app-text/doxygen )
man? ( app-text/docbook2X )
verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
RESTRICT="!test? ( test )"
CONFIG_CHECK="~!NETPRIO_CGROUP
~CGROUPS
~CGROUP_CPUACCT
~CGROUP_DEVICE
~CGROUP_FREEZER
~CGROUP_SCHED
~CPUSETS
~IPC_NS
~MACVLAN
~MEMCG
~NAMESPACES
~NET_NS
~PID_NS
~POSIX_MQUEUE
~USER_NS
~UTS_NS
~VETH"
ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
DOCS=( AUTHORS MAINTAINERS README.md doc/FAQ.txt )
pkg_setup() {
linux-info_pkg_setup
}
src_configure() {
# -Dtools-multicall=false: will create a single binary called 'lxc' that conflicts with LXD.
local emesonargs=(
--localstatedir "${EPREFIX}/var"
-Dcoverity-build=false
-Dinstall-state-dirs=false
-Doss-fuzz=false
-Dspecfile=false
-Dtools-multicall=false
-Dcommands=true
-Dinstall-init-files=true
-Dmemfd-rexec=true
-Dthread-safety=true
$(meson_use apparmor)
$(meson_use caps capabilities)
$(meson_use doc api-docs)
$(meson_use examples)
$(meson_use io-uring io-uring-event-loop)
$(meson_use man)
$(meson_use pam pam-cgroup)
$(meson_use seccomp)
$(meson_use selinux)
$(meson_use ssl openssl)
$(meson_use test tests)
$(meson_use tools)
$(usex systemd -Ddbus=true -Ddbus=false)
$(usex systemd -Dinit-script="systemd" -Dinit-script="openrc")
-Ddata-path=/var/lib/lxc
-Ddoc-path=/usr/share/doc/${PF}
-Dlog-path=/var/log/lxc
-Drootfs-mount-path=/var/lib/lxc/rootfs
-Druntime-path=/run
)
use tools && local emesonargs+=( -Dcapabilities=true )
meson_src_configure
}
src_install() {
if use doc ; then
local HTML_DOCS=( "${BUILD_DIR}/html/"* )
fi
meson_src_install
# The main bash-completion file will collide with lxd, need to relocate and update symlinks.
local lxcbashcompdir="${D}/$(get_bashcompdir)"
mkdir -p "${lxcbashcompdir}" || die "Failed to create bashcompdir."
mv "${lxcbashcompdir}"/_lxc "${lxcbashcompdir}"/lxc-start || die "Failed to move _lxc bash completion file."
# Build system will install all bash completion files regardless of our 'tools' use flag.
# Though installing them all will add bash completions for commands that don't exist, it's
# cleaner than dealing with individual files based on the use flag status.
bashcomp_alias lxc-start lxc-{attach,autostart,cgroup,checkpoint,config,console,copy,create,destroy,device,execute,freeze,info,ls,monitor,snapshot,stop,top,unfreeze,unshare,update-config,usernsexec,wait}
find "${ED}" -name '*.la' -delete -o -name '*.a' -delete || die
# Replace upstream systemd files.
if use systemd ; then
rm -r "${D}$(systemd_get_systemunitdir)" || die "Failed to remove systemd lib dir"
else
# The openrc files aren't installed with correct permissions.
fperms 0755 /etc/init.d/lxc-{containers,net}
fi
newinitd "${FILESDIR}/${PN}.initd.9" ${PN}
systemd_newunit "${FILESDIR}"/lxc-monitord.service.5.0.0 lxc-monitord.service
systemd_newunit "${FILESDIR}"/lxc-net.service.5.0.0 lxc-net.service
systemd_newunit "${FILESDIR}"/lxc.service-5.0.0 lxc.service
systemd_newunit "${FILESDIR}"/lxc_at.service.5.0.0 "lxc@.service"
if ! use apparmor; then
sed -i '/lxc-apparmor-load/d' "${D}$(systemd_get_systemunitdir)/lxc.service" ||
die "Failed to remove apparmor references from lxc.service systemd unit."
fi
}
pkg_postinst() {
elog "Please refer to "
elog "https://wiki.gentoo.org/wiki/LXC for introduction and usage guide."
elog
elog "Run 'lxc-checkconfig' to see optional kernel features."
elog
optfeature "creating your own LXC containers" app-containers/distrobuilder
optfeature "automatic template scripts" app-containers/lxc-templates
optfeature "Debian-based distribution container image support" dev-util/debootstrap
optfeature "snapshot & restore functionality" sys-process/criu
}
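Review bot: This new ebuild (SLOT 0/1.606) has no PATCHES array after DOCS, while the sibling ebuild in this commit gains `PATCHES=( "${FILESDIR}"/lxc-6.0.5-fix-openat2-include-typo.patch )`. Please confirm that the release tarball this ebuild fetches already has `#include <fcntl.h>` in the openat2 entry of meson.build, and add the patch here if it does not. Minor, in src_configure: `use tools && local emesonargs+=( -Dcapabilities=true )` re-declares the array with `local` and passes -Dcapabilities a second time after `$(meson_use caps capabilities)`; a plain `emesonargs+=( ... )` would read more clearly.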

View File

@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -16,7 +16,7 @@ if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="https://github.com/containers/netavark.git"
else
SRC_URI="${CARGO_CRATE_URIS} https://github.com/containers/netavark/releases/download/v${PV}/${PN}-v${PV}-vendor.tar.gz"
KEYWORDS="~amd64 ~arm64 ~loong ~ppc64 ~riscv"
KEYWORDS="amd64 arm64 ~loong ~ppc64 ~riscv"
fi
# main

View File

@ -1,10 +0,0 @@
--- a/Makefile
+++ b/Makefile
@@ -56,7 +56,6 @@ BUILDTAGS ?= \
$(shell hack/systemd_tag.sh) \
$(shell hack/libsubid_tag.sh) \
exclude_graphdriver_devicemapper \
- seccomp
# allow downstreams to easily add build tags while keeping our defaults
BUILDTAGS += ${EXTRA_BUILDTAGS}
# N/B: This value is managed by Renovate, manual changes are
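Review bot: The deleted patch was what removed `seccomp` from the default BUILDTAGS in the Makefile, and this hunk gives no indication of how the seccomp build tag is controlled once it is gone. Please check that the ebuild no longer lists this file in PATCHES, and that seccomp is still selected explicitly by the ebuild rather than inherited from the upstream default, since the tag decides whether seccomp support is compiled in.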

View File

@ -24,10 +24,10 @@
</longdescription>
<use>
<flag name="btrfs">
Enables btrfs support (graph driver) in Podman
Enable btrfs support (graph driver) in Podman
</flag>
<flag name="wrapper">
Install wrapper which lets use podman for command `docker`
Install a wrapper to allow using `podman` as a drop-in replacement for `docker`
</flag>
</use>
<upstream>

Some files were not shown because too many files have changed in this diff