Merge pull request #707 from flatcar/t-lo/merge-submodules-to-paths-main

Merge submodules to paths main
Thilo Fromm 2023-04-17 17:06:02 +02:00 committed by GitHub
commit 4922b986ab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10491 changed files with 650133 additions and 271 deletions


@ -11,24 +11,6 @@ on:
Space-separated vendor formats to build.
required: true
default: qemu_uefi
portage_remote:
description: |
The remote we should pull portage-stable from. This defaults to whatever the submodule is set to in this repo.
If triggered by a change in the portage repo, please set this to the remote which is proposing a change.
required: false
portage_ref:
description: |
This is the ref we will use to pull the changes from the portage_remote.
required: false
coreos_remote:
description: |
The remote we should pull coreos-overlay from. This defaults to whatever the submodule is set to in this repo.
If triggered by a change in the portage repo, please set this to the remote which is proposing a change.
required: false
coreos_ref:
description: |
This is the ref we will use to pull the changes from the coreos_remote.
required: false
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
@ -75,7 +57,6 @@ jobs:
with:
path: scripts
fetch-depth: 0
submodules: true
# Hack alert: actions/checkout will check out the (disjunct) merge commit of a PR
# instead of its head commit. That commit is not connected to any branch.
@ -96,23 +77,10 @@ jobs:
shell: bash
run: |
arch="${{ matrix.arch }}"
COREOS_REMOTE=""
COREOS_REF=""
PORTAGE_REMOTE=""
PORTAGE_REF=""
IMAGE_FORMATS="qemu_uefi"
[ -z "${{ github.event.inputs.coreos_remote }}" ] || COREOS_REMOTE="${{ github.event.inputs.coreos_remote }}"
[ -z "${{ github.event.inputs.coreos_ref }}" ] || COREOS_REF="${{ github.event.inputs.coreos_ref }}"
[ -z "${{ github.event.inputs.portage_remote }}" ] || PORTAGE_REMOTE="${{ github.event.inputs.portage_remote }}"
[ -z "${{ github.event.inputs.portage_ref }}" ] || PORTAGE_REF="${{ github.event.inputs.portage_ref }}"
[ -z "${{ github.event.inputs.image_formats }}" ] || IMAGE_FORMATS="${{ github.event.inputs.image_formats }}"
echo "arch=${arch}" >> $GITHUB_ENV
echo "COREOS_REMOTE=${COREOS_REMOTE}" >> $GITHUB_ENV
echo "COREOS_REF=${COREOS_REF}" >> $GITHUB_ENV
echo "PORTAGE_REMOTE=${PORTAGE_REMOTE}" >> $GITHUB_ENV
echo "PORTAGE_REF=${PORTAGE_REF}" >> $GITHUB_ENV
IMAGE_FORMATS="qemu_uefi"
[ -z "${{ github.event.inputs.image_formats }}" ] || IMAGE_FORMATS="${{ github.event.inputs.image_formats }}"
echo "IMAGE_FORMATS=${IMAGE_FORMATS}" >> $GITHUB_ENV
# Artifact root for images and torcx tarball as seen from within the container
@ -124,29 +92,6 @@ jobs:
# this with its IP address.
echo "TORCX_TESTS_PACKAGE_URL=http://localhost:12345" >> $GITHUB_ENV
- name: Checkout submodules
shell: bash
run: |
if [ "${COREOS_REMOTE}" != "" -a "${COREOS_REF}" != "" ]
then
REMOTE="${COREOS_REMOTE}"
REPO_PATH="sdk_container/src/third_party/coreos-overlay"
[[ "$REMOTE" == "https:*" ]] || REMOTE="https://github.com/${COREOS_REMOTE}"
git -C "$REPO_PATH" remote add test "$REMOTE"
git -C "$REPO_PATH" fetch test
git -C "$REPO_PATH" checkout "test/${COREOS_REF}"
fi
if [ "${PORTAGE_REMOTE}" != "" -a "${PORTAGE_REF}" != "" ]
then
REMOTE="${PORTAGE_REMOTE}"
REPO_PATH="sdk_container/src/third_party/portage-stable"
[[ "$REMOTE" == "https:*" ]] || REMOTE="https://github.com/${PORTAGE_REMOTE}"
git -C "$REPO_PATH" remote add test "$REMOTE"
git -C "$REPO_PATH" fetch test
git -C "$REPO_PATH" checkout "test/${PORTAGE_REF}"
fi
- name: Build packages
shell: bash
run: |
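Review bot: The retained `[ -z "${{ github.event.inputs.image_formats }}" ] || IMAGE_FORMATS="${{ github.event.inputs.image_formats }}"` line in the environment-setup hunk still expands a workflow_dispatch input directly into the `run:` script, the same pattern the commit just deleted for the remote/ref inputs; a value containing a quote or `$(...)` becomes shell code on the runner. Only users with write access can dispatch this workflow, so the exposure is limited, but the recommended form is to pass the input through `env:` and quote the variable: add `env: { IMAGE_FORMATS_INPUT: ${{ github.event.inputs.image_formats }} }` on the step and write `[ -z "${IMAGE_FORMATS_INPUT}" ] || IMAGE_FORMATS="${IMAGE_FORMATS_INPUT}"`. The step's `run:` body continues beyond the hunk, so any other `${{ }}` expansion there deserves the same treatment.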


@ -58,7 +58,6 @@ jobs:
with:
path: scripts
fetch-depth: 0
submodules: true
# Hack alert: actions/checkout will check out the (disjunct) merge commit of a PR
# instead of its head commit. That commit is not connected to any branch.

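--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +0,0 @@
-[submodule "sdk_container/src/third_party/coreos-overlay"]
-path = sdk_container/src/third_party/coreos-overlay
-url = https://github.com/flatcar/coreos-overlay.git
-[submodule "sdk_container/src/third_party/portage-stable"]
-path = sdk_container/src/third_party/portage-stable
-url = https://github.com/flatcar/portage-stable.git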


@ -11,12 +11,10 @@ The SDK can be used to
[flatcar-docs]: https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/
# Using the scripts repository: submodules and tags
# Using the scripts repository
The repository is meant to be the entry point for Flatcar builds and development.
For building packages, there are 2 additional repositories, [coreos-overlay](https://github.com/flatcar/coreos-overlay) and [portage-stable](https://github.com/flatcar/portage-stable), which contain all packages' `ebuild` (build configuration) files.
These repositories are included in `scripts` via git submodules and are used by the SDK container wrapper scripts detailed on further below.
The submodules reside in:
Ebuilds for all packages reside in one of 2 subdirectories - [coreos-overlay](sdk_container/src/third_party/coreos-overlay) and [portage-stable](sdk_container/src/third_party/portage-stable/):
```
scripts
+--sdk_container
@ -26,10 +24,10 @@ scripts
+------portage-stable
```
When working with the scripts repo always make sure to initialise and to update these submodules; otherwise builds will break because build configuration is missing:
```bash
$ git clone --recurse-submodules https://github.com/flatcar/scripts.git
```
`portage-stable` is kept in alignment with upstream Gentoo and should not contain any modifications (with only minor, well-justified exceptions).
Consider it a small sub-set of Gentoo.
`coreos-overlay` contains significantly modified or even entirely self-written ebuilds.
The `scripts` repository makes ample use of tags to mark releases.
Sometimes, local and origin tags can diverge (e.g. when re-tagging something locally to test a build).
@ -54,7 +52,7 @@ While work on a native ARM64 native SDK is ongoing, it's unfortunately not ready
The container can be run in one of two ways - "standalone", or integrated with the [scripts](https://github.com/flatcar/scripts) repo:
* Standalone mode will use no host volumes and will allow you to play with the SDK in a sandboxed throw-away environment. In standalone mode, you interface with Docker directly to use the SDK container.
* Integrated mode will closely integrate with the scripts repo directory and bind-mount it as well as the portage-stable and coreos-overlay gitmodules into the container. Integrated mode uses wrapper scripts to interact with the SDK container. This is the recommended way for developing patches for Flatcar.
* Integrated mode will closely integrate with the scripts repo directory and bind-mount it as well as the portage-stable and coreos-overlay directories into the container. Integrated mode uses wrapper scripts to interact with the SDK container. This is the recommended way for developing patches for Flatcar.
## Standalone mode
@ -67,7 +65,7 @@ In standalone mode, the SDK is just another Docker container. Interaction with t
* Start the image in interactive (tty) mode: `docker run -ti ghcr.io/flatcar/flatcar-sdk-all:3033.0.0`
You are now inside the SDK container (the hostname will likely differ):
`sdk@f236fda982a4 ~/trunk/src/scripts $`
* Initialise the SDK in self-contained mode. This needs to be done once per container and will check out the scripts, coreos-overlay, and portage-stable repositories into the container.
* Initialise the SDK in self-contained mode. This needs to be done once per container and will check out the scripts repository into the container.
`sdk@f236fda982a4 ../sdk_init_selfcontained.sh`
You can now work with the SDK container.
@ -84,7 +82,7 @@ To start a container in privileged mode with `/dev` available use:
This is the preferred mode of working with the SDK.
Interaction with the container happens via wrapper scripts from the scripts repository.
Both the host's scripts repo as well as its submodules (portage-stable and coreos-overlay) are made available in the container, allowing for work on these repos directly.
Both the host's scripts repo as well as the ebuild paths (portage-stable and coreos-overlay) are made available in the container, allowing for work on these directly.
The wrapper scripts will re-use existing containers instead of creating new ones to preserve your work in the container, enabling consistency.
To clone the scripts repo and pick a version:
@ -92,8 +90,6 @@ To clone the scripts repo and pick a version:
* Optionally, check out a release tag to base your work on
* list releases (e.g. all Alpha releases): `git tag -l alpha-*`
* check out the release version, e.g. `3033.0.0`: `git checkout 3033.0.0`
* Make sure to initialise and fetch git submodules - Flatcar's ebuilds are in 2 separate repositories, connected to `scripts` via submodules.
* `git submodule init; git submodule update`
To use the SDK container:
* Fetch image and start the SDK container: `./run_sdk_container -t`


@ -23,9 +23,9 @@
# built in stage 1. See "stage_repo()" documentation further below for more.
# This stage uses:
# - portage-stable from the SDK's /var/lib/gentoo/repos/gentoo
# or a git ref via --stage1_portage_ref command line option
# or a custom path via --stage1_portage_path command line option
# - coreos-overlay from the SDK's /var/lib/gentoo/repos/coreos-overlay
# or a git ref via --stage1_overlay_ref command line option
# or a custom path via --stage1_overlay_path command line option
# Command line option refs need caution though, since
# stage1 must not contain updated ebuilds (see build_stage1 below).
#
@ -59,10 +59,10 @@ TYPE="flatcar-sdk"
. "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
DEFINE_string stage1_portage_ref "" \
"Custom portage repo git ref to use in stage 1 (USE WITH CAUTION)"
DEFINE_string stage1_overlay_ref "" \
"Custom overlay repo git ref to use in stage 1 (USE WITH CAUTION)"
DEFINE_string stage1_portage_path "" \
"Path to custom portage ebuilds tree to use in stage 1 (DANGEROUS; USE WITH CAUTION)"
DEFINE_string stage1_overlay_path "" \
"Path to custom overlay ebuilds tree to use in stage 1 (DANGEROUS; USE WITH CAUTION)"
## Define the stage4 config template
@ -113,11 +113,11 @@ chmod 1777 "${ROOT_OVERLAY}/tmp"
cp "${BUILD_LIBRARY_DIR}/toolchain_util.sh" "${ROOT_OVERLAY}/tmp"
# Stage 1 uses "known-good" ebuild repos (both coreos-overlay and portage-stable)
# Stage 1 uses "known-good" ebuilds (from both coreos-overlay and portage-stable)
# to build a minimal toolchain (USE="-*") for stage 2.
#
# No package updates must happen in stage 1, so we use the portage-stable and
# coreos-overlay repos included with the current SDK (from the SDK chroot's
# coreos-overlay paths included with the current SDK (from the SDK chroot's
# /var/lib/gentoo/repos/). "Current SDK" refers to the SDK we entered with
# 'cork enter', i.e. the SDK we run ./bootstrap_sdk in.
#
@ -125,21 +125,27 @@ cp "${BUILD_LIBRARY_DIR}/toolchain_util.sh" "${ROOT_OVERLAY}/tmp"
# a minimal stage 2 from known-good ebuild versions - the same ebuild versions
# that were used to build the very SDK we run ./bootstrap_sdk in.
#
# This is needed because stage 1 lacks proper isolation and will link all packages built for
# DANGER ZONE
#
# Stage 1 lacks proper isolation and will link all packages built for
# stage 2 against its own seed libraries ("/" in the catalyst chroot) instead of against libraries
# installed into the FS root of the stage 2 seed ("/tmp/stage1root" in the catalyst chroot).
# This is why we must prevent any updated package ebuilds to "leak" into stage 1, hence we use
# "known good" ebuild repo versions outlined above.
#
# In special circumstances it may be required to circumvent this and use git
# refs of either (or both) portage and overlay. The command line options
# --stage1-portage-ref and --stage1-overlay-ref may be used to specify
# a git ref known to work for stage1. In that case the stage1 seed (i.e. the seed SDK)
# In special circumstances it may be required to circumvent this and use custom paths
# for either (or both) portage and overlay. The command line options
# --stage1-portage-path and --stage1-overlay-path may be used to specify
# a repo path known to work for stage1. In that case the stage1 seed (i.e. the seed SDK)
# will be updated prior to starting to build stage 2.
# NOTE that this should never be used to introduce library updates in stage 1. All binaries
# produced in stage 1 are linked against libraries in the seed tarball, NOT libraries produced
# by stage one. Therefore, these binaries will cease to work in stage 2 when linked against
# outdated "seed tarball" libraries which have been updated to newer versions in stage 1.
stage_repo() {
local repo="$1"
local gitref="$2"
local path="$2"
local dest="$3"
local gitname="$repo"
@ -147,16 +153,14 @@ stage_repo() {
gitname="portage-stable"
fi
if [ -z "$gitref" ]; then
if [ -z "$path" ]; then
cp -R "/var/gentoo/repos/${repo}" "$dest"
info "Using local SDK's ebuild repo '$repo' ('$gitname') in stage 1."
else
info "Using git ref '$gitref' for ebuild repo '$repo' ('$gitname') in stage 1."
mkdir "$dest/$repo"
( cd "$dest/$repo" \
&& git clone "https://github.com/flatcar/$gitname.git" . \
&& git fetch --all \
&& git checkout "$gitref" )
cp -R "${path}/"* "$dest/${repo}/"
info "Using custom path '$path' for ebuild repo '$repo' ('$gitname') in stage 1."
info "This may break stage 2. YOU HAVE BEEN WARNED. You break it, you keep it."
fi
(
set -euo pipefail
@ -186,9 +190,9 @@ build_stage1() {
mkdir "$stage1_repos"
# prepare ebuild repos for stage 1, either from the local SDK (default)
# or from git refs specified via command line flags
stage_repo "gentoo" "${FLAGS_stage1_portage_ref}" "$stage1_repos"
stage_repo "coreos-overlay" "${FLAGS_stage1_overlay_ref}" "$stage1_repos"
# or from custom paths specified via command line flags
stage_repo "gentoo" "${FLAGS_stage1_portage_path}" "$stage1_repos"
stage_repo "coreos-overlay" "${FLAGS_stage1_overlay_path}" "$stage1_repos"
# Create a snapshot of "known-good" portage-stable repo copy for use in stage 1
# This requires us to create a custom catalyst config to point it to the
@ -209,8 +213,8 @@ build_stage1() {
-e "s,^portage_overlay:.*,portage_overlay: $stage1_repos/coreos-overlay," \
"$TEMPDIR/stage1.spec"
# If we are to use a git ref for either ebuild repo we want to update the stage1 seed SDK
if [ -n "${FLAGS_stage1_portage_ref}" -o -n "${FLAGS_stage1_overlay_ref}" ] ; then
# If we are to use a custom path for either ebuild repo we want to update the stage1 seed SDK
if [ -n "${FLAGS_stage1_portage_path}" -o -n "${FLAGS_stage1_overlay_path}" ] ; then
sed -i 's/^update_seed: no/update_seed: yes/' "$TEMPDIR/stage1.spec"
echo "update_seed_command: --update --deep --newuse --complete-graph --rebuild-if-new-ver --rebuild-exclude cross-*-cros-linux-gnu/* sys-devel/gcc " \
>>"$TEMPDIR/stage1.spec"
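Review bot: The new `cp -R "${path}/"* "$dest/${repo}/"` in stage_repo never checks that `$path` is an existing directory, so a mistyped `--stage1_portage_path` or `--stage1_overlay_path` yields an empty or half-populated stage-1 tree instead of an early failure; nothing in the visible part of the function is under `set -e` until the later `( set -euo pipefail` subshell, unless the file enables it earlier. Guard the copy with something like `[ -d "${path}" ] || die "stage 1 ebuild path '${path}' is not a directory"` (using whatever fatal helper the script sources; only `info` is visible here). The unquoted `*` also skips dot-prefixed entries, which keeps `.git` out but is worth a one-line comment so nobody "fixes" it. The file header still says `Command line option refs need caution though`; now that the options take directories it should read `Command line option paths need caution though`.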


@ -400,8 +400,7 @@ get_metadata() {
# SRC_URI is empty for the special github.com/flatcar projects
if [ -z "${val}" ]; then
# The grep invocation gives errors when the ebuild file is not present.
# This can happen if a "scripts" branch does not match the "coreos-overlay" branch
# or when the binary packages from ./build_packages are outdated.
# This can happen when the binary packages from ./build_packages are outdated.
val="$(grep "CROS_WORKON_PROJECT=" "${ebuild_path}" | cut -d '"' -f 2)"
if [ -n "${val}" ]; then
val="https://github.com/${val}"
@ -541,8 +540,6 @@ You can read it with "less licenses.json.bz2" or convert it to a text format wit
bzcat licenses.json.bz2 | jq -r '.[] | "\(.project):\nDescription: \(.description)\nLicenses: \(.licenses)\nHomepage: \(.homepage)\nSource code: \(.source)\nFiles:\n\(.files)\n"'
The license texts are available under /usr/share/licenses/common/ and can be read with "less NAME.gz".
Build system files and patches used to build these projects are located at:
https://github.com/flatcar/coreos-overlay/
https://github.com/flatcar/portage-stable/
https://github.com/flatcar/scripts/
Information on how to build Flatcar Container Linux can be found under:
https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/


@ -48,13 +48,9 @@ main-repo = portage-stable
[coreos]
location = /var/lib/portage/coreos-overlay
sync-type = git
sync-uri = https://github.com/flatcar/coreos-overlay.git
[portage-stable]
location = /var/lib/portage/portage-stable
sync-type = git
sync-uri = https://github.com/flatcar/portage-stable.git
EOF
# Now set the correct profile, we do not use the eselect tool - it


@ -39,7 +39,7 @@ image_build amd64
### SDK bootstrap build
1. SDK Bootstrap (`sdk.sh`): Use a seed SDK tarball and seed SDK container image to build a new SDK tarball.
The resulting SDK tarball will use packages and versions pinned in the coreos-overlay and portage-stable submodules.
The resulting SDK tarball will ship packages and versions from the updated coreos-overlay and portage-stable ebuild directories.
This step updates the versionfile, recording the SDK container version just built.
It will generate and push a new version tag to the scripts repo.
2. SDK container build (`sdk_container.sh`) : use SDK tarball to build an SDK container image.


@ -12,23 +12,6 @@ source ci-automation/ci-config.env
: ${TEST_WORK_DIR:='__TESTS__'}
function init_submodules() {
git submodule init
git submodule update
}
# --
function update_submodule() {
local submodule="$1"
local commit_ish="$2"
cd "sdk_container/src/third_party/${submodule}"
git fetch --all --tags
git checkout "${commit_ish}"
cd -
}
# --
function check_version_string() {
local version="$1"
@ -39,16 +22,6 @@ function check_version_string() {
}
# --
function update_submodules() {
local coreos_git="$1"
local portage_git="$2"
init_submodules
update_submodule "coreos-overlay" "${coreos_git}"
update_submodule "portage-stable" "${portage_git}"
}
# --
function update_and_push_version() {
local version="$1"
local push_to_branch="${2:-false}"
@ -62,8 +35,6 @@ function update_and_push_version() {
fi
# Add and commit local changes
git add "sdk_container/src/third_party/coreos-overlay"
git add "sdk_container/src/third_party/portage-stable"
git add "sdk_container/.repo/manifests/version.txt"
git commit --allow-empty -m "New version: ${version}"
@ -77,7 +48,7 @@ function update_and_push_version() {
# - the remote tag has changes compared to the local tree (rc: 1)
if [ "$ret" = "0" ]; then
echo "Reusing existing tag" >&2
git checkout -f --recurse-submodules "${version}"
git checkout -f "${version}"
return
elif [ "$ret" = "1" ]; then
echo "Remote tag exists already and is not equal" >&2
@ -476,35 +447,20 @@ function list_files() {
}
# --
# Looks for ../scripts.patch, ../overlay.patch, ../portage.patch and
# applies them to the current repo or the respective sub-module checkout.
# Applies ../scripts.patch to the current repo.
function apply_local_patches() {
local patch_files=(../scripts.patch ../overlay.patch ../portage.patch)
local patch_file
local patch_file="../scripts.patch"
local patch_id
local dirarg
echo "Looking for local patches ${patch_files[*]}"
for patch_file in "${patch_files[@]}"; do
if [ "${patch_file}" = "../scripts.patch" ]; then
dirarg=()
elif [ "${patch_file}" = "../overlay.patch" ]; then
dirarg=("-C" "sdk_container/src/third_party/coreos-overlay/")
elif [ "${patch_file}" = "../portage.patch" ]; then
dirarg=("-C" "sdk_container/src/third_party/portage-stable/")
echo "Looking for local patches ${patch_file}"
patch_id=$(test -e "${patch_file}" && { cat "${patch_file}" | git patch-id | cut -d ' ' -f 1 ; } || true)
if [ "${patch_id}" != "" ]; then
if git "${dirarg[@]}" log --no-merges -p HEAD | git patch-id | cut -d ' ' -f 1 | grep -q "${patch_id}"; then
echo "Skipping already applied ${patch_file}"
else
echo "wrong case: unexpected ${patch_file}"
exit 1
echo "Applying ${patch_file}"
GIT_COMMITTER_NAME="Flatcar Buildbot" GIT_COMMITTER_EMAIL="buildbot@flatcar-linux.org" git am -3 "$PWD/${patch_file}"
fi
patch_id=$(test -e "${patch_file}" && { cat "${patch_file}" | git patch-id | cut -d ' ' -f 1 ; } || true)
if [ "${patch_id}" != "" ]; then
if git "${dirarg[@]}" log --no-merges -p HEAD | git patch-id | cut -d ' ' -f 1 | grep -q "${patch_id}"; then
echo "Skipping already applied ${patch_file}"
else
echo "Applying ${patch_file}"
GIT_COMMITTER_NAME="Flatcar Buildbot" GIT_COMMITTER_EMAIL="buildbot@flatcar-linux.org" git "${dirarg[@]}" am -3 "$PWD/${patch_file}"
fi
fi
done
fi
}
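Review bot: `dirarg` is no longer declared anywhere in apply_local_patches (the `local dirarg` line and the per-patch assignments were removed), yet the `git log` test inside the rewritten function still reads `"${dirarg[@]}"`, as far as the rendered diff shows. With `set -u` on bash older than 4.4 that aborts with an unbound-variable error; on newer bash it silently expands to nothing and just misleads the next reader. The line should be `if git log --no-merges -p HEAD | git patch-id | cut -d ' ' -f 1 | grep -q "${patch_id}"; then`. While there, `cat "${patch_file}" | git patch-id` can simply be `git patch-id < "${patch_file}"`.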
# --


@ -35,10 +35,6 @@
#
# 3. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 4. A file ../overlay.patch to apply with "git am -3" for the coreos-overlay sub-module.
#
# 5. A file ../portage.patch to apply with "git am -3" for the portage-stable sub-module.
#
# OUTPUT:
#
# 1. OS image, dev container, related artifacts, and torcx packages pushed to buildcache.
@ -66,7 +62,6 @@ function _image_build_impl() {
channel="$(get_git_channel)"
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_VERSION}"


@ -47,7 +47,6 @@ function _image_changes_impl() {
channel="$(get_git_channel)"
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_VERSION}"


@ -32,29 +32,15 @@
#
# OPTIONAL INPUT:
#
# 2. coreos-overlay repository tag to use (commit-ish).
# Optional - use scripts repo sub-modules as-is if not set.
# This version will be checked out / pulled from remote in the coreos-overlay git submodule.
# The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
# 1. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 3. portage-stable repository tag to use (commit-ish).
# Optional - use scripts repo sub-modules as-is if not set.
# This version will be checked out / pulled from remote in the portage-stable git submodule.
# The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
#
# 4. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 5. A file ../overlay.patch to apply with "git am -3" for the coreos-overlay sub-module.
#
# 6. A file ../portage.patch to apply with "git am -3" for the portage-stable sub-module.
#
# 7. AVOID_NIGHTLY_BUILD_SHORTCUTS. Environment variable. Tells the script to build the SDK even if nothing has changed since last nightly build.
# 2. AVOID_NIGHTLY_BUILD_SHORTCUTS. Environment variable. Tells the script to build the SDK even if nothing has changed since last nightly build.
# See the description in ci-config.env.
#
# OUTPUT:
#
# 1. Updated scripts repository
# - version tag w/ submodules
# - version tag
# - sdk_container/.repo/manifests/version.txt denotes new FLATCAR OS version
# 2. "./skip-build" as flag file to signal that the build should stop
@ -71,34 +57,21 @@ function packages_tag() {
function _packages_tag_impl() {
local version="$1"
local coreos_git="${2:-}"
local portage_git="${3:-}"
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
check_version_string "${version}"
source sdk_container/.repo/manifests/version.txt
local sdk_version="${FLATCAR_SDK_VERSION}"
if [ -n "${coreos_git}" ] ; then
update_submodule "coreos-overlay" "${coreos_git}"
fi
if [ -n "${portage_git}" ] ; then
update_submodule "portage-stable" "${portage_git}"
fi
# Create new tag in scripts repo w/ updated versionfile + submodules.
# Create new tag in scripts repo w/ updated versionfile
# Also push the changes to the branch ONLY IF we're doing a nightly
# build of the 'main'/'flatcar-MAJOR' branch AND we're definitely ON the respective branch
# (`scripts` and submodules).
local push_branch="false"
if [[ "${version}" =~ ^(stable|alpha|beta|lts)-[0-9.]+-nightly-[-0-9]+$ ]] \
&& [[ "$(git rev-parse --abbrev-ref HEAD)" =~ ^flatcar-[0-9]+$ ]] \
&& [[ "$(git -C sdk_container/src/third_party/coreos-overlay/ rev-parse --abbrev-ref HEAD)" =~ ^flatcar-[0-9]+$ ]] \
&& [[ "$(git -C sdk_container/src/third_party/portage-stable/ rev-parse --abbrev-ref HEAD)" =~ ^flatcar-[0-9]+$ ]] ; then
&& [[ "$(git rev-parse --abbrev-ref HEAD)" =~ ^flatcar-[0-9]+$ ]] ; then
push_branch="true"
local existing_tag=""
# Check for the existing tag only when we allow shortcutting
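Review bot: The comment `# (\`scripts\` and submodules).` above the `push_branch` test in _packages_tag_impl is now stale: the two `git -C sdk_container/src/third_party/... rev-parse` checks it referred to were dropped, so it describes a condition that no longer exists; change it to `# (the \`scripts\` repo only).` The function also lost its `$2`/`$3` positional parameters; if the `packages_tag` wrapper above the hunk or the CI job definitions still forward coreos-overlay/portage-stable refs, those arguments are now silently ignored rather than rejected, which is worth confirming outside this diff. _packages_tag_impl continues past the end of the hunk.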


@ -38,10 +38,6 @@
#
# 4. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 5. A file ../overlay.patch to apply with "git am -3" for the coreos-overlay sub-module.
#
# 6. A file ../portage.patch to apply with "git am -3" for the portage-stable sub-module.
#
# OUTPUT:
#
# 1. Exported container image "flatcar-packages-[ARCH]-[VERSION].tar.gz" with binary packages
@ -68,7 +64,6 @@ function _packages_build_impl() {
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local sdk_version="${FLATCAR_SDK_VERSION}"


@ -78,7 +78,6 @@ function _push_packages_impl() {
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_VERSION}"


@ -188,7 +188,6 @@ function _release_build_impl() {
source sdk_lib/sdk_container_common.sh
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
# Needed because we are not the SDK container here


@ -26,41 +26,27 @@
#
# OPTIONAL INPUT:
#
# 3. coreos-overlay repository tag to use (commit-ish).
# This version will be checked out / pulled from remote in the coreos-overlay git submodule.
# The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
# Leave empty to use coreos-overlay as-is.
#
# 4. portage-stable repository tag to use (commit-ish).
# This version will be checked out / pulled from remote in the portage-stable git submodule.
# The submodule config will be updated to point to this version before the TARGET SDK tag is created and pushed.
# Leave empty to use portage-stable as-is.
#
# 5. ARCH. Environment variable. Target architecture for the SDK to run on.
# 3. ARCH. Environment variable. Target architecture for the SDK to run on.
# Either "amd64" or "arm64"; defaults to "amd64" if not set.
#
# 6. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# 4. SIGNER. Environment variable. Name of the owner of the artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 7. SIGNING_KEY. Environment variable. The artifact signing key.
# 5. SIGNING_KEY. Environment variable. The artifact signing key.
# Defaults to nothing if not set - in such case, artifacts will not be signed.
# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
#
# 8. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
# 6. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 9. A file ../overlay.patch to apply with "git am -3" for the coreos-overlay sub-module.
#
# 10. A file ../portage.patch to apply with "git am -3" for the portage-stable sub-module.
#
# 11. AVOID_NIGHTLY_BUILD_SHORTCUTS. Environment variable. Tells the script to build the SDK even if nothing has changed since last nightly build.
# 7. AVOID_NIGHTLY_BUILD_SHORTCUTS. Environment variable. Tells the script to build the SDK even if nothing has changed since last nightly build.
# See the description in ci-config.env.
#
# OUTPUT:
#
# 1. SDK tarball (gentoo catalyst output) of the new SDK, pushed to buildcache.
# 2. Updated scripts repository
# - version tag w/ submodules
# - version tag
# - sdk_container/.repo/manifests/version.txt denotes new SDK version
# 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
# to be run after this step finishes / when this step is aborted.
@ -81,32 +67,19 @@ function sdk_bootstrap() {
function _sdk_bootstrap_impl() {
local seed_version="$1"
local version="$2"
local coreos_git="${3-}"
local portage_git="${4-}"
: ${ARCH:="amd64"}
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
check_version_string "${version}"
if [ -n "${coreos_git}" ] ; then
update_submodule "coreos-overlay" "${coreos_git}"
fi
if [ -n "${portage_git}" ] ; then
update_submodule "portage-stable" "${portage_git}"
fi
# Create new tag in scripts repo w/ updated versionfile + submodules.
# Create new tag in scripts repo w/ updated versionfile.
# Also push the changes to the branch ONLY IF we're doing a nightly
# build of the 'main' branch AND we're definitely ON the main branch
# (`scripts` and submodules).
local push_branch="false"
if [[ "${version}" =~ ^main-[0-9.]+-nightly-[-0-9]+$ ]] \
&& [ "$(git rev-parse --abbrev-ref HEAD)" = "main" ] \
&& [ "$(git -C sdk_container/src/third_party/coreos-overlay/ rev-parse --abbrev-ref HEAD)" = "main" ] \
&& [ "$(git -C sdk_container/src/third_party/portage-stable/ rev-parse --abbrev-ref HEAD)" = "main" ] ; then
&& [ "$(git rev-parse --abbrev-ref HEAD)" = "main" ] ; then
push_branch="true"
local existing_tag=""
# Check for the existing tag only when we allow shortcutting
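Review bot: In _sdk_bootstrap_impl the comment `# (\`scripts\` and submodules).` survives above the `push_branch` condition although the submodule branch checks it explains were removed in the same hunk; it should now read `# (the \`scripts\` repo only).` The removed `coreos_git="${3-}"` / `portage_git="${4-}"` parameters mean any caller still passing a third or fourth argument, including the `sdk_bootstrap` wrapper whose body starts before this hunk, will have them ignored without a warning; a one-line `[ $# -le 2 ] || echo "warning: extra arguments ignored" >&2` would make that transition visible, assuming no caller legitimately passes more. The function continues past the end of the hunk.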


@ -56,8 +56,6 @@ function _sdk_container_build_impl() {
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_SDK_VERSION}"
local sdk_tarball="flatcar-sdk-${ARCH}-${vernum}.tar.bz2"


@ -140,7 +140,6 @@ function _test_run_impl() {
source ci-automation/tapfile_helper_lib.sh
source ci-automation/ci_automation_common.sh
source sdk_lib/sdk_container_common.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_VERSION}"


@ -38,10 +38,6 @@
#
# 3. A file ../scripts.patch to apply with "git am -3" for the scripts repo.
#
# 4. A file ../overlay.patch to apply with "git am -3" for the coreos-overlay sub-module.
#
# 5. A file ../portage.patch to apply with "git am -3" for the portage-stable sub-module.
#
# OUTPUT:
#
# 1. Exported VM image(s), pushed to buildcache ( images/[ARCH]/[FLATCAR_VERSION]/ )
@ -68,7 +64,6 @@ function _vm_build_impl() {
source ci-automation/ci_automation_common.sh
source ci-automation/gpg_setup.sh
init_submodules
source sdk_container/.repo/manifests/version.txt
local vernum="${FLATCAR_VERSION}"


@ -16,8 +16,6 @@ if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
echo "restart the leaf job after retagging. Note: Just starting a leaf job with your"
echo "branch as reference is not valid because it would overwrite the nightly build"
echo "artifacts!"
echo
echo "TODO: Add feature to update coreos-overlay/portage-stable submodule refs"
exit 1
fi


@ -124,8 +124,6 @@ if [ -z "$stat" ] ; then
$docker create $tty -i \
-v /dev:/dev \
-v "$(pwd)/sdk_container:/mnt/host/source/" \
-v "$(pwd)/sdk_container/git-override/.git-coreos-overlay:/mnt/host/source/src/third_party/coreos-overlay/.git" \
-v "$(pwd)/sdk_container/git-override/.git-portage-stable:/mnt/host/source/src/third_party/portage-stable/.git" \
-v "$(pwd)/__build__/images:/mnt/host/source/src/build" \
-v "$(pwd):/mnt/host/source/src/scripts" \
$gpg_volumes \


@ -1 +0,0 @@
gitdir: ../../scripts/.git/modules/sdk_container/src/third_party/coreos-overlay


@ -1 +0,0 @@
gitdir: ../../scripts/.git/modules/sdk_container/src/third_party/portage-stable


@ -1,5 +0,0 @@
# GIT overrides for submodules
In the SDK container, the scripts root is at a different relative path to the submodules.
The overrides in this directory are into `coreos-overlay/.git` and `portage-stable/.git` so the submodules can find their parents.

@ -1 +0,0 @@
Subproject commit 3e7ea8c017e466a9133a4d64c5b6a0c16c9543dd


@ -0,0 +1 @@
metadata/md5-cache


@ -0,0 +1,21 @@
# Derived from https://github.com/mrueg/repoman-travis/
sudo: required
language: python
python:
- pypy
# For some reason portage is defaulting to lbzip2/lbunzip2 here and then complaining when they don't
# exist, so use plain old b{,un}zip2.
env:
- PORTAGE_VER="2.3.40" PORTAGE_BZIP2_COMMAND="bzip2" PORTAGE_BUNZIP2_COMMAND="bunzip2"
before_install:
- sudo apt-get -qq update
- pip install lxml pyyaml
before_script: ./.travis/setup_repoman.sh
script:
- cd /usr/coreos-overlay
- /tmp/portage/portage-${PORTAGE_VER}/repoman/bin/repoman --experimental-repository-modules=y -dx full
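Review bot: `pip install lxml pyyaml` in before_install is unpinned, so the repoman lint result depends on whatever versions PyPI serves on the day the job runs, while the portage version is deliberately pinned via `PORTAGE_VER`. Pinning these two the same way, e.g. `pip install 'lxml==<ver>' 'pyyaml==<ver>'`, keeps the job reproducible and narrows what a compromised or broken upstream release can change. The `--experimental-repository-modules=y` flag on the repoman line would also deserve a one-line comment saying why the experimental code path is needed.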


@ -0,0 +1,8 @@
[DEFAULT]
main-repo = portage-stable
[coreos]
location = /usr/coreos-overlay
[portage-stable]
location = /usr/portage


@ -0,0 +1,23 @@
#!/bin/bash
set -euo pipefail
# Set up directory permissions/portage user and group.
sudo chmod a+rwX /etc/passwd /etc/group /etc /usr
echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >> /etc/passwd
echo "portage::250:portage,travis" >> /etc/group
# Shuffle portage repositories around into the right places.
mkdir -p /etc/portage/repos.conf /usr/coreos-overlay
mv * /usr/coreos-overlay/
mv .git /usr/coreos-overlay/
git clone https://github.com/coreos/portage-stable /usr/portage/
cp .travis/coreos.conf /etc/portage/repos.conf/
ln -s /usr/coreos-overlay/profiles/coreos/amd64/sdk /etc/portage/make.profile
mkdir -p /usr/portage/metadata/{dtd,xml-schema}
wget -O /usr/portage/metadata/dtd/metadata.dtd https://www.gentoo.org/dtd/metadata.dtd
wget -O /usr/portage/metadata/xml-schema/metadata.xsd https://www.gentoo.org/xml-schema/metadata.xsd
# Download portage.
mkdir /tmp/portage && cd /tmp/portage
wget -qO - "https://gitweb.gentoo.org/proj/portage.git/snapshot/portage-${PORTAGE_VER}.tar.gz" | tar xz
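Review bot: The first step, `sudo chmod a+rwX /etc/passwd /etc/group /etc /usr`, makes the password and group databases world-writable for the rest of the job even though the two `echo >>` lines only need a single privileged append; `echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" | sudo tee -a /etc/passwd` (and the same for `/etc/group`), plus `sudo mkdir -p`/`sudo chown "$(id -u)"` for `/usr/coreos-overlay` and `/usr/portage`, keeps the system files root-owned. The portage snapshot on the last line is downloaded over HTTPS and executed by the job, but it is never checked against a known digest; pinning `PORTAGE_VER` alone does not detect a tampered tarball, so record a SHA-256 and verify it with `sha256sum -c` before `tar xz`. The `git clone https://github.com/coreos/portage-stable` is likewise unpinned, so the lint baseline is whatever the default branch holds at run time; a `--branch`/`git checkout <ref>` of a known commit would make the result reproducible. This is a throwaway CI VM, so the exposure is limited to the job itself, but the script is the pattern others will copy.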


@ -0,0 +1,8 @@
# Maintainers
* Krzesimir Nowak @krnowak
* Thilo Fromm @t-lo
See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).


@ -0,0 +1,57 @@
# Overview
This overlay contains Container Linux specific packages and Gentoo packages
that differ from their upstream Gentoo versions.
See the [portage-stable](https://github.com/coreos/portage-stable) repo
for packages which do not have Container Linux specific changes.
Licensing information can be found in the respective files, so consult
them directly. Most ebuilds are licensed under the GPL version 2.
Upstream Gentoo sources: https://gitweb.gentoo.org/repo/gentoo.git
# Important packages
`coreos-base/coreos` is the package responsible for everything that gets
built into a production image and is not OEM specific.
`coreos-base/coreos-dev` is the package responsible for everything that
gets built into a developer image and is not OEM specific.
`coreos-devel/sdk-depends` is the package responsible for everything that
gets built into the Container Linux SDK.
`coreos-devel/board-packages` is everything that could be built into a
development or production image, plus any OEM specific packages.
`coreos-base/oem-*` are the OEM specific packages. They mostly install things
that belong in the OEM partition. Any RDEPENDS from these packages should
be copied to the RDEPENDS in `board-packages` to ensure they are built.
`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
# Updating
To update follow the following steps:
* Remove or rename the whole folder of the package to prepare the import from
upstream Gentoo, not only resetting the ebuild file but also any additional
files like patches or downstream additions under `files`.
* Run `~/trunk/src/scripts/update_ebuilds --portage_stable . CATEGORY/PACKAGE`
in the `coreos-overlay` folder to import a new version from upstream Gentoo.
Drop the ebuild files that you don't plan to use.
* Commit the changes with a message like `CATEGORY/PACKAGE: Sync from Gentoo`,
and mention the the commit ID in the body (`git show update_ebuilds/master`).
* Now find all downstream patches for the package by running
`git log CATEGORY/PACKAGE`. If everybody followed the process of resetting
before importing an upstream update, you only have to look for the commits
after the last update and port them to the new version. Otherwise you have
to compare the files manually to their upstream versions from older
[portage](https://github.com/gentoo/portage/) revisions.
* You can combine all old and new downstream patches into a single new commit
with the message `CATEGORY/PACKAGE: Apply Flatcar patches` to keep the number of
commits to port low, or have separate commits. Make sure that you explain
the changes and carry the explanations from old commits over, either in the
commit message, through comments in the ebuild file, or through a `README.md`
in the folder.


@ -0,0 +1,36 @@
# Copyright (c) 2016 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=6
TMPFILES_OPTIONAL=1
inherit systemd tmpfiles
DESCRIPTION="etcd (System Application Container)"
HOMEPAGE="https://github.com/etcd-io/etcd"
KEYWORDS="amd64 arm64"
LICENSE="Apache-2.0"
IUSE=""
SLOT=0
DEPEND=""
RDEPEND=">=app-admin/sdnotify-proxy-0.1.0"
S=${WORKDIR}
src_install() {
local tag="v${PV}"
if [[ "${ARCH}" != "amd64" ]]; then
tag+="-${ARCH}"
fi
exeinto /usr/lib/flatcar
doexe "${FILESDIR}"/etcd-wrapper
sed "s|@ETCD_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/etcd-member.service > ${T}/etcd-member.service
systemd_dounit ${T}/etcd-member.service
dotmpfiles "${FILESDIR}"/etcd-wrapper.conf
}
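Review bot: The `sed "s|@ETCD_IMAGE_TAG@|${tag}|g" ... > ${T}/etcd-member.service` in src_install has no `|| die`, so if sed fails (for example because the template is missing from FILESDIR) the redirect still creates an empty or truncated unit that `systemd_dounit` then installs without any error. Append `|| die` to the sed and quote the path in both uses: `"${FILESDIR}"/etcd-member.service > "${T}"/etcd-member.service || die` and `systemd_dounit "${T}"/etcd-member.service`. A one-line comment above the `tag` computation noting that non-amd64 images are published under a `v${PV}-${ARCH}` tag would also help the next person who bumps the version.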


@ -0,0 +1,29 @@
[Unit]
Description=etcd (System Application Container)
Documentation=https://github.com/etcd-io/etcd
Wants=network-online.target network.target
After=network-online.target
Conflicts=etcd.service
Conflicts=etcd2.service
[Service]
Type=notify
NotifyAccess=all
Restart=always
RestartSec=10s
TimeoutStartSec=0
LimitNOFILE=40000
Environment="ETCD_IMAGE_URL=quay.io/coreos/etcd"
Environment="ETCD_IMAGE_TAG=@ETCD_IMAGE_TAG@"
Environment="ETCD_NAME=%m"
Environment="ETCD_USER=etcd"
Environment="ETCD_DATA_DIR=/var/lib/etcd"
Environment="ETCD_SSL_DIR=/etc/ssl/certs"
ExecStart=/usr/lib/flatcar/etcd-wrapper $ETCD_OPTS
ExecStop=/usr/bin/docker stop etcd-member
ExecStopPost=/usr/bin/docker rm etcd-member
[Install]
WantedBy=multi-user.target


@ -0,0 +1,36 @@
#!/bin/bash
# The "etcd-wrapper" script can't be deleted because ct overwrites
# the ExecStart directive with etcd-wrapper. Do the new action of
# ExecStart here.
set -e
# Since etcd/v3 we can't use both `--name` and `ETCD_NAME` at the same time.
# We parse the etcd command line options to find a `--name/-name` flag if we found one,
# we unset the `ETCD_NAME` to not conflict with it.
for f in "${@}"; do
if [[ $f =~ ^-?-name=? ]]; then
unset ETCD_NAME
break
fi
done
# Do not pass ETCD_DATA_DIR through to the container. The default path,
# /var/lib/etcd is always used inside the container.
etcd_data_dir="${ETCD_DATA_DIR}"
ETCD_DATA_DIR="/var/lib/etcd"
mkdir -p ${etcd_data_dir}
chown -R etcd:etcd ${etcd_data_dir}
chmod 700 ${etcd_data_dir}
# A better way to run the Flannel/etcd container image is Podman because
# Flannel depends on etcd but wants to be run before Docker so that it
# can set up the Docker networking. Etcd and Flannel are part of the
# Container Linux Config specification and thus can't be dropped easily.
# For now we have to resort to running these services with Docker and try
# to restart Docker for the Flannel options to take effect.
/usr/bin/docker stop etcd-member || true
/usr/bin/docker rm -f etcd-member || true
# set umask so that sdnotify-proxy creates /run/etcd-notify with the same relaxed permissions as NOTIFY_SOCKET (/run/systemd/notify) normally has, to allow ETCD_USER to write to it
umask 000
# mapping only /run/etcd-notify does not work and we use the full /run, also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
/usr/libexec/sdnotify-proxy /run/etcd-notify /usr/bin/docker run --name etcd-member --network=host --ipc=host -u $(id -u ${ETCD_USER}):$(id -g ${ETCD_USER}) -v /run:/run -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro -v ${etcd_data_dir}:/var/lib/etcd:rw -v ${ETCD_SSL_DIR}:/etc/ssl/certs:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/etcd-notify) --entrypoint /usr/local/bin/etcd ${ETCD_IMAGE:-${ETCD_IMAGE_URL}:${ETCD_IMAGE_TAG}} "$@"
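Review bot: The data directory is chowned to the literal `etcd:etcd` while the container itself runs as `${ETCD_USER}` (the `-u $(id -u ${ETCD_USER}):$(id -g ${ETCD_USER})` on the docker run line), so a drop-in that overrides ETCD_USER leaves the directory owned by a different account and the daemon cannot write to it; use the same identity for both, e.g. `chown -R "$(id -u "${ETCD_USER}"):$(id -g "${ETCD_USER}")" "${etcd_data_dir}"`. `${etcd_data_dir}` and the `$(id ...)` results are unquoted on the mkdir/chown/chmod and docker run lines, so a path set via a drop-in is word-split. Worth a comment next to `--env-file <(env; ...)`: it forwards the entire service environment into the container, so any variable a drop-in adds becomes visible to etcd, and `-v /run:/run` is mounted read-write (the comment above says only the notify socket needs it).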


@ -0,0 +1 @@
d /var/lib/etcd 0700 etcd etcd - -


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,5 @@
[Match]
OriginalName=flannel*
[Link]
MACAddressPolicy=none


@ -0,0 +1,5 @@
[Match]
Name=flannel*
[Link]
Unmanaged=yes


@ -0,0 +1,24 @@
[Unit]
Description=flannel docker export service - Network fabric for containers (System Application Container)
Documentation=https://github.com/coreos/flannel
PartOf=flanneld.service
Requires=flanneld.service
After=flanneld.service
[Service]
Type=oneshot
RemainAfterExit=true
Restart=on-failure
RestartSec=5s
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="FLANNEL_CMD=/opt/bin/mk-docker-opts.sh"
Environment="FLANNEL_CONTAINER=flannel-docker-opts"
ExecStart=/usr/lib/flatcar/flannel-wrapper -d /run/flannel/flannel_docker_opts.env -i
ExecStop=/usr/bin/docker stop flannel-docker-opts
ExecStopPost=/usr/bin/docker rm flannel-docker-opts
[Install]
WantedBy=multi-user.target


@ -0,0 +1,42 @@
#!/bin/bash
# The "flannel-wrapper" script can't be deleted because ct overwrites
# the ExecStart directive with flannel-wrapper. Do the new action of
# ExecStart here.
set -e
ETCD_SSL_DIR="${ETCD_SSL_DIR:-/etc/ssl/etcd}"
RUN_ARGS=""
if [[ -d "${ETCD_SSL_DIR}" ]]; then
RUN_ARGS="-v ${ETCD_SSL_DIR}:${ETCD_SSL_DIR}:ro"
fi
mkdir --parents /run/flannel
WRAP=""
if [[ -S "${NOTIFY_SOCKET}" ]]; then
WRAP="/usr/libexec/sdnotify-proxy /run/${FLANNEL_CONTAINER}-notify"
fi
# A better way to run the Flannel/etcd container image is Podman because
# Flannel depends on etcd but wants to be run before Docker so that it
# can set up the Docker networking. Etcd and Flannel are part of the
# Container Linux Config specification and thus can't be dropped easily.
# For now we have to resort to running these services with Docker and try
# to restart Docker for the Flannel options to take effect (but that also
# terminates the etcd and flannel containers, causing the services to
# restart).
RESTART_DOCKER=0
if [ "${FLANNEL_CMD}" = "/opt/bin/mk-docker-opts.sh" ] && [ "$1" = "-d" ] && [ ! -f "$2" ]; then
# only restart Docker only on first run, propagating updates on later runs was not done before in the rkt version, so keep the behavior
# (which also helps to break the loop which otherwise exists because "restart docker" mentioned above)
RESTART_DOCKER=1
fi
/usr/bin/docker stop ${FLANNEL_CONTAINER} || true
/usr/bin/docker rm -f ${FLANNEL_CONTAINER} || true
# mapping only /run/${FLANNEL_CONTAINER}-notify does not work and we map the full /run (using /run:/run covers /run/flannel, too), also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
${WRAP} /usr/bin/docker run --name ${FLANNEL_CONTAINER} --privileged --network=host --ipc=host ${RUN_ARGS} -v /run:/run:rw -v /etc/ssl/certs:/etc/ssl/certs:ro -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/${FLANNEL_CONTAINER}-notify) --entrypoint ${FLANNEL_CMD} ${FLANNEL_IMAGE:-${FLANNEL_IMAGE_URL}:${FLANNEL_IMAGE_TAG}} "$@"
if [ "${RESTART_DOCKER}" = 1 ]; then
systemctl restart docker
echo "Restarted Docker to apply Flannel options"
fi


@ -0,0 +1,29 @@
[Unit]
Description=flannel - Network fabric for containers (System Application Container)
Documentation=https://github.com/coreos/flannel
After=etcd.service etcd2.service etcd-member.service
Requires=flannel-docker-opts.service
[Service]
Type=notify
NotifyAccess=all
Restart=always
RestartSec=10s
TimeoutStartSec=300
LimitNOFILE=40000
LimitNPROC=1048576
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="FLANNEL_OPTS=--ip-masq=true"
Environment="FLANNEL_CMD=/opt/bin/flanneld"
Environment="FLANNEL_CONTAINER=flannel"
EnvironmentFile=-/run/flannel/options.env
ExecStartPre=/sbin/modprobe ip_tables
ExecStart=/usr/lib/flatcar/flannel-wrapper $FLANNEL_OPTS
ExecStop=/usr/bin/docker stop flannel
ExecStopPost=/usr/bin/docker rm flannel
[Install]
WantedBy=multi-user.target


@ -0,0 +1,45 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit systemd
DESCRIPTION="flannel (System Application Container)"
HOMEPAGE="https://github.com/coreos/flannel"
KEYWORDS="amd64 arm64"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
RDEPEND="
!app-admin/flannel
>=app-admin/sdnotify-proxy-0.1.0
"
S="$WORKDIR"
src_install() {
local tag="v${PV}"
if [[ "${ARCH}" != "amd64" ]]; then
tag+="-${ARCH}"
fi
exeinto /usr/lib/flatcar
doexe "${FILESDIR}"/flannel-wrapper
sed "s|@FLANNEL_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/flanneld.service > ${T}/flanneld.service
systemd_dounit ${T}/flanneld.service
sed "s|@FLANNEL_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/flannel-docker-opts.service > ${T}/flannel-docker-opts.service
systemd_dounit ${T}/flannel-docker-opts.service
insinto /usr/lib/systemd/network
doins "${FILESDIR}"/50-flannel.network
doins "${FILESDIR}"/50-flannel.link
}
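Review bot: Both `sed "s|@FLANNEL_IMAGE_TAG@|${tag}|g" ... > ${T}/...` redirections in src_install lack `|| die`, so a failing sed still produces an empty or partial unit file that `systemd_dounit` installs silently. Append `|| die` to each sed and quote `"${T}"` in the redirect and the `systemd_dounit` calls, e.g. `"${FILESDIR}"/flanneld.service > "${T}"/flanneld.service || die`. The ebuild ships `S="$WORKDIR"` with no `SRC_URI`, so a short comment stating that nothing is fetched and all payload comes from FILESDIR would save readers from looking for a missing tarball.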


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
locksmith-9999.ebuild


@ -0,0 +1,37 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/locksmith"
CROS_WORKON_LOCALNAME="locksmith"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/locksmith"
inherit cros-workon systemd coreos-go
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="c4cca93a15c7b7fd175e6687a83fc2725029a17a" # flatcar-master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="locksmith"
HOMEPAGE="https://github.com/flatcar/locksmith"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_compile() {
COREOS_GO_MOD=vendor go_build "${COREOS_GO_PACKAGE}/locksmithctl"
}
src_install() {
dobin ${GOBIN}/locksmithctl
dodir /usr/lib/locksmith
dosym ../../../bin/locksmithctl /usr/lib/locksmith/locksmithd
systemd_dounit "${S}"/systemd/locksmithd.service
systemd_enable_service multi-user.target locksmithd.service
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,2 @@
DIST logrotate-3.20.1.tar.xz 166712 BLAKE2B 8481e0d746c6bcbe10f2686a921334c6f957c8d92520927de7bc8fb0b7631a444fedaa80f35bc2de7961b3d5833ce4ab885b1298b235b7f8b33cc3ae05438da6 SHA512 a9ed5796ab254f511d0029a8f29ef7557f62e12e3ea9af24e30b5b9f348b1c1a16df26d44314b78299916fb3b5000b9cd9eed7cee2cee8df11cfd8e40c79b092
DIST logrotate-3.20.1.tar.xz.asc 833 BLAKE2B afc02177335bcd580e0617af8c50846b371c2d00ecd8fe329c2e298dc8c48823137625f455cea3d983a0d9971733297fa2c4d98ba3c6f72d2c07f8f21108cfe4 SHA512 2dd207feec431b223ff12f09f6cce14409d45e5bb3abaf2275dd773c7ee7c59ed7d32395e5869bfed70c970be4158fd299e6e269838378843dcb63ca5ebfa029


@ -0,0 +1,14 @@
diff -Nuar a/config.c b/config.c
--- a/config.c 2018-10-05 17:01:21.000000000 +0200
+++ b/config.c 2018-12-19 16:33:52.280129804 +0100
@@ -417,7 +417,9 @@
int i;
/* Check if fname is '.' or '..'; if so, return false */
- if (fname[0] == '.' && (!fname[1] || (fname[1] == '.' && !fname[2])))
+ /* Don't include 'hidden' files either; this breaks Gentoo
+ portage config file management http://bugs.gentoo.org/87683 */
+ if (fname[0] == '.')
return 0;
/* Check if fname is ending in a taboo-extension; if so, return false */


@ -0,0 +1,147 @@
https://bugs.gentoo.org/847382#c3
https://github.com/logrotate/logrotate/commit/31cf1099ab8514dfcae5a980bc77352edd5292f8
https://github.com/logrotate/logrotate/commit/7b1fa328bf70eb8434166f151bd075cd1440d0dc
From 31cf1099ab8514dfcae5a980bc77352edd5292f8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 09:56:07 +0200
Subject: [PATCH] lockState: do not print `error:` when exit code is unaffected
Closes: https://github.com/logrotate/logrotate/pull/448
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,8 +3050,8 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_ERROR, "state file %s is world-readable and thus can"
- " be locked from other unprivileged users."
+ message(MESS_NORMAL, "warning: state file %s is world-readable"
+ " and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
close(lockFd);
From 7b1fa328bf70eb8434166f151bd075cd1440d0dc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 16:02:57 +0200
Subject: [PATCH] log: unify handling of log levels
Use MESS_WARN instead of MESS_NORMAL and make it always use
the `warning:` prefix. MESS_WARN is now mapped to LOG_WARNING
for syslog.
Also drop MESS_VERBOSE, which was not set anywhere.
Closes: https://github.com/logrotate/logrotate/pull/239
Closes: https://github.com/logrotate/logrotate/pull/449
--- a/config.c
+++ b/config.c
@@ -643,7 +643,7 @@ static void set_criterium(enum criterium *pDst, enum criterium src, int *pSet)
{
if (*pSet && (*pDst != src)) {
/* we are overriding a previously set criterium */
- message(MESS_VERBOSE, "warning: '%s' overrides previously specified '%s'\n",
+ message(MESS_DEBUG, "note: '%s' overrides previously specified '%s'\n",
crit_to_string(src), crit_to_string(*pDst));
}
*pDst = src;
@@ -1021,7 +1021,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
if (getuid() == ROOT_UID) {
if ((sb_config.st_mode & 07533) != 0400) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"Potentially dangerous mode on %s: 0%o\n",
configFile, (unsigned) (sb_config.st_mode & 07777));
}
@@ -1386,7 +1386,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
RAISE_ERROR();
}
} else if (!strcmp(key, "errors")) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"%s: %d: the errors directive is deprecated and no longer used.\n",
configFile, lineNum);
} else if (!strcmp(key, "mail")) {
--- a/log.c
+++ b/log.c
@@ -40,9 +40,12 @@ static void log_once(FILE *where, int level, const char *format, va_list args)
{
switch (level) {
case MESS_DEBUG:
- case MESS_NORMAL:
- case MESS_VERBOSE:
break;
+
+ case MESS_WARN:
+ fprintf(where, "warning: ");
+ break;
+
default:
fprintf(where, "error: ");
break;
@@ -78,10 +81,11 @@ void message(int level, const char *format, ...)
priority |= LOG_DEBUG;
break;
case MESS_DEBUG:
- case MESS_VERBOSE:
- case MESS_NORMAL:
priority |= LOG_INFO;
break;
+ case MESS_WARN:
+ priority |= LOG_WARNING;
+ break;
case MESS_ERROR:
priority |= LOG_ERR;
break;
--- a/log.h
+++ b/log.h
@@ -5,8 +5,7 @@
#define MESS_REALDEBUG 1
#define MESS_DEBUG 2
-#define MESS_VERBOSE 3
-#define MESS_NORMAL 4
+#define MESS_WARN 4
#define MESS_ERROR 5
#define MESS_FATAL 6
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,7 +3050,7 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_NORMAL, "warning: state file %s is world-readable"
+ message(MESS_WARN, "state file %s is world-readable"
" and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
@@ -3106,7 +3106,7 @@ int main(int argc, const char **argv)
POPT_AUTOHELP { NULL, 0, 0, NULL, 0, NULL, NULL }
};
- logSetLevel(MESS_NORMAL);
+ logSetLevel(MESS_WARN);
setlocale (LC_ALL, "");
optCon = poptGetContext("logrotate", argc, argv, options, 0);
@@ -3117,7 +3117,7 @@ int main(int argc, const char **argv)
switch (arg) {
case 'd':
debug = 1;
- message(MESS_NORMAL, "WARNING: logrotate in debug mode does nothing"
+ message(MESS_WARN, "logrotate in debug mode does nothing"
" except printing debug messages! Consider using verbose"
" mode (-v) instead if this is not what you want.\n\n");
/* fallthrough */
--- a/test/test-0080.sh
+++ b/test/test-0080.sh
@@ -10,4 +10,4 @@ cleanup 80
preptest test.log 80 1 0
$RLR -d test-config.80 2>&1 | \
- grep -q "warning: 'daily' overrides previously specified 'size'"
+ grep -q "note: 'daily' overrides previously specified 'size'"


@ -0,0 +1,47 @@
# Flatcar: This is a modified version of the default config that came
# with Gentoo Linux.
#
# Default logrotate(8) configuration file for Gentoo Linux.
# See "man logrotate" for details.
# rotate log files weekly.
#weekly
#daily
# keep 4 weeks worth of backlogs.
#rotate 4
# Flatcar: keep only the most recent old log.
rotate 1
# create new (empty) log files after rotating old ones.
create
# use date as a suffix of the rotated file.
dateext
# compress rotated log files.
compress
# Flatcar: If a file to rotate is missing, don't log an error.
missingok
notifempty
nomail
noolddir
# packages can drop log rotation information into this directory.
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here.
# must match creation rules in /usr/lib/tmpfiles.d/var.conf
/var/log/wtmp {
create 0664 root utmp
size 1M
}
/var/log/btmp {
create 0600 root utmp
size 1M
}
# system-specific logs may also be configured here.


@ -0,0 +1,5 @@
[Unit]
Description=Rotate and Compress System Logs
[Service]
ExecStart=/usr/bin/logrotate /usr/share/logrotate/logrotate.conf
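Review bot: The unit carries no sandboxing directives at all, and the ebuild's own TODO acknowledges that the upstream example unit it replaces has "a bunch of hardening"; since this service runs as root on a timer, at least `ProtectHome=yes` and `PrivateTmp=yes` are safe to add here, and `ProtectSystem=full` is worth trying once it is confirmed that the postrotate scripts in /etc/logrotate.d only write under /var. A `Documentation=man:logrotate(8)` line and a comment stating that the config path is fixed under /usr and overridable via a drop-in (as the ebuild comment explains) would make the unit self-describing.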


@ -0,0 +1,2 @@
d /var/lib/misc
d /etc/logrotate.d - - - - -


@ -0,0 +1,109 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/kamildudka.asc
inherit systemd tmpfiles verify-sig
DESCRIPTION="Rotates, compresses, and mails system logs"
HOMEPAGE="https://github.com/logrotate/logrotate"
SRC_URI="https://github.com/${PN}/${PN}/releases/download/${PV}/${P}.tar.xz"
SRC_URI+=" verify-sig? ( https://github.com/${PN}/${PN}/releases/download/${PV}/${P}.tar.xz.asc )"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
IUSE="acl +cron selinux"
DEPEND=">=dev-libs/popt-1.5
selinux? ( sys-libs/libselinux )
acl? ( virtual/acl )"
RDEPEND="${DEPEND}
selinux? ( sec-policy/selinux-logrotate )
cron? ( virtual/cron )"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-kamildudka )"
STATEFILE="${EPREFIX}/var/lib/misc/logrotate.status"
OLDSTATEFILE="${EPREFIX}/var/lib/logrotate.status"
PATCHES=(
"${FILESDIR}"/${PN}-3.15.0-ignore-hidden.patch
"${FILESDIR}"/${P}-log-changes.patch
)
move_old_state_file() {
elog "logrotate state file is now located at ${STATEFILE}"
elog "See bug #357275"
if [[ -e "${OLDSTATEFILE}" ]] ; then
elog "Moving your current state file to new location: ${STATEFILE}"
mv -n "${OLDSTATEFILE}" "${STATEFILE}" || die
fi
}
install_cron_file() {
exeinto /etc/cron.daily
newexe "${S}"/examples/logrotate.cron "${PN}"
}
src_prepare() {
default
sed -i -e 's#/usr/sbin/logrotate#/usr/bin/logrotate#' examples/logrotate.{cron,service} || die
}
src_configure() {
econf \
$(use_with acl) \
$(use_with selinux) \
--with-state-file-path="${STATEFILE}"
}
src_install() {
dobin logrotate
doman logrotate.8
dodoc ChangeLog.md
# Flatcar: Put our config under /usr. We will point logrotate
# to use this configuration in the systemd unit we install
# below. User can always customize logrotate configuration by
# using drop-ins to point to a different path or by adding
# logrotate config files to /etc/logrotate.d.
insinto /usr/share/logrotate
doins "${FILESDIR}"/logrotate.conf
use cron && install_cron_file
# Flatcar: Install our own systemd service file and enable it
# by default.
#
# TODO: We probably should just patch the example logrotate
# service unit, as it has a bunch of hardening and performance
# tuning stuff done.
systemd_dounit examples/logrotate.timer
systemd_dounit "${FILESDIR}"/logrotate.service
systemd_enable_service multi-user.target logrotate.timer
newtmpfiles "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
keepdir /etc/logrotate.d
}
pkg_postinst() {
elog
elog "The ${PN} binary is now installed under /usr/bin. Please"
elog "update your links"
elog
move_old_state_file
tmpfiles_process ${PN}.conf
if [[ -z ${REPLACING_VERSIONS} ]] ; then
elog "If you wish to have logrotate e-mail you updates, please"
elog "emerge virtual/mailx and configure logrotate in"
elog "/etc/logrotate.conf appropriately"
elog
elog "Additionally, /etc/logrotate.conf may need to be modified"
elog "for your particular needs. See man logrotate for details."
fi
}
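Review bot: src_prepare still rewrites `examples/logrotate.service` with the `/usr/sbin -> /usr/bin` sed although src_install only installs `${FILESDIR}/logrotate.service`, so that half of the substitution is dead code and obscures the fact that the upstream unit (with its hardening, per the TODO in src_install) is not shipped. Either install `examples/logrotate.service` after the sed and override `ExecStart=` with a drop-in that points at /usr/share/logrotate/logrotate.conf, or narrow the sed to `examples/logrotate.cron`. `tmpfiles_process ${PN}.conf` and `newtmpfiles ... ${PN}.conf` would also be safer quoted. The `+cron` default together with `cron? ( virtual/cron )` in RDEPEND is presumably inherited from Gentoo; confirm it is intended on a system that enables the systemd timer by default, otherwise rotation may run twice.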


@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription lang="en">
Logrotate allows for the automatic rotation compression, removal
and mailing of log files. Logrotate can be set to handle a log
file daily, weekly, monthly or when the log file gets to a certain
size.
</longdescription>
<longdescription lang="es">
Logrotate permite la rotación, compresión, eliminación y
notificación por correo electrónico de forma automática de ficheros
de registro (logs). Logrotate se puede configurar para gestionar
estos ficheros diariamente, semanalmente, mensualmente o cuando
su tamaño alcanza cierto valor.
</longdescription>
<use>
<flag name="acl">Installs acl support</flag>
<flag name="cron">Installs cron file</flag>
<flag name="selinux">Installs Security Enhanced Linux support</flag>
</use>
<upstream>
<remote-id type="github">logrotate/logrotate</remote-id>
<remote-id type="cpe">cpe:/a:logrotate_project:logrotate</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1 @@
mayday-9999.ebuild


@ -0,0 +1,35 @@
# Copyright (c) 2015 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/mayday"
CROS_WORKON_LOCALNAME="mayday"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/mayday"
inherit coreos-go cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="9de08c8f9f4360fe52cb3a56a7fb8f4bc4e75dcc" # flatcar-master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="mayday"
HOMEPAGE="https://github.com/flatcar/mayday"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_compile() {
COREOS_GO_MOD=vendor go_build "${COREOS_GO_PACKAGE}"
}
src_install() {
newbin ${GOBIN}/mayday mayday
insinto /usr/share/mayday
doins "${S}/default.json"
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
sdnotify-proxy-9999.ebuild


@ -0,0 +1,31 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="kinvolk/sdnotify-proxy"
CROS_WORKON_LOCALNAME="sdnotify-proxy"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/coreos/sdnotify-proxy"
COREOS_GO_GO111MODULE="off"
inherit coreos-go cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="0f8ef1aa86c59fc6d54eadaffb248feaccd1018b" # master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="sdnotify-proxy"
HOMEPAGE="https://github.com/coreos/sdnotify-proxy"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_install() {
# Put sdnotify-proxy into its well-know location.
exeinto /usr/libexec
doexe ${GOBIN}/sdnotify-proxy
}


@ -0,0 +1,2 @@
DIST sudo-1.9.12p2.tar.gz 4909431 BLAKE2B 79eac710b757acae7aa98e6e6f495a475e5236be456e4687fb1441345ee296672ff80a5a60902cffcd257aa81a01fbc3857f3c52e51bb46f56c060fd299e0c05 SHA512 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45
DIST sudo-1.9.12p2.tar.gz.sig 566 BLAKE2B fa679038c33d2bf1476b56944872d3a18b66bf5c5fb2e660d1f8777cdb209928912ddd8d89d878bd2218df3acd1e7fee5aa850e8d01a1cfac6ab310c788149fa SHA512 0b2f10488c44bfcd94eed97002865d89f4a03a92ef3b890fac3121ef0f9e6c55387771ddead1a94dc92d85c35e3d28b4730f35cdc2aafb51128594555ea29876


@ -0,0 +1,8 @@
## Flatcar changes
- Remove Perl Runtime Dependency
- Remove OpenLDAP schema files for sudo
```
insinto /etc/openldap/schema
newins doc/schema.OpenLDAP sudo.schema
```
- Remove sudo.conf file as it is shipped via baselayout


@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription lang="en">
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all)
commands as root or another user while logging the commands and
arguments.
</longdescription>
<use>
<flag name="gcrypt">Use message digest functions from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's</flag>
<flag name="offensive">Let sudo print insults when the user types the wrong password</flag>
<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
<flag name="sssd">Add System Security Services Daemon support</flag>
<flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
<remote-id type="github">sudo-project/sudo</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,291 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit pam libtool tmpfiles toolchain-funcs
MY_P="${P/_/}"
MY_P="${MY_P/beta/b}"
DESCRIPTION="Allows users or groups to run commands as other users"
HOMEPAGE="https://www.sudo.ws/"
if [[ ${PV} == 9999 ]] ; then
inherit mercurial
EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
else
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
inherit verify-sig
uri_prefix=
case ${P} in
*_beta*|*_rc*) uri_prefix=beta/ ;;
esac
SRC_URI="
https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
verify-sig? (
https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
)
"
if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~sparc-solaris"
fi
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
fi
S="${WORKDIR}/${MY_P}"
# Basic license is ISC-style as-is, some files are released under
# 3-clause BSD license
LICENSE="ISC BSD"
SLOT="0"
IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
DEPEND="
sys-libs/zlib:=
virtual/libcrypt:=
gcrypt? ( dev-libs/libgcrypt:= )
ldap? (
>=net-nds/openldap-2.1.30-r1:=
sasl? (
dev-libs/cyrus-sasl
net-nds/openldap:=[sasl]
)
)
pam? ( sys-libs/pam )
sasl? ( dev-libs/cyrus-sasl )
selinux? ( sys-libs/libselinux )
skey? ( >=sys-auth/skey-1.1.5-r1 )
ssl? ( dev-libs/openssl:0= )
sssd? ( sys-auth/sssd[sudo] )
"
#Flatcar: Remove Perl runtime dependency
# ldap? ( dev-lang/perl )
RDEPEND="
${DEPEND}
>=app-misc/editor-wrapper-3
virtual/editor
pam? ( sys-auth/pambase )
selinux? ( sec-policy/selinux-sudo )
sendmail? ( virtual/mta )
"
BDEPEND+="
sys-devel/bison
virtual/pkgconfig
"
REQUIRED_USE="
?? ( pam skey )
?? ( gcrypt ssl )
"
MAKEOPTS+=" SAMPLES="
src_prepare() {
default
elibtoolize
}
set_secure_path() {
# First extract the default ROOTPATH from build env
SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
case "${SECURE_PATH}" in
*/usr/sbin*)
;;
*)
SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
;;
esac
if [[ -z ${SECURE_PATH} ]] ; then
ewarn " Failed to detect SECURE_PATH, please report this"
fi
# Then remove duplicate path entries
cleanpath() {
local newpath thisp IFS=:
for thisp in $1 ; do
if [[ :${newpath}: != *:${thisp}:* ]] ; then
newpath+=:${thisp}
else
einfo " Duplicate entry ${thisp} removed..."
fi
done
SECURE_PATH=${newpath#:}
}
cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
# Finally, strip gcc paths, bug #136027
rmpath() {
local e newpath thisp IFS=:
for thisp in ${SECURE_PATH} ; do
for e ; do
[[ ${thisp} == ${e} ]] && continue 2 ;
done
newpath+=:${thisp}
done
SECURE_PATH=${newpath#:}
}
rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
}
src_configure() {
local SECURE_PATH
set_secure_path
# bug #767712
tc-export PKG_CONFIG
# - audit: somebody got to explain me how I can test this before I
# enable it.. - Diego
# - plugindir: autoconf code is crappy and does not delay evaluation
# until `make` time, so we have to use a full path here rather than
# basing off other values.
local myeconfargs=(
# We set all of the relevant options by ourselves (patched
# into the toolchain) and setting these in the build system
# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
# (it'll downgrade to =2). So, this has no functional effect on
# the hardening for users. It's safe.
--disable-hardening
# requires some python eclass
--disable-python
--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
--enable-zlib=system
--with-editor="${EPREFIX}"/usr/libexec/editor
--with-env-editor
--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
--with-rundir="${EPREFIX}"/run/sudo
--with-vardir="${EPREFIX}"/var/db/sudo
--without-linux-audit
--without-opie
$(use_enable gcrypt)
$(use_enable nls)
$(use_enable sasl)
$(use_enable ssl openssl)
$(use_with ldap)
$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
$(use_with offensive insults)
$(use_with offensive all-insults)
$(use_with pam)
$(use_with pam pam-login)
$(use_with secure-path secure-path "${SECURE_PATH}")
$(use_with selinux)
$(use_with sendmail)
$(use_with skey)
$(use_with sssd)
)
econf "${myeconfargs[@]}"
}
src_install() {
default
if use ldap ; then
dodoc README.LDAP.md
cat <<-EOF > "${T}"/ldap.conf.sudo
# See ldap.conf(5) and README.LDAP.md for details
# This file should only be readable by root
# supported directives: host, port, ssl, ldap_version
# uri, binddn, bindpw, sudoers_base, sudoers_debug
# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
EOF
if use sasl ; then
cat <<-EOF >> "${T}"/ldap.conf.sudo
# SASL directives: use_sasl, sasl_mech, sasl_auth_id
# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
EOF
fi
insinto /etc
doins "${T}"/ldap.conf.sudo
fperms 0440 /etc/ldap.conf.sudo
#Flatcar: we don't ship OpenLDAP schemas
fi
if use pam ; then
pamd_mimic system-auth sudo auth account session
pamd_mimic system-auth sudo-i auth account session
fi
keepdir /var/db/sudo/lectured
fperms 0700 /var/db/sudo/lectured
# bug #652958
fperms 0711 /var/db/sudo
# Don't install into /run as that is a tmpfs most of the time
# (bug #504854)
rm -rf "${ED}"/run || die
# bug #697812
find "${ED}" -type f -name "*.la" -delete || die
# Flatcar: Remove sudo.conf as it is shipped via baselayout
rm "${ED}/etc/sudo.conf" || die
}
pkg_postinst() {
tmpfiles_process sudo.conf
# bug #652958
local sudo_db="${EROOT}/var/db/sudo"
if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
chmod 711 "${sudo_db}" || die
fi
if use ldap ; then
ewarn
ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
ewarn
if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
ewarn "configured in ${ROOT}/etc/nsswitch.conf."
ewarn
ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
ewarn " sudoers: ldap files"
ewarn
fi
fi
if use prefix ; then
ewarn
ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
ewarn "with root privileges, as follows:"
ewarn
ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
ewarn
fi
elog "To use the -A (askpass) option, you need to install a compatible"
elog "password program from the following list. Starred packages will"
elog "automatically register for the use with sudo (but will not force"
elog "the -A option):"
elog ""
elog " [*] net-misc/ssh-askpass-fullscreen"
elog " net-misc/x11-ssh-askpass"
elog ""
elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
elog "variable to the program you want to use."
}
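Review bot: The secure_path baked in by `$(use_with secure-path secure-path "${SECURE_PATH}")` is computed in set_secure_path from `${EPREFIX}/etc/profile.env` of the environment running the build, so when this is built inside the SDK chroot the target's sudo inherits whatever ROOTPATH/PATH entries that chroot had (plus the hard-coded `/opt/bin`), not a value chosen for the image. Since secure_path is the boundary deciding which binaries a sudoer reaches by bare name, I would either pin it for Flatcar or at least surface the final value in the build log with `einfo "sudo secure_path: ${SECURE_PATH}"` just before econf. Whether the SDK's profile.env actually differs from the target's cannot be determined from this hunk.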


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
toolbox-9999.ebuild


@ -0,0 +1,28 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/toolbox"
CROS_WORKON_LOCALNAME="toolbox"
CROS_WORKON_REPO="https://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="9695c9b42036ac958fae10a6268f95ae5c3fcc2b" # flatcar-master
KEYWORDS="amd64 arm64"
fi
inherit cros-workon
DESCRIPTION="toolbox"
HOMEPAGE="https://github.com/flatcar/toolbox"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_install() {
dobin ${S}/toolbox
}
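Review bot: `dobin ${S}/toolbox` leaves `${S}` unquoted; a space in the portage temp dir is unlikely, but the rest of this tree quotes such paths and `dobin "${S}/toolbox"` costs nothing. The `SRC_URI=""` and `IUSE=""` assignments are no-ops for a cros-workon ebuild and could be dropped, and the copyright line carries a doubled period ("Inc..").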


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
updateservicectl-9999.ebuild


@ -0,0 +1,32 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/updateservicectl"
CROS_WORKON_LOCALNAME="updateservicectl"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/updateservicectl"
COREOS_GO_GO111MODULE="on"
inherit cros-workon coreos-go
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="446f13594465503a3fdfc9106fd8a0c3123249c2" # main
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="CoreUpdate Management CLI"
HOMEPAGE="https://github.com/flatcar/updateservicectl"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
RDEPEND="!app-admin/updatectl"
src_prepare() {
coreos-go_src_prepare
GOPATH+=":${S}/Godeps/_workspace"
}
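Review bot: `GOPATH+=":${S}/Godeps/_workspace"` in src_prepare is GOPATH-mode vendoring, but the ebuild sets `COREOS_GO_GO111MODULE="on"`, under which the go tool resolves dependencies from go.mod/vendor and ignores GOPATH additions, so one of the two is dead. If the pinned commit ships a go.mod (not visible from here), the GOPATH line and the src_prepare override with it can go; if it only has Godeps, module mode will try to fetch dependencies from the network inside the build sandbox. Whichever applies, a one-line comment stating which dependency mechanism the pinned commit uses would stop the next bump from guessing.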


@ -0,0 +1,33 @@
#!/bin/bash
set -e
bin=${0##*/}
seal=/run/metadata/torcx
if [ -z "${bin}" ]
then
echo 'Failed to determine the executed program name.' 1>&2
exit 1
fi
if [ -s "${seal}" ]
then
. "${seal}"
else
echo "The program ${bin} is managed by torcx, which did not run." 1>&2
exit 1
fi
if [ -z "${TORCX_BINDIR-}" ]
then
echo "The torcx seal file ${seal} is invalid." 1>&2
exit 1
fi
if [ ! -x "${TORCX_BINDIR}/${bin}" ]
then
echo "The current torcx profile did not install a ${bin} program." 1>&2
exit 1
fi
PATH="${TORCX_BINDIR}${PATH:+:${PATH}}" exec "${TORCX_BINDIR}/${bin}" "$@"
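Review bot: `. "${seal}"` executes /run/metadata/torcx as shell code in the invoking user's context, so the wrapper's safety rests on that file being writable only by root, which nothing here checks or documents. If the seal is plain `KEY=VALUE` lines, reading the one value without evaluating the file removes that dependency: `TORCX_BINDIR=$(sed -n 's/^TORCX_BINDIR=//p' "${seal}")`; otherwise a comment above the source line stating that the file is written by torcx-generator as root and therefore trusted would make the assumption explicit. The seal's exact format is not visible in this hunk, so the sed form needs checking against what torcx-generator emits.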


@ -0,0 +1,11 @@
{
"kind": "profile-manifest-v0",
"value": {
"images": [
{
"name": "docker",
"reference": "com.coreos.cl"
}
]
}
}


@ -0,0 +1,41 @@
#!/bin/bash
# Wrapper for launching docker daemons with selinux default on
# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
# for backwards compatibility.
set -e
parse_docker_args() {
local flag
while [[ $# -gt 0 ]]; do
flag="$1"
shift
# treat --flag=foo and --flag foo identically
if [[ "${flag}" == *=* ]]; then
set -- "${flag#*=}" "$@"
flag="${flag%=*}"
fi
case "${flag}" in
--selinux-enabled)
ARG_SELINUX="$1"
shift
;;
*)
# ignore everything else
;;
esac
done
}
parse_docker_args "$@"
USE_SELINUX=""
# Do not override selinux if it is already explicitly configured.
if [[ -z "${ARG_SELINUX}" ]]; then
# If unspecified, default off
USE_SELINUX="--selinux-enabled=false"
fi
exec dockerd "$@" ${USE_SELINUX}
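Review bot: In parse_docker_args the `--selinux-enabled` branch stores `ARG_SELINUX="$1"`, so a bare `--selinux-enabled` given as the last argument (dockerd accepts the boolean flag without a value) leaves ARG_SELINUX empty and the wrapper then appends `--selinux-enabled=false`, which comes later on the command line and overrides the caller's explicit request. Since the value is only ever tested for emptiness, record presence rather than the next word: `--selinux-enabled) ARG_SELINUX=explicit ;;` with no shift. `ARG_SELINUX` should also be initialised to empty before parse_docker_args runs so an inherited environment variable cannot satisfy the test.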


@ -0,0 +1,7 @@
[Unit]
Description=Verify torcx succeeded
DefaultDependencies=no
AssertPathExists=/run/metadata/torcx
[Install]
WantedBy=basic.target


@ -0,0 +1,11 @@
{
"kind": "profile-manifest-v0",
"value": {
"images": [
{
"name": "docker",
"reference": "com.coreos.cl"
}
]
}
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
torcx-9999.ebuild


@ -0,0 +1,58 @@
# Copyright (c) 2017-2018 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/torcx"
CROS_WORKON_LOCALNAME="torcx"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/torcx"
COREOS_GO_GO111MODULE="off"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="3e7173395658a7e43ec0cb0dd2077795931d857f" # flatcar-master
KEYWORDS="amd64 arm64"
fi
inherit coreos-go cros-workon systemd
DESCRIPTION="torcx is a boot-time addon manager for immutable systems"
HOMEPAGE="https://github.com/flatcar/torcx"
LICENSE="Apache-2.0"
SLOT="0"
src_compile() {
CGO_ENABLED=0 go_export
${EGO} build -v \
-p "$(makeopts_jobs)" \
-ldflags "-X ${COREOS_GO_PACKAGE}/pkg/version.VERSION=${PV}" \
-o "bin/${ARCH}/torcx" \
-tags containers_image_openpgp \
"${COREOS_GO_PACKAGE}"
}
src_install() {
local generatordir=/usr/lib/systemd/system-generators
local vendordir=/usr/share/torcx
local libcoreosdir=/usr/lib/flatcar
# Install generator and userland.
exeinto "${generatordir}"
newexe "${S}/bin/${ARCH}/torcx" torcx-generator
dosym ../systemd/system-generators/torcx-generator "${libcoreosdir}/torcx"
systemd_dounit "${FILESDIR}/torcx.target"
insinto "${vendordir}/profiles"
doins "${FILESDIR}/docker-1.12-no.json"
doins "${FILESDIR}/vendor.json"
dodir "${vendordir}/store"
# Preserve program paths for torcx packages.
newbin "${FILESDIR}/compat-wrapper.sh" docker
for link in {docker-,}{containerd{,-shim},runc} ctr docker-{init,proxy} dockerd tini
do ln -fns docker "${ED}/usr/bin/${link}"
done
exeinto /usr/lib/flatcar
newexe "${FILESDIR}/dockerd-wrapper.sh" dockerd
}
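Review bot: The `ln -fns docker "${ED}/usr/bin/${link}"` loop writes into ${ED} directly with no `|| die`, so a failed link would not abort the build, and `link` is not declared `local`. `dosym docker "/usr/bin/${link}"` does the same through the package manager, dies on error, and matches how the torcx-generator symlink above is created. The one-line change is the loop body: `do dosym docker "/usr/bin/${link}"`.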


@ -0,0 +1,2 @@
DIST syft-0.51.0-deps.tar.xz 632084588 BLAKE2B f9b3e4e41521c25b6e338f2b8f3bba0be08e7608d95de7dba6f5f104e22b8de8a4b419e574e19634099a3bbc55556f83949c68abd5ae52d14b5e97cb9306bf22 SHA512 819236c275762cc42c60339ee2d6886f0998f34609ab0bbef3150b23fbcf3cecaea63d92f6e2e161bf3ec30edae00ef467755900fd1c98389db2f9cd8113fbf4
DIST syft-0.51.0.tar.gz 3727474 BLAKE2B ae9f54f421faa530aabbbadd985071f603ccaa32c6cd5f0dd400ea9163a218e8ddd5e7035042a7eda6cd06910ce96ae0f42b7422c932992fad812431a42ac059 SHA512 fb844a76d3f3f303e781cea40ac6fb573927f6465a39da10fe9cffeb08ce7b1e8b8ed4acb219206e53159f802eaa12dce73ce5bc3b868f6f4270a30498b6b767


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
</pkgmetadata>


@ -0,0 +1,24 @@
# Copyright 2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module
DESCRIPTION="Generate a Software Bill of Materials from container images and filesystems"
HOMEPAGE="https://www.anchore.com"
SRC_URI="https://github.com/anchore/syft/archive/v${PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-deps.tar.xz"
LICENSE="Apache-2.0"
SLOT="0"
# Flatcar: keyword for arm64 and amd64
KEYWORDS="amd64 arm64"
src_compile() {
# Flatcar: add ldflags to set version
ego build -o bin/syft -ldflags "-X github.com/anchore/syft/internal/version.version=${PV}" ./cmd/syft
}
src_install() {
dobin bin/*
}


@ -0,0 +1,2 @@
DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2


@ -0,0 +1,33 @@
From e3bdb7d17264b8d5bd9abab97c96d9c4a50e4f61 Mon Sep 17 00:00:00 2001
From: Kristian Fiskerstrand <kf@sumptuouscapital.com>
Date: Mon, 3 Apr 2017 23:44:56 +0300
Subject: [PATCH] gpgscm: Use shorter socket path lengts to improve test
reliability
--
As socket lengths are normally restricted to 108 characters
(UNIX_PATH_MAX variable in /usr/include/linux/un.h), using 42 characters
by default easily results in errors.
---
tests/gpgscm/tests.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm
index 592b36f..f54a387 100644
--- a/tests/gpgscm/tests.scm
+++ b/tests/gpgscm/tests.scm
@@ -273,9 +273,9 @@
(canonical-path (_mkdtemp (if (null? components)
(path-join
(get-temp-path)
- (string-append "gpgscm-" (get-isotime) "-"
+ (string-append "gscm"
(basename-suffix *scriptname* ".scm")
- "-XXXXXX"))
+ "XXXXXX"))
(apply path-join components)))))
;; Make a temporary directory and remove it at interpreter shutdown.
--
2.10.2


@ -0,0 +1,45 @@
https://bugs.gentoo.org/855395
https://marc.info/?l=oss-security&m=165657063921408&w=2
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);


@ -0,0 +1,32 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:43 +0200
Subject: gpg: accept subkeys with a good revocation but no self-sig during
import
* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
encounter a valid revocation signature. This allows import of subkey
revocation signatures, even in the absence of a corresponding subkey
binding signature.
--
This fixes the remaining test in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/g10/import.c b/g10/import.c
index f9acf95..9217911 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
/* It's valid, so is it newer? */
if (sig->timestamp >= rsdate)
{
+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
if (rsnode)
{
/* Delete the last revocation sig since


@ -0,0 +1,106 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.
--
This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 5d3162c..f9acf95 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
- int any_filter = 0;
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
-
- if (!uidnode )
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
- return 0;
- }
-
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
- return 0;
- }
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
- any_filter = 1;
}
if (import_filter.drop_sig)
{
apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
commit_kbnode (&keyblock);
- any_filter = 1;
- }
-
- /* If we ran any filter we need to check that at least one user id
- * is left in the keyring. Note that we do not use log_error in
- * this case. */
- if (any_filter && !any_uid_left (keyblock))
- {
- if (!opt.quiet )
- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
- stats->no_user_id++;
- return 0;
}
/* The keyblock is valid and ready for real import. */
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}
+ else if (err && !any_uid_left (keyblock))
+ {
+ if (!silent)
+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
+ err = 0;
+ stats->no_user_id++;
+ }
else if (err) /* Insert this key. */
{
/* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */


@ -0,0 +1,165 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Flatcar: use EAPI=7, until EAPI 8 could be fully supported
EAPI=7
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
inherit flag-o-matic systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND=">=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.29
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:0= )
tofu? ( >=dev-db/sqlite-3.7 )"
RDEPEND="${DEPEND}
app-crypt/pinentry
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )"
BDEPEND="virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${P}-status-messages-garbled.patch
# Flatcar: the patches below are added only for Flatcar, to address the
# upstream gnupg issue https://dev.gnupg.org/T4393.
"${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
"${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch"
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
src_configure() {
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
econf "${myconf[@]}"
}
src_compile() {
default
use doc && emake -C doc html
}
src_test() {
# bug #638574
use tofu && export TESTFLAGS=--parallel
default
}
src_install() {
default
use tools &&
dobin \
tools/{convert-from-106,gpg-check-pattern} \
tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/* doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}
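Review bot: `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"` names the signature after `${P}` while the tarball is fetched as `${MY_P}.tar.bz2` (MY_P has `_` replaced by `-`), so for any prerelease version the two would not correspond and verification would run against the wrong file; `${MY_P}.tar.bz2.sig` keeps them in step. The two Flatcar-only patches are also referenced by unversioned `${PN}-...` names, so every future bump will pick them up unchanged; given they relax key-import validation (accepting previously known certificates without user IDs), the comment at the PATCHES array should say whether they are still required once upstream's T4393 handling is in, or the filenames should be pinned to the version they were rebased on.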


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<use>
<flag name="smartcard">
Build scdaemon software. Enables usage of OpenPGP cards. For
other type of smartcards, try <pkg>app-crypt/gnupg-pkcs11-scd</pkg>.
Bring in <pkg>dev-libs/libusb</pkg> as a dependency; enable scdaemon.
</flag>
<flag name="usb">
Build direct CCID access for scdaemon; requires <pkg>dev-libs/libusb</pkg>.
</flag>
<flag name="user-socket">
try a socket directory which is not removed by init manager at session end
</flag>
<flag name="tofu">
Enable support for Trust on First use trust model; requires <pkg>dev-db/sqlite</pkg>.
</flag>
<flag name="tools">
Install extra tools (including gpgsplit and gpg-zip).
</flag>
<flag name="tpm">
Enable TPM support via <pkg>app-crypt/tpm2-tss</pkg> and build tpm2d.
</flag>
<flag name="wks-server">
Install the wks-server
</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:gnupg:gnupg</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,11 @@
[Unit]
Description=TPM remote access daemon
Requires=tcsd.service
[Service]
ExecStart=/bin/tpmd 23179
Restart=always
RestartSec=0
[Install]
WantedBy=multi-user.target
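Review bot: `Requires=tcsd.service` pulls tcsd in but does not order tpmd after it (systemd needs an explicit `After=tcsd.service` for that), so tpmd can be started before the TCS daemon is listening, and with `Restart=always` plus `RestartSec=0` a failing start turns into a tight restart loop. Adding `After=tcsd.service` under [Unit] and a non-zero `RestartSec=` addresses both. The unit also starts a TPM access daemon on port 23179 with no bind address visible here; whether tpmd listens on loopback only or on all interfaces should be confirmed and stated in a comment, since anything reachable on that port can drive the TPM through tcsd.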


@ -0,0 +1 @@
go-tspi-9999.ebuild


@ -0,0 +1,31 @@
EAPI=7
inherit coreos-go eutils git-r3 systemd
COREOS_GO_PACKAGE="github.com/coreos/go-tspi"
COREOS_GO_GO111MODULE="off"
EGIT_REPO_URI="https://github.com/coreos/go-tspi.git"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
EGIT_COMMIT="27182e3e7b1dfcfb398b5408a619abc4f652a38b"
KEYWORDS="amd64 arm64"
fi
IUSE=""
LICENSE="Apache-2.0"
SLOT="0"
RDEPEND="app-crypt/trousers"
DEPEND="${RDEPEND}"
src_compile() {
go_build "${COREOS_GO_PACKAGE}/tpmd"
go_build "${COREOS_GO_PACKAGE}/tpmown"
}
src_install() {
dobin ${GOBIN}/*
systemd_dounit "${FILESDIR}"/tpmd.service
}
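Review bot: The ebuild sets no DESCRIPTION or HOMEPAGE, which Portage warns about and which leaves nothing to tell an image builder what tpmd/tpmown are; from the visible build lines something like `DESCRIPTION="Go TSPI bindings with the tpmd and tpmown TPM helper daemons"` and `HOMEPAGE="https://github.com/coreos/go-tspi"` is supportable. `dobin ${GOBIN}/*` should quote the directory, `dobin "${GOBIN}"/*`, and `inherit eutils` looks unused by the functions shown here.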


@ -0,0 +1 @@
DIST p11-kit-0.23.22.tar.xz 830016 BLAKE2B 4e1edfd9e2441d237c07a16c003aee5ffde38f1cf545c26e435645429f2cfa4fe7ca61cdc3c3940390aa040ba991f2ee3995b14cc31bb886d5eeffa8ed5e1721 SHA512 098819e6ca4ad9cc2a0bc2e478aea67354d051a4f03e6c7d75d13d2469b6dc7654f26b15530052f6ed51acb35531c2539e0f971b31e29e6673e857c903afb080


@ -0,0 +1,4 @@
We forked this package to fix the systemd user unit directory and bash
completion directory detection in the cross-compilation scenario.
These fixes could be upstreamed to gentoo.


@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<use>
<flag name="asn1">Enable ASN.1 certificate support</flag>
<flag name="trust">Build the trust policy module</flag>
</use>
<upstream>
<remote-id type="github">p11-glue/p11-kit</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,69 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
# Flatcar: inherit systemd eclass for the systemd user unit directory
# getter, and bash-completion-r1 for bash completion directory getter.
inherit multilib-minimal systemd bash-completion-r1
DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
LICENSE="MIT"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
IUSE="+asn1 debug +libffi systemd +trust"
REQUIRED_USE="trust? ( asn1 )"
RDEPEND="asn1? ( >=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}] )
libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
systemd? ( sys-apps/systemd:= )
trust? ( app-misc/ca-certificates )"
DEPEND="${RDEPEND}"
BDEPEND="virtual/pkgconfig"
pkg_setup() {
# disable unsafe tests, bug#502088
export FAKED_MODE=1
}
src_prepare() {
if [[ ${CHOST} == *-solaris2.* && ${CHOST##*-solaris2.} -lt 11 ]] ; then
# Solaris 10 and before doesn't know about XPG7 (XOPEN_SOURCE=700)
# drop to XPG6 to make feature_tests.h happy
sed -i -e '/define _XOPEN_SOURCE/s/700/600/' common/compat.c || die
# paths.h isn't available, oddly enough also not used albeit included
sed -i -e '/#include <paths.h>/d' trust/test-trust.c || die
# we don't have SUN_LEN here
sed -i -e 's/SUN_LEN \(([^)]\+)\)/strlen (\1->sun_path)/' \
p11-kit/server.c || die
fi
default
}
multilib_src_configure() {
# Flatcar: Override the detection of the systemd user unit
# directory and bash completion directory with these
# environment variables.
local -x systemduserunitdir=$(systemd_get_userunitdir)
local -x bashcompdir=$(get_bashcompdir)
ECONF_SOURCE="${S}" econf \
$(use_enable trust trust-module) \
$(use_with trust trust-paths ${EPREFIX}/etc/ssl/certs/ca-certificates.crt) \
$(use_enable debug) \
$(use_with libffi) \
$(use_with asn1 libtasn1) \
$(multilib_native_use_with systemd)
if multilib_is_native_abi; then
# re-use provided documentation
ln -s "${S}"/doc/manual/html doc/manual/html || die
fi
}
multilib_src_install_all() {
einstalldocs
find "${D}" -name '*.la' -delete || die
}
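Review bot: The Flatcar override in multilib_src_configure exports `systemduserunitdir` and `bashcompdir` and relies on configure honouring them from the environment; if a future p11-kit release renames either variable, the override is silently ignored and the user units land in the build host's directory again, which is the very bug this fork exists to fix. A cheap guard is to assert the result after install, e.g. in multilib_src_install_all: `use systemd && { [[ -d "${ED}$(systemd_get_userunitdir)" ]] || die "user units not installed under $(systemd_get_userunitdir)"; }`. configure.ac is not visible from this hunk, so whether both names are honoured at 0.23.22 should be checked once rather than assumed.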


@ -0,0 +1,2 @@
DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09
DIST sbsigntools-0.9.4.tar.gz 57714 BLAKE2B 94797af6c98a9c13cb71e52ba6f7ff07de70660af2194b14061e0cb618d6effff52ef7a4dd2fd4e44e75f022b979442d4290b1d65d63017b2fbebdca5951c5c9 SHA512 953d3d9a7f92b837da966eabe3572163a29c5292e792d5ef17cf842d7373ffaa901377cb4ec68006a6ef2f9c97d48db8ffdd3a6d2853be67016d3484a118bba9


@ -0,0 +1,15 @@
diff --git a/src/idc.c b/src/idc.c
index 6d87bd4..0a82218 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
--
2.25.1


@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>tamiko@gentoo.org</email>
</maintainer>
<upstream>
<remote-id type="launchpad">ubuntu</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,54 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
MY_PN="${PN::-1}"
inherit autotools toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/"
SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz"
LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
SLOT="0"
KEYWORDS="amd64 arm64 ~x86"
IUSE=""
RDEPEND="
dev-libs/openssl:0=
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
PATCHES=(
"${FILESDIR}"/openssl-3-compat.patch
)
src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed"
local iarch
case ${ARCH} in
amd64) iarch=x86_64 ;;
arm64) iarch=aarch64 ;;
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
# Flatcar change required to compile with OpenSSLv3
sed -i "s/-Werror//g" src/Makefile.am || die
default
eautoreconf
}
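Review bot: `sed -i "s/-Werror//g" src/Makefile.am` drops -Werror entirely to get past OpenSSL 3, which also silences any future genuine warning in the signing code; if the breakage is only OpenSSL 3's deprecation warnings (the accompanying openssl-3-compat.patch suggests the actual API changes were handled separately), the narrower `sed -i "s/-Werror/-Wno-error=deprecated-declarations/g" src/Makefile.am` keeps the remaining warnings fatal. Either way the comment above the line should name the warnings being suppressed. Note also that the seds run before `default`, i.e. before PATCHES are applied; that is fine today because the patch touches src/idc.c, but a future patch to Makefile.am would need to account for the already-edited file.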
