diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
new file mode 100644
index 0000000000..a24662d0ea
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
@@ -0,0 +1,2 @@
+# Unmask selinux so it can be enabled selectively in package.use
+-selinux
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
index aafa196b0c..e69de29bb2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
@@ -1,2 +0,0 @@
-# Do not force this flag, we don't need XATTR_PAX
-sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent
deleted file mode 100644
index 16225a84d6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent
+++ /dev/null
@@ -1 +0,0 @@
-:coreos/amd64/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
index 3d5dc12d3b..952d0233bd 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
@@ -1,6 +1,3 @@
-# Do not force this flag, we don't need XATTR_PAX
-sys-apps/portage -xattr
-
 sys-auth/polkit -introspection
 sys-apps/systemd -introspection
 sys-fs/udev-init-scripts -introspection
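Review bot: The `-selinux` unmask in the new amd64/generic/use.mask only reaches profiles that inherit coreos/amd64/generic, and this same commit deletes amd64/usr/parent, which was the pointer to that directory; if the usr profile (or any other amd64 profile) no longer lists generic as a parent, `selinux` stays masked there and any package.use entry enabling it is silently dropped by portage with nothing more than a masked-flag notice. It is worth confirming every amd64 profile still resolves this file, or placing the unmask one level up in coreos/amd64. The comment would also help if it named what is being undone, e.g. `# Unmask selinux (presumably masked by an inherited upstream profile) so package.use can enable it per package`.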
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
new file mode 100644
index 0000000000..1f68389902
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
@@ -0,0 +1,2 @@
+# TODO(marineam): remove after portage-stable/profiles is updated.
+-seccomp
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent
deleted file mode 100644
index 0989a17981..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent
+++ /dev/null
@@ -1 +0,0 @@
-:coreos/arm64/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 228ca622e9..2244caca68 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -32,16 +32,13 @@ USE="${USE} -zeroconf"
 # No need for OpenMP support in GCC and other apps
 USE="${USE} -openmp"
 
+# Test enabling some flags globally prior to syncing other profile changes.
+# TODO(marineam): remove after portage-stable/profiles is updated.
+USE="${USE} seccomp xattr"
+
 # Set SELinux policy
 POLICY_TYPES="targeted mcs mls"
 
-# Override upstream's python settings
-USE="$USE python_targets_python2_7 python_single_target_python2_7"
-USE="$USE -python_targets_python3_2 -python_single_target_python3_2"
-USE="$USE -python_targets_python3_3 -python_single_target_python3_3"
-BOOTSTRAP_USE="$BOOTSTRAP_USE -python_targets_python3_2"
-BOOTSTRAP_USE="$BOOTSTRAP_USE -python_targets_python3_3"
-
 # Disable packages or optional features with distribution issues.
 ACCEPT_RESTRICT="* -bindist -mirror"
 USE="${USE} bindist"
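Review bot: The comment above the new `USE="${USE} seccomp xattr"` line in base/make.defaults calls this a test, but it is the base profile every image inherits and the commit already depends on it: the explicit `app-emulation/docker seccomp` and `app-emulation/containerd seccomp` entries are dropped from targets/generic/package.use in the same change, so docker's seccomp support now comes only from this line. If the TODO is acted on and the line removed before the synced upstream profile enables seccomp globally, docker silently builds without seccomp filtering. I would state the dependency instead of "test", e.g. `# Enable seccomp and xattr globally; docker/containerd get seccomp from here, so do not drop this` followed by `# until the synced upstream profile enables it itself.`, and keep the TODO line beneath it.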
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 5c27e283ec..732ded3933 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -36,8 +36,9 @@ net-analyzer/nmap ncat -lua
 # removes mta dependencies
 app-admin/sudo -sendmail
 
-# use lzma which is the default on non-gentoo systems
-sys-apps/systemd curl gcrypt lzma -lz4
+# use lzma which is the default on non-gentoo systems, avoid pulling in gnutls
+sys-apps/systemd curl gcrypt lzma -lz4 -ssl
+net-libs/libmicrohttpd -ssl
 
 # disable kernel config detection and module building
 net-firewall/ipset -modules
@@ -79,3 +80,5 @@ dev-cpp/glog gflags
 
 # enable rpc for rpc.rquotad
 sys-fs/quota rpc
+# Don't bother building portage w/xattr, we don't need XATTR_PAX
+sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
index bd6530bb7e..b642673c60 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
@@ -1,2 +1,5 @@
 # Copyright (c) 2014 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
+
+# Do not force this flag, we don't need XATTR_PAX
+sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
index 5fefecaa49..bed2a39fb4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
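Review bot: `sys-apps/systemd curl gcrypt lzma -lz4 -ssl` and `net-libs/libmicrohttpd -ssl` now apply to every profile that inherits base, and as far as I can tell that leaves systemd-journal-remote/-gatewayd (enabled through `http` in targets/generic/package.use) without TLS support, so a journal gateway on these images is plaintext-only unless something in front of it terminates TLS. Avoiding gnutls is a reasonable trade, but the comment records only the dependency motive, and the security consequence should be visible to whoever later exposes the gateway; I would extend it to `# use lzma which is the default on non-gentoo systems; -ssl avoids pulling in gnutls,` followed by `# which leaves journal-gatewayd/journal-remote HTTP-only (terminate TLS elsewhere)`.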
@@ -1,2 +1,10 @@
+# Never enable experimental code
 kdbus
--selinux
+
+# Block python3 for now
+python_targets_python3_3
+python_targets_python3_4
+python_targets_python3_5
+python_single_target_python3_3
+python_single_target_python3_4
+python_single_target_python3_5
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index e6a81f1aac..24bf0ed15e 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
@@ -22,11 +22,11 @@ sys-libs/ncurses minimal
 sys-libs/pam -berkdb
 sys-libs/gdbm berkdb
 
-# enable journal gateway and container features, avoid pulling in gnutls
-sys-apps/systemd audit importd http nat -ssl
+# enable journal gateway and container features
+sys-apps/systemd audit importd http nat
 
 # epoll is needed for systemd-journal-remote to work. coreos/bugs#919
-net-libs/libmicrohttpd epoll -ssl
+net-libs/libmicrohttpd epoll
 
 sys-boot/syslinux -custom-cflags
 
@@ -41,7 +41,8 @@ app-shells/bash -net vanilla
 # disable nss utilities
 dev-libs/nss -utils
 
-# enable seccomp support in docker
-app-emulation/docker seccomp
-app-emulation/containerd seccomp
+# needed by docker
 sys-libs/libseccomp static-libs
+
+# bind-tools' configure script breaks when cross-compiling with seccomp enabled
+net-dns/bind-tools -seccomp
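Review bot: Dropping `-selinux` from base/use.mask moves the unmask to amd64/generic only; the arm64 side of this commit adds `-seccomp` to arm64/use.mask but no `-selinux`, so unless some other arm64 profile file provides it, `selinux` ends up masked on arm64 and cannot be enabled selectively in package.use the way the amd64 comment intends. If that is deliberate it should be stated in the amd64/generic comment; otherwise add `-selinux` to arm64/use.mask too. The new `# Block python3 for now` comment would also be more useful if it said what the block is waiting on (a tracking issue or the condition for lifting it), since "for now" gives the next maintainer nothing to check.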
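Review bot: Removing `app-emulation/docker seccomp` and `app-emulation/containerd seccomp` makes docker's seccomp filtering depend entirely on the global `USE="${USE} seccomp xattr"` in base/make.defaults, which the same commit marks as TODO-remove, and the `# needed by docker` comment left on the libseccomp line no longer explains why the per-package flags went away. I would keep the explicit entries as belt-and-braces, since they are harmless while the global flag is set and protect against its removal: `# keep seccomp explicit for docker even though it is enabled globally` / `app-emulation/docker seccomp` / `app-emulation/containerd seccomp`. The new `net-dns/bind-tools -seccomp` also applies to native builds, not only cross-compiles; if the breakage is purely a cross-compile issue, the comment should say this is a build-time workaround to be reverted once configure is fixed (citing the upstream bug if one exists), so it is not read later as a deliberate decision to run bind-tools without seccomp.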