Merge pull request #2835 from flatcar/chewi/pre-dracut

Various changes in preparation for upgrading Dracut
James Le Cuirot 2025-04-22 14:24:25 +01:00 committed by GitHub
commit 8fae246f25
18 changed files with 1069 additions and 169 deletions


@ -19,18 +19,18 @@ skip_packages_default="dev-lang/rust,dev-lang/rust-bin,dev-lang/go,dev-lang/go-b
# Developer-visible flags.
DEFINE_string board "${DEFAULT_BOARD}" \
"The board to build packages for."
DEFINE_string skip_packages "${skip_packages_default[@]}" \
DEFINE_string skip_packages "${skip_packages_default}" \
"Comma-separated list of packages in the dependency tree to skip."
DEFINE_boolean pretend "${FLAGS_FALSE}" \
"List packages that would be built but do not actually build."
"List packages that would be built but do not actually build."
FLAGS_HELP="usage: $(basename $0) [flags] [packages]
FLAGS_HELP="usage: $(basename "$0") [flags] [packages]
build_dev_binpkgs builds binary packages for all dependencies of [packages]
that are not present in '/build/<board>/var/lib/portage/pkgs/'.
Useful for publishing a complete set of packages to a binhost.
[packages] defaults to '${packages_default}' if not specified.
[packages] defaults to '${packages_default[*]}' if not specified.
"
# Parse command line
@ -46,43 +46,42 @@ fi
# --
function my_board_emerge() {
PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
}
# --
pkg_build_list="$(mktemp)"
pkg_skipped_list="${pkg_build_list}-skip"
trap 'rm -f "${pkg_build_list}" "${pkg_skipped_list}"' EXIT
pkg_build_list=()
pkg_skipped_list=()
info "Collecting list of binpkgs to build"
my_board_emerge --pretend --emptytree ${@} \
| grep '\[ebuild' \
| sed 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/' \
| while read pkg; do
if [ -f "/build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2" ] ; then
continue
fi
skip=""
for s in ${FLAGS_skip_packages//,/ }; do
if [[ ${pkg} = ${s}-* ]] ; then
echo -n "${pkg} " >> "${pkg_skipped_list}"
skip="true"
break
# Normally, BDEPENDs are only installed to the SDK, but the point of this script
# is to install them to the board root because the dev container uses a board
# profile. This is easily achieved using --root-deps. Since it is still the SDK
# doing the building, which might have different package versions available to
# the board profile, we have to be careful not to include SDK BDEPENDs in the
# list of binary packages to publish, hence the sed call.
while read -r pkg; do
[[ -f /build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2 ]] && continue
IFS=,
for s in ${FLAGS_skip_packages}; do
if [[ ${pkg} == ${s}-* ]] ; then
pkg_skipped_list+=("${pkg}")
continue 2
fi
done
[[ -z ${skip} ]] || continue
echo "=${pkg}" | tee -a "${pkg_build_list}" | sed 's/^/ /'
done
unset IFS
pkg_build_list+=("=${pkg}")
echo " =${pkg}"
done < <(my_board_emerge --pretend --emptytree --root-deps "${@}" |
sed -n "/\[ebuild .* to \/build\/${FLAGS_board}\/ /s/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/p")
# --
if [ -f "${pkg_skipped_list}" ] ; then
info "Skipping binpkgs '$(cat "${pkg_skipped_list}")' because these are in the skip list."
if [[ ${#pkg_skipped_list[@]} -gt 0 ]]; then
info "Skipping binpkgs '${pkg_skipped_list[*]}' because these are in the skip list."
fi
pretend=""
if [[ "${FLAGS_pretend}" -eq "${FLAGS_TRUE}" ]]; then
pretend="--pretend"
fi
[[ ${FLAGS_pretend} -eq ${FLAGS_TRUE} ]] && pretend="--pretend"
my_board_emerge --buildpkg ${pretend} $(cat "${pkg_build_list}")
my_board_emerge --buildpkg ${pretend} "${pkg_build_list[@]}"
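Review bot: The `IFS=,` set at the top of the loop body is process-global, and the `continue 2` taken after a skip-list match bypasses the `unset IFS` further down, so the next `read -r pkg` runs with IFS still set to a comma; with a single target variable that only trims leading or trailing commas, which package atoms never carry, but it is fragile and easy to break later. Splitting the list once before the loop removes both the global mutation and the reset: `IFS=, read -ra skip_pkgs <<<"${FLAGS_skip_packages}"` ahead of `while read -r pkg; do`, then `for s in "${skip_pkgs[@]}"; do` in place of the `IFS=,`/`for s in ${FLAGS_skip_packages}` pair, and drop the `unset IFS` (an empty skip list then needs bash 4.4+ if the script runs under `set -u`). The match `[[ ${pkg} == ${s}-* ]]` deliberately leaves `${s}` unquoted so it acts as a glob, which is unchanged from the old loop; a one-line comment saying so would save the next ShellCheck reader a question.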


@ -7,51 +7,35 @@
# This will create one or more out-dir/rootfs-N directories that contain the contents of the initramfs.
set -euo pipefail
# check for unzstd. Will abort the script with an error message if the tool is not present.
unzstd -V >/dev/null
# check for xzcat. Will abort the script with an error message if the tool is not present.
xzcat -V >/dev/null
fail() {
echo "${*}" >&2
exit 1
}
# Stolen from extract-vmlinux and modified.
try_decompress() {
local header="${1}"
local no_idea="${2}"
local tool="${3}"
local image="${4}"
local tmp="${5}"
local output_basename="${6}"
local pos
local tool_filename=$(echo "${tool}" | cut -f1 -d' ')
# The obscure use of the "tr" filter is to work around older versions of
# "grep" that report the byte offset of the line instead of the pattern.
# Try to find the header and decompress from here.
for pos in $(tr "${header}\n${no_idea}" "\n${no_idea}=" < "${image}" |
grep --text --byte-offset --only-matching "^${no_idea}")
do
pos=${pos%%:*}
# Disable error handling, because we will be potentially
# giving the tool garbage or a valid archive with some garbage
# appended to it. So let the tool extract the valid archive
# and then complain about the garbage at the end, but don't
# fail the script because of it.
set +e; tail "-c+${pos}" "${image}" | "${tool}" >"${tmp}/out" 2>/dev/null; set -e;
if [ -s "${tmp}/out" ]; then
mv "${tmp}/out" "${output_basename}-${tool_filename}-at-${pos}"
else
rm -f "${tmp}/out"
fi
done
find_xz_headers() {
grep --fixed-strings --text --byte-offset --only-matching $'\xFD\x37\x7A\x58\x5A\x00' "$1" | cut -d: -f1
}
try_unzstd_decompress() {
local image="${1}"
local tmp="${2}"
local output_basename="${3}"
try_decompress '(\265/\375' xxx unzstd "${image}" "${tmp}" "${output_basename}"
decompress_at() {
# Data may not really be a valid xz, so allow for errors.
tail "-c+$((${2%:*} + 1))" "$1" | xzcat 2>/dev/null || true
}
try_extract() {
# cpio can do strange things when given garbage, so do a basic check.
[[ $(head -c6 "$1") == 070701 ]] || return 0
# There may be multiple concatenated archives so try cpio till it fails.
while cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' 2>/dev/null; do
ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
done < "$1"
# Last cpio attempt may or may not leave an empty directory.
rmdir "${out}/rootfs-${ROOTFS_IDX}" 2>/dev/null || ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
}
me="${0##*/}"
@ -65,37 +49,22 @@ if [[ ! -s "${image}" ]]; then
fi
mkdir -p "${out}"
tmp=$(mktemp --directory /tmp/eifv-XXXXXX)
trap "rm -rf ${tmp}" EXIT
tmp_dec="${tmp}/decompress"
mkdir "${tmp_dec}"
fr_prefix="${tmp}/first-round"
tmp=$(mktemp --directory eifv-XXXXXX)
trap 'rm -rf -- "${tmp}"' EXIT
ROOTFS_IDX=0
perform_round() {
local image="${1}"
local tmp_dec="${2}"
local round_prefix="${3}"
try_unzstd_decompress "${image}" "${tmp_dec}" "${round_prefix}"
for rnd in "${round_prefix}"*; do
if [[ $(file --brief "${rnd}") =~ 'cpio archive' ]]; then
mkdir -p "${out}/rootfs-${ROOTFS_IDX}"
# On Linux 6.10, the first rootfs is an extra ghost rootfs of 336K, that has a corrupted CPIO
cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' < $rnd || true
ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
fi
done
}
shopt -s nullglob
perform_round "${image}" "${tmp_dec}" "${fr_prefix}"
for fr in "${fr_prefix}"*; do
fr_files="${fr}-files"
fr_dec="${fr_files}/decompress"
mkdir -p "${fr_dec}"
sr_prefix="${fr_files}/second-round"
perform_round "${fr}" "${fr_dec}" "${sr_prefix}"
# arm64 kernels are not compressed, so try decompressing once.
# Other kernels are compressed, so also try decompressing twice.
for OFF1 in $(find_xz_headers "${image}")
do
decompress_at "${image}" "${OFF1}" > "${tmp}/initrd.maybe_cpio_or_elf"
try_extract "${tmp}/initrd.maybe_cpio_or_elf"
for OFF2 in $(find_xz_headers "${tmp}/initrd.maybe_cpio_or_elf")
do
decompress_at "${tmp}/initrd.maybe_cpio_or_elf" "${OFF2}" > "${tmp}/initrd.maybe_cpio"
try_extract "${tmp}/initrd.maybe_cpio"
done
done
if [[ ${ROOTFS_IDX} -eq 0 ]]; then
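Review bot: In find_xz_headers the trailing `\x00` of the `$'\xFD\x37\x7A\x58\x5A\x00'` pattern cannot reach grep, because a shell word ends at the first NUL byte, so the search effectively matches the five-byte prefix of the xz magic; this is tolerable because decompress_at swallows xzcat errors and try_extract re-checks the cpio magic, but it should be stated rather than left looking like a six-byte match: `# argv cannot carry NUL, so only the first 5 magic bytes are matched; false hits are filtered downstream`. Separately, try_extract's `== 070701` test admits only newc archives, so a crc-format (070702) initramfs, should one ever be fed in, would be silently skipped with no rootfs extracted; `[[ $(head -c6 "$1") =~ ^07070[12]$ ]]` widens it, or at least the comment above it should name the accepted format. Both functions are defined in the first hunk of this file; the nested loops at the end of the second hunk are their only visible callers, and the `if` on the last line continues past the hunk.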


@ -0,0 +1 @@
- The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.


@ -0,0 +1,2 @@
# Temporarily put the SDK version ahead for sd-json support in Dracut.
=sys-apps/systemd-257.5 ~amd64 ~arm64


@ -1 +1,2 @@
DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681
DIST systemd-257.5.tar.gz 16232112 BLAKE2B 142baef9b09217ea117ac09923604f7520a36d4c63cf04a78d1c4fbf7b057b977f5c77418168c0308a8dc6b48ccc6324438f30c87de8642e8e9cf12b47f90475 SHA512 9e5352c20c9edac53f302a534532035185139998628ed0a85411f440df47f1dd7cce6651aec787484809bb1aa2825008d062714c37936cbfd08451fbe29a998f


@ -0,0 +1,92 @@
From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 16 Dec 2022 16:28:26 +0530
Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
This is to work around a SELinux denial that happens when setting up standard
input for serial consoles (which is used for SSH connections).
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
units/console-getty.service.in | 4 +---
units/container-getty@.service.in | 4 +---
units/getty@.service.in | 4 +---
units/serial-getty@.service.in | 4 +---
4 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/units/console-getty.service.in b/units/console-getty.service.in
index 33e6368db1..1f2d8b910f 100644
--- a/units/console-getty.service.in
+++ b/units/console-getty.service.in
@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with '--' for
# safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
Type=idle
Restart=always
UtmpIdentifier=cons
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/console
TTYReset=yes
TTYVHangup=yes
diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
index 7573532d6d..5f27653d1f 100644
--- a/units/container-getty@.service.in
+++ b/units/container-getty@.service.in
@@ -27,13 +27,11 @@ Before=rescue.service
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with '--' for
# safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=pts/%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/pts/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/getty@.service.in b/units/getty@.service.in
index f30bba406d..1819627d1c 100644
--- a/units/getty@.service.in
+++ b/units/getty@.service.in
@@ -36,13 +36,11 @@ ConditionPathExists=/dev/tty0
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with '--' for
# safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
index 20a5eb2754..ba4cbc0edb 100644
--- a/units/serial-getty@.service.in
+++ b/units/serial-getty@.service.in
@@ -32,12 +32,10 @@ Before=rescue.service
[Service]
# The '-o' option value tells agetty to replace 'login' arguments with '--' for
# safety, and then the entered username.
-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
Type=idle
Restart=always
UtmpIdentifier=%I
-StandardInput=tty
-StandardOutput=tty
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes


@ -0,0 +1,769 @@
# Copyright 2011-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{10..13} )
# Avoid QA warnings
TMPFILES_OPTIONAL=1
UDEV_OPTIONAL=1
QA_PKGCONFIG_VERSION=$(ver_cut 1)
if [[ ${PV} == 9999 ]]; then
EGIT_REPO_URI="https://github.com/systemd/systemd.git"
inherit git-r3
else
MY_PV=${PV/_/-}
MY_P=${PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz"
if [[ ${PV} != *rc* ]] ; then
# Flatcar: mark as stable
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi
fi
inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1
inherit secureboot systemd tmpfiles toolchain-funcs udev
DESCRIPTION="System and service manager for Linux"
HOMEPAGE="https://systemd.io/"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
IUSE="
acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils
fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod
+lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd
"
REQUIRED_USE="
${PYTHON_REQUIRED_USE}
dns-over-tls? ( || ( gnutls openssl ) )
fido2? ( cryptsetup openssl )
homed? ( cryptsetup pam openssl )
importd? ( curl lzma || ( gcrypt openssl ) )
pwquality? ( homed )
boot? ( kernel-install )
ukify? ( boot )
"
RESTRICT="!test? ( test )"
MINKV="4.15"
COMMON_DEPEND="
>=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}]
sys-libs/libcap:0=[${MULTILIB_USEDEP}]
virtual/libcrypt:=[${MULTILIB_USEDEP}]
acl? ( sys-apps/acl:0= )
apparmor? ( >=sys-libs/libapparmor-2.13:0= )
audit? ( >=sys-process/audit-2:0= )
bpf? ( >=dev-libs/libbpf-1.4.0:0= )
cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
curl? ( >=net-misc/curl-7.32.0:0= )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
fido2? ( dev-libs/libfido2:0= )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
gnutls? ( >=net-libs/gnutls-3.6.0:0= )
http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] )
idn? ( net-dns/libidn2:= )
importd? (
app-arch/bzip2:0=
sys-libs/zlib:0=
)
kmod? ( >=sys-apps/kmod-15:0= )
lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
iptables? ( net-firewall/iptables:0= )
openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= )
pcre? ( dev-libs/libpcre2 )
pwquality? ( >=dev-libs/libpwquality-1.4.1:0= )
qrcode? ( >=media-gfx/qrencode-3:0= )
seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
selinux? ( >=sys-libs/libselinux-2.1.9:0= )
tpm? ( app-crypt/tpm2-tss:0= )
xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )
zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] )
"
# Newer linux-headers needed by ia64, bug #480218
DEPEND="${COMMON_DEPEND}
>=sys-kernel/linux-headers-${MINKV}
"
PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]'
# baselayout-2.2 has /run
#
# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use
# flag). The image stage fails with "Failed to resolve
# typeattributeset statement at
# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120"
#
# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary
# needed by dracut's systemd-vconsole-setup module.
RDEPEND="${COMMON_DEPEND}
>=acct-group/adm-0-r1
>=acct-group/wheel-0-r1
>=acct-group/kmem-0-r1
>=acct-group/tty-0-r1
>=acct-group/utmp-0-r1
>=acct-group/audio-0-r1
>=acct-group/cdrom-0-r1
>=acct-group/dialout-0-r1
>=acct-group/disk-0-r1
>=acct-group/input-0-r1
>=acct-group/kvm-0-r1
>=acct-group/lp-0-r1
>=acct-group/render-0-r1
acct-group/sgx
>=acct-group/tape-0-r1
acct-group/users
>=acct-group/video-0-r1
>=acct-group/systemd-journal-0-r1
>=acct-user/root-0-r1
acct-user/nobody
>=acct-user/systemd-journal-remote-0-r1
>=acct-user/systemd-coredump-0-r1
>=acct-user/systemd-network-0-r1
acct-user/systemd-oom
>=acct-user/systemd-resolve-0-r1
>=acct-user/systemd-timesync-0-r1
>=sys-apps/baselayout-2.2
sys-apps/kbd
ukify? (
${PYTHON_DEPS}
$(python_gen_cond_dep "${PEFILE_DEPEND}")
)
selinux? (
sec-policy/selinux-base-policy[systemd]
)
sysv-utils? (
!sys-apps/openrc[sysv-utils(-)]
!sys-apps/openrc-navi[sysv-utils(-)]
!sys-apps/sysvinit
)
!sysv-utils? ( sys-apps/sysvinit )
resolvconf? ( !net-dns/openresolv )
!sys-auth/nss-myhostname
!sys-fs/eudev
!sys-fs/udev
"
# sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
>=sys-fs/udev-init-scripts-34
policykit? ( sys-auth/polkit )
!vanilla? ( sys-apps/gentoo-systemd-integration )"
BDEPEND="
app-arch/xz-utils:0
dev-util/gperf
>=dev-build/meson-0.46
>=sys-apps/coreutils-8.16
sys-devel/gettext
virtual/pkgconfig
bpf? (
dev-util/bpftool
sys-devel/bpf-toolchain
)
test? (
app-text/tree
dev-lang/perl
sys-apps/dbus
)
app-text/docbook-xml-dtd:4.2
app-text/docbook-xml-dtd:4.5
app-text/docbook-xsl-stylesheets
dev-libs/libxslt:0
${PYTHON_DEPS}
$(python_gen_cond_dep "
dev-python/jinja2[\${PYTHON_USEDEP}]
dev-python/lxml[\${PYTHON_USEDEP}]
boot? (
>=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}]
test? ( ${PEFILE_DEPEND} )
)
")
"
QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*"
QA_EXECSTACK="usr/lib/systemd/boot/efi/*"
pkg_pretend() {
# Flatcar: We keep using split-usr for SDK.
# if use split-usr; then
# eerror "Please complete the migration to merged-usr."
# eerror "https://wiki.gentoo.org/wiki/Merge-usr"
# die "systemd no longer supports split-usr"
# fi
if [[ ${MERGE_TYPE} != buildonly ]]; then
local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS
~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS
~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED
~!SYSFS_DEPRECATED_V2"
use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL"
use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF"
use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER"
if kernel_is -ge 5 10 20; then
CONFIG_CHECK+=" ~KCMP"
else
CONFIG_CHECK+=" ~CHECKPOINT_RESTORE"
fi
if kernel_is -ge 4 18; then
CONFIG_CHECK+=" ~AUTOFS_FS"
else
CONFIG_CHECK+=" ~AUTOFS4_FS"
fi
if linux_config_exists; then
local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH)
if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then
ewarn "It's recommended to set an empty value to the following kernel config option:"
ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}"
fi
if linux_chkconfig_present X86; then
CONFIG_CHECK+=" ~DMIID"
fi
fi
if kernel_is -lt ${MINKV//./ }; then
ewarn "Kernel version at least ${MINKV} required"
fi
check_extra_config
fi
}
pkg_setup() {
use boot && secureboot_pkg_setup
}
src_unpack() {
default
[[ ${PV} != 9999 ]] || git-r3_src_unpack
}
src_prepare() {
local PATCHES=(
# Flatcar: Adding our own patches here.
"${FILESDIR}/0001-wait-online-set-any-by-default.patch"
"${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch"
"${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch"
"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch"
"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
"${FILESDIR}/0009-initrd-parse-etc.service.patch"
)
if ! use vanilla; then
PATCHES+=(
"${FILESDIR}/gentoo-journald-audit-r1.patch"
)
fi
# Fails with split-usr.
sed -i -e '2i exit 77' test/test-rpm-macros.sh || die
# Flatcar: The Kubelet takes /etc/resolv.conf for, e.g.,
# CoreDNS which has dnsPolicy "default", but unless the
# kubelet --resolv-conf flag is set to point to
# /run/systemd/resolve/resolv.conf this won't work with
# /etc/resolv.conf pointing to
# /run/systemd/resolve/stub-resolv.conf which configures
# 127.0.0.53. See
# https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues
# This means that users who need split DNS to work should
# point /etc/resolv.conf back to
# /run/systemd/resolve/stub-resolv.conf (and if using K8s
# configure the kubelet resolvConf variable/--resolv-conf flag
# to /run/systemd/resolve/resolv.conf).
sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die
default
}
src_configure() {
# Prevent conflicts with i686 cross toolchain, bug 559726
tc-export AR CC NM OBJCOPY RANLIB
python_setup
multilib-minimal_src_configure
}
# Flatcar: Our function, we use it in some places below.
get_rootprefix() {
usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr"
}
multilib_src_configure() {
local myconf=(
--localstatedir="${EPREFIX}/var"
# default is developer, bug 918671
-Dmode=release
# Flatcar: Point to our user mailing list.
-Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user"
-Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)"
# Flatcar: We keep using split-usr in SDK.
$(meson_use split-usr)
# Flatcar: Always set split-bin to true, we always
# have separate bin and sbin directories
-Dsplit-bin=true
# Flatcar: Use get_rootprefix. No functional change
# from upstream, just refactoring the common code used
# in some places.
#
# TODO: Drop -Drootprefix and -Drootlibdir we get rid
# of split-usr in SDK
-Drootprefix="$(get_rootprefix)"
-Drootlibdir="${EPREFIX}/usr/$(get_libdir)"
# Disable compatibility with sysvinit
-Dsysvinit-path=
-Dsysvrcnd-path=
# no deps
-Dima=true
# Match /etc/shells, bug 919749
-Ddebug-shell="${EPREFIX}/bin/sh"
-Ddefault-user-shell="${EPREFIX}/bin/bash"
# Optional components/dependencies
$(meson_native_use_feature acl)
$(meson_native_use_feature apparmor)
$(meson_native_use_feature audit)
$(meson_native_use_feature boot bootloader)
$(meson_native_use_feature bpf bpf-framework)
-Dbpf-compiler=gcc
$(meson_native_use_feature cryptsetup libcryptsetup)
$(meson_native_use_feature curl libcurl)
$(meson_native_use_bool dns-over-tls dns-over-tls)
$(meson_native_use_feature elfutils)
$(meson_native_use_feature fido2 libfido2)
$(meson_feature gcrypt)
$(meson_native_use_feature gnutls)
$(meson_native_use_feature homed)
$(meson_native_use_feature http microhttpd)
$(meson_native_use_bool idn)
$(meson_native_use_feature importd)
$(meson_native_use_feature importd bzip2)
$(meson_native_use_feature importd zlib)
$(meson_native_use_bool kernel-install)
$(meson_native_use_feature kmod)
$(meson_feature lz4)
$(meson_feature lzma xz)
$(meson_use test tests)
$(meson_feature zstd)
$(meson_native_use_feature iptables libiptc)
$(meson_native_use_feature openssl)
$(meson_feature pam)
$(meson_native_use_feature pkcs11 p11kit)
$(meson_native_use_feature pcre pcre2)
$(meson_native_use_feature policykit polkit)
$(meson_native_use_feature pwquality)
$(meson_native_use_feature qrcode qrencode)
$(meson_native_use_feature seccomp)
$(meson_native_use_feature selinux)
$(meson_native_use_feature tpm tpm2)
$(meson_native_use_feature test dbus)
$(meson_native_use_feature ukify)
$(meson_native_use_feature xkb xkbcommon)
# Flatcar: Use our ntp servers.
-Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
# Breaks screen, tmux, etc.
-Ddefault-kill-user-processes=false
# Flatcar: TODO: Investigate if we want this.
-Dcreate-log-dirs=false
# multilib options
$(meson_native_true backlight)
$(meson_native_true binfmt)
$(meson_native_true coredump)
$(meson_native_true environment-d)
$(meson_native_true firstboot)
$(meson_native_true hibernate)
$(meson_native_true hostnamed)
$(meson_native_true ldconfig)
$(meson_native_true localed)
$(meson_native_enabled man)
$(meson_native_true networkd)
$(meson_native_true quotacheck)
$(meson_native_true randomseed)
$(meson_native_true rfkill)
$(meson_native_true sysusers)
$(meson_native_true timedated)
$(meson_native_true timesyncd)
$(meson_native_true tmpfiles)
$(meson_native_true vconsole)
$(meson_native_enabled vmspawn)
# Flatcar: Specify this, or meson breaks due to no
# /etc/login.defs.
-Dsystem-gid-max=999
-Dsystem-uid-max=999
# Flatcar: DBus paths.
-Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
-Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
# Flatcar: PAM config directory.
-Dpamconfdir=/usr/share/pam.d
# Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC
# 2013. Used by timesyncd as a sanity check for the
# minimum acceptable time. Explicitly set to avoid
# using the current build time.
-Dtime-epoch=1372636800
# Flatcar: No default name servers.
-Ddns-servers=
# Flatcar: Disable the "First Boot Wizard", it isn't
# very applicable to us.
-Dfirstboot=false
# Flatcar: Set latest network interface naming scheme
# for https://github.com/flatcar/Flatcar/issues/36
-Ddefault-net-naming-scheme=latest
# Flatcar: Combined log format: name plus description
-Dstatus-unit-format-default=combined
# Flatcar: Unported options, still needed?
-Dquotaon-path=/usr/sbin/quotaon
-Dquotacheck-path=/usr/sbin/quotacheck
-Ddefault-mdns=no
)
case $(tc-arch) in
amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86)
# src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE
myconf+=( $(meson_native_enabled vmspawn) ) ;;
*)
myconf+=( -Dvmspawn=disabled ) ;;
esac
meson_src_configure "${myconf[@]}"
}
multilib_src_test() {
(
unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
export COLUMNS=80
addpredict /dev
addpredict /proc
addpredict /run
addpredict /sys/fs/cgroup
meson_src_test --timeout-multiplier=10
) || die
}
multilib_src_install_all() {
# meson doesn't know about docdir
mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
einstalldocs
# Flatcar: Do not install sample nsswitch.conf, we don't
# provide it.
# dodoc "${FILESDIR}"/nsswitch.conf
insinto /usr/lib/tmpfiles.d
doins "${FILESDIR}"/legacy.conf
if ! use resolvconf; then
rm -f "${ED}"/usr/bin/resolvconf || die
fi
if ! use sysv-utils; then
rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die
rm "${ED}"/usr/share/man/man1/init.1 || die
rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die
fi
# https://bugs.gentoo.org/761763
rm -r "${ED}"/usr/lib/sysusers.d || die
# Flatcar: Upstream uses keepdir commands to keep some empty
# directories. We use tmpfiles.
# Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
keepdir /etc/kernel/install.d
keepdir /etc/systemd/{network,system,user}
keepdir /etc/udev/rules.d
keepdir /etc/udev/hwdb.d
# keepdir /usr/lib/systemd/{system-sleep,system-shutdown}
# keepdir /usr/lib/{binfmt.d,modules-load.d}
# keepdir /usr/lib/systemd/user-generators
# keepdir /var/lib/systemd
# keepdir /var/log/journal
# if use pam; then
# if use selinux; then
# newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user
# else
# newpamd "${FILESDIR}"/systemd-user.pam systemd-user
# fi
# fi
if use kernel-install; then
# Dummy config, remove to make room for sys-kernel/installkernel
rm "${ED}/usr/lib/kernel/install.conf" || die
fi
# Flatcar: Ensure journal directory has correct ownership/mode
# in inital image. This is fixed by systemd-tmpfiles *but*
# journald starts before that and will create the journal if
# the filesystem is already read-write. Conveniently the
# systemd Makefile sets this up completely wrong.
#
# Flatcar: TODO: Is this still a problem?
dodir /var/log/journal
fowners root:systemd-journal /var/log/journal
fperms 2755 /var/log/journal
# Flatcar: Don't prune systemd dirs.
dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
# Flatcar: Add tmpfiles rule for resolv.conf. This path has
# changed after v213 so it must be handled here instead of
# baselayout now.
dotmpfiles "${FILESDIR}"/systemd-resolv.conf
# Flatcar: Don't default to graphical.target.
local unitdir=$(builddir_systemd_get_systemunitdir)
dosym multi-user.target "${unitdir}"/default.target
# Flatcar: Don't set any extra environment variables by default.
rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
# Flatcar: These lines more or less follow the systemd's
# preset file (90-systemd.preset). We do it that way, to avoid
# putting symlinks in /etc. Please keep the lines in the same
# order as the "enable" lines appear in the preset file. For a
# single enable line in preset, there may be more lines if the
# unit file had Also: clause which has units we enable here
# too.
# Flatcar: enable remote-fs.target
builddir_systemd_enable_service multi-user.target remote-fs.target
# Flatcar: enable remote-cryptsetup.target
if use cryptsetup; then
builddir_systemd_enable_service multi-user.target remote-cryptsetup.target
fi
# Flatcar: enable machines.target
builddir_systemd_enable_service multi-user.target machines.target
# Flatcar: enable getty@.service
dodir "${unitdir}/getty.target.wants"
dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service"
# Flatcar: enable systemd-timesyncd.service
builddir_systemd_enable_service sysinit.target systemd-timesyncd.service
# Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service)
builddir_systemd_enable_service multi-user.target systemd-networkd.service
builddir_systemd_enable_service sockets.target systemd-networkd.socket
builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service
# Flatcar: enable systemd-network-generator.service
builddir_systemd_enable_service sysinit.target systemd-network-generator.service
# Flatcar: enable systemd-resolved.service
builddir_systemd_enable_service multi-user.target systemd-resolved.service
# Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry])
if use homed; then
builddir_systemd_enable_service multi-user.target systemd-homed.target
fi
# Flatcar: enable systemd-userdbd.socket
builddir_systemd_enable_service sockets.target systemd-userdbd.socket
# Flatcar: enable systemd-pstore.service
builddir_systemd_enable_service sysinit.target systemd-pstore.service
# Flatcar: enable systemd-boot-update.service
if use boot; then
builddir_systemd_enable_service sysinit.target systemd-boot-update.service
fi
# Flatcar: enable reboot.target (not enabled - has no WantedBy
# entry)
# Flatcar: enable systemd-sysext.service by default
builddir_systemd_enable_service sysinit.target systemd-sysext.service
# Flatcar: Use an empty preset file, because systemctl
# preset-all puts symlinks in /etc, not in /usr. We don't use
# /etc, because it is not autoupdated. We do the "preset" above.
rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
insinto /usr/lib/systemd/system-preset
doins "${FILESDIR}"/99-default.preset
# Flatcar: Do not ship distro-specific files (nsswitch.conf
# pam.d). This conflicts with our own configuration provided
# by baselayout.
rm -rf "${ED}"/usr/share/factory
sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
-e '/^C!* \/etc\/nsswitch\.conf/d' \
-e '/^C!* \/etc\/pam\.d/d' \
-e '/^C!* \/etc\/issue/d'
use ukify && python_fix_shebang "${ED}"
use boot && secureboot_auto_sign
}
# Flatcar: Our own version of systemd_get_systemunitdir, that returns
# a path inside /usr, not /etc.
builddir_systemd_get_systemunitdir() {
echo "$(get_rootprefix)/lib/systemd/system"
}
# Flatcar: Our own version of systemd_enable_service, that does
# operations inside /usr, not /etc.
builddir_systemd_enable_service() {
local target=${1}
local service=${2}
local ud=$(builddir_systemd_get_systemunitdir)
local destname=${service##*/}
dodir "${ud}"/"${target}".wants && \
dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}"
if use boot; then
python_fix_shebang "${ED}"
secureboot_auto_sign
fi
}
migrate_locale() {
local envd_locale_def="${EROOT}/etc/env.d/02locale"
local envd_locale=( "${EROOT}"/etc/env.d/??locale )
local locale_conf="${EROOT}/etc/locale.conf"
if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then
# If locale.conf does not exist...
if [[ -e ${envd_locale} ]]; then
# ...either copy env.d/??locale if there's one
ebegin "Moving ${envd_locale} to ${locale_conf}"
mv "${envd_locale}" "${locale_conf}"
eend ${?} || FAIL=1
else
# ...or create a dummy default
ebegin "Creating ${locale_conf}"
cat > "${locale_conf}" <<-EOF
# This file has been created by the sys-apps/systemd ebuild.
# See locale.conf(5) and localectl(1).
# LANG=${LANG}
EOF
eend ${?} || FAIL=1
fi
fi
if [[ ! -L ${envd_locale} ]]; then
# now, if env.d/??locale is not a symlink (to locale.conf)...
if [[ -e ${envd_locale} ]]; then
# ...warn the user that he has duplicate locale settings
ewarn
ewarn "To ensure consistent behavior, you should replace ${envd_locale}"
ewarn "with a symlink to ${locale_conf}. Please migrate your settings"
ewarn "and create the symlink with the following command:"
ewarn "ln -s -n -f ../locale.conf ${envd_locale}"
ewarn
else
# ...or just create the symlink if there's nothing here
ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink"
ln -n -s ../locale.conf "${envd_locale_def}"
eend ${?} || FAIL=1
fi
fi
}
pkg_preinst() {
if [[ -e ${EROOT}/etc/sysctl.conf ]]; then
# Symlink /etc/sysctl.conf for easy migration.
dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf
fi
# Flatcar: This used to be in upstream ebuild, but now it's
# gone. We should drop it once we get rid of split-usr in SDK.
if ! use split-usr; then
local dir
# Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list.
for dir in bin sbin lib; do
if [[ ! -L ${EROOT}/${dir} ]]; then
eerror "'${EROOT}/${dir}' is not a symbolic link."
FAIL=1
fi
done
if [[ ${FAIL} ]]; then
eerror "Migration to system layout with merged directories must be performed before"
eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage."
die "System layout with split directories still used"
fi
fi
if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then
ewarn "The 'gnuefi' USE flag has been renamed to 'boot'."
ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot."
fi
}
pkg_postinst() {
systemd_update_catalog
# Keep this here in case the database format changes so it gets updated
# when required.
systemd-hwdb --root="${ROOT}" update
udev_reload || FAIL=1
# Bug 465468, make sure locales are respected, and ensure consistency
# between OpenRC & systemd
migrate_locale
# Flatcar: We enable getty and remote-fs targets in /usr
# ourselves above.
# if [[ -z ${REPLACING_VERSIONS} ]]; then
# if type systemctl &>/dev/null; then
# systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1
# fi
# elog "To enable a useful set of services, run the following:"
# elog " systemctl preset-all --preset-mode=enable-only"
# fi
if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then
rm "${EROOT}/var/lib/systemd/timesync"
fi
if [[ -z ${ROOT} && -d /run/systemd/system ]]; then
ebegin "Reexecuting system manager (systemd)"
systemctl daemon-reexec
eend $? || FAIL=1
# https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html
ebegin "Signaling user managers to reexec"
systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service'
eend $?
fi
if [[ ${FAIL} ]]; then
eerror "One of the postinst commands failed. Please check the postinst output"
eerror "for errors. You may need to clean up your system and/or try installing"
eerror "systemd again."
eerror
fi
if use boot; then
optfeature "installing kernels in systemd-boot's native layout and update loader entries" \
"sys-kernel/installkernel[systemd-boot]"
fi
if use ukify; then
optfeature "generating unified kernel image on each kernel installation" \
"sys-kernel/installkernel[ukify]"
fi
}
pkg_prerm() {
# If removing systemd completely, remove the catalog database.
if [[ ! ${REPLACED_BY_VERSION} ]]; then
rm -f -v "${EROOT}"/var/lib/systemd/catalog/database
fi
}


@ -1 +1 @@
DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
DIST guest-oslogin-20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834


@ -1,3 +1,3 @@
# Needed for google oslogin
AuthorizedKeysCommand /usr/libexec/google_authorized_keys
AuthorizedKeysCommand /usr/bin/google_authorized_keys
AuthorizedKeysCommandUser root


@ -0,0 +1,21 @@
diff -Naur a/src/Makefile b/src/Makefile
--- a/src/Makefile 2020-09-10 17:51:08.000000000 -0000
+++ b/src/Makefile 2025-03-31 14:13:15.179579798 -0000
@@ -1,14 +1,14 @@
SHELL = /bin/sh
TOPDIR = $(realpath ..)
-CPPFLAGS = -Iinclude -I/usr/include/json-c
+CPPFLAGS := -Iinclude $(shell $(PKG_CONFIG) --cflags libcurl json-c pam)
FLAGS = -fPIC -Wall -g
CFLAGS = $(FLAGS) -Wstrict-prototypes
CXXFLAGS = $(FLAGS)
LDFLAGS = -shared -Wl,-soname,$(SONAME)
-LDLIBS = -lcurl -ljson-c
-PAMLIBS = -lpam $(LDLIBS)
+LDLIBS := $(shell $(PKG_CONFIG) --libs libcurl json-c)
+PAMLIBS := $(shell $(PKG_CONFIG) --libs pam) $(LDLIBS)
# Paths which should be overrideable.
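Review bot: `$(PKG_CONFIG)` is never given a default in the patched Makefile, so a standalone `make` (anything that does not pass `PKG_CONFIG=` the way the ebuild's `my_emake` does) runs `$(shell  --cflags libcurl json-c pam)` with an empty program name: the only symptom is a "command not found" on stderr, and `CPPFLAGS` silently collapses to `-Iinclude`, with the real failure showing up later as missing headers or unresolved symbols. Adding `PKG_CONFIG ?= pkg-config` above the `CPPFLAGS :=` line gives a sane fallback without disturbing the ebuild's override; because `:=` evaluates `$(shell …)` at parse time, the default must precede that line. The hunk header announces 14 lines per side but fewer are visible here, so some lines (presumably blanks) appear to have been dropped in rendering.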


@ -4,14 +4,14 @@ Date: Fri, 6 Jul 2018 15:54:40 -0700
Subject: [PATCH] pam_module: use /var/lib/ instead of /var
---
guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
src/pam/pam_oslogin_admin.cc | 2 +-
src/pam/pam_oslogin_login.cc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
diff --git a/src/pam/pam_oslogin_admin.cc b/src/pam/pam_oslogin_admin.cc
index 04d0808..376916e 100644
--- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
--- a/src/pam/pam_oslogin_admin.cc
+++ b/src/pam/pam_oslogin_admin.cc
@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
using oslogin_utils::UrlEncode;
using oslogin_utils::kMetadataServerUrl;
@ -21,10 +21,10 @@ index 04d0808..376916e 100644
extern "C" {
diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
diff --git a/src/pam/pam_oslogin_login.cc b/src/pam/pam_oslogin_login.cc
index 9e708f4..428600b 100644
--- a/guest-oslogin/src/pam/pam_oslogin_login.cc
+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
--- a/src/pam/pam_oslogin_login.cc
+++ b/src/pam/pam_oslogin_login.cc
@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
using oslogin_utils::UrlEncode;
using oslogin_utils::kMetadataServerUrl;


@ -9,7 +9,7 @@ UsePAM yes
PrintLastLog no # handled by PAM
PrintMotd no # handled by PAM
# Needed for google oslogin
AuthorizedKeysCommand /usr/libexec/google_authorized_keys
AuthorizedKeysCommand /usr/bin/google_authorized_keys
AuthorizedKeysCommandUser root
# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
# until most ssh clients could deprecate ssh-rsa.


@ -1,57 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=8
DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64"
IUSE=""
inherit pam toolchain-funcs
DEPEND="
net-misc/curl[ssl]
dev-libs/json-c
sys-libs/pam
"
RDEPEND="${DEPEND}"
S=${WORKDIR}/guest-oslogin-${PV}/
src_prepare() {
eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
default
}
src_compile() {
emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
VERSION=${PV} \
JSON_INCLUDE_PATH="${SYSROOT%/}/usr/include/json-c"
}
src_install() {
dolib.so src/libnss_cache_oslogin-${PV}.so
dolib.so src/libnss_oslogin-${PV}.so
exeinto /usr/libexec
doexe src/google_authorized_keys
doexe src/google_oslogin_nss_cache
dopammod src/pam_oslogin_admin.so
dopammod src/pam_oslogin_login.so
# config files the base Ignition config will create links to
insinto /usr/share/google-oslogin
doins "${FILESDIR}/sshd_config"
doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
doins "${FILESDIR}/nsswitch.conf"
doins "${FILESDIR}/pam_sshd"
doins "${FILESDIR}/oslogin-sudoers"
doins "${FILESDIR}/group.conf"
}


@ -0,0 +1,81 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=8
MY_P="guest-oslogin-${PV}"
DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> ${MY_P}.tar.gz"
S="${WORKDIR}/${MY_P}"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64"
IUSE="systemd"
inherit pam systemd toolchain-funcs
DEPEND="
net-misc/curl[ssl]
dev-libs/json-c
sys-libs/pam
"
RDEPEND="
${DEPEND}
systemd? ( sys-apps/systemd )
!systemd? ( virtual/cron )
"
BDEPEND="
virtual/pkgconfig
"
PATCHES=(
"${FILESDIR}"/${PN}-var-lib.patch
"${FILESDIR}"/${PN}-pkg-config.patch
)
my_emake() {
emake \
VERSION="${PV}" \
PKG_CONFIG="$(tc-getPKG_CONFIG)" \
"${@}"
}
src_compile() {
my_emake \
CC="$(tc-getCC)" \
CXX="$(tc-getCXX)"
}
src_install() {
my_emake \
DESTDIR="${D}" \
PREFIX="${EPREFIX}/usr" \
BINDIR="\$(PREFIX)/bin" \
CRONDIR="${EPREFIX}/etc/cron.d" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
MANDIR="\$(PREFIX)/share/man" \
PAMDIR="$(getpam_mod_dir)" \
PRESETDIR="$(systemd_get_systempresetdir)" \
SYSTEMDDIR="$(systemd_get_systemunitdir)" \
INSTALL_CRON=$(usex !systemd 1 '') \
install
# Flatcar doesn't need this script.
rm "${ED}"/usr/bin/google_oslogin_control || die
# man pages need fixing up for Gentoo QA but Flatcar drops them anyway.
rm -r "${ED}"/usr/share/man || die
# config files the base Ignition config will create links to
insinto /usr/share/google-oslogin
doins "${FILESDIR}/sshd_config"
doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
doins "${FILESDIR}/nsswitch.conf"
doins "${FILESDIR}/pam_sshd"
doins "${FILESDIR}/oslogin-sudoers"
doins "${FILESDIR}/group.conf"
}
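Review bot: The comment above `rm "${ED}"/usr/bin/google_oslogin_control || die` says the script is not needed but not why, so whoever bumps this package next cannot tell whether dropping it is still safe; presumably it is because the sshd/PAM/nsswitch changes that script would apply in place are instead shipped as the fragments installed into /usr/share/google-oslogin below, but that should be confirmed and written down, e.g. `# Flatcar doesn't need this script: the config it would edit in place is provided via /usr/share/google-oslogin instead.` On style, `INSTALL_CRON=$(usex !systemd 1 '')` is the only unquoted argument in the `my_emake` call; `usex` yields a single word so it is harmless today, but `INSTALL_CRON="$(usex !systemd 1 '')"` matches the surrounding lines. The `Copyright 1999-2018 Gentoo Foundation` header on a newly written 2025 ebuild also looks carried over rather than intended.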


@ -10,15 +10,20 @@ KEYWORDS="amd64 arm64"
RDEPEND="=sys-kernel/coreos-modules-${PVR}"
DEPEND="${RDEPEND}
app-arch/gzip
app-alternatives/awk
app-alternatives/gzip
app-arch/xz-utils
app-arch/zstd
app-crypt/clevis
app-shells/bash
coreos-base/afterburn
coreos-base/coreos-init:=
sys-apps/baselayout
sys-apps/coreutils
sys-apps/findutils
sys-apps/grep
sys-apps/ignition:=
sys-apps/iproute2
sys-apps/less
sys-apps/nvme-cli
sys-apps/sed
@ -26,6 +31,7 @@ DEPEND="${RDEPEND}
sys-apps/systemd[cryptsetup]
sys-apps/seismograph
sys-apps/util-linux
sys-block/open-iscsi
sys-fs/btrfs-progs
sys-fs/e2fsprogs
sys-fs/mdadm


@ -72,7 +72,7 @@ CONFIG_ISCSI_IBFT=y
CONFIG_ISCSI_IBFT_FIND=y
CONFIG_ITCO_VENDOR_SUPPORT=y
CONFIG_ITCO_WDT=m
CONFIG_KERNEL_ZSTD=y
CONFIG_KERNEL_XZ=y
CONFIG_KEXEC_FILE=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_KVM=m


@ -292,7 +292,7 @@ CONFIG_INFINIBAND_MTHCA=m
CONFIG_INFINIBAND_OCRDMA=m
CONFIG_INFINIBAND_SRP=m
CONFIG_INFINIBAND_USER_MAD=m
CONFIG_INITRAMFS_COMPRESSION_ZSTD=y
CONFIG_INITRAMFS_COMPRESSION_XZ=y
CONFIG_INIT_STACK_NONE=y
CONFIG_INPUT_EVDEV=m
CONFIG_INPUT_MISC=y


@ -88,7 +88,11 @@ EOF
generate_all_wrappers() {
local cmds=() wrappers=()
local wrapper
local wrapper qemu
# If the QEMU user space emulator is missing for this board arch, that implies
# the board arch matches the SDK arch and therefore emulation is unnecessary.
qemu=$(type -P "qemu-${BOARD_CHOST%%-*}") || unset qemu
info "Generating wrapper scripts"
@ -111,6 +115,18 @@ exec ${BOARD_CHOST}-gdb -iex 'set sysroot ${BOARD_ROOT}' "\$@"
EOF
wrappers+=( "${wrapper}" )
# ldconfig cannot generate caches for non-native arches. Use QEMU and the
# native ldconfig to work around that.
wrapper="/usr/local/sbin/ldconfig-${BOARD_VARIANT}"
sudo_clobber "${wrapper}" <<EOF
#!/bin/sh
exec ${qemu-} "${BOARD_ROOT}"/sbin/ldconfig -r "${BOARD_ROOT}" "\$@"
EOF
wrappers+=( "${wrapper}" )
# Create a CHOST-based ldconfig symlink for Portage to call.
sudo ln -sfT "ldconfig-${BOARD_VARIANT}" "/usr/local/sbin/${BOARD_CHOST}-ldconfig"
cmds+=(
"chmod a+rx ${wrappers[*]}"
"chown root:root ${wrappers[*]}"