From 688bb56a3d8903c266327d2fa80203d4069063d9 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Mon, 31 Mar 2025 15:28:44 +0100
Subject: [PATCH 1/9] sys-auth/google-oslogin: Install soname symlinks and general tidy up
The missing soname symlinks were causing ldconfig to create them later, breaking the sandbox. The upstream Makefile installs them for you, so let's use it even though it needs some taming. This adds the systemd timer to refresh the NSS cache. This seems important, and I can't see any reason to omit it. This also moves the binaries from /usr/libexec to /usr/bin. Upstream has always put them in /usr/bin, and putting them elsewhere requires tweaks.
Signed-off-by: James Le Cuirot
---
 .../sys-auth/google-oslogin/Manifest | 2 +-
 .../files/60-flatcar-google-oslogin.conf | 2 +-
 .../files/google-oslogin-pkg-config.patch | 21 +++
 ...var.patch => google-oslogin-var-lib.patch} | 16 ++--
 .../sys-auth/google-oslogin/files/sshd_config | 2 +-
 .../google-oslogin-20200910.00-r3.ebuild | 57 -------------
 .../google-oslogin-20200910.00-r4.ebuild | 81 +++++++++++++++++++
 7 files changed, 113 insertions(+), 68 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/{0001-pam_module-use-var-lib-instead-of-var.patch => google-oslogin-var-lib.patch} (64%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
index f1bedb2e82..f0f6c0f8e2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
@@ -1 +1 @@
-DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
+DIST guest-oslogin-20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
index d9f62661bf..13806e51fa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf
@@ -1,3 +1,3 @@
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
new file mode 100644
index 0000000000..878a2216dc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch
@@ -0,0 +1,21 @@
+diff -Naur a/src/Makefile b/src/Makefile
+--- a/src/Makefile 2020-09-10 17:51:08.000000000 -0000
++++ b/src/Makefile 2025-03-31 14:13:15.179579798 -0000
+@@ -1,14 +1,14 @@
+ SHELL = /bin/sh
+ TOPDIR = $(realpath ..)
+ 
+-CPPFLAGS = -Iinclude -I/usr/include/json-c
++CPPFLAGS := -Iinclude $(shell $(PKG_CONFIG) --cflags libcurl json-c pam)
+ FLAGS = -fPIC -Wall -g
+ CFLAGS = $(FLAGS) -Wstrict-prototypes
+ CXXFLAGS = $(FLAGS)
+ 
+ LDFLAGS = -shared -Wl,-soname,$(SONAME)
+-LDLIBS = -lcurl -ljson-c
+-PAMLIBS = -lpam $(LDLIBS)
++LDLIBS := $(shell $(PKG_CONFIG) --libs libcurl json-c)
++PAMLIBS := $(shell $(PKG_CONFIG) --libs pam) $(LDLIBS)
+ 
+ # Paths which should be overrideable.
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
similarity index 64%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
index 65fae86284..e170e62240 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch
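Review bot: `$(PKG_CONFIG)` has no fallback anywhere in this Makefile patch, so a plain `make` outside the ebuild (where PKG_CONFIG is unset) runs `$(shell  --cflags libcurl json-c pam)`, which most likely fails quietly and leaves CPPFLAGS and LDLIBS empty, turning a missing tool into obscure header-not-found errors later in the build. Adding `PKG_CONFIG ?= pkg-config` near the top of src/Makefile, ahead of the `:=` assignments, keeps the ebuild's explicit `PKG_CONFIG="$(tc-getPKG_CONFIG)"` override while giving the standalone build a sane default. The switch from `=` to `:=` also means the three pkg-config invocations run at parse time on every make call; that is fine here but deserves a short comment since the surrounding variables still use lazy `=`.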
@@ -4,14 +4,14 @@ Date: Fri, 6 Jul 2018 15:54:40 -0700
 Subject: [PATCH] pam_module: use /var/lib/ instead of /var
 ---
- guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
- guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
+ src/pam/pam_oslogin_admin.cc | 2 +-
+ src/pam/pam_oslogin_login.cc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
+diff --git a/src/pam/pam_oslogin_admin.cc b/src/pam/pam_oslogin_admin.cc
 index 04d0808..376916e 100644
---- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
+--- a/src/pam/pam_oslogin_admin.cc
++++ b/src/pam/pam_oslogin_admin.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
@@ -21,10 +21,10 @@ index 04d0808..376916e 100644
 extern "C" {
-diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
+diff --git a/src/pam/pam_oslogin_login.cc b/src/pam/pam_oslogin_login.cc
 index 9e708f4..428600b 100644
---- a/guest-oslogin/src/pam/pam_oslogin_login.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
+--- a/src/pam/pam_oslogin_login.cc
++++ b/src/pam/pam_oslogin_login.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
index 7b51b214e4..59b661f9f0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config
@@ -9,7 +9,7 @@ UsePAM yes
 PrintLastLog no # handled by PAM
 PrintMotd no # handled by PAM
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root
 # Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
 # until most ssh clients could deprecate ssh-rsa.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
deleted file mode 100644
index 679e0c0b3a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
-HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
-SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-inherit pam toolchain-funcs
-
-DEPEND="
- net-misc/curl[ssl]
- dev-libs/json-c
- sys-libs/pam
-"
-
-RDEPEND="${DEPEND}"
-
-S=${WORKDIR}/guest-oslogin-${PV}/
-
-src_prepare() {
- eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
- default
-}
-
-src_compile() {
- emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
- VERSION=${PV} \
- JSON_INCLUDE_PATH="${SYSROOT%/}/usr/include/json-c"
-}
-
-src_install() {
- dolib.so src/libnss_cache_oslogin-${PV}.so
- dolib.so src/libnss_oslogin-${PV}.so
-
- exeinto /usr/libexec
- doexe src/google_authorized_keys
- doexe src/google_oslogin_nss_cache
-
- dopammod src/pam_oslogin_admin.so
- dopammod src/pam_oslogin_login.so
-
- # config files the base Ignition config will create links to
- insinto /usr/share/google-oslogin
- doins "${FILESDIR}/sshd_config"
- doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
- doins "${FILESDIR}/nsswitch.conf"
- doins "${FILESDIR}/pam_sshd"
- doins "${FILESDIR}/oslogin-sudoers"
- doins "${FILESDIR}/group.conf"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild
new file mode 100644
index 0000000000..f8624481d0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="guest-oslogin-${PV}"
+DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> ${MY_P}.tar.gz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="systemd"
+
+inherit pam systemd toolchain-funcs
+
+DEPEND="
+ net-misc/curl[ssl]
+ dev-libs/json-c
+ sys-libs/pam
+"
+
+RDEPEND="
+ ${DEPEND}
+ systemd? ( sys-apps/systemd )
+ !systemd? ( virtual/cron )
+"
+
+BDEPEND="
+ virtual/pkgconfig
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-var-lib.patch
+ "${FILESDIR}"/${PN}-pkg-config.patch
+)
+
+my_emake() {
+ emake \
+ VERSION="${PV}" \
+ PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+ "${@}"
+}
+
+src_compile() {
+ my_emake \
+ CC="$(tc-getCC)" \
+ CXX="$(tc-getCXX)"
+}
+
+src_install() {
+ my_emake \
+ DESTDIR="${D}" \
+ PREFIX="${EPREFIX}/usr" \
+ BINDIR="\$(PREFIX)/bin" \
+ CRONDIR="${EPREFIX}/etc/cron.d" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ MANDIR="\$(PREFIX)/share/man" \
+ PAMDIR="$(getpam_mod_dir)" \
+ PRESETDIR="$(systemd_get_systempresetdir)" \
+ SYSTEMDDIR="$(systemd_get_systemunitdir)" \
+ INSTALL_CRON=$(usex !systemd 1 '') \
+ install
+
+ # Flatcar doesn't need this script.
+ rm "${ED}"/usr/bin/google_oslogin_control || die
+
+ # man pages need fixing up for Gentoo QA but Flatcar drops them anyway.
+ rm -r "${ED}"/usr/share/man || die
+
+ # config files the base Ignition config will create links to
+ insinto /usr/share/google-oslogin
+ doins "${FILESDIR}/sshd_config"
+ doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
+ doins "${FILESDIR}/nsswitch.conf"
+ doins "${FILESDIR}/pam_sshd"
+ doins "${FILESDIR}/oslogin-sudoers"
+ doins "${FILESDIR}/group.conf"
+}
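Review bot: `INSTALL_CRON=$(usex !systemd 1 '')` in src_install is the only unquoted command substitution among the make arguments; it is safe today because usex prints `1` or nothing and the `INSTALL_CRON=` prefix keeps the word from vanishing, but `INSTALL_CRON="$(usex !systemd 1 '')"` matches the neighbouring lines and survives a future change to the value. SYSTEMDDIR and PRESETDIR are handed to the install target regardless of USE=systemd, so whether a `-systemd` build still ships the unit and timer files alongside the cron entry depends on the upstream Makefile, which is not visible here; a one-line comment stating the intended outcome (or a `use systemd ||` guarded removal) would make that explicit. The `# Copyright 1999-2018` header was carried over from the deleted r3 ebuild rather than updated for the new file.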
From 3c2a0527e038ae56b82b652067f52c7925a16d15 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Fri, 28 Mar 2025 12:57:11 +0000
Subject: [PATCH 2/9] setup_board: Add ldconfig wrapper for non-native arches
Signed-off-by: James Le Cuirot
---
 setup_board | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/setup_board b/setup_board
index 7073f2d037..f2c45188fe 100755
--- a/setup_board
+++ b/setup_board
@@ -88,7 +88,11 @@ EOF
 generate_all_wrappers() {
 local cmds=() wrappers=()
- local wrapper
+ local wrapper qemu
+
+ # If the QEMU user space emulator is missing for this board arch, that implies
+ # the board arch matches the SDK arch and therefore emulation is unnecessary.
+ qemu=$(type -P "qemu-${BOARD_CHOST%%-*}") || unset qemu
 info "Generating wrapper scripts"
@@ -111,6 +115,18 @@ exec ${BOARD_CHOST}-gdb -iex 'set sysroot ${BOARD_ROOT}' "\$@"
 EOF
 wrappers+=( "${wrapper}" )
+ # ldconfig cannot generate caches for non-native arches. Use QEMU and the
+ # native ldconfig to work around that.
+ wrapper="/usr/local/sbin/ldconfig-${BOARD_VARIANT}"
+ sudo_clobber "${wrapper}" <
Date: Mon, 7 Apr 2025 11:26:34 +0100
Subject: [PATCH 3/9] sys-kernel/coreos-kernel: Add missing dependencies
These dependencies are always present in CI by the time this package gets built, but this may not be the case when building manually. This leads to gaps in the initrd and ultimately failed boots.
Signed-off-by: James Le Cuirot
---
 .../sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
index 5aad6bb286..51c20b07ae 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
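Review bot: `qemu=$(type -P "qemu-${BOARD_CHOST%%-*}") || unset qemu` in the first setup_board hunk treats a missing emulator as proof that the board is native, but `type -P` fails just as readily when qemu-user is simply not installed in the SDK, and in that case the ldconfig wrapper built further down would presumably run the host ldconfig against foreign binaries with no diagnostic. If the SDK is guaranteed to ship the emulator for every non-native arch, the comment should say so, e.g. `# The SDK always ships qemu-user for foreign board arches, so a missing binary means the board is native.`; otherwise an `info` message in the `||` branch would make the silent fallback visible. The remainder of generate_all_wrappers, including the wrapper body in the second hunk, is not legible in this view.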
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
@@ -10,15 +10,19 @@ KEYWORDS="amd64 arm64"
 RDEPEND="=sys-kernel/coreos-modules-${PVR}"
 DEPEND="${RDEPEND}
- app-arch/gzip
+ app-alternatives/awk
+ app-alternatives/gzip
 app-arch/zstd
 app-crypt/clevis
 app-shells/bash
+ coreos-base/afterburn
 coreos-base/coreos-init:=
+ sys-apps/baselayout
 sys-apps/coreutils
 sys-apps/findutils
 sys-apps/grep
 sys-apps/ignition:=
+ sys-apps/iproute2
 sys-apps/less
 sys-apps/nvme-cli
 sys-apps/sed
@@ -26,6 +30,7 @@ DEPEND="${RDEPEND}
 sys-apps/systemd[cryptsetup]
 sys-apps/seismograph
 sys-apps/util-linux
+ sys-block/open-iscsi
 sys-fs/btrfs-progs
 sys-fs/e2fsprogs
 sys-fs/mdadm
From 78167629baf688eb82b2734f3e9d6e535c1acbd1 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 17 Apr 2025 11:22:17 +0100
Subject: [PATCH 4/9] build_dev_binpkgs: Refactor the script with better Bash techniques
Signed-off-by: James Le Cuirot
---
 build_dev_binpkgs | 53 ++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 30 deletions(-)
diff --git a/build_dev_binpkgs b/build_dev_binpkgs
index a3fdfe6b7f..f7a12dfa82 100755
--- a/build_dev_binpkgs
+++ b/build_dev_binpkgs
@@ -19,18 +19,18 @@ skip_packages_default="dev-lang/rust,dev-lang/rust-bin,dev-lang/go,dev-lang/go-b
 # Developer-visible flags.
 DEFINE_string board "${DEFAULT_BOARD}" \
 "The board to build packages for."
-DEFINE_string skip_packages "${skip_packages_default[@]}" \
+DEFINE_string skip_packages "${skip_packages_default}" \
 "Comma-separated list of packages in the dependency tree to skip."
 DEFINE_boolean pretend "${FLAGS_FALSE}" \
- "List packages that would be built but do not actually build."
+ "List packages that would be built but do not actually build."
-FLAGS_HELP="usage: $(basename $0) [flags] [packages]
+FLAGS_HELP="usage: $(basename "$0") [flags] [packages]
 build_dev_binpkgs builds binary packages for all dependencies of [packages]
 that are not present in '/build//var/lib/portage/pkgs/'.
 Useful for publishing a complete set of packages to a binhost.
-[packages] defaults to '${packages_default}' if not specified.
+[packages] defaults to '${packages_default[*]}' if not specified.
 "
 # Parse command line
@@ -46,43 +46,36 @@ fi
 # --
 function my_board_emerge() {
- PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
+ PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
 }
 # --
-pkg_build_list="$(mktemp)"
-pkg_skipped_list="${pkg_build_list}-skip"
-trap 'rm -f "${pkg_build_list}" "${pkg_skipped_list}"' EXIT
+pkg_build_list=()
+pkg_skipped_list=()
 info "Collecting list of binpkgs to build"
-my_board_emerge --pretend --emptytree ${@} \
- | grep '\[ebuild' \
- | sed 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/' \
- | while read pkg; do
- if [ -f "/build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2" ] ; then
- continue
- fi
- skip=""
- for s in ${FLAGS_skip_packages//,/ }; do
- if [[ ${pkg} = ${s}-* ]] ; then
- echo -n "${pkg} " >> "${pkg_skipped_list}"
- skip="true"
- break
+while read -r pkg; do
+ [[ -f /build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2 ]] && continue
+ IFS=,
+ for s in ${FLAGS_skip_packages}; do
+ if [[ ${pkg} == ${s}-* ]] ; then
+ pkg_skipped_list+=("${pkg}")
+ continue 2
 fi
 done
- [[ -z ${skip} ]] || continue
- echo "=${pkg}" | tee -a "${pkg_build_list}" | sed 's/^/ /'
-done
+ unset IFS
+ pkg_build_list+=("=${pkg}")
+ echo " =${pkg}"
+done < <(my_board_emerge --pretend --emptytree "${@}" |
+ grep '\[ebuild' | sed 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/')
 # --
-if [ -f "${pkg_skipped_list}" ] ; then
- info "Skipping binpkgs '$(cat "${pkg_skipped_list}")' because these are in the skip list."
+if [[ ${#pkg_skipped_list[@]} -gt 0 ]]; then
+ info "Skipping binpkgs '${pkg_skipped_list[*]}' because these are in the skip list."
 fi
 pretend=""
-if [[ "${FLAGS_pretend}" -eq "${FLAGS_TRUE}" ]]; then
- pretend="--pretend"
-fi
+[[ ${FLAGS_pretend} -eq ${FLAGS_TRUE} ]] && pretend="--pretend"
-my_board_emerge --buildpkg ${pretend} $(cat "${pkg_build_list}")
+my_board_emerge --buildpkg ${pretend} "${pkg_build_list[@]}"
From 6237a609886573dd19692a3c32fbaa3bf06159a5 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 17 Apr 2025 11:24:05 +0100
Subject: [PATCH 5/9] build_dev_binpkgs: Only build packages available to the board profile
Updating only the SDK to systemd-257 caused this script to break, as it saw this version being pulled in as a BDEPEND and then tried to build it using the board profile. See the comment for details.
Signed-off-by: James Le Cuirot
---
 build_dev_binpkgs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/build_dev_binpkgs b/build_dev_binpkgs
index f7a12dfa82..33e9337075 100755
--- a/build_dev_binpkgs
+++ b/build_dev_binpkgs
@@ -55,6 +55,12 @@ pkg_skipped_list=()
 info "Collecting list of binpkgs to build"
+# Normally, BDEPENDs are only installed to the SDK, but the point of this script
+# is to install them to the board root because the dev container uses a board
+# profile. This is easily achieved using --root-deps. Since it is still the SDK
+# doing the building, which might have different package versions available to
+# the board profile, we have to be careful not to include SDK BDEPENDs in the
+# list of binary packages to publish, hence the sed call.
 while read -r pkg; do
 [[ -f /build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2 ]] && continue
 IFS=,
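Review bot: `IFS=,` in the while loop of this hunk is assigned as a global before the inner `for s in ${FLAGS_skip_packages}` and only restored by `unset IFS` after it, but the `continue 2` on a match jumps straight to the next `while` iteration and skips that `unset`, so once one package has been skipped every later `read -r pkg` and unquoted expansion in the loop runs with IFS set to a comma. Nothing visible breaks today because the atoms contain no commas, which makes this a latent rather than an observed bug. Splitting the skip list once, ahead of the loop, avoids touching the global at all: `IFS=, read -ra skip_atoms <<<"${FLAGS_skip_packages}"` before `while read -r pkg; do`, then `for s in "${skip_atoms[@]}"; do` in place of the `IFS=,`/`for`/`unset IFS` trio. The prefix match `[[ ${pkg} == ${s}-* ]]` keeps its pattern semantics unchanged with the array form.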
@@ -67,8 +73,8 @@ while read -r pkg; do
 unset IFS
 pkg_build_list+=("=${pkg}")
 echo " =${pkg}"
-done < <(my_board_emerge --pretend --emptytree "${@}" |
- grep '\[ebuild' | sed 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/')
+done < <(my_board_emerge --pretend --emptytree --root-deps "${@}" |
+ sed -n "/\[ebuild .* to \/build\/${FLAGS_board}\/ /s/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/p")
 # --
 if [[ ${#pkg_skipped_list[@]} -gt 0 ]]; then
From a072bde74c65b0660efd924039d104eb669eb8df Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Mon, 7 Apr 2025 18:01:41 +0100
Subject: [PATCH 6/9] sys-apps/systemd: Bump to v257.5 for the SDK only
We need this for dracut-install to have JSON support. It doesn't matter that the Flatcar image will still have v256.
Signed-off-by: James Le Cuirot
---
 .../targets/sdk/package.accept_keywords | 2 +
 .../coreos-overlay/sys-apps/systemd/Manifest | 1 +
 ...s-tty-to-use-by-agetty-via-stdin-257.patch | 92 +++
 .../sys-apps/systemd/systemd-257.5.ebuild | 769 ++++++++++++++++++
 4 files changed, 864 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.5.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
new file mode 100644
index 0000000000..7b5df04972
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
@@ -0,0 +1,2 @@
+# Temporarily put the SDK version ahead for sd-json support in Dracut.
+=sys-apps/systemd-257.5 ~amd64 ~arm64
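Review bot: `${FLAGS_board}` is interpolated unescaped into the sed address `/\[ebuild .* to \/build\/${FLAGS_board}\/ /`, so a board name containing `/`, `.` or another regex metacharacter would either break the expression or match more lines than intended; board names are simple today, but the value arrives from a command-line flag. A fixed-string pre-filter keeps user input out of the regex: `grep -F -- "[ebuild" | grep -F -- " to /build/${FLAGS_board}/ " |` followed by the original `sed -n 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/p'`. The `while` loop this process substitution feeds starts outside the hunk.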
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
index 08c9ddc293..aef14a442a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -1 +1,2 @@
 DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681
+DIST systemd-257.5.tar.gz 16232112 BLAKE2B 142baef9b09217ea117ac09923604f7520a36d4c63cf04a78d1c4fbf7b057b977f5c77418168c0308a8dc6b48ccc6324438f30c87de8642e8e9cf12b47f90475 SHA512 9e5352c20c9edac53f302a534532035185139998628ed0a85411f440df47f1dd7cce6651aec787484809bb1aa2825008d062714c37936cbfd08451fbe29a998f
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch
new file mode 100644
index 0000000000..6f81ae8b68
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch
@@ -0,0 +1,92 @@
+From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury
+Date: Fri, 16 Dec 2022 16:28:26 +0530
+Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+
+This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
+
+This is to work around a SELinux denial that happens when setting up standard
+input for serial consoles (which is used for SSH connections).
+
+Signed-off-by: Sayan Chowdhury
+---
+ units/console-getty.service.in | 4 +---
+ units/container-getty@.service.in | 4 +---
+ units/getty@.service.in | 4 +---
+ units/serial-getty@.service.in | 4 +---
+ 4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/units/console-getty.service.in b/units/console-getty.service.in
+index 33e6368db1..1f2d8b910f 100644
+--- a/units/console-getty.service.in
++++ b/units/console-getty.service.in
+@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
+ Type=idle
+ Restart=always
+ UtmpIdentifier=cons
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/console
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
+index 7573532d6d..5f27653d1f 100644
+--- a/units/container-getty@.service.in
++++ b/units/container-getty@.service.in
+@@ -27,13 +27,11 @@ Before=rescue.service
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
+ Type=idle
+ Restart=always
+ RestartSec=0
+ UtmpIdentifier=pts/%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/pts/%I
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/getty@.service.in b/units/getty@.service.in
+index f30bba406d..1819627d1c 100644
+--- a/units/getty@.service.in
++++ b/units/getty@.service.in
+@@ -36,13 +36,11 @@ ConditionPathExists=/dev/tty0
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
+ Type=idle
+ Restart=always
+ RestartSec=0
+ UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/%I
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
+index 20a5eb2754..ba4cbc0edb 100644
+--- a/units/serial-getty@.service.in
++++ b/units/serial-getty@.service.in
+@@ -32,12 +32,10 @@ Before=rescue.service
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
+ Type=idle
+ Restart=always
+ UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/%I
+ TTYReset=yes
+ TTYVHangup=yes
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.5.ebuild
new file mode 100644
index 0000000000..e4075f6c2a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.5.ebuild 
@@ -0,0 +1,769 @@ +# Copyright 2011-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{10..13} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" + + if [[ ${PV} != *rc* ]] ; then + # Flatcar: mark as stable + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + fi +fi + +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd tmpfiles toolchain-funcs udev + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://systemd.io/" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod + +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( || ( gnutls openssl ) ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma || ( gcrypt openssl ) ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) + audit? ( >=sys-process/audit-2:0= ) + bpf? ( >=dev-libs/libbpf-1.4.0:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? 
( >=net-misc/curl-7.32.0:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( dev-libs/libfido2:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +# +# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use +# flag). The image stage fails with "Failed to resolve +# typeattributeset statement at +# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" +# +# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary +# needed by dracut's systemd-vconsole-setup module. 
+RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + sys-apps/kbd + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/openrc-navi[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-build/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + bpf? ( + dev-util/bpftool + sys-devel/bpf-toolchain + ) + test? ( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja2[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( + >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] + test? 
( ${PEFILE_DEPEND} ) + ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +pkg_pretend() { + # Flatcar: We keep using split-usr for SDK. + # if use split-usr; then + # eerror "Please complete the migration to merged-usr." + # eerror "https://wiki.gentoo.org/wiki/Merge-usr" + # die "systemd no longer supports split-usr" + # fi + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + # Flatcar: Adding our own patches here. 
+ "${FILESDIR}/0001-wait-online-set-any-by-default.patch" + "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch" + "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" + "${FILESDIR}/0009-initrd-parse-etc.service.patch" + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-journald-audit-r1.patch" + ) + fi + + # Fails with split-usr. + sed -i -e '2i exit 77' test/test-rpm-macros.sh || die + + # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., + # CoreDNS which has dnsPolicy "default", but unless the + # kubelet --resolv-conf flag is set to point to + # /run/systemd/resolve/resolv.conf this won't work with + # /etc/resolv.conf pointing to + # /run/systemd/resolve/stub-resolv.conf which configures + # 127.0.0.53. See + # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + # This means that users who need split DNS to work should + # point /etc/resolv.conf back to + # /run/systemd/resolve/stub-resolv.conf (and if using K8s + # configure the kubelet resolvConf variable/--resolv-conf flag + # to /run/systemd/resolve/resolv.conf). + sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +# Flatcar: Our function, we use it in some places below. +get_rootprefix() { + usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + # default is developer, bug 918671 + -Dmode=release + # Flatcar: Point to our user mailing list. 
+ -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + # Flatcar: We keep using split-usr in SDK. + $(meson_use split-usr) + # Flatcar: Always set split-bin to true, we always + # have separate bin and sbin directories + -Dsplit-bin=true + # Flatcar: Use get_rootprefix. No functional change + # from upstream, just refactoring the common code used + # in some places. + # + # TODO: Drop -Drootprefix and -Drootlibdir we get rid + # of split-usr in SDK + -Drootprefix="$(get_rootprefix)" + -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # no deps + -Dima=true + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_feature acl) + $(meson_native_use_feature apparmor) + $(meson_native_use_feature audit) + $(meson_native_use_feature boot bootloader) + $(meson_native_use_feature bpf bpf-framework) + -Dbpf-compiler=gcc + $(meson_native_use_feature cryptsetup libcryptsetup) + $(meson_native_use_feature curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_feature elfutils) + $(meson_native_use_feature fido2 libfido2) + $(meson_feature gcrypt) + $(meson_native_use_feature gnutls) + $(meson_native_use_feature homed) + $(meson_native_use_feature http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_feature importd) + $(meson_native_use_feature importd bzip2) + $(meson_native_use_feature importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_feature kmod) + $(meson_feature lz4) + $(meson_feature lzma xz) + $(meson_use test tests) + $(meson_feature zstd) + $(meson_native_use_feature iptables libiptc) + $(meson_native_use_feature openssl) + $(meson_feature pam) + $(meson_native_use_feature 
pkcs11 p11kit) + $(meson_native_use_feature pcre pcre2) + $(meson_native_use_feature policykit polkit) + $(meson_native_use_feature pwquality) + $(meson_native_use_feature qrcode qrencode) + $(meson_native_use_feature seccomp) + $(meson_native_use_feature selinux) + $(meson_native_use_feature tpm tpm2) + $(meson_native_use_feature test dbus) + $(meson_native_use_feature ukify) + $(meson_native_use_feature xkb xkbcommon) + # Flatcar: Use our ntp servers. + -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + # Flatcar: TODO: Investigate if we want this. + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_enabled man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + $(meson_native_enabled vmspawn) + # Flatcar: Specify this, or meson breaks due to no + # /etc/login.defs. + -Dsystem-gid-max=999 + -Dsystem-uid-max=999 + + # Flatcar: DBus paths. + -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" + -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" + + # Flatcar: PAM config directory. + -Dpamconfdir=/usr/share/pam.d + + # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC + # 2013. Used by timesyncd as a sanity check for the + # minimum acceptable time. Explicitly set to avoid + # using the current build time. + -Dtime-epoch=1372636800 + + # Flatcar: No default name servers. 
+ -Ddns-servers= + + # Flatcar: Disable the "First Boot Wizard", it isn't + # very applicable to us. + -Dfirstboot=false + + # Flatcar: Set latest network interface naming scheme + # for https://github.com/flatcar/Flatcar/issues/36 + -Ddefault-net-naming-scheme=latest + + # Flatcar: Combined log format: name plus description + -Dstatus-unit-format-default=combined + + # Flatcar: Unported options, still needed? + -Dquotaon-path=/usr/sbin/quotaon + -Dquotacheck-path=/usr/sbin/quotacheck + -Ddefault-mdns=no + ) + + case $(tc-arch) in + amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86) + # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE + myconf+=( $(meson_native_enabled vmspawn) ) ;; + *) + myconf+=( -Dvmspawn=disabled ) ;; + esac + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test --timeout-multiplier=10 + ) || die +} + +multilib_src_install_all() { + # meson doesn't know about docdir + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + # Flatcar: Do not install sample nsswitch.conf, we don't + # provide it. + # dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Flatcar: Upstream uses keepdir commands to keep some empty + # directories. We use tmpfiles. 
+ # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + # keepdir /usr/lib/{binfmt.d,modules-load.d} + # keepdir /usr/lib/systemd/user-generators + # keepdir /var/lib/systemd + # keepdir /var/log/journal + + # if use pam; then + # if use selinux; then + # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + # else + # newpamd "${FILESDIR}"/systemd-user.pam systemd-user + # fi + # fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + # Flatcar: Ensure journal directory has correct ownership/mode + # in inital image. This is fixed by systemd-tmpfiles *but* + # journald starts before that and will create the journal if + # the filesystem is already read-write. Conveniently the + # systemd Makefile sets this up completely wrong. + # + # Flatcar: TODO: Is this still a problem? + dodir /var/log/journal + fowners root:systemd-journal /var/log/journal + fperms 2755 /var/log/journal + + # Flatcar: Don't prune systemd dirs. + dotmpfiles "${FILESDIR}"/systemd-flatcar.conf + # Flatcar: Add tmpfiles rule for resolv.conf. This path has + # changed after v213 so it must be handled here instead of + # baselayout now. + dotmpfiles "${FILESDIR}"/systemd-resolv.conf + + # Flatcar: Don't default to graphical.target. + local unitdir=$(builddir_systemd_get_systemunitdir) + dosym multi-user.target "${unitdir}"/default.target + + # Flatcar: Don't set any extra environment variables by default. + rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + + # Flatcar: These lines more or less follow the systemd's + # preset file (90-systemd.preset). We do it that way, to avoid + # putting symlinks in /etc. 
Please keep the lines in the same + # order as the "enable" lines appear in the preset file. For a + # single enable line in preset, there may be more lines if the + # unit file had Also: clause which has units we enable here + # too. + + # Flatcar: enable remote-fs.target + builddir_systemd_enable_service multi-user.target remote-fs.target + # Flatcar: enable remote-cryptsetup.target + if use cryptsetup; then + builddir_systemd_enable_service multi-user.target remote-cryptsetup.target + fi + # Flatcar: enable machines.target + builddir_systemd_enable_service multi-user.target machines.target + # Flatcar: enable getty@.service + dodir "${unitdir}/getty.target.wants" + dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" + # Flatcar: enable systemd-timesyncd.service + builddir_systemd_enable_service sysinit.target systemd-timesyncd.service + # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) + builddir_systemd_enable_service multi-user.target systemd-networkd.service + builddir_systemd_enable_service sockets.target systemd-networkd.socket + builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service + # Flatcar: enable systemd-network-generator.service + builddir_systemd_enable_service sysinit.target systemd-network-generator.service + # Flatcar: enable systemd-resolved.service + builddir_systemd_enable_service multi-user.target systemd-resolved.service + # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) + if use homed; then + builddir_systemd_enable_service multi-user.target systemd-homed.target + fi + # Flatcar: enable systemd-userdbd.socket + builddir_systemd_enable_service sockets.target systemd-userdbd.socket + # Flatcar: enable systemd-pstore.service + builddir_systemd_enable_service sysinit.target systemd-pstore.service + # Flatcar: enable systemd-boot-update.service + if use boot; then 
+ builddir_systemd_enable_service sysinit.target systemd-boot-update.service + fi + # Flatcar: enable reboot.target (not enabled - has no WantedBy + # entry) + + # Flatcar: enable systemd-sysext.service by default + builddir_systemd_enable_service sysinit.target systemd-sysext.service + + # Flatcar: Use an empty preset file, because systemctl + # preset-all puts symlinks in /etc, not in /usr. We don't use + # /etc, because it is not autoupdated. We do the "preset" above. + rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die + insinto /usr/lib/systemd/system-preset + doins "${FILESDIR}"/99-default.preset + + # Flatcar: Do not ship distro-specific files (nsswitch.conf + # pam.d). This conflicts with our own configuration provided + # by baselayout. + rm -rf "${ED}"/usr/share/factory + sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ + -e '/^C!* \/etc\/nsswitch\.conf/d' \ + -e '/^C!* \/etc\/pam\.d/d' \ + -e '/^C!* \/etc\/issue/d' + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +# Flatcar: Our own version of systemd_get_systemunitdir, that returns +# a path inside /usr, not /etc. +builddir_systemd_get_systemunitdir() { + echo "$(get_rootprefix)/lib/systemd/system" +} + +# Flatcar: Our own version of systemd_enable_service, that does +# operations inside /usr, not /etc. +builddir_systemd_enable_service() { + local target=${1} + local service=${2} + local ud=$(builddir_systemd_get_systemunitdir) + local destname=${service##*/} + + dodir "${ud}"/"${target}".wants && \ + dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" + + if use boot; then + python_fix_shebang "${ED}" + secureboot_auto_sign + fi +} +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... 
+ if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + # Flatcar: This used to be in upstream ebuild, but now it's + # gone. We should drop it once we get rid of split-usr in SDK. + if ! use split-usr; then + local dir + # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. + for dir in bin sbin lib; do + if [[ ! -L ${EROOT}/${dir} ]]; then + eerror "'${EROOT}/${dir}' is not a symbolic link." + FAIL=1 + fi + done + if [[ ${FAIL} ]]; then + eerror "Migration to system layout with merged directories must be performed before" + eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." 
+ die "System layout with split directories still used" + fi + fi + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + # Flatcar: We enable getty and remote-fs targets in /usr + # ourselves above. + # if [[ -z ${REPLACING_VERSIONS} ]]; then + # if type systemctl &>/dev/null; then + # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + # fi + # elog "To enable a useful set of services, run the following:" + # elog " systemctl preset-all --preset-mode=enable-only" + # fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? || FAIL=1 + + # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html + ebegin "Signaling user managers to reexec" + systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." 
+ eerror
+ fi
+
+ if use boot; then
+ optfeature "installing kernels in systemd-boot's native layout and update loader entries" \
+ "sys-kernel/installkernel[systemd-boot]"
+ fi
+ if use ukify; then
+ optfeature "generating unified kernel image on each kernel installation" \
+ "sys-kernel/installkernel[ukify]"
+ fi
+}
+
+pkg_prerm() {
+ # If removing systemd completely, remove the catalog database.
+ if [[ ! ${REPLACED_BY_VERSION} ]]; then
+ rm -f -v "${EROOT}"/var/lib/systemd/catalog/database
+ fi
+}
From 48ba5fbc6df6934ea3922ceab6d9ae4cec8d3295 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 10 Apr 2025 17:39:31 +0100
Subject: [PATCH 7/9] sys-kernel/coreos-modules: Compress kernel with xz rather than zstd

zstd is faster but we're getting seriously short on space. Unfortunately, the arm64 kernel still cannot be compressed, but it has benefited from another space saving measure recently, and GRUB also takes up less space in /boot.

Signed-off-by: James Le Cuirot
---
 .../sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild | 1 +
 .../sys-kernel/coreos-modules/files/amd64_defconfig-6.6 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
index 51c20b07ae..f63fe81030 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.87.ebuild
@@ -12,6 +12,7 @@ RDEPEND="=sys-kernel/coreos-modules-${PVR}"
 DEPEND="${RDEPEND}
 app-alternatives/awk
 app-alternatives/gzip
+ app-arch/xz-utils
 app-arch/zstd
 app-crypt/clevis
 app-shells/bash
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
index 8214e055a1..1d171bc519 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
@@ -72,7 +72,7 @@ CONFIG_ISCSI_IBFT=y
 CONFIG_ISCSI_IBFT_FIND=y
 CONFIG_ITCO_VENDOR_SUPPORT=y
 CONFIG_ITCO_WDT=m
-CONFIG_KERNEL_ZSTD=y
+CONFIG_KERNEL_XZ=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KPROBES_ON_FTRACE=y
 CONFIG_KVM=m
From d1a38bfa9405986b63a7a11943e9b592f9af3875 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 10 Apr 2025 18:23:16 +0100
Subject: [PATCH 8/9] sys-kernel/coreos-modules: Compress initrd with xz rather than zstd

Again, zstd is faster but we're getting seriously short on space. Unlike the kernel itself, this applies to both amd64 and arm64.

Signed-off-by: James Le Cuirot
---
 changelog/changes/2025-04-17-vmlinuz-compression.md | 1 +
 .../sys-kernel/coreos-modules/files/commonconfig-6.6 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog/changes/2025-04-17-vmlinuz-compression.md

diff --git a/changelog/changes/2025-04-17-vmlinuz-compression.md b/changelog/changes/2025-04-17-vmlinuz-compression.md
new file mode 100644
index 0000000000..707df0739e
--- /dev/null
+++ b/changelog/changes/2025-04-17-vmlinuz-compression.md
@@ -0,0 +1 @@
+- The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
index d5274957c3..841c800754 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
@@ -292,7 +292,7 @@ CONFIG_INFINIBAND_MTHCA=m
 CONFIG_INFINIBAND_OCRDMA=m
 CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_USER_MAD=m
-CONFIG_INITRAMFS_COMPRESSION_ZSTD=y
+CONFIG_INITRAMFS_COMPRESSION_XZ=y
 CONFIG_INIT_STACK_NONE=y
 CONFIG_INPUT_EVDEV=m
 CONFIG_INPUT_MISC=y
From 14398067d5c78c5bbae163a14e5bd87bb5b36630 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Tue, 15 Apr 2025 09:40:01 +0100
Subject: [PATCH 9/9] build_library: Change extraction script to xz and rewrite to be simpler

This version writes fewer temporary files and tries cpio multiple times for concatenated archives again.

Signed-off-by: James Le Cuirot
---
 .../extract-initramfs-from-vmlinuz.sh | 103 ++++++------------
 1 file changed, 36 insertions(+), 67 deletions(-)

diff --git a/build_library/extract-initramfs-from-vmlinuz.sh b/build_library/extract-initramfs-from-vmlinuz.sh
index 0ace26a610..50fbc9fea0 100755
--- a/build_library/extract-initramfs-from-vmlinuz.sh
+++ b/build_library/extract-initramfs-from-vmlinuz.sh
@@ -7,51 +7,35 @@
 # This will create one or more out-dir/rootfs-N directories that contain the contents of the initramfs.
 set -euo pipefail
-# check for unzstd. Will abort the script with an error message if the tool is not present.
-unzstd -V >/dev/null
+
+# check for xzcat. Will abort the script with an error message if the tool is not present.
+xzcat -V >/dev/null
+
 fail() {
 echo "${*}" >&2
 exit 1
 }
-# Stolen from extract-vmlinux and modified.
-try_decompress() {
- local header="${1}"
- local no_idea="${2}"
- local tool="${3}"
- local image="${4}"
- local tmp="${5}"
- local output_basename="${6}"
-
- local pos
- local tool_filename=$(echo "${tool}" | cut -f1 -d' ')
- # The obscure use of the "tr" filter is to work around older versions of
- # "grep" that report the byte offset of the line instead of the pattern.
-
- # Try to find the header and decompress from here.
- for pos in $(tr "${header}\n${no_idea}" "\n${no_idea}=" < "${image}" |
- grep --text --byte-offset --only-matching "^${no_idea}")
- do
- pos=${pos%%:*}
- # Disable error handling, because we will be potentially
- # giving the tool garbage or a valid archive with some garbage
- # appended to it. So let the tool extract the valid archive
- # and then complain about the garbage at the end, but don't
- # fail the script because of it.
- set +e; tail "-c+${pos}" "${image}" | "${tool}" >"${tmp}/out" 2>/dev/null; set -e;
- if [ -s "${tmp}/out" ]; then
- mv "${tmp}/out" "${output_basename}-${tool_filename}-at-${pos}"
- else
- rm -f "${tmp}/out"
- fi
- done
+find_xz_headers() {
+ grep --fixed-strings --text --byte-offset --only-matching $'\xFD\x37\x7A\x58\x5A\x00' "$1" | cut -d: -f1
 }
-try_unzstd_decompress() {
- local image="${1}"
- local tmp="${2}"
- local output_basename="${3}"
- try_decompress '(\265/\375' xxx unzstd "${image}" "${tmp}" "${output_basename}"
+decompress_at() {
+ # Data may not really be a valid xz, so allow for errors.
+ tail "-c+$((${2%:*} + 1))" "$1" | xzcat 2>/dev/null || true
+}
+
+try_extract() {
+ # cpio can do strange things when given garbage, so do a basic check.
+ [[ $(head -c6 "$1") == 070701 ]] || return 0
+
+ # There may be multiple concatenated archives so try cpio till it fails.
+ while cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' 2>/dev/null; do
+ ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
+ done < "$1"
+
+ # Last cpio attempt may or may not leave an empty directory.
+ rmdir "${out}/rootfs-${ROOTFS_IDX}" 2>/dev/null || ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
 }
 me="${0##*/}"
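Review bot: The format check in try_extract, `[[ $(head -c6 "$1") == 070701 ]] || return 0`, accepts only the newc magic; the crc variant 070702 has the same layout but would be skipped silently, so `== 07070[12]` is the safer test if that format can turn up here, and a short comment saying why a non-cpio payload is deliberately not an error would help. The `while cpio … done < "$1"` loop relies on cpio leaving the shared stdin offset exactly at the end of each archive so that the next iteration starts at the following one; if cpio reads ahead in blocks the loop stops after the first archive without any diagnostic, which is worth stating in the comment above it (`# relies on cpio not consuming past the archive trailer on a seekable stdin`). Because the archive itself decides which paths are created below ${out}, adding `--no-absolute-filenames` to the cpio invocation keeps extraction confined to the rootfs-N directory whatever the image carries. try_extract also reads `out` and `ROOTFS_IDX` without declaring them, and ROOTFS_IDX is only assigned later in the next hunk, so a header comment listing the globals the function reads and writes would make that dependency visible.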
@@ -65,37 +49,22 @@ if [[ ! -s "${image}" ]]; then
 fi
 mkdir -p "${out}"
-tmp=$(mktemp --directory /tmp/eifv-XXXXXX)
-trap "rm -rf ${tmp}" EXIT
-
-tmp_dec="${tmp}/decompress"
-mkdir "${tmp_dec}"
-fr_prefix="${tmp}/first-round"
-
+tmp=$(mktemp --directory eifv-XXXXXX)
+trap 'rm -rf -- "${tmp}"' EXIT
 ROOTFS_IDX=0
-perform_round() {
- local image="${1}"
- local tmp_dec="${2}"
- local round_prefix="${3}"
- try_unzstd_decompress "${image}" "${tmp_dec}" "${round_prefix}"
- for rnd in "${round_prefix}"*; do
- if [[ $(file --brief "${rnd}") =~ 'cpio archive' ]]; then
- mkdir -p "${out}/rootfs-${ROOTFS_IDX}"
- # On Linux 6.10, the first rootfs is an extra ghost rootfs of 336K, that has a corrupted CPIO
- cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' < $rnd || true
- ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
- fi
- done
-}
-shopt -s nullglob
-perform_round "${image}" "${tmp_dec}" "${fr_prefix}"
-for fr in "${fr_prefix}"*; do
- fr_files="${fr}-files"
- fr_dec="${fr_files}/decompress"
- mkdir -p "${fr_dec}"
- sr_prefix="${fr_files}/second-round"
- perform_round "${fr}" "${fr_dec}" "${sr_prefix}"
+# arm64 kernels are not compressed, so try decompressing once.
+# Other kernels are compressed, so also try decompressing twice.
+for OFF1 in $(find_xz_headers "${image}")
+do
+ decompress_at "${image}" "${OFF1}" > "${tmp}/initrd.maybe_cpio_or_elf"
+ try_extract "${tmp}/initrd.maybe_cpio_or_elf"
+
+ for OFF2 in $(find_xz_headers "${tmp}/initrd.maybe_cpio_or_elf")
+ do
+ decompress_at "${tmp}/initrd.maybe_cpio_or_elf" "${OFF2}" > "${tmp}/initrd.maybe_cpio"
+ try_extract "${tmp}/initrd.maybe_cpio"
+ done
 done
 if [[ ${ROOTFS_IDX} -eq 0 ]]; then
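Review bot: `tmp=$(mktemp --directory eifv-XXXXXX)` uses a relative template, so the scratch directory is now created in the caller's current working directory rather than under /tmp as the removed line did; if that is intended (for instance to keep large decompressed images off a small /tmp), a comment saying so would stop it being "fixed" back, otherwise `tmp=$(mktemp --directory --tmpdir eifv-XXXXXX)` keeps the old location while still honouring TMPDIR. The offsets handed to decompress_at have already been stripped by `cut -d: -f1` in find_xz_headers, so the `${2%:*}` inside decompress_at in the previous hunk is redundant and one of the two can go. The unquoted `$(find_xz_headers …)` in both for headers is safe only because the output is a list of integers, which the comment above the outer loop could state so a later change to find_xz_headers does not silently break the word-splitting.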