From d85bbc31a1056634f68c879dee7a99a8ec5b4b62 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Wed, 15 Apr 2026 16:50:23 +0100 Subject: [PATCH 1/6] overlay profiles: Don't complain when rm_masked_debug_files does nothing Signed-off-by: James Le Cuirot --- .../coreos-overlay/profiles/coreos/base/profile.bashrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc index c3299e9905..332ae8c341 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc @@ -128,7 +128,7 @@ cros_pre_pkg_setup_sysroot_build_bin_dir() { # and also remove their associated debug files to avoid wasting space. cros_post_pkg_preinst_rm_masked_debug_files() { local link debug dir=${ED}/usr/lib/debug - [[ -d ${dir}/.build-id ]] || return + [[ -d ${dir}/.build-id ]] || return 0 while read -d $'\n' -r link; do debug=$(realpath "${link}.debug") || die rm -f -- "${link}" "${link}.debug" "${debug}" || die From d121b9594ecff532fb948220b090dec767430f7e Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Wed, 15 Apr 2026 16:51:31 +0100 Subject: [PATCH 2/6] update_sdk_container_image: Don't truncate docker build output Signed-off-by: James Le Cuirot --- build_sdk_container_image | 4 ---- sdk_lib/sdk_container_common.sh | 5 +++++ update_sdk_container_image | 5 +++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/build_sdk_container_image b/build_sdk_container_image index 7bfa03de07..62146ab9b7 100755 --- a/build_sdk_container_image +++ b/build_sdk_container_image @@ -125,10 +125,6 @@ fi # -- -docker_build() { - PROGRESS_NO_TRUNC=1 $docker build --progress plain "${@}" -} - # build plain SDK container w/o board support # import_image="flatcar-sdk-import:${docker_vernum}" 
diff --git a/sdk_lib/sdk_container_common.sh b/sdk_lib/sdk_container_common.sh index b0f94cfbf6..b98be744af 100644 --- a/sdk_lib/sdk_container_common.sh +++ b/sdk_lib/sdk_container_common.sh @@ -41,6 +41,11 @@ docker=${docker_a[*]} function call_docker() { "${docker_a[@]}" "${@}" } + +function docker_build() { + PROGRESS_NO_TRUNC=1 call_docker build --progress plain "${@}" +} + # -- # Common "echo" function diff --git a/update_sdk_container_image b/update_sdk_container_image index b11f383f57..ab126021e2 100755 --- a/update_sdk_container_image +++ b/update_sdk_container_image @@ -75,7 +75,8 @@ fi yell "Creating new SDK container image ${new_sdk_version} from ${base_sdk_version}" create_versionfile "${new_sdk_version}" "${os_version}" -$docker build -t "${sdk_build_image}" \ +docker_build \ + -t "${sdk_build_image}" \ --build-arg BASE="$sdk_container_common_registry/flatcar-sdk-all:${base_sdk_version}" \ -f sdk_lib/Dockerfile.sdk-update \ . @@ -87,7 +88,7 @@ for a in all arm64 amd64; do arm64) rmarch="amd64-usr"; rmcross="x86_64-cros-linux-gnu";; amd64) rmarch="arm64-usr"; rmcross="aarch64-cros-linux-gnu";; esac - $docker build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \ + docker_build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \ --build-arg VERSION="${docker_vernum}" \ --build-arg RMARCH="${rmarch}" \ --build-arg RMCROSS="${rmcross}" \ From d42574d094a5f76c0197328678db9982e41b9550 Mon Sep 17 00:00:00 2001 
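Review bot: The new docker_build helper in sdk_container_common.sh gives no hint why it forces `PROGRESS_NO_TRUNC=1` and `--progress plain`; the only explanation is the patch subject. A one-line comment above it such as `# Plain, untruncated progress output so complete build steps survive in non-interactive logs` keeps the intent next to the code. The variable reaches docker only because bash passes a call-time assignment on to the commands a function runs; if docker_a ever wraps the binary in something that resets the environment (sudo, for instance) the setting would be silently lost, and the same caveat applied to the removed copy in build_sdk_container_image. The callers in update_sdk_container_image depend on this file being sourced before docker_build is reached; the `$docker` and `create_versionfile` references already there suggest it is, but that is not visible in these hunks.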
From: James Le Cuirot Date: Wed, 15 Apr 2026 17:18:20 +0100 Subject: [PATCH 3/6] sdk_lib: Don't disable the Portage sandboxes most of the time We have long run with the ipc, network, and pid sandboxes disabled in the belief that these did not work in a container even if it was privileged. I suspect it really did work back then, but it certainly does work now regardless. update_sdk_container_image uses Portage in an unprivileged docker build environment, so it is still necessary to disable these here. However, this can be done more easily through the environment, and the regular sandbox should work fine. Signed-off-by: James Le Cuirot --- sdk_lib/Dockerfile.sdk-import | 5 ----- sdk_lib/Dockerfile.sdk-update | 13 ++----------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import index 10a625a319..a8e75e5d12 100644 --- a/sdk_lib/Dockerfile.sdk-import +++ b/sdk_lib/Dockerfile.sdk-import @@ -17,11 +17,6 @@ RUN if ! grep -q portage /etc/passwd; then \ echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >>/etc/passwd; \ fi -# fix "Unable to unshare: EPERM ..." in containers -# (see https://github.com/gentoo/gentoo-docker-images/issues/81) -RUN echo 'export FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"' \ - >> /etc/skel/.bashrc - RUN groupadd sdk RUN useradd -g sdk -G portage sdk RUN echo "sdk ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sdk-user diff --git a/sdk_lib/Dockerfile.sdk-update b/sdk_lib/Dockerfile.sdk-update index a102b656cb..3ddb82d1c8 100644 --- a/sdk_lib/Dockerfile.sdk-update +++ b/sdk_lib/Dockerfile.sdk-update 
@@ -4,22 +4,13 @@ FROM ${BASE} COPY --chown=sdk:sdk sdk_container/ /mnt/host/source COPY --chown=sdk:sdk . /mnt/host/source/src/scripts -# Disable all sandboxing for SDK updates since some core packages -# (like GO) fail to build from a permission error otherwise. -RUN cp /home/sdk/.bashrc /home/sdk/.bashrc.bak -RUN echo 'export FEATURES="-sandbox -usersandbox -ipc-sandbox -network-sandbox -pid-sandbox"' \ - >> /home/sdk/.bashrc - RUN chown sdk:sdk /mnt/host/source -RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" +RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \ + /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --regen_configs RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs -# Restore original .bashrc to remove sandbox disablement -RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc -RUN chown sdk:sdk /home/sdk/.bashrc - # Clean up ephemeral key directory variables that were added during build RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \ -e '/export MODULES_SIGN_KEY=/d' \ From 433f8c40fdf0211abef29df92e0e7a32911a1995 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 16 Apr 2026 10:28:10 +0100 Subject: [PATCH 4/6] app-shells/bash: Apply tentative patch to try to fix wait error Signed-off-by: James Le Cuirot --- .../bash/bash-jobs-del-pid-async.patch | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-shells/bash/bash-jobs-del-pid-async.patch diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-shells/bash/bash-jobs-del-pid-async.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-shells/bash/bash-jobs-del-pid-async.patch new file mode 100644 index 0000000000..5d02873cb6 --- /dev/null 
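Review bot: Only the update_chroot step keeps the ipc/network/pid sandboxes disabled; the two `setup_board --regen_configs` steps that follow now run with full Portage sandboxing in the same unprivileged build. If either of them invokes emerge (for example to pull in cross toolchains), it would hit the same unshare EPERM that the .bashrc line removed from Dockerfile.sdk-import worked around; confirm they stay non-building or give them the same `FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"` prefix. Scoping the override to a single RUN instead of persisting it in /home/sdk/.bashrc is the better shape, since the weakened FEATURES no longer leaks into the shipped image or into every later shell. Whether sdk_entry.sh preserves FEATURES across any user or shell switch it performs is not visible here and is worth checking before relying on this.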
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-shells/bash/bash-jobs-del-pid-async.patch @@ -0,0 +1,45 @@ +https://bugs.gentoo.org/970713 + +From e359bdc261f9493d91b3cf792fe4fc480ecd6dc3 Mon Sep 17 00:00:00 2001 +From: Kerin Millar +Date: Thu, 13 Nov 2025 18:39:28 +0000 +Subject: [PATCH] jobs.c: only call bgp_delete on a newly-created pid if + asynchronous + +This is a backport of the following change from the devel branch. + +jobs.c + - make_child: only call bgp_delete on a newly-created pid if that + process is asynchronous, since that is what will cause it to be + put into the bgpids table. This mostly matters for procsubs and + asynchronous jobs, but will happen for comsubs in async jobs + and coprocs as well. + +Bug: https://bugs.gentoo.org/965423 +Signed-off-by: Kerin Millar +--- + jobs.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/jobs.c b/jobs.c +index cbcc2c15..bafa7c26 100644 +--- a/jobs.c ++++ b/jobs.c +@@ -2482,9 +2482,11 @@ make_child (char *command, int flags) + been reused. */ + delete_old_job (pid); + +- /* Perform the check for pid reuse unconditionally. Some systems reuse +- PIDs before giving a process CHILD_MAX/_SC_CHILD_MAX unique ones. */ +- bgp_delete (pid); /* new process, discard any saved status */ ++ /* Perform the check for background pid reuse unconditionally. ++ Some systems reuse PIDs before giving a process ++ CHILD_MAX/_SC_CHILD_MAX unique ones. */ ++ if (async_p) ++ bgp_delete (pid); /* new background process, discard any saved status */ + + last_made_pid = pid; + +-- +2.51.2 + From 8f8977f668fc7eaaac7ddb833ed6413c234e3d51 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Mon, 20 Apr 2026 10:20:54 +0100 Subject: [PATCH 5/6] build_image_util: Don't install packages to image with bad USE flags This generally shouldn't happen, given that we mostly only keep one instance of a bin package, but just in case. 
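Review bot: The new user-patch carries no Flatcar-side note on which bash version it was verified against or when it should be retired, even though the subject calls it tentative. If coreos/user-patches follows the /etc/portage/patches convention, a file under app-shells/bash/ with no version in the path is applied to every bash version Portage builds, so a bump to a release that already contains upstream commit e359bdc261f9493d91b3cf792fe4fc480ecd6dc3 will fail to apply the hunk and break the SDK build. A line above the bug URL such as `Tested against the current app-shells/bash in the overlay; drop once bash ships e359bdc (Gentoo bug 965423)`, or placing the file in a versioned subdirectory, would make the retirement condition explicit.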
Signed-off-by: James Le Cuirot --- build_library/build_image_util.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 5769b64339..0c2729159e 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -152,7 +152,12 @@ emerge_to_image() { sudo -E ROOT="${root_fs_dir}" \ FEATURES="-ebuild-locks -merge-wait" \ PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \ - emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@" + emerge \ + --usepkgonly \ + --binpkg-respect-use=y \ + --jobs="${NUM_JOBS}" \ + --verbose \ + "$@" # Shortcut if this was just baselayout [[ "$*" == *sys-apps/baselayout ]] && return From 28831b50a633c7311ce5dd9e492a12c399795df2 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Mon, 20 Apr 2026 10:40:24 +0100 Subject: [PATCH 6/6] sys-apps/baselayout: Modify ${ROOT} rather than ${D} in pkg_preinst update_sdk_container_image failed to update baselayout because it touched /sys, which is not allowed in an unprivileged docker build environment. dumb-tmpfiles-proc.sh does not touch existing directories, but it was modifying the staging directory rather than the live filesystem, causing Portage to record /sys in the package's CONTENTS and then make changes to it when merging. We only need to create the directories in pkg_preinst because the other file types are already created in src_install. Signed-off-by: James Le Cuirot --- .../coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild index 3bdaf2afaf..ca9aaf1d64 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild 
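Review bot: The reason for `--binpkg-respect-use=y` lives only in the commit message; a reader of emerge_to_image sees a flag whose effect alongside `--usepkgonly` is to make emerge reject, rather than quietly merge, a binary package built with USE flags that differ from the image configuration. A comment above the emerge call such as `# Refuse stale binpkgs whose USE flags no longer match the image configuration instead of merging them` would carry that. Whether such a rejection actually stops the build depends on the script running under `set -e` or the caller checking the status, neither of which is visible in the hunk; the call has no `|| die`, so confirm the non-zero exit is not swallowed. The enclosing emerge_to_image function continues past the hunk.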
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild @@ -94,7 +94,7 @@ pkg_preinst() { libdirs=$(get_all_libdirs) emake -C "${ED}/usr/share/${PN}" DESTDIR="${EROOT}" LIBDIRS="${libdirs}" layout SYSTEMD_JOURNAL_GID=${ACCT_GROUP_SYSTEMD_JOURNAL_ID:-190} ROOT_UID=0 ROOT_GID=0 CORE_UID=500 CORE_GID=500 \ - DESTDIR=${D} "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" "${ED}/usr/lib/tmpfiles.d" || die + DESTDIR=${ROOT} "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" --exclude CZL+ "${ED}/usr/lib/tmpfiles.d" || die rm -f "${ED}/usr/share/${PN}/Makefile" "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" || die }
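Review bot: `DESTDIR=${ROOT}` is unquoted and uses ROOT where the emake call two lines above passes `DESTDIR="${EROOT}"`; unless dumb-tmpfiles-proc.sh is deliberately prefix-unaware, `DESTDIR="${EROOT}"` keeps the two calls consistent and matches the quoting used for `"${ED}..."` on the same line. The `--exclude CZL+` selection and the switch from the staging tree to the live root are explained only in the commit message; a comment such as `# Create directories in the live root so /sys and friends are not recorded in CONTENTS; C/Z/L entries are already created in src_install` would preserve the reasoning. Writing directly to ROOT in pkg_preinst also means these directories are no longer tracked or unmerged by Portage, which that comment should state. Whether dumb-tmpfiles-proc.sh already accepts --exclude is not visible in this series, and pkg_preinst starts before the hunk.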