From c1c6fa7df5c3ce65a982546a3d9ade4afa50292d Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 9 Jun 2022 18:46:25 +0200
Subject: [PATCH 1/5] sys-apps/ignition: bump ebuild release
Signed-off-by: Mathieu Tortuyaux
---
 .../{ignition-2.14.0-r1.ebuild => ignition-2.14.0-r2.ebuild} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/{ignition-2.14.0-r1.ebuild => ignition-2.14.0-r2.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-2.14.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-2.14.0-r2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-2.14.0-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-2.14.0-r2.ebuild
From 607f9b434f20ba86a0b0b0b66b90d06eccb5cc74 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 9 Jun 2022 18:52:28 +0200
Subject: [PATCH 2/5] sys-apps/ignition: add "ignition-rmcfg" binary this helper removes config from VMWare and Virtualbox and should not be directly used by the user.
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-overlay/sys-apps/ignition/ignition-9999.ebuild | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild
index 9538f5c267..679d9c7263 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild
@@ -67,4 +67,7 @@ src_compile() {
 
 src_install() {
 newbin ${GOBIN}/internal ${PN}
+
+ exeinto "/usr/libexec"
+ newexe ${GOBIN}/internal "${PN}-rmcfg"
 }
From 134c67aea8943f5583f3852d5e6312c5e53a3baf Mon Sep 17 00:00:00 2001
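Review bot: The added `newexe ${GOBIN}/internal "${PN}-rmcfg"` in src_install of ignition-9999.ebuild installs the same build output that `newbin` already ships as `${PN}`, and the ebuild gives no reason for the second copy. Presumably the program selects its config-removal mode from the name it is invoked under; if so, the install name is load-bearing, and a rename or a well-meant de-duplication would quietly stop the config from being removed from the hypervisor metadata. I would add a comment above the two new lines, for example `# Same binary as ${PN}; behaviour is chosen by the installed name, so keep "${PN}-rmcfg" as is.` Quoting the source path as `"${GOBIN}/internal"` would also match the quoting of the other arguments on these lines.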
From: Mathieu Tortuyaux
Date: Thu, 9 Jun 2022 19:12:36 +0200
Subject: [PATCH 3/5] changelog: add entry
Signed-off-by: Mathieu Tortuyaux
---
 .../changelog/changes/2022-06-14-ignition-rmcfg-vmware.md | 1 +
 .../coreos-overlay/changelog/security/2022-06-09-ignition.md | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-06-14-ignition-rmcfg-vmware.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/security/2022-06-09-ignition.md
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-06-14-ignition-rmcfg-vmware.md b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-06-14-ignition-rmcfg-vmware.md
new file mode 100644
index 0000000000..32889bf0ff
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-06-14-ignition-rmcfg-vmware.md
@@ -0,0 +1 @@
+- VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata, see also [here](https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion) ([coreos-overlay#1948](https://github.com/flatcar-linux/coreos-overlay/pull/1948))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-06-09-ignition.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-06-09-ignition.md
new file mode 100644
index 0000000000..2477009969
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-06-09-ignition.md
@@ -0,0 +1 @@
+- ignition ([CVE-2022-1706](https://nvd.nist.gov/vuln/detail/CVE-2022-1706))
From 66733328c65a30e84c5cbfe1ae5c4e91868611bd Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 13 Jun 2022 11:41:43 +0200
Subject: [PATCH 4/5] base/coreos: add ignition as a Flatcar dependency We add `sys-apps/ignition` as a `coreos-base/coreos` dependency to get `/usr/libexec/ignition-rmcfg` available on the _real_ root. Now we want `/usr/bin/ignition` to be in the chroot until it's being copied to the initramfs but we don't want it on the actual root. With `PKG_INSTALL_MASK`, we'll prevent `/usr/bin/ignition` to be added to the image in the `./build_image` - at this time, initramfs is already created and `sys-apps/ignition` is a binary package.
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild | 1 +
 .../coreos-overlay/profiles/coreos/base/make.defaults | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index c583b3271e..f052baf90b 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -152,6 +152,7 @@ RDEPEND="${RDEPEND}
 sys-apps/gawk
 sys-apps/gptfdisk
 sys-apps/grep
+ sys-apps/ignition
 sys-apps/iproute2
 sys-apps/kexec-tools
 sys-apps/keyutils
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 30715dc7dc..e65bd636c4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -87,6 +87,11 @@ INSTALL_MASK="
 /etc/acpi
 "
 
+# Prevent 'ignition' binary from being installed from sys-apps/ignition binary package.
+PKG_INSTALL_MASK="
+ /usr/bin/ignition
+"
+
 # Keep the default languages small.
 # (not many things respect this though)
 LINGUAS="en"
From 23fc9679b20de87e62f03e6f99de6678cecd3b8b Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 13 Jun 2022 19:25:29 +0200
Subject: [PATCH 5/5] coreos-base/coreos-init: pull "delete-config" service
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
index ec8d6f8b04..fa7fd86e34 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="7497ac210fcb85d7670b86e21726ffe1b23549a0" # flatcar-master
+ CROS_WORKON_COMMIT="b9c0bc0f57c2c19122c1ec1c7fb44a2e156d311e" # flatcar-master
 KEYWORDS="amd64 arm arm64 x86"
 fi
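Review bot: The comment added above `PKG_INSTALL_MASK` in make.defaults says what is masked but not the ordering the mask relies on: per the commit message, `/usr/bin/ignition` has to remain in the build root until the initramfs has been assembled and is only dropped later, when `./build_image` installs the binary package. That constraint belongs next to the variable, e.g. `# /usr/bin/ignition is still needed in the build root for the initramfs; mask it from the final image only. /usr/libexec/ignition-rmcfg must stay installed.` The mask is also a path match rather than a per-package rule, and the variable is assigned outright here, so it may be worth confirming that no other profile or build script sets `PKG_INSTALL_MASK` and expects its value to survive. Nothing in the hunk checks the outcome; a build-time assertion that the image lacks `/usr/bin/ignition` and contains `/usr/libexec/ignition-rmcfg` would catch a regression of the config-removal path this series adds.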