sysext: Add podman sysext

Enabled user session dbus in base image to support podman rootless mode. Extension images can now be created from multiple packages by seperating them with a comma. The podman sysext includes app-containers/podman and net-misc/passt. It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf. Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.
2025-08-07 04:56:58 +02:00 · 2024-04-29 14:20:22 +02:00 · 2024-04-29 14:20:22 +02:00 · cd849d6849
commit cd849d6849
parent 425a6df565
77 changed files with 1872 additions and 7 deletions
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@ -553,6 +553,8 @@ sys-fs/udisks
 sys-fs/xfsprogs
 sys-fs/zfs
 sys-fs/zfs-kmod
+app-containers/podman
+net-misc/passt

 sys-kernel/linux-headers

--- a/build_library/extra_sysexts.sh
+++ b/build_library/extra_sysexts.sh
@ -1,3 +1,4 @@
 EXTRA_SYSEXTS=(
  zfs:sys-fs/zfs
+  podman:app-containers/podman,net-misc/passt
 )
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@ -255,7 +255,8 @@ create_prod_sysexts() {
  local to_upload=()
  for sysext in "${EXTRA_SYSEXTS[@]}"; do
    local name="flatcar-${sysext%:*}"
-    local pkg="${sysext#*:}"
+    local pkgs="${sysext#*:}"
+    local pkg_array=(${pkgs//,/ })
    local mangle_script="${BUILD_LIBRARY_DIR}/sysext_mangle_${name}"
    if [[ ! -x "${mangle_script}" ]]; then
      mangle_script=
@ -267,7 +268,7 @@ create_prod_sysexts() {
        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
 	--image_builddir="${BUILD_DIR}" \
 	${mangle_script:+--manglefs_script=${mangle_script}} \
-	"${name}" "${pkg}"
+	"${name}" "${pkg_array[@]}"
    delta_generator \
      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
      -new_image "${BUILD_DIR}/${name}.raw" \
--- a/build_library/sysext_mangle_flatcar-podman
+++ b/build_library/sysext_mangle_flatcar-podman
@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+rootfs="${1}"
+
+pushd "${rootfs}"
+
+rm -rf ./usr/{lib/debug/,lib64/cmake/,lib64/pkgconfig,include/,share/fish,share/aclocal,share/SLSA}
+
+mkdir -p ./usr/share/podman/etc
+cp -a ./etc/{fuse.conf,containers} ./usr/share/podman/etc/
+
+cat <<EOF >>./usr/lib/tmpfiles.d/podman.conf
+C /etc/containers - - - - /usr/share/podman/etc/containers
+C /etc/fuse.conf - - - - /usr/share/podman/etc/fuse.conf
+w /etc/subuid - - - - core:1065536:65536
+w /etc/subgid - - - - core:1065536:65536
+EOF
+
+popd
--- a/6
+++ b/6
@ -38,6 +38,8 @@ DEFINE_boolean skip_chroot_upgrade "${FLAGS_FALSE}" \
  "Don't run the chroot upgrade automatically; use with care."
 DEFINE_boolean only_resolve_circular_deps "${FLAGS_FALSE}" \
  "Don't build all packages; only resolve circular dependencies, then stop."
+DEFINE_boolean debug_emerge "${FLAGS_FALSE}" \
+  "Enable debug output for emerge."

 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
@ -163,6 +165,10 @@ if [[ "${FLAGS_rebuild}" -eq "${FLAGS_TRUE}" ]]; then
  EMERGE_FLAGS+=( --rebuild-if-unbuilt )
 fi

+if [[ "${FLAGS_debug_emerge}" -eq "${FLAGS_TRUE}" ]]; then
+  EMERGE_FLAGS+=( --debug )
+fi
+
 # Build cros_workon packages when they are changed.
 CROS_WORKON_PKGS=()
 if [ "${FLAGS_workon}" -eq "${FLAGS_TRUE}" ]; then
--- a/changelog/changes/2024-05-03-podman.md
+++ b/changelog/changes/2024-05-03-podman.md
@ -0,0 +1 @@
+- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write 'podman' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning ([scripts#1964](https://github.com/flatcar/scripts/pull/1964))
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@ -36,4 +36,6 @@ RDEPEND="
 	coreos-base/flatcar-eks
 	net-misc/chrony
 	sys-fs/zfs
+    app-containers/podman
+	net-misc/passt
 	"
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/dbus/dbus-1.14.4-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/dbus/dbus-1.14.4-r2.ebuild
@ -137,9 +137,7 @@ multilib_src_configure() {
 		--disable-kqueue
 		$(use_enable elogind)
 		$(use_enable systemd)
-		# Flatcar: disable user sessions
-		# $(use_enable systemd user-session)
-		--disable-user-session
+		$(use_enable systemd user-session)
 		--disable-embedded-tests
 		--disable-modular-tests
 		$(use_enable debug stats)
--- a/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/Manifest
@ -0,0 +1,2 @@
+DIST aardvark-dns-v1.10.0-vendor.tar.gz 6283889 BLAKE2B cb69144eabf876e418667782171273541bbc416b456193780b4d7f1d22ad03e18f06ec0d6b1e51e21eab912317bd61dd73266d717fa97a81b4314a3c7d14776a SHA512 68d0106b71f42ba789810020d62911d880debf90a35a086aabfd614403985025dc0c5934087a98943b53f6dfd8ede4add99465cec1ae9a098ff1de1082e1ef9c
+DIST aardvark-dns-1.10.0.crate 51028 BLAKE2B 81cdc4eb7eaff7359a1a12657b2bc42603383cf0f80a3a599ce9ce277e15ad83e9d5b36c3de3bef15b3201a1e60d86286ad61469d1d58ba2252b4c0174506ea2 SHA512 3d67f1b3c66aeaf4878c09e5e8fc34717cea6c348e0295bc0521c0c4144433656a3306731c24bb362a0e340e652b036b7544e544cca99b61590547bd7a6ce629
--- a/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/aardvark-dns-1.10.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/aardvark-dns-1.10.0.ebuild
@ -0,0 +1,47 @@
+# Copyright 2023-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+[[ ${PV} == 9999* ]] || CRATES="${PN}@${PV}"
+inherit cargo
+
+DESCRIPTION="A container-focused DNS server"
+HOMEPAGE="https://github.com/containers/aardvark-dns"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/aardvark-dns.git"
+else
+	SRC_URI="${CARGO_CRATE_URIS}"
+	SRC_URI+="https://github.com/containers/aardvark-dns/releases/download/v${PV}/${PN}-v${PV}-vendor.tar.gz"
+	KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+fi
+
+# main
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" 0BSD Apache-2.0-with-LLVM-exceptions MIT Unlicense Unicode-DFS-2016 ZLIB"
+SLOT="0"
+QA_FLAGS_IGNORED="usr/libexec/podman/${PN}"
+QA_PRESTRIPPED="usr/libexec/podman/${PN}"
+ECARGO_VENDOR="${WORKDIR}/vendor"
+
+src_unpack() {
+	if [[ ${PV} == 9999* ]]; then
+		git-r3_src_unpack
+		cargo_live_src_unpack
+	else
+		cargo_src_unpack
+	fi
+}
+
+src_prepare() {
+	default
+	sed -i -e "s|m0755 bin|m0755 target/$(usex debug debug release)|g;" Makefile || die
+}
+
+src_install() {
+	export PREFIX="${EPREFIX}"/usr
+	default
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/aardvark-dns/metadata.xml
@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+		<name>Zac Medico</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription lang="en">
+		Aardvark-dns is an authoritative dns server for A/AAAA container
+		records. It can forward other requests to configured resolvers.
+	</longdescription>
+	<upstream>
+		<remote-id type="github">containers/aardvark-dns</remote-id>
+		<bugs-to>https://github.com/containers/aardvark-dns/issues</bugs-to>
+		<doc>https://github.com/containers/aardvark-dns/blob/main/README.md</doc>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/catatonit/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/catatonit/Manifest
@ -0,0 +1 @@
+DIST catatonit-0.2.0.tar.gz 16608 BLAKE2B 27b6ed1148aaef963140c42e2cb6a7a8c9c25f01eef62cf519c3b1c230c8f30838f5b9cb54bf0b37b1194084f3f0c750e20316738a330d6a01c830b71b45623c SHA512 115e72002e35bb2a03919f9422a9cb2d9a0e4f087862d4ffd20e9508af6d67efc359a577ec059574f2f6c98966a1f080b65dffc8dfb83b3c2ed48e63e2aeac3b
--- a/sdk_container/src/third_party/portage-stable/app-containers/catatonit/catatonit-0.2.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/catatonit/catatonit-0.2.0.ebuild
@ -0,0 +1,31 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="A container init that is so simple it's effectively brain-dead"
+HOMEPAGE="https://github.com/openSUSE/catatonit"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/openSUSE/catatonit.git"
+else
+	SRC_URI="https://github.com/openSUSE/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+fi
+
+LICENSE="GPL-2+"
+SLOT="0"
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_install() {
+	default
+	dodir /usr/libexec/podman
+	dosym -r /usr/bin/"${PN}" /usr/libexec/podman/"${PN}"
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/catatonit/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/catatonit/metadata.xml
@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">openSUSE/catatonit</remote-id>
+		<bugs-to>https://github.com/openSUSE/catatonit/issues</bugs-to>
+		<doc>https://github.com/openSUSE/catatonit/blob/main/README.md</doc>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/conmon/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/conmon/Manifest
@ -0,0 +1 @@
+DIST conmon-2.1.10.tar.gz 121047 BLAKE2B 14b4c2d541607eac0af6b335f35bd506c9a6c3d2b4e4e3ad79f32550385e90b6f7533f505565f90fb4bb1f42d528c41e9ddc7ec275c16ee982a6d0afe1c65bff SHA512 ecf1a961f431b005b54faa68b5c1bcf31d448f994ca66a56f13002216074dba79b53b52a377d4f8dab08141d6c6cf44467352fbff37175135d3da84081b27a18
--- a/sdk_container/src/third_party/portage-stable/app-containers/conmon/conmon-2.1.10.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/conmon/conmon-2.1.10.ebuild
@ -0,0 +1,49 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit toolchain-funcs
+
+DESCRIPTION="An OCI container runtime monitor"
+HOMEPAGE="https://github.com/containers/conmon"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/conmon.git"
+else
+	SRC_URI="https://github.com/containers/conmon/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="+seccomp systemd"
+RESTRICT="test"
+
+RDEPEND="dev-libs/glib:=
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd:= )"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-go/go-md2man"
+PATCHES=(
+	"${FILESDIR}/conmon-2.1.8-Makefile.patch"
+)
+
+src_prepare() {
+	default
+	sed -i -e "s|shell.*--exists libsystemd.* && echo \"0\"|shell echo $(usex systemd 0 1)|g;" Makefile || die
+	echo -e "#!/usr/bin/env bash\necho $(usex seccomp 0 1)" > hack/seccomp-notify.sh || die
+}
+
+src_compile() {
+	tc-export CC PKG_CONFIG
+	export PREFIX="${EPREFIX}/usr" GOMD2MAN=go-md2man
+	default
+}
+
+src_install() {
+	default
+	dodir /usr/libexec/podman
+	dosym ../../bin/"${PN}" /usr/libexec/podman/"${PN}"
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/conmon/files/conmon-2.1.8-Makefile.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/conmon/files/conmon-2.1.8-Makefile.patch
@ -0,0 +1,60 @@
+# https://github.com/containers/conmon/pull/482
+# https://github.com/containers/conmon/pull/456
+From 26f8263a2e5c7bff1e2d5985a8a3d5f07ab3b0b0 Mon Sep 17 00:00:00 2001
+From: Rahil Bhimjiani <me@rahil.rocks>
+Date: Tue, 26 Sep 2023 03:21:49 +0530
+Subject: [PATCH] Remove checks for (long)deprecated libsystemd-journal in
+ favor of libsystemd
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1350301#c2
+
+Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
+---
+ Makefile    | 5 +----
+ meson.build | 5 +----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 5e6c0d39..40df8e3d 100644
+--- a/Makefile
+++ b/Makefile
+@@ -38,10 +38,7 @@ override CFLAGS += $(shell $(PKG_CONFIG) --cflags glib-2.0) -DVERSION=\"$(VERSIO
+ # "pkg-config --exists" will error if the package doesn't exist. Make can only compare
+ # output of commands, so the echo commands are to allow pkg-config to error out, make to catch it,
+ # and allow the compilation to complete.
+-ifeq ($(shell $(PKG_CONFIG) --exists libsystemd-journal && echo "0"), 0)
+-	override LIBS += $(shell $(PKG_CONFIG) --libs libsystemd-journal)
+-	override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd-journal) -D USE_JOURNALD=1
+-else ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0"), 0)
+ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0"), 0)
+ 	override LIBS += $(shell $(PKG_CONFIG) --libs libsystemd)
+ 	override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd) -D USE_JOURNALD=1
+ endif
+diff --git a/meson.build b/meson.build
+index 336e48f3..b454e349 100644
+--- a/meson.build
+++ b/meson.build
+@@ -47,10 +47,7 @@ else
+   libdl = cc.find_library('dl')
+ endif
+ 
+-sd_journal = dependency('libsystemd-journal', required : false)
+-if not sd_journal.found()
+-	sd_journal = dependency('libsystemd', required : false)
+-endif
+sd_journal = dependency('libsystemd', required : false)
+ if sd_journal.found()
+ 	add_project_arguments('-DUSE_JOURNALD=1', language : 'c')
+ endif
+diff --git a/docs/Makefile b/docs/Makefile
+index af20d2b8..25987664 100644
+--- a/docs/Makefile
+++ b/docs/Makefile
+@@ -1,6 +1,6 @@
+ PREFIX ?= /usr/local
+ DATADIR := ${PREFIX}/share
+ MANDIR := $(DATADIR)/man
+-GOMD2MAN = ../tools/build/go-md2man
+GOMD2MAN ?= ../tools/build/go-md2man
+ 
+ docs: $(patsubst %.md,%,$(wildcard *.8.md))
--- a/sdk_container/src/third_party/portage-stable/app-containers/conmon/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/conmon/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+		<name>Zac Medico</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">containers/conmon</remote-id>
+		<bugs-to>https://github.com/containers/conmon/issues</bugs-to>
+		<doc>https://github.com/containers/conmon/blob/main/README.md</doc>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/Manifest
@ -0,0 +1 @@
+DIST containers-common-0.58.0.tar.gz 13164567 BLAKE2B 17795eec2d38b4d8b9d6afeb20e249208c5ae2ac767a365ef7313d1e7c36eadb9a9eb284a657dfe3f4fcb0577448d4883fabbad76e0318425fdc03809e27cd7c SHA512 6f569d68d3b0e5ead304c7f23341808d66a47b6352c772d353d50c5f4777cd8a5a5b85d6faaf2887f828c17ec49b9c5f929177a67294b5bbb69baa80656982a8
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/containers-common-0.58.0-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/containers-common-0.58.0-r1.ebuild
@ -0,0 +1,75 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit readme.gentoo-r1
+
+DESCRIPTION="Common config files and docs for Containers stack"
+HOMEPAGE="https://github.com/containers/common"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/common.git"
+else
+	SRC_URI="https://github.com/containers/common/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P#containers-}"
+	KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+RESTRICT="test"
+RDEPEND="
+	>=app-containers/aardvark-dns-1.10.0
+	>=app-containers/crun-1.14.3
+	>=app-containers/containers-image-5.30.0
+	>=app-containers/containers-storage-1.53.0
+	app-containers/containers-shortnames
+	>=app-containers/netavark-1.10.3
+	net-firewall/nftables
+	net-firewall/iptables[nftables]
+	>=net-misc/passt-2024.03.20
+	>=sys-fs/fuse-overlayfs-1.13
+"
+
+BDEPEND="
+	>=dev-go/go-md2man-2.0.3
+"
+
+PATCHES=(
+	"${FILESDIR}/examplify-mounts-conf.patch"
+)
+
+DOC_CONTENTS="\n
+For rootless operations, one needs to configure subuid(5) and subgid(5)\n
+See /etc/sub{uid,gid} to check whether rootless user is already configured\n
+If not, quickly configure it with:\n
+usermod --add-subuids 1065536-1131071 <rootless user>\n
+usermod --add-subgids 1065536-1131071 <rootless user>\n
+"
+
+src_prepare() {
+	default
+
+	[[ -f docs/Makefile && -f Makefile ]] || die
+	sed -i -e 's|/usr/local|/usr|g;' docs/Makefile Makefile || die
+}
+
+src_compile() {
+	emake docs
+}
+
+src_install() {
+	emake DESTDIR="${ED}" install
+	readme.gentoo_create_doc
+
+	insinto /usr/share/containers
+	doins pkg/seccomp/seccomp.json pkg/subscriptions/mounts.conf
+
+	keepdir /etc/containers/certs.d /etc/containers/oci/hooks.d /etc/containers/systemd /var/lib/containers/sigstore
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/containers-common-0.58.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/containers-common-0.58.0.ebuild
@ -0,0 +1,60 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Common config files and docs for Containers stack"
+HOMEPAGE="https://github.com/containers/common"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/common.git"
+else
+	SRC_URI="https://github.com/containers/common/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P#containers-}"
+	KEYWORDS="~amd64 ~arm64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+RESTRICT="test"
+RDEPEND="
+	app-containers/containers-image
+	app-containers/containers-storage
+	app-containers/containers-shortnames
+	net-firewall/nftables
+	net-firewall/iptables[nftables]
+	|| ( app-containers/crun app-containers/runc )
+	|| (
+		( >=app-containers/netavark-1.6.0 >=app-containers/aardvark-dns-1.6.0 )
+		>=app-containers/cni-plugins-0.9.1
+	)
+"
+
+BDEPEND="
+	>=dev-go/go-md2man-2.0.3
+"
+
+PATCHES=(
+	"${FILESDIR}/examplify-mounts-conf.patch"
+)
+
+src_prepare() {
+	default
+
+	[[ -f docs/Makefile && -f Makefile ]] || die
+	sed -i -e 's|/usr/local|/usr|g;' docs/Makefile Makefile || die
+}
+
+src_compile() {
+	emake docs
+}
+
+src_install() {
+	emake DESTDIR="${ED}" install
+
+	insinto /usr/share/containers
+	doins pkg/seccomp/seccomp.json pkg/subscriptions/mounts.conf
+
+	keepdir /etc/containers/certs.d /etc/containers/oci/hooks.d /etc/containers/systemd /var/lib/containers/sigstore
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/default.yaml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/default.yaml
@ -0,0 +1,28 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
+#
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
+default-docker:
+#  lookaside: https://…
+#  lookaside-staging: file:///…
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore
+
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/examplify-mounts-conf.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/examplify-mounts-conf.patch
@ -0,0 +1,7 @@
+--- a/pkg/subscriptions/mounts.conf
+++ a/pkg/subscriptions/mounts.conf
+@@ -1 +1,3 @@
+-/usr/share/rhel/secrets:/run/secrets
+# Refer to containers-mounts.conf(5)
+# Example:
+# /usr/share/rhel/secrets:/run/secrets
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/policy.json
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/files/policy.json
@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-common/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-common/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person" proxied="yes">
+    <email>me@rahil.rocks</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>zmedico@gentoo.org</email>
+    <name>Zac Medico</name>
+  </maintainer>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">containers/common</remote-id>
+    <bugs-to>https://github.com/containers/common/issues</bugs-to>
+    <doc>https://github.com/containers/common/blob/main/README.md</doc>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/Manifest
@ -0,0 +1 @@
+DIST containers-image-5.30.0.tar.gz 719070 BLAKE2B 5952ab703b6df793f326dd4fc82f50c5f672e2b9d142e0bc706014092420e3563599d9f1c1f65f743e1a8144b91f92b2326d7bf4c3024b5efb466d777a8ad613 SHA512 89cd0d482bb5d70037ff51413b7abca01d36bc7f39e9dc130c78462e501dae32193137a367d81532afd216a7432e127728147e6e839d5d99eeb6b6680f31d4dc
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/containers-image-5.30.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/containers-image-5.30.0.ebuild
@ -0,0 +1,37 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Default config and docs related to Containers' images"
+HOMEPAGE="https://github.com/containers/image"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/image.git"
+else
+	SRC_URI="https://github.com/containers/image/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P#containers-}"
+	KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+# https://github.com/gentoo/gentoo/pull/35012#discussion_r1473740969
+RESTRICT='test'
+BDEPEND=">=dev-go/go-md2man-2.0.3"
+PATCHES=(
+	"${FILESDIR}"/fix-warnings.patch
+)
+
+src_compile() {
+	emake docs
+}
+
+src_install() {
+	emake DESTDIR="${ED}" install
+
+	insinto /etc/containers
+	doins registries.conf
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/fix-warnings.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/fix-warnings.patch
@ -0,0 +1,14 @@
+--- a/Makefile
+++ b/Makefile
+@@ -5,7 +5,2 @@
+
+-GOBIN := $(shell go env GOBIN)
+-ifeq ($(GOBIN),)
+-GOBIN := $(shell go env GOPATH)/bin
+-endif
+-
+ # when cross compiling _for_ a Darwin or windows host, then we must use openpgp
+@@ -17,3 +12,2 @@
+
+-PACKAGES := $(shell GO111MODULE=on go list $(BUILDFLAGS) ./...)
+ SOURCE_DIRS = $(shell echo $(PACKAGES) | awk 'BEGIN{FS="/"; RS=" "}{print $$4}' | uniq)
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/moving-policy-json-default-yaml.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/moving-policy-json-default-yaml.patch
@ -0,0 +1,100 @@
+From 45441676e34e6410ae8af6dbb46b6161c5c81a7c Mon Sep 17 00:00:00 2001
+From: Rahil Bhimjiani <me@rahil.website>
+Date: Thu, 7 Dec 2023 14:12:26 +0530
+Subject: [PATCH] Moving policy.json and default.yaml from containers/skopeo
+
+It makes more sense to keep these 2 files along with their man
+pages...in c/image
+https://github.com/containers/common/pull/1757
+
+Signed-off-by: Rahil Bhimjiani <me@rahil.website>
+---
+ Makefile            | 11 +++++++++++
+ default-policy.json | 14 ++++++++++++++
+ default.yaml        | 27 +++++++++++++++++++++++++++
+ 3 files changed, 52 insertions(+)
+ create mode 100644 default-policy.json
+ create mode 100644 default.yaml
+
+diff --git a/Makefile b/Makefile
+index f329ef083..5e9799b19 100644
+--- a/Makefile
+++ b/Makefile
+@@ -24,6 +24,13 @@ GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
+ MANPAGES_MD = $(wildcard docs/*.5.md)
+ MANPAGES ?= $(MANPAGES_MD:%.md=%)
+ 
+ifeq ($(shell uname -s),FreeBSD)
+CONTAINERSCONFDIR ?= /usr/local/etc/containers
+else
+CONTAINERSCONFDIR ?= /etc/containers
+endif
+REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
+
+ # N/B: This value is managed by Renovate, manual changes are
+ # possible, as long as they don't disturb the formatting
+ # (i.e. DO NOT ADD A 'v' prefix!)
+@@ -46,6 +53,10 @@ install-docs: docs
+ 	install -m 644 docs/*.5 ${MANINSTALLDIR}/man5/
+ 
+ install: install-docs
+	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
+	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
+	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
+	install -m 644 default.yaml ${DESTDIR}${REGISTRIESDDIR}/default.yaml
+ 
+ cross:
+ 	GOOS=windows $(MAKE) build BUILDTAGS="$(BUILDTAGS) $(BUILD_TAGS_WINDOWS_CROSS)"
+diff --git a/default-policy.json b/default-policy.json
+new file mode 100644
+index 000000000..dffc54a62
+--- /dev/null
+++ b/default-policy.json
+@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
+diff --git a/default.yaml b/default.yaml
+new file mode 100644
+index 000000000..9e892d760
+--- /dev/null
+++ b/default.yaml
+@@ -0,0 +1,27 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
+#
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
+default-docker:
+#  lookaside: https://…
+#  lookaside-staging: file:///…
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/prevent-downloading-mods-5.29.2.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/files/prevent-downloading-mods-5.29.2.patch
@ -0,0 +1,10 @@
+--- a/Makefile
+++ b/Makefile
+@@ -15,7 +15,6 @@
+ BUILDTAGS = btrfs_noversion libdm_no_deferred_remove
+ BUILDFLAGS := -tags "$(BUILDTAGS)"
+ 
+-PACKAGES := $(shell GO111MODULE=on go list $(BUILDFLAGS) ./...)
+ SOURCE_DIRS = $(shell echo $(PACKAGES) | awk 'BEGIN{FS="/"; RS=" "}{print $$4}' | uniq)
+ 
+ PREFIX ?= ${DESTDIR}/usr
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-image/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-image/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person" proxied="yes">
+    <email>me@rahil.rocks</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>zmedico@gentoo.org</email>
+    <name>Zac Medico</name>
+  </maintainer>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">containers/image</remote-id>
+    <bugs-to>https://github.com/containers/image/issues</bugs-to>
+    <doc>https://github.com/containers/image/blob/main/README.md</doc>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/Manifest
@ -0,0 +1 @@
+DIST containers-shortnames-2023.02.20.tar.gz 13527 BLAKE2B 165a4c51bd284078990c94059145bb6b4bd5de4d8595eb2ccd2acc6fe8561e7edc300b7edadc684675ee281d7ada1c3a6d5aa0117c640ec22c2d2ef7e46486b5 SHA512 856dbbeb2acda276e9605bd1ecec0f8d65952c597ee2af61dd8909d7d3c04e5ef06c40b69ec4a98f79e623c536850f614c1b0af3a19637e300e7d3a285933193
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/containers-shortnames-2023.02.20.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/containers-shortnames-2023.02.20.ebuild
@ -0,0 +1,36 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Configures default shortnames (aliases) for Containers"
+HOMEPAGE="https://github.com/containers/shortnames"
+
+if [[ ${PV} == *9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/shortnames.git"
+else
+	SRC_URI="https://github.com/containers/shortnames/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P#containers-}"
+	KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+src_configure() {
+	return
+}
+
+src_compile() {
+	return
+}
+
+src_test() {
+	return
+}
+
+src_install() {
+	insinto /etc/containers/registries.conf.d
+	newins shortnames.conf 000-shortnames.conf
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-shortnames/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person" proxied="yes">
+    <email>me@rahil.rocks</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>zmedico@gentoo.org</email>
+    <name>Zac Medico</name>
+  </maintainer>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">containers/shortnames</remote-id>
+    <bugs-to>https://github.com/containers/shortnames/issues</bugs-to>
+    <doc>https://github.com/containers/shortnames/blob/main/README.md</doc>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/Manifest
@ -0,0 +1 @@
+DIST containers-storage-1.53.0.tar.gz 4291738 BLAKE2B 939ecca8a948165c42453d5461429d46249d73582869793969f9d4ae52d0a9fec25e6c39cd13190dad0730d9a17de7af1f237b3cf5434fd30f442c78e57ee7b3 SHA512 ea4a1d1899208eb8861e36beba206724b1f55cfd6007bc5a90c3a6a5e02835b4a2985814dc9363c31dcdc81a3fb331b29f51f5523628edb8d9c64c465d6dcaa3
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/containers-storage-1.53.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/containers-storage-1.53.0.ebuild
@ -0,0 +1,32 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Default config and docs related to Containers' storage"
+HOMEPAGE="https://github.com/containers/storage"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/storage.git"
+else
+	SRC_URI="https://github.com/containers/storage/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P#containers-}"
+	KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+BDEPEND=">=dev-go/go-md2man-2.0.2"
+
+src_compile() {
+	emake -C docs GOMD2MAN=go-md2man containers-storage.conf.5
+}
+
+src_install() {
+	emake DESTDIR="${ED}" -C docs install
+
+	insinto /etc/containers
+	doins storage.conf
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/files/system-md2man-path.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/files/system-md2man-path.patch
@ -0,0 +1,7 @@
+--- a/docs/Makefile
+++ b/docs/Makefile
+@@ -1,2 +1,3 @@
+-GOMD2MAN = ../tests/tools/build/go-md2man
+GOMD2MAN = $(shell command -v go-md2man)
+
+ PREFIX ?= ${DESTDIR}/usr
--- a/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containers-storage/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person">
+    <email>zmedico@gentoo.org</email>
+    <name>Zac Medico</name>
+  </maintainer>
+  <maintainer type="person" proxied="yes">
+    <email>me@rahil.rocks</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">containers/storage</remote-id>
+    <bugs-to>https://github.com/containers/storage/issues</bugs-to>
+    <doc>https://github.com/containers/storage/blob/main/README.md</doc>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/crun/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/crun/Manifest
@ -0,0 +1 @@
+DIST crun-1.14.3.tar.xz 750456 BLAKE2B 5a63b5da2f85ff1a83d4589be224c5b7a1123b6d7714b90a63c1907b78d42392aff25ffe5d9a4127173ac47026d57e9c93a39f5ba4b07de7f9f3722c14e6d203 SHA512 d6645c519ff00dda5def6d58240600d15e76969489918d51c0def2fee7dbad6374f83e5afc14a998d176aa2944765df5cd84c3031b265a1931ab23f2fc965fc1
--- a/sdk_container/src/third_party/portage-stable/app-containers/crun/crun-1.14.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/crun/crun-1.14.3.ebuild
@ -0,0 +1,65 @@
+# Copyright 2019-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit python-any-r1
+
+DESCRIPTION="A fast and low-memory footprint OCI Container Runtime fully written in C"
+HOMEPAGE="https://github.com/containers/crun"
+
+if [[ "$PV" == *9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/${PN}.git"
+else
+	SRC_URI="https://github.com/containers/${PN}/releases/download/${PV}/${P}.tar.xz"
+	KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv"
+fi
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+IUSE="+bpf +caps criu +seccomp selinux systemd static-libs"
+
+DEPEND="
+	dev-libs/yajl:=
+	sys-kernel/linux-headers
+	caps? ( sys-libs/libcap )
+	criu? ( >=sys-process/criu-3.15 )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/pkgconfig
+"
+
+# the crun test suite is comprehensive to the extent that tests will fail
+# within a sandbox environment, due to the nature of the privileges
+# required to create linux "containers".
+RESTRICT="test"
+
+src_configure() {
+	local myeconfargs=(
+		$(use_enable bpf)
+		$(use_enable caps)
+		$(use_enable criu)
+		$(use_enable seccomp)
+		$(use_enable systemd)
+		$(usex static-libs '--enable-shared --enable-static' '--enable-shared --disable-static' '' '')
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	emake "DESTDIR=${D}" install-exec
+	doman crun.1
+	einstalldocs
+
+	einfo "Cleaning up .la files"
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/crun/files/crun-1.11.2-caps.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/crun/files/crun-1.11.2-caps.patch
@ -0,0 +1,32 @@
+From 767ba88ef363115e80e077ce312f89f20488da01 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Robert=20G=C3=BCnzler?= <r@gnzler.io>
+Date: Thu, 9 Nov 2023 14:16:08 +0100
+Subject: [PATCH] Fix build without libcap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The work to support features introduced another point of dependency on
+libcap that previously wasn't guarded by ifdefs
+
+Refs: https://github.com/containers/crun/pull/1237
+Signed-off-by: Robert Günzler <r@gnzler.io>
+---
+ src/libcrun/container.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index ed0fa29bb..7be1713ab 100644
+--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
+@@ -3925,8 +3925,10 @@ libcrun_container_get_features (libcrun_context_t *context, struct features_info
+   // Populate namespaces
+   populate_array_field (&((*info)->linux.namespaces), namespaces, num_namspaces);
+ 
+#ifdef HAVE_CAP
+   // Populate capabilities
+   populate_capabilities (*info, &capabilities, &num_capabilities);
+#endif
+ 
+   // Hardcode the values for cgroup
+   (*info)->linux.cgroup.v1 = true;
--- a/sdk_container/src/third_party/portage-stable/app-containers/crun/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/crun/metadata.xml
@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person" proxied="yes">
+		<email>robert@gnzler.io</email>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription lang="en">
+		While most of the tools used in the Linux containers ecosystem are written in
+		Go, crun authors believe C is a better fit for a lower level tool like a
+		container runtime. runc; the most used implementation of the OCI runtime specs
+		written in Go, re-execs itself and use a module written in C for setting up
+		the environment before the container process starts.
+
+		crun aims to be also usable as a library that can be easily included in
+		programs without requiring an external process for managing OCI containers.
+	</longdescription>
+	<upstream>
+		<changelog>https://github.com/containers/crun/releases</changelog>
+		<remote-id type="github">containers/crun</remote-id>
+	</upstream>
+	<use>
+		<flag name="bpf">Enable in Kernel, eBPF (enhanced Berkley Packet Filter)
+			support for managing device controllers.
+		</flag>
+		<flag name="criu">Enable CRIU based checkpoint/restore support</flag>
+	</use>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/netavark/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/netavark/Manifest
@ -0,0 +1,2 @@
+DIST netavark-1.10.3.crate 154416 BLAKE2B a7750304484ae820eb3bb1bc4de8c2ad22d95494fe10471014e0eb999fb7578c5e9c2ab352fe357d964d701206ee7016f87134a62afe0a03cd1b574cae1264ca SHA512 6ed9cd5a69a6eacc4ad839a82680c7b98d453564aadee41eb6ea632223fba7fbdb20f11e4146dc74b6c6d3695ac50624424b3260dbb7769a4100a918e4328dbf
+DIST netavark-v1.10.3-vendor.tar.gz 16135507 BLAKE2B 114519b76d932c5918fd91cea73e8bc9f5aa3a63275f9218e667e400c3e2512e5db29ce806b5e5b509b043c04a3436344a27cf170e203d4360d00247e48b5ca9 SHA512 b8a99f45ba4ebb20414fe052ff08b1e7a7a86994c7dfa2f36d0500d52bcbd2d279aeff19fb0844a65e2375e86da33af735851f038f598771d2dac96ff7e032a5
--- a/sdk_container/src/third_party/portage-stable/app-containers/netavark/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/netavark/metadata.xml
@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+		<name>Zac Medico</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription lang="en">
+		Netavark is a rust based network stack for containers. It is
+		being designed to work with Podman but is also applicable for
+		other OCI container management applications.
+	</longdescription>
+	<upstream>
+		<remote-id type="github">containers/netavark</remote-id>
+		<bugs-to>https://github.com/containers/netavark/issues</bugs-to>
+		<doc>https://github.com/containers/netavark/blob/main/README.md</doc>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/netavark/netavark-1.10.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/netavark/netavark-1.10.3.ebuild
@ -0,0 +1,59 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+[[ ${PV} == 9999* ]] || CRATES="${PN}@${PV}"
+
+inherit cargo systemd
+
+DESCRIPTION="A container network stack"
+HOMEPAGE="https://github.com/containers/netavark"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/netavark.git"
+else
+	SRC_URI="${CARGO_CRATE_URIS} https://github.com/containers/netavark/releases/download/v${PV}/${PN}-v${PV}-vendor.tar.gz"
+	KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+fi
+
+# main
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" Apache-2.0-with-LLVM-exceptions BSD BSD-2 Boost-1.0 MIT Unicode-DFS-2016 Unlicense ZLIB"
+SLOT="0"
+BDEPEND="dev-go/go-md2man
+	dev-libs/protobuf"
+
+QA_FLAGS_IGNORED="
+	usr/libexec/podman/${PN}"
+QA_PRESTRIPPED="
+	usr/libexec/podman/${PN}"
+
+ECARGO_VENDOR="${WORKDIR}/vendor"
+
+src_unpack() {
+	if [[ ${PV} == 9999* ]]; then
+		git-r3_src_unpack
+		cargo_live_src_unpack
+	else
+		cargo_src_unpack
+	fi
+}
+
+src_prepare() {
+	default
+	sed -i -e "s|m0755 bin|m0755 target/$(usex debug debug release)|g;" Makefile || die
+}
+
+src_compile() {
+	cargo_src_compile
+	export PREFIX="${EPREFIX}"/usr SYSTEMDDIR="$(systemd_get_systemunitdir)"
+	emake docs
+}
+
+# Following is needed because we want to use `make install` instead of `cargo install` (exported by cargo.eclass)
+src_install() {
+	default
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/Manifest
@ -0,0 +1 @@
+DIST podman-5.0.2.tar.gz 23811875 BLAKE2B e943eb36eb0b80332223afc5d971c0886f6eaffeb7133c634d28c0a38e9aae6a54266691067dbca7684882f8b6dad72c3d5de2287ec5a7e8fb4b1cfd96df0b4d SHA512 70dbac9fc81d66eb9b0a5174f5776b805397005cacca917674d2b001591fadd05a776c956e693bad932e9eefe591c35da5c566e8e9e01db8be42bc454cd03104
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-5.0.0_rc4.confd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-5.0.0_rc4.confd
@ -0,0 +1,11 @@
+# Config file for /etc/init.d/podman
+
+# Sets the API service daemon log level
+# valid levels: debug, info, warn, error, fatal or panic
+#LOG_LEVEL="error"
+
+# Sets the API service daemon socket
+#SOCKET="unix:///run/podman/podman.sock"
+
+# Configure the user[:group] the API service daemon will run as
+#RUN_AS_USER="root:root"
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-5.0.0_rc4.initd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-5.0.0_rc4.initd
@ -0,0 +1,21 @@
+#!/sbin/openrc-run
+# Copyright 2015-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Podman API Service"
+
+LOG_PATH="/var/log/${RC_SVCNAME}"
+output_log="${LOG_PATH}/${RC_SVCNAME}.log"
+error_log="${LOG_PATH}/${RC_SVCNAME}.log"
+RUN_PATH="/run/${RC_SVCNAME}"
+pidfile="${RUN_PATH}/${RC_SVCNAME}.pid"
+
+command_user="${RUN_AS_USER:=root:root}"
+command="/usr/bin/podman"
+command_args="--log-level ${LOG_LEVEL:-error} system service --time 0 ${SOCKET:-unix://${RUN_PATH}/${RC_SVCNAME}.sock}"
+command_background="true"
+
+start() {
+	checkpath -o "${RUN_AS_USER}" -d "${RUN_PATH}" "${LOG_PATH}"
+	default_start
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-auto-update-5.0.0.cron
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-auto-update-5.0.0.cron
@ -0,0 +1,5 @@
+#!/bin/sh
+
+# podman-auto-update(1)
+# uncomment following to auto update containers according to their auto-update policy
+# /usr/bin/podman auto-update && /usr/bin/podman image prune -f
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-clean-transient-5.0.0_rc6.confd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-clean-transient-5.0.0_rc6.confd
@ -0,0 +1,8 @@
+# Config file for /etc/init.d/podman-clean-transient
+
+# Sets the podman log level
+# valid levels: debug, info, warn, error, fatal or panic
+#LOG_LEVEL="info"
+
+# Configure the user[:group] the podman will run as
+#RUN_AS_USER="root:root"
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-clean-transient-5.0.0_rc6.initd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-clean-transient-5.0.0_rc6.initd
@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+# Copyright 2015-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# This service runs once each boot to remove potential leftover
+# container state from previous boots.
+
+# This is needed when using transient storage mode in podman where the
+# database and other configs are stored in tmpfs, but some other files
+# are not. If we don't run this after an unclean boot then there may
+# be some leftover files that grow over time.
+
+description="Clean up podman transient data"
+
+command_user="${RUN_AS_USER:-root:root}"
+command="/usr/bin/podman"
+command_args="--log-level ${LOG_LEVEL:-info} system prune --external"
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-restart-5.0.0_rc4.confd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-restart-5.0.0_rc4.confd
@ -0,0 +1,9 @@
+# Config file for /etc/init.d/podman-restart
+
+# Sets the podman log level
+# valid levels: debug, info, warn, error, fatal or panic
+#LOG_LEVEL="info"
+
+# Configure the user[:group] the podman will run as
+# Can be useful to manage rootful or rootless containers
+#RUN_AS_USER="root:root"
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-restart-5.0.0_rc4.initd
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman-restart-5.0.0_rc4.initd
@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+# Copyright 2015-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Start all containers with restart-policy set to always"
+
+command_user="${RUN_AS_USER:=root:root}"
+command="/usr/bin/podman"
+command_args="--log-level ${LOG_LEVEL:=info} start --all --filter restart-policy=always"
+
+depend() {
+	after net
+}
+
+stop() {
+	ebegin "Stopping all containers with restart-policy set to always"
+	${command} \
+		--log-level ${LOG_LEVEL} \
+		stop \
+		$(${command} container ls --filter restart-policy=always -q)
+	eend $? "Failed to stop containers with restart-policy set to always"
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman.logrotated
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/podman.logrotated
@ -0,0 +1,7 @@
+/var/log/podman/podman.log {
+	missingok
+	size 5M
+	rotate 3
+	compress
+	copytruncate
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/files/seccomp-toggle-4.7.0.patch
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/files/seccomp-toggle-4.7.0.patch
@ -0,0 +1,15 @@
+--- a/Makefile
+++ b/Makefile
+@@ -57,7 +57,11 @@
+ 	$(shell hack/systemd_tag.sh) \
+ 	$(shell hack/libsubid_tag.sh) \
+ 	exclude_graphdriver_devicemapper \
+-	seccomp
+
+BUILD_SECCOMP ?= yes
+ifeq ($(BUILD_SECCOMP),yes)
+BUILDTAGS += seccomp
+endif
+ # N/B: This value is managed by Renovate, manual changes are
+ # possible, as long as they don't disturb the formatting
+ # (i.e. DO NOT ADD A 'v' prefix!)
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/metadata.xml
@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+		<name>Zac Medico</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription lang="en">
+		Podman (the POD MANager) is a tool for managing containers
+		and images, volumes mounted into those containers, and pods
+		made from groups of containers. Podman is based on libpod,
+		a library for container lifecycle management that is also
+		contained in this repository. The libpod library provides
+		APIs for managing containers, pods, container images,
+		and volumes.
+	</longdescription>
+	<use>
+		<flag name="btrfs">
+			Enables btrfs support (graph driver) in Podman
+		</flag>
+		<flag name="cgroup-hybrid">
+			Use legacy (hybrid) cgroups instead of modern (unified) cgroups
+		</flag>
+		<flag name="fuse">
+			Enables fuse dependencies (fuse-overlayfs is especially useful
+			for rootless mode).
+		</flag>
+		<flag name="init">
+			Enables catatonit dependency required for podman run --init.
+		</flag>
+		<flag name="rootless">
+			Enables dependencies for running in rootless mode.
+		</flag>
+		<flag name="wrapper">
+			Install wrapper which lets use podman for command `docker`
+		</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">containers/podman</remote-id>
+		<bugs-to>https://github.com/containers/podman/issues</bugs-to>
+		<doc>https://podman.io/docs</doc>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-containers/podman/podman-5.0.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/podman/podman-5.0.2.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11,12} )
+
+inherit go-module python-any-r1 tmpfiles linux-info
+
+DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI"
+HOMEPAGE="https://github.com/containers/podman/ https://podman.io/"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/podman.git"
+else
+	SRC_URI="https://github.com/containers/podman/archive/v${PV/_rc/-rc}.tar.gz -> ${P}.tar.gz"
+	S="${WORKDIR}/${P/_rc/-rc}"
+	[[ ${PV} != *rc* ]] && \
+		KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+IUSE="apparmor btrfs +seccomp selinux systemd wrapper"
+RESTRICT="test"
+
+RDEPEND="
+	app-containers/catatonit
+	>=app-containers/conmon-2.1.10
+	>=app-containers/containers-common-0.58.0-r1
+	app-crypt/gpgme:=
+	dev-libs/libassuan:=
+	dev-libs/libgpg-error:=
+	sys-apps/shadow:=
+
+	apparmor? ( sys-libs/libapparmor )
+	btrfs? ( sys-fs/btrfs-progs )
+	wrapper? ( !app-containers/docker-cli )
+	seccomp? ( sys-libs/libseccomp:= )
+	selinux? ( sec-policy/selinux-podman sys-libs/libselinux:= )
+	systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	${PYTHON_DEPS}
+	dev-go/go-md2man
+	app-crypt/gpgme:=
+"
+
+PATCHES=(
+	"${FILESDIR}/seccomp-toggle-4.7.0.patch"
+)
+
+CONFIG_CHECK="
+	~USER_NS
+"
+
+pkg_setup() {
+	use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+	linux-info_pkg_setup
+	python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# assure necessary files are present
+	local file
+	for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
+		[[ -f hack/"${file}".sh ]] || die
+	done
+
+	local feature
+	for feature in apparmor systemd; do
+		cat <<-EOF > hack/"${feature}"_tag.sh || die
+		#!/usr/bin/env bash
+		$(usex ${feature} "echo ${feature}" echo)
+		EOF
+	done
+
+	echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die
+	cat <<-EOF > hack/btrfs_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+	EOF
+}
+
+src_compile() {
+	export PREFIX="${EPREFIX}/usr"
+
+	# For non-live versions, prevent git operations which causes sandbox violations
+	# https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+	[[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT="" EPOCH_TEST_COMMIT=""
+
+	# BUILD_SECCOMP is used in the patch to toggle seccomp
+	emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" \
+		  all $(usev wrapper docker-docs)
+}
+
+src_install() {
+	emake DESTDIR="${D}" install install.completions $(usev wrapper install.docker-full)
+
+	if use !systemd; then
+		newconfd "${FILESDIR}"/podman-5.0.0_rc4.confd podman
+		newinitd "${FILESDIR}"/podman-5.0.0_rc4.initd podman
+
+		newinitd "${FILESDIR}"/podman-restart-5.0.0_rc4.initd podman-restart
+		newconfd "${FILESDIR}"/podman-restart-5.0.0_rc4.confd podman-restart
+
+		newinitd "${FILESDIR}"/podman-clean-transient-5.0.0_rc6.initd podman-clean-transient
+		newconfd "${FILESDIR}"/podman-clean-transient-5.0.0_rc6.confd podman-clean-transient
+
+		exeinto /etc/cron.daily
+		newexe "${FILESDIR}"/podman-auto-update-5.0.0.cron podman-auto-update
+
+		insinto /etc/logrotate.d
+		newins "${FILESDIR}/podman.logrotated" podman
+	fi
+
+	keepdir /var/lib/containers
+}
+
+pkg_postinst() {
+	tmpfiles_process podman.conf $(usev wrapper podman-docker.conf)
+}
--- a/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/Manifest
@ -0,0 +1,2 @@
+DIST gpgme-1.23.2.tar.bz2 1836904 BLAKE2B 563e470e861c7cc64ecb3e8dd0a0ed8436bc0867105093abcec09f4d1e1dd95cbf64c8161cf8500b9842583b57f6583efff63e5111234e36fda1e6fbedce2f78 SHA512 6cfcd07e81a93de240582de5a46545420cee93d1f27fe20ea2c983780fdd3036b69fdba073cf549d68a20791e189bf4b3cdde14a43f912d2ab9ef3414c83ac75
+DIST gpgme-1.23.2.tar.bz2.sig 238 BLAKE2B fafba6e2f1f34c53fa3f7e05953298132f7b046048660b9f2df5bc11ccb9694b581117ca78883a8f4ca9af060397a39f3132a3711be1cd28183b7c2f8f93a8b7 SHA512 65b7cdd4ce06bb0b15b13033d226423380338efdcb47ffc3f33780a92973453053f8f59b12a3f37e392e773bdd207a7420c25aa3a210c15eec45b7bfef6e891e
--- a/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/files/gpgme-1.18.0-tests-start-stop-agent-use-command-v.patch
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/files/gpgme-1.18.0-tests-start-stop-agent-use-command-v.patch
@ -0,0 +1,27 @@
+Sent upstream to gnupg-devel@ but not yet in archive.
+
+From: Sam James <sam@gentoo.org>
+Date: Mon, 15 Aug 2022 19:29:06 +0100
+Subject: [PATCH] tests/start-stop-agent: use 'command -v' instead of 'which'
+
+`which` is an external command which isn't required by POSIX.
+
+Debian and other distributions (like Gentoo!) are looking
+to drop it from their base set of packages.
+
+Switch to `command -v` which should always work instead.
+
+Note we already use `command -v` at the start of this test anyway.
+
+Signed-off-by: Sam James <sam@gentoo.org>
+--- a/tests/start-stop-agent
+++ b/tests/start-stop-agent
+@@ -15,7 +15,7 @@ fi
+ 
+ GPG_AGENT_INFO=
+ export GPG_AGENT_INFO
+-GPG_AGENT=$(which gpg-agent)
+GPG_AGENT=$(command -v gpg-agent)
+ 
+ token=$(echo "gpgme-$(pwd)" | tr ' ' '_')
+ 
--- a/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/files/gpgme-1.23.1-tests-gnupg-no-tofu.patch
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/files/gpgme-1.23.1-tests-gnupg-no-tofu.patch
@ -0,0 +1,26 @@
+https://dev.gnupg.org/T6778
+--- a/lang/python/tests/support.py
+++ b/lang/python/tests/support.py
+@@ -46,13 +46,15 @@ def is_gpg_version(version):
+ 
+ 
+ def have_tofu_support(ctx, some_uid):
+-    keys = list(
+-        ctx.keylist(
+-            some_uid,
+-            mode=(gpg.constants.keylist.mode.LOCAL |
+-                  gpg.constants.keylist.mode.WITH_TOFU)))
+-    return len(keys) > 0
+-
+    try:
+        keys = list(
+            ctx.keylist(
+                some_uid,
+                mode=(gpg.constants.keylist.mode.LOCAL |
+                      gpg.constants.keylist.mode.WITH_TOFU)))
+        return len(keys) > 0
+    except gpg.errors.GPGMEError:
+        return False
+ 
+ # Skip the Python tests for GnuPG < 2.1.12.  Prior versions do not
+ # understand the command line flags that we assume exist.  C.f. issue
--- a/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/gpgme-1.23.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/gpgme-1.23.2.ebuild
@ -0,0 +1,227 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+DISTUTILS_EXT=1
+DISTUTILS_OPTIONAL=1
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+
+# in-source builds are not supported:
+# * https://dev.gnupg.org/T6313#166339
+# * https://dev.gnupg.org/T6673#174545
+inherit distutils-r1 libtool flag-o-matic multibuild qmake-utils toolchain-funcs verify-sig
+
+DESCRIPTION="GnuPG Made Easy is a library for making GnuPG easier to use"
+HOMEPAGE="https://www.gnupg.org/related_software/gpgme"
+SRC_URI="
+	mirror://gnupg/gpgme/${P}.tar.bz2
+	verify-sig? ( mirror://gnupg/gpgme/${P}.tar.bz2.sig )
+"
+
+LICENSE="GPL-2 LGPL-2.1"
+# Please check ABI on each bump, even if SONAMEs didn't change: bug #833355
+# Use e.g. app-portage/iwdevtools integration with dev-libs/libabigail's abidiff.
+# Subslot: SONAME of each: <libgpgme.libgpgmepp.libqgpgme.FUDGE>
+# Bump FUDGE if a release is made which breaks ABI without changing SONAME.
+# (Reset to 0 if FUDGE != 0 if libgpgme/libgpgmepp/libqpggme change.)
+SLOT="1/11.6.15.2"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="common-lisp static-libs +cxx python qt5 qt6 test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="
+	qt5? ( cxx )
+	qt6? ( cxx )
+	python? ( ${PYTHON_REQUIRED_USE} )
+"
+
+# - On each bump, update dep bounds on each version from configure.ac!
+RDEPEND="
+	>=app-crypt/gnupg-2
+	>=dev-libs/libassuan-2.5.3:=
+	>=dev-libs/libgpg-error-1.46-r1:=
+	python? ( ${PYTHON_DEPS} )
+	qt5? ( dev-qt/qtcore:5 )
+	qt6? ( dev-qt/qtbase:6 )
+"
+DEPEND="
+	${RDEPEND}
+	test? (
+		qt5? ( dev-qt/qttest:5 )
+	)
+"
+#doc? ( app-text/doxygen[dot] )
+BDEPEND="
+	$(python_gen_cond_dep '
+		dev-python/setuptools[${PYTHON_USEDEP}]
+	' python3_12)
+	python? ( dev-lang/swig )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.18.0-tests-start-stop-agent-use-command-v.patch
+	"${FILESDIR}"/${PN}-1.23.1-tests-gnupg-no-tofu.patch
+)
+
+src_prepare() {
+	default
+
+	elibtoolize
+
+	# bug #697456
+	addpredict /run/user/$(id -u)/gnupg
+
+	local MAX_WORKDIR=66
+	if use test && [[ "${#WORKDIR}" -gt "${MAX_WORKDIR}" ]]; then
+		eerror "Unable to run tests as WORKDIR='${WORKDIR}' is longer than ${MAX_WORKDIR} which causes failure!"
+		die "Could not run tests as requested with too-long WORKDIR."
+	fi
+
+	# Make best effort to allow longer PORTAGE_TMPDIR
+	# as usock limitation fails build/tests
+	ln -s "${P}" "${WORKDIR}/b" || die
+	S="${WORKDIR}/b"
+
+	# Qt 5 and Qt 6 are mutually exclusive in the gpgme build. We don't have
+	# to do three builds (normal, qt5, qt6), and we can instead just
+	# do normal+qt5 or normal+qt6. For now, we pessimise qt6 by making it
+	# be a separate build, but in time, we can swap it so qt5 has to be
+	# the separate one so some build time gets saved in the common case.
+	MULTIBUILD_VARIANTS=(
+		base
+		$(usev qt6 qt6)
+	)
+
+	gpgme_create_builddir() {
+		mkdir -p "${BUILD_DIR}" || die
+	}
+
+	multibuild_foreach_variant gpgme_create_builddir
+}
+
+src_configure() {
+	multibuild_foreach_variant gpgme_src_configure
+}
+
+gpgme_src_configure() {
+	# bug #847955
+	append-lfs-flags
+
+	cd "${BUILD_DIR}" || die
+
+	local languages=()
+
+	case ${MULTIBUILD_VARIANT} in
+		base)
+			languages=(
+				$(usev common-lisp 'cl')
+				$(usev cxx 'cpp')
+				$(usev qt5 'qt5')
+			)
+
+			if use qt5; then
+				#use doc ||
+				export DOXYGEN=true
+				export MOC="$(qt5_get_bindir)/moc"
+			fi
+
+			;;
+		*)
+			# Sanity check for refactoring, the non-base variant is only for Qt 6
+			use qt6 || die "Non-base variant shouldn't be built without Qt 6! Please report at bugs.gentoo.org."
+
+			languages=(
+				cpp
+				qt6
+			)
+
+			export MOC="$(qt6_get_libdir)/qt6/libexec/moc"
+
+			;;
+	esac
+
+	local myeconfargs=(
+		$(use test || echo "--disable-gpgconf-test --disable-gpg-test --disable-gpgsm-test --disable-g13-test")
+		--enable-languages="${languages[*]}"
+		$(use_enable static-libs static)
+	)
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	if [[ ${MULTIBUILD_VARIANT} == base ]] && use python ; then
+		emake -C lang/python prepare
+
+		pushd lang/python > /dev/null || die
+		top_builddir="../.." srcdir="${S}/lang/python" CPP="$(tc-getCPP)" distutils-r1_src_configure
+		popd > /dev/null || die
+	fi
+}
+
+src_compile() {
+	multibuild_foreach_variant gpgme_src_compile
+}
+
+gpgme_src_compile() {
+	cd "${BUILD_DIR}" || die
+
+	emake
+
+	if [[ ${MULTIBUILD_VARIANT} == base ]] && use python ; then
+		pushd lang/python > /dev/null || die
+		top_builddir="../.." srcdir="${S}/lang/python" CPP="$(tc-getCPP)" distutils-r1_src_compile
+		popd > /dev/null || die
+	fi
+}
+
+src_test() {
+	multibuild_foreach_variant gpgme_src_test
+}
+
+gpgme_src_test() {
+	cd "${BUILD_DIR}" || die
+
+	emake check
+
+	if [[ ${MULTIBUILD_VARIANT} == base ]] && use python ; then
+		distutils-r1_src_test
+	fi
+}
+
+python_test() {
+	emake -C lang/python/tests check \
+		PYTHON=${EPYTHON} \
+		PYTHONS=${EPYTHON} \
+		TESTFLAGS="--python-libdir=${BUILD_DIR}/lib"
+}
+
+src_install() {
+	einstalldocs
+	multibuild_foreach_variant gpgme_src_install
+}
+
+gpgme_src_install() {
+	cd "${BUILD_DIR}" || die
+
+	emake DESTDIR="${D}" install
+
+	if [[ ${MULTIBUILD_VARIANT} == base ]] && use python ; then
+		pushd lang/python > /dev/null || die
+		top_builddir="../.." srcdir="${S}/lang/python" CPP="$(tc-getCPP)" distutils-r1_src_install
+		popd > /dev/null || die
+	fi
+
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# Backward compatibility for gentoo
+	# (in the past, we had slots)
+	dodir /usr/include/gpgme
+	dosym -r /usr/include/gpgme.h /usr/include/gpgme/gpgme.h
+}
--- a/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gpgme/metadata.xml
@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<use>
+		<flag name="common-lisp">Install common-lisp files</flag>
+	</use>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest
@ -1 +1 @@
-DIST go-md2man-2.0.2.tar.gz 64353 BLAKE2B cc9ce9d14b61e600cf5179b72e08bc7e6ae5fcf31d3e00d6e5f7e5e77a26dd2b2b8a938e168e0053b2a9f9aab734d9beb02f7d95549fbf073125ad42b03cf478 SHA512 c81edfdc0b6647ef699cc908a1a7038d98da34df6d48b223b83a0699de91a7e322e70d67645acf1fc848918f4c1ea310160c7ccb75e6f97b53af7103c7aa18b3
+DIST go-md2man-2.0.3.tar.gz 64961 BLAKE2B 790fe7c247e0f934a397d7389be589c6e4d75be3cd533da13ae4e46c927604c3249e3a2f0c975320bac0f21f3040059202434f6fd4b2ea6dd50d6b772fa01842 SHA512 237e8039beea11b4efb7d0c75fb5826c17dea50057b0149b9533e72e2a5198811f9a3a5b264ea3788922d2f03b07cb57914448b2d4325d54d0f946fb42c42f40
--- a/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.3.ebuild
@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 EAPI=8
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/Manifest
@ -0,0 +1,2 @@
+DIST yajl-2.1.0-r5.tar.gz 83997 BLAKE2B 755ee1d9f8c59b730393468722dae9148cd63443a0c91f0e1894f5998b699303920b8f0748541bd280d132ee1c9dedd40ebc2a7e020a8fe65beb186f25af5402 SHA512 9e786d080803df80ec03a9c2f447501e6e8e433a6baf636824bc1d50ecf4f5f80d7dfb1d47958aeb0a30fe459bd0ef033d41bc6a79e1dc6e6b5eade930b19b02
+DIST yajl-2.1.0.tar.gz 84039 BLAKE2B 53cfa60994a478050ef1ab35ecfe60cc51f166bc101ee81f42122b134cc30afd1277c3c2661f5c03dc8c8117fcfdaab8ec7c6d735a6810ea4700f1afaea60e1a SHA512 671c06081e01584d170b614dc0685f49c6d7448b673d8ed99749ce4e0ca73875af9f62df7787b919ceaecab213668ac1d2a5800b6831731ec146353552f36985
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-memory-leak.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-memory-leak.patch
@ -0,0 +1,23 @@
+From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
+From: "zhang.jiujiu" <282627424@qq.com>
+Date: Tue, 7 Dec 2021 22:37:02 +0800
+Subject: [PATCH] fix memory leaks
+
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index b9e66043..0e7bde98 100644
+--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
+@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input,
+              yajl_tree_free(v);
+         }
+         yajl_free (handle);
+	//If the requested memory is not released in time, it will cause memory leakage
+	if(ctx.root)
+	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-pkg-config.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-pkg-config.patch
@ -0,0 +1,50 @@
+From 63703fd039fce33ac36e94b9ace4b7c12ef042b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Sun, 24 Feb 2019 10:49:44 +0100
+Subject: [PATCH] cmake: Fix installing pkg-config file into libdir
+
+Fix the CMake rules to install pkg-config file into lib/pkgconfig
+rather than share/pkgconfig.  The former location is correct
+for ABI-dependent files such as libraries, while the latter should be
+used only for ABI-agnostic resources (data files, executables).
+
+This fixes using yajl on multilib systems where 32-bit and 64-bit
+versions of the library are installed separately.  This requires two
+separate pkg-config files to be installed along with the libraries
+into appropriate libdirs.  When the file was installed into /usr/share,
+only one variant was permitted and effectively using the other multilib
+variant was broken, breaking other packages.
+
+Original bug report: https://bugs.gentoo.org/677870
+---
+ src/CMakeLists.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index 99cf9e9..81369e4 100644
+--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
+@@ -30,7 +30,7 @@ ADD_DEFINITIONS(-DYAJL_BUILD)
+ # set up some paths
+ SET (libDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+ SET (incDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/include/yajl)
+-SET (shareDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/share/pkgconfig)
+SET (pcDir ${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib/pkgconfig)
+ 
+ # set the output path for libraries
+ SET(LIBRARY_OUTPUT_PATH ${libDir})
+@@ -61,7 +61,7 @@ FILE(MAKE_DIRECTORY ${incDir})
+ # generate build-time source
+ SET(dollar $)
+ CONFIGURE_FILE(api/yajl_version.h.cmake ${incDir}/yajl_version.h)
+-CONFIGURE_FILE(yajl.pc.cmake ${shareDir}/yajl.pc)
+CONFIGURE_FILE(yajl.pc.cmake ${pcDir}/yajl.pc)
+ 
+ # copy public headers to output directory
+ FOREACH (header ${PUB_HDRS})
+@@ -84,4 +84,4 @@ INSTALL(TARGETS yajl
+ INSTALL(TARGETS yajl_s ARCHIVE DESTINATION lib${LIB_SUFFIX})
+ INSTALL(FILES ${PUB_HDRS} DESTINATION include/yajl)
+ INSTALL(FILES ${incDir}/yajl_version.h DESTINATION include/yajl)
+-INSTALL(FILES ${shareDir}/yajl.pc DESTINATION share/pkgconfig)
+INSTALL(FILES ${pcDir}/yajl.pc DESTINATION lib${LIB_SUFFIX}/pkgconfig)
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-uclibc.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/files/yajl-2.1.0-uclibc.patch
@ -0,0 +1,14 @@
+diff --git a/reformatter/CMakeLists.txt b/reformatter/CMakeLists.txt
+index da4032b..d48e218 100644
+--- a/reformatter/CMakeLists.txt
+++ b/reformatter/CMakeLists.txt
+@@ -26,7 +26,7 @@ LINK_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/../${YAJL_DIST_NAME}/lib)
+
+ ADD_EXECUTABLE(json_reformat ${SRCS})
+
+-TARGET_LINK_LIBRARIES(json_reformat yajl_s)
+TARGET_LINK_LIBRARIES(json_reformat yajl_s m)
+
+ # copy the binary into the output directory
+ GET_TARGET_PROPERTY(binPath json_reformat LOCATION)
+
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/metadata.xml
@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>ruby@gentoo.org</email>
+    <name>Gentoo Ruby Project</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">lloyd/yajl</remote-id>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/yajl/yajl-2.1.0-r5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/yajl/yajl-2.1.0-r5.ebuild
@ -0,0 +1,36 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cmake-multilib multibuild
+
+DESCRIPTION="Small event-driven (SAX-style) JSON parser"
+HOMEPAGE="https://lloyd.github.io/yajl/"
+SRC_URI="https://github.com/lloyd/yajl/archive/refs/tags/${PV}.tar.gz -> ${P}-r5.tar.gz"
+
+LICENSE="ISC"
+SLOT="0/2"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE=""
+
+PATCHES=(
+	"${FILESDIR}"/${P}-uclibc.patch # git master 5d4bf525
+	"${FILESDIR}"/${P}-pkg-config.patch # downstream
+	"${FILESDIR}"/${P}-memory-leak.patch # Bug 908036
+)
+
+src_prepare() {
+	cmake_src_prepare
+	multilib_copy_sources
+}
+
+multilib_src_test() {
+	cd "${S}"/test/parsing || die
+	./run_tests.sh "${BUILD_DIR}"/test/parsing/yajl_test || die
+}
+
+src_install() {
+	cmake-multilib_src_install
+	find "${D}" -name libyajl_s.a -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/net-misc/passt/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-misc/passt/Manifest
@ -0,0 +1 @@
+DIST passt-2024.03.26.tar.xz 195348 BLAKE2B d91e6ac1d50aae04ceb53a34341b545ff644ceccdfcfab461907050612d9d871f61591aac02ebddef9a607a9b39ce5017a2fc47c9189f85b9b9a70a30d010e4c SHA512 da771f8f334862f81702b22688c9d3552aefc2883b5a44c39156ff7a69f301cabf52fa0fb13f8695240db5411c498806d28d847fca8caff2bedb69d1a4b4e5a7
--- a/sdk_container/src/third_party/portage-stable/net-misc/passt/files/Makefile-2024.03.20.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/passt/files/Makefile-2024.03.20.patch
@ -0,0 +1,13 @@
+Addressing following bugs:
+https://bugs.gentoo.org/924494
+--- a/Makefile
+++ b/Makefile
+@@ -35,7 +35,7 @@
+ 
+ FLAGS := -Wall -Wextra -Wno-format-zero-length
+ FLAGS += -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
+-FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
+FLAGS += -O2 -pie -fPIE
+ FLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE)
+ FLAGS += -DNETNS_RUN_DIR=\"/run/netns\"
+ FLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH)
--- a/sdk_container/src/third_party/portage-stable/net-misc/passt/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/net-misc/passt/metadata.xml
@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="person" proxied="yes">
+    <email>me@rahil.rocks</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>zmedico@gentoo.org</email>
+    <name>Zac Medico</name>
+  </maintainer>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-maint@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <longdescription lang="en">
+    passt implements a translation layer between a Layer-2 network interface and native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on a host. It doesn't require any capabilities or privileges, and it can be used as a simple replacement for Slirp.
+
+    pasta (same binary as passt, different command) offers equivalent functionality, for network namespaces: traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.
+
+    qrap  is  a  wrapper,  designed specifically for usage with qemu(1) and passt(1), connecting a UNIX domain socket to a file descriptor, and running qemu(1) with given arguments.
+  </longdescription>
+  <upstream>
+    <bugs-to>https://passt.top/passt/bugs</bugs-to>
+    <doc>https://passt.top/passt/about/</doc>
+  </upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/net-misc/passt/passt-2024.03.26.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/passt/passt-2024.03.26.ebuild
@ -0,0 +1,40 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit toolchain-funcs
+
+DESCRIPTION="User-mode networking daemons for VMs and namespaces, replacement for Slirp"
+HOMEPAGE="https://passt.top/"
+
+RELEASE_COMMIT="4988e2b"
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="git://passt.top/passt"
+else
+	SRC_URI="https://passt.top/passt/snapshot/passt-${RELEASE_COMMIT}.tar.xz -> ${P}.tar.xz"
+	S="${WORKDIR}/${PN}-${RELEASE_COMMIT}"
+	KEYWORDS="amd64 arm64 ~riscv"
+fi
+
+LICENSE="BSD GPL-2+"
+SLOT="0"
+IUSE="static"
+
+PATCHES=(
+	"${FILESDIR}"/Makefile-2024.03.20.patch
+)
+
+src_prepare() {
+	default
+	tc-export CC
+}
+
+src_compile() {
+	[[ ${PV} != 9999* ]] && export VERSION="${PV}"
+	export prefix="${EPREFIX}/usr" docdir="${EPREFIX}/usr/share/doc/${P}"
+
+	emake $(usev static)
+}
--- a/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/Manifest
@ -0,0 +1 @@
+DIST fuse-overlayfs-1.13.tar.gz 99775 BLAKE2B 7a0643a5ef029db7f3d1009e9dd4e7a647bf936205723fc3656dfd6d14d622e98f9df15590783492f056ab3f151fd658b6fe65f7177f9499532d02411138ac7c SHA512 2f005b7eb4f0cc31dd75a6c453d81fbbf1c77cb6c1e8f991a53465c1e8c0109c999063a3b2088978abeea2272677985cd79ecbbbcd7aaaac0088dcdd34981f4b
--- a/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/fuse-overlayfs-1.13.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/fuse-overlayfs-1.13.ebuild
@ -0,0 +1,27 @@
+# Copyright 2019-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools linux-info
+
+DESCRIPTION="FUSE implementation for overlayfs"
+HOMEPAGE="https://github.com/containers/fuse-overlayfs"
+SRC_URI="https://github.com/containers/fuse-overlayfs/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+
+DEPEND="sys-fs/fuse:3"
+RDEPEND="${DEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+pkg_pretend() {
+	kernel_is -lt 4 18 && eerror "Linux Kernel > v4.18.0 is required" && die
+}
+
+src_prepare() {
+	default
+	eautoreconf
+}
--- a/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/fuse-overlayfs/metadata.xml
@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<upstream>
+		<remote-id type="github">containers/fuse-overlayfs</remote-id>
+	</upstream>
+	<maintainer type="person">
+		<email>zmedico@gentoo.org</email>
+		<name>Zac Medico</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>me@rahil.rocks</email>
+		<name>Rahil Bhimjiani</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+</pkgmetadata>
				`@ -0,0 +1 @@`
				- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write 'podman' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning ([scripts#1964](https://github.com/flatcar/scripts/pull/1964))
				`@ -0,0 +1 @@`
				`DIST catatonit-0.2.0.tar.gz 16608 BLAKE2B 27b6ed1148aaef963140c42e2cb6a7a8c9c25f01eef62cf519c3b1c230c8f30838f5b9cb54bf0b37b1194084f3f0c750e20316738a330d6a01c830b71b45623c SHA512 115e72002e35bb2a03919f9422a9cb2d9a0e4f087862d4ffd20e9508af6d67efc359a577ec059574f2f6c98966a1f080b65dffc8dfb83b3c2ed48e63e2aeac3b`
				`@ -0,0 +1 @@`
				`DIST conmon-2.1.10.tar.gz 121047 BLAKE2B 14b4c2d541607eac0af6b335f35bd506c9a6c3d2b4e4e3ad79f32550385e90b6f7533f505565f90fb4bb1f42d528c41e9ddc7ec275c16ee982a6d0afe1c65bff SHA512 ecf1a961f431b005b54faa68b5c1bcf31d448f994ca66a56f13002216074dba79b53b52a377d4f8dab08141d6c6cf44467352fbff37175135d3da84081b27a18`
				`@ -0,0 +1 @@`
				`DIST containers-common-0.58.0.tar.gz 13164567 BLAKE2B 17795eec2d38b4d8b9d6afeb20e249208c5ae2ac767a365ef7313d1e7c36eadb9a9eb284a657dfe3f4fcb0577448d4883fabbad76e0318425fdc03809e27cd7c SHA512 6f569d68d3b0e5ead304c7f23341808d66a47b6352c772d353d50c5f4777cd8a5a5b85d6faaf2887f828c17ec49b9c5f929177a67294b5bbb69baa80656982a8`
				`@ -0,0 +1 @@`
				`DIST containers-image-5.30.0.tar.gz 719070 BLAKE2B 5952ab703b6df793f326dd4fc82f50c5f672e2b9d142e0bc706014092420e3563599d9f1c1f65f743e1a8144b91f92b2326d7bf4c3024b5efb466d777a8ad613 SHA512 89cd0d482bb5d70037ff51413b7abca01d36bc7f39e9dc130c78462e501dae32193137a367d81532afd216a7432e127728147e6e839d5d99eeb6b6680f31d4dc`
				`@ -0,0 +1 @@`
				`DIST containers-shortnames-2023.02.20.tar.gz 13527 BLAKE2B 165a4c51bd284078990c94059145bb6b4bd5de4d8595eb2ccd2acc6fe8561e7edc300b7edadc684675ee281d7ada1c3a6d5aa0117c640ec22c2d2ef7e46486b5 SHA512 856dbbeb2acda276e9605bd1ecec0f8d65952c597ee2af61dd8909d7d3c04e5ef06c40b69ec4a98f79e623c536850f614c1b0af3a19637e300e7d3a285933193`
				`@ -0,0 +1 @@`
				`DIST containers-storage-1.53.0.tar.gz 4291738 BLAKE2B 939ecca8a948165c42453d5461429d46249d73582869793969f9d4ae52d0a9fec25e6c39cd13190dad0730d9a17de7af1f237b3cf5434fd30f442c78e57ee7b3 SHA512 ea4a1d1899208eb8861e36beba206724b1f55cfd6007bc5a90c3a6a5e02835b4a2985814dc9363c31dcdc81a3fb331b29f51f5523628edb8d9c64c465d6dcaa3`
				`@ -0,0 +1 @@`
				`DIST crun-1.14.3.tar.xz 750456 BLAKE2B 5a63b5da2f85ff1a83d4589be224c5b7a1123b6d7714b90a63c1907b78d42392aff25ffe5d9a4127173ac47026d57e9c93a39f5ba4b07de7f9f3722c14e6d203 SHA512 d6645c519ff00dda5def6d58240600d15e76969489918d51c0def2fee7dbad6374f83e5afc14a998d176aa2944765df5cd84c3031b265a1931ab23f2fc965fc1`
				`@ -0,0 +1 @@`
				`DIST podman-5.0.2.tar.gz 23811875 BLAKE2B e943eb36eb0b80332223afc5d971c0886f6eaffeb7133c634d28c0a38e9aae6a54266691067dbca7684882f8b6dad72c3d5de2287ec5a7e8fb4b1cfd96df0b4d SHA512 70dbac9fc81d66eb9b0a5174f5776b805397005cacca917674d2b001591fadd05a776c956e693bad932e9eefe591c35da5c566e8e9e01db8be42bc454cd03104`
				`@ -0,0 +1 @@`
				`DIST passt-2024.03.26.tar.xz 195348 BLAKE2B d91e6ac1d50aae04ceb53a34341b545ff644ceccdfcfab461907050612d9d871f61591aac02ebddef9a607a9b39ce5017a2fc47c9189f85b9b9a70a30d010e4c SHA512 da771f8f334862f81702b22688c9d3552aefc2883b5a44c39156ff7a69f301cabf52fa0fb13f8695240db5411c498806d28d847fca8caff2bedb69d1a4b4e5a7`