From a85cb08443788f37d38b7c854a3a60ba283528c2 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 23 Apr 2019 03:29:09 +0000 Subject: [PATCH 01/11] catalyst: Temporarily disable update_seed again The glib security update blocks itself. Disable this until a new SDK is generated, then it can be reverted again. --- build_library/catalyst.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_library/catalyst.sh b/build_library/catalyst.sh index 6b3f571966..5df356559e 100644 --- a/build_library/catalyst.sh +++ b/build_library/catalyst.sh @@ -120,7 +120,7 @@ cat < Date: Thu, 2 May 2019 03:23:07 +0000 Subject: [PATCH 02/11] Revert "catalyst: Temporarily disable update_seed again" This reverts commit a85cb08443788f37d38b7c854a3a60ba283528c2. --- build_library/catalyst.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_library/catalyst.sh b/build_library/catalyst.sh index 5df356559e..6b3f571966 100644 --- a/build_library/catalyst.sh +++ b/build_library/catalyst.sh @@ -120,7 +120,7 @@ cat < Date: Tue, 11 Jun 2019 21:39:02 +0000 Subject: [PATCH 03/11] disk_layout: bump dev container from 3 to 4GB Builds are beginning to run out of space with 3GB. Bump to 4GB. --- build_library/disk_layout.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_library/disk_layout.json b/build_library/disk_layout.json index 006eddb25f..04cceaba14 100644 --- a/build_library/disk_layout.json +++ b/build_library/disk_layout.json @@ -131,7 +131,7 @@ "label":"ROOT", "fs_label":"ROOT", "type":"4f68bce3-e8cd-4db1-96e7-fbcaf984b709", - "blocks":"6291456" + "blocks":"8388608" } }, "interoute":{ From 0bcf0e9fcf7d6cae901bcc449b37a5a0099b4d84 Mon Sep 17 00:00:00 2001 
From: David Michael
Date: Fri, 31 May 2019 17:47:14 +0000
Subject: [PATCH 04/11] jenkins: Move workspace cleanup to the pipeline More space can be saved by removing things that get overwritten on the next job run, but they are used after this script runs (e.g. for fingerprinting). Drop the cleanup from these scripts and move it all to the post-build pipeline stage.
---
 jenkins/sdk.sh | 3 ---
 jenkins/toolchains.sh | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/jenkins/sdk.sh b/jenkins/sdk.sh
index ca482dd2b6..bfb472f479 100644
--- a/jenkins/sdk.sh
+++ b/jenkins/sdk.sh
@@ -20,6 +20,3 @@ enter sudo ${S}/bootstrap_sdk \
 --sign_digests="${SIGNING_USER}" \
 --upload_root="${UPLOAD_ROOT}" \
 --upload
-
-# Free some disk space only on success to allow debugging failures.
-sudo rm -rf src/build/catalyst/builds
diff --git a/jenkins/toolchains.sh b/jenkins/toolchains.sh
index e46ecf8c56..07df58bf42 100644
--- a/jenkins/toolchains.sh
+++ b/jenkins/toolchains.sh
@@ -20,6 +20,3 @@ enter sudo ${S}/build_toolchains \
 --sign_digests="${SIGNING_USER}" \
 --upload_root="${UPLOAD_ROOT}" \
 --upload
-
-# Free some disk space only on success to allow debugging failures.
-sudo rm -rf src/build/catalyst/builds
From e45c7f1ec13b66db87a328ae1b2255727f1dd2ca Mon Sep 17 00:00:00 2001
From: David Michael
Date: Sat, 1 Jun 2019 23:10:38 +0000
Subject: [PATCH 05/11] jenkins: Make the package build ccache more visible
---
 jenkins/packages.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jenkins/packages.sh b/jenkins/packages.sh
index cea5b5aee5..25233e27f8 100644
--- a/jenkins/packages.sh
+++ b/jenkins/packages.sh
@@ -2,7 +2,7 @@
 # Use a ccache dir that persists across SDK recreations.
 # XXX: alternatively use a ccache dir that is usable by all jobs on a given node.
-mkdir -p .cache/ccache
+mkdir -p ccache
 enter() {
 local verify_key=
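Review bot: In jenkins/packages.sh the cache location is now spelled twice and the two spellings must stay in step: `mkdir -p ccache` in the first hunk creates it relative to the job's working directory, while `CCACHE_DIR=/mnt/host/source/ccache` in the following `enter()` hunk names it from inside the chroot. Nothing visible ties the two together, so a later rename of one would leave ccache writing to a directory that is not the persisted one; a single variable would do, e.g. `ccache_dir=ccache`, then `mkdir -p "${ccache_dir}"` and `CCACHE_DIR="/mnt/host/source/${ccache_dir}"`. Because this cache outlives SDK recreations and feeds later package builds, the comment above `mkdir` should also state who is expected to be able to write to it (presumably only this job's workspace). `enter()` continues outside both hunks.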
@@ -13,7 +13,7 @@ enter() {
 sudo ln -f "${GOOGLE_APPLICATION_CREDENTIALS}" \
 chroot/etc/portage/gangue.json
 bin/cork enter --bind-gpg-agent=false -- env \
- CCACHE_DIR=/mnt/host/source/.cache/ccache \
+ CCACHE_DIR=/mnt/host/source/ccache \
 CCACHE_MAXSIZE=5G \
 COREOS_DEV_BUILDS="${DOWNLOAD_ROOT}" \
 {FETCH,RESUME}COMMAND_GS="/usr/bin/gangue get \
From faf07f1b8f24c5ec82305579337e074af3a9b818 Mon Sep 17 00:00:00 2001
From: David Michael
Date: Sat, 3 Aug 2019 16:24:27 +0000
Subject: [PATCH 06/11] build_library: Add temporary workaround for binutils update Revert this after the new binutils is built into the SDK.
---
 build_library/toolchain_util.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build_library/toolchain_util.sh b/build_library/toolchain_util.sh
index 2b3969af8c..0e058219e6 100644
--- a/build_library/toolchain_util.sh
+++ b/build_library/toolchain_util.sh
@@ -188,7 +188,7 @@ get_cross_pkgs() {
 }
 # Get portage arguments restricting toolchains to binary packages only.
-get_binonly_args() {
+get_binonly_args() { return ;
 local pkgs=( "${TOOLCHAIN_PKGS[@]}" $(get_cross_pkgs "$@") )
 echo "${pkgs[@]/#/--useoldpkg-atoms=}" "${pkgs[@]/#/--rebuild-exclude=}"
 }
From 0148b0df16f9849d08772962502ed96a1f8b158d Mon Sep 17 00:00:00 2001
From: David Michael
Date: Mon, 5 Aug 2019 10:52:44 -0400
Subject: [PATCH 07/11] jenkins: Stop trying to install catalyst It's already built into the SDK.
---
 jenkins/sdk.sh | 4 +---
 jenkins/toolchains.sh | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/jenkins/sdk.sh b/jenkins/sdk.sh
index bfb472f479..2606ebe672 100644
--- a/jenkins/sdk.sh
+++ b/jenkins/sdk.sh
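Review bot: In build_library/toolchain_util.sh the added `return ;` sits on the `get_binonly_args() {` line with no comment, so the function now prints nothing while the comment above it still says it restricts toolchains to binary packages; the only record that this is temporary is the commit message. A bare `return` also passes on the exit status of whatever command ran before the call, which a caller checking the status would not expect. I would put it on its own line as `return 0  # TEMPORARY: binary-only restriction off until the SDK ships the new binutils; revert afterwards`. The callers are outside this hunk, so it is worth confirming that an empty result is acceptable to each of them, since presumably toolchain packages may then be rebuilt from source instead of being taken from binary packages.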
@@ -13,9 +13,7 @@ gpg --import "${GPG_SECRET_KEY_FILE}"
 # Wipe all of catalyst.
 sudo rm -rf src/build
-S=/mnt/host/source/src/scripts
-enter sudo emerge -uv --jobs=2 catalyst
-enter sudo ${S}/bootstrap_sdk \
+enter sudo /mnt/host/source/src/scripts/bootstrap_sdk \
 --sign="${SIGNING_USER}" \
 --sign_digests="${SIGNING_USER}" \
 --upload_root="${UPLOAD_ROOT}" \
diff --git a/jenkins/toolchains.sh b/jenkins/toolchains.sh
index 07df58bf42..92479e9157 100644
--- a/jenkins/toolchains.sh
+++ b/jenkins/toolchains.sh
@@ -13,9 +13,7 @@ gpg --import "${GPG_SECRET_KEY_FILE}"
 # Wipe all of catalyst.
 sudo rm -rf src/build
-S=/mnt/host/source/src/scripts
-enter sudo emerge -uv --jobs=2 catalyst
-enter sudo ${S}/build_toolchains \
+enter sudo /mnt/host/source/src/scripts/build_toolchains \
 --sign="${SIGNING_USER}" \
 --sign_digests="${SIGNING_USER}" \
 --upload_root="${UPLOAD_ROOT}" \
From 9b863fa7ae8ecee9c72e40c964d5f160d458ce82 Mon Sep 17 00:00:00 2001
From: David Michael
Date: Thu, 8 Aug 2019 15:53:06 +0000
Subject: [PATCH 08/11] Revert "build_library: Add temporary workaround for binutils update" This reverts commit faf07f1b8f24c5ec82305579337e074af3a9b818.
---
 build_library/toolchain_util.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build_library/toolchain_util.sh b/build_library/toolchain_util.sh
index 0e058219e6..2b3969af8c 100644
--- a/build_library/toolchain_util.sh
+++ b/build_library/toolchain_util.sh
@@ -188,7 +188,7 @@ get_cross_pkgs() {
 }
 # Get portage arguments restricting toolchains to binary packages only.
-get_binonly_args() { return ;
+get_binonly_args() {
 local pkgs=( "${TOOLCHAIN_PKGS[@]}" $(get_cross_pkgs "$@") )
 echo "${pkgs[@]/#/--useoldpkg-atoms=}" "${pkgs[@]/#/--rebuild-exclude=}"
 }
From 3d60305f24aac79dade4e7c20a3a8d395621422a Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh
Date: Fri, 23 Aug 2019 20:51:02 +0000
Subject: [PATCH 09/11] setup_board: add workaround for binutils issue Add a workaround to be sure we're using the correct binutils when SDK sharing.
---
 setup_board | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/setup_board b/setup_board
index 73a8b8cb73..88602c041c 100755
--- a/setup_board
+++ b/setup_board
@@ -339,6 +339,11 @@ if [ $FLAGS_default -eq $FLAGS_TRUE ] ; then
 echo $BOARD_VARIANT > "$GCLIENT_ROOT/src/scripts/.default_board"
 fi
+# workaround for https://wiki.gentoo.org/wiki/Binutils_2.32_upgrade_notes/elfutils_0.175:_unable_to_initialize_decompress_status_for_section_.debug_info
+# can be dropped once all channels use 2.32 (i.e 2229.x.y+)
+sudo binutils-config 'x86_64-cros-linux-gnu-2.32'
+sudo binutils-config 'x86_64-pc-linux-gnu-2.32'
+
 command_completed
 info "The SYSROOT is: ${BOARD_ROOT}"
From 02ac9cb5b87b83f5ee9ef97776b70943e3f9e94f Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh
Date: Sat, 24 Aug 2019 00:48:45 +0000
Subject: [PATCH 10/11] Revert "setup_board: add workaround for binutils issue" This reverts commit 3d60305f24aac79dade4e7c20a3a8d395621422a.
---
 setup_board | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/setup_board b/setup_board
index 88602c041c..73a8b8cb73 100755
--- a/setup_board
+++ b/setup_board
@@ -339,11 +339,6 @@ if [ $FLAGS_default -eq $FLAGS_TRUE ] ; then
 echo $BOARD_VARIANT > "$GCLIENT_ROOT/src/scripts/.default_board"
 fi
-# workaround for https://wiki.gentoo.org/wiki/Binutils_2.32_upgrade_notes/elfutils_0.175:_unable_to_initialize_decompress_status_for_section_.debug_info
-# can be dropped once all channels use 2.32 (i.e 2229.x.y+)
-sudo binutils-config 'x86_64-cros-linux-gnu-2.32'
-sudo binutils-config 'x86_64-pc-linux-gnu-2.32'
-
 command_completed
 info "The SYSROOT is: ${BOARD_ROOT}"
From 97e61a164ba2d6c3a43bbfe4aa872d9ec1140316 Mon Sep 17 00:00:00 2001
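Review bot: In the setup_board hunk of PATCH 09, the two added `sudo binutils-config '...-2.32'` calls run unconditionally on every invocation, hard-code both the x86_64 targets and the version, and their exit status is never checked. If the 2.32 profile is not installed in the SDK in use the call fails, and whether that stops the script or is silently ignored depends on shell options not visible in this hunk. The calls also change the SDK-wide binutils selection as a side effect of setting up one board, which the comment does not say; I would add `# NOTE: switches the active binutils for the whole SDK, not just this board` and check each call's status, reporting a clear error when the profile is missing. The surrounding script body is outside the hunk.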
From: Benjamin Gilbert
Date: Sat, 24 Aug 2019 01:28:29 -0400
Subject: [PATCH 11/11] test_image_content: whitelist polkit GLSA Both CVE fixes were backported.
---
 build_library/test_image_content.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build_library/test_image_content.sh b/build_library/test_image_content.sh
index 1071465c04..4eae612f57 100644
--- a/build_library/test_image_content.sh
+++ b/build_library/test_image_content.sh
@@ -4,6 +4,7 @@
 GLSA_WHITELIST=(
 201412-09 # incompatible CA certificate version numbers
+ 201908-14 # backported both CVE fixes
 )
 glsa_image() {
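Review bot: The new `201908-14` entry in `GLSA_WHITELIST` carries only `# backported both CVE fixes`, which names neither the package nor where the backport lives, so a later reader of build_library/test_image_content.sh cannot verify the exemption or tell when it can be removed. A whitelist entry presumably silences the advisory for as long as it stays in the list, including after a later polkit change that drops the backported patches. I would write it as `201908-14 # polkit: both CVE fixes backported (<backport commit or ebuild revision>); remove once polkit is at or past the GLSA's fixed version`, with the placeholder filled in. `glsa_image()` begins on the last line of the hunk and its body is outside it.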