We only allow one version of Python in the SDK and generic images, but
this creates friction during the SDK build where the seed still has
an old version of Python and the stage1 is supposed to have the new
one, and thus we end up with slot conflicts for python packages - I
don't really understand what is going on (there are python packages in
the seed image that are built for old Python and emerge wants to
install the same packages in the seed but built for the new Python and
it can't work its way around it.)
Allowing both versions of Python to coexist in stage1 seems to be
moving things forward. Stage3 image (stage2 is skipped) will contain
only the new version of Python.
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Try to do it in a kinda-sorta proper Gentoo way - with
PYTHON_TARGETS and PYTHON_SINGLE_TARGET variables in
make.defaults. Still need to disable all other versions of python,
otherwise our settings get merged with settings from base Gentoo
profiles, which currently enable python 3.13. And we also need to keep
masking the other python versions, because emerge still for some
reason wants to install python 3.13 or 3.14 for some packages, despite
the settings in PYTHON_TARGETS.
We are not bumping to 3.13, because sec-policy/selinux-base
PYTHON_COMPAT is still on at most 3.12.
Note that this change still allows python 3.11 in PYTHON_TARGETS for a
transition period. Otherwise the SDK builds do not go past stage1. We
only restrict generic images to 3.12 only, otherwise we would end up
with two python versions installed in sysext images.
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
We often do development work on Ignition, so this is useful to have. The
ebuild will not work with Flatcar as-is because it lacks our patches,
but it can still be used in conjunction with flatcar_workon. We cannot
apply the patches unconditionally because they are unlikely to apply.
They do not apply right now.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
A `server` USE flag avoids including that binary. The client tools now
include etcdutl for performing defragmentation and snapshot restoration
on local data.
We previously built etcdctl with `CGO_ENABLED=0`, apparently for
consistency when cross-compiling, but we have since fixed that.
Gentoo's package is not currently stabilised for arm64, as I have only
just added that keyword while bumping to the latest release. The latest
stable release is a little old, but still much newer than ours.
Closes: https://github.com/flatcar/Flatcar/issues/1932
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
I have submitted a PR upstream so that they can automatically create a
vendor tarball with each release. In the meantime, I have hosted one in
my Gentoo dev space.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Setting an absolute list was preventing newer options from being
enabled, leading to this scary error message from newer clients.
    $ ssh flatcar
    Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
    ** WARNING: connection is not using a post-quantum key exchange algorithm.
    ** This session may be vulnerable to "store now, decrypt later" attacks.
    ** The server may need to be upgraded. See https://openssh.com/pq.html
    Last login: Wed Oct 15 10:05:46 UTC 2025 from 10.0.2.2 on pts/0
    Flatcar Container Linux by Kinvolk beta 4426.1.0 for QEMU
After going through each of the options, the only ones we were adding
above the current 10.2p1 defaults were the diffie-hellman-group KEX
algorithms. These were dropped upstream in 2024 because they are slower
while providing no benefit over other options. The continued presence of
ecdh-sha2-nistp256 ensures compatibility with default clients at least
as far back as 2016.
I think we should just continue to follow the upstream defaults unless
some significant client breakage is reported. They're usually quite
forgiving.
The order of these is significant, and our order did differ from
upstream's slightly, but I trust their order over ours.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
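
An added example, not part of the commit above or of Flatcar's code: a Python check that reports whether an sshd_config pins an absolute KexAlgorithms list (which replaces the built-in defaults, the situation the last message describes) or uses the `+`/`-`/`^` modifier form, which edits the defaults instead. The names `audit_kex`, `PQ_KEX` and `SAMPLE` are hypothetical, and the sample configuration is constructed.

```python
import re

# Hybrid post-quantum KEX names known to current OpenSSH releases.
PQ_KEX = {
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}

# Constructed sample for illustration; not Flatcar's actual sshd_config.
SAMPLE = """\
# constructed sshd_config fragment
Port 22
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
"""


def audit_kex(config_text):
    """Return (lineno, verdict, detail) for every KexAlgorithms directive."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"kexalgorithms[\s=]+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1)
        if value[0] in "+-^":
            # Modifier form edits the built-in default list, so algorithms
            # added to the defaults by a later OpenSSH release still apply.
            findings.append((lineno, "relative", value[0]))
            continue
        # Absolute form replaces the defaults: nothing outside it is offered.
        algos = value.split(",")
        legacy = [a for a in algos if a.startswith("diffie-hellman-group")]
        verdict = "absolute" if PQ_KEX & set(algos) else "absolute-no-pq"
        findings.append((lineno, verdict, legacy))
    return findings


if __name__ == "__main__":
    for lineno, verdict, detail in audit_kex(SAMPLE):
        print(f"line {lineno}: {verdict} {detail}")
```

A verdict of `absolute-no-pq` marks a list that would trigger the client warning quoted above; the third field lists any diffie-hellman-group entries the pinned list still carries.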