The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't
used in Flatcar and so far it seems that the backdoor wouldn't even be
compiled for Gentoo. However, so far we don't know whether the other
patches are malicious.

Revert to 5.4.2 as the last known-good release (like Gentoo did).

Note that the Flatcar main branch had a copy of the 5.6 ebuild but was
not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor, but
the malicious contributor made other changes of unclear impact as part of
this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These
should get downgraded, too.

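The check behind this revert is "which shipped versions are newer than the last known-good upstream release". The script below is an added example, not part of the commit or the Flatcar tree: it strips the Gentoo `-rN` revision suffix (a revision changes the ebuild, not the upstream tarball) and compares the remaining dotted version against the known-good 5.4.2 with plain awk, so it needs no `sort -V`. The version list at the end is constructed from the channel versions named in the commit.

```shell
#!/bin/sh
# Added example: flag versions newer than the last known-good upstream release.
KNOWN_GOOD="5.4.2"

# upstream_version VER: drop a Gentoo revision suffix such as "-r1"
upstream_version() {
    printf '%s\n' "$1" | sed 's/-r[0-9]*$//'
}

# version_gt A B: succeed when upstream version A is strictly newer than B.
# Compares dot-separated numeric components; missing components count as 0.
version_gt() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    [ "$a" = "$b" ] && return 1
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# needs_downgrade VER: print "downgrade" when VER is past the known-good release, else "ok"
needs_downgrade() {
    if version_gt "$1" "$KNOWN_GOOD"; then
        echo downgrade
    else
        echo ok
    fi
}

# Constructed sample: the channel versions mentioned in the commit plus the backdoored release
for v in 5.4.2 5.4.3 5.4.5 5.4.6-r1 5.6.1; do
    printf '%-10s %s\n' "$v" "$(needs_downgrade "$v")"
done
```

Running it prints `ok` only for 5.4.2; every Alpha/Beta/Stable version listed in the commit is reported as needing a downgrade, which matches the commit's conclusion.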
These come from ChromeOS; we don't ship and never shipped anything under those
licenses with Flatcar.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>

We currently ship an amd64 binary of thin-provisioning-tools on arm64.
To fix this, add a hook that hijacks src_unpack and calls the
cross-compilation friendly implementation. We also need to fix up the
src_install implementation, since it looks for the produced binary in the
default cargo location.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>

Gentoo's cargo-based ebuilds don't cross-compile well, so we need a way
to inject coreos-cargo.eclass into them. Otherwise we'd need to fork the
ebuilds into coreos-overlay and maintain them ourselves.

The way we can do this is by sourcing the eclass from cros hooks and
overriding src_unpack to call the eclass implementation. Inheriting an
eclass is not allowed from hooks. Since we can't call any of the
inherits, a variable is introduced to skip them and EXPORT_FUNCTIONS.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>

This change updates coreos-cloudinit to the latest flatcar-master commit.

This change disables user-configdrive.service on OpenStack,
as coreos-cloudinit.service already runs on OpenStack when the system is
not configured via Ignition.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>

We could use systemd-cryptenroll and cryptsetup with a TPM device, but
so far the support was not compiled in.

Enable the USE flags for TPM2 support in systemd.

The goal is to enable ntpd by default on AWS/GCP using the cloud-provided
NTP endpoint. Enabling ntpd.service is the easy part. Enabling the correct NTP
server is trickier. I would love to ship an OEM-specific ntp.conf, but this
might interfere with user modifications to either ntpd.service or ntp.conf.

The safest way to implement this is to add the AWS/GCP time sync addresses
(which are link-local addresses) to the default ntp.conf. This will work
on AWS/GCP, where ntpd will be enabled by default, and if a user on another
platform enables ntpd they will simply have a non-responsive source in
their server list, which is not a problem for ntpd.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
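For reference, the two link-local sources the commit refers to are the AWS Time Sync Service at 169.254.169.123 and the GCP metadata server at 169.254.169.254 (also resolvable as metadata.google.internal). The fragment below is an added illustration of the approach, not Flatcar's shipped ntp.conf: the driftfile path, the public fallback pool and the restrict lines are assumed for a minimal file, and only the two `server` lines carry the commit's design.

```conf
# Added example of a default ntp.conf with the cloud link-local sources.
# Assumed minimal file, not the ntp.conf shipped by Flatcar.
driftfile /var/lib/ntp/ntp.drift

# AWS Time Sync Service: link-local, only answers inside AWS
server 169.254.169.123 iburst

# GCP metadata server (metadata.google.internal): link-local, only answers inside GCP
server 169.254.169.254 iburst

# Public fallback for platforms where neither link-local source responds (assumed)
pool 2.pool.ntp.org iburst

# Serve time only; refuse remote configuration, traps and peer queries (assumed)
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

On a platform other than AWS or GCP the link-local servers never reply, so ntpd marks them unreachable and keeps syncing from whatever else is in the list, which is exactly the "non-responsive source" behaviour the commit relies on.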