The diffutils package provides the "cmp" and "diff" tools which are
essential commands in shell scripts. They used to be pulled in by
audit but the update in
https://github.com/flatcar-linux/coreos-overlay/pull/537
caused them to be dropped.
Add them to the explicit list of base packages to ensure they are
installed.
Because the --root option restricts systemd-tmpfiles to the passwd
database file in the package chroot it can't resolve the core user
and fails to set up the home folder from the baselayout-home.conf
directives.
Create the folder manually because creating a /etc/passwd file in
the package chroot would at installation overwrite the SDK user.
This reverts commit c414b38c7c56dafb05a86040443c634763527f05.
The real DNS server IP addresses should be in /etc/resolve.conf and not
just 127.0.0.53 because all cases that bind-mount /etc/resolve.conf
into a new network namespace can't reach the loopback interface that
resolved is listening on.
systemd-tmpfiles in systemd v246 requires the user/group databases in
the custom root if it gets passed with --root flag. This requires a
new version of baselayout to be pulled, so do so.
DTC (Device Tree Compiler) source tree in Flatcar Kernel modules
unnecessarily takes too much space, especially the `include-prefixes`
directory.
```
$ sudo du -a /usr/lib64/modules/$(uname -r)/source/ | sort -n -r | head -n5
130100 /usr/lib64/modules/5.8.11-flatcar/source/
69180 /usr/lib64/modules/5.8.11-flatcar/source/include
56324 /usr/lib64/modules/5.8.11-flatcar/source/scripts
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc
50728 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/include-prefixes
$ sudo ls /usr/lib64/modules/$(uname -r)/source/scripts/dtc/include-prefixes/
arc arm arm64 c6x dt-bindings h8300 microblaze mips nios2 openrisc powerpc sh xtensa
```
Most of them are for architectures that are not supported by Flatcar, so
we can remove them from the production image.
OTOH, as `dt-bindings` looks more like an architecture-independent one,
for now we keep it.
Before:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
250308 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 934152 21592 98% /usr
```
After:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
6632 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
205144 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 907628 48116 95% /usr
```
Compress every kernel module with xz (lzma), to make more free space
in the rootfs.
Before:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
90472 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
After:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
26908 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 845468 110276 89% /usr
```
Add new binaries containerd-runc-shim-v[12] to the torcx tarballs for
docker and containerd. The binaries are necessary for kubelet to
communicate via custom CRI endpoints.
The addition will cause usage of the /usr partition to grow by ~5M.
```
$ ls -l /run/torcx/unpack/docker/bin
-rwxr-xr-x. 1 root root 6742592 Sep 30 13:22 containerd-shim
-rwxr-xr-x. 1 root root 9095176 Sep 30 13:22 containerd-shim-runc-v1
-rwxr-xr-x. 1 root root 9111752 Sep 30 13:22 containerd-shim-runc-v2
$ ls -l /usr/share/torcx/store/docker\:19.03.torcx.tgz
-rw-r--r--. 1 root root 89809888 Sep 30 14:16 /usr/share/torcx/store/docker:19.03.torcx.tgz
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
Note, we do not touch other torcx profiles like docker 1.12 or 17.03,
to keep the image size as small as possible.
The use flag enables building audisp, auditd, aureport, ausearch and
probably some other tools. Not sure what's the reason for adding such
a use flag other than disabling the build of the binaries. The daemon
use flag is nowhere set, so these things are not built by default.
The ebuild is in the portage-stable repository but we need this patch in
coreos-overlay to avoid this error:
> The following keyword changes are necessary to proceed:
> (see "package.accept_keywords" in the portage(5) man page for more details)
> # required by sys-apps/systemd-245-r3::coreos[seccomp]
> # required by app-misc/ca-certificates-3.27.1-r1::coreos
> # required by dev-libs/openssl-1.1.1g::coreos
> # required by net-misc/rsync-3.2.3::portage-stable[-libressl,ssl,-static]
> # required by sys-apps/portage-2.3.40-r1::coreos[-build]
> # required by app-admin/perl-cleaner-2.27::portage-stable
> # required by dev-lang/perl-5.26.2::portage-stable
> # required by sys-apps/help2man-1.45.1::portage-stable
> # required by sys-devel/automake-1.16.1-r1::portage-stable
> # required by dev-libs/libxml2-2.9.8::portage-stable
> # required by x11-misc/shared-mime-info-1.4::portage-stable
> # required by dev-libs/gobject-introspection-1.40.0-r1::portage-stable
> # required by sys-auth/polkit-0.113-r5::coreos[introspection]
> =sys-libs/libseccomp-2.5.0 ~amd64
The savedconfig feature reads and, if not set, generates a file under
/etc/portage/savedconfig/ to source a build configuration. We probably
don't want this and specially not on the final image, therefore,
disable reading and also don't write the file to the final image.
These normally would be pulled by systemdctl enable when enabling
systemd-networkd.service, because they are used in Also= options. In
such case, we need to pull them ourselves, so they can be enabled in
/usr, not in /etc.
We are installing systemd from scratch in the image, so there are no
previously enabled units to enable or reenable after
installation. Also, this code would enable the services in /etc, which
we don't want, because /etc is not autoupdated, so the enabled
services could end up still being disabled after the update.