2572 Commits

Author SHA1 Message Date
Michael Marineau
18ef5053fa Merge pull request #1357 from marineam/portage
Portage 2.2.20
2015-07-14 13:07:55 -07:00
Nick Owens
8953d3be9b Merge pull request #1362 from mischief/systemd
sys-apps/systemd: sync with coreos/systemd v222
2015-07-14 12:51:39 -07:00
Nick Owens
a71579ae01 sys-apps/systemd: sync with coreos/systemd v222 2015-07-14 12:43:26 -07:00
Michael Marineau
154f980ad1 Merge pull request #1356 from marineam/systemd
systemd: sync with upstream, dropping python use flag
2015-07-14 11:44:28 -07:00
Michael Marineau
fe3b111c6a coreos-kernel: add -fstack-check=no to kernel build
In addition to enabling PIE and stack protector, hardened compilers also
enable the -fstack-check option which I had previously overlooked,
conflating it with -fstack-protector which the kernel build already
handles properly. This is the second time I hit this trying to use
ccache, I forgot that -nopie was insufficient for kernel builds. Last
time around reverted in cd043688f09b22ccf245ffd11f8a22a5ff31e577.

At least this time I finally dug deep enough to find the cause instead
of setting myself up for repeating history in another 6 months. For
reference the issue is that the Go 1.3.x runtime can call clock_gettime
with a very small stack. If the vDSO library was built with
-fstack-check it will attempt to write 0 to a location beyond the end of
the very small stack, triggering SEGV:

    Dump of assembler code for function __vdso_clock_gettime:
       0x00007ffff7ffaa50 <+0>:     push   %rbp
       0x00007ffff7ffaa51 <+1>:     mov    %rsp,%rbp
       0x00007ffff7ffaa54 <+4>:     push   %r14
       0x00007ffff7ffaa56 <+6>:     push   %r13
       0x00007ffff7ffaa58 <+8>:     push   %r12
       0x00007ffff7ffaa5a <+10>:    push   %rbx
       0x00007ffff7ffaa5b <+11>:    sub    $0x1038,%rsp
    => 0x00007ffff7ffaa62 <+18>:    orq    $0x0,(%rsp)
       0x00007ffff7ffaa67 <+23>:    add    $0x1020,%rsp
2015-07-13 23:22:46 -07:00
Michael Marineau
4aef6d7d80 portage: apply CoreOS patches to 2.2.20 ebuild
The 2.2.18 patches apply as-is except for the unicode fix which was
resolved upstream.
2015-07-11 19:03:11 -07:00
Michael Marineau
56de858200 portage: import latest stable from upstream 2015-07-11 18:54:46 -07:00
Michael Marineau
c9e61269d2 systemd: sync with upstream, dropping python use flag
Upstream moved the python stuff to its own package which we don't need
anyway. Cleans up dependencies a bit but all the changes are in use
flags we don't enable so nothing impacts us. Our delta is now:

```patch
--- gentoo-x86/sys-apps/systemd/systemd-9999.ebuild	2015-07-11 12:19:02.628603502 -0700
+++ coreos-overlay/sys-apps/systemd/systemd-9999.ebuild	2015-07-11 12:33:19.136880252 -0700
@@ -7,16 +7,23 @@
 AUTOTOOLS_AUTORECONF=yes
 AUTOTOOLS_PRUNE_LIBTOOL_FILES=all
 PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+CROS_WORKON_PROJECT="coreos/systemd"
+CROS_WORKON_REPO="git://github.com"

 if [[ ${PV} == 9999 ]]; then
-	EGIT_REPO_URI="https://github.com/systemd/systemd.git"
-	inherit git-r3
+	# Use ~arch instead of empty keywords for compatibility with cros-workon
+	KEYWORDS="~amd64 ~arm64 ~arm ~x86"
 else
-	SRC_URI="https://github.com/systemd/systemd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-	KEYWORDS="~amd64 ~arm ~ia64 ~x86"
+	CROS_WORKON_COMMIT="015325350548732458e61c193f5fab6f139f47fc"
+	KEYWORDS="amd64 arm64 ~arm ~x86"
 fi
 UNIFONT=unifont-8.0.01
-SRC_URI+=" terminal? ( http://unifoundry.com/pub/${UNIFONT}/font-builds/${UNIFONT}.hex.gz )"
+SRC_URI="terminal? ( http://unifoundry.com/pub/${UNIFONT}/font-builds/${UNIFONT}.hex.gz )"
+
+# cros-workon must be imported first, in cases where cros-workon and
+# another eclass exports the same function (say src_compile) we want
+# the later eclass's version to win. Only need src_unpack from workon.
+inherit cros-workon

 inherit autotools-utils bash-completion-r1 linux-info multilib \
 	multilib-minimal pam python-any-r1 systemd toolchain-funcs udev \
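Review bot: `CROS_WORKON_REPO="git://github.com"` near the top of this hunk replaces the upstream `https://` fetch with the unauthenticated, unencrypted git protocol, so nothing on the wire protects the checkout from tampering. The release branch sets `CROS_WORKON_COMMIT`, which presumably pins the tree, but the `9999` branch sets no commit and so appears to build whatever the remote serves. If cros-workon accepts it, prefer `CROS_WORKON_REPO="https://github.com"`, or add a comment explaining why `git://` is required. The same assignment appears in the first hunk of the delta quoted under 31b85412dd. The `inherit` statement on the last lines of the hunk continues outside it.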
@@ -31,6 +38,9 @@
 	idn importd +kdbus +kmod +lz4 lzma nat pam policykit
 	qrcode +seccomp selinux ssl sysv-utils terminal test vanilla xkb"

+# CoreOS specific use flags
+IUSE+=" man symlink-usr"
+
 REQUIRED_USE="importd? ( curl gcrypt lzma )"

 MINKV="3.8"
@@ -82,7 +92,6 @@
 # sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
 PDEPEND=">=sys-apps/dbus-1.6.8-r1:0[systemd]
 	>=sys-apps/hwids-20130717-r1[udev]
-	>=sys-fs/udev-init-scripts-25
 	policykit? ( sys-auth/polkit )
 	!vanilla? ( sys-apps/gentoo-systemd-integration )"

@@ -101,14 +110,13 @@
 	terminal? ( ${PYTHON_DEPS} )
 	test? ( >=sys-apps/dbus-1.6.8-r1:0 )"

-if [[ -n ${AUTOTOOLS_AUTORECONF} ]]; then
-	DEPEND+="
-		app-text/docbook-xml-dtd:4.2
+# Not required when building from unpatched tarballs, but we build from git.
+DEPEND+="
+	man? ( app-text/docbook-xml-dtd:4.2
 		app-text/docbook-xml-dtd:4.5
 		app-text/docbook-xsl-stylesheets
-		dev-libs/libxslt:0
-		>=dev-libs/libgcrypt-1.4.5:0"
-fi
+		dev-libs/libxslt:0 )
+	>=dev-libs/libgcrypt-1.4.5:0"

 pkg_pretend() {
 	local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
@@ -154,7 +162,7 @@

 src_unpack() {
 	default
-	[[ ${PV} != 9999 ]] || git-r3_src_unpack
+	cros-workon_src_unpack
 }

 src_prepare() {
@@ -179,9 +187,7 @@

 multilib_src_configure() {
 	local myeconfargs=(
-		# disable -flto since it is an optimization flag
-		# and makes distcc less effective
-		cc_cv_CFLAGS__flto=no
+		--with-pamconfdir=/usr/share/pam.d

 		# Workaround for gcc-4.7, bug 554454.
 		cc_cv_CFLAGS__Werror_shadow=no
@@ -228,6 +234,7 @@
 		$(multilib_native_use_enable kmod)
 		$(use_enable lz4)
 		$(use_enable lzma xz)
+		$(multilib_native_use_enable man manpages)
 		$(multilib_native_use_enable nat libiptc)
 		$(multilib_native_use_enable pam)
 		$(multilib_native_use_enable policykit polkit)
@@ -248,11 +255,19 @@
 		EFI_CC="$(tc-getCC)"

 		# dbus paths
-		--with-dbuspolicydir="${EPREFIX}/etc/dbus-1/system.d"
+		--with-dbuspolicydir="${EPREFIX}/usr/share/dbus-1/system.d"
 		--with-dbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
 		--with-dbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"

-		--with-ntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+		--with-ntp-servers="0.coreos.pool.ntp.org 1.coreos.pool.ntp.org 2.coreos.pool.ntp.org 3.coreos.pool.ntp.org"
+
+		# The CoreOS epoch, Mon Jul  1 00:00:00 UTC 2013. Used by timesyncd
+		# as a sanity check for the minimum acceptable time. Explicitly set
+		# to avoid using the current build time.
+		--with-time-epoch=1372636800
+
+		# no default name servers
+		--with-dns-servers=
 	)

 	if ! multilib_is_native_abi; then
@@ -324,38 +339,81 @@
 }

 multilib_src_install_all() {
+	local unitdir=$(systemd_get_unitdir)
+
 	prune_libtool_files --modules
 	einstalldocs

 	if use sysv-utils; then
+		local prefix
+		use symlink-usr && prefix=/usr
 		for app in halt poweroff reboot runlevel shutdown telinit; do
-			dosym "..${ROOTPREFIX-/usr}/bin/systemctl" /sbin/${app}
+			dosym "${ROOTPREFIX-/usr}/bin/systemctl" ${prefix}/sbin/${app}
 		done
-		dosym "..${ROOTPREFIX-/usr}/lib/systemd/systemd" /sbin/init
-	else
+		dosym "${ROOTPREFIX-/usr}/lib/systemd/systemd" ${prefix}/sbin/init
+	elif use man; then
 		# we just keep sysvinit tools, so no need for the mans
 		rm "${D}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 \
 			|| die
 		rm "${D}"/usr/share/man/man1/init.1 || die
 	fi

-	# Disable storing coredumps in journald, bug #433457
-	mv "${D}"/usr/lib/sysctl.d/50-coredump.conf{,.disabled} || die
-
-	# Preserve empty dirs in /etc & /var, bug #437008
-	keepdir /etc/binfmt.d /etc/modules-load.d /etc/tmpfiles.d \
-		/etc/systemd/ntp-units.d /etc/systemd/user /var/lib/systemd \
-		/var/log/journal/remote
-
-	# Symlink /etc/sysctl.conf for easy migration.
-	dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
-
-	# If we install these symlinks, there is no way for the sysadmin to remove them
-	# permanently.
-	rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die
-	rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die
-	rm -r "${D}"/etc/systemd/system/network-online.target.wants || die
-	rm -r "${D}"/etc/systemd/system/sysinit.target.wants || die
+	# Ensure journal directory has correct ownership/mode in inital image.
+	# This is fixed by systemd-tmpfiles *but* journald starts before that
+	# and will create the journal if the filesystem is already read-write.
+	# Conveniently the systemd Makefile sets this up completely wrong.
+	dodir /var/log/journal
+	fowners root:systemd-journal /var/log/journal
+	fperms 2755 /var/log/journal
+
+	systemd_dotmpfilesd "${FILESDIR}"/systemd-coreos.conf
+	systemd_dotmpfilesd "${FILESDIR}"/systemd-resolv.conf
+
+	# Don't default to graphical.target
+	rm "${D}${unitdir}"/default.target || die
+	dosym multi-user.target "${unitdir}"/default.target
+
+	# Move a few services enabled in /etc to /usr, delete files individually
+	# so builds fail if systemd adds any new unexpected stuff to /etc
+	local f
+	for f in \
+		getty.target.wants/getty@tty1.service \
+		multi-user.target.wants/remote-fs.target \
+		multi-user.target.wants/systemd-networkd.service \
+		multi-user.target.wants/systemd-resolved.service \
+		network-online.target.wants/systemd-networkd-wait-online.service \
+		sockets.target.wants/systemd-networkd.socket \
+		sysinit.target.wants/systemd-timesyncd.service
+	do
+		local s="${f#*/}" t="${f%/*}"
+		local u="${s/@*.service/@.service}"
+
+		# systemd_enable_service doesn't understand template units
+		einfo "Enabling ${s} via ${t}"
+		dodir "${unitdir}/${t}"
+		dosym "../${u}" "${unitdir}/${t}/${s}"
+
+		rm "${D}/etc/systemd/system/${f}" || die
+	done
+	rmdir "${D}"/etc/systemd/system/*.wants || die
+
+	# Grant networkd access to set the transient host name
+	insinto /usr/share/polkit-1/rules.d
+	doins "${FILESDIR}"/99-org.freedesktop.hostname1.rules
+
+	# Do not enable random services if /etc was detected as empty!!!
+	rm "${D}"/usr/lib/systemd/system-preset/90-systemd.preset
+	insinto /usr/lib/systemd/system-preset
+	doins "${FILESDIR}"/99-default.preset
+
+	# Disable the "First Boot Wizard" by default, it isn't very applicable to CoreOS
+	rm "${D}${unitdir}"/sysinit.target.wants/systemd-firstboot.service
+
+	# Do not ship distro-specific files (nsswitch.conf pam.d)
+	rm -rf "${D}"/usr/share/factory
+	sed -i "${D}"/usr/lib/tmpfiles.d/etc.conf \
+		-e '/^C \/etc\/nsswitch\.conf/d' \
+		-e '/^C \/etc\/pam\.d/d'
 }

 migrate_locale() {
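Review bot: The `rm` of `90-systemd.preset`, the `rm` of `systemd-firstboot.service` and the final `sed -i` on `etc.conf` have no `|| die`, unlike the other removals in `multilib_src_install_all`. These are plain commands rather than ebuild helpers, so if upstream renames or moves one of those files the build would carry on and the image would silently keep the stock preset, the first-boot unit or the `/etc` factory copies that the comments say must not ship. Make each one fail the build, e.g. `rm "${D}"/usr/lib/systemd/system-preset/90-systemd.preset || die`, and append `|| die` after the last `-e` expression of the `sed`. The same three statements appear in the final hunk of the delta quoted under 31b85412dd.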
```
2015-07-11 12:42:39 -07:00
Sam Tresler
037dba3664 Packet OEM 2015-07-10 11:31:16 -04:00
Michael Marineau
becedcdf8e profiles: use compiler hash for ccache
By default ccache checks the compiler's mtime and size but that gets
thrown off by reinstalls, including from binary packages. The
alternative mode reads the compiler binary itself instead. In theory
that may be slower but in reality both modes are effectively the same
speed. ccache will now work under catalyst.
2015-07-09 18:13:30 -07:00
Michael Marineau
4f87afd277 ccache: fix building GCC with ccache enabled 2015-07-09 13:40:01 -07:00
Michael Marineau
1b5d4d776f ccache: import current version from portage-stable 2015-07-09 13:31:42 -07:00
Alex Crawford
f45d0ad703 profiles: remove unneeded entries for openssl 2015-07-09 10:12:18 -07:00
Michael Marineau
0825a88401 systemd: revise python dependencies
Dug more into the build process and python is not strictly required for
man pages, it is only used to create an index which isn't significant.
Only call setup_python when features that *do* need python are enabled.

Fixes bootstrap_sdk which builds systemd with minimal use flags.
2015-07-08 18:35:07 -07:00
Michael Marineau
5b3d82cd08 Merge pull request #1347 from marineam/systemd
systemd: sync with upstream, bump to 222
2015-07-08 17:16:06 -07:00
Michael Marineau
31b85412dd systemd: sync with upstream, bump to 222
Biggest change (beyond the version bump itself) is removing support for
building gudev which is moving out of the systemd repository. Also moves
USE flag changes from IUSE into package.use so the IUSE line doesn't
cause merge conflicts with upstream.

For reference the current delta from upstream is:

```patch
--- gentoo-x86/sys-apps/systemd/systemd-9999.ebuild	2015-07-08 14:20:49.679059002 -0700
+++ coreos-overlay/sys-apps/systemd/systemd-9999.ebuild	2015-07-08 15:51:11.351991236 -0700
@@ -4,18 +4,25 @@

 EAPI=5

+AUTOTOOLS_AUTORECONF=yes
 AUTOTOOLS_PRUNE_LIBTOOL_FILES=all
 PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+CROS_WORKON_PROJECT="coreos/systemd"
+CROS_WORKON_REPO="git://github.com"

 if [[ ${PV} == 9999 ]]; then
-	AUTOTOOLS_AUTORECONF=yes
-	EGIT_REPO_URI="https://github.com/systemd/systemd.git"
-	inherit git-r3
+	# Use ~arch instead of empty keywords for compatibility with cros-workon
+	KEYWORDS="~amd64 ~arm64 ~arm ~x86"
 else
-	SRC_URI="http://www.freedesktop.org/software/systemd/${P}.tar.xz"
-	KEYWORDS="~amd64 ~arm ~ia64 ~x86"
+	CROS_WORKON_COMMIT="9b174479806a66ff3a220a89291a38f8a4fed701"
+	KEYWORDS="amd64 arm64 ~arm ~x86"
 fi

+# cros-workon must be imported first, in cases where cros-workon and
+# another eclass exports the same function (say src_compile) we want
+# the later eclass's version to win. Only need src_unpack from workon.
+inherit cros-workon
+
 inherit autotools-utils bash-completion-r1 linux-info multilib \
 	multilib-minimal pam python-single-r1 systemd toolchain-funcs udev \
 	user
@@ -29,6 +36,9 @@
 	idn importd +kdbus +kmod +lz4 lzma nat pam policykit python
 	qrcode +seccomp selinux ssl sysv-utils terminal test vanilla xkb"

+# CoreOS specific use flags
+IUSE+=" man symlink-usr"
+
 REQUIRED_USE="importd? ( curl gcrypt lzma )
 	python? ( ${PYTHON_REQUIRED_USE} )"

@@ -82,7 +92,6 @@
 # sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
 PDEPEND=">=sys-apps/dbus-1.6.8-r1:0[systemd]
 	>=sys-apps/hwids-20130717-r1[udev]
-	>=sys-fs/udev-init-scripts-25
 	policykit? ( sys-auth/polkit )
 	!vanilla? ( sys-apps/gentoo-systemd-integration )"

@@ -102,19 +111,19 @@
 	terminal? ( media-fonts/unifont[utils(+)] )
 	test? ( >=sys-apps/dbus-1.6.8-r1:0 )"

-if [[ -n ${AUTOTOOLS_AUTORECONF} ]]; then
-	DEPEND+="
-		app-text/docbook-xml-dtd:4.2
+# Not required when building from unpatched tarballs, but we build from git.
+DEPEND+="
+	man? ( app-text/docbook-xml-dtd:4.2
 		app-text/docbook-xml-dtd:4.5
 		app-text/docbook-xsl-stylesheets
 		dev-libs/libxslt:0
-		>=dev-libs/libgcrypt-1.4.5:0"
-fi
-
-if [[ ${PV} == 9999 ]]; then
-	DEPEND+=" ${PYTHON_DEPS}"
-	REQUIRED_USE+=" ${PYTHON_REQUIRED_USE}"
-fi
+		${PYTHON_DEPS} )
+	terminal? ( ${PYTHON_DEPS} )
+	>=dev-libs/libgcrypt-1.4.5:0"
+
+REQUIRED_USE+="
+	man? ( ${PYTHON_REQUIRED_USE} )
+	terminal? ( ${PYTHON_REQUIRED_USE} )"

 pkg_pretend() {
 	local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
@@ -162,12 +171,6 @@
 	# Bug 463376
 	sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die

-	if [[ ${PV} != 9999 ]]; then
-		# Update the timestamp on this to avoid rebuilding it.
-		[[ -e src/libsystemd-terminal/unifont-glyph-array.bin ]] || die "File missing from tarball"
-		touch src/libsystemd-terminal/unifont-glyph-array.bin || die
-	fi
-
 	autotools-utils_src_prepare
 }

@@ -177,18 +180,14 @@
 	# Fix systems broken by bug #509454.
 	[[ ${MY_UDEVDIR} ]] || MY_UDEVDIR=/lib/udev

-	if [[ ${PV} == 9999 ]] || use python; then
-		python_setup
-	fi
+	python_setup

 	multilib-minimal_src_configure
 }

 multilib_src_configure() {
 	local myeconfargs=(
-		# disable -flto since it is an optimization flag
-		# and makes distcc less effective
-		cc_cv_CFLAGS__flto=no
+		--with-pamconfdir=/usr/share/pam.d

 		# Workaround for bug 516346
 		--enable-dependency-tracking
@@ -229,6 +228,7 @@
 		$(multilib_native_use_enable kmod)
 		$(use_enable lz4)
 		$(use_enable lzma xz)
+		$(multilib_native_use_enable man manpages)
 		$(multilib_native_use_enable nat libiptc)
 		$(multilib_native_use_enable pam)
 		$(multilib_native_use_enable policykit polkit)
@@ -250,11 +250,19 @@
 		EFI_CC="$(tc-getCC)"

 		# dbus paths
-		--with-dbuspolicydir="${EPREFIX}/etc/dbus-1/system.d"
+		--with-dbuspolicydir="${EPREFIX}/usr/share/dbus-1/system.d"
 		--with-dbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
 		--with-dbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"

-		--with-ntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+		--with-ntp-servers="0.coreos.pool.ntp.org 1.coreos.pool.ntp.org 2.coreos.pool.ntp.org 3.coreos.pool.ntp.org"
+
+		# The CoreOS epoch, Mon Jul  1 00:00:00 UTC 2013. Used by timesyncd
+		# as a sanity check for the minimum acceptable time. Explicitly set
+		# to avoid using the current build time.
+		--with-time-epoch=1372636800
+
+		# no default name servers
+		--with-dns-servers=
 	)

 	if ! multilib_is_native_abi; then
@@ -326,38 +334,81 @@
 }

 multilib_src_install_all() {
+	local unitdir=$(systemd_get_unitdir)
+
 	prune_libtool_files --modules
 	einstalldocs

 	if use sysv-utils; then
+		local prefix
+		use symlink-usr && prefix=/usr
 		for app in halt poweroff reboot runlevel shutdown telinit; do
-			dosym "..${ROOTPREFIX-/usr}/bin/systemctl" /sbin/${app}
+			dosym "${ROOTPREFIX-/usr}/bin/systemctl" ${prefix}/sbin/${app}
 		done
-		dosym "..${ROOTPREFIX-/usr}/lib/systemd/systemd" /sbin/init
-	else
+		dosym "${ROOTPREFIX-/usr}/lib/systemd/systemd" ${prefix}/sbin/init
+	elif use man; then
 		# we just keep sysvinit tools, so no need for the mans
 		rm "${D}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 \
 			|| die
 		rm "${D}"/usr/share/man/man1/init.1 || die
 	fi

-	# Disable storing coredumps in journald, bug #433457
-	mv "${D}"/usr/lib/sysctl.d/50-coredump.conf{,.disabled} || die
-
-	# Preserve empty dirs in /etc & /var, bug #437008
-	keepdir /etc/binfmt.d /etc/modules-load.d /etc/tmpfiles.d \
-		/etc/systemd/ntp-units.d /etc/systemd/user /var/lib/systemd \
-		/var/log/journal/remote
-
-	# Symlink /etc/sysctl.conf for easy migration.
-	dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
-
-	# If we install these symlinks, there is no way for the sysadmin to remove them
-	# permanently.
-	rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die
-	rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die
-	rm -r "${D}"/etc/systemd/system/network-online.target.wants || die
-	rm -r "${D}"/etc/systemd/system/sysinit.target.wants || die
+	# Ensure journal directory has correct ownership/mode in inital image.
+	# This is fixed by systemd-tmpfiles *but* journald starts before that
+	# and will create the journal if the filesystem is already read-write.
+	# Conveniently the systemd Makefile sets this up completely wrong.
+	dodir /var/log/journal
+	fowners root:systemd-journal /var/log/journal
+	fperms 2755 /var/log/journal
+
+	systemd_dotmpfilesd "${FILESDIR}"/systemd-coreos.conf
+	systemd_dotmpfilesd "${FILESDIR}"/systemd-resolv.conf
+
+	# Don't default to graphical.target
+	rm "${D}${unitdir}"/default.target || die
+	dosym multi-user.target "${unitdir}"/default.target
+
+	# Move a few services enabled in /etc to /usr, delete files individually
+	# so builds fail if systemd adds any new unexpected stuff to /etc
+	local f
+	for f in \
+		getty.target.wants/getty@tty1.service \
+		multi-user.target.wants/remote-fs.target \
+		multi-user.target.wants/systemd-networkd.service \
+		multi-user.target.wants/systemd-resolved.service \
+		network-online.target.wants/systemd-networkd-wait-online.service \
+		sockets.target.wants/systemd-networkd.socket \
+		sysinit.target.wants/systemd-timesyncd.service
+	do
+		local s="${f#*/}" t="${f%/*}"
+		local u="${s/@*.service/@.service}"
+
+		# systemd_enable_service doesn't understand template units
+		einfo "Enabling ${s} via ${t}"
+		dodir "${unitdir}/${t}"
+		dosym "../${u}" "${unitdir}/${t}/${s}"
+
+		rm "${D}/etc/systemd/system/${f}" || die
+	done
+	rmdir "${D}"/etc/systemd/system/*.wants || die
+
+	# Grant networkd access to set the transient host name
+	insinto /usr/share/polkit-1/rules.d
+	doins "${FILESDIR}"/99-org.freedesktop.hostname1.rules
+
+	# Do not enable random services if /etc was detected as empty!!!
+	rm "${D}"/usr/lib/systemd/system-preset/90-systemd.preset
+	insinto /usr/lib/systemd/system-preset
+	doins "${FILESDIR}"/99-default.preset
+
+	# Disable the "First Boot Wizard" by default, it isn't very applicable to CoreOS
+	rm "${D}${unitdir}"/sysinit.target.wants/systemd-firstboot.service
+
+	# Do not ship distro-specific files (nsswitch.conf pam.d)
+	rm -rf "${D}"/usr/share/factory
+	sed -i "${D}"/usr/lib/tmpfiles.d/etc.conf \
+		-e '/^C \/etc\/nsswitch\.conf/d' \
+		-e '/^C \/etc\/pam\.d/d'
 }

 migrate_locale() {
```
2015-07-08 16:32:37 -07:00
Michael Marineau
5d07880d3d Merge pull request #1344 from marineam/util-linux
util-linux: don't bother excluding misc small utilities
2015-07-08 14:14:09 -07:00
Michael Marineau
1ad8deb6ce systemd: remove nls use flag
This option doesn't actually do anything, it merely moves errors about
missing intltool from the compile step to the configure step. Upstream
dropped the flag ages ago but we kept it not knowing if it was useful.
2015-07-08 12:00:57 -07:00
Michael Marineau
76885d2ab3 systemd: add a 'man' use flag
No need to spend time generating man pages for targets we never install
man pages on.
2015-07-08 12:00:57 -07:00
Michael Marineau
d1da4816c4 systemd: remove old configure options
elfutils has a use flag, the dbus option was removed in 219
2015-07-08 12:00:50 -07:00
Michael Marineau
09e076669b util-linux: don't bother excluding misc small utilities
We may not *need* things like fsck.minix but it does get the systemd
test suite to pass. setarch should be there. fdformat and others are no
longer built by the ebuild.
2015-07-08 11:48:19 -07:00
Michael Marineau
5c8f1516ad systemd: set explicit reference time for NTP 2015-07-07 20:35:45 -07:00
Michael Marineau
e9a96f2f61 profiles: re-enable ccache, using latest 3.2.x version
Kernel builds should now be happy with ccache so re-enable by default.
2015-07-07 20:33:42 -07:00
Michael Marineau
7fed71e9ac coreos-kernel: explicitly add -nopie for hardened compilers
The Gentoo hardened compiler enables PIE by default unless it detects an
incompatible option. To detect kernel builds it uses -D__KERNEL__ which
is unfortunately a preprocessor option that ccache >= 3.2 will not pass
to compile-only calls, since in theory it is unnecessary and omitting
preprocessor options works around issues in other (*cough* LLVM)
compilers. There really isn't any other alternative magic hack so go
with the plain no-magic solution. :)

Bug: https://bugs.gentoo.org/show_bug.cgi?id=535984
2015-07-07 20:25:12 -07:00
Alex Crawford
7ac986e5ed sys-apps/seismograph: include disk GUID feature 2015-07-06 13:51:16 -07:00
Michael Marineau
9f6ef609b5 Revert "Update update_engine" 2015-07-06 06:08:46 -07:00
Michael Marineau
1520766779 Revert "app-admin/fleet: bump to v0.11.0" 2015-07-04 13:14:32 -07:00
Michael Marineau
0477ee2df0 Merge pull request #1337 from marineam/update
Update update_engine
2015-07-03 21:46:57 -07:00
mischief
cd117a321e sys-apps/systemd: enable nat use flag for ip masquerading in networkd 2015-07-03 18:48:05 -07:00
mischief
f1278017ab app-admin/fleet: bump to v0.11.0 2015-07-03 17:19:07 -07:00
Michael Marineau
f52a4cc47e Merge pull request #1328 from exoscale/master
exoscale network workaround not needed anymore
2015-07-02 16:37:02 -07:00
retrack
1f6a7401b8 coreos-base/oem-exoscale: network workaround not needed anymore 2015-07-03 01:15:21 +02:00
Michael Marineau
a437c096fe update_engine: update to latest, fixes kernel payload code 2015-07-02 14:09:56 -07:00
Michael Marineau
7f33fd307c Revert "Revert "update_engine: lots of updates""
This reverts commit 7bbc88c31ce48c6da6fb6fd1c1bf9d3927825d9f.
2015-07-02 14:08:12 -07:00
Michael Marineau
bd33c8cf5d systemd: fix systemd-escape's exit code 2015-07-02 12:13:39 -07:00
Michael Marineau
e5c1d942ec selinux: make selinux optional based on USE flags, disable for now.
Some issues still to work out with tmpfiles and logind.
2015-07-01 22:41:43 -07:00
Nick Owens
6adadb896a Merge pull request #1332 from mischief/sfc
sys-kernel/coreos-kernel: enable sfc and mtd drivers
2015-07-01 18:50:15 -07:00
George Tankersley
9415e80fd1 Merge pull request #1334 from gtank/verity
bootengine: bump ebuild for verity generator
2015-07-01 18:35:03 -07:00
mischief
6b48095e48 sys-kernel/coreos-kernel: enable sfc and mtd drivers 2015-07-01 18:28:06 -07:00
Matthew Garrett
7be98f2fdc Enable kernel lockdowns in Secure Boot environments
Secure Boot is easy to work around unless the kernel restricts
userspace's ability to modify the kernel. Add kernel patches from Fedora
that do this.
2015-07-01 17:45:21 -07:00
George Tankersley
37446bff38 bootengine: bump ebuild for verity generator 2015-07-01 17:31:39 -07:00
Eugene Yakubovich
8f67ce4565 flannel: bump to v0.5.0 2015-07-01 14:44:39 -07:00
Matthew Garrett
7d9e123f97 Remove calls to host tools during selinux policy build
SELinux policies were attempting to run the host checkmodule and semodule
commands. The former is easy to fix via pointing them at the build root, the
latter we skip entirely because we don't want to install the policy at this
point - we'll do that during image build.
2015-07-01 11:58:10 -07:00
Patrick Baxter
601e5f58c0 Merge pull request #1330 from pbx0/mantle
coreos-devel/mantle: bump to latest commit
2015-07-01 11:47:03 -07:00
Patrick Baxter
94177003ac coreos-devel/mantle: bump to latest commit 2015-07-01 11:22:12 -07:00
Matthew Garrett
15c35fa751 Fix policycoreutils build
There was still some python leaking into this - skip building sepolicy
to avoid issues with cross-compilation.
2015-07-01 11:21:18 -07:00
Michael Marineau
c940294b1f Merge pull request #1327 from marineam/kernel
coreos-kernel: prepare for using patched kernels
2015-06-30 22:11:39 -07:00
Michael Marineau
9d10bb7bd4 coreos-kernel: prepare for using patched kernels
We will be carrying some patches so the version of the source code will
no longer be simply the upstream mainline version. A -coreos or
-coreos-r1 and so forth will be appended. A new variable defining the
source revision (e.g. -r1) has been added so we can continue to bump the
coreos-kernel revision independently of coreos-sources for minor things
like config updates.
2015-06-30 16:30:49 -07:00
mjg59
3e1ca9c8fd Merge pull request #1325 from mjg59/selinux
Add selinux build fixes
2015-06-30 13:53:32 -07:00
Michael Marineau
0e5f1f28b2 Merge pull request #1324 from marineam/kernel
coreos-kernel: slim down defconfig, bump to 4.0.7
2015-06-30 12:21:13 -07:00