The ACI root is created by reusing the create_prod_image function
to install a base meta-package. It then runs a script to customize
the file structure as required by agent software (if necessary),
writes a manifest file from a supplied template, and then packages
it all into a tar file.
The Xen loader in GRUB never received support for our hacky scheme of
adding the verity hash to the kernel cmdline. Disable till that's fixed.
Partially reverts 2016567 and 533b1b9.
Consolidates two very similar flags into one and fixes an issue where
verity could get enabled in the GRUB config when rootfs verification was
turned off (e.g. on arm64 which cannot use verity yet).
Workaround for bootstrap_sdk on an Ubuntu host where /dev/shm is a
symlink to /run/shm. Since we mount the host's /dev (for losetup) this
interferes with building python 2.7. The workaround is to disable the
/dev/shm during python builds. A longer term fix would be to not mount
the host's /dev. Thanks to marineam for suggesting the fix on IRC.
Handling configuration changes across multiple architectures is difficult.
Let's just generate a diff in the config and then apply that to the arch or
common config manually.
If the gptprio.next command fails to give us something to boot we
shouldn't try! In order to diagnose why the failure happened, halt
immediately so the user can see the error message.
Since this writes to private storage there isn't any need to wait until
the images are public to do this. Now the final publish step only
changes permissions on the AMIs and nothing more.
This is a bit of a hack, I would like something a little more
intelligent that checks for applicable metadata changes, not just any
old change in the ebuild text. That will require a bit more work/thought
and this should at least be sufficient to catch the current problems.
The issue comes down to how emerge's --usepkgonly mode works. Normally
KEYWORDS and (R)DEPEND metadata in ebuilds is used to figure out what to
install. If that metadata in the installed or binary packages is out
of date things generally work out anyway. However, when --usepkgonly is
enabled (such as in build_image) the ebuild metadata is ignored, using
only the installed and binary package metadata. Unfortunately it may be
out of date, allowing build_image to fail or otherwise behave
differently from build_packages. Perhaps there is a nice tool for
rebuilding such stale packages but emerge itself doesn't appear to.
This script should only be run after build_packages.