* Drop the dependency on `sec-policy/selinux-dbus`
* Drop machine-id generation
* Stabilize both keywords `amd64` and `arm64` to build it.
* Do not add a third-party patch for CVE-2019-12749 again, as the fix is
already included in dbus >= 1.10.29.
Loosely based on a409238795c44dabfd16e466c8433a89f5f0844f and
e458211c8418462f4bd4d4536dc96f62380a22cf .
The upstream changed the way the default percentage value, and
make the property partially dynamic.
Upstream ref: https://github.com/systemd/systemd/pull/14007Fixes#382
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change uses portage-stable and coreos-overlay from the local SDK
chroot (from /var/lib/gentoo/repos) in the stage 1 SDK bootstrap build.
This is part 2 of the SDK bootstrap stage 1 fix (part 1 is covered in
64d8a73ac09853a4b9b813b53299d37569c35071), which ensures stage 1 does
not introduce any changes in its ebuilds over the seed SDK.
The change also introduces an option to consciously divert from the
above enforcement by use of command line parameters:
--stage1_overlay_ref <gitref> will check out coreos-overlay and use
<gitref> for stage 1 instead of the
local SDK's
/var/lib/gentoo/repos/coreos-overlay
--stage1_portage_ref <gitref> will check out portage-stable and use
<gitref> for stage 1 instead of the
local SDK's
/var/lib/gentoo/repos/gentoo
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tar ball.
To replace rkt with systemd-nspawn, extract the tar ball to an
image and run the daemon as systemd-nspawn container.
Having the hostname units as required by the initrd.target meant that if
the unit failed (for example because the network was or the metadata
service were down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
