- SLAB_FREELIST_RANDOM: Randomize slab allocator freelist order,
  c7ce4f60ac199fb3521c5fcd64da21cee801ec2b
- IO_STRICT_DEVMEM: Disallow access to /dev/mem regions that are bound
  to a kernel driver, 90a545e981267e917b9d698ce07affd69787db87
- HARDENED_USERCOPY: Add more address range checks to copy_{from,to}_user(),
  f5509cc18daa7f82bcc553be70df2117c8eedc16

By default, the wrapper uses /var/lib/etcd which was created by the etcd
ebuild. Now that it's being removed, this ebuild needs to explicitly
create it.

Config changes:
- The refreshed Secure Boot patches now use LOCK_DOWN_KERNEL and
EFI_SECURE_BOOT_LOCK_DOWN instead of EFI_SECURE_BOOT_SIG_ENFORCE.
- KPROBE_EVENT and UPROBE_EVENT were pluralized in
6b0b7551428e4caae1e2c023a529465a9a9ae2d4.
- DEBUG_SET_MODULE_RONX was renamed in
0f5bf6d0afe4be6e1391908ff2d6dc9730e91550, but as of
ad21fc4faa2a1f919bac1073b885df9310dbc581 it's mandatory on both supported
arches. Dropped.
- VMXNET3 conflicts with ARM64_64K_PAGES as of
fbdf0e28d061708cf18ba0f8e0db5360dc9a15b9, and likely doesn't make sense on
ARM. Moved to amd64.
- TIMER_STATS was dropped in dfb4357da6ddbdf57d583ba64361c9d792b0e0b1.
- CPU_FREQ_STAT_DETAILS was dropped in
  801e0f378fe7d53f87246037bf40567277275418.

See https://github.com/coreos/bugs/issues/1833 where this was requested.
This has become more important with the more recent flannel releases
including kubernetes and becoming larger as well.
The value of 5 minutes is arbitrarily chosen as a reasonable increase
over the default 90s.

There will be more race conditions from networkd attempting to
claim every network interface for users of "docker network" without
this Match pattern. Bridges are named "br-" followed by hex.

Mark it stable for arm64, and fix installation. The "install"
target is completely broken for all architectures since it will
rebuild everything with cc every time, so use the "install-common"
target instead to bypass that.

This allows ordering other services after the agent has completely
finished its system initialization scripts and its daemons are all
running in the container.
Since /run/systemd is mounted from the host, the notify socket will
update the host's agent service. Also, since systemd-notify is run
by the "init" shell script, it uses the correct MainPID by default.

By moving the specification of how to get the provider into an
environment variable, it can be overridden via an environment variable
(which will be necessary on openstack).