This new downstream patch disables the ManageForeignRoutes and
ManageForeignRoutingPolicyRules systemd-netword settings by default to
ensure that CNIs don't get their routes or routing policy rules
discarded on network reconfiguration events.
https://github.com/flatcar-linux/Flatcar/issues/620
With this kernel config, users can boot with fips=1 set in
`/usr/share/oem/grub.cfg`:
```
set linux_append="fips=1"
```
Which triggers various behaviors, for FIPS 200 certification.
with this config compiled in, and that boot parameter, users can can
that fips is enabled with:
```
flatcar ~ # cat /proc/sys/crypto/fips_enabled
1
```
- unmask amd64 and arm64
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
- apply duktape patchset from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/97
`.gitlab-ci.yml` patch has been removed since file is not shipped in
archive.
- fix config install paths, use systemd-tmpfiles (All configs should
be installed to /usr and tmpfiles should be used to create and fix
directory permissions instead of the ebuild's postinst.)
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
upstream has masked openssl-3 for tracking build failures. Since we are
not impacted by this failures, we can safely unmask openssl-3.
See: https://github.com/flatcar-linux/Flatcar/issues/418 for Flatcar's
dependencies.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
- drop `pkg_postint`
- create `/etc/ssl` with tmpfiles
- remove unecessary files
- mark openssl as stable for arm64 and amd64
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
We used to keep the package in overlay, because we dropped one Gentoo
patch to avoid some failures when applying updates when updating
payloads. This issue was fixed in bzip2 in a smarter way - we know
this, because we used 1.0.8 version with the fix and we didn't have
any problems so far. No point in keeping the package in overlay then.
root needs to be specified with -p instead of -S.
The policy dir (-S) defaults to (-p) + /var/lib/selinux/ + (-s).
Picked from upstream: 54a8322d18
Closes: https://github.com/flatcar-linux/Flatcar/issues/596
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
The mirror-calico workflow has been failing because it currently determines
version=v3.22.0-0.dev-typha, which is not the tag used by the individual
container images. Rewrite the version logic to determine the version based on
what is in the tigera operator manifest. This is the same manifest that we use
to deploy calico in mantle.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The entries added in changelog/security/ do not follow our existing
security section in the release notes:
https://www.flatcar.org/releases/#release-3033.2.0
Document the structure and an example to use the right format that we
need for release note generation.
The net-misc/iputils package never provided the traceroute binary,
only traceroute6, which is probably why the use flag got renamed to
traceroute6 too.
It was removed from Gentoo and with updated profiles, the build
started to fail with:
USE flag 'elibc_uclibc' referenced in conditional 'elibc_uclibc?' is
not in IUSE
We rely on this setting to make iPXE booting work on EFI platforms. In iPXE we
use 2 initramfs': the kernel builtin one and a pxe specific one that contains
the contents of the usr partition. This appears to rely on the EFI stub, which
unpacks the second one based on the passed commandline parameter (initrd=).
This affects arm64 kernels after v5.11 because of this commit:
6edcf9dc2e
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The changelog entries should be directly used for the release notes,
thus they need to be short and hold only information relevant to the
end user, and should be in the markdown bullet point format.
The used changelog entry format in
https://github.com/flatcar-linux/coreos-overlay/pull/1502 is not really
useful for the release notes. This paragraph is good for the PR
description or a commit message, but here should be a bullet point for
the release notes.
Replace the paragraph by a release notes bullet point.
All runs of the GitHub Action to update the kernel used the same
changelog name, which is a bit confusing when comparing the releases.
Append the version to the filename to avoid using the same name for the
maintenance updates of a channel releases and for the introduction of a
kernel update in main.
Unlike with Kernel 5.10, dracut does not automatically install `loop.ko`
with Kernel 5.15.
Explicitly install the loop module from the dracut command line.
Pulls in https://github.com/flatcar-linux/bootengine/pull/32
`net-libs/libnetfilter_cthelper` needs CONFIG_NF_CT_NETLINK_HELPER.
CONFIG_NET_VRF was requested by a user. CONFIG_KEY_DH_OPERATIONS is
useful for `sys-apps/keyutils`. Rest of the added configs are
dependencies.
enables ELF support to e.g. allow tc to handle BPF filters.
It has been dropped in this commit: 406576c5e5
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
It happens that kernel update PRs are created faster than we merge
them. In such case we create version gaps in the changelog. Remedy
that by adding links to all the released kernel versions between the
current one and the just released one.
This pulls in https://github.com/flatcar-linux/init/pull/56
to find a generic way of preventing conflicts with CNI interfaces that
shouldn't use DHCP and were matched by name to be set Unmanaged.
Add xml USE flag for dev-lang/python to avoid build failures during SDK
stage2. We need to add that to BOOTSTRAP_USE, not ordinary USE flags:
```
The following USE changes are necessary to proceed:
(see "package.use" in the portage(5) man page for more details)
# required by dev-python/setuptools-57.5.0::portage-stable[python_targets_python3_9]
# required by dev-python/pyparsing-2.4.7-r1::portage-stable
# required by dev-python/packaging-21.0::portage-stable
# required by dev-python/setuptools_scm-6.3.2::portage-stable
>=dev-lang/python-3.9.8 xml
```
- unmask amd64 and arm64
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
- Make BDEPEND independent from DEPEND (The `BDEPEND` is a
build-time requirement, so it should not be included in the whole
`DEPEND` list. If it does, an installation of `sys-auth/sssd`
causes other dependencies to be installed not only in the
`/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.)
- Move runstatedir option from configure to make (Now that the
upstream sssd 2.3.1 does not support `--runstatedir` option from
its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`. Instead
we need to pass `runstatedir=` to emake commands.)
- Disable realm check for nsupdate (At the moment bind-tools does
not enable `gssapi`, so its `nsupdate` tool is also not able to
run `realm` command. As a result, configure script of `sssd` fails
when running `echo realm | nsupdate`, like `syntax error`.
To avoid such issues, we need to disable the nsupdate check for
now. After we could enable `gssapi` for the SDK correctly, we can
bring back the nsupdate check in the future.)
- Add patch for CVE-2021-3621
- Set the conf dir path explicitly (Without passing the
--with-systemdconfdir flag, the configure script will query
pkg-config for the directory itself. In the cross-compilation
setup that we have, this will result in a path sysroot prepended
to the path twice. systemd.eclass has a workaround for this issue,
but it does not provide an elegant getter of the system
configuration directory, thus we call `_systemd_get_dir`
ourselves.)
- Make it compatible with newer python versions.
- apply duktape patchset from
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
(this should be re-fetched from the above MR when forward-porting
to updated polkit versions.)
- fix config install paths, use systemd-tmpfiles (All configs should
be installed to /usr and tmpfiles should be used to create and fix
directory permissions instead of the ebuild's postinst.)
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to
unconfined
- add AVC patch for local login and journald
- add python[lxml] to BDEPEND (not pulled through policycoreutils
any more due to our changes there)
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
- Use EAPI7
- Move libsxlt and stylesheets to BDEPEND
- Introduce some USE flags, so we don't install some tools we don't
need
- Limit the size of bundled libraries
- Make it compatible with newer python versions
- Bump to r2 because of updating EAPI to 7
- Add the tmpfiles configuration for populating /var
- Add service compatibility symlinks (maybe time to drop them)
- Drop moving a binary from /usr/sbin to /sbin
- Drop populating /etc and /var
- Drop pkg_postinst
There is no minimal use flag any more, but it was more or less the
same as no daemon and no update drive database. We also disable
systemd integration, because it's only related to the daemon
functionality that we disabled.
The old version of the package didn't have a keyword for arm64. We
just updated it and it's stable for arm64 too, rendering the entry in
accept_keyword unnecessary.
The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores.
It does not, however, tells `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store.
Fixes
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link)
observed when using the SDK Container to build the OS image.
It now also updates the correct store, which it previously did not.
Temporarily accept ssh-rsa algorithm in sshd_config for openssh >= 8.8,
until most ssh clients could deprecate ssh-rsa.
It is the same fix as https://github.com/flatcar-linux/init/pull/54.
However, we should do that again for GCE, because the google-oslogin
ebuild overwrites the existing sshd_config.
It used to be pulled in by dev-lang/python, but not any more. It is
needed for running fsscript during stage4 of SDK build to set up the
default python interpreter.
If python-single-r1.eclass is inherited, then PYTHON_USEDEP can't be
used directly inside dependency variable - either PYTHON_SINGLE_USEDEP
(for single-python-impl packages) should be used or the dependency
should be wrapped into python_gen_cond_dep function (for
multi-python-impl packages). crcmod is a multi-python-impl package, so
use the latter.
Also follow the practice of specifying the BDEPEND in terms of
RDEPEND. For this, we need to bump the EAPI to 7.
The reason for keeping it was that the package assumed that
unversioned python will point to python3 which wasn't the case in
Flatcar. Now that we updated python and made python3 the default, we
can move this package back to portage-stable and update it there.
We are updating python, so this modification is not needed any
more. This also seems to be the only modification we have made in this
ebuild, so we will move it back to portage-stable shortly.
This pulls in https://github.com/flatcar-linux/init/pull/55 to set the
cbr0 interface to be excluded from networkd (unmanaged) because it is
set up manually by kubenet and not through DHCP.
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Dongsu Park <dpark@linux.microsoft.com>
Add changelog for mantle 0.17.0.
Also add changelog for security updates of golang.org/x/{crypto,text}
in mantle, as well as github.com/gogo/protobuf 1.3.2.
Now that the Github org name of mantle was changed from coreos to
flatcar-linux, via https://github.com/flatcar-linux/mantle/pull/241,
we need to change the Github org name in ebuilds as well.
Update coreos-devel/mantle to 0.17.0-r1, to include the security updates
of golang.org/x/{crypto,text}, mainly to address CVE-2021-38561,
CVE-2021-43565.
Pulls in https://github.com/flatcar-linux/mantle/pull/262.
Kernel 5.15 contains enablement patches for linux as a hyper-v guest, so
move the configs to the common config so that they're enabled for both
arches.
PCI patches didn't make it.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
We always want the 'flatcar.autologin' parameter, but the ttyS0 setting is x86
PC specific. Move the generic part to linux_append variable and hide the
generic part behind a check for grub_platform. For EFI platforms the default
grub.cfg has the correct arch specific console configuration.
The console specification for grub itself is needed in either case
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
This pulls in https://github.com/flatcar-linux/init/pull/53 to add the
"flatcar-update" tool to the image, easing manual updates, rollbacks,
channel/release jumping, and airgapped updates.
We want to check if target branch exists on the repo on which the
action is being run and will get the PR in the end, not on repo with
which the SDK came. It's useful for testing github actions on personal
forks.
The function only generates the update kind of changelogs. If the
update addresses some CVE, it needs to be added manually.
The changelog generation happens only if the changelog directory
exists. Also make sure it's included in the patches.
When selecting the docker-1.12-no profile, torcx failed because the
profile looked for 19.03 instead of 20.10.
Make the docker-1.12-no profile identical to the vendor profile so
that we don't have to update it.
`etcd` node's name was defined by `ETCD_NAME`, from `etcd/v3` the server
can't be started with both `ETCD_NAME` and `--name` supplied.
Which leads to three cases:
* `etcd-member.service` starts without further configuration, no issue
since only `ETCD_NAME=%m` is used
* `etcd-member.service` is overrided with a CLC without `name: ` key, no
issue since only `ETCD_NAME=%m` is used
* `etcd-member.service` is overrided with a CLC with a `name: ` key,
there is an issue since in the final service we will have both
`ETCD_NAME=%m` and `--name name-from-clc`
This patch conditionally unset the `ETCD_NAME` in case `--name` is
supplied.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
If we use date format of DD-MM-YYYY in changelog file names, the files
will not sorted by date. e.g. 01-12-2021 will come before 25-11-2021.
Use date format of YYYY-MM-DD to make the files sorted by date.
By accident the upstream files from the example folder got used,
instead of the downstream files that were added in the files/ folder.
Also, the configuration file didn't get installed.
Use the right paths to install the downstream files.
with this patch, we allow `unlabeled_t` to associate to tmpfs
filesystem.
It aims to solve the AVC we have with `torcx` with the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```
It has been not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.
This denial was preventing torcx to finish correctly its setup and so
Docker was not able to start.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Since every tag of the nss Github repo has `_` delimiters, we need to
first use `sort -t_` for sorting, then after that we need to replace `_`
with `.` by calling tr. Without that conversion, the input ebuild file
name will be wrong.
We fixed the issue in all other maintenance branches, but not in main.
Fix that also in main.
Automatically update app-misc/ca-certificates , a derivative of
nss https://hg.mozilla.org/projects/nss . To make things easier,
we simply check for new releases on its Github mirror
https://github.com/nss-dev/nss . When the new latest tag is found,
simply bump the version of ca-certificates ebuild.
There usually exists a way to tell the configure script to use certain
path, so the script won't try to autodetect things. This is a case for
the systemd system unit directory, but apparently not for systemd util
directory. So for the system unit directory, we can forward the path
we received from systemd.eclass' `systemd_get_systemunitdir`, but for
the util directory, we need to hack the script with `sed`. The reason
for this is that autodetected directory will have the sysroot path
prepended twice. The systemd eclass has a workaround for this issue.
Without passing the --with-systemdconfdir flag, the configure script
will query pkg-config for the directory itself. In the
cross-compilation setup that we have, this will result in a path
sysroot prepended to the path twice. systemd.eclass has a workaround
for this issue, but it does not provide an elegant getter of the
system configuration directory, thus we call `_systemd_get_dir`
ourselves.
Normally we use pkg-config to query flags and libraries that are
needed to build things. These are specific to CHOST, and the build
system usually uses pkg-config on CHOST to get those flags and
libraries. But pkg-config is also used to query for the location of
the tools used during the build, and for those we need to use
pkg-config on CBUILD. But the build system is usually using the same
pkg-config for both flags and libs, and for build tools. Which works
fine for typical builds, but breaks for cross builds.
One of such build tools is glib-genmarshal. Fortunately the build
system allows us to override the detection results by passing
GLIB_GENMARSHAL="${some_path}" to the configure script. So do that.
This is to avoid querying pkg-config for this information and
overriding the SYSROOT variable. These hacks seem to be broken with
the change of the pkgconfig implementation.
We know what will the path for the directory of the system units -
it's based on rootprefix that we pass to configure script. So use this
knowledge directly instead of getting it in a roundabout way from
pkg-config file.
The recent keyword cleanup removed two keywords that are necessary to
bootstrap an arm64 sdk: open-vmdk and virtual/cdrtools. Restore them.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
app-editors/nano with `USE=unicode` results in build failures in SDK
stage1, because ncurses >= 6.2_p20210619 which does not have the USE
flag at all.
To fix that, exclude the unicode USE flag from packages.use.force list,
which is defined in portage-stable. We can do that by setting the flag
in package.use.mask.
Systemd during the initrd stage was complaining about the missing
group, which resulted in ignoring some of the udev rules. Let's
placate it by adding sgx to baselayout, so the group is available
during the initrd stage too.
Pulls in https://github.com/flatcar-linux/baselayout/pull/20.
The "create" action became "open", and "remove" became "close". Also
reorder the parameters accordingly (it's a bit different for "open" vs
"create"). Also put the options before specifying the action.
Pulls in https://github.com/flatcar-linux/bootengine/pull/31.
Clean up unnecessary ebuilds from arm64 accept_keywords like below:
app-arch/bzip2 1.0.6-r12 is already stable.
app-crypt/mit-krb5 1.19.2 is already stable.
app-emulation/open-vmdk 1.0 is not needed by arm64.
app-eselect/eselect-rust is already stable.
dev-lang/perl 5.34.0-r2 is already stable.
dev-libs/ding-libs 0.4.0 is not needed by arm64.
dev-libs/elfutils 0.177 is already stable.
dev-libs/libpcre2 10.34 is already stable.
dev-libs/libpcre 8.44 is already stable.
dev-libs/libintl-perl 1.280.0 is already stable.
dev-util/meson 0.57.2 is already stable.
dev-util/re2c 2.0.3 is already stable.
net-analyzer/tcpdump 4.9.3 is already stable.
net-dns/bind-tools 9.16.6 is already stable.
net-dns/dnsmasq 2.85 is already stable.
net-firewall/ebtables 2.0.11-r3 is already stable.
net-libs/libmicrohttpd: move to base.
net-libs/libnfnetlink 1.0.1 is already stable.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-nds/openldap 2.4.57 is already stable.
sys-apps/checkpolicy is already enabled in base.
sys-fs/btrfs-progs 4.10.2 is not needed by arm64.
sys-libs/binutils-libs 2.36.1-r2 is already stable.
virtual/perl-File-Path 2.130.0 is already stable.
virtual/cdrtools is not needed by arm64.
Add the following ebuilds to arm64 accept_keywords like below:
app-misc/jq 1.6-r3: move from base
cross-aarch64-cros-linux-gnu/gcc 9.3.0-r1: move from base
net-misc/curl 7.79.1: move from base
sec-policy/selinux-base 2.20200818-r2: move from base
sec-policy/selinux-base-policy 2.20200818-r2: move from base
sec-policy/selinux-unconfined 2.20200818-r2: move from base
sec-policy/selinux-virt 2.20200818-r2: move from base
sys-apps/checkpolicy 3.1: move from base
sys-apps/kexec-tools 2.0.17-r1 is needed by arm64
sys-firmware/edk2-ovmf 201905: move from base
sys-process/tini 0.18.0: move from base
Clean up unnecessary ebuilds from base accept_keywords like below.
Sort alphabetically.
app-crypt/efitools: move to sdk
app-misc/jq: move to arm64
cross-aarch64-cros-linux-gnu/gcc: move 9.3.0-r1 to arm64
dev-lang/spidermonkey is not needed any more.
dev-libs/protobuf 3.5.2 is already stable.
dev-libs/elfutils: specify explicit version 0.178
dev-python/boto: specify explicit keywords ~amd64, ~arm64.
dev-util/dwarves: specify explicit version 1.19
dev-util/perf 5.8 is already stable.
net-misc/curl: move 7.79.1 to arm64
net-nds/rpcbind: specify explicit keywords ~amd64, ~arm64.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-libs/libmicrohttpd: move from arm64, specify explicit keywords.
sec-policy/selinux-base: move to arm64.
sec-policy/selinux-base-policy: move to arm64.
sec-policy/selinux-unconfined: move to arm64.
sec-policy/selinux-virt: move to arm64.
sys-apps/checkpolicy: move to arm64.
sys-apps/gptfdisk 1.0.7 is already stable.
sys-apps/iproute2 5.8.0 is already stable.
sys-apps/kexec-tools 2.0.17-r1 is already stable.
sys-auth/google-oslogin 20200910.00 is already stable.
sys-kernel/dracut 053-r1 is already stable.
sys-boot/gnu-efi 3.0.3 is already stable.
sys-firmware/edk2-ovmf: move to arm64
sys-fs/dosfstools: specify explicit keywords ~amd64, ~arm64.
sys-process/tini: move to arm64
sys-libs/libselinux: already configured in arm64
sys-libs/libsepol: already configured in arm64
Now that Github rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
enabling `fips` support will compile `fips.so` provider for user who
wants to use `fips` as OpenSSL provider.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Based on 9a6728f5f5d63626e4a806664c0c031e913fd758 and
380aa9c60af1e68911a479747d12b5fddaf2b1a2 .
selinux-base requires python to generate xml files, but the dependency
is implicit (through policycoreutils). Flatcar made that dependency
conditional on USE=python in policycoreutils so that we don't include
python in our images, but this causes selinux-base to fail depending on
ordering in the bootstrap process.
Fix that failure by addin an explicit dependency.
The build has been failing occasionally, due to some kind of race condition.
The last lines of log output look like this:
Updating policy/booleans.conf and policy/modules.conf
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
support/sedoctool.py exiting for: Error while parsing xml
make: *** [Makefile:415: conf.intermediate] Error 1
* ERROR: sec-policy/selinux-base-2.20200818-r2::coreos failed (configure phase):
* emake failed
Try to fix this by forcing a sequential build.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
PR https://github.com/flatcar-linux/coreos-overlay/pull/432 started
to replace `dev-lang/rust` in accept_keywords with its new version.
However, its corresponding `virtual/rust` has never been updated.
That issue had been hidden until
4463efcfd4
started adding `virtual/rust` to accept_keywords.
Unlike `dev-lang/rust`, keywords for `virtual/rust` stayed with old
versions. As a result, subsequent Github Actions PRs for rust become
all invalid, so build failures.
Fix the issue by replacing versions of `virtual/rust` with new versions.
Also try to match with version specifiers, not only `=` but also `>=`,
'<=', '~'.
trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
with the OpenSSLv3 upgrade, `update_engine` is not fully compatible yet.
See the associated issue for more details.
Let's keep the deprecated SHA functions in the meantime to run the
build.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248
Fixesflatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.70.ebuild manifest" run.
Signed-off-by: Guillaume Perrin <guillaume28.perrin@gmail.com>
commit 5c4d184e22fd93ab926878a131150047b54d0b6c
Author: Michael Marineau <michael.marineau@coreos.com>
Date: Fri Aug 1 14:48:59 2014 -0700
polkit: fix config install paths, use systemd-tmpfiles
All configs should be installed to /usr and tmpfiles should be used to
create and fix directory permissions instead of the ebuild's postinst.
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.69.1.ebuild manifest" run.
Hgfs-mounter has been dropped from the repository and it let's make the
patch name independent of the package version so that the patch doesn't
have to be touched on every upgrade.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
systemd v249 changes the usual failed units "●" to show "×".
This commit adapts accordingly to display the correct failed units
For compatibility with the longer-cadence channels, we continue to
support "●"
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Automatically update coreos/open-vm-tools as well as
coreos-base/oem-vmware.
Get the latest open-vm-tools release number, and get its build number
from the Github repo, and replace the old build number with the new one.
Also sync coreos-base/oem-vmware in line with open-vm-tools.
We need to split the beginning of setting up the top-level git repo into
a new function prepare_git_repo, and call it in the beginning of each
script. That is to prevent some corner cases, where applying multiple
patches does not work because the latter overwrites the former patch.
So we should not set up the git repo again in each apply_patch, but only
in the beggining, prepare_git_repo.
`ebuild audit-2.8.5-r1.ebuild manifest` fails like that:
```
>>> Downloading
'017e6c6ab9.patch'
--2021-09-29 04:05:09--
017e6c6ab9.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854 [text/plain]
Saving to: /mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__
2021-09-29 04:05:09 (57.3 MB/s) -
/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__ saved [854/854]
!!! Fetched file:
audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 854
!!! Expected: 852
Refetching... File renamed to
'/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch._checksum_failure_.o2889wwd'
!!! Couldn't download 'audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch'. Aborting.
```
That happens because the upstream audit patch
017e6c6ab9.patch
silently changed, so it could have a git commit of 8-bytes instead 7.
Fix the hash in Manifest for now, until we could update
sys-process/audit to 3.0. Upstream Gentoo already has 3.0, dropped 2.8.
However, updating to 3.0 might not so trivial due to Flatcar changes in
audit.
The bug fix https://github.com/flatcar-linux/coreos-overlay/pull/1129
caused a regression that Github Actions cannot determine a correct
$VERSION_OLD if the old ebuild file has a suffix like `-r1`.
We need to create a function to get a correct ebuild file name, by
falling back to the most similar name, in case the expected ebuild
file does not exist.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 .
Update app-crypt/gnupg to 2.2.29.
One of the key purposes for the update is to be able to use the new
default keyserver `keyserver.ubuntu.com`, which is provided by default
since 2.2.29. It is due to the shutdown of the SKS keyserver pools.
See also https://bugs.gentoo.org/811828 .
I think we still prefer to keep packages in portage-stable and
sometimes add an entry to the accept_keywords file instead of moving
the package to overlay just to edit a keyword. Or a PYTHON_COMPAT
field.
This changes comes together with the change made in portage-stable to
one of the python eclasses where we add support for python3 version
from 3.8 to 3.10. To make this change complete, we need to mask those
new versions, so building packages will not try to depend on python
version we haven't yet packaged.
