Systemd during the initrd stage was complaining about the missing
group, which resulted in ignoring some of the udev rules. Let's
placate it by adding sgx to baselayout, so the group is available
during the initrd stage too.
Pulls in https://github.com/flatcar-linux/baselayout/pull/20.
Now that GitHub rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
Enabling `fips` support will compile the `fips.so` provider for users who
want to use `fips` as an OpenSSL provider.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Based on 9a6728f5f5d63626e4a806664c0c031e913fd758 and
380aa9c60af1e68911a479747d12b5fddaf2b1a2 .
selinux-base requires python to generate xml files, but the dependency
is implicit (through policycoreutils). Flatcar made that dependency
conditional on USE=python in policycoreutils so that we don't include
python in our images, but this causes selinux-base to fail depending on
ordering in the bootstrap process.
Fix that failure by adding an explicit dependency.
The build has been failing occasionally, due to some kind of race condition.
The last lines of log output look like this:
```
Updating policy/booleans.conf and policy/modules.conf
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
support/sedoctool.py exiting for: Error while parsing xml
make: *** [Makefile:415: conf.intermediate] Error 1
* ERROR: sec-policy/selinux-base-2.20200818-r2::coreos failed (configure phase):
* emake failed
```
Try to fix this by forcing a sequential build.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
PR https://github.com/flatcar-linux/coreos-overlay/pull/432 started
to replace `dev-lang/rust` in accept_keywords with its new version.
However, its corresponding `virtual/rust` has never been updated.
That issue had been hidden until
4463efcfd4
started adding `virtual/rust` to accept_keywords.
Unlike `dev-lang/rust`, keywords for `virtual/rust` stayed with old
versions. As a result, subsequent GitHub Actions PRs for rust all become
invalid, resulting in build failures.
Fix the issue by replacing versions of `virtual/rust` with new versions.
Also try to match with version specifiers, not only `=` but also `>=`,
`<=`, `~`.
trousers supports TPM 1.2, and fails for TPM 2. This commit
skips the tcsd service if TPM 2 is detected.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
With the OpenSSLv3 upgrade, `update_engine` is not fully compatible yet.
See the associated issue for more details.
Let's keep the deprecated SHA functions in the meantime to run the
build.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
trousers supports TPM 1.2, and fails for TPM 2. This commit
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248.
Fixes flatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>