Since containerd 1.5 started to turn on Go modules, we need to pass
`-mod=vendor` to the go build command.
Otherwise, go build will fail because it would try to fetch missing
Go deps from remote repos, which would not work inside of the sandbox.
We cannot set `COREOS_GO_MOD=vendor` because the containerd ebuild calls
`emake` instead of `go_build`.
Since coreos-firmware 20210511, the `cxgb4/t[4-6]fw*.bin` files have a new
version '1.25.4.0'. We need to update the file name pointed to by the symlinks.
Otherwise the build fails due to broken symlinks.
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/bootengine/pull/24
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/init/pull/40
* Drop the dependency on `sec-policy/selinux-dbus`
* Drop machine-id generation
* Stabilize both keywords `amd64` and `arm64` to build it.
* Do not add a third-party patch for CVE-2019-12749 again, as the fix is
already included in dbus >= 1.10.29.
Loosely based on a409238795c44dabfd16e466c8433a89f5f0844f and
e458211c8418462f4bd4d4536dc96f62380a22cf.
Upstream changed the way the default percentage value is set, and
made the property partially dynamic.
Upstream ref: https://github.com/systemd/systemd/pull/14007
Fixes #382
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tar ball.
To replace rkt with systemd-nspawn, extract the tar ball to an
image and run the daemon as systemd-nspawn container.
Having the hostname units required by the initrd.target meant that if
the unit failed (for example because the network or the metadata
service was down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop bindist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change pulls in the latest bootengine version, which enables iSCSI
support in dracut and avoids tearing down the network when using netroot.
See https://github.com/kinvolk/bootengine/pull/22 for more information.
This reverts commit f8dda51d546b466d9faf0c936b2ad5592ab1639e.
Recently we dropped `bindist` from `RESTRICT` in openssl, so it is
now possible to turn on `ssl` for wget again. The issue of openssl being
blocked by `masked by: bindist in RESTRICT` etc. has now disappeared.
Fixes https://github.com/kinvolk/Flatcar/issues/149
For some reason, the old version of boost-build 1.67 is still here.
As we already have boost-build 1.75 in portage-stable, we should
completely delete boost 1.67.
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency.
We need to customize dracut. Currently the version in portage-stable is
picked because it's newer than the one in coreos-overlay. This commit
updates coreos-overlay to the same versions available in portage-stable.
This pulls in
https://github.com/kinvolk/baselayout/pull/17
to enable the pam_faillock module as replacement for pam_tally2.
The "faillock" binary can be used to see the login attempts and
account lock status which before was available with the pam_tally
command. While the tally defaults did not temporarily lock the
account on wrong password login attempts, this is done by default
with faillock. However, the default behavior was relaxed to allow
more wrong attempts and have a shorter lock time span.
As rkt is deprecated we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
Since rkt is deprecated we need to run the etcd container with Docker
or Podman. The etcd-wrapper script is based on rkt arguments and can't
be used in a compatible way but we cannot remove it since ct explicitly
uses it in the ExecStart directive when writing out a drop-in file once
etcd settings are given in a Container Linux Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect.
This commit adds some comments to help other folks to
easily recognize Flatcar-specific code.
Check issue #364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
Cherry-picked from kinvolk/coreos-overlay@d0426cf.
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This commit synchronises ncurses with gentoo/gentoo@69bf5af thus
it updates the package from 6.1-r2 to 6.2-r1.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This pulls in
https://github.com/kinvolk/init/pull/38
to set predictable network interface names as alternative interface
names for virtio devices, and also add a special hardcoded ens4v1
name for GCE because the special udev rule to rename the device
stopped working after the systemd 247 update.
While the execution of the unit may succeed by finding the executables
by searching the current PATH, calling `systemd-analyze verify` on the
units fails because this requires an absolute path.
When listing kernel modules to decide which firmware should be shipped
together with the image, we now need to list both compressed and
uncompressed modules.
Fixes: kinvolk/Flatcar#359
In https://github.com/kinvolk/coreos-overlay/pull/875 the repository
was switched to a fork from the archived upstream repository. However,
the ebuild was still using a reference to an old squashed Flatcar build
bot commit from the git-sync times that was only present in our old
repository.
Switch to a reference to the latest commit on the new repository which
in fact does not introduce any changes.
Since rkt will be deprecated soon, we should make toolbox run docker
instead of rkt.
Also delete dependency on `app-emulation/rkt`, and update hyperlinks.
It pulls in https://github.com/kinvolk/toolbox/pull/1.
This change adds the USE flag cros_host to the
SDK's make.default, as part of a larger fix for the SDK bootstrap build.
The SDK bootstrap build was broken in stage 1 since package upgrades
were allowed to leak into that phase.
We now limit stage 1 to only "known good" package ebuilds, which caused
downstream breakage from missing flags in the stage 2 SDK bootstrapping.
This change fixes that breakage.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
- Drop bindist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".
So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92,
which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.
Until we can figure out its real reason, let's temporarily disable
NoNewPrivileges to make the CI pass.
Introduce a USE flag spotlight, to be able to disable the spotlight
backend by default, as it is not needed by Linux.
Introduce a USE flag rededit, to be able to disable the rededit
tool if needed.
Introduce a USE flag glusterfs, to be able to disable the glusterfs
by default.
Introduce a USE flag ntvfs, to be able to disable the ntvfs-fileserver
by default.
Since the docbook-xsl-stylesheets and libxslt are needed only
at build time, we should move those deps to BDEPEND.
Now that portage was updated to the latest version, we should update
EAPI to 7. It is mainly to allow ebuilds to make BDEPEND contain real
build-time dependencies, not runtime ones.
Each Flatcar production image includes a binary `containerd-stress`,
as a part of torcx tarballs.
However it does not seem to be used anywhere.
It looks like a stress testing tool for containerd, so I don't see a
good reason to keep it.
The binary was there since the beginning, via commit
fdd926949a10,
but there is no comment or message about why it was needed.
We can simply remove `containerd-stress`.
generate_patches takes three parameters - a category, a package name
and a description. Invoking the function like `generate_patches
sys-kernel coreos-{sources,modules,kernel} Linux` makes "sys-kernel"
to be a category, "coreos-sources" to be a package name and
"coreos-modules" to become a description, while "coreos-kernel" and
"Linux" are simply ignored.
It has worked so far only because coreos-sources was first in the list
and that's where the actual changes in Manifest file happened. Had the
order of the packages been different, the workflow would be
broken. Since only coreos-sources was modified and all worked fine,
simplify the call to generate-patches.
This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The updated portage-utils brings in two more tools, qmanifest and
qtegrity. They pull in some new dependencies. Since we didn't
have those tools before, we can live without them for a little while
longer.
We don't want to have separate /bin, /lib, /usr/bin and /usr/lib
directories. The former two are meant to be symlinks to the latter
two. The `split-usr` USE flag gets enabled with the profiles update in
portage-stable, so before doing the update, clear the flag in the
overlay.
This is not done for SDK images, since they seem to have split /usr on
purpose.
It is not used anywhere during the build process, thus drop
it. Dropping it makes it easier to port this ebuild to python3, since
there will be only one script to port to python3. The
`emerge-gitclone` script will need porting anyway, because it imports
portage code, which will become python3 after the update.
Most likely the package should be then renamed to
`coreos-base/emerge-gitclone`, but this can be done later.
Now that Docker 1.12 is gone, we can delete go 1.6 completely.
Note, we do not delete go 1.7, which is still needed by containerd 0.2.6
and docker 17.03.
Now that docker 1.12 is gone, we can delete `app-emulation/runc`
1.0.0_rc2, which had dependency on docker 1.12.
Note, we do not delete `app-emulation/docker-runc` 1.0.0_rc2, because
that one is needed by Docker 17.03.
Delete torcx config file needed only for Docker 1.12.
Note, let's keep the remaining file name as before,
`docker-1.12-no.json`, to be consistent with naming scheme of
the torcx repo itself of Flatcar.
One of the torcx profiles in Flatcar is for docker 1.12, which is
outdated since a long time. It takes ~27 MB of space in production
images almost for no reason.
We can and should delete docker 1.12.
After deletion:
```
$ df -h /usr
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/usr 985M 843M 91M 91% /usr
```
Using the change in https://github.com/kinvolk/init/pull/34
we can show the OEM on the motd, and by including "Pro" in the OEM
name we can also show whether it is a Pro image or not. Later this
may be revisited if the /usr/../os-release file is the place for it.
Update to 1.19.0, to keep up with recent releases of cri-tools.
Note that we should not simply update to 1.20.0, because its crictl
binary file is 30M, which is bigger than the usual size.
On the other hand, crictl 1.19.0 is only 21M.
To optimize the binary size of crictl, make use of the existing
helpers provided by `coreos-go.eclass`.
Add "-X $(PROJECT)/pkg/version.Version=$(VERSION)" to GO_LDFLAGS,
as the original cri-tools Makefile does.
Note, we cannot run the native command like `emake crictl`, because
the cri-tools Makefile does not allow custom env variables like
BUILDTAGS or GO_LDFLAGS to be configured.
Add `arm64` to ACCEPTED_KEYWORDS.
Remove unnecessary files from installation, as well as the bash
completion eclass.
The bootstrapping script relies on /etc/docker existing, but this
directory doesn't exist on vanilla Flatcar. Add the missing call to
mkdir -p /etc/docker before the directory gets used.
Also, update the upstream files to their latest version.
The systemd.eclass was not finding the systemd pkg-config file to
figure out the system unit directory, so it was falling back to a
hardcoded default (`/lib/systemd/system`). In one case (when
overriding the `default.target` symlink), we tried to fix that by
specifying the `PKG_CONFIG_LIBDIR` environment variable, but that
still did not help.
Using functions from `systemd.eclass` in a systemd ebuild is working
only by chance here. This eclass is usually meant for ebuilds that
depend on systemd and rely on systemd being already installed in the
root filesystem.
The functions in `systemd.eclass` that need to figure out some values
from systemd's pkg-config file (like system unit directory) assume
that systemd is already installed in the root filesystem, which is not
the case when we actually are building and installing systemd.
To add insult to injury, `systemd.eclass` is not using
pkg-config directly, but rather a shell script that wraps pkg-config
(for example `/usr/bin/x86_64-cros-linux-gnu-pkg-config`). The script
clobbers the environment variables like `PKG_CONFIG_PATH` or
`PKG_CONFIG_LIBDIR`, which is why overriding them did not work when
fixing up the `default.target` symlink. Thus `systemd.eclass` was
actually falling back to a hardcoded default value. The only way to
control the script is through either SYSROOT or ROOT environment
variables. So do so.
This fixes merging the installed files into root file system using a
newer version of portage. The failure was that systemd build system
installs the `default.target` symlink in `/usr/lib/systemd/system`
pointing to `graphical.target`, while we later try to override it to
point it to `multi-user.target`. But instead of overriding a symlink,
we installed a new symlink in `/lib/systemd/system`. Both `/lib` and
`/usr/lib` are separate directories in the temporary installation
directory, but in root filesystem, both are symlinks pointing to the
same directory. Which means that we ended up with two different
symlinks in temporary installation directory, and the new portage
version could not decide which one to use during the merge into the
root filesystem. I'm not sure what old portage version did here,
likely worked by chance too.
The security patch that was brought in has stricter permission checks
which cause the service to fail:
ERROR: TCSD config file (/etc/tcsd.conf) must be user/group root/tss
Set the expected file ownership and permissions.
https://github.com/kinvolk/Flatcar/issues/335
Now that `dev-libs/nss` is removed from the dependencies list of
hard-host-depends, the SDK does not include `dev-libs/nspr` any more.
As a result, `dev-lang/spidermonkey` fails to build, because it requires
`dev-libs/nspr` in the SDK. It is not sufficient to have nspr under
`/build/amd64-usr`.
Add `dev-libs/nspr` back to the dependencies of `hard-host-depends`,
to make it included in the SDK.
This change adds a new flatcar-eks package, that ships with all scripts
needed to join a Flatcar instance to an EKS cluster.
It includes the bootstrap.sh script used on Amazon Linux, to keep
compatibility with existing provisioning tools.
The package is included from the oem-ec2-compat package, when the board
is aws_pro, and it's part of board-packages, so that it's built by the
os/board/packages job.
It used to be a dependency of upstart and ureadahead, both dropped
a long, long time ago. Also drop nih-dbus-tool, which was built from
upstart too.
Found this out when updated profiles in portage-stable masked the
library.
Replace the use of deprecated git eclass with git-r3 and bump the
commit version to latest version. This version dropped a dependency on
jq.
It is a breaking change for users of mkova.sh, since it has changed
the order of parameters to allow passing multiple vmdk files to it.
When building `net-libs/nghttp2` needed by curl 7.74, build fails
when checking for prerequisites of boost libs.
```
configure:20402: checking whether the Boost::ASIO library is available
configure:20433: x86_64-cros-linux-gnu-g++ -std=c++14 -c -O2 -pipe
-mtune=generic -g conftest.cpp >&5
configure:20433: $? = 0
configure:20447: result: yes
configure:20540: error: Could not find a version of the library!
```
To avoid such issues, we should disable the `cxx` USE flag for
`net-libs/nghttp2`.
It's really a hindrance during bootstrap, and we would be looking into
ways of making an exception for openssl anyway. Using
package.accept_restrict file does not do the trick, apparently because
of catalyst using its own portage config.
It seems that there is no "kernel" mirror specified in third party
mirrors files in profiles any more. And gentoo seems to have switched
to direct kernel.org URLs anyway, probably because kernel.org is using
also some mirroring system, so we don't have to. Also, this syslinux
version is quite old, so if its tarball ever was on distfiles mirror,
it's gone by now.
The target methods have undergone significant refactoring. The return
value is no longer a TargetResult, it's just a Target. And also the
vendor is now part of the options.
When Docker/containerd binaries are compiled with Go 1.15 the
containers generate many signal 23 (SIGURG) events which flood
monitoring systems:
https://github.com/kubernetes/kops/issues/10388
The SIGURG signal does not kill the process but is generated by Go
runtime scheduling:
https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
Because the Go runtime does not know if the process expects external
SIGURG signals, the signal is not filtered out but reported to the
process: https://github.com/golang/go/issues/37942
The process has to filter this signal out itself before forwarding it
to, e.g., child processes or logs.
This change was introduced with the Go 1.15 update (actually Go 1.14,
but Flatcar skipped that for Stable). However, while containerd has
some workarounds in place, e.g., in
https://github.com/containerd/containerd/pull/4532, there are still
areas where the signal is not handled correctly.
Until this is the case, downgrade to use the Go 1.13 compiler for
Docker/containerd binaries.
See https://github.com/kinvolk/Flatcar/issues/315
So far all sed expressions have used correct regular expressions around
semantic versions, around `.`. As a result, they matched strings even
without correct dots in place.
We need to escape the dot correctly.
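As an added illustration (not code from the repository, and the function names are assumptions), the following POSIX shell helper escapes the dots of a version string before using it in a sed expression, and a second helper shows the false match that the unescaped pattern produces:

```shell
# Added example, not part of coreos-overlay: escape the dots of a version
# string so that sed matches them literally instead of as "any character".
escape_dots() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Replace version OLD ($1) with NEW ($2) in the line given as $3,
# matching OLD only where the dots really are dots.
replace_version() {
    old_re=$(escape_dots "$1")
    printf '%s\n' "$3" | sed "s/$old_re/$2/"
}

# The unescaped variant described above: "." matches any character, so a
# line containing "5x10x6" is rewritten as if it contained "5.10.6".
replace_version_unescaped() {
    printf '%s\n' "$3" | sed "s/$1/$2/"
}
```

With constructed input, `replace_version 5.10.6 5.10.7 'KV=5.10.6'` yields `KV=5.10.7` and leaves `KV=5x10x6` untouched, whereas the unescaped variant rewrites the latter too.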
Since Kernel 5.10, GitHub Actions simply stopped working.
What happens is that `KV_MAIN` gets passed as an environment variable to
the inline script, but not as a string but as a float, because it contains `.`.
Apparently the last digit of the misinterpreted float number is
afterwards simply dropped by the YAML parsing library used by GA.
As a result, `KV_MAIN` becomes `5.1` instead of `5.10`, `versionMain`
becomes simply `5.10`, not `5.10.6`. Then in the next steps,
both `VERSION_NEW` and `VERSION_OLD` become `5.10`, and the script
thinks it is already the latest version, so simply does not create a new
pull request.
It was not an issue when Kernel version is <= 5.9, because no digit
got dropped from the variable. Now the hidden issue was uncovered.
Simply set `KV_MAIN` or others explicitly as strings, by adding quotes,
to avoid such issues.
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update their configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switched to the default location.
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.
Fixes https://github.com/kinvolk/Flatcar/issues/311
The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enforced there:
https://github.com/kinvolk/baselayout/pull/13
The [repo v2.10](https://groups.google.com/g/repo-discuss/c/rpSfMCl83Sk)
was released dropping python2 support. As a result, every `repo init`
failed to run. To unblock CI builds, we released mantle
[v0.15.2](https://github.com/kinvolk/mantle/releases/tag/v0.15.2),
including a workaround to set the target branch to
[`maint`](https://gerrit.googlesource.com/git-repo/+/refs/heads/maint),
which still supports python2. Now with cork v0.15.2, `cork create` or
`cork update` will work well for now.
However, the current state is quite fragile. It will get broken again
when the upstream `maint` branch changes. We should update
`dev-vcs/repo` in coreos-overlay to 2.x with python3, and get it
included in Flatcar SDK, so we could later set the target branch in
mantle back to `stable`.
At the moment, none of the source repos has the tarball for repo 2.10,
neither GCS nor Gentoo distfiles. So for now we update it to 2.8.
It will be linked to python 3.6 in Flatcar SDK.
Also note that we do not have to keep `files/repo-1.25` script in the
coreos-overlay repo, because the script is simply identical to the
upstream `repo` script. I am not sure why the third-party script was
there in the first place. So simply remove the script.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging. This package does not depend on virtual/pam outright, but
let's avoid having an out-of-date comment.
The version now matches what is in Gentoo, despite being almost, but
not quite, entirely unlike the upstream recipe. The rename is needed,
because some packages may depend on a newer pambase after they are
updated.
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
Qemu has enabled `jpeg` USE flag since the beginning, without any
reason specified. As a result, qemu pulls in unnecessary packages,
`virtual/jpeg` as well as `media-libs/libjpeg-turbo`. However,
Flatcar runs qemu always with `-display none` option. So the `jpeg`
flag is not needed at all.
Simply remove `jpeg` USE flag from qemu.
Before applying Flatcar patches to bsdiff, sync with upstream Gentoo,
so the ebuilds could make use of EAPI=7.
Also drop third-party patches, to be able to start from scratch.
Doing that we can fix [CVE-2014-9862](https://nvd.nist.gov/vuln/detail/CVE-2014-9862),
an integer signedness error in bspatch.c. The vulnerability allows remote
attackers to execute arbitrary code or cause a denial of service
(heap-based buffer overflow) via a crafted patch file.
Since Gentoo already has the third-party patch, we can simply make
use of it.
See also https://bugs.gentoo.org/701848,
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4d7646f1d69.
A symlink `vimdiff` should not be created, if the USE flag `minimal` is
enabled. Otherwise running `vimdiff` results in failure like that:
```
$ vimdiff aaa bbb
This Vim was not compiled with the diff feature.
```
GitHub Actions for Rust started failing with the following errors:
```
Error: Unable to process command '::set-env name=PULL_REQUEST_NUMBER::718' successfully.
Error: The `set-env` command is disabled. Please upgrade to using
Environment Files or opt into unsecure command execution by setting the
`ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For
more information see:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```
It happens because we have used peter-evans/create-pull-request@v2,
which did not have a bug fix for the set-env issue.
The bug was fixed in create-pull-request
[v3.4.1](https://github.com/peter-evans/create-pull-request/releases/tag/v3.4.1).
So we just need to update the version to `v3`, which already includes
v3.4.1.
# Enables Raspberry Pi 4 PHY
The following one-line change enables the kernel module to be built, enabling the Raspberry Pi 4 PHY and thereby the on-board NIC.
# How to use
Build it and boot it :)
# Testing done
Validated the config change against known working 5.8.y kernels on the Pi4.
The kola tests fail to download during the release because the
artifacts of the release have not been pushed to the website yet.
This adds the logic to check if the URL returns 200, and only then download,
or else fall back to the GCS bucket URL.
This commit also changes a bug with the check to see if nvidia
is installed or required.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This commit adds amba-4.11-fix-glibc-2.32-function-collisions.patch
which fixes compile breakage in a test shipped with Samba-4.11.
The test defines functions which are now shipped with glibc-2.32.
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This PR includes the necessary changes to upgrade the SDK compiler to gcc-9.3.0.
It also changes the gdb-9.2 recipe to work with the Flatcar SDK.
The changes include:
- sys-devel/gdb/gdb-9.2.ebuild: use EAPI6 to work around BDEPEND emerge bug
- update sys-libs/nss-usrfiles to nss-usrfiles-2.30.ebuild to support glibc > 2.29
- update sys-kernel/README.md to call out need for updating kernel-headers, perf
- add sys-libs/glibc/README.md outlining our changes to the glibc recipe
- update profiles/coreos/base/package.accept_keywords to include new toolchain
The change also adds a README to
sys-libs/glibc/README.md
and it improves on a README in
sys-kernel/README -> sys-kernel/README.md
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Enable CONFIG_OVERLAY_FS_METACOPY, metadata only copy up feature
in overlayfs. When turned on, overlayfs will only copy up metadata
when a metadata specific operation like chown/chmod is performed.
The full file will be copied up later when the file is opened for a WRITE
operation. More or less like a delayed data copy-up operation.
Enable CONFIG_OVERLAY_FS_REDIRECT_DIR, which is equivalent to
"redirect_dir=on" in the kernel command-line. When turned on, overlayfs
will copy up directory first, before the actual contents.
See also https://github.com/kinvolk/Flatcar/issues/170
To build Kernel with `CONFIG_DEBUG_INFO_BTF`, we need to make `pahole`
in dwarves included in the Flatcar SDK.
To do that, we need to make it accept `~amd64` keywords for dwarves
and binutils.
Also enable USE flag `python_single_target_python3_6` for dwarves.
CONFIG_POWER_SUPPLY enables the power supply class used to represent
battery, UPS, AC or DC power supply properties to user-space.
It defines a core set of attributes, which should be applicable to
most power supplies out there.
See also https://github.com/kinvolk/Flatcar/issues/215.
CONFIG_BPF_JIT_ALWAYS_ON enables BPF JIT and removes BPF interpreter
to avoid speculative execution of BPF instructions by the interpreter.
See also https://github.com/kinvolk/Flatcar/issues/185.
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We need to filter not only `-Wl,-O1`, but also other flags like
`-Wl,-O2`, `-Wl,-Og`, `-Wl,-Os`, etc. Otherwise, the SDK build would fail,
for example, because its default `$LDFLAGS` includes `-Wl,-O2`.
We need to manually strip only the optimization element of
comma-separated flags, e.g. from `-Wl,-O1,-s` to `-Wl,-s`.
To support multiple characters that can follow `-O`, e.g. `-Ofast`,
we should use regexp like `[[:alnum:]]*`.
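As an added example (not the eclass's own code; the function name is an assumption), here is a POSIX shell helper that removes only the `-O*` element from each `-Wl,` flag in an `LDFLAGS` string, keeping the other comma-separated elements and leaving compiler flags such as `-O2` untouched. It goes slightly beyond the case in the message by also handling an `-O` element that is not the first one after `-Wl,`:

```shell
# Added example, not part of coreos-go.eclass: strip the linker
# optimisation element from every -Wl, flag in the string passed as $1.
#   "-Wl,-O1 -Wl,--as-needed" -> "-Wl,--as-needed"
#   "-Wl,-O1,-s"              -> "-Wl,-s"
#   "-O2 -Wl,-Ofast,-s -pipe" -> "-O2 -Wl,-s -pipe"
strip_ld_opt() {
    out=""
    for flag in $1; do
        case "$flag" in
            -Wl,*)
                kept="-Wl"
                rest="${flag#-Wl,}"
                old_ifs=$IFS
                IFS=,
                for elem in $rest; do
                    case "$elem" in
                        # -O followed by any alnum run: -O1, -Og, -Os, -Ofast
                        -O|-O[[:alnum:]]*) ;;
                        *) kept="$kept,$elem" ;;
                    esac
                done
                IFS=$old_ifs
                # nothing but the -O element was left: drop the flag entirely
                if [ "$kept" = "-Wl" ]; then
                    continue
                fi
                flag=$kept
                ;;
        esac
        out="${out:+$out }$flag"
    done
    printf '%s\n' "$out"
}
```

Splitting on commas in the shell instead of running one sed expression over the whole string avoids the need for a regular expression that anchors the element at the start, middle or end of the comma list; the `[[:alnum:]]` class is the same one the message suggests for the characters that may follow `-O`.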
The repo `github.com/flatcar-linux/mantle` has been moved to
`github.com/kinvolk/mantle`. However, GitHub Actions still fetch cork
binaries from the original URL, by running `curl` without `-L`. So the
request does not get redirected to the new URL. As a result,
`CORK_VERSION` becomes null.
Fix it by replacing `flatcar-linux` with `kinvolk`, as well as adding
`-L` to the curl command, just in case.
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See https://github.com/golang/go/issues/42559.
However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:
```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```
We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
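The two commit messages above (filtering `-Wl,-O1` and its siblings with a `[[:alnum:]]*`-style match, and dropping the flag before the Go runtime build) describe the same string surgery. The following is an added example, not code from the overlay or from either commit: a hypothetical POSIX sh helper that removes only the `-O…` element from each `-Wl,` group, keeps the remaining comma-separated elements, and leaves compiler-side flags such as a bare `-O2` alone. It assumes `expr` supports POSIX bracket expressions, which GNU and BSD `expr` do.

```shell
#!/bin/sh
# Remove the optimisation element (-O1, -O2, -Og, -Os, -Ofast, ...) from every
# -Wl,... linker flag group in an LDFLAGS string, leaving the other
# comma-separated elements (for example -s or --as-needed) intact.
# Hypothetical helper written for this example, not the overlay's own eclass code.

strip_wl_opt() {
    set -f                      # no pathname expansion while we split on words
    _out=''
    for _flag in $1; do
        case $_flag in
            -Wl,*)
                _kept=''
                _rest=${_flag#-Wl,}
                _oldifs=$IFS; IFS=','
                for _elem in $_rest; do
                    # the rule from the commit: drop "-O" followed by any alphanumerics
                    if expr "x$_elem" : 'x-O[[:alnum:]]*$' >/dev/null; then
                        continue
                    fi
                    _kept="${_kept:+$_kept,}$_elem"
                done
                IFS=$_oldifs
                # drop the whole -Wl, group when the -O element was its only content
                if [ -n "$_kept" ]; then
                    _out="${_out:+$_out }-Wl,$_kept"
                fi
                ;;
            *)  # compiler-side flags such as -O2 are not linker flags; keep them
                _out="${_out:+$_out }$_flag" ;;
        esac
    done
    set +f
    printf '%s\n' "$_out"
}

# The exact string go_export sets, which Go 1.15.5 rejects for cgo:
strip_wl_opt '-Wl,-O1 -Wl,--as-needed'   # -Wl,--as-needed
```

Splitting on words first and on commas second is what keeps `-Wl,-O1,-s` turning into `-Wl,-s` rather than into a dangling `-Wl`, and it is also why a standalone `-O2` (a compiler optimisation level, not a linker flag) survives untouched.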
Although `dev-libs/cyrus-sasl` pulls in `net-mail/mailbase`, the
mailbase package is not needed at all.
Simply mark it as provided, to make it build without mailbase.
Also enable python_single_target_python3_6 for tdb, talloc, tevent.
Remove unnecessary arm64 keywords.
Clean up unnecessary USE flags.
At the moment bind-tools does not enable `gssapi`, so its `nsupdate`
tool is also not able to run `realm` command. As a result, configure
script of `sssd` fails when running `echo realm | nsupdate`, like
`syntax error`.
To avoid such issues, we need to disable the nsupdate check for now.
After we could enable `gssapi` for the SDK correctly, we can bring back
the nsupdate check in the future.
Now that the upstream sssd 2.3.1 does not support `--runstatedir` option
from its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`.
Instead we need to pass `runstatedir=` to emake commands.
In the past we
[enabled](https://github.com/flatcar-linux/coreos-overlay/commit/172d9311bacd)
the USE flag `gssapi` only for amd64, not for arm64. We did so to
avoid build issues that only happened for arm64.
However, that change caused interesting side effects in the SDK, where
bind-tools ended up being compiled without `gssapi`. It means, tools
like `nsupdate` in the SDK are not able to deal with certain commands
like `realm`. As a result, configure scripts in packages like
`sys-auth/sssd` fail, because they cannot run commands like
"echo realm | nsupdate".
We should bring the `gssapi` USE flag back to the SDK, to avoid such
issues in the future.
The `BDEPEND` is a build-time requirement, so it should not be included
in the whole `DEPEND` list. If it is, an installation of
`sys-auth/sssd` causes other dependencies to be installed not only in
the `/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.
Update sys-auth/sssd, by syncing with upstream Gentoo.
Mainly needed by net-fs/samba 4.11.
Also resolves CVE-2018-16883, CVE-2019-3811, CVE-2018-16838.
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
Original-by: David Michael <dm0@redhat.com>
https://github.com/flatcar-linux/coreos-overlay/commit/8445f8b4386a
The key server currently doesn't work. Since that key is not used
currently, but rather the key we have hosted on our web server, we can
remove this failing step to restore GitHub Actions.
Apply Flatcar-specific changes, like below:
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
Original-by: David Michael <dm0@redhat.com>
6fd490ebfefd ("sys-apps/shadow: Apply CoreOS changes")
Enable Kernel config for PSI (Pressure Stall Information), which might
help system administrators to detect bottlenecks in CPU, memory and IO
in an easy way.
```
$ zgrep -i _psi /proc/config.gz
CONFIG_PSI=y
$ ls -l /proc/pressure/
-r--r--r--. 1 root root 0 Oct 7 11:56 cpu
-r--r--r--. 1 root root 0 Oct 7 11:56 io
-r--r--r--. 1 root root 0 Oct 7 11:56 memory
$ cat /proc/pressure/cpu
some avg10=0.13 avg60=0.68 avg300=0.28 total=1195993
$ cat /proc/pressure/io
some avg10=0.00 avg60=1.11 avg300=0.68 total=2828208
full avg10=0.00 avg60=0.91 avg300=0.56 total=2334731
$ cat /proc/pressure/memory
some avg10=0.00 avg60=0.00 avg300=0.00 total=0
full avg10=0.00 avg60=0.00 avg300=0.00 total=0
```
See also https://www.kernel.org/doc/html/latest/accounting/psi.html ,
https://facebookmicrosites.github.io/psi/docs/overview
Fixes https://github.com/flatcar-linux/Flatcar/issues/162
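The `/proc/pressure` output quoted in the commit above is line-oriented key=value text, so a monitoring hook can read it without extra tooling. The following is an added example, not part of the commit or of Flatcar: a POSIX sh/awk helper that extracts one PSI field and flags a resource when its stall average crosses a threshold. The sample text is constructed in the same format as the commit's `/proc/pressure/io` output; note that `/proc/pressure/cpu` may carry only a `some` line, which the helper treats as "no value" rather than as a stall.

```shell
#!/bin/sh
# Parse PSI lines ("some avg10=.. avg60=.. avg300=.. total=..") and flag a
# resource whose stall average exceeds a threshold. Hypothetical helper
# written for this example, not Flatcar code.

# Constructed sample in the /proc/pressure/io format (not real measurements).
PSI_IO_SAMPLE='some avg10=0.00 avg60=1.11 avg300=0.68 total=2828208
full avg10=0.00 avg60=0.91 avg300=0.56 total=2334731'

# psi_get TEXT LINE FIELD: print FIELD (avg10/avg60/avg300/total) from the
# "some" or "full" line of TEXT; prints nothing when the line or field is absent.
psi_get() {
    printf '%s\n' "$1" | awk -v line="$2" -v field="$3" '
        $1 == line {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == field) { print kv[2]; exit }
            }
        }'
}

# psi_over TEXT LINE FIELD THRESHOLD: exit 0 when the value exceeds THRESHOLD
# (a percentage for avg*, microseconds for total), 1 otherwise or if missing.
psi_over() {
    _v=$(psi_get "$1" "$2" "$3")
    [ -n "$_v" ] || return 1
    awk -v v="$_v" -v t="$4" 'BEGIN { exit !(v + 0 > t + 0) }'
}

# psi_report TEXT NAME THRESHOLD: one-line summary of the "full" avg60 stall,
# the figure that means every task was blocked on NAME for that share of time.
psi_report() {
    if psi_over "$1" full avg60 "$3"; then
        printf '%s: full stall avg60=%s%% exceeds %s%%\n' \
            "$2" "$(psi_get "$1" full avg60)" "$3"
    else
        printf '%s: ok\n' "$2"
    fi
}

# Live use on a PSI-enabled kernel would pass "$(cat /proc/pressure/io)" instead.
psi_report "$PSI_IO_SAMPLE" io 0.5   # io: full stall avg60=0.91% exceeds 0.5%
```

Thresholding on `full` rather than `some` avoids alerting on ordinary contention: `some` rises whenever any task waits, `full` only when nothing on the system is making progress on that resource.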
Use host tool when building cross.
Bump revision to -r1.
Adjust the patch on top of dbus-glib 0.110.
Original-by: Geoff Levand <geoff@infradead.org>
6d7756b77b10 ("dev-libs/dbus-glib: Fix cross compile build error")
We have these patches in v245 too. I have missed them when doing the
update to v246, because apparently I have assumed that our flatcar
branches are more or less some upstream branch/tag + our patches on
top. That assumption was wrong and it surfaced when I rebased the
v245-flatcar branch to the v245.8 tag.
Our current cros-workon setup was awkward to use when a new patch
release happened on upstream. In this case we would go to our
`v<VERSION>-flatcar` branch and merge/cherry-pick the commits from
upstream that appeared between the release we have been using so far
and the new release. In such case, our non-upstreamed patches were
hidden somewhere in history. To fix that, I proposed having a branch
for each patch release, so the branch would always be based on an
upstream tag and have our patches on top of that. An alternative
proposition was to just use the Gentoo workflow for patches, and this
is what we are doing here.
This also slightly minimizes the difference between the Gentoo recipe
and ours.
To be able to update `dev-util/gdbus-codegen` to 2.64.5, we need to
specify a single target python3.6 for gdbus-codegen.
Without it, it is not possible to emerge gdbus-codegen, because
it thinks there are multiple python single targets for the package.
Now that Go 1.10 has been removed, we can remove `dev-lang/go:1.10`
from the SDK dependencies list.
Instead add `dev-lang/go:1.15` to the SDK dependencies list.
So far Flatcar has kept a third-party patch to add a blank kernel
module `nf-conntrack-ipv4.ko` to avoid regression around Kubernetes.
The issue was that kube-proxy with ipvs started using `nf-conntrack.ko`,
which does not exist in Kernel < 4.19. The patch was originally added by
a24dbb6cb6.
However, Kubernetes 1.13 or newer already deals with the issue. It
automatically loads a different Kernel module according to Kernel
versions: `nf-conntrack-ipv4` for Kernel < 4.19, and `nf-conntrack`
for Kernel >= 4.19.
See 4b90559369 .
We can simply remove the Kernel module, as since then all production
systems have updated Kubernetes to the newer versions than 1.13.
The diffutils package provides the "cmp" and "diff" tools which are
essential commands in shell scripts. They used to be pulled in by
audit but the update in
https://github.com/flatcar-linux/coreos-overlay/pull/537
caused them to be dropped.
Add them to the explicit list of base packages to ensure they are
installed.
Rust stage0 tarballs should not be based on a patchlevel release like
`1.45.1`. It might work in the case of the previous version 1.45.1, which
already exists. However, it will not work in case x.y.1 is missing.
So the build of rust 1.47.0 should pull tarballs for rust 1.46.0 instead
of 1.46.1, which does not exist.
Because the --root option restricts systemd-tmpfiles to the passwd
database file in the package chroot it can't resolve the core user
and fails to set up the home folder from the baselayout-home.conf
directives.
Create the folder manually because creating a /etc/passwd file in
the package chroot would at installation overwrite the SDK user.
This reverts commit c414b38c7c56dafb05a86040443c634763527f05.
The real DNS server IP addresses should be in /etc/resolve.conf and not
just 127.0.0.53 because all cases that bind-mount /etc/resolve.conf
into a new network namespace can't reach the loopback interface that
resolved is listening on.
systemd-tmpfiles in systemd v246 requires the user/group databases in
the custom root if it gets passed with --root flag. This requires a
new version of baselayout to be pulled, so do so.
DTC (Device Tree Compiler) source tree in Flatcar Kernel modules
unnecessarily takes too much space, especially the `include-prefixes`
directory.
```
$ sudo du -a /usr/lib64/modules/$(uname -r)/source/ | sort -n -r | head -n5
130100 /usr/lib64/modules/5.8.11-flatcar/source/
69180 /usr/lib64/modules/5.8.11-flatcar/source/include
56324 /usr/lib64/modules/5.8.11-flatcar/source/scripts
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc
50728 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/include-prefixes
$ sudo ls /usr/lib64/modules/$(uname -r)/source/scripts/dtc/include-prefixes/
arc arm arm64 c6x dt-bindings h8300 microblaze mips nios2 openrisc powerpc sh xtensa
```
Most of them are for architectures that are not supported by Flatcar, so
we can remove them from the production image.
OTOH, as `dt-bindings` looks more like an architecture-independent one,
for now we keep it.
Before:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
250308 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 934152 21592 98% /usr
```
After:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
6632 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
205144 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 907628 48116 95% /usr
```
Compress every kernel module with xz (lzma), to make more free space
in the rootfs.
Before:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
90472 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
After:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
26908 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 845468 110276 89% /usr
```
Add new binaries containerd-runc-shim-v[12] to the torcx tarballs for
docker and containerd. The binaries are necessary for kubelet to
communicate via custom CRI endpoints.
The addition will cause usage of the /usr partition to grow by ~5M.
```
$ ls -l /run/torcx/unpack/docker/bin
-rwxr-xr-x. 1 root root 6742592 Sep 30 13:22 containerd-shim
-rwxr-xr-x. 1 root root 9095176 Sep 30 13:22 containerd-shim-runc-v1
-rwxr-xr-x. 1 root root 9111752 Sep 30 13:22 containerd-shim-runc-v2
$ ls -l /usr/share/torcx/store/docker\:19.03.torcx.tgz
-rw-r--r--. 1 root root 89809888 Sep 30 14:16 /usr/share/torcx/store/docker:19.03.torcx.tgz
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
Note, we do not touch other torcx profiles like docker 1.12 or 17.03,
to keep the image size as small as possible.
The use flag enables building audisp, auditd, aureport, ausearch and
probably some other tools. Not sure what the reason is for adding such
a use flag other than disabling the build of the binaries. The daemon
use flag is nowhere set, so these things are not built by default.
The ebuild is in the portage-stable repository but we need this patch in
coreos-overlay to avoid this error:
> The following keyword changes are necessary to proceed:
> (see "package.accept_keywords" in the portage(5) man page for more details)
> # required by sys-apps/systemd-245-r3::coreos[seccomp]
> # required by app-misc/ca-certificates-3.27.1-r1::coreos
> # required by dev-libs/openssl-1.1.1g::coreos
> # required by net-misc/rsync-3.2.3::portage-stable[-libressl,ssl,-static]
> # required by sys-apps/portage-2.3.40-r1::coreos[-build]
> # required by app-admin/perl-cleaner-2.27::portage-stable
> # required by dev-lang/perl-5.26.2::portage-stable
> # required by sys-apps/help2man-1.45.1::portage-stable
> # required by sys-devel/automake-1.16.1-r1::portage-stable
> # required by dev-libs/libxml2-2.9.8::portage-stable
> # required by x11-misc/shared-mime-info-1.4::portage-stable
> # required by dev-libs/gobject-introspection-1.40.0-r1::portage-stable
> # required by sys-auth/polkit-0.113-r5::coreos[introspection]
> =sys-libs/libseccomp-2.5.0 ~amd64
The savedconfig feature reads and, if not set, generates a file under
/etc/portage/savedconfig/ to source a build configuration. We probably
don't want this and specially not on the final image, therefore,
disable reading and also don't write the file to the final image.
These normally would be pulled by `systemctl enable` when enabling
systemd-networkd.service, because they are used in Also= options. In
such case, we need to pull them ourselves, so they can be enabled in
/usr, not in /etc.
We are installing systemd from scratch in the image, so there are no
previously enabled units to enable or reenable after
installation. Also, this code would enable the services in /etc, which
we don't want, because /etc is not autoupdated, so the enabled
services could end up still being disabled after the update.
At installation time, we usually want to enable services through
/lib. This change will stop the installation from putting symlinks
for getty in /etc, since we already do it in /lib.
Since v242, this unit is not enabled by default. Currently the
recommended way of initial enablement of the important units is
through `systemctl preset-all` with the preset file from systemd. We
don't want to do it, because this action creates symlinks in /etc, so
we enable those services ourselves by putting the symlinks in /lib.
Since sqlite 3.32 or newer requires dev-lang/tcl to be available in
the Flatcar SDK by default, we should add dev-lang/tcl in the dependency
list of SDK.
Update srctree path to correctly populate the Makefile for sandbox
environments. The patch is adjusted for 5.x kernels.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The build for arm64 currently fails because it tries to build the
oslogin package but the package is marked as amd64-only.
Exclude the oslogin package from arm64 images.
Since sqlite 3.32.0, the Gentoo ebuild does not deal with the non-full archive,
but fetches only the full archive. On top of that, the upstream sqlite's
full archive requires `tclsh` to be installed on the host system. Since
Flatcar SDK does not include `dev-lang/tcl`, it is not possible to build
sqlite from the full-archive. It means that we need to either make the
Flatcar SDK include `dev-lang/tcl`, (which takes time) or bring back the
non-full archive mechanism just like ebuilds from sqlite 3.31.x.
So adapt the full-archive patches on top of the non-full archive.
Make the ebuild fetch the non-full archive.
GCE recommends images to ship Python in them. Instead of shipping the
binaries inside our vendor partition, install an alias that will
download the latest official container, for both python2 and python3.
We were setting `CONFIG_VGACON_SOFT_SCROLLBACK=y`, but this config
option was deleted with 20782abbbdfe922496a28f9cc0c3c0030f7dfb8f, due to
security issues.
Remove the config to let the kernel image build again.
This change updates to the latest oslogin version provided by Google.
Since our last update, this was split into a different repo and the
directory structure changed significantly.
It also added group support, which needed to be added to the
nsswitch.conf file that we ship.
Flatcar users require docker group permissions, so ensure oslogin gives
that permission by shipping a separate group.conf file that gets
installed when oslogin is enabled.
The qemu update caused several errors:
* We currently don't have Python 3.8 available in the SDK, so adding it in
the PYTHON_COMPAT field causes a build failure.
* The manifest needed to be updated
* A patch file was missing
This commit fixes these errors and makes the package build.
Since rsync 3.2.0, the ebuild sets `--enable-simd` option in case of
amd64. However, the cross toolchain in Flatcar SDK is not able to deal
with the SIMD feature, so configure in rsync fails like:
```
gcc version 8.3.0 (Gentoo Hardened 8.3.0-r1 p1.1)
configure.sh:3774: $? = 0
configure.sh:3763: x86_64-cros-linux-gnu-g++ -V >&5
x86_64-cros-linux-gnu-g++: error: unrecognized command line option '-V'
x86_64-cros-linux-gnu-g++: fatal error: no input files
compilation terminated.
```
Until we could resolve the toolchain issue, we should disable
`cpu_flags_x86_sse2`, to disable simd for rsync.
Improve body text of each PR for `dev-lang/rust`, by mentioning that
it should be merged together with its paired PR in portage-stable.
Explicitly name `dev-lang/rust` instead of `Rust`, because now there are
`dev-lang/rust` as well as `virtual/rust`.
Rename the dispatched event-type name to `rust-pull-request-main`, as
`cargo` has already disappeared.
Make the repository-dispatch action send additional client-payload with
a field `coreos-overlay-pull-request-number`, which will be later used
by the corresponding PR in portage-stable for adding a link back to the
PR in coreos-overlay.
This will not be enabled by default, and still requires the "lockdown"
kernel parameter. Users can test by setting in
`/usr/share/oem/grub.cfg`:
```
set linux_append="lockdown=integrity"
```
After this is set, in the dmesg output you'll see:
```
[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
```
Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
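The commit above describes enabling lockdown support and opting in with `lockdown=integrity` on the kernel command line, with dmesg as the confirmation. A defender usually wants a scriptable check rather than a dmesg grep; the following is an added example, not part of the commit or of Flatcar. It assumes the standard securityfs interface `/sys/kernel/security/lockdown`, which prints the available modes with the active one in brackets (for example `none [integrity] confidentiality`), and `/proc/cmdline` for what was requested. Both inputs are passed as strings so the functions run against constructed samples here and against the live files on a host.

```shell
#!/bin/sh
# Verify that kernel lockdown is actually in effect and matches what the boot
# command line asked for. Hypothetical helper written for this example.

# lockdown_from_cmdline CMDLINE: value of the last lockdown= parameter, or "none".
lockdown_from_cmdline() {
    _mode=none
    for _p in $1; do
        case $_p in
            lockdown=*) _mode=${_p#lockdown=} ;;
        esac
    done
    printf '%s\n' "$_mode"
}

# lockdown_from_securityfs TEXT: the bracketed (active) mode from the
# /sys/kernel/security/lockdown line, e.g. "none [integrity] confidentiality".
lockdown_from_securityfs() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# lockdown_check CMDLINE SECFS: exit 0 when the active mode is not "none" and
# matches the requested one; exit 1 (with a reason) otherwise. A mismatch means
# the parameter was dropped, overridden, or the running kernel lacks support.
lockdown_check() {
    _want=$(lockdown_from_cmdline "$1")
    _have=$(lockdown_from_securityfs "$2")
    if [ -z "$_have" ] || [ "$_have" = none ]; then
        echo "lockdown not active (requested: $_want)"
        return 1
    elif [ "$_have" != "$_want" ]; then
        echo "lockdown mode mismatch: requested $_want, active $_have"
        return 1
    fi
    echo "lockdown active: $_have"
}

# Constructed samples (not captured from a real host):
lockdown_check 'BOOT_IMAGE=/flatcar/vmlinuz-a console=ttyS0 lockdown=integrity' \
               'none [integrity] confidentiality'
# Live use, with securityfs mounted (systemd does this by default):
#   lockdown_check "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/lockdown)"
```

Checking securityfs rather than only the command line matters because the parameter is silently ignored on a kernel built without lockdown support, which is exactly the state this commit moves Flatcar out of.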