While the execution of the unit may succeed by finding the executables
by searching the current PATH, calling `systemd-analyze verify` on the
units fails because this requires an absolute path.
When listing kernel modules to decide which firmware should be shipped
together with the image, we need to now list both compressed and
uncompressed module.
Fixes: kinvolk/Flatcar#359
In https://github.com/kinvolk/coreos-overlay/pull/875 the repository
was switched to a fork from the archived upstream repository. However,
the ebuild was still using a reference to an old squashed Flatcar build
bot commit from the git-sync times that was only present in our old
repository.
Switch to a reference to the latest commit on the new repository which
in fact does not introduce any changes.
Since rkt will be deprecated soon, we should make toolbox run docker
instead of rkt.
Also delete dependency on `app-emulation/rkt`, and update hyperlinks.
It pulls in https://github.com/kinvolk/toolbox/pull/1 .
This change adds the USE flag cros_host to the
SDK's make.default, as part of a larger fix for the SDK bootstrap build.
The SDK bootstrap build was broken in stage 1 since package upgrades
were allowed to leak into that phase.
We now limit stage 1 to only "known good" package ebuilds, which caused
downstream breakage from missing flags in the stage 2 SDK bootstrapping.
This change fixes that breakage.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".
So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92,
which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.
Until we could figure out its real reason, let's temporarily disable
NoNewPrivilges to make the CI pass.
Introduce a USE flag spotlight, to be able to disable the spotlight
backend by default, as it is not needed by Linux.
Introduce a USE flag rededit, to be able to disable the rededit
tool if needed.
Introduce a USE flag glusterfs, to be able to disable the glusterfs
by default.
Introduce a USE flag ntvfs, to be able to disable the ntvfs-fileserver
by default.
Since the docbook-xsl-stylesheets and libxslt are needed only
at build time, we should move those deps to BDEPEND.
Now that portage was updated to the latest version, we should update
EAPI to 7. It is mainly to allow ebuilds to make BDEPEND contain real
build-time dependencies, not runtime ones.
Each Flatcar production image includes a binary `containerd-stress`,
as a part of torcx tarballs.
However it does not seem to be used anywhere.
It looks like a stress testing tool for containerd, so I don't see a
good reason to keep it.
The binary was there since the beginning, via commit
[fdd926949a10](fdd926949a),
but there is no comment or messages why it was needed.
We can simply remove `containerd-stress`.
generate_patches takes three parameters - a category, a package name
and a description. Invoking the function like `generate_patches
sys-kernel coreos-{sources,modules,kernel} Linux` makes "sys-kernel"
to be a category, "coreos-sources" to be a package name and
"coreos-modules" to become a description, while "coreos-kernel" and
"Linux" are simply ignored.
It has worked so far only because coreos-sources was first in the list
and that's where the actual changes in Manifest file happened. Had the
order of the packages been different, the workflow would be
broken. Since only coreos-sources was modified and all worked fine,
simplify the call to generate-patches.
This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
