flannel uses an init container to pull CNI from container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`.
Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created - which avoid to
run `restorecon` on `/etc/cni`.
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
The patches applies does not make sense to be removed, hence it would
be better to move `expat` back to portage-stable
Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit 8d040f93c289.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that the OEM partition is a btrfs partition with compression, we have
enough space to install ssm agent.
This reverts commit b6abb59c544be13e923a3e7240b5c9395c281fca.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The ebuild was missing a call to go_export() which exports GOARCH, and so was
always built for host architecture. While COREOS_GO_VERSION was specified as
go1.12, src_compile() has to use '${EGO}' to make use of it, so we were
building with go1.16 (latest). Upstream builds with 1.12 for this version, so
we will do the same.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Sysroot-wrappers contains binaries installed to /usr/lib64/sysroot-wrappers,
but the profile referenced them through the 'lib -> lib64' symlink. Stop
relying on that symlink, which is not present in arm64 profiles, and is
not part of 17.1 amd64 profiles.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
With the switch from rkt to systemd-nspawn the ability for the service
to set the routing entries for the TCP load balancer got lost,
resulting in an unreachable LB as reported in
https://github.com/kinvolk/Flatcar/issues/459
The fix also reported there is to retain CAP_NET_ADMIN when starting
the service.
Btrfs filesystems do not support a non-standard 64k page size on arm64
when the filesystem was created by a 4k page size system.
Use the default page size for arm64 to ensure compatibility with
btrfs filesystems created by amd64 systems.
With the default gzip compression the 60 MB limit for the vmlinuz
bundle of kernel+initramfs was reached. The limit comes from the size
of the /boot partition which is 128 MB large and the kernel needs to
fit twice, in addition to GRUB.
Use zstd for the initramfs as it provides a similar speed but better
compression. For the kernel we can't switch yet to zstd for arm64
but for amd64 it works.
Due to unnecessary wildcard listings, ebuild files including all rc or
beta are being listed. Since `VERSION_OLD` is already generated as a
unique version, we do not need to list multiple files to filter by
running `head -n1` etc. We just need to use only the specific ebuild.
Simply list only the unique ebuild file.
Before passing runc versions to `sed '/-/!{s/$/_/}'`, we need to replace
`_` with `-`, because runc tarball files already have names like
`1.0.0_rc2`. Without the fix, version sort would `1.0.0` come before
`1.0.0_rc2`, which is not expected in the later steps.
This does not work because the host and cross rust targets share the
same name. This needs to be reworked to (potentially) enable x86 cross
targets for aarch64 targets.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
glib-utils are used during the build so they need to be part of host
dependencies for update_engine. This only really pops up during a repeat
bootstrap, when update_engine is being built from source but glib has
been installed from a binary. BDEPEND would be the correct variable but
that requires EAPI=7, so additionally added it to DEPEND for now.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
kola-data and google-cloud-sdk install pre-built amd64 binaries, so
there's no point installing them right now. Both could be made to work
at a later time. iucode and syslinux and are x86 specific and won't
build. selinux related packages *currently* don't work/build on arm64
but could be made to work.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Where the packages are part of coreos-overlay, I keyworded the ebuilds
directly to the same level of stability as amd64. Other packages have
been keyworded through the profile, as close to the amd64 level as I
could manage.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and
exec from init to unconfined
- add AVC patch for local login and journald
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Update-bootengine chroots into the sysroot and runs dracut from there.
Dracut 053 has revised TMPDIR handling and the portage TMPDIR prefixed
with ROOT leaks into the chroot. This causes dracut to abort during
setup with the error message "invalid tmpdir".
Override TMPDIR before running update-bootengine to allow dracut to
function.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Flatcar uses custom networking scripts in initramfs, so the dracut iscsi
module needs to be patched to account for that.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Add Flatcar specific patch to enable the iscsi module
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Update commit to 6a4ff4ca879082c07353dd379439c437cbe27e18, to sync with
the current main branch.
Pulls in https://github.com/kinvolk/updateservicectl/pull/6 .
Also update Go import paths to `github.com/kinvolk/updateservicectl`.
Also set `COREOS_GO_GO111MODULE=on` because updateservicectl now relies
on Go module.
Set PYTHON_COMPAT to python 3.6 and 3.7 to be suitable for the current
code base.
Add a custom patch to replace error with warning when running autoconf
for cross builds, because libkrb5 is not able to detect
cross-compilation.
See also https://github.com/kinvolk/Flatcar/issues/369 .
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We experience an issue with glibc-2.33 which causes all binaries in the
OS image to end up not stripped, which would increase the size of the OS
image threefold.
The change masks glibc-2.33 for all architectures, so the build will
default on glibc-2.32 until we have fixed the issue.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Sync with Gentoo to update intel-microcode to 20210608,
mainly to address CVE-2020-24489, CVE-2020-24511, CVE-2020-24513.
Gentoo ref: 66c8a60ea74e8ed2391c9fdff749c65eb0f398ff
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Now that lz4 was updated to 1.9.3-r1, systemd has to depend on
lz4 >= 1.9.3-r1, so that its dependency graph during the SDK stage3
could be generated correctly.
Without that change, the preclean of SDK stage3 could fail because of
an inverted dependency order between systemd and lz4, like following:
```
emerge --depclean --with-bdeps=y
...
* Dependencies could not be completely resolved due to
* the following required packages not being installed:
*
* >=app-arch/lz4-0_p131:0/r131=[abi_x86_64(-)] pulled in by:
* sys-apps/systemd-247.6
```
Stage3 first runs `emerge --quiet --usepkg --buildpkg
--binpkg-respect-use=y --newuse -e --update --deep --with-bdeps=y @system`,
which works well.
After that, only the stage3 (no other stages) runs preclean, which in fact
runs `emerge --depclean --with-bdeps=y` to clean up unnecessary ebuilds.
That's where it fails.
That happens because systemd still depends on lz4 0_p131. As a result, the
main installation step of stage3 seems to first install systemd 247, and
after that it updates lz4 to 1.9.3-r1. Then systemd thinks it still depends
on 0_p131. When doing it the other way around, the dependency graph is
correctly generated, first lz4 1.9.3-r1, then systemd 247.
We disable SELinux because Flatcar doesn't properly support it and it
was causing labeling problems when running runc containers with
NoNewPrivileges or seccomp.
These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.
Instead, we'll disable SELinux support in the Docker daemon in the next
commit.
Go import path of torcx has changed from coreos to flatcar-linux,
aef371c76b
So we need to fix the import path also in torcx ebuilds.
Otherwise build will simply fail due to wrong import paths.
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 6c0c1c8806bedcc164e5bd3541ab50b2c21e2498 .
Since containerd 1.5 started to turn on Go module, we need to pass
`-mod=vendor` to the go build command.
Otherwise, go build will fail because it would try to fetch missing
go deps from remote repos. It would not work inside of sandbox.
We cannot set `COREOS_GO_MOD=vendor` because containerd ebuild calls
`emake` instead of `go_build`.
Since coreos-firmware 20210511, `cxgb4/t[4-6]fw*.bin` files have a new
version '1.25.4.0'. We need to update the file name pointed by symlinks.
Otherwise build fails due to broken symlinks.
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/bootengine/pull/24
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/init/pull/40
* Drop the dependency on `sec-policy/selinux-dbus`
* Drop machine-id generation
* Stabilize both keywords `amd64` and `arm64` to build it.
* Do not add a third-party patch for CVE-2019-12749 again, as the fix is
already included in dbus >= 1.10.29.
Loosely based on a409238795c44dabfd16e466c8433a89f5f0844f and
e458211c8418462f4bd4d4536dc96f62380a22cf .
The upstream changed the way the default percentage value, and
make the property partially dynamic.
Upstream ref: https://github.com/systemd/systemd/pull/14007Fixes#382
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tar ball.
To replace rkt with systemd-nspawn, extract the tar ball to an
image and run the daemon as systemd-nspawn container.
Having the hostname units as required by the initrd.target meant that if
the unit failed (for example because the network was or the metadata
service were down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change pulls in the latest bootengine version, that enables ISCSI
support in dracut and avoids tearing down the network when using netroot
See https://github.com/kinvolk/bootengine/pull/22 for more information.
This reverts commit f8dda51d546b466d9faf0c936b2ad5592ab1639e.
Recently we dropped `bindist` from `RESTRICT` in openssl, so it is
now possible to turn on `ssl` for wget again. The issue of openssl being
blocked by `masked by: bindist in RESTRICT` etc. has now disappeared.
Fixes https://github.com/kinvolk/Flatcar/issues/149
For some reason, the old version of boost-build 1.67 is still here.
As we already have boost-build 1.75 in portage-stable, we should
completely delete boost 1.67.
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
We need to customize dracut. Currently the version in portage-stable is
picked because it's newer than the one in coreos-overlay. This commit
updates coreos-overlay to the same versions available in portage-stable.
This pulls in
https://github.com/kinvolk/baselayout/pull/17
to enable the pam_faillock module as replacement for pam_tally2.
The "faillock" binary can be used to see the login attempts and
account lock status which before was available with the pam_tally
command. While the tally defaults did not temporarily lock the
account on wrong password login attempts, this is done by default
with faillock. However, the default behavior was relaxed to allow
more wrong attempts and have a shorter lock time span.
As rkt is deprecated we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
Since rkt is deprecated we need to run the etcd container with Docker
or Podman. The etcd-wrapper script is based on rkt arguments and can't
be used in a compatible way but we cannot remove it since ct explicitly
uses it in the ExecStart directive when writing out a drop-in file once
etcd settings are given in a Container Linux Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect.
This commit adds some comments to help other folks to
easily recognize Flatcar-specific code.
Check issue #364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
Cherry-picked from kinvolk/coreos-overlay@d0426cf.
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This commit synchronises ncurses with gentoo/gentoo@69bf5af thus
it updates the package from 6.1-r2 to 6.2-r1.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This pulls in
https://github.com/kinvolk/init/pull/38
to set predictable network interface names as alternative interface
names for virtio devices, and also add a special hardcoded ens4v1
name for GCE because the special udev rule to rename the device
stopped working after the systemd 247 update.
While the execution of the unit may succeed by finding the executables
by searching the current PATH, calling `systemd-analyze verify` on the
units fails because this requires an absolute path.
When listing kernel modules to decide which firmware should be shipped
together with the image, we need to now list both compressed and
uncompressed module.
Fixes: kinvolk/Flatcar#359
In https://github.com/kinvolk/coreos-overlay/pull/875 the repository
was switched to a fork from the archived upstream repository. However,
the ebuild was still using a reference to an old squashed Flatcar build
bot commit from the git-sync times that was only present in our old
repository.
Switch to a reference to the latest commit on the new repository which
in fact does not introduce any changes.
Since rkt will be deprecated soon, we should make toolbox run docker
instead of rkt.
Also delete dependency on `app-emulation/rkt`, and update hyperlinks.
It pulls in https://github.com/kinvolk/toolbox/pull/1 .
This change adds the USE flag cros_host to the
SDK's make.default, as part of a larger fix for the SDK bootstrap build.
The SDK bootstrap build was broken in stage 1 since package upgrades
were allowed to leak into that phase.
We now limit stage 1 to only "known good" package ebuilds, which caused
downstream breakage from missing flags in the stage 2 SDK bootstrapping.
This change fixes that breakage.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".
So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92,
which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.
Until we could figure out its real reason, let's temporarily disable
NoNewPrivilges to make the CI pass.
Introduce a USE flag spotlight, to be able to disable the spotlight
backend by default, as it is not needed by Linux.
Introduce a USE flag rededit, to be able to disable the rededit
tool if needed.
Introduce a USE flag glusterfs, to be able to disable the glusterfs
by default.
Introduce a USE flag ntvfs, to be able to disable the ntvfs-fileserver
by default.
Since the docbook-xsl-stylesheets and libxslt are needed only
at build time, we should move those deps to BDEPEND.
Now that portage was updated to the latest version, we should update
EAPI to 7. It is mainly to allow ebuilds to make BDEPEND contain real
build-time dependencies, not runtime ones.
Each Flatcar production image includes a binary `containerd-stress`,
as a part of torcx tarballs.
However it does not seem to be used anywhere.
It looks like a stress testing tool for containerd, so I don't see a
good reason to keep it.
The binary was there since the beginning, via commit
[fdd926949a10](fdd926949a),
but there is no comment or messages why it was needed.
We can simply remove `containerd-stress`.
generate_patches takes three parameters - a category, a package name
and a description. Invoking the function like `generate_patches
sys-kernel coreos-{sources,modules,kernel} Linux` makes "sys-kernel"
to be a category, "coreos-sources" to be a package name and
"coreos-modules" to become a description, while "coreos-kernel" and
"Linux" are simply ignored.
It has worked so far only because coreos-sources was first in the list
and that's where the actual changes in Manifest file happened. Had the
order of the packages been different, the workflow would be
broken. Since only coreos-sources was modified and all worked fine,
simplify the call to generate-patches.
This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The updated portage-utils bring in two more tools, qmanifest and
qtegrity. They are pulling in some new dependencies. Since we didn't
have those tools before, we can live without them for a little while
longer.
We don't want to have separate /bin, /lib, /usr/bin and /usr/lib
directories. The former two are meant to be symlinks to the latter
two. The `split-usr` USE flag gets enabled with the profiles update in
portage-stable, so before doing the update, clear the flag in the
overlay.
This is not done for SDK images, since they seem to have split /usr on
purpose.
It is not used anywhere during the build process, thus drop
it. Dropping it makes it easier to port this ebuild to python3, since
there will be only one script to port to python3. The
`emerge-gitclone` script will need porting anyway, because it imports
portage code, which will become python3 after the update.
Most likely the package should be then renamed to
`coreos-base/emerge-gitclone`, but this can be done later.
Now that Docker 1.12 is gone, we can delete go 1.6 completely.
Note, we do not delete go 1.7, which is still needed by containerd 0.2.6
and docker 17.03.
Now that docker 1.12 is gone, we can delete `app-emulation/runc`
1.0.0_rc2, which had dependency on docker 1.12.
Note, we do not delete `app-emulation/docker-runc` 1.0.0_rc2, because
that one is needed by Docker 17.03.
Delete torcx config file needed only for Docker 1.12.
Note, let's keep the remaining file name as before,
`docker-1.12-no.json`, to be consistent with naming scheme of
the torcx repo itself of Flatcar.
One of the torcx profiles in Flatcar is for docker 1.12, which is
outdated since a long time. It takes ~27 MB of space in production
images almost for no reason.
We can and should delete docker 1.12.
After deletion:
```
$ df -h /usr
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/usr 985M 843M 91M 91% /usr
```
Using the change in https://github.com/kinvolk/init/pull/34
we can show the OEM on the motd, and by including "Pro" in the OEM
name we can also show whether it is a Pro image or not. Later this
may be revisited if the /usr/../os-release file is the place for it.
Update to 1.19.0, to keep up with recent releases of cri-tools.
Note that we should not simply update to 1.20.0, because its crictl
binary file is 30M, so bigger than the usual size.
On the other hand, crictl 1.19.0 is only 21M.
To optimize the binary size of crictl, make use of the existing
helpers provided by `coreos-go.eclass`.
Add "-X $(PROJECT)/pkg/version.Version=$(VERSION)" to GO_LDFLAGS,
as the original cri-tools Makefile does.
Note, we cannot run the native command like `emake crictl`, because
the cri-tools Makefile does not allow custom env variables like
BUILDTAGS or GO_LDFLAGS to be configured.
Add `arm64` to ACCEPTED_KEYWORDS.
Remove unnecessary files from installation, as well as the bash
completion eclass.
The bootstrapping script relies on /etc/docker existing, but this
directory doesn't exist on vanilla Flatcar. Add the missing call to
mkdir -p /etc/docker before the directory gets used.
Also, update the upstream files to their latest version.
The systemd.eclass was not finding the systemd pkg-config file to
figure out the system unit directory, so it was falling back to a
hardcoded default (`/lib/systemd/system`). In one case (when
overriding the `default.target` symlink), we tried to fix that by
specifying the `PKG_CONFIG_LIBDIR` environment variable, but that
still did not help.
Using functions from `systemd.eclass` in a systemd ebuild is working
only by chance here. This eclass is usually meant for ebuilds that
depend on systemd and rely on systemd being already installed in the
root filesystem.
The functions in `systemd.eclass` that need to figure out some values
from systemd's pkg-config file (like system unit directory) assume
that systemd is already installed in the root filesystem, which is not
the case when we actually are building and installing systemd.
To add an insult to the injury, `systemd.eclass` is not using
pkg-config directly, but rather a shell script that wraps pkg-config
(for example `/usr/bin/x86_64-cros-linux-gnu-pkg-config`). The script
clobbers the environment variables like `PKG_CONFIG_PATH` or
`PKG_CONFIG_LIBDIR`, which is why overriding them did not work when
fixing up the `default.target` symlink. Thus `systemd.eclass` was
actually falling back to a hardcoded default value. The only way to
control the script is through either SYSROOT or ROOT environment
variables. So do so.
This fixes merging the installed files into root file system using a
newer version of portage. The failure was that systemd build system
installs the `default.target` symlink in `/usr/lib/systemd/system`
pointing to `graphical.target`, while we later try to override it to
point it to `multi-user.target`. But instead of overriding a symlink,
we installed a new symlink in `/lib/systemd/system`. Both `/lib` and
`/usr/lib` are separate directories in the temporary installation
directory, but in root filesystem, both are symlinks pointing to the
same directory. Which means that we ended up with two different
symlinks in temporary installation directory, and the new portage
version could not decide which one to use during the merge into the
root filesystem. I'm not sure what old portage version did here,
likely worked by chance too.
The security patch that was brought in has stricter permission checks
which cause the service to fail:
ERROR: TCSD config file (/etc/tcsd.conf) must be user/group root/tss
Set the expected file ownership and permissions.
https://github.com/kinvolk/Flatcar/issues/335
Now that `dev-libs/nss` is removed from the depencencies list of
hard-host-depends, SDK does not include `dev-libs/nspr` any more.
As a result, `dev-lang/spidermonkey` fails to build, because it requires
`dev-libs/nspr` in the SDK. It is not sufficient to have nspr under
`/build/amd64-usr`.
Add `dev-libs/nspr` back to the dependencies of `hard-host-depends`,
to make it included in the SDK.
