Update the changelog entry to include information about OEM sysexts
being signed and built during the image phase.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
Move OEM sysext building from the vms phase to the image phase. This
ensures OEM sysexts are signed with the same ephemeral key as other
sysexts, which is generated during image build and discarded afterward.
- Add create_oem_sysexts() to build all OEM sysexts during image build
- Add oem_sysexts.sh with OEM sysext definitions
- Update install_oem_sysext() to use prebuilt sysexts
- Add OEM sysext download to vms.sh for CI builds
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
We removed the sysext compression, because double compression is
redundant for sysexts stored in an already compressed BTRFS /usr. However,
OS-dependent sysexts that are downloaded on-demand were now also
uncompressed. This commit brings back the compression via the
SYSTEMD_REPART_MKFS_OPTIONS_EROFS option.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
Generate an ephemeral sysext signing key that is injected into the
image's sysext root of trust. All OS-dependent sysexts will be signed by
this key and the private key (stored in /tmp) will be discarded on SDK
container exit.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
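The ephemeral-key lifecycle the commit above describes (generate a key during the build, sign every OS-dependent sysext with it, keep the public half as the root of trust, discard the private half when the build environment goes away) can be reproduced in miniature with plain OpenSSL. This is an added illustration, not the project's build code: it uses RSA via `openssl dgst` rather than whatever the real build uses, and the directory layout, file names and the sample artifact are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original commits or the project's scripts.
# Emulates: ephemeral signing key -> sign artifacts -> keep only the public
# key as the root of trust -> private key is discarded. Paths are assumptions.
set -eu

# Generate a throwaway RSA key pair in a private scratch directory.
# (In the real build the private key lives in /tmp and disappears with the SDK container.)
gen_ephemeral_key() {
  keydir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$keydir/sysext.key" 2>/dev/null
  openssl pkey -in "$keydir/sysext.key" -pubout -out "$keydir/sysext.pub" 2>/dev/null
}

# Sign one artifact; produces <artifact>.sig next to it.
sign_artifact() {
  privkey="$1"; artifact="$2"
  openssl dgst -sha256 -sign "$privkey" -out "$artifact.sig" "$artifact"
}

# Verify an artifact against the public root of trust; exit status 0 on success.
verify_artifact() {
  pubkey="$1"; artifact="$2"
  openssl dgst -sha256 -verify "$pubkey" -signature "$artifact.sig" "$artifact" >/dev/null 2>&1
}

# Full lifecycle; prints "ok" if every step behaves as the commit message promises.
ephemeral_signing_demo() {
  work="$(mktemp -d)"
  trap 'rm -rf "$work"' EXIT

  # Constructed stand-in for a sysext image (real sysexts are EROFS images).
  printf 'fake sysext contents\n' > "$work/oem-example.raw"

  gen_ephemeral_key "$work"
  sign_artifact "$work/sysext.key" "$work/oem-example.raw"

  # The public key is what gets injected into the image's root of trust;
  # the private key is discarded and must not be needed from here on.
  rm -f "$work/sysext.key"

  verify_artifact "$work/sysext.pub" "$work/oem-example.raw" || { echo "verify failed"; return 1; }

  # A modified artifact must no longer verify against the same signature.
  printf 'tampered\n' >> "$work/oem-example.raw"
  if verify_artifact "$work/sysext.pub" "$work/oem-example.raw"; then
    echo "tampered artifact verified"; return 1
  fi

  # Without the private key no new signature can be produced in this environment.
  [ ! -e "$work/sysext.key" ] || { echo "private key still present"; return 1; }

  echo ok
}
```

Run `ephemeral_signing_demo` in a shell with OpenSSL installed; it prints `ok` when signing, verification, tamper detection and key disposal all behave as expected. The important property for the build is the last step: once the private key is gone, nothing outside the original build can mint a signature that the image's root of trust will accept.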
We only allow one version of Python in the SDK and generic images, but
this creates friction during the SDK build where the seed still has
an old version of Python and the stage1 is supposed to have the new
one, and thus we end up with slot conflicts for python packages - I
don't really understand what is going on (there are python packages in
the seed image that are built for old Python and emerge wants to
install the same packages in the seed but built for the new Python and
it can't work its way around it.)
Allowing both versions of Python to coexist in stage1 seems to be
moving things forward. Stage3 image (stage2 is skipped) will contain
only the new version of Python.
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Try to do it in a kinda-sorta proper Gentoo way - with
PYTHON_TARGETS and PYTHON_SINGLE_TARGET variables in
make.defaults. Still need to disable all other versions of python,
otherwise our settings get merged with settings from base Gentoo
profiles, which currently enable python 3.13. And we also need to keep
masking the other python versions, because emerge still for some
reason wants to install python 3.13 or 3.14 for some packages, despite
the settings in PYTHON_TARGETS.
We are not bumping to 3.13, because sec-policy/selinux-base
PYTHON_COMPAT is still on at most 3.12.
Note that this change still allows python 3.11 in PYTHON_TARGETS for a
transition period. Otherwise the SDK builds do not go past stage1. We
only restrict generic images to 3.12, otherwise we would end up
with two python versions installed in sysext images.
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>