libseccomp calls which in its ./configure script so when building stage3
if which isn't already there the build will fail. This is quick fix.
Reported upstream: https://bugs.gentoo.org/show_bug.cgi?id=502084
I misunderstood the documentation for systemd-tmpfiles, if a string to
write to a file is provided it will always write it, even if the file
already exists and doesn't need to be created. This means that using
tmpfiles to initialize /etc/group results appending each boot.
Instead use a little script instead, also initialize passwd and shadow
so that the `passwd` command works for the core user.
Make use of the systemd eclass where applicable.
In the last patch I modified docker-0.8.1.ebuild directly. That was
wrong. This time I copy the ebuild, add the epatch and leave
docker-0.8.0 unmodified. This also changes the patch to reflect what is
waiting for a merge upstream.
This package is based exclusively on the Mozilla certificate store
distributed in their NSS library and adopts NSS's version accordingly.
It replaces the previous Gentoo package which came directly from Debian.
The Debian package package had a couple issues we didn't like:
- Trusts the http://cacert.org root CA which isn't the worst thing in
the world to do but seems like a really bad default policy to ship.
- update-ca-certificates had a confusing configuration/hook scheme
which seemed almost useful but completely obnoxious and useless to
CoreOS at the same time. systemd-tmpfiles plus a simpler script does
a better job for us.
The python script certdata2pem.py came from Debian's source package
ca-certificates_20130119 and modified slightly. It is only used at
build-time to convert the file format used by NSS to PEM files.
The old packages used dates as the version, this one uses the NSS
library the certificate store came from as the version. This may cause
an issue if packages from Gentoo depend on >=ca-certificates-20080809 or
similar. Currently the only packages in Gentoo that do so are
sci-misc/boinc and www-client/epiphany, neither of which will ever be
needed in CoreOS so we should be OK.
While attempting to fix the easy to mix up DIGESTS names in feb59db9f I
stumbled across yet another way that the DIGESTS names were a bit
unpredictable: previously a .bz2 got stuck into the file name when
upload_images automatically compressed some file types. The new code
missed this and never added the .bz2. Correct this now, both for
image_to_vm which has a pile of glue to keep the legacy names in place
for now and build_image which I never intended to change.
Switch to portage's default (wget) for fetching. wget is nice and
reports the URL it is downloading while curl does not. This makes
understanding errors like '404' actually somewhat possible.
The --checkpoint arg to tar didn't serve much of a useful purpose as far
as I know besides adding to the build noise. Just drop it.
- Add || die to commands without them to avoid missing errors.
- Symlink resolv.conf to /run on amd64-generic images again.
- Properly sed /etc/issue out of tmpfiles.
- Fix symlinks for mtab and sudo.
- Fix directory ordering in tmpfiles.
- Update groups, a few were missing or incorrect.
- Bump coreos-base/coreos revision.
This replaces the old Gentoo baselayout and coreos-base packages.
Changes include:
- Move nss data files from /etc to /usr/share/baselayout
- Enable nss-usrfiles module to use the new location.
- Move other misc files from /etc to /usr/share/baselayout, using
compatibility symlinks in /etc generated by tmpfiles.
- All base system directories can be generated by tmpfiles.
- No more /etc/gentoo-release
- Simplified code, doesn't bother trying to migrate lib symlinks and
simply fails if the existing filesystem is incorrect.
- In /usr images the `core` user's UID/GID is now 500 to keep us within
the reserved system UID/GID space. Eventually once the SDK switches
to this the `core` user will not conflict with the local developer's
account. It also makes it clearer what range people can use when
creating accounts in /usr images. No other UID/GIDs are changing.
- New eclass to let ebuilds run the equivalent of `tmpfiles --create`.
In the future this may be replaced by calling `tmpfiles` directly
once it has a `--root` argument but I haven't pushed those patches
upstream for review yet.
This simplifies the build process, we have no need for trousers or other
tpm related things from ChromeOS. Bump vboot_reference so it no longer
needs trousers as a build dependency.
I would like to phase out parallel_emerge so disable it for all commands
other than build_image which is the only one that shows a noticeable
benefit from it (~2 min with --fast, ~3 min with --nofast).
Current version (openssl-1.0.1c) is old and has a parallel-make build
issue that can cause the build to fail randomly. Upgrade time!
New stable version is openssl-1.0.1f
