6710 Commits

Author SHA1 Message Date
Kai Lüke
8727d0fc62 app-emulation/containerd: Switch to default socket location
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update their configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switch to the default location.
2021-01-11 12:09:41 +01:00
Kai Lüke
e4760d942c sys-apps/systemd: Switch back to using a merged /etc/resolv.conf
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
2021-01-08 13:29:12 +01:00
Kai Lüke
79878e9388 coreos-base/afterburn: Restart on failure and keep unit active
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.

Fixes https://github.com/kinvolk/Flatcar/issues/311
2021-01-07 20:20:41 +01:00
Kai Lüke
ebba6e5e1a app-emulation/containerd: Disable shim debug logs
Debug output clutters the logs which with K8s liveness/readiness probes
quickly becomes a problem.

Fixes https://github.com/kinvolk/Flatcar/issues/313
2021-01-06 12:49:20 +01:00
Flatcar Buildbot
28c90ee8b9 dev-lang: Upgrade dev-lang/rust 1.48.0 to 1.49.0 2021-01-05 08:02:08 +00:00
Kai Lüke
e4cfa10306 sys-apps/baselayout: Point to latest repo state
This pulls in
https://github.com/kinvolk/baselayout/pull/10
https://github.com/kinvolk/baselayout/pull/14
https://github.com/kinvolk/baselayout/pull/11
to configure systemd-resolved.
2021-01-04 19:14:22 +01:00
Kai Lüke
29ba53843b Merge pull request #730 from f0o/issue-285-full
Update systemd-9999.ebuild to use systemd-resolved's stub resolver
2021-01-04 19:10:39 +01:00
Marga Manterola
0f7d620c01 Merge pull request #759 from kinvolk/firmware-20201218-main
Upgrade Linux Firmware in main from 20201118 to 20201218
2021-01-04 18:53:00 +01:00
Marga Manterola
63d3279946 Merge pull request #760 from kinvolk/marga-kinvolk/linux-5.10.4
Move main to kernel 5.10.4
2021-01-04 18:50:14 +01:00
Margarita Manterola
015d4701ef Move to kernel 5.10
With this change, we start tracking linux 5.10. Only a couple of config
changes were necessary:

1. Explicitly include `CONFIG_IP6_NF_IPTABLES`, as it's no longer
   implicitly included.
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=144b0a0e608690d46e9a77819249bdd8d23bdcb6

2. Move `CONFIG_EFI_VARS` to amd64 only, as it's no longer available on
   non Intel platforms. It's been replaced by `CONFIG_EFIVARS_FS` which
   is already enabled on the common config.
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=963fabf37f6a94214a823df0a785e653cb8ad6ea
2021-01-04 18:49:28 +01:00
Margarita Manterola
181c13bddc Track latest init commit
Needed for kinvolk/Flatcar#278
2021-01-04 17:44:22 +01:00
Flatcar Buildbot
d11f86c31c sys-kernel: Upgrade Linux Firmware 20201118 to 20201218 2020-12-24 07:22:34 +00:00
Dongsu Park
6c2015484a sys-kernel: enable CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF enables debug info for BTF (BPF Type Format) and
CO-RE (BPF compile once, run everywhere).

See also https://github.com/kinvolk/Flatcar/issues/225.
2020-12-18 10:44:25 +01:00
Dongsu Park
842daeb3d2 Merge pull request #747 from kinvolk/rust-1.48.0-main
Upgrade dev-lang/rust in main from 1.47.0 to 1.48.0
2020-12-17 12:40:51 +01:00
Dongsu Park
84b0d50108 Merge pull request #743 from kinvolk/linux-5.9.14-main
Upgrade Linux Kernel in main from 5.9.12 to 5.9.14
2020-12-16 08:02:51 +01:00
Dongsu Park
8fa4a13cb5 Merge pull request #664 from kinvolk/dongsu/sqlite-gentoo
dev-db/sqlite: move to portage-stable
2020-12-15 14:26:03 +01:00
Kai Lüke
eb0bb3ba0c sys-apps/baselayout: Point to latest repo state
This pulls in
https://github.com/kinvolk/baselayout/pull/13
to set sysctl rp_filter=0 and reorder how the configs are applied.
2020-12-15 11:48:38 +01:00
Kai Lüke
fc82b5c839 Merge pull request #746 from kinvolk/kai/systemd-drop-sysctl-patches
sys-apps/systemd: Drop sysctl rp_filter patches
2020-12-15 11:16:20 +01:00
Dongsu Park
dc53e59e55 dev-lang/rust: adjust patches for 1.48.0
Adjust third-party patches to fix build issues.
2020-12-15 08:51:39 +01:00
Flatcar Buildbot
f20064e51a dev-lang: Upgrade dev-lang/rust 1.47.0 to 1.48.0 2020-12-15 07:43:37 +00:00
Dongsu Park
3455ae56ec Merge pull request #735 from kinvolk/firmware-20201118-main
Upgrade Linux Firmware in main from 20200918 to 20201118
2020-12-15 07:39:45 +01:00
Kai Lüke
86afa84167 sys-apps/systemd: Drop sysctl rp_filter patches
The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enfored there:
https://github.com/kinvolk/baselayout/pull/13
2020-12-14 20:50:37 +01:00
Flatcar Buildbot
d5d99ca731 sys-kernel: Upgrade coreos-kernel 5.9.12 to 5.9.14 2020-12-12 07:24:43 +00:00
Dongsu Park
7ec2d64d25 dev-vcs/repo: enable keywords for Flatcar
Enable keywords `amd64` and `arm64` for Flatcar.

It is based on the previous commit:
[ea5698d5879f](https://github.com/kinvolk/coreos-overlay/commit/ea5698d5879f)
("Add arm64 keywords")
2020-12-11 15:26:59 +01:00
Dongsu Park
d229df3c79 dev-vcs/repo: sync with Gentoo for repo 2.8
The [repo v2.10](https://groups.google.com/g/repo-discuss/c/rpSfMCl83Sk)
was released dropping python2 support. As a result, every `repo init`
failed to run. To unblock CI builds, we released mantle
[v0.15.2](https://github.com/kinvolk/mantle/releases/tag/v0.15.2),
including a workaround to set the target branch to
[`maint`](https://gerrit.googlesource.com/git-repo/+/refs/heads/maint),
which still supports python2. Now with cork v0.15.2, `cork create` or
`cork update` will work well for now.

However, the current state is quite fragile. It will get broken again
when the upstream `maint` branch changes. We should update
`dev-vcs/repo` in coreos-overlay to 2.x with python3, and get it
included in Flatcar SDK, so we could later set the target branch in
mantle back to `stable`.

At the moment, none of the source repos has the tarball for repo 2.10,
neither GCS nor Gentoo distfiles. So for now we update it to 2.8.
It will be linked to python 3.6 in Flatcar SDK.

Also note that we do not have to keep `files/repo-1.25` script in the
coreos-overlay repo, because the script is simply identical to the
upstream `repo` script. I am not sure why the third-party script was
there in the first place. So simply remove the script.
2020-12-11 15:26:57 +01:00
Kai Lüke
ca5095f497 app-emulation/containerd: Enable the CRI plugin
Kubernetes uses containerd through the cri plugin which currently is
disabled due to it listening on a TCP port. Now the plugin is not
listening on a TCP port anymore but uses the same socket as gRPC.
We have documented how to enable it in
https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-from-docker-to-containerd-for-kubernetes/
but it should work by default.

Fixes https://github.com/kinvolk/Flatcar/issues/283
2020-12-11 13:03:27 +01:00
Flatcar Buildbot
aa0b1e443d sys-kernel: Upgrade Linux Firmware 20200918 to 20201118 2020-12-10 07:09:38 +00:00
Dongsu Park
33bd8598d5 Merge pull request #732 from kinvolk/dongsu/pam-1.5.1
sys-libs/pam: update to 1.5.1, fix auth issues
2020-12-09 18:09:12 +01:00
Dongsu Park
018f7dc11e sys-apps/baselayout: fix auth issue with pam 1.4
Without the fix, no ssh login works, no console login works.
2020-12-09 18:08:41 +01:00
Dongsu Park
b6784e0c3e Merge pull request #733 from kinvolk/dongsu/github-actions-firmware
.github: add Github Actions for auto-updating linux-firmware
2020-12-09 18:05:49 +01:00
Dongsu Park
7b6879079e Merge pull request #728 from kinvolk/dongsu/bsdiff-CVE-2014-9862
dev-util/bsdiff: sync with Gentoo for integer signedness error
2020-12-09 18:04:18 +01:00
Dongsu Park
57e725117f sys-libs/pam: use PATCHES for third-party patches
We should use PATCHES for the list of third-party patches, especially
for EAPI=7.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
5515bbfefb sys-auth/polkit: Replace virtual/pam with sys-libs/pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
f8db3e5f92 sys-auth/google-oslogin: Replace virtual/pam with sys-libs/pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
dcb37a9320 app-emulation/open-vm-tools: Update a comment about pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging. This package does not depend on virtual/pam outright, but
let's avoid having an out-of-date comment.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
34d4663480 sys-auth/pambase: Add README.md 2020-12-09 14:51:36 +01:00
Krzesimir Nowak
be676d7d13 sys-auth/pambase: Bump dep versions 2020-12-09 14:51:36 +01:00
Krzesimir Nowak
aec4bfa44f sys-auth/pambase: Update stub version
The version now matches what is in Gentoo, despite being almost, but
not quite, entirely unlike upstream recipe. The rename is needed,
because some packages may depend on a newer pambase after they are
updated.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
035c9ad5ce sys-libs/pam: Add README.md 2020-12-09 14:51:33 +01:00
Dongsu Park
38004f9962 .github: add Github Actions for auto-updating linux-firmware
Add Github Actions for coreos-firmware, just like other Kernel packages,
basically to detect new releases from the upstream linux-firmware repo.
2020-12-09 14:36:07 +01:00
Krzesimir Nowak
a0156ce756 sys-libs/pam: Make /sbin/unix_chkpwd suid
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
2020-12-08 18:40:03 +01:00
Krzesimir Nowak
660d0f310b sys-libs/pam: Install configuration into /usr
Also provide a tmpfiles fragment to bring it back.
2020-12-08 18:40:03 +01:00
Krzesimir Nowak
77d03afebf sys-libs/pam: Locked accounts functionality 2020-12-08 18:40:03 +01:00
Krzesimir Nowak
e13fd9d00b sys-libs/pam: Add a comment about a base version of the recipe 2020-12-08 18:40:03 +01:00
Krzesimir Nowak
8a585bd57a sys-libs/pam: Import pam 1.5.1 from gentoo
Import sys-libs/pam 1.5.1 from upstream Gentoo, mainly to address
CVE-2020-27780, a flaw in the way it handles empty passwords for
non-existing users. When the user doesn't exist PAM try to authenticate
with root and in the case of an empty password it successfully
authenticate.

https://github.com/linux-pam/linux-pam/issues/284
https://github.com/linux-pam/linux-pam/pull/300
2020-12-08 18:39:58 +01:00
Dongsu Park
f940214eff Merge pull request #729 from kinvolk/dongsu/delete-jpeg
profiles: disable jpeg for qemu
2020-12-07 17:19:10 +01:00
Flatcar Buildbot
a0f2fe0981 dev-lang: Upgrade Go 1.15.5 to 1.15.6 2020-12-07 07:34:41 +00:00
Daniel Preussker
f23b12e478 Update systemd-9999.ebuild 2020-12-04 18:31:51 +01:00
Dongsu Park
b0de6ba96e profiles: disable jpeg for qemu
Qemu has enabled `jpeg` USE flag since the beginning, without any
reason specified. As a result, qemu pulls in unnecessary packages,
`virtual/jpeg` as well as `media-libs/libjpeg-turbo`. However,
Flatcar runs qemu always with `-display none` option. So the `jpeg`
flag is not needed at all.

Simply remove `jpeg` USE flag from qemu.
2020-12-04 16:39:54 +01:00
Dongsu Park
50bfd50100 dev-util/bsdiff: apply Flatcar changes
Apply existing Flatcar changes on top of vanilla Gentoo ebuilds.
Basically add arm64 keyword, and apply the sais patch.

It is based on the following commits:

[4ee6aa895a02](https://github.com/kinvolk/coreos-overlay/commit/4ee6aa895a02) ("Add arm64 keywords")
[60d47e7359d1](https://github.com/kinvolk/coreos-overlay/commit/60d47e7359d1) ("Change suffix sort to sais-lite")
2020-12-04 15:18:47 +01:00