`etcd` node's name was defined by `ETCD_NAME`, from `etcd/v3` the server
can't be started with both `ETCD_NAME` and `--name` supplied.
Which leads to three cases:
* `etcd-member.service` starts without further configuration, no issue
since only `ETCD_NAME=%m` is used
* `etcd-member.service` is overrided with a CLC without `name: ` key, no
issue since only `ETCD_NAME=%m` is used
* `etcd-member.service` is overrided with a CLC with a `name: ` key,
there is an issue since in the final service we will have both
`ETCD_NAME=%m` and `--name name-from-clc`
This patch conditionally unset the `ETCD_NAME` in case `--name` is
supplied.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
If we use date format of DD-MM-YYYY in changelog file names, the files
will not sorted by date. e.g. 01-12-2021 will come before 25-11-2021.
Use date format of YYYY-MM-DD to make the files sorted by date.
By accident the upstream files from the example folder got used,
instead of the downstream files that were added in the files/ folder.
Also, the configuration file didn't get installed.
Use the right paths to install the downstream files.
with this patch, we allow `unlabeled_t` to associate to tmpfs
filesystem.
It aims to solve the AVC we have with `torcx` with the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```
It has been not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.
This denial was preventing torcx to finish correctly its setup and so
Docker was not able to start.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Since every tag of the nss Github repo has `_` delimiters, we need to
first use `sort -t_` for sorting, then after that we need to replace `_`
with `.` by calling tr. Without that conversion, the input ebuild file
name will be wrong.
We fixed the issue in all other maintenance branches, but not in main.
Fix that also in main.
Automatically update app-misc/ca-certificates , a derivative of
nss https://hg.mozilla.org/projects/nss . To make things easier,
we simply check for new releases on its Github mirror
https://github.com/nss-dev/nss . When the new latest tag is found,
simply bump the version of ca-certificates ebuild.
There usually exists a way to tell the configure script to use certain
path, so the script won't try to autodetect things. This is a case for
the systemd system unit directory, but apparently not for systemd util
directory. So for the system unit directory, we can forward the path
we received from systemd.eclass' `systemd_get_systemunitdir`, but for
the util directory, we need to hack the script with `sed`. The reason
for this is that autodetected directory will have the sysroot path
prepended twice. The systemd eclass has a workaround for this issue.
Without passing the --with-systemdconfdir flag, the configure script
will query pkg-config for the directory itself. In the
cross-compilation setup that we have, this will result in a path
sysroot prepended to the path twice. systemd.eclass has a workaround
for this issue, but it does not provide an elegant getter of the
system configuration directory, thus we call `_systemd_get_dir`
ourselves.
Normally we use pkg-config to query flags and libraries that are
needed to build things. These are specific to CHOST, and the build
system usually uses pkg-config on CHOST to get those flags and
libraries. But pkg-config is also used to query for the location of
the tools used during the build, and for those we need to use
pkg-config on CBUILD. But the build system is usually using the same
pkg-config for both flags and libs, and for build tools. Which works
fine for typical builds, but breaks for cross builds.
One of such build tools is glib-genmarshal. Fortunately the build
system allows us to override the detection results by passing
GLIB_GENMARSHAL="${some_path}" to the configure script. So do that.
This is to avoid querying pkg-config for this information and
overriding the SYSROOT variable. These hacks seem to be broken with
the change of the pkgconfig implementation.
We know what will the path for the directory of the system units -
it's based on rootprefix that we pass to configure script. So use this
knowledge directly instead of getting it in a roundabout way from
pkg-config file.
The recent keyword cleanup removed two keywords that are necessary to
bootstrap an arm64 sdk: open-vmdk and virtual/cdrtools. Restore them.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
app-editors/nano with `USE=unicode` results in build failures in SDK
stage1, because ncurses >= 6.2_p20210619 which does not have the USE
flag at all.
To fix that, exclude the unicode USE flag from packages.use.force list,
which is defined in portage-stable. We can do that by setting the flag
in package.use.mask.
Systemd during the initrd stage was complaining about the missing
group, which resulted in ignoring some of the udev rules. Let's
placate it by adding sgx to baselayout, so the group is available
during the initrd stage too.
Pulls in https://github.com/flatcar-linux/baselayout/pull/20.
The "create" action became "open", and "remove" became "close". Also
reorder the parameters accordingly (it's a bit different for "open" vs
"create"). Also put the options before specifying the action.
Pulls in https://github.com/flatcar-linux/bootengine/pull/31.
Clean up unnecessary ebuilds from arm64 accept_keywords like below:
app-arch/bzip2 1.0.6-r12 is already stable.
app-crypt/mit-krb5 1.19.2 is already stable.
app-emulation/open-vmdk 1.0 is not needed by arm64.
app-eselect/eselect-rust is already stable.
dev-lang/perl 5.34.0-r2 is already stable.
dev-libs/ding-libs 0.4.0 is not needed by arm64.
dev-libs/elfutils 0.177 is already stable.
dev-libs/libpcre2 10.34 is already stable.
dev-libs/libpcre 8.44 is already stable.
dev-libs/libintl-perl 1.280.0 is already stable.
dev-util/meson 0.57.2 is already stable.
dev-util/re2c 2.0.3 is already stable.
net-analyzer/tcpdump 4.9.3 is already stable.
net-dns/bind-tools 9.16.6 is already stable.
net-dns/dnsmasq 2.85 is already stable.
net-firewall/ebtables 2.0.11-r3 is already stable.
net-libs/libmicrohttpd: move to base.
net-libs/libnfnetlink 1.0.1 is already stable.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-nds/openldap 2.4.57 is already stable.
sys-apps/checkpolicy is already enabled in base.
sys-fs/btrfs-progs 4.10.2 is not needed by arm64.
sys-libs/binutils-libs 2.36.1-r2 is already stable.
virtual/perl-File-Path 2.130.0 is already stable.
virtual/cdrtools is not needed by arm64.
Add the following ebuilds to arm64 accept_keywords like below:
app-misc/jq 1.6-r3: move from base
cross-aarch64-cros-linux-gnu/gcc 9.3.0-r1: move from base
net-misc/curl 7.79.1: move from base
sec-policy/selinux-base 2.20200818-r2: move from base
sec-policy/selinux-base-policy 2.20200818-r2: move from base
sec-policy/selinux-unconfined 2.20200818-r2: move from base
sec-policy/selinux-virt 2.20200818-r2: move from base
sys-apps/checkpolicy 3.1: move from base
sys-apps/kexec-tools 2.0.17-r1 is needed by arm64
sys-firmware/edk2-ovmf 201905: move from base
sys-process/tini 0.18.0: move from base
Clean up unnecessary ebuilds from base accept_keywords like below.
Sort alphabetically.
app-crypt/efitools: move to sdk
app-misc/jq: move to arm64
cross-aarch64-cros-linux-gnu/gcc: move 9.3.0-r1 to arm64
dev-lang/spidermonkey is not needed any more.
dev-libs/protobuf 3.5.2 is already stable.
dev-libs/elfutils: specify explicit version 0.178
dev-python/boto: specify explicit keywords ~amd64, ~arm64.
dev-util/dwarves: specify explicit version 1.19
dev-util/perf 5.8 is already stable.
net-misc/curl: move 7.79.1 to arm64
net-nds/rpcbind: specify explicit keywords ~amd64, ~arm64.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-libs/libmicrohttpd: move from arm64, specify explicit keywords.
sec-policy/selinux-base: move to arm64.
sec-policy/selinux-base-policy: move to arm64.
sec-policy/selinux-unconfined: move to arm64.
sec-policy/selinux-virt: move to arm64.
sys-apps/checkpolicy: move to arm64.
sys-apps/gptfdisk 1.0.7 is already stable.
sys-apps/iproute2 5.8.0 is already stable.
sys-apps/kexec-tools 2.0.17-r1 is already stable.
sys-auth/google-oslogin 20200910.00 is already stable.
sys-kernel/dracut 053-r1 is already stable.
sys-boot/gnu-efi 3.0.3 is already stable.
sys-firmware/edk2-ovmf: move to arm64
sys-fs/dosfstools: specify explicit keywords ~amd64, ~arm64.
sys-process/tini: move to arm64
sys-libs/libselinux: already configured in arm64
sys-libs/libsepol: already configured in arm64
Now that Github rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
enabling `fips` support will compile `fips.so` provider for user who
wants to use `fips` as OpenSSL provider.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Based on 9a6728f5f5d63626e4a806664c0c031e913fd758 and
380aa9c60af1e68911a479747d12b5fddaf2b1a2 .
selinux-base requires python to generate xml files, but the dependency
is implicit (through policycoreutils). Flatcar made that dependency
conditional on USE=python in policycoreutils so that we don't include
python in our images, but this causes selinux-base to fail depending on
ordering in the bootstrap process.
Fix that failure by addin an explicit dependency.
