app-editors/nano with `USE=unicode` results in build failures in SDK
stage1, because ncurses >= 6.2_p20210619 which does not have the USE
flag at all.
To fix that, exclude the unicode USE flag from packages.use.force list,
which is defined in portage-stable. We can do that by setting the flag
in package.use.mask.
Systemd during the initrd stage was complaining about the missing
group, which resulted in ignoring some of the udev rules. Let's
placate it by adding sgx to baselayout, so the group is available
during the initrd stage too.
Pulls in https://github.com/flatcar-linux/baselayout/pull/20.
The "create" action became "open", and "remove" became "close". Also
reorder the parameters accordingly (it's a bit different for "open" vs
"create"). Also put the options before specifying the action.
Pulls in https://github.com/flatcar-linux/bootengine/pull/31.
Clean up unnecessary ebuilds from arm64 accept_keywords like below:
app-arch/bzip2 1.0.6-r12 is already stable.
app-crypt/mit-krb5 1.19.2 is already stable.
app-emulation/open-vmdk 1.0 is not needed by arm64.
app-eselect/eselect-rust is already stable.
dev-lang/perl 5.34.0-r2 is already stable.
dev-libs/ding-libs 0.4.0 is not needed by arm64.
dev-libs/elfutils 0.177 is already stable.
dev-libs/libpcre2 10.34 is already stable.
dev-libs/libpcre 8.44 is already stable.
dev-libs/libintl-perl 1.280.0 is already stable.
dev-util/meson 0.57.2 is already stable.
dev-util/re2c 2.0.3 is already stable.
net-analyzer/tcpdump 4.9.3 is already stable.
net-dns/bind-tools 9.16.6 is already stable.
net-dns/dnsmasq 2.85 is already stable.
net-firewall/ebtables 2.0.11-r3 is already stable.
net-libs/libmicrohttpd: move to base.
net-libs/libnfnetlink 1.0.1 is already stable.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-nds/openldap 2.4.57 is already stable.
sys-apps/checkpolicy is already enabled in base.
sys-fs/btrfs-progs 4.10.2 is not needed by arm64.
sys-libs/binutils-libs 2.36.1-r2 is already stable.
virtual/perl-File-Path 2.130.0 is already stable.
virtual/cdrtools is not needed by arm64.
Add the following ebuilds to arm64 accept_keywords like below:
app-misc/jq 1.6-r3: move from base
cross-aarch64-cros-linux-gnu/gcc 9.3.0-r1: move from base
net-misc/curl 7.79.1: move from base
sec-policy/selinux-base 2.20200818-r2: move from base
sec-policy/selinux-base-policy 2.20200818-r2: move from base
sec-policy/selinux-unconfined 2.20200818-r2: move from base
sec-policy/selinux-virt 2.20200818-r2: move from base
sys-apps/checkpolicy 3.1: move from base
sys-apps/kexec-tools 2.0.17-r1 is needed by arm64
sys-firmware/edk2-ovmf 201905: move from base
sys-process/tini 0.18.0: move from base
Clean up unnecessary ebuilds from base accept_keywords like below.
Sort alphabetically.
app-crypt/efitools: move to sdk
app-misc/jq: move to arm64
cross-aarch64-cros-linux-gnu/gcc: move 9.3.0-r1 to arm64
dev-lang/spidermonkey is not needed any more.
dev-libs/protobuf 3.5.2 is already stable.
dev-libs/elfutils: specify explicit version 0.178
dev-python/boto: specify explicit keywords ~amd64, ~arm64.
dev-util/dwarves: specify explicit version 1.19
dev-util/perf 5.8 is already stable.
net-misc/curl: move 7.79.1 to arm64
net-nds/rpcbind: specify explicit keywords ~amd64, ~arm64.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-libs/libmicrohttpd: move from arm64, specify explicit keywords.
sec-policy/selinux-base: move to arm64.
sec-policy/selinux-base-policy: move to arm64.
sec-policy/selinux-unconfined: move to arm64.
sec-policy/selinux-virt: move to arm64.
sys-apps/checkpolicy: move to arm64.
sys-apps/gptfdisk 1.0.7 is already stable.
sys-apps/iproute2 5.8.0 is already stable.
sys-apps/kexec-tools 2.0.17-r1 is already stable.
sys-auth/google-oslogin 20200910.00 is already stable.
sys-kernel/dracut 053-r1 is already stable.
sys-boot/gnu-efi 3.0.3 is already stable.
sys-firmware/edk2-ovmf: move to arm64
sys-fs/dosfstools: specify explicit keywords ~amd64, ~arm64.
sys-process/tini: move to arm64
sys-libs/libselinux: already configured in arm64
sys-libs/libsepol: already configured in arm64
Now that Github rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
enabling `fips` support will compile `fips.so` provider for user who
wants to use `fips` as OpenSSL provider.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Based on 9a6728f5f5d63626e4a806664c0c031e913fd758 and
380aa9c60af1e68911a479747d12b5fddaf2b1a2 .
selinux-base requires python to generate xml files, but the dependency
is implicit (through policycoreutils). Flatcar made that dependency
conditional on USE=python in policycoreutils so that we don't include
python in our images, but this causes selinux-base to fail depending on
ordering in the bootstrap process.
Fix that failure by addin an explicit dependency.
The build has been failing occasionally, due to some kind of race condition.
The last lines of log output look like this:
Updating policy/booleans.conf and policy/modules.conf
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
support/sedoctool.py exiting for: Error while parsing xml
make: *** [Makefile:415: conf.intermediate] Error 1
* ERROR: sec-policy/selinux-base-2.20200818-r2::coreos failed (configure phase):
* emake failed
Try to fix this by forcing a sequential build.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
PR https://github.com/flatcar-linux/coreos-overlay/pull/432 started
to replace `dev-lang/rust` in accept_keywords with its new version.
However, its corresponding `virtual/rust` has never been updated.
That issue had been hidden until
4463efcfd4
started adding `virtual/rust` to accept_keywords.
Unlike `dev-lang/rust`, keywords for `virtual/rust` stayed with old
versions. As a result, subsequent Github Actions PRs for rust become
all invalid, so build failures.
Fix the issue by replacing versions of `virtual/rust` with new versions.
Also try to match with version specifiers, not only `=` but also `>=`,
'<=', '~'.
trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
with the OpenSSLv3 upgrade, `update_engine` is not fully compatible yet.
See the associated issue for more details.
Let's keep the deprecated SHA functions in the meantime to run the
build.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248
Fixesflatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.70.ebuild manifest" run.
Signed-off-by: Guillaume Perrin <guillaume28.perrin@gmail.com>
commit 5c4d184e22fd93ab926878a131150047b54d0b6c
Author: Michael Marineau <michael.marineau@coreos.com>
Date: Fri Aug 1 14:48:59 2014 -0700
polkit: fix config install paths, use systemd-tmpfiles
All configs should be installed to /usr and tmpfiles should be used to
create and fix directory permissions instead of the ebuild's postinst.
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.69.1.ebuild manifest" run.
Hgfs-mounter has been dropped from the repository and it let's make the
patch name independent of the package version so that the patch doesn't
have to be touched on every upgrade.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
systemd v249 changes the usual failed units "●" to show "×".
This commit adapts accordingly to display the correct failed units
For compatibility with the longer-cadence channels, we continue to
support "●"
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Automatically update coreos/open-vm-tools as well as
coreos-base/oem-vmware.
Get the latest open-vm-tools release number, and get its build number
from the Github repo, and replace the old build number with the new one.
Also sync coreos-base/oem-vmware in line with open-vm-tools.
We need to split the beginning of setting up the top-level git repo into
a new function prepare_git_repo, and call it in the beginning of each
script. That is to prevent some corner cases, where applying multiple
patches does not work because the latter overwrites the former patch.
So we should not set up the git repo again in each apply_patch, but only
in the beggining, prepare_git_repo.
`ebuild audit-2.8.5-r1.ebuild manifest` fails like that:
```
>>> Downloading
'017e6c6ab9.patch'
--2021-09-29 04:05:09--
017e6c6ab9.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854 [text/plain]
Saving to: /mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__
2021-09-29 04:05:09 (57.3 MB/s) -
/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__ saved [854/854]
!!! Fetched file:
audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 854
!!! Expected: 852
Refetching... File renamed to
'/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch._checksum_failure_.o2889wwd'
!!! Couldn't download 'audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch'. Aborting.
```
That happens because the upstream audit patch
017e6c6ab9.patch
silently changed, so it could have a git commit of 8-bytes instead 7.
Fix the hash in Manifest for now, until we could update
sys-process/audit to 3.0. Upstream Gentoo already has 3.0, dropped 2.8.
However, updating to 3.0 might not so trivial due to Flatcar changes in
audit.
The bug fix https://github.com/flatcar-linux/coreos-overlay/pull/1129
caused a regression that Github Actions cannot determine a correct
$VERSION_OLD if the old ebuild file has a suffix like `-r1`.
We need to create a function to get a correct ebuild file name, by
falling back to the most similar name, in case the expected ebuild
file does not exist.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 .
Update app-crypt/gnupg to 2.2.29.
One of the key purposes for the update is to be able to use the new
default keyserver `keyserver.ubuntu.com`, which is provided by default
since 2.2.29. It is due to the shutdown of the SKS keyserver pools.
See also https://bugs.gentoo.org/811828 .
I think we still prefer to keep packages in portage-stable and
sometimes add an entry to the accept_keywords file instead of moving
the package to overlay just to edit a keyword. Or a PYTHON_COMPAT
field.
This changes comes together with the change made in portage-stable to
one of the python eclasses where we add support for python3 version
from 3.8 to 3.10. To make this change complete, we need to mask those
new versions, so building packages will not try to depend on python
version we haven't yet packaged.
