Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This PR includes the necessary changes to upgrade the SDK compiler to gcc-9.3.0.
It also changes the gdb-9.2 recipe to work with the Flatcar SDK.
The changes include:
- sys-devel/gdb/gdb-9.2.ebuild: use EAPI6 to work around BDEPEND emerge bug
- update sys-libs/nss-usrfiles to nss-usrfiles-2.30.ebuild to support glibc > 2.29
- update sys-kernel/README.md to call out need for updating kernel-headers, perf
- add sys-libs/glibc/README.md outlining our changes to the glibc recipe
- update profiles/coreos/base/package.accept_keywords to include new toolchain
The change also adds a README to
sys-libs/glibc/README.md
and it improves on a README in
sys-kernel/README -> sys-kernel/README.md
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Enable CONFIG_OVERLAY_FS_METACOPY, metadata only copy up feature
in overlayfs. When turned on, overlayfs will only copy up metadata
when a metadata specific operation like chown/chmod is performed.
Full file will be copied up later when file is opened for WRITE
operation. More or less like delayed data copy up operation.
Enable CONFIG_OVERLAY_FS_REDIRECT_DIR, which is equivalent to
"redirect_dir=on" in the kernel command-line. When turned on, overlayfs
will copy up directory first, before the actual contents.
See also https://github.com/kinvolk/Flatcar/issues/170
To build Kernel with `CONFIG_DEBUG_INFO_BTF`, we need to make `pahole`
in dwarves included in the Flatcar SDK.
To do that, we need to make it accept `~amd64` keywords for dwarves
and binutils.
Also enable USE flag `python_single_target_python3_6` for dwarves.
CONFIG_POWER_SUPPLY enables power supply class used to represent
battery, UPS, AC or DC power supply properties to user-space.
It defines core set of attributes, which should be applicable to
most power supplies out there.
See also https://github.com/kinvolk/Flatcar/issues/215.
CONFIG_BPF_JIT_ALWAYS_ON enables BPF JIT and removes BPF interpreter
to avoid speculative execution of BPF instructions by the interpreter.
See also https://github.com/kinvolk/Flatcar/issues/185.
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We need to filter not only `-Wl,-O1`, but also other flags like
`-Wl,-O2`, `-Wl,-Og`, `-Wl,-Os`, etc. Otherwise, SDK build would fail,
for example, as its default `$LDFLAGS` includes `-Wl,-O2`.
We need to manually strip only the optimization element of
comma-separated flags, e.g. from `-Wl,-O1,-s` to `-Wl,-s`.
To support multiple characters that can follow `-O`, e.g. `-Ofast`,
we should use regexp like `[[:alnum:]]*`.
The repo `github.com/flatcar-linux/mantle` has been moved to
`github.com/kinvolk/mantle`. However, GitHub Actions still fetch cork
binaries from the original URL, by running `curl` without `-L`. So the
request does not get redirected to the new URL. As a result,
`CORK_VERSION` becomes null.
Fix it by replacing `flatcar-linux` with `kinvolk`, as well as adding
`-L` to the curl command, just in case.
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See https://github.com/golang/go/issues/42559.
However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:
```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```
We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
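The flag filtering described in the two commit messages above (removing `-Wl,-O1` so that Go with the CVE-2020-28366 fix accepts `$LDFLAGS`, then extending the filter to every `-Wl,-O*` element), as an added example that is not the Flatcar build code. The function name `filter_wl_opt` and the sample flag strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the Flatcar eclass code.
# Drops linker optimisation elements (-O1, -O2, -Og, -Os, -Ofast, ...) from
# every -Wl, flag in a flag string and leaves all other flags untouched.
filter_wl_opt() {
    result=""
    for flag in $1; do                      # split the flag string on whitespace
        case "$flag" in
        -Wl,*)
            kept=""
            saved_ifs=$IFS
            IFS=,
            for elem in ${flag#-Wl,}; do    # walk the comma-separated elements
                # An optimisation element is exactly -O plus alphanumerics.
                if printf '%s\n' "$elem" | grep -Eq '^-O[[:alnum:]]*$'; then
                    continue
                fi
                kept="${kept:+$kept,}$elem"
            done
            IFS=$saved_ifs
            # A flag that held only -O elements disappears entirely.
            if [ -n "$kept" ]; then
                result="${result:+$result }-Wl,$kept"
            fi
            ;;
        *)
            result="${result:+$result }$flag"
            ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample input covering the cases named in the commit messages.
filter_wl_opt "-Wl,-O1,-s -Wl,-O2 -Wl,--as-needed"
```

Filtering per comma-separated element keeps the remaining linker options intact, so the cgo flag check sees only flags it accepts while options such as `--as-needed` survive.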
Although `dev-libs/cyrus-sasl` pulls in `net-mail/mailbase`, the
mailbase package is not needed at all.
Simply mark it as provided, to make it build without mailbase.
Also enable python_single_target_python3_6 for tdb, talloc, tevent.
Remove unnecessary arm64 keywords.
Clean up unnecessary USE flags.
At the moment bind-tools does not enable `gssapi`, so its `nsupdate`
tool is also not able to run `realm` command. As a result, configure
script of `sssd` fails when running `echo realm | nsupdate`, like
`syntax error`.
To avoid such issues, we need to disable the nsupdate check for now.
After we could enable `gssapi` for the SDK correctly, we can bring back
the nsupdate check in the future.
Now that the upstream sssd 2.3.1 does not support `--runstatedir` option
from its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`.
Instead we need to pass `runstatedir=` to emake commands.
In the past we
[enabled](https://github.com/flatcar-linux/coreos-overlay/commit/172d9311bacd)
the USE flag `gssapi` only for amd64, not for arm64. We did so to
avoid build issues that only happened for arm64.
However, that change caused interesting side effects in the SDK, where
bind-tools ended up being compiled without `gssapi`. It means, tools
like `nsupdate` in the SDK are not able to deal with certain commands
like `realm`. As a result, configure scripts in packages like
`sys-auth/sssd` fail, because they cannot run commands like
"echo realm | nsupdate".
We should bring the `gssapi` USE flag back to the SDK, to avoid such
issues in the future.
The `BDEPEND` is a build-time requirement, so it should not be included
in the whole `DEPEND` list. If it does, an installation of
`sys-auth/sssd` causes other dependencies to be installed not only in
the `/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.
Update sys-auth/sssd, by syncing with upstream Gentoo.
Mainly needed by net-fs/samba 4.11.
Also resolves CVE-2018-16883, CVE-2019-3811, CVE-2018-16838.