We are going to update it to a newer version, which fixes the build
system issue that was a reason for putting the package in overlay.
This is to get rid of EAPI 5 in the package.
Incase the ebtables tables are not set, the ebuilds links the
ebtables binaries to the legacy version instead of the nft version
Moving to coreos-overlay to link it to xtables-nft-multi.
The next step could be upstream the patches, incase of the usage of
nftables USE flag.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
We had an accept_keywords for versioned rust in base profile already,
but it was outdated due to a bug in github action. So update it and
move the lines from sdk target to base profile. The accept_keywords
for virtual/cargo package are dropped, because there is no such
package.
Replace any dev-lang/rust version with the current one, and make sure
that the modified files in the profiles directory is actually included
in the patch.
This is a backport of https://github.com/SSSD/sssd/pull/5748 adapted to 2.3.1.
A change was necessary: src/tools/sssctl/sssctl_logs.c wasn't passing
'--no-create' to truncate in 2.3.1 yet.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 20d298fb282ec9d5a060f12aef64c47aede0904d .
Update net-misc/openssh to 8.7_p1-r1, mainly to address CVE-2020-15778.
Goal of the package update is to add the support of a new option `-s`
of scp, i.e. "sftp mode of scp". Openssh 8.7 started to support the
flag, but it is disabled by default. So at the moment users need to
explicitly run `scp -s` to test the feature.
Gentoo ref: 11d6f23704e7ab84191e28e034816bfdb151d406
Now that we started encoding strings to unicode by default,
we should also take care of corner cases, where LC_CYPTE is set to a
different value from the systemd default value in `/etc/locale.gen`.
For example, under a build environment with `LC_CTYPE=C`, when the UTF-8
file name is `AC_Ra�z_Certic�mara_S.A..pem`,
build fails like that.
```
Traceback (most recent call last):
File "/var/tmp/portage/app-misc/ca-certificates-3.27.1-r2/files/certdata2pem.py",
line 127, in <module>
f = open(fname, 'w')
UnicodeEncodeError: 'ascii' codec can't encode character '\xed' in position 5: ordinal not in range(128)
* ERROR: app-misc/ca-certificates-3.27.1-r2::coreos failed (compile phase):
```
To fix that, encode filename with system encoding when opening the file.
This package contained no Flatcar modifications, so in theory it could
be moved to portage-stable. But we also will want to update it to some
recent version that does not depend on python2. But the recent
versions in gentoo use python3.{7,9}, so we will need to change it for
now, since we still use python3.6.
WALinuxAgent falls back to using the `distro` module to figure out the
distribution details in case the `get_linux_distribution` function
from the builtin `platform` module is not able to do it. With the
update of python-oem to python3, the distribution detection broke,
because we stopped carrying a patch that implemented fetching the
distribution information from `/etc/os-release`. It does not make
sense to backport that patch though, because
`platform.get_linux_distribution` is deprecated and removed in python
3.7 or 3.8. So when we update python3 to the newer version, we would
need to add the `distro` module anyway.
Maybe we can drop `distro-oem` module in future, when python-oem will
use version 3.10 and WALinuxAgent starts using the newly added
functionality in 3.10 to figure out the distribution information.
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit f7a8cd5f1fcc.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that sys-apps/policycoreutils is pulled in explicitly for both
architectures, we should be able to pull in its dependencies, e.g.
sys-apps/semodule-utils, sys-libs/libselinux, sys-libs/libsemanage,
sys-libs/libsepol. In case of arm64, however, all the ebuilds have
only `~arm64`. So we need to enable the keywords for the ebuilds.
Without the changes, build fails like:
```
!!! All ebuilds that could satisfy
">=sys-libs/libselinux-3.1:=[python?,python_targets_python3_6(-)?,-python_single_target_python3_6(-)]"
for /build/arm64-usr/ have been masked.
!!! One of the following masked packages is required to complete your
request:
- sys-libs/libselinux-9999::coreos (masked by: missing keyword)
- sys-libs/libselinux-3.2::coreos (masked by: ~arm64 keyword)
- sys-libs/libselinux-3.1-r1::coreos (masked by: ~arm64 keyword)
```
Now that Kernel config `CONFIG_ICE` is enabled, its corresponding
firmware file needs to be also in place. However, upstream
linux-firmware tarball does not contain a correct symlink to
`intel/ice/ddp/ice-1.3.26.0.pkg`, but `modinfo ice.ko` shows it
requires `ice.pkg`. So we need to create the symlink to avoid failures
at the firmware scanning stage like below:
```
Missing firmware: intel/ice/ddp/ice.pkg (ice.ko.xz)
```
The image contents are defined by the list in this package and the
dependencies pulled in. Once we would lose some dependency due to
a package change, that would also meant that this dependency's
binaries are not available to the user anymore. To prevent user
binaries from being lost we have to explicitly list them in this
package.
Add the packages that have binaries relevant to the user and are
currently installed (seen in flatcar_production_image_packages.txt
and checked manually). Also add sys-apps/acl which got lost when
removing rkt.
This pulls in
https://github.com/kinvolk/init/pull/47
to randomize OEM filesystem UUID if mounting fails, and to avoid trying
to install the QEMU qcow2 images.
Current cross builds of perl segfault on simple operations such as `perl -V`.
This appears to be due to the cross-build not getting `-fwrapv -fno-strict-aliasing`
passed from the configure script. While we try to get this fixed upstream, we
can monkeypatch our old version of perl to fix this.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
This change results in building the pam_tty_audit additionally, nothing else.
Related to https://github.com/kinvolk/Flatcar/issues/485.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
It produces files with the same contents as the python2 version of the
script, but the filename handling is a bit different wrt. filenames
with weird, non-unicode characters. But overall, it does not affect
anything.
This change adds the "slirp" use flag to qemu (SDK only), enabling
qemu's user networking. This fixes a bug where qemu is unable to start
the Flatcar qemu image:
$ ./flatcar_production_qemu.sh
qemu-system-x86_64: Parameter 'type' expects a netdev backend type
The issue has been discussed on the qemu mailing list:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg786275.html
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
It contained some chromium version of flatcar scripts, from which we
were using the common.sh script in the cros-workon script (from the
now-removed coreos-base/cros-devutils package). It's not used any more
- we updated flatcar scripts to call into its internal copy of
cros-workon.
The package contained scripts that are not used in our workflow, are
unmaintained by us for a number of years now and it presents an
obstacle in porting the packages to python3.
Our scripts are using cert-to-efi-sig-list and flash-var from
efitools, and sbsign from sbsigntools. Currently the cros-devutils
package is pulling in the efitools package, which in turn pull in the
sbsigntools package.
We plan to drop the cros-devutils package, so better be explicit about
the dependencies.
We dropped the installation of the gmerge script a while ago, because
it was not used anywhere and that made one script less to port to
python3 at the time of updating portage to a recent version. Now we
only install the emerge-gitclone script, so rename the package to
reflect this fact.
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
These are no longer used by anything in the tree, after removing old versions
of docker-runc/docker-proxy/containerd.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Upstream builds with go1.16. Additionally fixup the VERSION variable specify the
current Flatcar Docker version 20.10.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Upstream builds go through github.com/docker/docker repo and that builds
with go1.16 with module support disabled.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
I'm not sure if we ever built it - it's not a dependency of anything
at all. Also one of its dependencies, dev-python/pyxenstore, was
dropped in 2014, so the package is broken for about seven years
now. Looks like that the rackspace oem package is rather pulling
nova-agent through the coreos-base/nova-agent-container package.
The containerd config works in mysterious ways - sometimes it acts hierarchical
with respect to the section headers, other times not. In this case, setting
runc.options resets all the fields of the runc section, including
'runtime_type'. Having an unset runtime_type causes containerd to fail to spawn
containers (but the daemon itself starts succesfully) returning the error:
kubelet[13148]: E0823 11:57:17.030551 13148 remote_runtime.go:116] "RunPodSandbox from runtime service failed" err="rpc error: code = InvalidArgument desc = failed to create containerd container: create container failed validation: container.Runtime.Name must be set: invalid argument"
Explicitly set the runtime_type in all containerd configs, and bump the config
version to 2.
Reported as https://github.com/kinvolk/Flatcar/issues/484
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that we have dev-util/pkgconfig 0.29.2, there is no need to
keep third-party patch for avoiding cross-build issues in
dev-util/strace. Let's simply drop the patch, and move strace to
portage-stable.
Apparently the `coreos-devel/sdk-extras` was originally meant to work
as a meta package to pull in all the optional packages in the SDK at once.
It has been unmaintained since 2~3 years, so an attempt of `emerge
coreos-devel/sdk-extras` will give you a huge list of conflicts to
resolve. It is difficult to resurrect sdk-extras at the moment.
Delete `coreos-devel/sdk-extras` completely. Doing that, we can delete
more than 20 other packages from the source tree.
Now that coreos-devel/sdk-extras are gone, delete unnecessary configs
in profiles, for app-portage/repoman, dev-go/glide, dev-go/godep,
dev-python/awscli, dev-python/botocore, dev-python/s3transfer.
This version has an officially documented support for python3, so it
plays along our plans of removing python2 in favor of python3. When
the switch actually happens, we will need to update the ebuild to
mention the correct path to python modules. The path contains python
version, which is a hindrance. Would be nice to have it hidden behind
some variable.
There is also a version 2.4.0.2, but it's marked as a prerelease on
github, so decided to package 2.3.1.1 instead.
Upstream has switched to go 1.16, but still doesn't use go modules. The ebuilds
needed fixing up after the automated PR was created.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Set PYTHON_COMPAT to python 3.6 and 3.7 to be suitable for the current
code base.
Add a custom patch to replace error with warning when running autoconf
for cross builds, because libkrb5 is not able to detect
cross-compilation.
Based on 64e33c9f826d8fd951fd58ba1ed70debaf65be8d .
The SystemdCgroup=true setting is incompatible with kubelet
cgroupDriver: cgroupfs. So to prevent kube clusters from failing, we
will be freezing a nodes config.toml during an update. For that purpose,
we install a second configuration file that can then be selected using a
systemd drop-in unit.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that Docker has been updated to 20.10, we can use cgroupv2 so have
systemd mount the unified cgroup hierarchy by default. Other ways of
achieving the same would have been to pass 'systemd.unified_cgroup_hierarchy=1'
on the kernel cmdline, but this way the change propagates nicely to all
OEM consumers.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
The upstream docker repository location has changed to docker/docker.
Additionally, the cli component has been split out which which requires
fetching two hashes and updating two ebuilds. We also took the chance to
align the ebuild with gentoo's, which means there are is no more live ebuild
and no symlink.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
We are switching flatcar to cgroupv2 which is support by docker 20.10 and
kubernetes 1.19. This requires setting the systemd cgroup driver in the kubelet
config.
Due to the unified cgroup hierarchy, kubernetes <1.19 will not work so
remove all older versions.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Compared to previous torcx images the docker-cli package is a separate
package, following upstream Docker repo layout changes.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The patches do the following:
* install flatcar specific wrappers and systemd config
* force some USE flags to default on
* allow injecting CFLAGS/LDFLAGS so that torcx can work
* force building with go1.13 (like upstream does) - this won't be
necessary next time because docker master already uses go1.16
This is the version needed by docker 20.10.7. ROADMAP.md doesn't exist so it
has been removed from src_install.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
This is the version used by docker-19.03. We will be updating the live
ebuild to build docker 20.10 dependencies.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
We use coreos-go* eclass so that we can override several environment
variables and build with the same go version as docker upstream. These
changes are modeled after what was previously done in app-emulation/docker,
the cli ebuild has only been split out since v20.10.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Docker upstream split the cli component into a separate repo, so there is
a separate ebuild that builds the docker utility. This is a prerequisite
of the update of docker to 20.10.
This is an import from portage commit 69d01a4273a556b1205a7a575cb3811ab7e2443d.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
We use a custom build system to remove the cmake dependency and hardcode
relevant configuration.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that runc version follows simple semver semantics, we do not have to
care about number of patches up to an rc version. Remove the obsolete
comments.
flannel will write into /run/flannel/... so we need to provide
correct labelling for dir created by docker daemon
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
flannel uses an init container to pull CNI from container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`.
Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created - which avoid to
run `restorecon` on `/etc/cni`.
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
The patches applies does not make sense to be removed, hence it would
be better to move `expat` back to portage-stable
Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit 8d040f93c289.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that the OEM partition is a btrfs partition with compression, we have
enough space to install ssm agent.
This reverts commit b6abb59c544be13e923a3e7240b5c9395c281fca.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The ebuild was missing a call to go_export() which exports GOARCH, and so was
always built for host architecture. While COREOS_GO_VERSION was specified as
go1.12, src_compile() has to use '${EGO}' to make use of it, so we were
building with go1.16 (latest). Upstream builds with 1.12 for this version, so
we will do the same.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Sysroot-wrappers contains binaries installed to /usr/lib64/sysroot-wrappers,
but the profile referenced them through the 'lib -> lib64' symlink. Stop
relying on that symlink, which is not present in arm64 profiles, and is
not part of 17.1 amd64 profiles.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
With the switch from rkt to systemd-nspawn the ability for the service
to set the routing entries for the TCP load balancer got lost,
resulting in an unreachable LB as reported in
https://github.com/kinvolk/Flatcar/issues/459
The fix also reported there is to retain CAP_NET_ADMIN when starting
the service.
Btrfs filesystems do not support a non-standard 64k page size on arm64
when the filesystem was created by a 4k page size system.
Use the default page size for arm64 to ensure compatibility with
btrfs filesystems created by amd64 systems.
With the default gzip compression the 60 MB limit for the vmlinuz
bundle of kernel+initramfs was reached. The limit comes from the size
of the /boot partition which is 128 MB large and the kernel needs to
fit twice, in addition to GRUB.
Use zstd for the initramfs as it provides a similar speed but better
compression. For the kernel we can't switch yet to zstd for arm64
but for amd64 it works.
Due to unnecessary wildcard listings, ebuild files including all rc or
beta are being listed. Since `VERSION_OLD` is already generated as a
unique version, we do not need to list multiple files to filter by
running `head -n1` etc. We just need to use only the specific ebuild.
Simply list only the unique ebuild file.
Before passing runc versions to `sed '/-/!{s/$/_/}'`, we need to replace
`_` with `-`, because runc tarball files already have names like
`1.0.0_rc2`. Without the fix, version sort would `1.0.0` come before
`1.0.0_rc2`, which is not expected in the later steps.
This does not work because the host and cross rust targets share the
same name. This needs to be reworked to (potentially) enable x86 cross
targets for aarch64 targets.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
glib-utils are used during the build so they need to be part of host
dependencies for update_engine. This only really pops up during a repeat
bootstrap, when update_engine is being built from source but glib has
been installed from a binary. BDEPEND would be the correct variable but
that requires EAPI=7, so additionally added it to DEPEND for now.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
kola-data and google-cloud-sdk install pre-built amd64 binaries, so
there's no point installing them right now. Both could be made to work
at a later time. iucode and syslinux and are x86 specific and won't
build. selinux related packages *currently* don't work/build on arm64
but could be made to work.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Where the packages are part of coreos-overlay, I keyworded the ebuilds
directly to the same level of stability as amd64. Other packages have
been keyworded through the profile, as close to the amd64 level as I
could manage.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and
exec from init to unconfined
- add AVC patch for local login and journald
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Update-bootengine chroots into the sysroot and runs dracut from there.
Dracut 053 has revised TMPDIR handling and the portage TMPDIR prefixed
with ROOT leaks into the chroot. This causes dracut to abort during
setup with the error message "invalid tmpdir".
Override TMPDIR before running update-bootengine to allow dracut to
function.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Flatcar uses custom networking scripts in initramfs, so the dracut iscsi
module needs to be patched to account for that.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Add Flatcar specific patch to enable the iscsi module
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Update commit to 6a4ff4ca879082c07353dd379439c437cbe27e18, to sync with
the current main branch.
Pulls in https://github.com/kinvolk/updateservicectl/pull/6 .
Also update Go import paths to `github.com/kinvolk/updateservicectl`.
Also set `COREOS_GO_GO111MODULE=on` because updateservicectl now relies
on Go module.
Set PYTHON_COMPAT to python 3.6 and 3.7 to be suitable for the current
code base.
Add a custom patch to replace error with warning when running autoconf
for cross builds, because libkrb5 is not able to detect
cross-compilation.
See also https://github.com/kinvolk/Flatcar/issues/369 .
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We experience an issue with glibc-2.33 which causes all binaries in the
OS image to end up not stripped, which would increase the size of the OS
image threefold.
The change masks glibc-2.33 for all architectures, so the build will
default on glibc-2.32 until we have fixed the issue.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Sync with Gentoo to update intel-microcode to 20210608,
mainly to address CVE-2020-24489, CVE-2020-24511, CVE-2020-24513.
Gentoo ref: 66c8a60ea74e8ed2391c9fdff749c65eb0f398ff
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Now that lz4 was updated to 1.9.3-r1, systemd has to depend on
lz4 >= 1.9.3-r1, so that its dependency graph during the SDK stage3
could be generated correctly.
Without that change, the preclean of SDK stage3 could fail because of
an inverted dependency order between systemd and lz4, like following:
```
emerge --depclean --with-bdeps=y
...
* Dependencies could not be completely resolved due to
* the following required packages not being installed:
*
* >=app-arch/lz4-0_p131:0/r131=[abi_x86_64(-)] pulled in by:
* sys-apps/systemd-247.6
```
Stage3 first runs `emerge --quiet --usepkg --buildpkg
--binpkg-respect-use=y --newuse -e --update --deep --with-bdeps=y @system`,
which works well.
After that, only the stage3 (no other stages) runs preclean, which in fact
runs `emerge --depclean --with-bdeps=y` to clean up unnecessary ebuilds.
That's where it fails.
That happens because systemd still depends on lz4 0_p131. As a result, the
main installation step of stage3 seems to first install systemd 247, and
after that it updates lz4 to 1.9.3-r1. Then systemd thinks it still depends
on 0_p131. When doing it the other way around, the dependency graph is
correctly generated, first lz4 1.9.3-r1, then systemd 247.
We disable SELinux because Flatcar doesn't properly support it and it
was causing labeling problems when running runc containers with
NoNewPrivileges or seccomp.
These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.
Instead, we'll disable SELinux support in the Docker daemon in the next
commit.
Go import path of torcx has changed from coreos to flatcar-linux,
aef371c76b
So we need to fix the import path also in torcx ebuilds.
Otherwise build will simply fail due to wrong import paths.
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 6c0c1c8806bedcc164e5bd3541ab50b2c21e2498 .
Since containerd 1.5 started to turn on Go module, we need to pass
`-mod=vendor` to the go build command.
Otherwise, go build will fail because it would try to fetch missing
go deps from remote repos. It would not work inside of sandbox.
We cannot set `COREOS_GO_MOD=vendor` because containerd ebuild calls
`emake` instead of `go_build`.
Since coreos-firmware 20210511, `cxgb4/t[4-6]fw*.bin` files have a new
version '1.25.4.0'. We need to update the file name pointed by symlinks.
Otherwise build fails due to broken symlinks.
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/bootengine/pull/24
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/init/pull/40
* Drop the dependency on `sec-policy/selinux-dbus`
* Drop machine-id generation
* Stabilize both keywords `amd64` and `arm64` to build it.
* Do not add a third-party patch for CVE-2019-12749 again, as the fix is
already included in dbus >= 1.10.29.
Loosely based on a409238795c44dabfd16e466c8433a89f5f0844f and
e458211c8418462f4bd4d4536dc96f62380a22cf .
The upstream changed the way the default percentage value, and
make the property partially dynamic.
Upstream ref: https://github.com/systemd/systemd/pull/14007Fixes#382
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tar ball.
To replace rkt with systemd-nspawn, extract the tar ball to an
image and run the daemon as systemd-nspawn container.
Having the hostname units as required by the initrd.target meant that if
the unit failed (for example because the network was or the metadata
service were down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change pulls in the latest bootengine version, that enables ISCSI
support in dracut and avoids tearing down the network when using netroot
See https://github.com/kinvolk/bootengine/pull/22 for more information.
This reverts commit f8dda51d546b466d9faf0c936b2ad5592ab1639e.
Recently we dropped `bindist` from `RESTRICT` in openssl, so it is
now possible to turn on `ssl` for wget again. The issue of openssl being
blocked by `masked by: bindist in RESTRICT` etc. has now disappeared.
Fixes https://github.com/kinvolk/Flatcar/issues/149
For some reason, the old version of boost-build 1.67 is still here.
As we already have boost-build 1.75 in portage-stable, we should
completely delete boost 1.67.
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
We need to customize dracut. Currently the version in portage-stable is
picked because it's newer than the one in coreos-overlay. This commit
updates coreos-overlay to the same versions available in portage-stable.
This pulls in
https://github.com/kinvolk/baselayout/pull/17
to enable the pam_faillock module as replacement for pam_tally2.
The "faillock" binary can be used to see the login attempts and
account lock status which before was available with the pam_tally
command. While the tally defaults did not temporarily lock the
account on wrong password login attempts, this is done by default
with faillock. However, the default behavior was relaxed to allow
more wrong attempts and have a shorter lock time span.
As rkt is deprecated we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
Since rkt is deprecated we need to run the etcd container with Docker
or Podman. The etcd-wrapper script is based on rkt arguments and can't
be used in a compatible way but we cannot remove it since ct explicitly
uses it in the ExecStart directive when writing out a drop-in file once
etcd settings are given in a Container Linux Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect.
This commit adds some comments to help other folks to
easily recognize Flatcar-specific code.
Check issue #364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
Cherry-picked from kinvolk/coreos-overlay@d0426cf.
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This commit synchronises ncurses with gentoo/gentoo@69bf5af thus
it updates the package from 6.1-r2 to 6.2-r1.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This pulls in
https://github.com/kinvolk/init/pull/38
to set predictable network interface names as alternative interface
names for virtio devices, and also add a special hardcoded ens4v1
name for GCE because the special udev rule to rename the device
stopped working after the systemd 247 update.
While the execution of the unit may succeed by finding the executables
by searching the current PATH, calling `systemd-analyze verify` on the
units fails because this requires an absolute path.
When listing kernel modules to decide which firmware should be shipped
together with the image, we need to now list both compressed and
uncompressed module.
Fixes: kinvolk/Flatcar#359
In https://github.com/kinvolk/coreos-overlay/pull/875 the repository
was switched to a fork from the archived upstream repository. However,
the ebuild was still using a reference to an old squashed Flatcar build
bot commit from the git-sync times that was only present in our old
repository.
Switch to a reference to the latest commit on the new repository which
in fact does not introduce any changes.
Since rkt will be deprecated soon, we should make toolbox run docker
instead of rkt.
Also delete dependency on `app-emulation/rkt`, and update hyperlinks.
It pulls in https://github.com/kinvolk/toolbox/pull/1 .
This change adds the USE flag cros_host to the
SDK's make.default, as part of a larger fix for the SDK bootstrap build.
The SDK bootstrap build was broken in stage 1 since package upgrades
were allowed to leak into that phase.
We now limit stage 1 to only "known good" package ebuilds, which caused
downstream breakage from missing flags in the stage 2 SDK bootstrapping.
This change fixes that breakage.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".
So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92,
which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.
Until we could figure out its real reason, let's temporarily disable
NoNewPrivilges to make the CI pass.
Introduce a USE flag spotlight, to be able to disable the spotlight
backend by default, as it is not needed by Linux.
Introduce a USE flag rededit, to be able to disable the rededit
tool if needed.
Introduce a USE flag glusterfs, to be able to disable the glusterfs
by default.
Introduce a USE flag ntvfs, to be able to disable the ntvfs-fileserver
by default.
Since the docbook-xsl-stylesheets and libxslt are needed only
at build time, we should move those deps to BDEPEND.
Now that portage was updated to the latest version, we should update
EAPI to 7. It is mainly to allow ebuilds to make BDEPEND contain real
build-time dependencies, not runtime ones.
Each Flatcar production image includes a binary `containerd-stress`,
as a part of torcx tarballs.
However it does not seem to be used anywhere.
It looks like a stress testing tool for containerd, so I don't see a
good reason to keep it.
The binary was there since the beginning, via commit
[fdd926949a10](fdd926949a),
but there is no comment or messages why it was needed.
We can simply remove `containerd-stress`.
generate_patches takes three parameters - a category, a package name
and a description. Invoking the function like `generate_patches
sys-kernel coreos-{sources,modules,kernel} Linux` makes "sys-kernel"
to be a category, "coreos-sources" to be a package name and
"coreos-modules" to become a description, while "coreos-kernel" and
"Linux" are simply ignored.
It has worked so far only because coreos-sources was first in the list
and that's where the actual changes in Manifest file happened. Had the
order of the packages been different, the workflow would be
broken. Since only coreos-sources was modified and all worked fine,
simplify the call to generate-patches.
This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The updated portage-utils bring in two more tools, qmanifest and
qtegrity. They are pulling in some new dependencies. Since we didn't
have those tools before, we can live without them for a little while
longer.
We don't want to have separate /bin, /lib, /usr/bin and /usr/lib
directories. The former two are meant to be symlinks to the latter
two. The `split-usr` USE flag gets enabled with the profiles update in
portage-stable, so before doing the update, clear the flag in the
overlay.
This is not done for SDK images, since they seem to have split /usr on
purpose.
It is not used anywhere during the build process, thus drop
it. Dropping it makes it easier to port this ebuild to python3, since
there will be only one script to port to python3. The
`emerge-gitclone` script will need porting anyway, because it imports
portage code, which will become python3 after the update.
Most likely the package should be then renamed to
`coreos-base/emerge-gitclone`, but this can be done later.
Now that Docker 1.12 is gone, we can delete go 1.6 completely.
Note, we do not delete go 1.7, which is still needed by containerd 0.2.6
and docker 17.03.
Now that docker 1.12 is gone, we can delete `app-emulation/runc`
1.0.0_rc2, which had dependency on docker 1.12.
Note, we do not delete `app-emulation/docker-runc` 1.0.0_rc2, because
that one is needed by Docker 17.03.
Delete torcx config file needed only for Docker 1.12.
Note, let's keep the remaining file name as before,
`docker-1.12-no.json`, to be consistent with naming scheme of
the torcx repo itself of Flatcar.
One of the torcx profiles in Flatcar is for docker 1.12, which is
outdated since a long time. It takes ~27 MB of space in production
images almost for no reason.
We can and should delete docker 1.12.
After deletion:
```
$ df -h /usr
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/usr 985M 843M 91M 91% /usr
```
Using the change in https://github.com/kinvolk/init/pull/34
we can show the OEM on the motd, and by including "Pro" in the OEM
name we can also show whether it is a Pro image or not. Later this
may be revisited if the /usr/../os-release file is the place for it.
Update to 1.19.0, to keep up with recent releases of cri-tools.
Note that we should not simply update to 1.20.0, because its crictl
binary file is 30M, so bigger than the usual size.
On the other hand, crictl 1.19.0 is only 21M.
To optimize the binary size of crictl, make use of the existing
helpers provided by `coreos-go.eclass`.
Add "-X $(PROJECT)/pkg/version.Version=$(VERSION)" to GO_LDFLAGS,
as the original cri-tools Makefile does.
Note, we cannot run the native command like `emake crictl`, because
the cri-tools Makefile does not allow custom env variables like
BUILDTAGS or GO_LDFLAGS to be configured.
Add `arm64` to ACCEPTED_KEYWORDS.
Remove unnecessary files from installation, as well as the bash
completion eclass.
The bootstrapping script relies on /etc/docker existing, but this
directory doesn't exist on vanilla Flatcar. Add the missing call to
mkdir -p /etc/docker before the directory gets used.
Also, update the upstream files to their latest version.
The systemd.eclass was not finding the systemd pkg-config file to
figure out the system unit directory, so it was falling back to a
hardcoded default (`/lib/systemd/system`). In one case (when
overriding the `default.target` symlink), we tried to fix that by
specifying the `PKG_CONFIG_LIBDIR` environment variable, but that
still did not help.
Using functions from `systemd.eclass` in a systemd ebuild is working
only by chance here. This eclass is usually meant for ebuilds that
depend on systemd and rely on systemd being already installed in the
root filesystem.
The functions in `systemd.eclass` that need to figure out some values
from systemd's pkg-config file (like system unit directory) assume
that systemd is already installed in the root filesystem, which is not
the case when we actually are building and installing systemd.
To add an insult to the injury, `systemd.eclass` is not using
pkg-config directly, but rather a shell script that wraps pkg-config
(for example `/usr/bin/x86_64-cros-linux-gnu-pkg-config`). The script
clobbers the environment variables like `PKG_CONFIG_PATH` or
`PKG_CONFIG_LIBDIR`, which is why overriding them did not work when
fixing up the `default.target` symlink. Thus `systemd.eclass` was
actually falling back to a hardcoded default value. The only way to
control the script is through either SYSROOT or ROOT environment
variables. So do so.
This fixes merging the installed files into root file system using a
newer version of portage. The failure was that systemd build system
installs the `default.target` symlink in `/usr/lib/systemd/system`
pointing to `graphical.target`, while we later try to override it to
point it to `multi-user.target`. But instead of overriding a symlink,
we installed a new symlink in `/lib/systemd/system`. Both `/lib` and
`/usr/lib` are separate directories in the temporary installation
directory, but in root filesystem, both are symlinks pointing to the
same directory. Which means that we ended up with two different
symlinks in temporary installation directory, and the new portage
version could not decide which one to use during the merge into the
root filesystem. I'm not sure what old portage version did here,
likely worked by chance too.
The security patch that was brought in has stricter permission checks
which cause the service to fail:
ERROR: TCSD config file (/etc/tcsd.conf) must be user/group root/tss
Set the expected file ownership and permissions.
https://github.com/kinvolk/Flatcar/issues/335
Now that `dev-libs/nss` is removed from the depencencies list of
hard-host-depends, SDK does not include `dev-libs/nspr` any more.
As a result, `dev-lang/spidermonkey` fails to build, because it requires
`dev-libs/nspr` in the SDK. It is not sufficient to have nspr under
`/build/amd64-usr`.
Add `dev-libs/nspr` back to the dependencies of `hard-host-depends`,
to make it included in the SDK.
This change adds a new flatcar-eks package, that ships with all scripts
needed to join a Flatcar instance to an EKS cluster.
It includes the bootstrap.sh script used on Amazon Linux, to keep
compatibility with existing provisioning tools.
The package is included from the oem-ec2-compat package, when the board
is aws_pro, and it's part of board-packages, so that it's built by the
os/board/packages job.
It used to be a dependency of upstart and ureadahead, both dropped
long long time ago. Also drop nih-dbus-tool, which was built from
upstart too.
Found this out when updated profiles in portage-stable masked the
library.
Replace the use of deprecated git eclass with git-r3 and bump the
commit version to latest version. This version dropped a dependency on
jq.
It is a breaking change for users of mkova.sh, since it has changed
the order of parameters to allow passing multiple vmdk files to it.
When building `net-libs/nghttp2` needed by curl 7.74, build fails
when checking for prerequisites of boost libs.
```
configure:20402: checking whether the Boost::ASIO library is available
configure:20433: x86_64-cros-linux-gnu-g++ -std=c++14 -c -O2 -pipe
-mtune=generic -g conftest.cpp >&5
configure:20433: $? = 0
configure:20447: result: yes
configure:20540: error: Could not find a version of the library!
```
To avoid such issues, we should disable the `cxx` USE flag for
`net-libs/nghttp2`.
It's really a hindrance during bootstrap, and we would be looking into
ways of making an exception for openssl anyway. Using
package.accept_restrict file does not do the trick, apparently because
of catalyst using its own portage config.
It seems that there is no "kernel" mirror specified in third party
mirrors files in profiles any more. And gentoo seems to have switched
to direct kernel.org URLs anyway, probably because kernel.org is using
also some mirroring system, so we don't have to. Also, this syslinux
version is quite old, so if its tarball ever was on distfiles mirror,
it's gone by now.
The target methods have undergone significant refactoring. The return
value is no longer a TargetResult, it's just a Target. And also the
vendor is now part of the options.
When Docker/containerd binaries are compiled with Go 1.15 the
containers generate many signal 23 (SIGURG) events which flood
monitoring systems:
https://github.com/kubernetes/kops/issues/10388
The SIGURG signal does not kill the process but is generated by Go
runtime scheduling:
https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md)
Because the Go runtime does not know if the process expects external
SIGURG signals, the signal is not filtered out but reported to the
process: https://github.com/golang/go/issues/37942
The process has to filter this signal out itself before forwarding it
to, e.g,. children processes or logs.
This change was introduced with the Go 1.15 update (actually Go 1.14
but Flatcar skipped that for Stable), however, while containerd has
some workarounds in place, e.g., in
https://github.com/containerd/containerd/pull/4532 but there are still
areas where the signal is not handled correctly.
Until this is the case, downgrade to use the Go 1.13 compiler for
Docker/containerd binaries.
See https://github.com/kinvolk/Flatcar/issues/315
So far all sed expressions have used correct regular expressions around
semantic versions, around `.`. As a result, they matched strings even
without correct dots in place.
We need to escape the dot correctly.
Since Kernel 5.10, Github Actions simply stopped working.
What happens is that `KV_MAIN` gets passed as environmental variable to
the inline script, but not as string but float, because it contains `.`.
Apparently the last digit of the misinterpreted float number is
afterwards simply dropped by YAML parsing library used by GA.
As a result, `KV_MAIN` becomes `5.1` instead of `5.10`, `versionMain`
becomes simply `5.10`, not `5.10.6`. Then in the next steps,
both `VERSION_NEW` and `VERSION_OLD` become `5.10`, and the script
thinks it is already the latest version, so simply does not create a new
pull request.
It was not an issue when Kernel version is <= 5.9, because no digit
got dropped from the variable. Now the hidden issue was uncovered.
Simply set `KV_MAIN` or others explicitly as strings, by adding quotes,
to avoid such issues.
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update their configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switch to the default location.
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.
Fixes https://github.com/kinvolk/Flatcar/issues/311
The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enfored there:
https://github.com/kinvolk/baselayout/pull/13
The [repo v2.10](https://groups.google.com/g/repo-discuss/c/rpSfMCl83Sk)
was released dropping python2 support. As a result, every `repo init`
failed to run. To unblock CI builds, we released mantle
[v0.15.2](https://github.com/kinvolk/mantle/releases/tag/v0.15.2),
including a workaround to set the target branch to
[`maint`](https://gerrit.googlesource.com/git-repo/+/refs/heads/maint),
which still supports python2. Now with cork v0.15.2, `cork create` or
`cork update` will work well for now.
However, the current state is quite fragile. It will get broken again
when the upstream `maint` branch changes. We should update
`dev-vcs/repo` in coreos-overlay to 2.x with python3, and get it
included in Flatcar SDK, so we could later set the target branch in
mantle back to `stable`.
At the moment, none of the source repos has the tarball for repo 2.10,
neither GCS nor Gentoo distfiles. So for now we update it to 2.8.
It will be linked to python 3.6 in Flatcar SDK.
Also note that we do not have to keep `files/repo-1.25` script in the
coreos-overlay repo, because the script is simply identical to the
upstream `repo` script. I am not sure why the third-party script was
there in the first place. So simply remove the script.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging. This package does not depend on virtual/pam outright, but
let's avoid having an out-of-date comment.
The version now matches what is in Gentoo, despite being almost, but
not quite, entirely unlike upstream recipe. The rename is needed,
because some packages may depend on a newer pambase after they are
updated.
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
Qemu has enabled `jpeg` USE flag since the beginning, without any
reason specified. As a result, qemu pulls in unnecessary packages,
`virtual/jpeg` as well as `media-libs/libjpeg-turbo`. However,
Flatcar runs qemu always with `-display none` option. So the `jpeg`
flag is not needed at all.
Simply remove `jpeg` USE flag from qemu.
Before applying Flatcar patches to bsdiff, sync with upstream Gentoo,
so the ebuilds could make use of EAPI=7.
Also drop third-party patches, to be able to start from scratch.
Doing that we can fix [CVE-2014-9862](https://nvd.nist.gov/vuln/detail/CVE-2014-9862),
integer signedness error in bspatch.c. With the vulnerability, remote
attackers to execute arbitrary code or cause a denial of service
(heap-based buffer overflow) via a crafted patch file.
Since Gentoo already has the third-party patch, we can simply make
use of it.
See also https://bugs.gentoo.org/701848 ,
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4d7646f1d69 .
A symlink `vimdiff` should not be created, if the USE flag `minimal` is
enabled. Otherwise running `vimdiff` results in failure like that:
```
$ vimdiff aaa bbb
This Vim was not compiled with the diff feature.
```
Github Actions for Rust started failing with following errors:
```
Error: Unable to process command '::set-env name=PULL_REQUEST_NUMBER::718' successfully.
Error: The `set-env` command is disabled. Please upgrade to using
Environment Files or opt into unsecure command execution by setting the
`ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For
more information see:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```
It happens because we have used peter-evans/create-pull-request@v2,
which did not have a bug fix for the set-env issue.
The bug was fixed in create-pull-request
[v3.4.1](https://github.com/peter-evans/create-pull-request/releases/tag/v3.4.1).
So we just need to update the version to `v3`, which already includes
v3.4.1.
# Enables Raspberry Pi 4 PHY
The following 1 line change enables the kernel module to be build enabling the Raspberry Pi 4 PHY enabling the on-board NIC.
# How to use
Build it and boot it :)
# Testing done
Validated the config change against known working 5.8.y kernels on the Pi4.
The kola tests fails to download during the release because the
artifacts of the release has not been pushed to the website yet.
This adds the logic to check if the URL is 200, then only download
or else fallback to the GCS bucket url.
This commit also changes a bug with the check to see if nvidia
is installed or required.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This commit adds amba-4.11-fix-glibc-2.32-function-collisions.patch
which fixes compile breakage in a test shipped with Samba-4.11.
The test defines functions which are now shipped with glibc-2.32.
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This PR includes the necessary changes to upgrade the SDK compiler to gcc-9.3.0.
It also changes the gdb-9.2 recipe to work with the Flatcar SDK.
The changes include:
sys-devel/gdb/gdb-9.2.ebuild: use EAPI6 to work around BDEPEND emerge bug
update sys-libs/nss-usrfiles to nss-usrfiles-2.30.ebuild to support glibc > 2.29
update sys-kernel/README.md to call out need for updating kernel-headers, perf
add sys-libs/glibc/README.md outlining our changes to the glibc recipe
update profiles/coreos/base/package.accept_keywords to include new toolchain
The change also adds a README to
sys-libs/glibc/README.md
and it improves on a README in
sys-kernel/README -> sys-kernel/README.md
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Enable CONFIG_OVERLAY_FS_METACOPY, metadata only copy up feature
in overlayfs. When turned on, overlayfs will only copy up metadata
when a metadata specific operation like chown/chmod is performed.
Full file will be copied up later when file is opened for WRITE
operation. More or less like delayed data copy up operation.
Enable CONFIG_OVERLAY_FS_REDIRECT_DIR, which is equivalent to
"redirect_dir=on" in the kernel command-line. When turned on, overlayfs
will copy up directory first, before the actual contents.
See also https://github.com/kinvolk/Flatcar/issues/170
To build Kernel with `CONFIG_DEBUG_INFO_BTF`, we need to make `pahole`
in dwarves included in the Flatcar SDK.
To do that, we need to make it accept `~amd64` keywords for dwarves
and binutils.
Also enable USE flag `python_single_target_python3_6` for dwarves.
CONFIG_POWER_SUPPLY enables power supply class used to represent
battery, UPS, AC or DC power supply properties to user-space.
It defines core set of attributes, which should be applicable to
most power supplies out there.
See also https://github.com/kinvolk/Flatcar/issues/215.
CONFIG_BPF_JIT_ALWAYS_ON enables BPF JIT and removes BPF interpreter
to avoid speculative execution of BPF instructions by the interpreter.
See also https://github.com/kinvolk/Flatcar/issues/185.
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst-off-by: Thilo Fromm <thilo@kinvolk.io>
We need to filter not only `-Wl,-O1`, but also other flags like
`-Wl,-O2`, `-Wl,-Og`, `-Wl,-Os`, etc. Otherwise, SDK build would fail,
for example, as its default `$LDFLAGS` includes `-Wl,-O2`.
We need to manually strip only the optimization element of
comma-separated flags, e.g. from `-Wl,-O1,-s` to `-Wl,-s`.
To support multiple characters that can follow `-O`, e.g. `-Ofast`,
we should use regexp like `[[:alnum:]]*`.
The repo `github.com/flatcar-linux/mantle` has been moved to
`github.com/kinvolk/mantle`. However, Github Actions still fetch cork
binaries from the original URL, by running `curl` without `-L`. So the
request does not get redirected to the new URL. As a result,
`CORK_VERSION` becomes null.
Fix it by replacing `flatcar-linux` with `kinvolk`, as well as adding
`-L` to the curl command, just in case.
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See https://github.com/golang/go/issues/42559.
However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:
```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```
We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
Although `dev-libs/cyrus-sasl` pulls in `net-mail/mailbase`, the
mailbase package is not needed at all.
Simply mark it as provided, to make it build without mailbase.
Also enable python_single_target_python3_6 for tdb, talloc, tevent.
Remove unnecessary arm64 keywords.
Clean up unnecessary USE flags.
At the moment bind-tools does not enable `gssapi`, so its `nsupdate`
tool is also not able to run `realm` command. As a result, configure
script of `sssd` fails when running `echo realm | nsupdate`, like
`syntax error`.
To avoid such issues, we need to disable the nsupdate check for now.
After we could enable `gssapi` for the SDK correctly, we can bring back
the nsupdate check in the future.
Now that the upstream sssd 2.3.1 does not support `--runstatedir` option
from its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`.
Instead we need to pass `runstatedir=` to emake commands.
In the past we
[enabled](https://github.com/flatcar-linux/coreos-overlay/commit/172d9311bacd)
the USE flag `gssapi` only for amd64, not for arm64. We did so to
avoid build issues that only happened for arm64.
However, that change caused interesting side effects in the SDK, where
bind-tools ended up being compiled without `gssapi`. It means, tools
like `nsupdate` in the SDK are not able to deal with certain commands
like `realm`. As a result, configure scripts in packages like
`sys-auth/sssd` fail, because they cannot run commands like
"echo realm | nsupdate".
We should bring the `gssapi` USE flag back to the SDK, to avoid such
issues in the future.
The `BDEPEND` is a build-time requirement, so it should not be included
in the whole `DEPEND` list. If it does, an installation of
`sys-auth/sssd` causes other dependencies to be installed not only in
the `/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.
Update sys-auth/sssd, by syncing with upstream Gentoo.
Mainly needed by net-fs/samba 4.11.
Also resolves CVE-2018-16883, CVE-2019-3811, CVE-2018-16838.
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
Original-by: David Michael <dm0@redhat.com>
https://github.com/flatcar-linux/coreos-overlay/commit/8445f8b4386a
The key server currently doesn't work. Since the key is not used
currently but the key we have hosted on our web server, we can remove
this failing step to restore GitHub Actions.
Apply Flatcar-specific changes, like below:
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
Original-by: David Michael <dm0@redhat.com>
6fd490ebfefd ("sys-apps/shadow: Apply CoreOS changes")
Enable Kernel config for PSI (Pressure Stall Information), which might
help system administrators to detect bottleneck in cpu, memory and io
in an easy way.
```
$ zgrep -i _psi /proc/config.gz
CONFIG_PSI=y
$ ls -l /proc/pressure/
-r--r--r--. 1 root root 0 Oct 7 11:56 cpu
-r--r--r--. 1 root root 0 Oct 7 11:56 io
-r--r--r--. 1 root root 0 Oct 7 11:56 memory
$ cat /proc/pressure/cpu
some avg10=0.13 avg60=0.68 avg300=0.28 total=1195993
$ cat /proc/pressure/io
some avg10=0.00 avg60=1.11 avg300=0.68 total=2828208
full avg10=0.00 avg60=0.91 avg300=0.56 total=2334731
$ cat /proc/pressure/memory
some avg10=0.00 avg60=0.00 avg300=0.00 total=0
full avg10=0.00 avg60=0.00 avg300=0.00 total=0
```
See also https://www.kernel.org/doc/html/latest/accounting/psi.html ,
https://facebookmicrosites.github.io/psi/docs/overview
Fixes https://github.com/flatcar-linux/Flatcar/issues/162
Use host tool when building cross.
Bump revision to -r1.
Adjust the patch on top of dbus-glib 0.110.
Original-by: Geoff Levand <geoff@infradead.org>
6d7756b77b10 ("dev-libs/dbus-glib: Fix cross compile build error")
We have these patches in v245 too. I have missed them when doing the
update to v246, because apparently I have assumed that our flatcar
branches are more or less some upstream branch/tag + our patches on
top. That assumption was wrong and it surfaced when I rebased the
v245-flatcar branch to the v245.8 tag.
Our current cros-workon setup was awkward to use when a new patch
release happened on upstream. In this case we would go to our
`v<VERSION>-flatcar` branch and merge/cherry-pick the commits from
upstream that appeared between the release we have been using so far
and the new release. In such case, our non-upstreamed patches were
hidden somewhere in history. To fix that, I proposed having a branch
for each patch release, so the branch would always be based on an
upstream tag and have our patches on top of that. An alternative
proposition was to just use the Gentoo workflow for patches, and this
is what we are doing here.
This also slightly minimizes the difference between the Gentoo recipe
and ours.
To be able to update `dev-util/gdbus-codegen` to 2.64.5, we need to
specify a single target python3.6 for gdbus-codegen.
Without it, it is not possible to emerge gdbus-codegen, because
it thinks there are multiple python single targets for the package.
Now that Go 1.10 has been removed, we can remove `dev-lang/go:1.10`
from the SDK dependencies list.
Instead add `dev-lang/go:1.15` to the SDK dependencies list.
So far Flatcar has kept a third-party patch to add a blank kernel
module `nf-conntrack-ipv4.ko` to avoid regression around Kubernetes.
The issue was that kube-proxy with ipvs started using `nf-conntrack.ko`,
which does not exist in Kernel < 4.19. The patch was originally added by
a24dbb6cb6.
However, Kubernetes 1.13 or newer already deals with the issue. It
automatically loads a different Kernel module according to Kernel
versions: `nf-conntrack-ipv4` for Kernel < 4.19, and `nf-conntrack`
for Kernel >= 4.19.
See 4b90559369 .
We can simply remove the Kernel module, as since then all production
systems have updated Kubernetes to the newer versions than 1.13.
The diffutils package provides the "cmp" and "diff" tools which are
essential commands in shell scripts. They used to be pulled in by
audit but the update in
https://github.com/flatcar-linux/coreos-overlay/pull/537
caused them to be dropped.
Add them to the explicit list of base packages to ensure they are
installed.
Rust stage0 tarballs should not be based on a patchlevel release like
`1.45.1`. It might work in case of the previous version 1.45.1, which
already exists. However, it will not work in case of x.y.1 is missing.
So the build rust 1.47.0, should pull tarballs for rust 1.46.0, instead
of 1.46.1, which does not exist.
Because the --root option restricts systemd-tmpfiles to the passwd
database file in the package chroot it can't resolve the core user
and fails to set up the home folder from the baselayout-home.conf
directives.
Create the folder manually because creating a /etc/passwd file in
the package chroot would at installation overwrite the SDK user.
This reverts commit c414b38c7c56dafb05a86040443c634763527f05.
The real DNS server IP addresses should be in /etc/resolve.conf and not
just 127.0.0.53 because all cases that bind-mount /etc/resolve.conf
into a new network namespace can't reach the loopback interface that
resolved is listening on.
systemd-tmpfiles in systemd v246 requires the user/group databases in
the custom root if it gets passed with --root flag. This requires a
new version of baselayout to be pulled, so do so.
DTC (Device Tree Compiler) source tree in Flatcar Kernel modules
unnecessarily takes too much space, especially the `include-prefixes`
directory.
```
$ sudo du -a /usr/lib64/modules/$(uname -r)/source/ | sort -n -r | head -n5
130100 /usr/lib64/modules/5.8.11-flatcar/source/
69180 /usr/lib64/modules/5.8.11-flatcar/source/include
56324 /usr/lib64/modules/5.8.11-flatcar/source/scripts
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc
50728 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/include-prefixes
$ sudo ls /usr/lib64/modules/$(uname -r)/source/scripts/dtc/include-prefixes/
arc arm arm64 c6x dt-bindings h8300 microblaze mips nios2 openrisc powerpc sh xtensa
```
Most of them are for architectures that are not supported by Flatcar, so
we can remove them from the production image.
OTOH, as `dt-bindings` looks more like an architecture-independent one,
for now we keep it.
Before:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
250308 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 934152 21592 98% /usr
```
After:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
6632 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
205144 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 907628 48116 95% /usr
```
Compress every kernel module with xz (lzma), to make more free space
in the rootfs.
Before:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
90472 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
After:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
26908 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 845468 110276 89% /usr
```
Add new binaries containerd-runc-shim-v[12] to the torcx tarballs for
docker and containerd. The binaries are necessary for kubelet to
communicate via custom CRI endpoints.
The addition will cause usage of the /usr partition to grow by ~5M.
```
$ ls -l /run/torcx/unpack/docker/bin
-rwxr-xr-x. 1 root root 6742592 Sep 30 13:22 containerd-shim
-rwxr-xr-x. 1 root root 9095176 Sep 30 13:22 containerd-shim-runc-v1
-rwxr-xr-x. 1 root root 9111752 Sep 30 13:22 containerd-shim-runc-v2
$ ls -l /usr/share/torcx/store/docker\:19.03.torcx.tgz
-rw-r--r--. 1 root root 89809888 Sep 30 14:16 /usr/share/torcx/store/docker:19.03.torcx.tgz
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
Note, we do not touch other torcx profiles like docker 1.12 or 17.03,
to keep the image size as small as possible.
The use flag enables building audisp, auditd, aureport, ausearch and
probably some other tools. Not sure what's the reason for adding such
a use flag other than disabling the build of the binaries. The daemon
use flag is nowhere set, so these things are not built by default.
The ebuild is in the portage-stable repository but we need this patch in
coreos-overlay to avoid this error:
> The following keyword changes are necessary to proceed:
> (see "package.accept_keywords" in the portage(5) man page for more details)
> # required by sys-apps/systemd-245-r3::coreos[seccomp]
> # required by app-misc/ca-certificates-3.27.1-r1::coreos
> # required by dev-libs/openssl-1.1.1g::coreos
> # required by net-misc/rsync-3.2.3::portage-stable[-libressl,ssl,-static]
> # required by sys-apps/portage-2.3.40-r1::coreos[-build]
> # required by app-admin/perl-cleaner-2.27::portage-stable
> # required by dev-lang/perl-5.26.2::portage-stable
> # required by sys-apps/help2man-1.45.1::portage-stable
> # required by sys-devel/automake-1.16.1-r1::portage-stable
> # required by dev-libs/libxml2-2.9.8::portage-stable
> # required by x11-misc/shared-mime-info-1.4::portage-stable
> # required by dev-libs/gobject-introspection-1.40.0-r1::portage-stable
> # required by sys-auth/polkit-0.113-r5::coreos[introspection]
> =sys-libs/libseccomp-2.5.0 ~amd64
The savedconfig feature reads and, if not set, generates a file under
/etc/portage/savedconfig/ to source a build configuration. We probably
don't want this and specially not on the final image, therefore,
disable reading and also don't write the file to the final image.
These normally would be pulled by systemdctl enable when enabling
systemd-networkd.service, because they are used in Also= options. In
such case, we need to pull them ourselves, so they can be enabled in
/usr, not in /etc.
We are installing systemd from scratch in the image, so there are no
previously enabled units to enable or reenable after
installation. Also, this code would enable the services in /etc, which
we don't want, because /etc is not autoupdated, so the enabled
services could end up still being disabled after the update.
At installation time, we usually want to enable services through
/lib. This change will stop making the installation to put symlinks
for getty in /etc, since we already do it in /lib.
Since v242, this unit is not enabled by default. Currently the
recommended way of initial enablement of the important units is
through `systemctl preset-all` with the preset file from systemd. We
don't want to do it, because this action creates symlinks in /etc, so
we enable those services ourselves by putting the symlinks in /lib.
Since sqlite 3.32 or newer requires dev-lang/tcl to be available in
the Flatcar SDK by default, we should add dev-lang/tcl in the dependency
list of SDK.
Update srctree path to correctly populate the Makefile for sandbox
environments. The patch is to adjusted for 5.x kernels
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
