flannel uses an init container to pull CNI from the container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t`, so it can't be accessed by Docker, which expects `svirt_lxc_file_t`.
Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created, which avoids having to
run `restorecon` on `/etc/cni`.
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
The applied patches do not make sense to remove, hence it would
be better to move `expat` back to portage-stable.
Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit 8d040f93c289.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that the OEM partition is a btrfs partition with compression, we have
enough space to install ssm agent.
This reverts commit b6abb59c544be13e923a3e7240b5c9395c281fca.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The ebuild was missing a call to go_export() which exports GOARCH, and so was
always built for host architecture. While COREOS_GO_VERSION was specified as
go1.12, src_compile() has to use '${EGO}' to make use of it, so we were
building with go1.16 (latest). Upstream builds with 1.12 for this version, so
we will do the same.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Sysroot-wrappers contains binaries installed to /usr/lib64/sysroot-wrappers,
but the profile referenced them through the 'lib -> lib64' symlink. Stop
relying on that symlink, which is not present in arm64 profiles, and is
not part of 17.1 amd64 profiles.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
With the switch from rkt to systemd-nspawn the ability for the service
to set the routing entries for the TCP load balancer got lost,
resulting in an unreachable LB as reported in
https://github.com/kinvolk/Flatcar/issues/459
The fix also reported there is to retain CAP_NET_ADMIN when starting
the service.
Btrfs filesystems do not support a non-standard 64k page size on arm64
when the filesystem was created by a 4k page size system.
Use the default page size for arm64 to ensure compatibility with
btrfs filesystems created by amd64 systems.
With the default gzip compression the 60 MB limit for the vmlinuz
bundle of kernel+initramfs was reached. The limit comes from the size
of the /boot partition which is 128 MB large and the kernel needs to
fit twice, in addition to GRUB.
Use zstd for the initramfs as it provides a similar speed but better
compression. For the kernel we can't switch yet to zstd for arm64
but for amd64 it works.
Due to unnecessary wildcard listings, ebuild files including all rc or
beta are being listed. Since `VERSION_OLD` is already generated as a
unique version, we do not need to list multiple files to filter by
running `head -n1` etc. We just need to use only the specific ebuild.
Simply list only the unique ebuild file.
Before passing runc versions to `sed '/-/!{s/$/_/}'`, we need to replace
`_` with `-`, because runc tarball files already have names like
`1.0.0_rc2`. Without the fix, version sort would put `1.0.0` before
`1.0.0_rc2`, which is not expected in the later steps.
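As an added illustration of the ordering problem described above (not code from the overlay's own scripts), this Python sorts runc-style version strings so that pre-releases such as `1.0.0_rc2` or `1.0.0-rc93` come before the matching final release, which is what the `sed` trick achieves before `sort -V`; the tarball names in the sample are constructed.

```python
import re
from typing import List, Tuple

# A base version followed by an optional pre-release tag. Gentoo-style names use
# `_` (1.0.0_rc2) while upstream tags use `-` (1.0.0-rc93); both forms are accepted.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-_]([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str, int]:
    """Sort key that orders pre-releases before the matching final release.

    The second element is 0 for a pre-release and 1 for a final release. This is
    the same effect as appending a trailing `_` to plain release versions with
    `sed '/-/!{s/$/_/}'` so that `sort -V` places them after `-rcN` entries.
    """
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    if m.group(2) is None:
        return (base, 1, "", 0)
    tag = m.group(2).lower()
    num = int(m.group(3)) if m.group(3) else 0  # rc10 must sort after rc2
    return (base, 0, tag, num)


def sort_versions(versions: List[str]) -> List[str]:
    """Return the versions oldest-first, pre-releases before their final release."""
    return sorted(versions, key=version_key)


def latest_version(versions: List[str]) -> str:
    """Pick the newest version; a final release beats any of its pre-releases."""
    return max(versions, key=version_key)


def naive_sort(versions: List[str]) -> List[str]:
    """Plain lexical sort, kept only to show the bug: `1.0.0` lands before
    `1.0.0_rc2` because the shorter string is a prefix of the longer one."""
    return sorted(versions)


if __name__ == "__main__":
    # Constructed sample of tarball version names as a mirror listing might show them.
    sample = ["1.0.0", "1.0.0_rc2", "1.0.0-rc93", "1.0.0-rc10", "0.1.1", "1.0.1"]
    print("naive :", naive_sort(sample))
    print("fixed :", sort_versions(sample))
    print("latest:", latest_version(sample))
```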
This does not work because the host and cross rust targets share the
same name. This needs to be reworked to (potentially) enable x86 cross
targets for aarch64 targets.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
glib-utils are used during the build so they need to be part of host
dependencies for update_engine. This only really pops up during a repeat
bootstrap, when update_engine is being built from source but glib has
been installed from a binary. BDEPEND would be the correct variable but
that requires EAPI=7, so it was additionally added to DEPEND for now.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
kola-data and google-cloud-sdk install pre-built amd64 binaries, so
there's no point installing them right now. Both could be made to work
at a later time. iucode and syslinux are x86 specific and won't
build. selinux related packages *currently* don't work/build on arm64
but could be made to work.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Where the packages are part of coreos-overlay, I keyworded the ebuilds
directly to the same level of stability as amd64. Other packages have
been keyworded through the profile, as close to the amd64 level as I
could manage.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans, map and
exec from init to unconfined
- add AVC patch for local login and journald
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Update-bootengine chroots into the sysroot and runs dracut from there.
Dracut 053 has revised TMPDIR handling and the portage TMPDIR prefixed
with ROOT leaks into the chroot. This causes dracut to abort during
setup with the error message "invalid tmpdir".
Override TMPDIR before running update-bootengine to allow dracut to
function.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Flatcar uses custom networking scripts in initramfs, so the dracut iscsi
module needs to be patched to account for that.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Add Flatcar specific patch to enable the iscsi module
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Update commit to 6a4ff4ca879082c07353dd379439c437cbe27e18, to sync with
the current main branch.
Pulls in https://github.com/kinvolk/updateservicectl/pull/6 .
Also update Go import paths to `github.com/kinvolk/updateservicectl`.
Also set `COREOS_GO_GO111MODULE=on` because updateservicectl now relies
on Go modules.
Set PYTHON_COMPAT to python 3.6 and 3.7 to be suitable for the current
code base.
Add a custom patch to replace error with warning when running autoconf
for cross builds, because libkrb5 is not able to detect
cross-compilation.
See also https://github.com/kinvolk/Flatcar/issues/369 .
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We experience an issue with glibc-2.33 which causes all binaries in the
OS image to end up not stripped, which would increase the size of the OS
image threefold.
The change masks glibc-2.33 for all architectures, so the build will
default on glibc-2.32 until we have fixed the issue.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Sync with Gentoo to update intel-microcode to 20210608,
mainly to address CVE-2020-24489, CVE-2020-24511, CVE-2020-24513.
Gentoo ref: 66c8a60ea74e8ed2391c9fdff749c65eb0f398ff
2.33
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
2.32
sys-libs/glibc-2.32,targets/sdk: backport to EAPI6, add Flatcar changes
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Now that lz4 was updated to 1.9.3-r1, systemd has to depend on
lz4 >= 1.9.3-r1, so that its dependency graph during the SDK stage3
could be generated correctly.
Without that change, the preclean of SDK stage3 could fail because of
an inverted dependency order between systemd and lz4, like the following:
```
emerge --depclean --with-bdeps=y
...
* Dependencies could not be completely resolved due to
* the following required packages not being installed:
*
* >=app-arch/lz4-0_p131:0/r131=[abi_x86_64(-)] pulled in by:
* sys-apps/systemd-247.6
```
Stage3 first runs `emerge --quiet --usepkg --buildpkg
--binpkg-respect-use=y --newuse -e --update --deep --with-bdeps=y @system`,
which works well.
After that, only the stage3 (no other stages) runs preclean, which in fact
runs `emerge --depclean --with-bdeps=y` to clean up unnecessary ebuilds.
That's where it fails.
That happens because systemd still depends on lz4 0_p131. As a result, the
main installation step of stage3 seems to first install systemd 247, and
after that it updates lz4 to 1.9.3-r1. Then systemd thinks it still depends
on 0_p131. When doing it the other way around, the dependency graph is
correctly generated, first lz4 1.9.3-r1, then systemd 247.
We disable SELinux because Flatcar doesn't properly support it and it
was causing labeling problems when running runc containers with
NoNewPrivileges or seccomp.
These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.
Instead, we'll disable SELinux support in the Docker daemon in the next
commit.
Go import path of torcx has changed from coreos to flatcar-linux,
aef371c76b
So we need to fix the import path also in torcx ebuilds.
Otherwise the build will simply fail due to wrong import paths.
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 6c0c1c8806bedcc164e5bd3541ab50b2c21e2498 .
Since containerd 1.5 started to turn on Go modules, we need to pass
`-mod=vendor` to the go build command.
Otherwise, go build will fail because it would try to fetch missing
go deps from remote repos. It would not work inside of sandbox.
We cannot set `COREOS_GO_MOD=vendor` because containerd ebuild calls
`emake` instead of `go_build`.
Since coreos-firmware 20210511, `cxgb4/t[4-6]fw*.bin` files have a new
version '1.25.4.0'. We need to update the file name pointed by symlinks.
Otherwise build fails due to broken symlinks.
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/bootengine/pull/24
This pulls in a change in the systemd network unit to ignore the
loopback interface instead of managing its state which sometimes causes
the address to be lost.
https://github.com/kinvolk/init/pull/40
* Drop the dependency on `sec-policy/selinux-dbus`
* Drop machine-id generation
* Stabilize both keywords `amd64` and `arm64` to build it.
* Do not add a third-party patch for CVE-2019-12749 again, as the fix is
already included in dbus >= 1.10.29.
Loosely based on a409238795c44dabfd16e466c8433a89f5f0844f and
e458211c8418462f4bd4d4536dc96f62380a22cf .
Upstream changed the way the default percentage value is set, and
made the property partially dynamic.
Upstream ref: https://github.com/systemd/systemd/pull/14007
Fixes #382
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tarball.
To replace rkt with systemd-nspawn, extract the tarball to an
image and run the daemon as a systemd-nspawn container.
Having the hostname units as required by the initrd.target meant that if
the unit failed (for example because the network or the metadata
service was down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop bindist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change pulls in the latest bootengine version, that enables iSCSI
support in dracut and avoids tearing down the network when using netroot.
See https://github.com/kinvolk/bootengine/pull/22 for more information.
This reverts commit f8dda51d546b466d9faf0c936b2ad5592ab1639e.
Recently we dropped `bindist` from `RESTRICT` in openssl, so it is
now possible to turn on `ssl` for wget again. The issue of openssl being
blocked by `masked by: bindist in RESTRICT` etc. has now disappeared.
Fixes https://github.com/kinvolk/Flatcar/issues/149
For some reason, the old version of boost-build 1.67 is still here.
As we already have boost-build 1.75 in portage-stable, we should
completely delete boost 1.67.
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency.
We need to customize dracut. Currently the version in portage-stable is
picked because it's newer than the one in coreos-overlay. This commit
updates coreos-overlay to the same versions available in portage-stable.
This pulls in
https://github.com/kinvolk/baselayout/pull/17
to enable the pam_faillock module as replacement for pam_tally2.
The "faillock" binary can be used to see the login attempts and
account lock status which before was available with the pam_tally
command. While the tally defaults did not temporarily lock the
account on wrong password login attempts, this is done by default
with faillock. However, the default behavior was relaxed to allow
more wrong attempts and have a shorter lock time span.
As rkt is deprecated we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
Since rkt is deprecated we need to run the etcd container with Docker
or Podman. The etcd-wrapper script is based on rkt arguments and can't
be used in a compatible way but we cannot remove it since ct explicitly
uses it in the ExecStart directive when writing out a drop-in file once
etcd settings are given in a Container Linux Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect.
This commit adds some comments to help other folks to
easily recognize Flatcar-specific code.
Check issue #364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
Cherry-picked from kinvolk/coreos-overlay@d0426cf.
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This commit synchronises ncurses with gentoo/gentoo@69bf5af thus
it updates the package from 6.1-r2 to 6.2-r1.
Check issue kinvolk/Flatcar#364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This pulls in
https://github.com/kinvolk/init/pull/38
to set predictable network interface names as alternative interface
names for virtio devices, and also add a special hardcoded ens4v1
name for GCE because the special udev rule to rename the device
stopped working after the systemd 247 update.
While the execution of the unit may succeed by finding the executables
by searching the current PATH, calling `systemd-analyze verify` on the
units fails because this requires an absolute path.
When listing kernel modules to decide which firmware should be shipped
together with the image, we now need to list both compressed and
uncompressed modules.
Fixes: kinvolk/Flatcar#359
In https://github.com/kinvolk/coreos-overlay/pull/875 the repository
was switched to a fork from the archived upstream repository. However,
the ebuild was still using a reference to an old squashed Flatcar build
bot commit from the git-sync times that was only present in our old
repository.
Switch to a reference to the latest commit on the new repository which
in fact does not introduce any changes.
Since rkt will be deprecated soon, we should make toolbox run docker
instead of rkt.
Also delete dependency on `app-emulation/rkt`, and update hyperlinks.
It pulls in https://github.com/kinvolk/toolbox/pull/1 .
This change adds the USE flag cros_host to the
SDK's make.default, as part of a larger fix for the SDK bootstrap build.
The SDK bootstrap build was broken in stage 1 since package upgrades
were allowed to leak into that phase.
We now limit stage 1 to only "known good" package ebuilds, which caused
downstream breakage from missing flags in the stage 2 SDK bootstrapping.
This change fixes that breakage.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
- Drop bindist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".
So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92, which allowed the "selinux" build tag. Since runc 1.0.0-rc93,
however, the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.
Until we can figure out its real reason, let's temporarily disable
NoNewPrivileges to make the CI pass.
Introduce a USE flag spotlight, to be able to disable the spotlight
backend by default, as it is not needed by Linux.
Introduce a USE flag rededit, to be able to disable the rededit
tool if needed.
Introduce a USE flag glusterfs, to be able to disable the glusterfs
by default.
Introduce a USE flag ntvfs, to be able to disable the ntvfs-fileserver
by default.
Since the docbook-xsl-stylesheets and libxslt are needed only
at build time, we should move those deps to BDEPEND.
Now that portage was updated to the latest version, we should update
EAPI to 7. It is mainly to allow ebuilds to make BDEPEND contain real
build-time dependencies, not runtime ones.
Each Flatcar production image includes a binary `containerd-stress`,
as a part of torcx tarballs.
However it does not seem to be used anywhere.
It looks like a stress testing tool for containerd, so I don't see a
good reason to keep it.
The binary was there since the beginning, via commit fdd926949a10,
but there is no comment or message why it was needed.
We can simply remove `containerd-stress`.
generate_patches takes three parameters - a category, a package name
and a description. Invoking the function like `generate_patches
sys-kernel coreos-{sources,modules,kernel} Linux` makes "sys-kernel"
the category, "coreos-sources" the package name and
"coreos-modules" the description, while "coreos-kernel" and
"Linux" are simply ignored.
It has worked so far only because coreos-sources was first in the list
and that's where the actual changes in Manifest file happened. Had the
order of the packages been different, the workflow would be
broken. Since only coreos-sources was modified and all worked fine,
simplify the call to generate-patches.
This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The updated portage-utils brings in two more tools, qmanifest and
qtegrity. They are pulling in some new dependencies. Since we didn't
have those tools before, we can live without them for a little while
longer.
We don't want to have separate /bin, /lib, /usr/bin and /usr/lib
directories. The former two are meant to be symlinks to the latter
two. The `split-usr` USE flag gets enabled with the profiles update in
portage-stable, so before doing the update, clear the flag in the
overlay.
This is not done for SDK images, since they seem to have split /usr on
purpose.
It is not used anywhere during the build process, thus drop
it. Dropping it makes it easier to port this ebuild to python3, since
there will be only one script to port to python3. The
`emerge-gitclone` script will need porting anyway, because it imports
portage code, which will become python3 after the update.
Most likely the package should be then renamed to
`coreos-base/emerge-gitclone`, but this can be done later.
Now that Docker 1.12 is gone, we can delete go 1.6 completely.
Note, we do not delete go 1.7, which is still needed by containerd 0.2.6
and docker 17.03.
Now that docker 1.12 is gone, we can delete `app-emulation/runc`
1.0.0_rc2, which had dependency on docker 1.12.
Note, we do not delete `app-emulation/docker-runc` 1.0.0_rc2, because
that one is needed by Docker 17.03.
Delete torcx config file needed only for Docker 1.12.
Note, let's keep the remaining file name as before,
`docker-1.12-no.json`, to be consistent with naming scheme of
the torcx repo itself of Flatcar.
One of the torcx profiles in Flatcar is for docker 1.12, which is
outdated since a long time. It takes ~27 MB of space in production
images almost for no reason.
We can and should delete docker 1.12.
After deletion:
```
$ df -h /usr
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/usr 985M 843M 91M 91% /usr
```
Using the change in https://github.com/kinvolk/init/pull/34
we can show the OEM on the motd, and by including "Pro" in the OEM
name we can also show whether it is a Pro image or not. Later this
may be revisited if the /usr/../os-release file is the place for it.
Update to 1.19.0, to keep up with recent releases of cri-tools.
Note that we should not simply update to 1.20.0, because its crictl
binary file is 30M, which is bigger than the usual size.
On the other hand, crictl 1.19.0 is only 21M.
To optimize the binary size of crictl, make use of the existing
helpers provided by `coreos-go.eclass`.
Add "-X $(PROJECT)/pkg/version.Version=$(VERSION)" to GO_LDFLAGS,
as the original cri-tools Makefile does.
Note, we cannot run the native command like `emake crictl`, because
the cri-tools Makefile does not allow custom env variables like
BUILDTAGS or GO_LDFLAGS to be configured.
Add `arm64` to ACCEPTED_KEYWORDS.
Remove unnecessary files from installation, as well as the bash
completion eclass.
The bootstrapping script relies on /etc/docker existing, but this
directory doesn't exist on vanilla Flatcar. Add the missing call to
mkdir -p /etc/docker before the directory gets used.
Also, update the upstream files to their latest version.
The systemd.eclass was not finding the systemd pkg-config file to
figure out the system unit directory, so it was falling back to a
hardcoded default (`/lib/systemd/system`). In one case (when
overriding the `default.target` symlink), we tried to fix that by
specifying the `PKG_CONFIG_LIBDIR` environment variable, but that
still did not help.
Using functions from `systemd.eclass` in a systemd ebuild is working
only by chance here. This eclass is usually meant for ebuilds that
depend on systemd and rely on systemd being already installed in the
root filesystem.
The functions in `systemd.eclass` that need to figure out some values
from systemd's pkg-config file (like system unit directory) assume
that systemd is already installed in the root filesystem, which is not
the case when we actually are building and installing systemd.
To add insult to injury, `systemd.eclass` is not using
pkg-config directly, but rather a shell script that wraps pkg-config
(for example `/usr/bin/x86_64-cros-linux-gnu-pkg-config`). The script
clobbers the environment variables like `PKG_CONFIG_PATH` or
`PKG_CONFIG_LIBDIR`, which is why overriding them did not work when
fixing up the `default.target` symlink. Thus `systemd.eclass` was
actually falling back to a hardcoded default value. The only way to
control the script is through either SYSROOT or ROOT environment
variables. So do so.
This fixes merging the installed files into root file system using a
newer version of portage. The failure was that systemd build system
installs the `default.target` symlink in `/usr/lib/systemd/system`
pointing to `graphical.target`, while we later try to override it to
point it to `multi-user.target`. But instead of overriding a symlink,
we installed a new symlink in `/lib/systemd/system`. Both `/lib` and
`/usr/lib` are separate directories in the temporary installation
directory, but in root filesystem, both are symlinks pointing to the
same directory. Which means that we ended up with two different
symlinks in temporary installation directory, and the new portage
version could not decide which one to use during the merge into the
root filesystem. I'm not sure what old portage version did here,
likely worked by chance too.
The security patch that was brought in has stricter permission checks
which cause the service to fail:
ERROR: TCSD config file (/etc/tcsd.conf) must be user/group root/tss
Set the expected file ownership and permissions.
https://github.com/kinvolk/Flatcar/issues/335
Now that `dev-libs/nss` is removed from the dependencies list of
hard-host-depends, SDK does not include `dev-libs/nspr` any more.
As a result, `dev-lang/spidermonkey` fails to build, because it requires
`dev-libs/nspr` in the SDK. It is not sufficient to have nspr under
`/build/amd64-usr`.
Add `dev-libs/nspr` back to the dependencies of `hard-host-depends`,
to make it included in the SDK.
This change adds a new flatcar-eks package, that ships with all scripts
needed to join a Flatcar instance to an EKS cluster.
It includes the bootstrap.sh script used on Amazon Linux, to keep
compatibility with existing provisioning tools.
The package is included from the oem-ec2-compat package, when the board
is aws_pro, and it's part of board-packages, so that it's built by the
os/board/packages job.
It used to be a dependency of upstart and ureadahead, both dropped
a long, long time ago. Also drop nih-dbus-tool, which was built from
upstart too.
Found this out when updated profiles in portage-stable masked the
library.
Replace the use of deprecated git eclass with git-r3 and bump the
commit version to latest version. This version dropped a dependency on
jq.
It is a breaking change for users of mkova.sh, since it has changed
the order of parameters to allow passing multiple vmdk files to it.
When building `net-libs/nghttp2` needed by curl 7.74, the build fails
when checking for prerequisites of boost libs.
```
configure:20402: checking whether the Boost::ASIO library is available
configure:20433: x86_64-cros-linux-gnu-g++ -std=c++14 -c -O2 -pipe
-mtune=generic -g conftest.cpp >&5
configure:20433: $? = 0
configure:20447: result: yes
configure:20540: error: Could not find a version of the library!
```
To avoid such issues, we should disable the `cxx` USE flag for
`net-libs/nghttp2`.
It's really a hindrance during bootstrap, and we would be looking into
ways of making an exception for openssl anyway. Using
package.accept_restrict file does not do the trick, apparently because
of catalyst using its own portage config.
It seems that there is no "kernel" mirror specified in third party
mirrors files in profiles any more. And gentoo seems to have switched
to direct kernel.org URLs anyway, probably because kernel.org is using
also some mirroring system, so we don't have to. Also, this syslinux
version is quite old, so if its tarball ever was on distfiles mirror,
it's gone by now.
The target methods have undergone significant refactoring. The return
value is no longer a TargetResult, it's just a Target. And also the
vendor is now part of the options.
When Docker/containerd binaries are compiled with Go 1.15 the
containers generate many signal 23 (SIGURG) events which flood
monitoring systems:
https://github.com/kubernetes/kops/issues/10388
The SIGURG signal does not kill the process but is generated by Go
runtime scheduling:
https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
Because the Go runtime does not know if the process expects external
SIGURG signals, the signal is not filtered out but reported to the
process: https://github.com/golang/go/issues/37942
The process has to filter this signal out itself before forwarding it
to, e.g., child processes or logs.
This change was introduced with the Go 1.15 update (actually Go 1.14,
but Flatcar skipped that for Stable). While containerd has
some workarounds in place, e.g., in
https://github.com/containerd/containerd/pull/4532, there are still
areas where the signal is not handled correctly.
Until this is the case, downgrade to use the Go 1.13 compiler for
Docker/containerd binaries.
See https://github.com/kinvolk/Flatcar/issues/315
So far all sed expressions have used correct regular expressions around
semantic versions, around `.`. As a result, they matched strings even
without correct dots in place.
We need to escape the dot correctly.
Since Kernel 5.10, Github Actions simply stopped working.
What happens is that `KV_MAIN` gets passed as environmental variable to
the inline script, but not as string but float, because it contains `.`.
Apparently the last digit of the misinterpreted float number is
afterwards simply dropped by YAML parsing library used by GA.
As a result, `KV_MAIN` becomes `5.1` instead of `5.10`, `versionMain`
becomes simply `5.10`, not `5.10.6`. Then in the next steps,
both `VERSION_NEW` and `VERSION_OLD` become `5.10`, and the script
thinks it is already the latest version, so simply does not create a new
pull request.
It was not an issue when Kernel version is <= 5.9, because no digit
got dropped from the variable. Now the hidden issue was uncovered.
Simply set `KV_MAIN` or others explicitly as strings, by adding quotes,
to avoid such issues.
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update their configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switched to the default location.
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.
Fixes https://github.com/kinvolk/Flatcar/issues/311
The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enforced there:
https://github.com/kinvolk/baselayout/pull/13
The [repo v2.10](https://groups.google.com/g/repo-discuss/c/rpSfMCl83Sk)
was released dropping python2 support. As a result, every `repo init`
failed to run. To unblock CI builds, we released mantle
[v0.15.2](https://github.com/kinvolk/mantle/releases/tag/v0.15.2),
including a workaround to set the target branch to
[`maint`](https://gerrit.googlesource.com/git-repo/+/refs/heads/maint),
which still supports python2. Now with cork v0.15.2, `cork create` or
`cork update` will work well for now.
However, the current state is quite fragile. It will get broken again
when the upstream `maint` branch changes. We should update
`dev-vcs/repo` in coreos-overlay to 2.x with python3, and get it
included in Flatcar SDK, so we could later set the target branch in
mantle back to `stable`.
At the moment, none of the source repos has the tarball for repo 2.10,
neither GCS nor Gentoo distfiles. So for now we update it to 2.8.
It will be linked to python 3.6 in Flatcar SDK.
Also note that we do not have to keep `files/repo-1.25` script in the
coreos-overlay repo, because the script is simply identical to the
upstream `repo` script. I am not sure why the third-party script was
there in the first place. So simply remove the script.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging. This package does not depend on virtual/pam outright, but
let's avoid having an out-of-date comment.
The version now matches what is in Gentoo, despite being almost, but
not quite, entirely unlike upstream recipe. The rename is needed,
because some packages may depend on a newer pambase after they are
updated.
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
Qemu has enabled `jpeg` USE flag since the beginning, without any
reason specified. As a result, qemu pulls in unnecessary packages,
`virtual/jpeg` as well as `media-libs/libjpeg-turbo`. However,
Flatcar runs qemu always with `-display none` option. So the `jpeg`
flag is not needed at all.
Simply remove `jpeg` USE flag from qemu.
Before applying Flatcar patches to bsdiff, sync with upstream Gentoo,
so the ebuilds could make use of EAPI=7.
Also drop third-party patches, to be able to start from scratch.
Doing that we can fix [CVE-2014-9862](https://nvd.nist.gov/vuln/detail/CVE-2014-9862),
integer signedness error in bspatch.c. With the vulnerability, remote
attackers could execute arbitrary code or cause a denial of service
(heap-based buffer overflow) via a crafted patch file.
Since Gentoo already has the third-party patch, we can simply make
use of it.
See also https://bugs.gentoo.org/701848 ,
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4d7646f1d69 .
A symlink `vimdiff` should not be created, if the USE flag `minimal` is
enabled. Otherwise running `vimdiff` results in failure like that:
```
$ vimdiff aaa bbb
This Vim was not compiled with the diff feature.
```
Github Actions for Rust started failing with following errors:
```
Error: Unable to process command '::set-env name=PULL_REQUEST_NUMBER::718' successfully.
Error: The `set-env` command is disabled. Please upgrade to using
Environment Files or opt into unsecure command execution by setting the
`ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For
more information see:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```
It happens because we have used peter-evans/create-pull-request@v2,
which did not have a bug fix for the set-env issue.
The bug was fixed in create-pull-request
[v3.4.1](https://github.com/peter-evans/create-pull-request/releases/tag/v3.4.1).
So we just need to update the version to `v3`, which already includes
v3.4.1.
# Enables Raspberry Pi 4 PHY
The following 1 line change enables the kernel module to be built, enabling the Raspberry Pi 4 PHY and thus the on-board NIC.
# How to use
Build it and boot it :)
# Testing done
Validated the config change against known working 5.8.y kernels on the Pi4.
The kola tests fail to download during the release because the
artifacts of the release have not been pushed to the website yet.
This adds the logic to check if the URL is 200, then only download
or else fallback to the GCS bucket url.
This commit also changes a bug with the check to see if nvidia
is installed or required.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This commit adds amba-4.11-fix-glibc-2.32-function-collisions.patch
which fixes compile breakage in a test shipped with Samba-4.11.
The test defines functions which are now shipped with glibc-2.32.
Backport the glibc recipe to EAPI6 to work around BDEPEND emerge
issue, add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Also, force the "crypt" use flag for all builds so libcrypt is built.
(Upstream gentoo does the same)
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This PR includes the necessary changes to upgrade the SDK compiler to gcc-9.3.0.
It also changes the gdb-9.2 recipe to work with the Flatcar SDK.
The changes include:
- sys-devel/gdb/gdb-9.2.ebuild: use EAPI6 to work around BDEPEND emerge bug
- update sys-libs/nss-usrfiles to nss-usrfiles-2.30.ebuild to support glibc > 2.29
- update sys-kernel/README.md to call out need for updating kernel-headers, perf
- add sys-libs/glibc/README.md outlining our changes to the glibc recipe
- update profiles/coreos/base/package.accept_keywords to include new toolchain
The change also adds a README to
sys-libs/glibc/README.md
and it improves on a README in
sys-kernel/README -> sys-kernel/README.md
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Enable CONFIG_OVERLAY_FS_METACOPY, metadata only copy up feature
in overlayfs. When turned on, overlayfs will only copy up metadata
when a metadata specific operation like chown/chmod is performed.
Full file will be copied up later when file is opened for WRITE
operation. More or less like delayed data copy up operation.
Enable CONFIG_OVERLAY_FS_REDIRECT_DIR, which is equivalent to
"redirect_dir=on" in the kernel command-line. When turned on, overlayfs
will copy up directory first, before the actual contents.
See also https://github.com/kinvolk/Flatcar/issues/170
To build Kernel with `CONFIG_DEBUG_INFO_BTF`, we need to make `pahole`
in dwarves included in the Flatcar SDK.
To do that, we need to make it accept `~amd64` keywords for dwarves
and binutils.
Also enable USE flag `python_single_target_python3_6` for dwarves.
CONFIG_POWER_SUPPLY enables power supply class used to represent
battery, UPS, AC or DC power supply properties to user-space.
It defines core set of attributes, which should be applicable to
most power supplies out there.
See also https://github.com/kinvolk/Flatcar/issues/215.
CONFIG_BPF_JIT_ALWAYS_ON enables BPF JIT and removes BPF interpreter
to avoid speculative execution of BPF instructions by the interpreter.
See also https://github.com/kinvolk/Flatcar/issues/185.
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
We need to filter not only `-Wl,-O1`, but also other flags like
`-Wl,-O2`, `-Wl,-Og`, `-Wl,-Os`, etc. Otherwise, SDK build would fail,
for example, as its default `$LDFLAGS` includes `-Wl,-O2`.
We need to manually strip only the optimization element of
comma-separated flags, e.g. from `-Wl,-O1,-s` to `-Wl,-s`.
To support multiple characters that can follow `-O`, e.g. `-Ofast`,
we should use regexp like `[[:alnum:]]*`.
The repo `github.com/flatcar-linux/mantle` has been moved to
`github.com/kinvolk/mantle`. However, Github Actions still fetch cork
binaries from the original URL, by running `curl` without `-L`. So the
request does not get redirected to the new URL. As a result,
`CORK_VERSION` becomes null.
Fix it by replacing `flatcar-linux` with `kinvolk`, as well as adding
`-L` to the curl command, just in case.
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See https://github.com/golang/go/issues/42559.
However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:
```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```
We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
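The two commits above both need the same thing: drop only the `-O<level>` element from each comma-separated `-Wl,...` group in `$LDFLAGS` while keeping the rest of the group. This is an added example, not the ebuild's own filtering code; `strip_wl_opt` is a hypothetical helper name, and it handles `-O1`, `-O2`, `-Os`, `-Ofast` and mixed groups like `-Wl,-O1,-s`.

```shell
#!/bin/sh
# Added example (not from coreos-overlay): remove the linker optimisation
# element from every -Wl group in an LDFLAGS string, so that Go >= 1.15.5
# (which rejects -Wl,-O* after CVE-2020-28366) accepts the remaining flags.
# Plain compiler flags such as -O2 (no -Wl, prefix) are left untouched.

strip_wl_opt() {
    # $1: the LDFLAGS string. Prints the filtered string on stdout.
    set -f                       # no glob expansion while word-splitting
    out=""
    for tok in $1; do
        case "$tok" in
        -Wl,*)
            kept=""
            old_ifs=$IFS
            IFS=,
            for elem in $tok; do
                case "$elem" in
                -Wl) ;;                         # group prefix, re-added below
                -O | -O[[:alnum:]]*) ;;         # drop -O, -O1, -Os, -Ofast, ...
                *) kept="${kept:+$kept,}$elem" ;;
                esac
            done
            IFS=$old_ifs
            # keep the group only if something besides the prefix survived,
            # e.g. "-Wl,-O1,-s" becomes "-Wl,-s" and "-Wl,-O1" disappears
            [ -n "$kept" ] && out="${out:+$out }-Wl,$kept"
            ;;
        *)
            out="${out:+$out }$tok"
            ;;
        esac
    done
    set +f
    printf '%s\n' "$out"
}

# Constructed inputs mirroring the values from the commit messages above.
strip_wl_opt "-Wl,-O1 -Wl,--as-needed"          # -> -Wl,--as-needed
strip_wl_opt "-Wl,-O1,-s"                        # -> -Wl,-s
strip_wl_opt "-Wl,--as-needed,-Ofast,-s -O2"     # -> -Wl,--as-needed,-s -O2
```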
Although `dev-libs/cyrus-sasl` pulls in `net-mail/mailbase`, the
mailbase package is not needed at all.
Simply mark it as provided, to make it build without mailbase.
Also enable python_single_target_python3_6 for tdb, talloc, tevent.
Remove unnecessary arm64 keywords.
Clean up unnecessary USE flags.
At the moment bind-tools does not enable `gssapi`, so its `nsupdate`
tool is also not able to run `realm` command. As a result, configure
script of `sssd` fails when running `echo realm | nsupdate`, like
`syntax error`.
To avoid such issues, we need to disable the nsupdate check for now.
After we could enable `gssapi` for the SDK correctly, we can bring back
the nsupdate check in the future.
Now that the upstream sssd 2.3.1 does not support `--runstatedir` option
from its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`.
Instead we need to pass `runstatedir=` to emake commands.
In the past we
[enabled](https://github.com/flatcar-linux/coreos-overlay/commit/172d9311bacd)
the USE flag `gssapi` only for amd64, not for arm64. We did so to
avoid build issues that only happened for arm64.
However, that change caused interesting side effects in the SDK, where
bind-tools ended up being compiled without `gssapi`. It means, tools
like `nsupdate` in the SDK are not able to deal with certain commands
like `realm`. As a result, configure scripts in packages like
`sys-auth/sssd` fail, because they cannot run commands like
"echo realm | nsupdate".
We should bring the `gssapi` USE flag back to the SDK, to avoid such
issues in the future.
The `BDEPEND` is a build-time requirement, so it should not be included
in the whole `DEPEND` list. If it does, an installation of
`sys-auth/sssd` causes other dependencies to be installed not only in
the `/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.
Update sys-auth/sssd, by syncing with upstream Gentoo.
Mainly needed by net-fs/samba 4.11.
Also resolves CVE-2018-16883, CVE-2019-3811, CVE-2018-16838.
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
Original-by: David Michael <dm0@redhat.com>
https://github.com/flatcar-linux/coreos-overlay/commit/8445f8b4386a
The key server currently doesn't work. Since the key is not used
currently but the key we have hosted on our web server, we can remove
this failing step to restore GitHub Actions.
Apply Flatcar-specific changes, like below:
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
Original-by: David Michael <dm0@redhat.com>
6fd490ebfefd ("sys-apps/shadow: Apply CoreOS changes")
Enable Kernel config for PSI (Pressure Stall Information), which might
help system administrators to detect bottlenecks in cpu, memory and io
in an easy way.
```
$ zgrep -i _psi /proc/config.gz
CONFIG_PSI=y
$ ls -l /proc/pressure/
-r--r--r--. 1 root root 0 Oct 7 11:56 cpu
-r--r--r--. 1 root root 0 Oct 7 11:56 io
-r--r--r--. 1 root root 0 Oct 7 11:56 memory
$ cat /proc/pressure/cpu
some avg10=0.13 avg60=0.68 avg300=0.28 total=1195993
$ cat /proc/pressure/io
some avg10=0.00 avg60=1.11 avg300=0.68 total=2828208
full avg10=0.00 avg60=0.91 avg300=0.56 total=2334731
$ cat /proc/pressure/memory
some avg10=0.00 avg60=0.00 avg300=0.00 total=0
full avg10=0.00 avg60=0.00 avg300=0.00 total=0
```
See also https://www.kernel.org/doc/html/latest/accounting/psi.html ,
https://facebookmicrosites.github.io/psi/docs/overview
Fixes https://github.com/flatcar-linux/Flatcar/issues/162
Use host tool when building cross.
Bump revision to -r1.
Adjust the patch on top of dbus-glib 0.110.
Original-by: Geoff Levand <geoff@infradead.org>
6d7756b77b10 ("dev-libs/dbus-glib: Fix cross compile build error")
We have these patches in v245 too. I have missed them when doing the
update to v246, because apparently I have assumed that our flatcar
branches are more or less some upstream branch/tag + our patches on
top. That assumption was wrong and it surfaced when I rebased the
v245-flatcar branch to the v245.8 tag.
Our current cros-workon setup was awkward to use when a new patch
release happened on upstream. In this case we would go to our
`v<VERSION>-flatcar` branch and merge/cherry-pick the commits from
upstream that appeared between the release we have been using so far
and the new release. In such case, our non-upstreamed patches were
hidden somewhere in history. To fix that, I proposed having a branch
for each patch release, so the branch would always be based on an
upstream tag and have our patches on top of that. An alternative
proposition was to just use the Gentoo workflow for patches, and this
is what we are doing here.
This also slightly minimizes the difference between the Gentoo recipe
and ours.
To be able to update `dev-util/gdbus-codegen` to 2.64.5, we need to
specify a single target python3.6 for gdbus-codegen.
Without it, it is not possible to emerge gdbus-codegen, because
it thinks there are multiple python single targets for the package.
Now that Go 1.10 has been removed, we can remove `dev-lang/go:1.10`
from the SDK dependencies list.
Instead add `dev-lang/go:1.15` to the SDK dependencies list.
So far Flatcar has kept a third-party patch to add a blank kernel
module `nf-conntrack-ipv4.ko` to avoid regression around Kubernetes.
The issue was that kube-proxy with ipvs started using `nf-conntrack.ko`,
which does not exist in Kernel < 4.19. The patch was originally added by
a24dbb6cb6.
However, Kubernetes 1.13 or newer already deals with the issue. It
automatically loads a different Kernel module according to Kernel
versions: `nf-conntrack-ipv4` for Kernel < 4.19, and `nf-conntrack`
for Kernel >= 4.19.
See 4b90559369 .
We can simply remove the Kernel module, as since then all production
systems have updated Kubernetes to the newer versions than 1.13.
The diffutils package provides the "cmp" and "diff" tools which are
essential commands in shell scripts. They used to be pulled in by
audit but the update in
https://github.com/flatcar-linux/coreos-overlay/pull/537
caused them to be dropped.
Add them to the explicit list of base packages to ensure they are
installed.
Rust stage0 tarballs should not be based on a patchlevel release like
`1.45.1`. It might work in case of the previous version 1.45.1, which
already exists. However, it will not work in case x.y.1 is missing.
So the build of rust 1.47.0 should pull tarballs for rust 1.46.0, instead
of 1.46.1, which does not exist.
Because the --root option restricts systemd-tmpfiles to the passwd
database file in the package chroot it can't resolve the core user
and fails to set up the home folder from the baselayout-home.conf
directives.
Create the folder manually because creating a /etc/passwd file in
the package chroot would at installation overwrite the SDK user.
This reverts commit c414b38c7c56dafb05a86040443c634763527f05.
The real DNS server IP addresses should be in /etc/resolv.conf and not
just 127.0.0.53 because all cases that bind-mount /etc/resolv.conf
into a new network namespace can't reach the loopback interface that
resolved is listening on.
systemd-tmpfiles in systemd v246 requires the user/group databases in
the custom root if it gets passed with --root flag. This requires a
new version of baselayout to be pulled, so do so.
DTC (Device Tree Compiler) source tree in Flatcar Kernel modules
unnecessarily takes too much space, especially the `include-prefixes`
directory.
```
$ sudo du -a /usr/lib64/modules/$(uname -r)/source/ | sort -n -r | head -n5
130100 /usr/lib64/modules/5.8.11-flatcar/source/
69180 /usr/lib64/modules/5.8.11-flatcar/source/include
56324 /usr/lib64/modules/5.8.11-flatcar/source/scripts
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc
50728 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/include-prefixes
$ sudo ls /usr/lib64/modules/$(uname -r)/source/scripts/dtc/include-prefixes/
arc arm arm64 c6x dt-bindings h8300 microblaze mips nios2 openrisc powerpc sh xtensa
```
Most of them are for architectures that are not supported by Flatcar, so
we can remove them from the production image.
OTOH, as `dt-bindings` looks more like an architecture-independent one,
for now we keep it.
Before:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
51384 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
250308 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 934152 21592 98% /usr
```
After:
```
$ du -s /usr/lib64/modules/$(uname -r)/source/scripts/dtc/
6632 /usr/lib64/modules/5.8.11-flatcar/source/scripts/dtc/
$ du -s /usr/lib64/modules/
205144 /usr/lib64/modules/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 907628 48116 95% /usr
```
Compress every kernel module with xz (lzma), to make more free space
in the rootfs.
Before:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
90472 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
After:
```
$ sudo du -s /usr/lib64/modules/$(uname -r)/kernel/
26908 /usr/lib64/modules/5.8.11-flatcar/kernel/
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 845468 110276 89% /usr
```
Add new binaries containerd-runc-shim-v[12] to the torcx tarballs for
docker and containerd. The binaries are necessary for kubelet to
communicate via custom CRI endpoints.
The addition will cause usage of the /usr partition to grow by ~5M.
```
$ ls -l /run/torcx/unpack/docker/bin
-rwxr-xr-x. 1 root root 6742592 Sep 30 13:22 containerd-shim
-rwxr-xr-x. 1 root root 9095176 Sep 30 13:22 containerd-shim-runc-v1
-rwxr-xr-x. 1 root root 9111752 Sep 30 13:22 containerd-shim-runc-v2
$ ls -l /usr/share/torcx/store/docker\:19.03.torcx.tgz
-rw-r--r--. 1 root root 89809888 Sep 30 14:16 /usr/share/torcx/store/docker:19.03.torcx.tgz
$ df /usr
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/usr 1007760 916024 39720 96% /usr
```
Note, we do not touch other torcx profiles like docker 1.12 or 17.03,
to keep the image size as small as possible.
The use flag enables building audisp, auditd, aureport, ausearch and
probably some other tools. Not sure what's the reason for adding such
a use flag other than disabling the build of the binaries. The daemon
use flag is nowhere set, so these things are not built by default.
The ebuild is in the portage-stable repository but we need this patch in
coreos-overlay to avoid this error:
> The following keyword changes are necessary to proceed:
> (see "package.accept_keywords" in the portage(5) man page for more details)
> # required by sys-apps/systemd-245-r3::coreos[seccomp]
> # required by app-misc/ca-certificates-3.27.1-r1::coreos
> # required by dev-libs/openssl-1.1.1g::coreos
> # required by net-misc/rsync-3.2.3::portage-stable[-libressl,ssl,-static]
> # required by sys-apps/portage-2.3.40-r1::coreos[-build]
> # required by app-admin/perl-cleaner-2.27::portage-stable
> # required by dev-lang/perl-5.26.2::portage-stable
> # required by sys-apps/help2man-1.45.1::portage-stable
> # required by sys-devel/automake-1.16.1-r1::portage-stable
> # required by dev-libs/libxml2-2.9.8::portage-stable
> # required by x11-misc/shared-mime-info-1.4::portage-stable
> # required by dev-libs/gobject-introspection-1.40.0-r1::portage-stable
> # required by sys-auth/polkit-0.113-r5::coreos[introspection]
> =sys-libs/libseccomp-2.5.0 ~amd64
The savedconfig feature reads and, if not set, generates a file under
/etc/portage/savedconfig/ to source a build configuration. We probably
don't want this and especially not on the final image, therefore,
disable reading and also don't write the file to the final image.
These normally would be pulled by systemctl enable when enabling
systemd-networkd.service, because they are used in Also= options. In
such case, we need to pull them ourselves, so they can be enabled in
/usr, not in /etc.
We are installing systemd from scratch in the image, so there are no
previously enabled units to enable or reenable after
installation. Also, this code would enable the services in /etc, which
we don't want, because /etc is not autoupdated, so the enabled
services could end up still being disabled after the update.
At installation time, we usually want to enable services through
/lib. This change will stop making the installation to put symlinks
for getty in /etc, since we already do it in /lib.
Since v242, this unit is not enabled by default. Currently the
recommended way of initial enablement of the important units is
through `systemctl preset-all` with the preset file from systemd. We
don't want to do it, because this action creates symlinks in /etc, so
we enable those services ourselves by putting the symlinks in /lib.
Since sqlite 3.32 or newer requires dev-lang/tcl to be available in
the Flatcar SDK by default, we should add dev-lang/tcl in the dependency
list of SDK.
Update srctree path to correctly populate the Makefile for sandbox
environments. The patch is adjusted for 5.x kernels.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The build for arm64 currently fails because it tries to build the
oslogin package but the package is marked as amd64-only.
Exclude the oslogin package from arm64 images.
Since sqlite 3.32.0, Gentoo ebuild does not deal with non-full archive,
but fetches only full archive. On top of that, the upstream sqlite's
full archive requires `tclsh` to be installed on the host system. Since
Flatcar SDK does not include `dev-lang/tcl`, it is not possible to build
sqlite from the full-archive. It means that we need to either make the
Flatcar SDK include `dev-lang/tcl`, (which takes time) or bring back the
non-full archive mechanism just like ebuilds from sqlite 3.31.x.
So adapt the full-archive patches on top of the non-full archive.
Make the ebuild fetch the non-full archive.
GCE recommends images to ship Python in them. Instead of shipping the
binaries inside our vendor partition, install an alias that will
download the latest official container, for both python2 and python3.
We were setting `CONFIG_VGACON_SOFT_SCROLLBACK=y`, but this config
option was deleted with 20782abbbdfe922496a28f9cc0c3c0030f7dfb8f, due to
security issues.
Remove the config to let the kernel image build again.
This change updates to the latest oslogin version provided by Google.
Since our last update, this was split into a different repo and the
directory structure changed significantly.
It also added group support, which needed to be added to the
nsswitch.conf file that we ship.
Flatcar users require docker group permissions, so ensure oslogin gives
that permission by shipping a separate group.conf file that gets
installed when oslogin is enabled.
The qemu update caused several errors:
* We currently don't have Python 3.8 available in the SDK, so adding it in
the PYTHON_COMPAT field causes a build failure.
* The manifest needed to be updated
* A patch file was missing
This commit fixes these errors and makes the package build.
Since rsync 3.2.0, the ebuild sets `--enable-simd` option in case of
amd64. However, the cross toolchain in Flatcar SDK is not able to deal
with the SIMD feature, so configure in rsync fails like:
```
gcc version 8.3.0 (Gentoo Hardened 8.3.0-r1 p1.1)
configure.sh:3774: $? = 0
configure.sh:3763: x86_64-cros-linux-gnu-g++ -V >&5
x86_64-cros-linux-gnu-g++: error: unrecognized command line option '-V'
x86_64-cros-linux-gnu-g++: fatal error: no input files
compilation terminated.
```
Until we could resolve the toolchain issue, we should disable
`cpu_flags_x86_sse2`, to disable simd for rsync.
Improve body text of each PR for `dev-lang/rust`, by mentioning that
it should be merged together with its paired PR in portage-stable.
Explicitly name `dev-lang/rust` instead of `Rust`, because now there are
`dev-lang/rust` as well as `virtual/rust`.
Rename the dispatched event-type name to `rust-pull-request-main`, as
`cargo` has already disappeared.
Make the repository-dispatch action send additional client-payload with
a field `coreos-overlay-pull-request-number`, which will be later used
by the corresponding PR in portage-stable for adding a link back to the
PR in coreos-overlay.
This will not be enabled by default, and still requires the "lockdown"
kernel parameter. Users can test by setting in
`/usr/share/oem/grub.cfg`:
```
set linux_append="lockdown=integrity"
```
After this is set, dmesg output you'll see:
```
[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
```
Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
Github Action for Go has had a bug when parsing the current Go version
from `dev-lang/go/Manifest`, only when the current ebuild file has only
major + minor versions, without patchlevel. For example, it could parse
well `1.13.15`, but not `1.15`. We need to make it deal with both
versions, `x.y.z` and `x.y`.
With this PR, for example, when `VERSION_SHORT` is `1.15` and the
Manifest includes a tarball `go1.15.src.tar.gz`, we can confirm the new
regexp works well like below:
```
$ sed -n "s/^DIST go\(1\.15\.*[0-9]*\)\.src.*/\1/p" dev-lang/go/Manifest
1.15
```
The dependency was added in commit
dddb318b9f989acba9ccca9babc4715a9075eae8. Earlier the regulator code
was only built for arm64, but since the CONFIG_AT803X_PHY variable is
specified in common config, the CONFIG_REGULATOR variables needed to
be moved to common config too.
The script sorts the lines in the config files and prints a messages
when some variable is being overridden (means that it is specified
twice in the config).
The script can be also used to check for such situations with full
configs like:
```
cat commonconfig-* amd64_defconfig-* >amd64fullconfig
./sort_config.sh amd64fullconfig
rm amd64fullconfig
```
Most of the duplicates happened to be within amd64 config. But some of
the duplicates were across the files (defined in both common and
amd64). Almost all of them were exact duplicates, so those could be
just dropped, favoring the config lines in common config to remain.
The CONFIG_CONNECTOR was different in common config (module) and in
amd64 config (builtin), so the config line was moved to arm64
config. Now amd64 has CONFIG_CONNECTOR as builtin and arm64 as a
module.
A memory corruption vulnerability in AF_PACKET causes the kernel to
panic or enter undefined behavior, tracked as CVE-2020-14386.
While the proposed patch is not included in an upstream release,
include it as downstream patch.
Further information and PoC:
https://www.openwall.com/lists/oss-security/2020/09/03/3
Now that Go [1.15](https://go.googlesource.com/go/+/refs/tags/go1.15) has
been released, we should update the default Go version to 1.15.
Since the [EINTR issue](https://github.com/golang/go/issues/38033) was
fixed in 1.15, we can simply move from 1.13 to 1.15.
On the other hand, we should not add 1.14, as the
[EINTR bug fix](https://go-review.googlesource.com/c/go/+/232862/) was
not backported to 1.14.
With this kernel config, users can boot with fips=1 set in
`/usr/share/oem/grub.cfg`:
```
set linux_append="fips=1"
```
Which triggers various behaviors, for FIPS 200 certification.
With this config compiled in, and that boot parameter, users can check
that fips is enabled with:
```
flatcar ~ # cat /proc/sys/crypto/fips_enabled
1
```
Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
The best practice established in this repository is to reset the
package folder and import a new version from upstream without
modifications. In a separate commit the downstream changes are applied.
This makes it clear which downstream changes need to be ported when
updating to a newer version in the future. Unfortunately this is not
always done which causes confusion and more work. As first step
document the process before we later look into more automation.
This commit adds a dependency on acct-group/render to systemd.
The respective group is provided by portage-stable
(https://github.com/flatcar-linux/portage-stable
commit ID db2ed1e74a89944b1500dba1471072e8da3dddc9).
Furthermore, the baselayout commit ID is bumped to include a
change from https://github.com/flatcar-linux/baselayout - to
1d32bea2c0e4335d4a8f7e0ccd6a7b41da15e4a7 - which includes
this group in the baselayout used by initramfs.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
The `OPTIONS+="event_timeout=180"` rule is not supported by systemd,
and with the recent update, systemd complains quite visibly in journalctl
about it. This is already fixed in lvm2 upstream, so this patch will
not be necessary when we do the update.
The outdated portage-stable mask file can't be updated until we update
glibc or unmask it. Instead of dealing with glibc masking, just address
the situation of this openssl version being masked in the outdated file.
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
The amazon-ssm-agent package was never built and caused the vm-matrix
job to find no binary package.
Build it as part of build_packages but don't install it on openstack
or brightbox images. The plan is to add it for EC2 but currently the
binaries are too large.
The folder /var/log/journal/remote used to be part of the initial rootfs
through a keepdir directive in the build. However, any paths except
/usr are ephemeral and can be deleted at any time and should be recreated
with tmpfile directives. When upstream Gentoo removed the line
"keepdir /var/log/journal/remote" our tests started to fail but in fact
they could have failed earlier if they had tested with Ignition creating
a new root filesystem which lacks the /var/log/journal/remote folder.
Add a directive to create /var/log/journal/remote at runtime in any case.
Increase the revision and apply a new lvm2-2.02.145-oneshot.patch:
The lvm2-activation(-early).service was triggered multiple times which
if done too quickly leads to a failure like this:
systemd[1]: Finished Activation of LVM2 logical volumes.
systemd[1]: lvm2-activation-early.service: Start request repeated too quickly.
systemd[1]: lvm2-activation-early.service: Failed with result 'start-limit-hit'.
Set RemainAfterExit=yes as done for the other oneshot services to
prevent the unit from running multiple times in a row and hitting the
restart limit.
The patch was sent to upstream lvm-devel@redhat.com
The flatcar-tmpfiles and clean-ca-certificates services were run
many times and finally failed to run because they were spawned too
often during the allowed time period.
Mark them as active after they ran once. Also ensure that when they
run all mounts are ready.
Pulls in https://github.com/flatcar-linux/baselayout/pull/4
The baselayout ebuild file calls systemd-tmpfiles but despite that
the systemd ebuild file depends on libidn2 through a use flag, it was
not built early enough.
Ensure that libidn2 is built before baselayout wants to use it.
The metadata/md5-cache folder is machine-generated based on the
other files in the repository. It causes merge conflicts when at
one time they were not regenerated in a commit and then later a
commit does it and includes cache changes which are incompatible
with later or newer states.
Remove the folder as it is not necessary to have it and was removed
in upstream Gentoo, too.
The new main branch is the only branch that should get new software
updates with the exception of the maintenance branches that get kernel
updates.
Only target the main branch with GitHub Actions until we add discovery
for all active channel maintenance branches.
So far Github actions have not changed the existing `COMMIT_ID` variable in
runc ebuilds. As a result, the resulting PRs have correct versions with wrong
commit hashes.
We need to replace `COMMIT_ID` with one that matches with the new version.
To do that, clone the repo completely, since it is not possible to get
the commit hash by running `git rev-parse` on a shallow cloned repo.
Parse the commit from a tag with an original version with `-` as its
delimiter, e.g. `v1.0.0-rc91`, because a transformed
tag like `v1.0.0_rc91` does not exist in the upstream repo.
We need to update rust versions also in multiple files in profiles,
e.g. `package.accept_keywords`. Otherwise `emerge rust` will fail,
due to mismatches between rust versions, in profiles and the actual
ebuilds.
docker-runc ebuild has lines of runc versions with not only underscore
(`_`) but also hyphen (`-`). So when we replace the runc version, we
need to also care about versions with hyphen, for example, `1.0.0-rc10`.
The `exit` command will simply fail the whole script, so it would not be
possible to check for status of `checkout_branches`. Instead, we need to
use `return` for the error checks.
In case the target branch already exists, `checkout_branch()` needs to
simply `exit 0`, so the subsequent steps could be skipped.
In that case, it has to set `UPDATE_NEEDED` to 0, so the Github action
can avoid creating another PR.
It resolves occasional issues that happen when subsequent PRs overwrite
existing open PRs made on the very same version. It would be no problem
if there was no change in the PR. However, if there was any manual
change in the previous open PR, the change will be simply overwritten.
That would be very unfortunate.
When checking out into a branch name, append `-${CHANNEL}` to the name,
so the branch can be distinguished from each other. To do that, make
every Github actions yaml file pass in its corresponding `CHANNEL`
variable.
We do not need to specify each version from each workflow yaml file.
Make `*-apply.patch` scripts instead generate `$VERSION_SHORT` from the
input version value.
We do not need to specify a cork version from each Github action.
Simply detect the latest version in `setup-flatcar-sdk.sh`, before
downloading cork binary file from Github.
Also remove the env variable for cork version from each Github action.
To get containerd in sync with upstream, we need to schedule weekly
Github actions. It runs on Friday every week, only for Alpha and Edge.
Similar to those for Docker, we need to deal with torcx ebuilds as well,
as they contain containerd versions.
We do not need to run once in a day to check for updates from
ordinary packages. Most releases happen once in more than a week.
So schedule the Github actions only once in a week for most packages.
Go on Mon, Rust on Tue, Docker on Wed, Runc on Thu.
Note, we still need to check for Kernel once in a day, as Kernel
releases happen quite often.
`kernel-apply-patch.sh` cannot detect the existing kernel version,
if the version does not have a patchlevel, e.g. `5.6`. So the old
kernel version variable becomes an empty string, and the final pull
request has an empty field after the `from` string.
If the Manifest does not have a `patch-` line, try to read a `linux-`
line again, to detect the correct kernel version.
Schedule daily Github actions for creating PRs for upstream Rust releases.
The Github workflow will create pull request for `dev-lang/rust` in
`coreos-overlay`. At the same time, it will send a repository dispatch
event to `flatcar-linux/portage-stable`, to update also `virtual/rust`.
We need to send different event types to distinguish alpha from edge.
When setting up a Flatcar SDK from scratch, we need to also set up
correct configs in `/etc/portage/make.conf`. For example we need to
set `PORTDIR=/mnt/host/source/src/third_party/portage-stable` instead
of the default Gentoo configs like `PORTDIR=/var/gentoo/repos/gentoo`.
Otherwise `update_metadata` will fail in some cases, because portage
cannot find the correct location of portage-stable.
Before starting to apply patches inside `coreos-overlay`, we need to
check out base branches, also for `scripts` and `portage-stable`.
Otherwise, in case of Beta, Alpha, or Edge, `ebuild` commands could
fail due to mismatch of ebuild files across multiple repos like
`coreos-overlay` and `portage-stable`.
Schedule daily Github actions for upstream runc releases, just like
Docker.
In this case, we also need to update multiple repos like
`app-emulation/docker`, `app-emulation/containerd`, `app-torcx/docker`, etc.
Schedule daily Github actions to get upstream Docker releases,
for Alpha and Edge.
We need to change more files, as Docker version is used by torcx
as well as docker-runc.
We need to set up coreos profiles under `/etc/portage/repos.conf`, to be
able to run any package-related actions like `emerge` or `egencache`.
Also change permissions for directories, so portage actions could write
files.
To reduce running time of git clone, we should avoid a full git clone
of the linux kernel repo. Instead, we shallow clone the repo, and
parse tags list by running `git ls-remote`.
If the current Flatcar release is already the latest Kernel, we should
simply exit with 0, without giving a failure status 1. The `exit 1`
would otherwise result in a failure of the entire Github actions.
This commit adds 2 different Github actions that run once in a day,
one for Alpha, Kernel 4.19, and the other for Edge, Kernel 5.5.
Because of limitations of Github Actions, i.e. create-pull-request
actions, we cannot combine the two actions into one.
Also we need to create a patch and apply it to the top source directory,
since the create-pull-request action requires the changes in the top
directory.
Although we are not updating flatcar-master branch, (only Alpha and
Edge) the Github actions files need to be merged to flatcar-master,
because Github actions can only schedule cron jobs from the default
branch, flatcar-master.
The caching git web view which was used as source location is not
reliable because the cache can be corrupt, the gzip compression of the
snapshot can change, and the cache is produced by the web server which
is not there to give high security guarantees. We experienced cache
corruption.
Switch to the recommended mirror under
https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/
which also hosts signatures and does not have the downsides mentioned
above. This is a downstream change until upstream Gentoo changes the
location.
Update rust ebuild 1.44.1 to get it synced with upstream Gentoo.
Now that rust was updated to 1.44.1, we need to update patch files
and ebuilds, so that it can build without build failures.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid.
See also https://dev.gnupg.org/T4393.
Enable the kernel config option CONFIG_IKHEADERS
(see 435faf5c21/init/Kconfig, L610-L617),
to make the kernel export kernel headers via `/sys/kernel/kheaders.tar.xz`.
Then bpf-related tools can be used without additional kernel headers in
userspace.
This reverts commit 517e23ebfe96137f1482ae42f8b29fc2f1b31317.
The new USE flag `ssl` for wget resulted in a strange issue.
`wget` started to pull in `dev-libs/openssl`, which has `bindist` in its
USE flag. The catalyst stages, however, need to install wget without
`bindist`. Such mismatches resulted in errors like:
```
!!! All ebuilds that could satisfy "dev-libs/openssl:0=" for /tmp/stage1root/ have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/openssl-1.0.2u::coreos (masked by: bindist in RESTRICT)
```
So to fix the issue, what needs to be done is basically:
```
ACCEPT_RESTRICT=bindist USE=-bindist emerge -pv openssl openssh
```
Unfortunately it is not possible to set `accept_restrict` configs
under the coreos-overlay repo. We need to have some time to investigate
why it is so.
As a hotfix, we need to revert the `ssl` USE flag for wget.
When catalyst tries to fetch a file via https, wget sometimes fails
to do so, with the following messages:
```
https://www.kernel.org/pub/software/scm/git/git-2.24.1.tar.xz: HTTPS
support not compiled in.
!!! Couldn't download 'git-2.24.1.tar.xz'. Aborting.
```
That probably happens because wget in some catalyst stages is compiled
without `ssl` USE flag. If a catalyst stage is lucky enough to rebuild
wget with `ssl` before actually fetching a file, it would work well.
Though if not, it would fail. It is not deterministic, and hard to
reproduce.
So backport the fix from upstream Gentoo,
https://github.com/gentoo/gentoo/commit/d141380b915d, for both amd64
and arm64. By setting `ssl` for wget in `package.use.force`, it is now
not possible to disable `ssl` for wget.
More details: https://bugs.gentoo.org/611072
Drop pkg_pretend since it breaks build_image if cross-compilers are
not installed yet (e.g. in Jenkins jobs).
Drop the libidn2 runtime dependency since it breaks bootstrapping,
and it's dlopen()ed so the resolver can work without it.
Drop the host /dev/pts checks since the SDK doesn't control it.
Apply our gshadow segfault patch, and adapt into glibc 2.30.
Install nscd.conf in /usr and set up tmpfiles to link it in /etc.
Wipe out /etc files (except for an environment file that is still
needed in the SDK).
Originally comes from eb07324f4de3 ("sys-libs/glibc: Apply CoreOS
changes").
When 788f328dc752a75da08d4c6fc27d094ecb4807d5 introduced pulling from
docker by default, "--insecure-options=image" was added for all
docker registries. However, when the user also needs to set "http" as
in "--insecure-options=image,http" it will not be used because the
other argument is added last, disregarding that the option was already
set by the user.
Check if the option was set by the user and only add it if it is not
provided. If the user forgets to add "image" then rkt will simply
fail and tell that this option is needed; thus no complex logic of
appending and detecting only "image" is needed. Do the same for the
"--trust-keys-from-https" option to be consistent in allowing to
overwrite it with "--trust-keys-from-https=false".
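The argument-merging rule described above, as an added example and not the project's own wrapper code: a hypothetical shell helper that appends the defaults `--insecure-options=image` and `--trust-keys-from-https` only when the caller has not already supplied those options, so a user value such as `--insecure-options=image,http` or `--trust-keys-from-https=false` is never overridden.

```shell
#!/bin/sh
# build_rkt_args USER_ARGS... : print the final rkt argument list, one per
# line. The user's arguments are passed through unchanged; a default is
# appended only for an option the user did not set, so the default can never
# override a value the user chose. Hypothetical helper, added example only.
build_rkt_args() {
    have_insecure=0
    have_trust=0
    for arg in "$@"; do
        case "$arg" in
            --insecure-options=*|--insecure-options) have_insecure=1 ;;
            --trust-keys-from-https=*|--trust-keys-from-https) have_trust=1 ;;
        esac
    done
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
    # Only add the defaults when the user did not set the option themselves.
    [ "$have_insecure" -eq 1 ] || printf '%s\n' '--insecure-options=image'
    [ "$have_trust" -eq 1 ] || printf '%s\n' '--trust-keys-from-https'
}

# Constructed demonstration: the user's "image,http" value is kept and the
# "image" default is not appended behind it; the trust default is added.
build_rkt_args --insecure-options=image,http fetch docker://example/app
```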
- Mask sig 0x000406e3, pf_mask 0xc0, revision=0xd6 [Link 1]
- Mask sig 0x000406e3, pf_mask 0xc0, revision=0xda [Bug 722768]
This will basically downgrade microcode for 0x000406e3 back to rev 0x00d6 from 2019-10-03.
Link1: c1d8ba62ab
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
There is no portage-stable/licenses/Apache-2 file because the
correct name for the license is Apache-2.0, and the missing
license file causes the build to fail.
Now that bind-tools are built with gssapi only for AMD, without gssapi
for ARM, we need to get the USE flag requirement relaxed. Profile for
each architecture will instead choose whether to use gssapi.
bind-tools has been disabled for a long time, probably because of
build errors around cross-compilation for ARM. However, bind-tools
binaries should be at least included in ARM images. So enable bind-tools
again for ARM without gssapi included.
To do that, disable gssapi for bind-tools only in the ARM profile, and
enable gssapi only in the AMD profile.
Since Docker >= 19.03.9 started to depend on github.com/pkg/errors
v0.9.1 or newer, it is now necessary to set `go1.13` in
`DOCKER_BUILDTAGS`. Otherwise, it cannot find `Is` function.
See also https://github.com/pkg/errors/blob/v0.9.1/go113.go#L16.
They were needed when Jenkins did not have qemu-static to run compiled
binaries of the target architecture.
Remove the patches as Jenkins is ready now and qemu-static is there to
stay because we need it for SELinux and other things.
The unzip update in the portage-stable branch going along with this PR
suddenly fails to compile because ccache permissions are wrong in one
subfolder.
Disable ccache because it only gives a low hit rate anyway and once a
package is compiled, emerge will reuse the binary package. (A possible
compilation performance regression would be if a kernel patch is tested
and the kernel package needs to be built over and over again without being
able to keep the object files - not sure if this or something similar is
often the case.)
This commit adds the wireguard module patch through the
wireguard-linux-compat repo. This also adds the wireguard-tools, the
userspace tool for wireguard.
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
The user can only log in via SSH if no password was set and can't log in
over the serial console in the web UI. To log in, the user needs to press
reboot and then append flatcar.autologin to the kernel command line parameters
in GRUB each time. The user may also not know that this option even exists.
Set flatcar.autologin by default in the kernel command line parameters for
Azure so that users don't need to set this themselves.
Since strace 5.3 or newer is not enabled for `amd64` and `arm64` by
default, we need to add keywords `~amd64` and `~arm64` for newer
versions of strace.
Update strace to 5.6, to make it compatible with recent Kernels.
It does not include a third-party patch `strace-5.5-static.patch`,
which could cause build failures with pkgconfig <= 2.28.
Now that `cross-{x86_64,aarch64}-cros-linux-gnu/gdb` was updated to 9.1,
it needs exactly one of `python_single_target_python3_6` and
`python_single_target_python3_7`. Since python 3.7 is not available yet,
we need to enable 3.6 and disable 3.7, for the SDK profile.
Without the fix, toolchain builds will fail like that:
```
!!! The ebuild selected to satisfy "cross-aarch64-cros-linux-gnu/gdb"
has unmet requirements.
- cross-aarch64-cros-linux-gnu/gdb-9.1-r1::x-crossdev USE="client nls python server -lzma -multitarget -source-highlight -test -vanilla -xml -xxhash"
PYTHON_SINGLE_TARGET="-python3_6 (-python3_7)" PYTHON_TARGETS="python3_6 (-python3_7)"
The following REQUIRED_USE flag constraints are unsatisfied:
python? ( exactly-one-of ( python_single_target_python3_6 python_single_target_python3_7 ) )
The above constraints are a subset of the following complete expression:
python? ( exactly-one-of ( python_single_target_python3_6 python_single_target_python3_7 )
python_single_target_python3_6? ( python_targets_python3_6)
python_single_target_python3_7? ( python_targets_python3_7 ) ) any-of ( client server )
```
The user can only log in via SSH if no password was set and can't log in
over the VGA console in the web UI. To log in, the user needs to press
reboot and then append flatcar.autologin to the kernel command line parameters
in GRUB each time. The user may also not know that this option even exists.
Set flatcar.autologin by default in the kernel command line parameters for
VMware so that users don't need to set this themselves.
Update gdb to 9.1, and add --without-libmpfr-prefix to configure.
Since we should remove gdb from portage-stable, we need to update gdb
to 9.1 in coreos-overlay.
Change the default Kernel version of Alpha to 5.4, the latest
LTS Kernel tree.
Also update patches and kernel configs, so it could build with the
new Kernel.
We should enable the USE flag `selinux` not only for
`app-emulation/runc`, but also for `app-emulation/docker-runc`.
Otherwise, runc will be built without `BUILDTAGS=selinux`, so
runc is not able to detect selinuxfs of the system.
When setting up flannel interfaces, use MACAddressPolicy=none, so that
the MAC Address used is the initial one set by the kernel and not the
one assigned by systemd.
See coreos/flannel#1155 for more information.
In #279 we tried adding the MACAddressPolicy=none setting to the
existing 50-flannel.network file. But the change should have been in a
.link file, not a .network file.
When setting up flannel interfaces, use MACAddressPolicy=none, so that
the MAC Address used is the initial one set by the kernel and not the
one assigned by systemd.
See https://github.com/coreos/flannel/issues/1155 for more information.
Now that we started independent releases, we do not have to
check out upstream coreos branches.
Just check out the default branch for the repository, and rely
on the revision commits/branches for our release branches.
Enable a USE flag `tracepath` for iputils to get the
`/usr/sbin/tracepath` binary file included in Flatcar images.
Note, the `tracepath` flag is not the same as the existing `traceroute`
flag, which enables only `traceroute6`.