Upstream builds go through github.com/docker/docker repo and that builds
with go1.16 with module support disabled.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
I'm not sure if we ever built it - it's not a dependency of anything
at all. Also one of its dependencies, dev-python/pyxenstore, was
dropped in 2014, so the package is broken for about seven years
now. Looks like that the rackspace oem package is rather pulling
nova-agent through the coreos-base/nova-agent-container package.
The containerd config works in mysterious ways - sometimes it acts hierarchical
with respect to the section headers, other times not. In this case, setting
runc.options resets all the fields of the runc section, including
'runtime_type'. Having an unset runtime_type causes containerd to fail to spawn
containers (but the daemon itself starts succesfully) returning the error:
kubelet[13148]: E0823 11:57:17.030551 13148 remote_runtime.go:116] "RunPodSandbox from runtime service failed" err="rpc error: code = InvalidArgument desc = failed to create containerd container: create container failed validation: container.Runtime.Name must be set: invalid argument"
Explicitly set the runtime_type in all containerd configs, and bump the config
version to 2.
Reported as https://github.com/kinvolk/Flatcar/issues/484
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that we have dev-util/pkgconfig 0.29.2, there is no need to
keep third-party patch for avoiding cross-build issues in
dev-util/strace. Let's simply drop the patch, and move strace to
portage-stable.
Apparently the `coreos-devel/sdk-extras` was originally meant to work
as a meta package to pull in all the optional packages in the SDK at once.
It has been unmaintained since 2~3 years, so an attempt of `emerge
coreos-devel/sdk-extras` will give you a huge list of conflicts to
resolve. It is difficult to resurrect sdk-extras at the moment.
Delete `coreos-devel/sdk-extras` completely. Doing that, we can delete
more than 20 other packages from the source tree.
Now that coreos-devel/sdk-extras are gone, delete unnecessary configs
in profiles, for app-portage/repoman, dev-go/glide, dev-go/godep,
dev-python/awscli, dev-python/botocore, dev-python/s3transfer.
This version has an officially documented support for python3, so it
plays along our plans of removing python2 in favor of python3. When
the switch actually happens, we will need to update the ebuild to
mention the correct path to python modules. The path contains python
version, which is a hindrance. Would be nice to have it hidden behind
some variable.
There is also a version 2.4.0.2, but it's marked as a prerelease on
github, so decided to package 2.3.1.1 instead.
Upstream has switched to go 1.16, but still doesn't use go modules. The ebuilds
needed fixing up after the automated PR was created.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Set PYTHON_COMPAT to python 3.6 and 3.7 to be suitable for the current
code base.
Add a custom patch to replace error with warning when running autoconf
for cross builds, because libkrb5 is not able to detect
cross-compilation.
Based on 64e33c9f826d8fd951fd58ba1ed70debaf65be8d .
The SystemdCgroup=true setting is incompatible with kubelet
cgroupDriver: cgroupfs. So to prevent kube clusters from failing, we
will be freezing a nodes config.toml during an update. For that purpose,
we install a second configuration file that can then be selected using a
systemd drop-in unit.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that Docker has been updated to 20.10, we can use cgroupv2 so have
systemd mount the unified cgroup hierarchy by default. Other ways of
achieving the same would have been to pass 'systemd.unified_cgroup_hierarchy=1'
on the kernel cmdline, but this way the change propagates nicely to all
OEM consumers.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
The upstream docker repository location has changed to docker/docker.
Additionally, the cli component has been split out which which requires
fetching two hashes and updating two ebuilds. We also took the chance to
align the ebuild with gentoo's, which means there are is no more live ebuild
and no symlink.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
We are switching flatcar to cgroupv2 which is support by docker 20.10 and
kubernetes 1.19. This requires setting the systemd cgroup driver in the kubelet
config.
Due to the unified cgroup hierarchy, kubernetes <1.19 will not work so
remove all older versions.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Compared to previous torcx images the docker-cli package is a separate
package, following upstream Docker repo layout changes.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The patches do the following:
* install flatcar specific wrappers and systemd config
* force some USE flags to default on
* allow injecting CFLAGS/LDFLAGS so that torcx can work
* force building with go1.13 (like upstream does) - this won't be
necessary next time because docker master already uses go1.16
This is the version needed by docker 20.10.7. ROADMAP.md doesn't exist so it
has been removed from src_install.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
This is the version used by docker-19.03. We will be updating the live
ebuild to build docker 20.10 dependencies.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
We use coreos-go* eclass so that we can override several environment
variables and build with the same go version as docker upstream. These
changes are modeled after what was previously done in app-emulation/docker,
the cli ebuild has only been split out since v20.10.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Docker upstream split the cli component into a separate repo, so there is
a separate ebuild that builds the docker utility. This is a prerequisite
of the update of docker to 20.10.
This is an import from portage commit 69d01a4273a556b1205a7a575cb3811ab7e2443d.
Signed-off-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
We use a custom build system to remove the cmake dependency and hardcode
relevant configuration.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Now that runc version follows simple semver semantics, we do not have to
care about number of patches up to an rc version. Remove the obsolete
comments.
flannel will write into /run/flannel/... so we need to provide
correct labelling for dir created by docker daemon
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
flannel uses an init container to pull CNI from container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`.
Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created - which avoid to
run `restorecon` on `/etc/cni`.
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
The patches applies does not make sense to be removed, hence it would
be better to move `expat` back to portage-stable
Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit 8d040f93c289.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that the OEM partition is a btrfs partition with compression, we have
enough space to install ssm agent.
This reverts commit b6abb59c544be13e923a3e7240b5c9395c281fca.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The ebuild was missing a call to go_export() which exports GOARCH, and so was
always built for host architecture. While COREOS_GO_VERSION was specified as
go1.12, src_compile() has to use '${EGO}' to make use of it, so we were
building with go1.16 (latest). Upstream builds with 1.12 for this version, so
we will do the same.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Sysroot-wrappers contains binaries installed to /usr/lib64/sysroot-wrappers,
but the profile referenced them through the 'lib -> lib64' symlink. Stop
relying on that symlink, which is not present in arm64 profiles, and is
not part of 17.1 amd64 profiles.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
With the switch from rkt to systemd-nspawn the ability for the service
to set the routing entries for the TCP load balancer got lost,
resulting in an unreachable LB as reported in
https://github.com/kinvolk/Flatcar/issues/459
The fix also reported there is to retain CAP_NET_ADMIN when starting
the service.
Btrfs filesystems do not support a non-standard 64k page size on arm64
when the filesystem was created by a 4k page size system.
Use the default page size for arm64 to ensure compatibility with
btrfs filesystems created by amd64 systems.
With the default gzip compression the 60 MB limit for the vmlinuz
bundle of kernel+initramfs was reached. The limit comes from the size
of the /boot partition which is 128 MB large and the kernel needs to
fit twice, in addition to GRUB.
Use zstd for the initramfs as it provides a similar speed but better
compression. For the kernel we can't switch yet to zstd for arm64
but for amd64 it works.
Due to unnecessary wildcard listings, ebuild files including all rc or
beta are being listed. Since `VERSION_OLD` is already generated as a
unique version, we do not need to list multiple files to filter by
running `head -n1` etc. We just need to use only the specific ebuild.
Simply list only the unique ebuild file.
Before passing runc versions to `sed '/-/!{s/$/_/}'`, we need to replace
`_` with `-`, because runc tarball files already have names like
`1.0.0_rc2`. Without the fix, version sort would `1.0.0` come before
`1.0.0_rc2`, which is not expected in the later steps.
This does not work because the host and cross rust targets share the
same name. This needs to be reworked to (potentially) enable x86 cross
targets for aarch64 targets.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
glib-utils are used during the build so they need to be part of host
dependencies for update_engine. This only really pops up during a repeat
bootstrap, when update_engine is being built from source but glib has
been installed from a binary. BDEPEND would be the correct variable but
that requires EAPI=7, so additionally added it to DEPEND for now.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
kola-data and google-cloud-sdk install pre-built amd64 binaries, so
there's no point installing them right now. Both could be made to work
at a later time. iucode and syslinux and are x86 specific and won't
build. selinux related packages *currently* don't work/build on arm64
but could be made to work.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Where the packages are part of coreos-overlay, I keyworded the ebuilds
directly to the same level of stability as amd64. Other packages have
been keyworded through the profile, as close to the amd64 level as I
could manage.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and
exec from init to unconfined
- add AVC patch for local login and journald
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Update-bootengine chroots into the sysroot and runs dracut from there.
Dracut 053 has revised TMPDIR handling and the portage TMPDIR prefixed
with ROOT leaks into the chroot. This causes dracut to abort during
setup with the error message "invalid tmpdir".
Override TMPDIR before running update-bootengine to allow dracut to
function.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Flatcar uses custom networking scripts in initramfs, so the dracut iscsi
module needs to be patched to account for that.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Add Flatcar specific patch to enable the iscsi module
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
