Stripped down open-vm-tools ebuild for installing to /usr/share/oem
Based on efforts by:
Camilo Aguilar <camilo.aguilar@gmail.com>
Alex Crawford <alex.crawford@coreos.com>

I am unsure exactly what situation is causing the loopback partition
device node to not exist when it is being mounted, but this should help
work around the situation and log loudly about it so we can hopefully
figure out where to dig further.

When we add verity support we will be relying on generic packages such
as cryptsetup instead of whatever unknown bits are in this code base. It
has stopped building and I thought I removed it ages ago. Oops.

Sync up with upstream gentoo, pulling in the final version of the patch
for these issues. This is functionally equivalent to 4.2_p51, but
upstream hasn't officially announced that version yet, it seems.

Version 4 is too low. Some VMware products even crash trying to
upgrade it to a greater version (VMware Fusion 6 Pro). Having at
least 7 will allow us to use some modern features in most VMware
products, such as enabling vmxnet3 virtual network adapters or adding
much more memory and CPU cores to virtual machines.

Another day, another bash version bump. This is the final version of the
patch to add a special prefix and suffix to exported functions in the
environment, preventing bugs similar to the previous two from becoming
remotely exploitable.
http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00279.html
There still remain two less significant memory-access issues, dubbed
CVE-2014-7186 and CVE-2014-7187. So expect another bump soon.
http://www.openwall.com/lists/oss-security/2014/09/25/32

Prioritizing security and stability over performance in SSH, omitting
this kind of patch is generally more consistent with our objectives.
Visibly this removes "-hpn14v4" from the OpenSSH protocol banner:
SSH-2.0-OpenSSH_6.6p1-hpn14v4
Discussion: https://github.com/coreos/bugs/issues/149

Pruning files via INSTALL_MASK in the profile is a bit more appropriate
since it allows us to keep most of that info in one place. The only
parts that need to be deleted or adjusted here are inputs and outputs of
`env-update`, which has to be run after everything is installed.
Previously we didn't actually clean up `env.d` at all, which led at
least one user to think they should edit those files and run
`env-update` themselves, but we don't ship that tool on prod images.

Some of these were deleted by build_image, others were still being
shipped but aren't really needed.
The big question mark is LVM; it isn't clear if LVM's default behavior
is actually sane or if the configs are needed to make it sane. Either
way we were already removing this, but something to note in case issues
crop up eventually.