Fix some issues for booting without using tmpfiles to setup the root
filesystem in advance. For example this now works reliably:

    mkdir -p c/etc
    cp /etc/os-release c/etc
    ln -s usr/lib64 c/lib
    ln -s usr/lib64 c/lib64
    ln -s usr/bin c/bin
    ln -s usr/sbin c/sbin
    systemd-nspawn --directory=c --bind=/usr --boot

This kills the massive time-waster we currently have during boot to
cleanup/refresh OpenSSL's certificate directory in /etc/ssl/certs.
System provided certs are now hashed at build time and tmpfiles is used
to install the proper links. The certificate bundle is also created at
build time and provided as a symlink. Since tmpfiles does not help us
clean up broken links to certs that have been removed, that task has been
moved to clean-ca-certificates.service which is still run on every boot.
The update-ca-certificates.service is now only responsible for
recreating the certificate bundle if required. On systems where the user
has never run update-ca-certificates the certificate bundle is just a
symlink to the copy in /usr and update-ca-certificates.service never
runs on boot. If the user does run update-ca-certificates then
update-ca-certificates.service will rewrite the bundle only if the
directory has not been modified since the last time it ran.
There are a few edge cases where stale hash links may be left if a
system provided cert was replaced with a subject that is different enough to
change the hash but not change the file name. I don't expect that to
ever happen though. Also hash collisions between the system certs and
each other or user provided certs are not handled gracefully but should
be rare. tmpfiles will report wrong symlink errors in that case.
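The certificate-link scheme described above, modelled in shell as an added example (not CoreOS's own script; the function names and the /usr/share/ca-certificates path are assumptions). It goes one step beyond the text by giving colliding hashes distinct .0/.1 suffixes rather than leaving tmpfiles to report a wrong symlink:

```sh
#!/bin/sh
# Added example, not code from CoreOS: models the build-time hash links and the
# boot-time cleanup described above. Function names are assumptions.

# Subject hash of one cert file, as OpenSSL computes it for /etc/ssl/certs links.
cert_hash() {
    openssl x509 -in "$1" -noout -hash
}

# Build-time step: print a tmpfiles.d fragment with one "L" line per system cert,
# e.g. "L /etc/ssl/certs/5ad8a5d6.0 - - - - /usr/share/ca-certificates/foo.pem".
# Goes beyond the text: colliding hashes get .0, .1, ... suffixes (c_rehash style)
# instead of producing duplicate link paths that tmpfiles would reject.
gen_cert_tmpfiles() {
    src_dir=$1 link_dir=$2 seen=""
    for cert in "$src_dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(cert_hash "$cert")
        n=0
        while printf '%s' "$seen" | grep -qF -- " $hash.$n "; do
            n=$((n + 1))
        done
        seen="$seen $hash.$n "
        printf 'L %s/%s.%d - - - - %s\n' "$link_dir" "$hash" "$n" "$cert"
    done
}

# Boot-time step (the clean-ca-certificates.service job): drop hash links whose
# target cert no longer exists. Regular files and live links are left alone.
# Prints the number of links removed.
prune_dangling_cert_links() {
    dir=$1 removed=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue      # only symlinks are candidates
        [ -e "$link" ] && continue      # target still resolves: keep it
        rm -f "$link"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Example usage (assumed paths):
#   gen_cert_tmpfiles /usr/share/ca-certificates /etc/ssl/certs > /usr/lib/tmpfiles.d/ca-certs.conf
#   prune_dangling_cert_links /etc/ssl/certs
```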
Pull in some updates from upstream Gentoo.
As a follow up to the gentoo-systemd-integration removal prune the now
unused vanilla use flag and our custom openrc use flag along with it.
Since moving to the new bucket scheme we haven't been posting alpha disk
images as soon as they were built but it is often useful to post them
before promoting them so people can easily test them.
New script update_metadata to do a global update of both repos.
Add support to update_ebuilds to do incremental updates when just
pulling new ebuilds into portage-stable.
Add settings that are currently provided by make.conf.common-target in
coreos-overlay. Most of these are better off being derived directly from
the host environment's portage configuration.
The PKGDIR, TMPDIR, and LOGDIR values are changing to be more consistent
with the SDK configuration but these changes won't take effect until the
old make.conf.common-target is removed since its values override these.
The dev images are going to become complete build environments. Keeping
track of the differences between the two via profiles will be easier
than making the current prod and dev image scripts even more complex.
The intent of this file is to exclude dependencies from both the build
root in /build/amd64-usr and board images that would be pulled in but
aren't actually needed. Many of these are build utilities that need to
be provided by the SDK rather than the build root. The current state is
a bit confusing because we are actually including things like git but it
is also listed here and this somehow works due to version differences.
Additionally dev images will start including a working build environment
soon so many of these tools need to get built after all. To simplify
things everything has been removed except for the few packages that
would get pulled into production images if it weren't for this file.
packages.provided actually shouldn't be used in this way, instead
controlling dependencies should be done via USE flags and possibly some
day the experimental HDEPEND ebuild variable.