6719 Commits

Author SHA1 Message Date
Kai Lüke
2aaec9f0f5 app-emulation/(docker*|containerd): Revert to Go 1.13
When Docker/containerd binaries are compiled with Go 1.15 the
containers generate many signal 23 (SIGURG) events which flood
monitoring systems:
  https://github.com/kubernetes/kops/issues/10388
The SIGURG signal does not kill the process but is generated by Go
runtime scheduling:
  https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
Because the Go runtime does not know if the process expects external
SIGURG signals, the signal is not filtered out but reported to the
process: https://github.com/golang/go/issues/37942
The process has to filter this signal out itself before forwarding it
to, e.g., child processes or logs.
This change was introduced with the Go 1.15 update (actually Go 1.14,
but Flatcar skipped that for Stable); however, while containerd has
some workarounds in place, e.g., in
https://github.com/containerd/containerd/pull/4532, there are still
areas where the signal is not handled correctly.
Until this is the case, downgrade to use the Go 1.13 compiler for
Docker/containerd binaries.

See https://github.com/kinvolk/Flatcar/issues/315
2021-01-13 15:27:24 +01:00
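The commit above describes a SIGURG flood from the Go 1.14+ runtime's non-cooperative preemption reaching monitoring systems. The following is an added example, not Docker's, containerd's or Flatcar's code: it counts signal events in a signal trace so a SIGURG flood can be told apart from signals that matter, and drops SIGURG before the stream is forwarded to a log. The sample lines are constructed for this example, in the shape of `strace -f -e trace=signal` output; on a real node you would pipe the live strace output into these functions instead.

```shell
# Constructed sample trace (not captured from a real host). The layout follows
# what `strace -f -e trace=signal -p <pid>` prints for delivered signals.
sample_trace='[pid  1234] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=1234, si_uid=0} ---
[pid  1234] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=1234, si_uid=0} ---
[pid  1235] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=1, si_uid=0} ---
[pid  1234] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=1234, si_uid=0} ---
[pid  1235] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1236, si_uid=0, si_status=0} ---'

# Count events per signal name on stdin; prints "NAME COUNT" lines.
# Useful to see whether SIGURG dominates the trace (runtime preemption)
# or whether real signals such as SIGTERM are arriving.
count_signals() {
  sed -n 's/.*--- \(SIG[A-Z0-9]*\) {.*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

# Number of SIGURG events on stdin. "--" keeps grep from reading "---" as an option.
count_sigurg() {
  grep -c -- '--- SIGURG ' || true
}

# Pass everything through except SIGURG events. This is the filtering step
# the commit says a process must do itself before forwarding signal events
# to children or to logs; here it is applied to the trace stream.
filter_sigurg() {
  grep -v -- '--- SIGURG ' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$sample_trace" | count_signals
printf 'SIGURG events: %s\n' "$(printf '%s\n' "$sample_trace" | count_sigurg)"
```

If the SIGURG count dwarfs everything else for a containerd or Docker PID, the events come from the Go scheduler and not from anything sending the process SIGURG; the fix is to drop them at the forwarding point, as above, rather than to alert on them.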
Marga Manterola
b3d97f7eb0 Merge pull request #765 from kinvolk/rust-1.49.0-main
Upgrade dev-lang/rust in main from 1.48.0 to 1.49.0
2021-01-13 10:46:29 +01:00
Marga Manterola
cd0f74d157 Merge pull request #777 from kinvolk/linux-5.10.7-main
Upgrade Linux Kernel in main from 5.10.4 to 5.10.7
2021-01-13 10:45:46 +01:00
Flatcar Buildbot
f8301ebf2d sys-kernel: Upgrade coreos-kernel 5.10.4 to 5.10.7 2021-01-13 07:57:23 +00:00
Dongsu Park
9a4dd68239 dev-util/bsdiff: fix heap overflow vulnerability CVE-2020-14315
Fix a heap overflow vulnerability in bspatch included in bsdiff.

Originally the security issue was published as [FreeBSD-SA-16:29](https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc),
which pointed to a FreeBSD [patch](https://security.freebsd.org/patches/SA-16:29/bspatch.patch).
However, the patch was a set of huge changes including other unrelated
changes. That's why it was not simple at all to apply the patch to
bsdiff. Both Gentoo and Flatcar have not included the fix.

Fortunately X41 D-SEC [examined](https://www.x41-dsec.de/security/news/working/research/2020/07/15/bspatch/)
the issue again, and nailed it down to a simple patch that can be easily
applied to other trees. We simply take the patch with minimal changes.

See also [CVE-2020-14315](https://nvd.nist.gov/vuln/detail/CVE-2020-14315).
2021-01-12 17:14:44 +01:00
Dongsu Park
4f4a76a1a2 Merge pull request #772 from kinvolk/dongsu/github-actions-envvar-string
.github: fix env vars and sed expressions
2021-01-12 17:14:05 +01:00
Dongsu Park
b41e27188f .github: escape dot correctly in sed expressions
So far all sed expressions have used correct regular expressions around
semantic versions, around `.`. As a result, they matched strings even
without correct dots in place.

We need to escape the dot correctly.
2021-01-12 13:36:00 +01:00
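The commit above fixes sed expressions whose unescaped `.` matched any character in a version string. The following is an added example, not the repository's workflow code, showing the defect and the fix side by side; the version strings are constructed for the demonstration.

```shell
# Match VERSION against a sed basic-regex PATTERN anchored at both ends;
# prints "match" or "no match". The "$" anchor is appended in single quotes
# so the shell never tries to expand it.
sed_matches() {
  pattern="$1"
  version="$2"
  if [ -n "$(printf '%s\n' "$version" | sed -n "/^${pattern}"'$/p')" ]; then
    echo match
  else
    echo "no match"
  fi
}

# Loose pattern: an unescaped "." matches any single character, so a string
# that is not a version at all (5x10x6) is accepted as well.
loose_pattern='5.10.6'

# Strict pattern: "\." matches only a literal dot.
strict_pattern='5\.10\.6'

# Turn a version string into a strict pattern by escaping every dot. This is
# the shape the GitHub Actions sed expressions needed when they compare the
# current and new kernel/firmware versions.
escape_dots() {
  printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Stand-alone demonstration.
printf 'loose  vs 5x10x6: %s\n' "$(sed_matches "$loose_pattern" 5x10x6)"
printf 'strict vs 5x10x6: %s\n' "$(sed_matches "$strict_pattern" 5x10x6)"
printf 'escaped 5.10.6 -> %s\n' "$(escape_dots 5.10.6)"
```

The same applies to `grep` without `-F`: any version number used as a pattern must have its dots escaped (or be compared with a fixed-string match) or the check silently accepts near-misses.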
Dongsu Park
0a93596e4a .github: pass env variables explicitly as string
Since Kernel 5.10, Github Actions simply stopped working.
What happens is that `KV_MAIN` gets passed as an environment variable to
the inline script, but not as a string but as a float, because it contains `.`.
Apparently the last digit of the misinterpreted float number is
afterwards simply dropped by the YAML parsing library used by GA.
As a result, `KV_MAIN` becomes `5.1` instead of `5.10`, `versionMain`
becomes simply `5.10`, not `5.10.6`. Then in the next steps,
both `VERSION_NEW` and `VERSION_OLD` become `5.10`, and the script
thinks it is already the latest version, so simply does not create a new
pull request.

It was not an issue when the Kernel version was <= 5.9, because no digit
got dropped from the variable. Now the hidden issue was uncovered.

Simply set `KV_MAIN` and others explicitly as strings, by adding quotes,
to avoid such issues.
2021-01-12 13:35:50 +01:00
Kai Lüke
0b91fe4603 app-emulation/containerd: Add upstream service file settings
The service file was missing some options from
https://github.com/containerd/containerd/blob/master/containerd.service
2021-01-11 12:41:23 +01:00
Kai Lüke
8727d0fc62 app-emulation/containerd: Switch to default socket location
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update the configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switched to the default location.
2021-01-11 12:09:41 +01:00
Kai Lüke
e4760d942c sys-apps/systemd: Switch back to using a merged /etc/resolv.conf
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
2021-01-08 13:29:12 +01:00
Kai Lüke
79878e9388 coreos-base/afterburn: Restart on failure and keep unit active
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.

Fixes https://github.com/kinvolk/Flatcar/issues/311
2021-01-07 20:20:41 +01:00
Kai Lüke
ebba6e5e1a app-emulation/containerd: Disable shim debug logs
Debug output clutters the logs which with K8s liveness/readiness probes
quickly becomes a problem.

Fixes https://github.com/kinvolk/Flatcar/issues/313
2021-01-06 12:49:20 +01:00
Flatcar Buildbot
28c90ee8b9 dev-lang: Upgrade dev-lang/rust 1.48.0 to 1.49.0 2021-01-05 08:02:08 +00:00
Kai Lüke
e4cfa10306 sys-apps/baselayout: Point to latest repo state
This pulls in
https://github.com/kinvolk/baselayout/pull/10
https://github.com/kinvolk/baselayout/pull/14
https://github.com/kinvolk/baselayout/pull/11
to configure systemd-resolved.
2021-01-04 19:14:22 +01:00
Kai Lüke
29ba53843b Merge pull request #730 from f0o/issue-285-full
Update systemd-9999.ebuild to use systemd-resolved's stub resolver
2021-01-04 19:10:39 +01:00
Marga Manterola
0f7d620c01 Merge pull request #759 from kinvolk/firmware-20201218-main
Upgrade Linux Firmware in main from 20201118 to 20201218
2021-01-04 18:53:00 +01:00
Marga Manterola
63d3279946 Merge pull request #760 from kinvolk/marga-kinvolk/linux-5.10.4
Move main to kernel 5.10.4
2021-01-04 18:50:14 +01:00
Margarita Manterola
015d4701ef Move to kernel 5.10
With this change, we start tracking linux 5.10. Only a couple of config
changes were necessary:

1. Explicitly include `CONFIG_IP6_NF_IPTABLES`, as it's no longer
   implicitly included.
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=144b0a0e608690d46e9a77819249bdd8d23bdcb6

2. Move `CONFIG_EFI_VARS` to amd64 only, as it's no longer available on
   non Intel platforms. It's been replaced by `CONFIG_EFIVARS_FS` which
   is already enabled on the common config.
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=963fabf37f6a94214a823df0a785e653cb8ad6ea
2021-01-04 18:49:28 +01:00
Margarita Manterola
181c13bddc Track latest init commit
Needed for kinvolk/Flatcar#278
2021-01-04 17:44:22 +01:00
Flatcar Buildbot
d11f86c31c sys-kernel: Upgrade Linux Firmware 20201118 to 20201218 2020-12-24 07:22:34 +00:00
Dongsu Park
6c2015484a sys-kernel: enable CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF enables debug info for BTF (BPF Type Format) and
CO-RE (BPF compile once, run everywhere).

See also https://github.com/kinvolk/Flatcar/issues/225.
2020-12-18 10:44:25 +01:00
Dongsu Park
842daeb3d2 Merge pull request #747 from kinvolk/rust-1.48.0-main
Upgrade dev-lang/rust in main from 1.47.0 to 1.48.0
2020-12-17 12:40:51 +01:00
Dongsu Park
84b0d50108 Merge pull request #743 from kinvolk/linux-5.9.14-main
Upgrade Linux Kernel in main from 5.9.12 to 5.9.14
2020-12-16 08:02:51 +01:00
Dongsu Park
8fa4a13cb5 Merge pull request #664 from kinvolk/dongsu/sqlite-gentoo
dev-db/sqlite: move to portage-stable
2020-12-15 14:26:03 +01:00
Kai Lüke
eb0bb3ba0c sys-apps/baselayout: Point to latest repo state
This pulls in
https://github.com/kinvolk/baselayout/pull/13
to set sysctl rp_filter=0 and reorder how the configs are applied.
2020-12-15 11:48:38 +01:00
Kai Lüke
fc82b5c839 Merge pull request #746 from kinvolk/kai/systemd-drop-sysctl-patches
sys-apps/systemd: Drop sysctl rp_filter patches
2020-12-15 11:16:20 +01:00
Dongsu Park
dc53e59e55 dev-lang/rust: adjust patches for 1.48.0
Adjust third-party patches to fix build issues.
2020-12-15 08:51:39 +01:00
Flatcar Buildbot
f20064e51a dev-lang: Upgrade dev-lang/rust 1.47.0 to 1.48.0 2020-12-15 07:43:37 +00:00
Dongsu Park
3455ae56ec Merge pull request #735 from kinvolk/firmware-20201118-main
Upgrade Linux Firmware in main from 20200918 to 20201118
2020-12-15 07:39:45 +01:00
Kai Lüke
86afa84167 sys-apps/systemd: Drop sysctl rp_filter patches
The patches were not taking effect because they did not set
net.ipv4.conf.default.rp_filter for new interfaces. Also, they got
overwritten by the baselayout configuration which takes precedence
and is the place for Flatcar-specific sysctl settings.
The desired configuration was enforced there:
https://github.com/kinvolk/baselayout/pull/13
2020-12-14 20:50:37 +01:00
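Both the baselayout bump (`eb0bb3ba0c`) and the commit above turn on the same point: setting only `net.ipv4.conf.all.rp_filter` does not disable reverse-path filtering on interfaces created later, because a new interface copies `conf/default/*` at creation and, for `rp_filter`, the kernel applies the higher of `conf/all` and `conf/<iface>`. The following is an added check, not part of baselayout or the systemd package: it reads a sysctl.d-style fragment and reports whether both keys are set. The two fragments are constructed here to show the weak and the corrected configuration.

```shell
# Print the value assigned to KEY in FILE (last assignment wins), or "unset".
# Dots in KEY are escaped so they match literally in the sed pattern.
sysctl_value() {
  file="$1"
  key_re=$(printf '%s\n' "$2" | sed 's/\./\\./g')
  value=$(sed 's/#.*//' "$file" \
    | sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
    | tail -n 1)
  if [ -n "$value" ]; then
    printf '%s\n' "$value"
  else
    echo unset
  fi
}

# Succeed only if rp_filter is disabled for existing interfaces (all) AND for
# interfaces created after the fragment is applied (default).
rp_filter_ok() {
  all=$(sysctl_value "$1" net.ipv4.conf.all.rp_filter)
  default=$(sysctl_value "$1" net.ipv4.conf.default.rp_filter)
  [ "$all" = 0 ] && [ "$default" = 0 ]
}

# On a live host, compare the persisted fragment with the running kernel.
live_rp_filter() {
  for scope in all default; do
    f=/proc/sys/net/ipv4/conf/$scope/rp_filter
    [ -r "$f" ] && printf '%s=%s\n' "$scope" "$(cat "$f")"
  done
}

# Constructed weak fragment: only the aggregate key, the mistake described above.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# reverse-path filtering off (incomplete: new interfaces still inherit default)
net.ipv4.conf.all.rp_filter = 0
EOF

# Constructed corrected fragment: both keys, so new interfaces start with 0 too.
fixed_conf=$(mktemp)
cat > "$fixed_conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF

# Stand-alone demonstration.
for f in "$weak_conf" "$fixed_conf"; do
  if rp_filter_ok "$f"; then echo "$f: ok"; else echo "$f: incomplete"; fi
done
```

Because `sysctl.d` fragments are applied in lexical order with later files overriding earlier ones, the fragment that is meant to win (here: the baselayout one) also has to sort after any file carrying a conflicting value; the check above only inspects one file.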
Flatcar Buildbot
d5d99ca731 sys-kernel: Upgrade coreos-kernel 5.9.12 to 5.9.14 2020-12-12 07:24:43 +00:00
Dongsu Park
7ec2d64d25 dev-vcs/repo: enable keywords for Flatcar
Enable keywords `amd64` and `arm64` for Flatcar.

It is based on the previous commit:
[ea5698d5879f](https://github.com/kinvolk/coreos-overlay/commit/ea5698d5879f)
("Add arm64 keywords")
2020-12-11 15:26:59 +01:00
Dongsu Park
d229df3c79 dev-vcs/repo: sync with Gentoo for repo 2.8
The [repo v2.10](https://groups.google.com/g/repo-discuss/c/rpSfMCl83Sk)
was released dropping python2 support. As a result, every `repo init`
failed to run. To unblock CI builds, we released mantle
[v0.15.2](https://github.com/kinvolk/mantle/releases/tag/v0.15.2),
including a workaround to set the target branch to
[`maint`](https://gerrit.googlesource.com/git-repo/+/refs/heads/maint),
which still supports python2. Now with cork v0.15.2, `cork create` or
`cork update` will work well for now.

However, the current state is quite fragile. It will get broken again
when the upstream `maint` branch changes. We should update
`dev-vcs/repo` in coreos-overlay to 2.x with python3, and get it
included in Flatcar SDK, so we could later set the target branch in
mantle back to `stable`.

At the moment, none of the source repos has the tarball for repo 2.10,
neither GCS nor Gentoo distfiles. So for now we update it to 2.8.
It will be linked to python 3.6 in Flatcar SDK.

Also note that we do not have to keep `files/repo-1.25` script in the
coreos-overlay repo, because the script is simply identical to the
upstream `repo` script. I am not sure why the third-party script was
there in the first place. So simply remove the script.
2020-12-11 15:26:57 +01:00
Kai Lüke
ca5095f497 app-emulation/containerd: Enable the CRI plugin
Kubernetes uses containerd through the cri plugin which currently is
disabled due to it listening on a TCP port. Now the plugin is not
listening on a TCP port anymore but uses the same socket as gRPC.
We have documented how to enable it in
https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-from-docker-to-containerd-for-kubernetes/
but it should work by default.

Fixes https://github.com/kinvolk/Flatcar/issues/283
2020-12-11 13:03:27 +01:00
Flatcar Buildbot
aa0b1e443d sys-kernel: Upgrade Linux Firmware 20200918 to 20201118 2020-12-10 07:09:38 +00:00
Dongsu Park
33bd8598d5 Merge pull request #732 from kinvolk/dongsu/pam-1.5.1
sys-libs/pam: update to 1.5.1, fix auth issues
2020-12-09 18:09:12 +01:00
Dongsu Park
018f7dc11e sys-apps/baselayout: fix auth issue with pam 1.4
Without the fix, no ssh login works, no console login works.
2020-12-09 18:08:41 +01:00
Dongsu Park
b6784e0c3e Merge pull request #733 from kinvolk/dongsu/github-actions-firmware
.github: add Github Actions for auto-updating linux-firmware
2020-12-09 18:05:49 +01:00
Dongsu Park
7b6879079e Merge pull request #728 from kinvolk/dongsu/bsdiff-CVE-2014-9862
dev-util/bsdiff: sync with Gentoo for integer signedness error
2020-12-09 18:04:18 +01:00
Dongsu Park
57e725117f sys-libs/pam: use PATCHES for third-party patches
We should use PATCHES for the list of third-party patches, especially
for EAPI=7.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
5515bbfefb sys-auth/polkit: Replace virtual/pam with sys-libs/pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
f8db3e5f92 sys-auth/google-oslogin: Replace virtual/pam with sys-libs/pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
dcb37a9320 app-emulation/open-vm-tools: Update a comment about pam
We are getting rid of the virtual/pam package. The package provided a
dependency on one of pam or openpam. It looks like Gentoo dropped
openpam, making virtual/pam unnecessary. Also, existence of
virtual/pam causes some circular dependencies to manifest during
emerging. This package does not depend on virtual/pam outright, but
let's avoid having an out-of-date comment.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
34d4663480 sys-auth/pambase: Add README.md 2020-12-09 14:51:36 +01:00
Krzesimir Nowak
be676d7d13 sys-auth/pambase: Bump dep versions 2020-12-09 14:51:36 +01:00
Krzesimir Nowak
aec4bfa44f sys-auth/pambase: Update stub version
The version now matches what is in Gentoo, despite being almost, but
not quite, entirely unlike upstream recipe. The rename is needed,
because some packages may depend on a newer pambase after they are
updated.
2020-12-09 14:51:36 +01:00
Krzesimir Nowak
035c9ad5ce sys-libs/pam: Add README.md 2020-12-09 14:51:33 +01:00
Dongsu Park
38004f9962 .github: add Github Actions for auto-updating linux-firmware
Add Github Actions for coreos-firmware, just like other Kernel packages,
basically to detect new releases from the upstream linux-firmware repo.
2020-12-09 14:36:07 +01:00
Krzesimir Nowak
a0156ce756 sys-libs/pam: Make /sbin/unix_chkpwd suid
This is to avoid importing the fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. The problem with this solution would be no capability
override for the binary, making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
2020-12-08 18:40:03 +01:00
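The commit above trades a file capability for a setuid bit on `unix_chkpwd`, and says so plainly. The following is an added audit check, not part of the sys-libs/pam ebuild: it reports how a helper binary gets its privilege (setuid bit, file capabilities, both, or neither) so the choice is visible when reviewing an image. It assumes GNU `stat`; `getcap` is optional and only used when installed. The test below exercises it on a temporary file rather than on the real `/sbin/unix_chkpwd`, whose presence and mode depend on the host.

```shell
# Classify how PATH is privileged: prints "setuid", "filecaps", "both" or "none".
privilege_mode() {
  path="$1"
  setuid=0
  caps=0
  # `stat -c %A` prints the symbolic mode, e.g. -rwsr-xr-x; an "s" (or "S"
  # when the execute bit is clear) in the fourth position is the setuid bit.
  case "$(stat -c '%A' "$path")" in
    ???s*|???S*) setuid=1 ;;
  esac
  # getcap prints nothing for a file without capabilities and may be absent
  # on minimal images, so treat "no getcap" as "no capabilities found".
  if command -v getcap >/dev/null 2>&1; then
    if [ -n "$(getcap "$path" 2>/dev/null)" ]; then caps=1; fi
  fi
  case "$setuid$caps" in
    10) echo setuid ;;
    01) echo filecaps ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# Report the PAM helper on this host, if present; a setuid helper owned by
# root is the configuration the commit above chose.
audit_unix_chkpwd() {
  helper=/sbin/unix_chkpwd
  if [ -e "$helper" ]; then
    printf '%s: owner=%s mode=%s privilege=%s\n' \
      "$helper" "$(stat -c '%U' "$helper")" "$(stat -c '%a' "$helper")" "$(privilege_mode "$helper")"
  else
    printf '%s: not present\n' "$helper"
  fi
}

audit_unix_chkpwd
```

A setuid-root helper runs with every capability root has, whereas a file capability grants only the named ones; if the dependency cycle is resolved later, the check will report `filecaps` instead of `setuid` and the audit still passes without changes.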