-Z reports SELinux contexts. +M reports portmapper registrations; -M is
the default. +-M is not very useful, but mayday passes -M, and fails to
record lsof output when that option is not supported.
This adds the option --torcx_store to specify the path to a
directory containing torcx images to be baked into the OS image. A
blank string can be given instead of a path to restore the previous
behavior and leave an empty vendor store.
The default value is the default path created by build_torcx_store,
which is used when build_packages updates torcx images. This means
that the current pattern "./build_packages && ./build_image prod"
should result in a fully updated OS image with all torcx images
available in the vendor store.
The idea is that once the installed board packages have changed,
the sysroot that was used to build any existing torcx packages may
no longer be compatible. It will therefore run build_torcx_store,
passing relevant options to it, to build a new torcx store of
images with the current sysroot.
This adds --skip_torcx_store to use the previous behavior.
This creates new torcx stores under src/build/torcx, similar to the
layout of src/build/images. The script contains a list of packages
to build so there is a deterministic set that gets branched with
this repository. For development, a different list can also be
given on the command line.
Images are created by building only the direct dependencies of
meta-packages under the app-torcx category. They use the board
root as the sysroot for cross-compiling. The base layout of the
installation root is structured so everything is under either /bin
or /lib for simplicity. Any systemd units are rewritten so they
depend on a successful torcx apply, and they inject the appropriate
torcx runtime directory into the PATH.
When ELF binaries are compiled, they are given an RPATH value of
/ORIGIN/../lib which gets rewritten to $ORIGIN/../lib. The final
value enables automatic dynamic linking with packaged libraries.
The intermediate value is to avoid having to escape the $ through
the various build system layers (which are different for each
package) and it pretends to be an absolute path to silence security
warnings.
The systemd package from setup_board does not have USE=cryptsetup,
but it gets installed before build_packages, which satisfies the
build-time dependency from the kernel. The initramfs should have
the cryptsetup files, so explicitly depend on it to order building
the kernel after the final systemd package.
We were chowning the host directory, not the one in the chroot.
Host gpg >= 2.1.13 puts the gpg-agent socket in /run/user/UID/gnupg,
which is bind-mounted into the chroot, but the SDK gpg was ignoring it
because /run/user/UID was not owned by UID. This broke tag signing with
YubiKeys.
The `kubenet` network plugin uses `ebtables` to set up some [dedup rules](0480917b55/pkg/kubelet/network/kubenet/kubenet_linux.go (L808)). `ebtables` tries to automatically load missing `ebt_*` kernel modules when first used. Without access to `/lib/modules` this fails and `kubenet` subsequently fails to ensure the ebtables rules.
