`net-libs/libnetfilter_cthelper` needs CONFIG_NF_CT_NETLINK_HELPER.
CONFIG_NET_VRF was requested by a user. CONFIG_KEY_DH_OPERATIONS is
useful for `sys-apps/keyutils`. Rest of the added configs are
dependencies.
enables ELF support to e.g. allow tc to handle BPF filters.
It has been dropped in this commit: 406576c5e5
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
It happens that kernel update PRs are created faster than we merge
them. In such case we create version gaps in the changelog. Remedy
that by adding links to all the released kernel versions between the
current one and the just released one.
This pulls in https://github.com/flatcar-linux/init/pull/56
to find a generic way of preventing conflicts with CNI interfaces that
shouldn't use DHCP and were matched by name to be set Unmanaged.
Add xml USE flag for dev-lang/python to avoid build failures during SDK
stage2. We need to add that to BOOTSTRAP_USE, not ordinary USE flags:
```
The following USE changes are necessary to proceed:
(see "package.use" in the portage(5) man page for more details)
# required by dev-python/setuptools-57.5.0::portage-stable[python_targets_python3_9]
# required by dev-python/pyparsing-2.4.7-r1::portage-stable
# required by dev-python/packaging-21.0::portage-stable
# required by dev-python/setuptools_scm-6.3.2::portage-stable
>=dev-lang/python-3.9.8 xml
```
- unmask amd64 and arm64
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
- Make BDEPEND independent from DEPEND (The `BDEPEND` is a
build-time requirement, so it should not be included in the whole
`DEPEND` list. If it does, an installation of `sys-auth/sssd`
causes other dependencies to be installed not only in the
`/build`, but also under the SDK. That's not what we want, so we
need to exclude `BDEPEND` from the list.)
- Move runstatedir option from configure to make (Now that the
upstream sssd 2.3.1 does not support `--runstatedir` option from
its configure script, we need to remove the option, to unblock the
configure issue like `unrecognized option --runstatedir`. Instead
we need to pass `runstatedir=` to emake commands.)
- Disable realm check for nsupdate (At the moment bind-tools does
not enable `gssapi`, so its `nsupdate` tool is also not able to
run `realm` command. As a result, configure script of `sssd` fails
when running `echo realm | nsupdate`, like `syntax error`.
To avoid such issues, we need to disable the nsupdate check for
now. After we could enable `gssapi` for the SDK correctly, we can
bring back the nsupdate check in the future.)
- Add patch for CVE-2021-3621
- Set the conf dir path explicitly (Without passing the
--with-systemdconfdir flag, the configure script will query
pkg-config for the directory itself. In the cross-compilation
setup that we have, this will result in a path sysroot prepended
to the path twice. systemd.eclass has a workaround for this issue,
but it does not provide an elegant getter of the system
configuration directory, thus we call `_systemd_get_dir`
ourselves.)
- Make it compatible with newer python versions.
- apply duktape patchset from
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
(this should be re-fetched from the above MR when forward-porting
to updated polkit versions.)
- fix config install paths, use systemd-tmpfiles (All configs should
be installed to /usr and tmpfiles should be used to create and fix
directory permissions instead of the ebuild's postinst.)
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to
unconfined
- add AVC patch for local login and journald
- add python[lxml] to BDEPEND (not pulled through policycoreutils
any more due to our changes there)
- Check out our previous ntp.conf and service units
- Disable USE=threads
- Add USE=perl, disabled to skip the scripts subdir
- Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
- Drop unused init scripts and pkg_postinst
- Add a minimal USE flag for only installing libraries
- Change the Perl and Python run-time deps to build-time only
- Drop a bunch of dependencies with broken cross-compilation
- Enable using bundled libraries in their place
- Disable building libraries requiring Python
- Use EAPI7
- Move libsxlt and stylesheets to BDEPEND
- Introduce some USE flags, so we don't install some tools we don't
need
- Limit the size of bundled libraries
- Make it compatible with newer python versions
- Bump to r2 because of updating EAPI to 7
- Add the tmpfiles configuration for populating /var
- Add service compatibility symlinks (maybe time to drop them)
- Drop moving a binary from /usr/sbin to /sbin
- Drop populating /etc and /var
- Drop pkg_postinst
There is no minimal use flag any more, but it was more or less the
same as no daemon and no update drive database. We also disable
systemd integration, because it's only related to the daemon
functionality that we disabled.
The old version of the package didn't have a keyword for arm64. We
just updated it and it's stable for arm64 too, rendering the entry in
accept_keyword unnecessary.
The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores.
It does not, however, tells `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store.
Fixes
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link)
observed when using the SDK Container to build the OS image.
It now also updates the correct store, which it previously did not.
Temporarily accept ssh-rsa algorithm in sshd_config for openssh >= 8.8,
until most ssh clients could deprecate ssh-rsa.
It is the same fix as https://github.com/flatcar-linux/init/pull/54.
However, we should do that again for GCE, because the google-oslogin
ebuild overwrites the existing sshd_config.
It used to be pulled in by dev-lang/python, but not any more. It is
needed for running fsscript during stage4 of SDK build to set up the
default python interpreter.
If python-single-r1.eclass is inherited, then PYTHON_USEDEP can't be
used directly inside dependency variable - either PYTHON_SINGLE_USEDEP
(for single-python-impl packages) should be used or the dependency
should be wrapped into python_gen_cond_dep function (for
multi-python-impl packages). crcmod is a multi-python-impl package, so
use the latter.
Also follow the practice of specifying the BDEPEND in terms of
RDEPEND. For this, we need to bump the EAPI to 7.
The reason for keeping it was that the package assumed that
unversioned python will point to python3 which wasn't the case in
Flatcar. Now that we updated python and made python3 the default, we
can move this package back to portage-stable and update it there.
