- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
As the Gentoo ebuild of dev-lang/rust >= 1.66.0 keeps workaround that
explicitly checks for a version like 1.66.0, that ebuild would obviously
make the build fail with 1.66.1.
Update the version from 1.66.0 to 1.66.1 to fix the build.
Every dev-lang/rust ebuild does a specific check if PV is the version,
e.g.:
if [[ "${PV}" == 1.66.1 ]]; then,
So it is needed to replace the hard-coded version with the new version.
This pulls in
https://github.com/flatcar/bootengine/pull/50
to select the active sysext images for OEMs or Flatcar extensions
that are coupled to the OS version. Systemd 252 is needed for the
sysext images to load without error because earlier systemd versions
were too strict about the final filename target name of a symlink.
Apply Flatcar modifications.
Unlike python <= 3.9.12, it is now unnecessary to replace virtual/awk
with app-alternatives/awk, because the upstream python ebuild already
has app-alternatives/awk.
Based on 32b448f8ccbf5f814739f834151803532272b1f9.
Add an ebuild phase hook that runs when pkg_postinst is about to be
executed. The hook sets up the environment for acct-user packages to
avoid modifications of the preexisting users - these are provided by
our baselayout and usermod can't change anything there anyway (it
complains that the user is not in /etc/passwd).
This was a default so far, but updating portage resulted in a change
of the default binary packages compressor from bzip2 to zstd. We
eventually will want to follow this change too, but first some scripts
that assume bzip2 will need to be updated. So for now keep using bzip2
to limit the scope of updating portage.
The binpkg-multi-instance feature seems to be about having multiple
binary packages of a single source package, in case those packages
were built with different USE flags and stuff.
So far we have not used this feature, and it looks like that the
update of portage has made this feature to be enabled by default. The
enabling broke the image build, because this feature makes portage to
use a bit different directory structure to store binary packages. So
instead of storing sys-devel/gcc binary package in
${PKGDIR}/sys-devel/gcc-${VERSION}.tbz2, the binary package is stored
in ${PKGDIR}/sys-devel/gcc/gcc-${VERSION}-${BUILD_ID}.xpak.
Maybe we could consider using this feature at some point in future,
but for now disable it to keep building things working.
So far we have been modifying the ebuild file to make rsync-verify to
be disabled by default instead of enabled by default as it's done by
upstream ebuild.
This will allow us to remove another modification from portage ebuild
and eventually move sys-apps/portage to portage-stable.
The package installs a default repos.conf in
/usr/share/portage/config/repos.conf. Normally it contained a default
configuration for gentoo repository, but we have a modification in the
ebuild that clobbers the contents of the file with a comment
line. Which means that this configuration file is empty. We do so,
because we are putting our own configuration in /etc anyway.
To minimize the amount of modifications put into the ebuild, we can
add /usr/share/portage/config/repos.conf into INSTALL_MASK. This is
one modification less and it's putting us closer to moving
sys-apps/portage to portage-stable.
According to sshd_config manual, only lines starting with a hash and
empty lines are treated as comments. Which means that comments coming
after the key value pairs are not really comments and sshd complains
about them like:
/etc/ssh/sshd_config line 6: keyword PrintLastLog extra arguments at end of line
/etc/ssh/sshd_config line 7: keyword PrintMotd extra arguments at end of line
/etc/ssh/sshd_config: terminating, 2 bad configuration options
Sort the use flags, drop obsolete ones and nonexistent packages, drop
unnecessary accept keywords file (as it would potentially introduce a
version mismatch between amd64 and arm64).
it mainly brings back Vagrant which was failing with Ignition 2.14.0
even if no Ignition is provided.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
As the Gentoo ebuild of dev-lang/rust >= 1.65 keeps workaround that
explicitly checks for a version like 1.65, that ebuild would obviously
make the build fail with 1.66.
Update the version from 1.65 to 1.66 to fix the build.
We should run apt-get update before installing native Ubuntu packages
like qemu-user-static. Otherwise apt-get install could fail like:
```
Err:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/universe
amd64 qemu-user-static amd64 1:6.2+dfsg-2ubuntu6.5
404 Not Found [IP: 52.252.75.106 80]
```
That happens because meanwhile the qemu-user-static deb package in the
Azure mirror was updated from 6.5 to 6.6, without keeping the old
version. Its index of the Azure mirror was updated, but
setup-flatcra-sdk.sh did not sync that, as apt-get update did not run.
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
update_engine needs to access context from SHA256 to store it and
restore it for further computations on it.
With OpenSSL SHA256 v3 implementation is not possible, let's use the
libsodium implementation.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
- sys-libs/pam: Make /sbin/unix_chkpwd suid
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
- sys-libs/pam: Install configuration into /usr
Also provide a tmpfiles fragment to bring it back.
- sys-libs/pam: Locked accounts functionality
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
- Fix cross build issues with configuring gmp libs
As gdb 11 or newer requires gmp libs as dependency, a cross build of
gdb 11.2 started to fail when its configure scripts try to detect if
gmp exists. The failure occurs mainly because the build still
passes '-L/usr/lib64` to LDFLAGS. Let's say, for example, host
toolchains outside of sysroot have amd64 libs, while the target
inside of sysroot should have arm64 libs. However, configure scripts
of gdb 11.2 still try to find its libs outside of sysroot,
/usr/lib64, although it should find its libs inside of sysroot,
e.g. /build/arm64/usr/lib64.
To fix the cross build issues, pass --with-sysroot as well as
--libdir, correctly with ${ESYSROOT}.
As a side note, for some reason, upstream gdb configure scripts are
not able to correctly make use of its gmp-specific options like
--with-gmp or --with-gmp-lib. Passing those options does not bring
anything. Also configure must have both --with-sysroot and
--libdir, to make the build work.
- Replace dependency on virtual/yacc with app-alternatives/yacc
The former is gone in favor of the latter in Gentoo. This change
will be dropped when we sync the package with Gentoo again.
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
- replace virtual/awk with app-alternatives/awk
Users reported a deadlock in ext4 that occurs under loads after kernel 5.15.72.
We debugged and found that this issue is also present upstream (6.x) and found
a fix. The fix has been validated to fix the issue, but we're still waiting for
a reponse from the ext4 maintainer.
In the meantime, apply the backport to our kernel sources, so that users can be
unblocked from updating. This will be released to alpha/beta first, and
hopefully by the time it is promoted to stable, the fix will be merged to the
kernel tree and backported to 5.15.
app-emulation/qemu depends on dev-libs/glib preferentially built with
static libraries. The GLib library started to depend on
dev-libs/libpcre2 after the update. Since dev-libs/glib is built with
static-libs USE flag, it propagates the requirement to
dev-libs/libpcre2 too. Thus update the line with old dev-libs/libpcre
in package.use to new dev-libs/libpcre2 now. Hopefully nothing needs
static libs of old dev-libs/libpcre.
Should not be necessary - dev-libs/glib is not pulling it anymore, and
other ebuilds needing the package pull it with BDEPEND, which means
that the package on SDK is being used.
This pulls in
https://github.com/flatcar/update-ssh-keys/pull/7
to support Hardware Security Keys in update-ssh-keys.
Until we have a new crates.io release of openssh-keys with
https://github.com/coreos/openssh-keys/pull/68 we need to host it on
Origin or find a way to make the eclass more flexible. Here it was
hosted on Origin (from "cargo package") and the Cargo.toml/lock patched
on build to think it would come from crates.io because the Gentoo
eclass only supports that location.
In case the OEM partition was specified with the name "OEM",
the btrfs format was not forced because it only considered the name "oem".
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
- Drop the init.d files.
- Remove the socket unit's rate limiting.
- Mark the package as stable.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Dongsu Park <dpark@linux.microsoft.com>
