The old version 2.1.4 does not cross-compile without help from QEMU that
we cannot rely on going forwards. 2.1.10 is Meson-based and handles this
much better.
Rather than update the package in-place, migrate it to portage-stable
and cover the differences with a small patch and env script.
Upstream now carries the systemd files, so we do not need to add these.
/etc is now automatically moved to /usr/share/flatcar/etc, so we no
longer need any special handling for that here, but I have added a
compatibility symlink for iscsid.conf.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The coreos-overlay package under app-admin was written by Jeremi around
the same time I added it to Gentoo under sys-apps. It has had a new
release since.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
It is not clear why this was forked originally. One reason was to avoid
the sys-apps/lsb-release dependency, but it probably wasn't just that.
It seems likely that the upstream package did not support cross targets
at the time. Now it does.
It appears that LTO was previously enabled by us following Gentoo rather
than through an explicit decision. They now disable it by default, so we
do likewise. It previously used "fat" LTO, which makes Rust especially
slow to build and reportedly made rustc slower than with "thin" LTO!
There seems little benefit in using thin LTO given that we rebuild Rust
almost as much as the packages that use it, plus we don't enable LTO
anywhere else.
We still avoid rustdoc to keep the size down using INSTALL_MASK. This
isn't as good as not building it in the first place, but this alone
isn't worth keeping a fork.
Cross targets are now handled via the admittedly experimental
RUST_CROSS_TARGETS support. This has been in place for a while, and I
think it is fairly widely used now. If it does disappear, it would
almost certainly be for something even better.
This also updates Rust from 1.80.0 to 1.80.1.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Landlock is a feature to create security sandboxes thanks to 3 dedicated
system calls. They are designed to be safe to used by any processes,
which can only drop their privileges, similarly to seccomp.
The new Landlock LSM is build in the kernel (CONFIG_SECURITY_LANDLOCK=y)
but it is not enough to make it usable by default. As a stackable LSM,
it is required to enable it at boot time with the CONFIG_LSM list. See
https://docs.kernel.org/userspace-api/landlock.html#kernel-support
As for other stackable LSMs, prepending Landlock to the default LSM list
enables users to potentially get more protection by default by letting
programs sandbox themselves.
As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Catalyst 4 has totally changed the way repositories are handled. It only
works when the name of the directory containing the repository matches
the configured name of that repository. This was not the case for us,
with the coreos repository residing in the coreos-overlay directory. We
wanted to move and rename our repositories anyway, but this is a big
change, so we'll do separately. For now, this just renames coreos to
coreos-overlay.
Catalyst 4 also ingests the main repository snapshot as a squashfs
rather than a tarball. It features a utility to generate such a
snapshot, but it doesn't fit Flatcar well, particularly because it
expects each ebuild repository to reside at the top level of its own git
repository. It was very easy to call tar2sqfs manually though.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Change `flatcar-openstack-hostname.service` to use afterburn `openstack` provider implemented on coreos/afterburn#462 instead of `openstack-metadata`.
BootEngine PR: flatcar/bootengine#96
Enabled user session dbus in base image to support podman rootless mode.
Extension images can now be created from multiple packages by seperating
them with a comma. The podman sysext includes app-containers/podman and
net-misc/passt.
It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf.
Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.
As Ignition supports KubeVirt, add a custom oem for it and also the
required parts to be able to build an image in .qcow2 format that
is already using internal .qcow2 gzip compression.
Fixes: https://github.com/flatcar/Flatcar/issues/1358
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
On Windows, the .bz2 compression format is not supported by native
tooling and external tools like 7zip need to be installed.
Switching to .zip compression, there will be no need for the extra step
of having external tools.
See: https://github.com/flatcar/Flatcar/issues/1009
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
So far the console in OpenStack (or Brightbox which shares the image)
was not usable well until one issues a reboot to add the autologin in
the GRUB menu.
Add it by default so that one doesn't need this reboot trick.
The qemu and qemu_uefi_secure images have the same contents as the
qemu_uefi image which wastes space on the release server. A similar
case is the PXE vmlinuz which is the same as the regular one, too.
Set up symlinks for same images, and also detect this when compressing
to set up symlinks there as well. To reduce complexity, the qemu and
qemu_uefi_secure images are not supported anymore and the Jenkins or
GitHub CI will skip over them if specified. Users that build their own
images need to adapt, though.
Add support for Gen 2 Hyper-V VMs.
`./image_to_vm` tool has now a new supported format: `hyperv_vhdx`,
that produces .vhdx dynamic disks.
How to use:
```bash
./image_to_vm.sh --from ../build/images/amd64-usr/developer-latest/ --format hyperv_vhdx
```
See: https://github.com/flatcar/Flatcar/issues/1009
Uses PR: https://github.com/flatcar/bootengine/pull/92
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
While Flatcar itself runs fine with 1 GB, many workloads do not and
having to debug this is time consuming when one forgets to bump the VM
memory, e.g., in the Qemu script.
Default to 2 GB as known-good setting for things like Kubernetes or
setting up LUKS devices.
The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't
used in Flatcar and so far it seems that the backdoor wouldn't even be
compiled for Gentoo. However, we so far don't know whether the other
patches are malicious.
Revert to 5.4.2 as last known-good release (like Gentoo did).
Note that the Flatcar main branch had a copy of the 5.6 ebuild but was
not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor but
the malicious contributor did other changes of unclear impact part of
this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These
should get downgraded, too.
