8379 Commits

Author SHA1 Message Date
Marga Manterola
3da6f34a32 Merge pull request #794 from kinvolk/marga-kinvolk/eks
flatcar-eks: facilitate provisioning EKS workers
2021-01-22 18:30:02 +01:00
Margarita Manterola
9b18ee2ede flatcar-eks: facilitate provisioning EKS workers
This change adds a new flatcar-eks package, that ships with all scripts
needed to join a Flatcar instance to an EKS cluster.

It includes the bootstrap.sh script used on Amazon Linux, to keep
compatibility with existing provisioning tools.

The package is included from the oem-ec2-compat package, when the board
is aws_pro, and it's part of board-packages, so that it's built by the
os/board/packages job.
2021-01-22 17:22:46 +01:00
Dongsu Park
c7449edc42 coreos-base/oem-vmware: update to 11.2.5
Update oem-vmware to 11.2.5, corresponding to the update of
open-vm-tools to 11.2.5.
2021-01-22 16:38:27 +01:00
Dongsu Park
02dbb8e4b2 app-emulation/open-vm-tools: update to 11.2.5
Update open-vm-tools to 11.2.5,
https://github.com/vmware/open-vm-tools/releases/tag/stable-11.2.5 .
Update also the build number to 17337674.
2021-01-22 16:37:41 +01:00
Krzesimir Nowak
90a55e6aac Merge pull request #793 from kinvolk/krnowak/drop-libnih
Drop libnih
2021-01-22 08:34:40 +01:00
Krzesimir Nowak
82366dc61e profiles: Drop obsolete record on libnih
2021-01-21 17:57:37 +01:00
Krzesimir Nowak
2e849b27c5 coreos-base/hard-host-depends: Drop dependency on libnih
It used to be a dependency of upstart and ureadahead, both dropped
long long time ago. Also drop nih-dbus-tool, which was built from
upstart too.

Found this out when updated profiles in portage-stable masked the
library.
2021-01-21 17:57:37 +01:00
Krzesimir Nowak
e6c50ad9c0 Merge pull request #792 from kinvolk/sayan/systemd-247-fix-DefaultTasksMax-patch
sys-apps/systemd: Fix the DefaultTasksMax patch to default to 100%
2021-01-21 17:54:01 +01:00
Sayan Chowdhury
b24a61edf5 sys-apps/systemd: Fix the DefaultTasksMax patch to default to 100%
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
2021-01-21 15:55:53 +05:30
Sayan Chowdhury
0a7ffd5229 Merge pull request #790 from kinvolk/sayan/update-systemd
sys-apps/systemd: Update to systemd v247
2021-01-21 12:49:13 +05:30
Krzesimir Nowak
f455c8e08c Merge pull request #786 from kinvolk/krnowak/update-openvmdk
app-emulation/open-vmdk: Update
2021-01-20 17:30:56 +01:00
Sayan Chowdhury
f0c0fe10af sys-apps/systemd: Update to systemd v247
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
2021-01-20 12:04:33 +00:00
Sayan Chowdhury
1cbe7c1fd2 sys-block/open-iscsi: Apply Flatcar patches
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
2021-01-20 10:04:27 +00:00
Sayan Chowdhury
c73b19d504 sys-block/open-iscsi: Sync from Gentoo
sync ref: 3e85eb9a786a79658e0abdb357f92f06ebf2a154

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
2021-01-20 09:44:48 +00:00
Krzesimir Nowak
7992b94560 app-emulation/open-vmdk: Update
Replace the use of deprecated git eclass with git-r3 and bump the
commit version to latest version. This version dropped a dependency on
jq.

It is a breaking change for users of mkova.sh, since it has changed
the order of parameters to allow passing multiple vmdk files to it.
2021-01-19 12:58:00 +01:00
Dongsu Park
4ff2518ba3 Merge pull request #782 from kinvolk/dongsu/curl-7.74
profiles: disable cxx for net-libs/nghttp2
2021-01-19 12:41:33 +01:00
Dongsu Park
9375f927fc profiles: disable cxx for net-libs/nghttp2
When building `net-libs/nghttp2` needed by curl 7.74, build fails
when checking for prerequisites of boost libs.

```
configure:20402: checking whether the Boost::ASIO library is available
configure:20433: x86_64-cros-linux-gnu-g++ -std=c++14 -c -O2 -pipe
-mtune=generic -g   conftest.cpp >&5
configure:20433: $? = 0
configure:20447: result: yes
configure:20540: error: Could not find a version of the library!
```

To avoid such issues, we should disable the `cxx` USE flag for
`net-libs/nghttp2`.
2021-01-18 18:23:37 +01:00
Marga Manterola
c0e950abc9 Merge pull request #785 from kinvolk/linux-5.10.8-main
Upgrade Linux Kernel in main from 5.10.7 to 5.10.8
2021-01-18 12:21:29 +01:00
Kai Lüke
168c59752f Merge pull request #774 from kinvolk/kai/use-go-1.13-for-docker
app-emulation/(docker*|containerd): Revert to Go 1.13
2021-01-18 11:57:00 +01:00
Flatcar Buildbot
ddc4dac853 sys-kernel: Upgrade coreos-kernel 5.10.7 to 5.10.8
2021-01-18 07:59:25 +00:00
Krzesimir Nowak
03d24ee62c Merge pull request #780 from kinvolk/krnowak/syslinux-url
sys-boot/syslinux: Update the SRC_URI to use kernel.org directly
2021-01-17 16:13:39 +01:00
Krzesimir Nowak
f39c42ea26 Merge pull request #781 from kinvolk/krnowak/openssl-restrict
dev-libs/openssl: Drop bindist from RESTRICT variable
2021-01-17 16:13:14 +01:00
Krzesimir Nowak
0852e93c07 dev-libs/openssl: Drop bindist from RESTRICT variable
It's really a hindrance during bootstrap, and we would be looking into
ways of making an exception for openssl anyway. Using
package.accept_restrict file does not do the trick, apparently because
of catalyst using its own portage config.
2021-01-15 14:10:19 +01:00
Krzesimir Nowak
afae905dfa sys-boot/syslinux: Update the SRC_URI to use kernel.org directly
It seems that there is no "kernel" mirror specified in third party
mirrors files in profiles any more. And gentoo seems to have switched
to direct kernel.org URLs anyway, probably because kernel.org is using
also some mirroring system, so we don't have to. Also, this syslinux
version is quite old, so if its tarball ever was on distfiles mirror,
it's gone by now.
2021-01-15 14:08:00 +01:00
Marga Manterola
474ad08bb6 Merge pull request #779 from kinvolk/marga-kinvolk/fix-rust
dev-lang/rust: Fix patch name
2021-01-14 12:22:27 +01:00
Margarita Manterola
724a868e10 dev-lang/rust: Fix patch name
2021-01-14 12:19:05 +01:00
Marga Manterola
7d9f12861c Merge pull request #778 from kinvolk/marga-kinvolk/fix-rust
dev-lang/rust: Move TargetResult to Target in our local patch
2021-01-14 11:52:53 +01:00
Margarita Manterola
4ba48d93d3 dev-lang/rust: Move TargetResult to Target in our local patch
The target methods have undergone significant refactoring. The return
value is no longer a TargetResult, it's just a Target. And also the
vendor is now part of the options.
2021-01-14 11:50:24 +01:00
Kai Lüke
2aaec9f0f5 app-emulation/(docker*|containerd): Revert to Go 1.13
When Docker/containerd binaries are compiled with Go 1.15 the
containers generate many signal 23 (SIGURG) events which flood
monitoring systems:
  https://github.com/kubernetes/kops/issues/10388
The SIGURG signal does not kill the process but is generated by Go
runtime scheduling:
  https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
Because the Go runtime does not know if the process expects external
SIGURG signals, the signal is not filtered out but reported to the
process: https://github.com/golang/go/issues/37942
The process has to filter this signal out itself before forwarding it
to, e.g., children processes or logs.
This change was introduced with the Go 1.15 update (actually Go 1.14
but Flatcar skipped that for Stable), however, while containerd has
some workarounds in place, e.g., in
https://github.com/containerd/containerd/pull/4532 but there are still
areas where the signal is not handled correctly.
Until this is the case, downgrade to use the Go 1.13 compiler for
Docker/containerd binaries.

See https://github.com/kinvolk/Flatcar/issues/315
2021-01-13 15:27:24 +01:00
Marga Manterola
b3d97f7eb0 Merge pull request #765 from kinvolk/rust-1.49.0-main
Upgrade dev-lang/rust in main from 1.48.0 to 1.49.0
2021-01-13 10:46:29 +01:00
Marga Manterola
cd0f74d157 Merge pull request #777 from kinvolk/linux-5.10.7-main
Upgrade Linux Kernel in main from 5.10.4 to 5.10.7
2021-01-13 10:45:46 +01:00
Dongsu Park
e1a95462f8 Merge pull request #773 from kinvolk/dongsu/bsdiff-CVE-2020-14315
dev-util/bsdiff: fix heap overflow vulnerability CVE-2020-14315
2021-01-13 08:58:18 +01:00
Flatcar Buildbot
f8301ebf2d sys-kernel: Upgrade coreos-kernel 5.10.4 to 5.10.7
2021-01-13 07:57:23 +00:00
Dongsu Park
9a4dd68239 dev-util/bsdiff: fix heap overflow vulnerability CVE-2020-14315
Fix a heap overflow vulnerability in bspatch included in bsdiff.

Originally the security issue was published as [FreeBSD-SA-16:29](https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc),
which pointed to a FreeBSD [patch](https://security.freebsd.org/patches/SA-16:29/bspatch.patch).
However, the patch was a set of huge changes including other unrelated
changes. That's why it was not simple at all to apply the patch to
bsdiff. Both Gentoo and Flatcar have not included the fix.

Fortunately X41 D-SEC [examined](https://www.x41-dsec.de/security/news/working/research/2020/07/15/bspatch/)
the issue again, and nailed down to a simple patch that can be easily
applied to other trees. We simply take the patch with minimal changes.

See also [CVE-2020-14315](https://nvd.nist.gov/vuln/detail/CVE-2020-14315).
2021-01-12 17:14:44 +01:00
Dongsu Park
4f4a76a1a2 Merge pull request #772 from kinvolk/dongsu/github-actions-envvar-string
.github: fix env vars and sed expressions
2021-01-12 17:14:05 +01:00
Dongsu Park
b41e27188f .github: escape dot correctly in sed expressions
So far all sed expressions have used correct regular expressions around
semantic versions, around `.`. As a result, they matched strings even
without correct dots in place.

We need to escape the dot correctly.
2021-01-12 13:36:00 +01:00
Dongsu Park
0a93596e4a .github: pass env variables explicitly as string
Since Kernel 5.10, GitHub Actions simply stopped working.
What happens is that `KV_MAIN` gets passed as environmental variable to
the inline script, but not as string but float, because it contains `.`.
Apparently the last digit of the misinterpreted float number is
afterwards simply dropped by YAML parsing library used by GA.
As a result, `KV_MAIN` becomes `5.1` instead of `5.10`, `versionMain`
becomes simply `5.10`, not `5.10.6`. Then in the next steps,
both `VERSION_NEW` and `VERSION_OLD` become `5.10`, and the script
thinks it is already the latest version, so simply does not create a new
pull request.

It was not an issue when Kernel version is <= 5.9, because no digit
got dropped from the variable. Now the hidden issue was uncovered.

Simply set `KV_MAIN` or others explicitly as strings, by adding quotes,
to avoid such issues.
2021-01-12 13:35:50 +01:00
Kai Lüke
2c1655907e Merge pull request #771 from kinvolk/kai/containerd-default-socket
app-emulation/containerd: Switch to default socket location
2021-01-11 16:50:48 +01:00
Kai Lüke
0b91fe4603 app-emulation/containerd: Add upstream service file settings
The service file was missing some options from
https://github.com/containerd/containerd/blob/master/containerd.service
2021-01-11 12:41:23 +01:00
Kai Lüke
8727d0fc62 app-emulation/containerd: Switch to default socket location
The upstream socket is under /run/containerd/containerd.sock which many
tools like crictl will use by default and diverging causes users to
always have to configure a non-default location.
Switch to the upstream default while still keeping a symlink so that
users are not forced to update their configurations they had to do for
the non-default location. This also keeps Docker using the old socket
location as an assertion that the symlink works. The state directory
is also switched to the default location.
2021-01-11 12:09:41 +01:00
Kai Lüke
58579a67e4 Merge pull request #769 from kinvolk/kai/resolv-conf-no-loopback
sys-apps/systemd: Switch back to using a merged /etc/resolv.conf
2021-01-08 13:29:50 +01:00
Kai Lüke
e4760d942c sys-apps/systemd: Switch back to using a merged /etc/resolv.conf
Using only 127.0.0.53 for /etc/resolv.conf causes problems for
Kubernetes which is not systemd-resolved aware yet (the kubelet passes
on /etc/resolv.conf contents to containers).
Switch back for now to merging all DNS servers into /etc/resolv.conf
which breaks split DNS and we need to document how to make split DNS
work for those that want it.
2021-01-08 13:29:12 +01:00
Kai Lüke
28055544d9 Merge pull request #768 from kinvolk/kai/coreos-metadata-retry-remain
coreos-base/afterburn: Restart on failure and keep unit active
2021-01-08 11:10:43 +01:00
Kai Lüke
79878e9388 coreos-base/afterburn: Restart on failure and keep unit active
When the metadata server is unavailable for some time the service did
not retry. Also, the service was triggered possibly multiple times
each time another service pulled it in which can cause problems if,
e.g., the service experiences a failure and corrupts the existing file
which could have been kept because rerunning wasn't needed.

Fixes https://github.com/kinvolk/Flatcar/issues/311
2021-01-07 20:20:41 +01:00
Kai Lüke
981b744828 Merge pull request #766 from kinvolk/kai/containerd-no-shim-debug-log
app-emulation/containerd: Disable shim debug logs
2021-01-06 17:00:08 +01:00
Kai Lüke
ebba6e5e1a app-emulation/containerd: Disable shim debug logs
Debug output clutters the logs which with K8s liveness/readiness probes
quickly becomes a problem.

Fixes https://github.com/kinvolk/Flatcar/issues/313
2021-01-06 12:49:20 +01:00
Flatcar Buildbot
28c90ee8b9 dev-lang: Upgrade dev-lang/rust 1.48.0 to 1.49.0
2021-01-05 08:02:08 +00:00
Kai Lüke
e194b4b183 Merge pull request #764 from kinvolk/kai/bump-baselayout-for-resolved
sys-apps/baselayout: Point to latest repo state
2021-01-04 19:16:35 +01:00
Kai Lüke
e4cfa10306 sys-apps/baselayout: Point to latest repo state
This pulls in
https://github.com/kinvolk/baselayout/pull/10
https://github.com/kinvolk/baselayout/pull/14
https://github.com/kinvolk/baselayout/pull/11
to configure systemd-resolved.
2021-01-04 19:14:22 +01:00
Kai Lüke
29ba53843b Merge pull request #730 from f0o/issue-285-full
Update systemd-9999.ebuild to use systemd-resolved's stub resolver
2021-01-04 19:10:39 +01:00