SLSA provenance generation iterates over $A (which is a subset of $SRC_URI) and
for each of those tries to find a match in $SRC_URI. That's quadratic
complexity, and the performance impact is bad because we shell out to a helper
utility (basename) for every entry. This is leading to long stalls when
generating SLSA for packages with long distfile lists, like go and rust
packages. Iterate over SRC_URI once and create a dictionary to speed up
subsequent lookups. dev-db/etcdctl is a good candidate for testing.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
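The single-pass lookup the commit above describes, written out as an added bash illustration (not the Flatcar scripts' own code): SRC_URI is parsed once into an associative array keyed by the distfile name Portage would put in A, the filename is derived with parameter expansion instead of forking basename, and each entry of A is then resolved in constant time. The SRC_URI and A values are constructed samples and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not project code. Builds a distfile-name -> URI map from
# SRC_URI in one pass so that every lookup for an entry of A is O(1).

# Populate the global associative array DISTFILE_URI from a SRC_URI string.
# Portage's "<uri> -> <name>" rename syntax is honoured; otherwise the key is
# the last path component of the URI (${uri##*/}, no basename fork).
build_distfile_map() {
    local src_uri="$1"
    local -a words
    declare -gA DISTFILE_URI=()
    # Split on whitespace (including newlines); read returns 1 at EOF.
    read -r -d '' -a words <<< "$src_uri" || true
    local i=0 n=${#words[@]}
    while (( i < n )); do
        local uri="${words[i]}" name
        if (( i + 2 < n )) && [[ "${words[i+1]}" == "->" ]]; then
            name="${words[i+2]}"
            (( i += 3 ))
        else
            name="${uri##*/}"
            (( i += 1 ))
        fi
        DISTFILE_URI["$name"]="$uri"
    done
}

# Print "<name> <uri>" for every distfile in A using the map.
# Returns 1 if any name has no matching SRC_URI entry.
resolve_distfiles() {
    local a="$1" name rc=0
    for name in $a; do
        if [[ -n "${DISTFILE_URI[$name]+x}" ]]; then
            printf '%s %s\n' "$name" "${DISTFILE_URI[$name]}"
        else
            printf 'unmapped: %s\n' "$name" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one plain URI and one "->" rename, as an ebuild might have.
build_distfile_map "https://example.invalid/foo-1.0.tar.gz https://example.invalid/v2.0.tar.gz -> bar-2.0.tar.gz"
resolve_distfiles "foo-1.0.tar.gz bar-2.0.tar.gz"
```

The map is built once per ebuild, so the cost is linear in the size of SRC_URI, and the per-entry work for A no longer forks a process.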
- Update to slsa 1.0. This is only partially done, as we still need to
provide a proper build type. Maybe we could reuse the GitHub Actions
Workflow
(https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1).
- Stop using portageq - its use in ebuilds is banned, so eventually it
would stop working. Replace it with our hack.
- Stop trying to get a commit hash of coreos-overlay or portage-stable
as if they were submodules. This setup is long gone, so a commit
hash of toplevel scripts repo is enough.
- Use zstd for compressing generated JSON files.
In the release profile of Cargo.toml, add `codegen-units = 1`,
`strip = true`, and remove `debug = true`, to reduce binary size of
afterburn included in production images.
Fix build issue that started to appear in afterburn 5.5.0. Every public
function for the amd64 part must have a corresponding empty function in
the unsupported part, so that cross-compile for arm64 can work.
0003-encode-information-for-systemd-networkd-wait-online.patch
can be dropped, as it was already merged to upstream (d2cc340038).
Since upstream does not enable `lto = true` any more in 464c7f9f0a,
it is not necessary to keep the LTO patch. Just drop it.
Adjust Flatcar patches 000[12]* for afterburn 5.5.0.
For 0001* to be compiled, it is necessary to add again the hostname
crate, which is not included in 5.5 any more by default.
Otherwise it gets restarted a few times, which displays this line in the
logs:
```
Nov 30 13:28:41.819250 enable-oslogin[1232]: /etc/pam.d/sshd already exists. Not enabling OS Login
```
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
The removal of files in the overlay present in the lowerdir creates
whiteout entries that mask the lowerdir entries. For those files that
have a tmpfile rule for creation, a reboot would cause the file to be
created in the upperdir, meaning this file is not updated from the
lowerdir when it changes. In addition we have filtered out some tmpfile
rules that caused upcopies (symlinks and directories) which meant that
removing the /etc/resolv.conf symlink didn't bring it back after reboot.
To make files from the lowerdir show up if they have a tmpfile rule that
normally would recreate them we keep a list of whiteout entries that we
clean up on boot. This also prevents freezing files because
systemd-tmpfiles does not need to recreate them in the upperdir.
EAPI needs to be defined within first 24 lines, so the description
would push the definition too much down as it needs to happen after
possible declaration of EAPI as local for the source case.
Image changes job needs a list of OEMIDs that are built for a specific
architecture. Similar information already existed in the
coreos-base/common-oem-files ebuild, so factor it out to a separate
file, so the image changes job does not need to source the entire
ebuild (or process it in another way), but rather source the smaller
file.
For now we don't have a single place where we could learn about which
OEMs with a sysext image get built for a certain architecture. So add
it for now to the coreos-base/common-oem-files package. Missing
architecture info for an OEM that gets built only in a certain arch is
not going to be fatal for the image changes job - we will just get a
report for this OEM with messages about failures to download some
files.
This is the current version being deployed to the Azure fleet for other
distros. This update contains a fix for:
Failed to get the PID of the DHCP client: invalid literal for int() with base 10: 'MainPID=1640'
The upstream fix (stripping MainPid=) is in
https://github.com/Azure/WALinuxAgent/pull/2784.
The patch has also been updated to fix the error:
Unable to setup the persistent firewall rules: [Errno 30] Read-only file system: '/lib/systemd/system/waagent-network-setup.service'
by redirecting unit file installation to /etc/systemd/system. This change
requires handling in manglefs.sh as package installation unfortunately uses the
same path. This also requires adding a dependency on systemd-sysext.service to
that unit, as it depends on python, which is done through a drop-in.
A final change is handling interface restart. Red Hat and Ubuntu bounce a single
link while Flatcar has so far used the "coreos" implementation (restart the
whole systemd-networkd), which forced a full dhcp lease renewal. Follow the
approaches of other distros by copying their implementation of restart_if.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>