34418 Commits

Author SHA1 Message Date
Mathieu Tortuyaux
d9c407cf12
Merge pull request #3848 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-30 09:53:18 +02:00
Flatcar Buildbot
7a17112a9a Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-30 07:31:45 +00:00
flatcar-ci
4910010023 New version: alpha-4628.0.0-nightly-20260318-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
alpha-4628.0.0-nightly-20260318-2100
2026-03-18 21:00:28 +00:00
Mathieu Tortuyaux
07ddba3e17
Merge pull request #3843 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-18 13:00:14 +01:00
Flatcar Buildbot
cef193d0f5 Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-18 11:24:40 +00:00
flatcar-ci
dc3f9c9757 New version: alpha-4628.0.0-nightly-20260317-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-17 21:00:22 +00:00
flatcar-ci
0f61da4fbf New version: alpha-4628.0.0-nightly-20260316-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-16 21:00:24 +00:00
Mathieu Tortuyaux
788bb00e37
Merge pull request #3830 from flatcar/cacerts-3.121-flatcar-4628
Update ca-certificates in flatcar-4628 from 3.120 to 3.121
2026-03-16 15:10:26 +01:00
Mathieu Tortuyaux
c5e5bc685f
Merge pull request #3832 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-16 12:36:19 +01:00
Mathieu Tortuyaux
26dce3360c
Merge pull request #3826 from flatcar/linux-6.12.77-flatcar-4628
Upgrade Linux Kernel for flatcar-4628 from 6.12.74 to 6.12.77
2026-03-16 12:35:36 +01:00
Flatcar Buildbot
c00f757d97 Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-16 11:35:14 +00:00
Mathieu Tortuyaux
ac1b08bc55
Revert "app-misc/ca-certificates: use github URLs"
This reverts commit 25de567365b64397fb9de6245ea80be005001768.

I think that the reverted commit was trying to fix a "non-error". On
Gentoo distfiles, it seems that a glitch has occurred on
ca-certificates-3.120.1, as the decompressed archive tree files are not
consistent from one release to the other:
```
$ wget http://distfiles.gentoo.org/distfiles/37/nss-3.120.1.tar.gz
$ wget http://distfiles.gentoo.org/distfiles/43/nss-3.121.tar.gz
$ tar -xf nss-3.120.1.tar.gz
$ tar -xf nss-3.121.tar.gz
$ ls -l nss-3.121/nss
total 88
drwxr-xr-x  8 tormath1 tormath1   160 Mar  2 15:00 automation
-rwxr-xr-x  1 tormath1 tormath1  9183 Feb 19 10:30 build.sh
...
$ ls -l nss-NSS_3_120_1_RTM/
total 88
drwxr-xr-x  8 tormath1 tormath1   160 Feb 11 19:19 automation
-rwxr-xr-x  1 tormath1 tormath1  9183 Feb 11 19:19 build.sh
...

```

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2026-03-16 10:08:46 +01:00
Flatcar Buildbot
8320d1585d app-misc/ca-certificates: Update from 3.120 to 3.121
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-16 07:40:17 +00:00
Flatcar Buildbot
2d74b52228 sys-kernel/coreos-sources: Update from 6.12.74 to 6.12.77
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-14 07:16:57 +00:00
flatcar-ci
9818c33210 New version: alpha-4628.0.0-nightly-20260311-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-11 21:00:25 +00:00
Mathieu Tortuyaux
a1120f61a1
Merge pull request #3822 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-11 18:36:01 +01:00
Flatcar Buildbot
93e3bff739 Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-11 17:08:42 +00:00
Mathieu Tortuyaux
58796913ac
Merge pull request #3818 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-11 09:45:48 +01:00
Flatcar Buildbot
6a9761ffcc Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-11 08:43:59 +00:00
flatcar-ci
edba5458fb New version: alpha-4628.0.0-nightly-20260310-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-10 21:00:26 +00:00
James Le Cuirot
126e8e5280
ci-automation: Allow overriding Mantle container name and tag
MANTLE_REF will be optionally passed by Jenkins.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-03-10 16:28:00 +00:00
Robin Schneider
e71773ed71
Change shebang for run_sdk_container
Signed-off-by: Robin Schneider <mail@robinschneider.dev>
2026-03-10 14:03:36 +00:00
James Le Cuirot
db89ea8a90
sys-kernel/bootengine: Bump to address PXE OEM issue
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-03-10 09:46:48 +00:00
flatcar-ci
b60f0d9bcd New version: alpha-4628.0.0-nightly-20260309-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-09 21:00:27 +00:00
Mathieu Tortuyaux
48000d50cb
image_changes: update PATH variable
For some reason, the '#!/usr/bin/env python3' command of the
'show-fixed-kernel-cves.py' started to resolve
'python3' before reaching the 'ci-automation/python-bin' PATH location.

So 'feedparser' was not installed, so it was failing.

I guess we shipped some Python updates providing 'python3' resolution,
or we stopped masking some Python-related stuff in the SDK.

Flipping the 'ci-automation/python-bin' should fix the issue and it
should not have any side-effects as this is scoped only on the
'show-changes' script call.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2026-03-09 17:47:35 +01:00
Mathieu Tortuyaux
506ff2eccb
Merge pull request #3810 from flatcar/mantle-update-flatcar-4628
Upgrade mantle container image to latest HEAD in flatcar-4628
2026-03-09 17:34:50 +01:00
Flatcar Buildbot
d1a0f7c7c6 Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-09 16:33:43 +00:00
Mathieu Tortuyaux
e1628eab3f
New version: alpha-4628.0.0
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
alpha-4628.0.0
2026-03-05 13:19:05 +01:00
Mathieu Tortuyaux
e0ca1dfc20
Merge pull request #3779 from flatcar/mantle-update-main
Upgrade mantle container image to latest HEAD in main
2026-03-05 11:42:41 +01:00
Flatcar Buildbot
e05269d732 Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-05 10:41:41 +00:00
flatcar-ci
87444dccf8 New version: main-4629.0.0-nightly-20260304-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-04 21:00:27 +00:00
James Le Cuirot
dba5b9d17a
Merge pull request #3770 from flatcar/mantle-update-main
Upgrade mantle container image to latest HEAD in main
2026-03-04 10:55:21 +00:00
Flatcar Buildbot
bb8e41bd4d Update mantle container image to latest HEAD
Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-03-04 10:54:02 +00:00
James Le Cuirot
641d7d45cf
Merge pull request #3771 from flatcar/chewi/systemd-machine-id
sys-apps/systemd: Backport v285.5 fix to handle missing /etc/machine-id
2026-03-04 10:53:47 +00:00
James Le Cuirot
39cb481959
sys-apps/systemd: Backport v285.5 fix to handle missing /etc/machine-id
Otherwise it complains about this every time the SDK bash prompt appears.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-03-04 10:52:49 +00:00
James Le Cuirot
3749280232
Merge pull request #3765 from flatcar/chewi/os-release-sdk
set_lsb_release: Fix running this against the SDK itself
2026-03-04 10:13:29 +00:00
James Le Cuirot
d62abe93a0
set_lsb_release: Fix running this against the SDK itself
I hadn't realised this is called for the SDK itself, i.e. without an
applicable "board". I find having the SDK's os-release to be largely the
same as the image's a little odd, but that's a different problem.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-03-04 09:43:26 +00:00
flatcar-ci
ceb867030e New version: main-4628.0.0-nightly-20260303-2100
Signed-off-by: flatcar-ci <infra+ci@flatcar-linux.org>
2026-03-03 21:00:24 +00:00
Mathieu Tortuyaux
024726a96d
Merge pull request #3764 from flatcar/tormath1/do
ci-automation/gc: remove DO
2026-03-03 19:08:46 +01:00
Mathieu Tortuyaux
5c75ad0f4a
ci-automation/gc: remove DO
The account is currently unavailable, if the garbage collection fails,
the following clouds are not cleaned up (e.g. stackit, akamai, etc.)

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2026-03-03 18:13:38 +01:00
Thilo Fromm
ac493f18fd
Merge pull request #3763 from flatcar/t-lo/sched_ext-kernel-option
coreos-modules: add CONFIG_SCHED_CLASS_EXT kernel option
2026-03-03 13:47:53 +01:00
Thilo Fromm
b64a176201
Merge pull request #3762 from flatcar/t-lo/fix-bootengine-manifest-checksums
bootengine, init: fix manifest, update version symlinks
2026-03-03 13:47:37 +01:00
Thilo Fromm
9aff5c208a coreos-modules: add CONFIG_SCHED_CLASS_EXT kernel option
This change introduces the "Extensible Scheduling Class" kernel option
(https://cateee.net/lkddb/web-lkddb/SCHED_CLASS_EXT.html), essentially
enabling BPF process schedulers.
While only a few actual scheduler implementations will be able to use this
at this point (most also need CONFIG_PAHOLE_HAS_BTF_TAG which is only
available when the kernel is built with CLANG), it's a step in the
right direction.

Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
2026-03-03 13:33:26 +01:00
Thilo Fromm
35efeb3ea0 bootengine, init: fix manifest, update version symlinks
Commit 01eea0f of PR https://github.com/flatcar/scripts/pull/3555
introduced a build issue for bootengine and coreos-init; the source
tarball filename reflected in the manifest does not correspond to the
filename used in the ebuild. Hence, the checksum verification fails.

Also, the version symlinks were not updated by the original change.

This change uses the correct filename and checksums and updates the
versions.

Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
2026-03-03 13:13:14 +01:00
Sayan Chowdhury
ed110eeff9
Merge pull request #3741 from flatcar/linux-6.12.74-main
Upgrade Linux Kernel for main from 6.12.73 to 6.12.74
2026-03-03 14:38:16 +05:30
Kai Lüke
7072d08e82
Merge pull request #3555 from flatcar/kai/default-confext
Switch /etc to use confext in mutable mode
2026-03-03 09:58:05 +01:00
Kai Lueke
01eea0f99f Use systemd-confext instead of custom /etc overlay mount
For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in https://github.com/flatcar/init/pull/138 and
https://github.com/flatcar/bootengine/pull/115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confexts don't work well yet unless they use verity due to
the missing atomic remount and reliance on the skipping logic. We also
need to look into stacking order and other mutability settings.

The backported systemd patches relate to the following upstream PRs:

https://github.com/systemd/systemd/pull/39843 for
vpick-Don-t-use-openat-directly-but-resolve-symlinks
discover-image-Follow-symlinks-in-a-given-root
sysext-Use-correct-image-name-for-extension-release
test-Add-tests-for-handling-symlinks-with-systemd-sy
Note that the patch in the PR relies on
0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch does not.

https://github.com/systemd/systemd/pull/39980 for
sysext-Create-mutable-directory-with-the-right-mode
sysext-Skip-refresh-if-no-changes-are-found

https://github.com/systemd/systemd/pull/39991 for
sysext-Get-verity-user-certs-from-given-root

https://github.com/systemd/systemd/pull/40063 for
sysext-Fix-config-file-support-with-root
which relies on https://github.com/systemd/systemd/pull/38250 for
man-sysext.conf-add-systemd-sysext-config-files
sysext-introduce-global-config-file
sysext-support-ImagePolicy-global-config-option

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
2026-03-03 17:57:31 +09:00
Kai Lueke
c24579a06c build_sysext: Set daemon reload metadata field
Most sysexts need a daemon reload to get their services (re)started when
systemd-sysext (re)loads extensions after boot. Up to now this was done
through ensure-sysext.service but only when systemd-sysext.service was
restarted. A manual invocation of systemd-sysext did not get the
daemon reload and, e.g., Docker failed to start.
Since the daemon reload is done when at least one extension needs it
and we can say that this is likely true for most of the extensions we
build, we can unconditionally set it for now and see if we need to
make it conditional per sysext later, e.g., when one could only have
plain CLI extensions and no service extensions such as Docker/containerd
or Podman (and even NVIDIA/ZFS require services after load).

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
2026-03-03 17:57:31 +09:00
Kai Lueke
58f7884c6c sys-apps/systemd: Update to 258.2
Signed-off-by: Kai Lueke <kailuke@microsoft.com>
2026-03-03 17:57:31 +09:00
Kai Lueke
c33913752a acct-group/clock: New package
From 7f0d7d0eb24afe14cd62bfa78cb9e139b9f824d1

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
2026-03-03 17:57:31 +09:00