Now that Github rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
Enabling `fips` support will compile the `fips.so` provider for users who
want to use `fips` as an OpenSSL provider.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Add a symlink-usr USE flag for keeping a minimal set of terminfo
files in /usr/share/terminfo.
Also allow writes to /dev/ptmx, which sometimes causes the sandbox
to fail Jenkins builds.
Based on 9a6728f5f5d63626e4a806664c0c031e913fd758 and
380aa9c60af1e68911a479747d12b5fddaf2b1a2 .
selinux-base requires python to generate xml files, but the dependency
is implicit (through policycoreutils). Flatcar made that dependency
conditional on USE=python in policycoreutils so that we don't include
python in our images, but this causes selinux-base to fail depending on
ordering in the bootstrap process.
Fix that failure by adding an explicit dependency.
The build has been failing occasionally, due to some kind of race condition.
The last lines of log output look like this:
```
Updating policy/booleans.conf and policy/modules.conf
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
support/sedoctool.py exiting for: Error while parsing xml
make: *** [Makefile:415: conf.intermediate] Error 1
* ERROR: sec-policy/selinux-base-2.20200818-r2::coreos failed (configure phase):
* emake failed
```
Try to fix this by forcing a sequential build.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
PR https://github.com/flatcar-linux/coreos-overlay/pull/432 started
to replace `dev-lang/rust` in accept_keywords with its new version.
However, its corresponding `virtual/rust` has never been updated.
That issue had been hidden until
4463efcfd4
started adding `virtual/rust` to accept_keywords.
Unlike `dev-lang/rust`, keywords for `virtual/rust` stayed with old
versions. As a result, all subsequent Github Actions PRs for rust became
invalid, causing build failures.
Fix the issue by replacing versions of `virtual/rust` with new versions.
Also try to match with version specifiers, not only `=` but also `>=`,
`<=`, `~`.
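The version bump described above, written as an added example (not a script from the coreos-overlay repository): a small POSIX shell function that rewrites the version of one package in an accept_keywords file while honouring all of the `=`, `>=`, `<=` and `~` specifiers; the package name, version and file content below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the coreos-overlay tooling: bump the version of one
# package in a Gentoo accept_keywords file for any version specifier
# (=, >=, <=, ~), leaving lines for other packages untouched.

# update_keyword_version PACKAGE NEW_VERSION < accept_keywords
# PACKAGE is a plain category/name (assumed to contain no regex metacharacters
# other than "/", which is safe because "|" is used as the sed delimiter).
update_keyword_version() {
    pkg="$1"
    new="$2"
    # Group 1: the specifier run (one or more of < > = ~).
    # Group 2: the package name, anchored right after the specifier so that
    #          e.g. dev-lang/rust is not mistaken for virtual/rust.
    # The version after the final "-" is replaced; everything after the
    # first whitespace (the keyword list) is kept as it was.
    sed -E "s|^([<>=~]+)(${pkg})-[0-9][^[:space:]]*|\\1\\2-${new}|"
}

# Constructed sample accept_keywords content (not the real file).
SAMPLE='=dev-lang/rust-1.52.1 ~amd64 ~arm64
=virtual/rust-1.52.1 ~amd64 ~arm64
>=virtual/rust-1.52.1 ~arm64
<=virtual/rust-1.53.0 ~amd64
~virtual/rust-1.52.1 ~amd64
=dev-lang/go-1.16.5 ~amd64'

# Helper returning the rewritten sample so the result can be inspected.
bump_virtual_rust() {
    printf '%s\n' "$SAMPLE" | update_keyword_version virtual/rust 1.55.0
}

# Stand-alone usage: print the updated file to stdout.
bump_virtual_rust
```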
trousers supports TPM 1.2, and fails for TPM 2. This commit
skips the tcsd service if TPM 2 is detected.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
With the OpenSSLv3 upgrade, `update_engine` is not fully compatible yet.
See the associated issue for more details.
Let's keep the deprecated SHA functions in the meantime to run the
build.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
trousers supports TPM 1.2, and fails for TPM 2. This commit
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248.
Fixes flatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in order to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do an "ebuild ca-certificates-3.70.ebuild manifest" run.
Signed-off-by: Guillaume Perrin <guillaume28.perrin@gmail.com>
commit 5c4d184e22fd93ab926878a131150047b54d0b6c
Author: Michael Marineau <michael.marineau@coreos.com>
Date: Fri Aug 1 14:48:59 2014 -0700
polkit: fix config install paths, use systemd-tmpfiles
All configs should be installed to /usr and tmpfiles should be used to
create and fix directory permissions instead of the ebuild's postinst.
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in order to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do an "ebuild ca-certificates-3.69.1.ebuild manifest" run.
Hgfs-mounter has been dropped from the repository, and let's make the
patch name independent of the package version so that the patch doesn't
have to be touched on every upgrade.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
systemd v249 changes the usual failed units marker "●" to show "×".
This commit adapts accordingly to display the correct failed units.
For compatibility with the longer-cadence channels, we continue to
support "●".
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Automatically update coreos/open-vm-tools as well as
coreos-base/oem-vmware.
Get the latest open-vm-tools release number, and get its build number
from the Github repo, and replace the old build number with the new one.
Also sync coreos-base/oem-vmware in line with open-vm-tools.
We need to split the beginning of setting up the top-level git repo into
a new function prepare_git_repo, and call it in the beginning of each
script. That is to prevent some corner cases, where applying multiple
patches does not work because the latter overwrites the former patch.
So we should not set up the git repo again in each apply_patch, but only
in the beginning, in prepare_git_repo.
`ebuild audit-2.8.5-r1.ebuild manifest` fails like that:
```
>>> Downloading
'017e6c6ab9.patch'
--2021-09-29 04:05:09--
017e6c6ab9.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854 [text/plain]
Saving to: /mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__
2021-09-29 04:05:09 (57.3 MB/s) -
/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__ saved [854/854]
!!! Fetched file:
audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 854
!!! Expected: 852
Refetching... File renamed to
'/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch._checksum_failure_.o2889wwd'
!!! Couldn't download 'audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch'. Aborting.
```
That happens because the upstream audit patch
017e6c6ab9.patch
silently changed, so it could have a git commit of 8 bytes instead of 7.
Fix the hash in Manifest for now, until we can update
sys-process/audit to 3.0. Upstream Gentoo already has 3.0 and dropped 2.8.
However, updating to 3.0 might not be so trivial due to Flatcar changes in
audit.
The bug fix https://github.com/flatcar-linux/coreos-overlay/pull/1129
caused a regression that Github Actions cannot determine a correct
$VERSION_OLD if the old ebuild file has a suffix like `-r1`.
We need to create a function to get a correct ebuild file name, by
falling back to the most similar name, in case the expected ebuild
file does not exist.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 .
Update app-crypt/gnupg to 2.2.29.
One of the key purposes for the update is to be able to use the new
default keyserver `keyserver.ubuntu.com`, which is provided by default
since 2.2.29. It is due to the shutdown of the SKS keyserver pools.
See also https://bugs.gentoo.org/811828 .
I think we still prefer to keep packages in portage-stable and
sometimes add an entry to the accept_keywords file instead of moving
the package to overlay just to edit a keyword. Or a PYTHON_COMPAT
field.
This change comes together with the change made in portage-stable to
one of the python eclasses where we add support for python3 versions
from 3.8 to 3.10. To make this change complete, we need to mask those
new versions, so building packages will not try to depend on python
versions we haven't yet packaged.
With the recent update of `dev-lang/perl`, we added the `minimal`
USE flag.
This one is not taken into account from `package.use` in stage 2 of the bootstrapping,
because we do an `export USE=...`.
Following the precedence of USE flags in Gentoo, the `export` will
be used first, so the `package.use` with our `dev-lang/perl minimal`
won't be used.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This seems to be still unpackaged by gentoo, so refresh it on our own
then and do some maintenance work on it:
- Update to the recent EAPI, replacing autotools-utils with autotools,
and systemd_get_unitdir with systemd_get_systemunitdir.
- Add a patch from upstream fixing the pkg-config detection, so our
hack during configure phase is not necessary any more.
- Patch the configure script to put the D-Bus policy files in
/usr/share instead of /etc. This removes a need for a hack in the
install step.
This is to get rid of EAPI 5 in the package.