trousers supports TPM 1.2, and fails for TPM 2. This commits
skips the tcsd service if TPM 2 is detected.
Uses ConditionSecurity introduced in systemd v248
Fixesflatcar-linux/Flatcar#208
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.70.ebuild manifest" run.
Signed-off-by: Guillaume Perrin <guillaume28.perrin@gmail.com>
commit 5c4d184e22fd93ab926878a131150047b54d0b6c
Author: Michael Marineau <michael.marineau@coreos.com>
Date: Fri Aug 1 14:48:59 2014 -0700
polkit: fix config install paths, use systemd-tmpfiles
All configs should be installed to /usr and tmpfiles should be used to
create and fix directory permissions instead of the ebuild's postinst.
For HTTPS to work and also for it to deliver the security promises we
need to ship the latest certificate database.
Update the package version symlink in oder to fetch the database from
the newest NSS release under
https://ftp.mozilla.org/pub/security/nss/releases/
and do a "ebuild ca-certificates-3.69.1.ebuild manifest" run.
Hgfs-mounter has been dropped from the repository and it let's make the
patch name independent of the package version so that the patch doesn't
have to be touched on every upgrade.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
systemd v249 changes the usual failed units "●" to show "×".
This commit adapts accordingly to display the correct failed units
For compatibility with the longer-cadence channels, we continue to
support "●"
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Automatically update coreos/open-vm-tools as well as
coreos-base/oem-vmware.
Get the latest open-vm-tools release number, and get its build number
from the Github repo, and replace the old build number with the new one.
Also sync coreos-base/oem-vmware in line with open-vm-tools.
We need to split the beginning of setting up the top-level git repo into
a new function prepare_git_repo, and call it in the beginning of each
script. That is to prevent some corner cases, where applying multiple
patches does not work because the latter overwrites the former patch.
So we should not set up the git repo again in each apply_patch, but only
in the beggining, prepare_git_repo.
`ebuild audit-2.8.5-r1.ebuild manifest` fails like that:
```
>>> Downloading
'017e6c6ab9.patch'
--2021-09-29 04:05:09--
017e6c6ab9.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854 [text/plain]
Saving to: /mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__
2021-09-29 04:05:09 (57.3 MB/s) -
/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch.__download__ saved [854/854]
!!! Fetched file:
audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 854
!!! Expected: 852
Refetching... File renamed to
'/mnt/host/source/.cache/distfiles/audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch._checksum_failure_.o2889wwd'
!!! Couldn't download 'audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch'. Aborting.
```
That happens because the upstream audit patch
017e6c6ab9.patch
silently changed, so it could have a git commit of 8-bytes instead 7.
Fix the hash in Manifest for now, until we could update
sys-process/audit to 3.0. Upstream Gentoo already has 3.0, dropped 2.8.
However, updating to 3.0 might not so trivial due to Flatcar changes in
audit.
The bug fix https://github.com/flatcar-linux/coreos-overlay/pull/1129
caused a regression that Github Actions cannot determine a correct
$VERSION_OLD if the old ebuild file has a suffix like `-r1`.
We need to create a function to get a correct ebuild file name, by
falling back to the most similar name, in case the expected ebuild
file does not exist.
When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys`
occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from
f292beac11/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 .
Update app-crypt/gnupg to 2.2.29.
One of the key purposes for the update is to be able to use the new
default keyserver `keyserver.ubuntu.com`, which is provided by default
since 2.2.29. It is due to the shutdown of the SKS keyserver pools.
See also https://bugs.gentoo.org/811828 .
I think we still prefer to keep packages in portage-stable and
sometimes add an entry to the accept_keywords file instead of moving
the package to overlay just to edit a keyword. Or a PYTHON_COMPAT
field.
This changes comes together with the change made in portage-stable to
one of the python eclasses where we add support for python3 version
from 3.8 to 3.10. To make this change complete, we need to mask those
new versions, so building packages will not try to depend on python
version we haven't yet packaged.
with the recent update of `dev-lang/perl`, we added the `minimal`
useflag.
This one is not taken in account from `package.use` into the stage 2 of the boostraping,
because we do an `export USE=...`.
Following the precedence of the USE flag with Gentoo, the `export` will
be used in first, so the `package.use` with our `dev-lang/perl minimal`
won't be used.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This seems to be still unpackaged by gentoo, so refresh it on our own
then and do some maintainance work on it:
- Update to the recent EAPI, replacing autotools-utils with autotools,
and systemd_get_unitdir with systemd_get_systemunitdir.
- Add a patch from upstream fixing the pkg-config detection, so our
hack during configure phase is not necessary any more.
- Patch the configure script to put the D-Bus policy files in
/usr/share instead of /etc. This removes a need for a hack in the
install step.
This is to get rid of EAPI 5 in the package.
We are going to update it to a newer version, which fixes the build
system issue that was a reason for putting the package in overlay.
This is to get rid of EAPI 5 in the package.
Incase the ebtables tables are not set, the ebuilds links the
ebtables binaries to the legacy version instead of the nft version
Moving to coreos-overlay to link it to xtables-nft-multi.
The next step could be upstream the patches, incase of the usage of
nftables USE flag.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
We had an accept_keywords for versioned rust in base profile already,
but it was outdated due to a bug in github action. So update it and
move the lines from sdk target to base profile. The accept_keywords
for virtual/cargo package are dropped, because there is no such
package.
Replace any dev-lang/rust version with the current one, and make sure
that the modified files in the profiles directory is actually included
in the patch.
This is a backport of https://github.com/SSSD/sssd/pull/5748 adapted to 2.3.1.
A change was necessary: src/tools/sssctl/sssctl_logs.c wasn't passing
'--no-create' to truncate in 2.3.1 yet.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
- Drop the init.d files.
- Remove the socket unit's rate limiting.
Instead of dropping bindist, enable it with the profiles now so it
doesn't need to be modified on future updates.
Imported commit 20d298fb282ec9d5a060f12aef64c47aede0904d .
Update net-misc/openssh to 8.7_p1-r1, mainly to address CVE-2020-15778.
Goal of the package update is to add the support of a new option `-s`
of scp, i.e. "sftp mode of scp". Openssh 8.7 started to support the
flag, but it is disabled by default. So at the moment users need to
explicitly run `scp -s` to test the feature.
Gentoo ref: 11d6f23704e7ab84191e28e034816bfdb151d406
Now that we started encoding strings to unicode by default,
we should also take care of corner cases, where LC_CYPTE is set to a
different value from the systemd default value in `/etc/locale.gen`.
For example, under a build environment with `LC_CTYPE=C`, when the UTF-8
file name is `AC_Ra�z_Certic�mara_S.A..pem`,
build fails like that.
```
Traceback (most recent call last):
File "/var/tmp/portage/app-misc/ca-certificates-3.27.1-r2/files/certdata2pem.py",
line 127, in <module>
f = open(fname, 'w')
UnicodeEncodeError: 'ascii' codec can't encode character '\xed' in position 5: ordinal not in range(128)
* ERROR: app-misc/ca-certificates-3.27.1-r2::coreos failed (compile phase):
```
To fix that, encode filename with system encoding when opening the file.
This package contained no Flatcar modifications, so in theory it could
be moved to portage-stable. But we also will want to update it to some
recent version that does not depend on python2. But the recent
versions in gentoo use python3.{7,9}, so we will need to change it for
now, since we still use python3.6.
WALinuxAgent falls back to using the `distro` module to figure out the
distribution details in case the `get_linux_distribution` function
from the builtin `platform` module is not able to do it. With the
update of python-oem to python3, the distribution detection broke,
because we stopped carrying a patch that implemented fetching the
distribution information from `/etc/os-release`. It does not make
sense to backport that patch though, because
`platform.get_linux_distribution` is deprecated and removed in python
3.7 or 3.8. So when we update python3 to the newer version, we would
need to add the `distro` module anyway.
Maybe we can drop `distro-oem` module in future, when python-oem will
use version 3.10 and WALinuxAgent starts using the newly added
functionality in 3.10 to figure out the distribution information.
- unmask amd64 and arm64
- remove tmpfiles from ebuild inherit so we don't run into a circular
dep with systemd, use systemd_tmpfilesd instead
- take care of nscd.conf via systemd_tmpfilesd,
add files/nscd-conf.tmpfiles.
- Don't run sanity checks in pkg_pretend to prevent gcc checks when
only the binary package is installed.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use
baselayout to provide that
Add flatcar specific changes to the build recipe.
Move PYTHON_DEPS to DEPEND so things can build.
Don't run sanity checks in pkg_pretend
(similar change as in glibc-2.29) to prevent
gcc checks when only the binary package is installed.
Based on commit f7a8cd5f1fcc.
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Signed-off-by: Dongsu Park <dongsupark@microsoft.com>
Now that sys-apps/policycoreutils is pulled in explicitly for both
architectures, we should be able to pull in its dependencies, e.g.
sys-apps/semodule-utils, sys-libs/libselinux, sys-libs/libsemanage,
sys-libs/libsepol. In case of arm64, however, all the ebuilds have
only `~arm64`. So we need to enable the keywords for the ebuilds.
Without the changes, build fails like:
```
!!! All ebuilds that could satisfy
">=sys-libs/libselinux-3.1:=[python?,python_targets_python3_6(-)?,-python_single_target_python3_6(-)]"
for /build/arm64-usr/ have been masked.
!!! One of the following masked packages is required to complete your
request:
- sys-libs/libselinux-9999::coreos (masked by: missing keyword)
- sys-libs/libselinux-3.2::coreos (masked by: ~arm64 keyword)
- sys-libs/libselinux-3.1-r1::coreos (masked by: ~arm64 keyword)
```
Now that Kernel config `CONFIG_ICE` is enabled, its corresponding
firmware file needs to be also in place. However, upstream
linux-firmware tarball does not contain a correct symlink to
`intel/ice/ddp/ice-1.3.26.0.pkg`, but `modinfo ice.ko` shows it
requires `ice.pkg`. So we need to create the symlink to avoid failures
at the firmware scanning stage like below:
```
Missing firmware: intel/ice/ddp/ice.pkg (ice.ko.xz)
```
The image contents are defined by the list in this package and the
dependencies pulled in. Once we would lose some dependency due to
a package change, that would also meant that this dependency's
binaries are not available to the user anymore. To prevent user
binaries from being lost we have to explicitly list them in this
package.
Add the packages that have binaries relevant to the user and are
currently installed (seen in flatcar_production_image_packages.txt
and checked manually). Also add sys-apps/acl which got lost when
removing rkt.
This pulls in
https://github.com/kinvolk/init/pull/47
to randomize OEM filesystem UUID if mounting fails, and to avoid trying
to install the QEMU qcow2 images.
