Flatcar is in the NIST CPE dictionary. Let's programmatically build the
`CPE_NAME` in the build process in order to be scanned.
`CPE_NAME` is part of `/etc/os-release` with the following manual entry:
```
CPE_NAME=
A CPE name for the operating system, in URI binding syntax, following the Common Platform Enumeration Specification[2] as proposed by the NIST.
This field is optional. Example: "CPE_NAME="cpe:/o:fedoraproject:fedora:17""
...
[^2]: Common Platform Enumeration Specification
http://scap.nist.gov/specifications/cpe/
```
Which indicates that the current version of CPE is 2.3.
Closes: https://github.com/flatcar-linux/Flatcar/issues/536
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
By accident the upstream files from the example folder got used,
instead of the downstream files that were added in the files/ folder.
Also, the configuration file didn't get installed.
Use the right paths to install the downstream files.
Equinix Metal ARM server are not yet hourly available in the default `sv15` region
so we override the `PACKET_REGION` to `Dallas` since it's available in this region.
We do not override `PACKET_REGION` for both board on top level because we need to keep proximity
for PXE booting.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
with this patch, we allow `unlabeled_t` to associate to tmpfs
filesystem.
It aims to solve the AVC we have with `torcx` with the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```
It has been not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.
This denial was preventing torcx to finish correctly its setup and so
Docker was not able to start.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Since every tag of the nss Github repo has `_` delimiters, we need to
first use `sort -t_` for sorting, then after that we need to replace `_`
with `.` by calling tr. Without that conversion, the input ebuild file
name will be wrong.
We fixed the issue in all other maintenance branches, but not in main.
Fix that also in main.
Automatically update app-misc/ca-certificates , a derivative of
nss https://hg.mozilla.org/projects/nss . To make things easier,
we simply check for new releases on its Github mirror
https://github.com/nss-dev/nss . When the new latest tag is found,
simply bump the version of ca-certificates ebuild.
There usually exists a way to tell the configure script to use certain
path, so the script won't try to autodetect things. This is a case for
the systemd system unit directory, but apparently not for systemd util
directory. So for the system unit directory, we can forward the path
we received from systemd.eclass' `systemd_get_systemunitdir`, but for
the util directory, we need to hack the script with `sed`. The reason
for this is that autodetected directory will have the sysroot path
prepended twice. The systemd eclass has a workaround for this issue.
Without passing the --with-systemdconfdir flag, the configure script
will query pkg-config for the directory itself. In the
cross-compilation setup that we have, this will result in a path
sysroot prepended to the path twice. systemd.eclass has a workaround
for this issue, but it does not provide an elegant getter of the
system configuration directory, thus we call `_systemd_get_dir`
ourselves.
Normally we use pkg-config to query flags and libraries that are
needed to build things. These are specific to CHOST, and the build
system usually uses pkg-config on CHOST to get those flags and
libraries. But pkg-config is also used to query for the location of
the tools used during the build, and for those we need to use
pkg-config on CBUILD. But the build system is usually using the same
pkg-config for both flags and libs, and for build tools. Which works
fine for typical builds, but breaks for cross builds.
One of such build tools is glib-genmarshal. Fortunately the build
system allows us to override the detection results by passing
GLIB_GENMARSHAL="${some_path}" to the configure script. So do that.
This is to avoid querying pkg-config for this information and
overriding the SYSROOT variable. These hacks seem to be broken with
the change of the pkgconfig implementation.
We know what will the path for the directory of the system units -
it's based on rootprefix that we pass to configure script. So use this
knowledge directly instead of getting it in a roundabout way from
pkg-config file.
