Enable su USE flag for shadow, because shadow >= 4.11 does not have it
by default.
Ideally util-linux should have the su binary, but that is currently not
possible, because of a bunch of additional dependencies in SDK like
pam_sssd in baselayout.
- Carry over our custom tmpfiles and securetty files
- Remove /etc files and install them to /usr, use tmpfiles
- Switch /etc/login.defs edits to /usr/share/shadow/login.defs
- Drop moving passwd out of /usr since we don't have split-usr
- Drop pkg_postinst
This pulls in
https://github.com/flatcar-linux/ignition/pull/35
to prevent boot failures such as fsck running while udev was still
processing the disk changes, and thus failing when the /dev/disk/
symlink is shortly gone.
Add dev-python/docutils, dev-util/patchutils to hard-host-depends.
Without adding those in the SDK, the new package dev-util/bpftool would
end up pulling in the new dependencies into the production images, which
should not happen.
SDK bootstrap is failing with:
Message: sbat-distro (from ID):
../systemd-stable-250.3/src/boot/efi/meson.build:189:24: ERROR: Problem encountered: Required sbat-distro option not set and autodetection failed
The gnuefi USE flag controls whether bootctl and systemd-boot are built, but we
only need those on the target. Currently the USE flag is set for SDK as well,
so move it to coreos/targets/generic.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Add missing entries to passwd and group.
Updated netperf needs netperf user and group. Updated systemd needs
various systemd users and groups. Dnsmasq also seems to require its
own user/group.
All this is added to prevent systemd-sysusers adding these to
/etc/passwd. And systemd-sysusers adds these, because the updated
user/group eclass in portage-stable now drops configuration files into
/usr/lib/sysusers.d. Maybe at some point we will switch over to
(patched?) systemd-sysusers, so this catch-up game won't be necessary,
but we are not there yet.
This includes the `auditd` binary and systemd unit as part of the
distro. While journald is also able to handle logs from the linux audit
subsystem, auditd provides audit-specific capabilities that are
necessary in deployments subject to regulatory compliance.
For one, an administrator is able to configure audit log writing policy
to ensure that logs land on disk and nothing is missed (`flush`). We
wouldn't want such policy through journald as it woudl sync and ensure
all logs which might be undesirable and too resource intensive. In
short, this allows us to configure different management policies for
audit logs compared to general logs.
It allows us to explicitly configure the node's reaction to errors such
as the disk beign full, the disk having other issues or space constraints.
While Flatcar is not Common Criteria certified which would require the
system to shut down if audit logs present issues (not written or
collected), some FedRAMP environments do require actions such as
notifications (which could be achieved via syslog). This can be
explicitly done with auditd as well.
Co-authored-by: Kai Lüke <pothos@users.noreply.github.com>
- Consolidate them (so enabling selinux and disabling hybrid cgroups
was moved).
- Remove outdated masks (arm64 does not mask any use flags any more)
and use flags (ssl was replaced in favor of +openssl and gnutls,
introspection is gone).
- Add gnuefi (for bootctl, earlier it was built if we requested
general efi support, now it's built when support also for gnu-efi is
requested).
