This package is based exclusively on the Mozilla certificate store
distributed in their NSS library and adopts NSS's version accordingly.
It replaces the previous Gentoo package which came directly from Debian.
The Debian package had a couple of issues we didn't like:
- Trusts the http://cacert.org root CA which isn't the worst thing in
the world to do but seems like a really bad default policy to ship.
- update-ca-certificates had a confusing configuration/hook scheme
which seemed almost useful but completely obnoxious and useless to
CoreOS at the same time. systemd-tmpfiles plus a simpler script does
a better job for us.
The python script certdata2pem.py came from Debian's source package
ca-certificates_20130119 and was modified slightly. It is only used at
build-time to convert the file format used by NSS to PEM files.
The old packages used dates as the version; this one uses the NSS
library the certificate store came from as the version. This may cause
an issue if packages from Gentoo depend on >=ca-certificates-20080809 or
similar. Currently the only packages in Gentoo that do so are
sci-misc/boinc and www-client/epiphany, neither of which will ever be
needed in CoreOS so we should be OK.
Switch to portage's default (wget) for fetching. wget is nice and
reports the URL it is downloading while curl does not. This makes
understanding errors like '404' actually somewhat possible.
The --checkpoint arg to tar didn't serve much of a useful purpose as far
as I know besides adding to the build noise. Just drop it.
- Add || die to commands without them to avoid missing errors.
- Symlink resolv.conf to /run on amd64-generic images again.
- Properly sed /etc/issue out of tmpfiles.
- Fix symlinks for mtab and sudo.
- Fix directory ordering in tmpfiles.
- Update groups, a few were missing or incorrect.
- Bump coreos-base/coreos revision.
This replaces the old Gentoo baselayout and coreos-base packages.
Changes include:
- Move nss data files from /etc to /usr/share/baselayout
- Enable nss-usrfiles module to use the new location.
- Move other misc files from /etc to /usr/share/baselayout, using
compatibility symlinks in /etc generated by tmpfiles.
- All base system directories can be generated by tmpfiles.
- No more /etc/gentoo-release
- Simplified code; it doesn't bother trying to migrate lib symlinks and
simply fails if the existing filesystem is incorrect.
- In /usr images the `core` user's UID/GID is now 500 to keep us within
the reserved system UID/GID space. Eventually, once the SDK switches
to this, the `core` user will not conflict with the local developer's
account. It also makes it clearer what range people can use when
creating accounts in /usr images. No other UID/GIDs are changing.
- New eclass to let ebuilds run the equivalent of `tmpfiles --create`.
In the future this may be replaced by calling `tmpfiles` directly
once it has a `--root` argument but I haven't pushed those patches
upstream for review yet.
This simplifies the build process; we have no need for trousers or other
tpm related things from ChromeOS. Bump vboot_reference so it no longer
needs trousers as a build dependency.
Nmap itself is excluded; we just want the basic network tools.
ncat is a netcat implementation with support for fun things like SSL.
In the future we could add nping but since we already include iputils
that is not quite as important as ncat.
The nmap ebuild includes a compile fix posted here:
https://bugs.gentoo.org/show_bug.cgi?id=501136
Symlinks out of /etc to /usr should generally be relative, that way they
work regardless of whether you are based at / or dealing with a new
chroot you haven't entered yet, or a build root like /build/amd64-usr.
Namely the absolute links break cros_sdk which copies skel into home.
Also switch to /usr/share/skel since other packages may need to install
things to that directory in the future.
If c10n fails, etcd should not start; wait until it is known if there is
a cluster config to use or not. Also now c10n may not write out a
cluster config on ec2 if there isn't a need for one. Make this case
non-fatal and start up etcd as a master node.
Includes a few other changes which are either bug fixes or doc updates:
Brandon Philips (4):
bump(README): increase the version of the README to 0.3.0
fix(README): move contact closer to contributing
feat(scripts): use zip for windows and darwin
fix(server/v1): don't fail put on new v1 key
Brian Waldon (3):
doc(CompareAndDelete): Add missing CAD docs
doc(CompareAndSwap): clarify prevIndex in CAS
chore(gofmt): gofmt compare_and_delete_command.go
Jan-Erik Rediger (1):
Change token example to use returned value only
Michael Marineau (1):
add(server/v1/tests): Port many of the v2 HTTP handler tests to v1
TANABE Ken-ichi (2):
fix(mod/lock): Use dedicated channel to shutdown goroutine properly
fix(mod/lock): Use CreatedIndex in the first node to watch
A broken e2fsprogs-libs binary package lacking compile_et has been
causing problems. I am entirely at a loss as to how this happened in the
first place and unfortunately the error is not revealed until much
later. Hopefully this crude test at the end of src_install will find the
error as it happens. Or at the very least the revision bump will force
everything to move past the one bad build.
One oddity here: /etc/nsswitch.conf is set up as a postinst command in
order to avoid conflicting with baselayout once it starts installing
nsswitch.conf instead. Later glibc won't provide nsswitch.conf at all.
We haven't been using it, the version we have is old, and the build
appears to be a little flaky. Just drop it; we can always bump and re-add
later if someone wants it.
Trying out a new scheme of using an if statement so we can share the same
ebuild between live and stable ebuilds. This should help avoid letting
the two get out of sync.
This conflicts with /etc/portage/make.profile in the chroot, generating
lots of warnings. This was always a weird hack anyway. Instead let's
start configuring portage properly in dev images, this will be handled
in the build scripts.
Copy of upstream 2.7.5-r4 + cross-compile tweaks/fixes from our -r2.
Dropped some sed hackery related to ChromiumOS's /usr/local weirdness.
I am hoping that issue18851.patch fixes some intermittent build issues.
Although it'd be nice to re-use packages for experimental boards that
may only have a few differences from amd64-generic there is a bug in
some ebuilds and portage that breaks sharing binary packages between
different values of $ROOT. This prevents that from happening by
accident.
https://bugs.gentoo.org/show_bug.cgi?id=490014
This profile enables the symlink-usr USE flag and target profiles have a
new variable COREOS_DISK_LAYOUT_SUFFIX that allows the profile to switch
to a different set of disk layouts. By default no suffix is used but the
usr profile uses layouts with the suffix "-usr" such as "base-usr".
This provides firmware from linux-firmware but excludes everything not
explicitly required by coreos-kernel. Note that firmware installed by
this will only be available on the root filesystem, the initrd still
uses the smaller set of firmware the linux repo provides.
The current 3.12 kernel wants a few files missing in the July snapshot:
* Missing firmware: ct2fw-3.2.1.1.bin (bna.ko)
* Missing firmware: ctfw-3.2.1.1.bin (bna.ko)
* Missing firmware: cxgb4/t5fw.bin (cxgb4.ko)
These files have been added to the linux-firmware repo so a newer
snapshot will be required but for now I'm sticking with what is already
in Gentoo so I don't have to generate my own tarball or whatever.
In preparation for moving to using firmware provided by the
linux-firmware repository instead of linux the kernel ebuild needs to
stop installing the files to avoid conflicts. Also, to better ensure that
the firmware package gets rebuilt every time the kernel does, bump to
EAPI=5 and set the subslot to the ebuild version/revision. The firmware
package can then depend on the kernel w/ a special slot operator to make
sure it gets rebuilt when the kernel version changes. The firmware
package can then scan the installed modules and only install the
firmware that is required.
(Portage automatic rebuild behavior often makes this sort of rebuild
happen anyway but using subslots makes it a strict requirement.)
This appears to be part of a scheme to set an alternative login password
in ChromeOS that we have not been using. Our solution will be to make
/etc read-write so this can just go away.
Existing behavior remains unchanged if symlink-usr is unset, otherwise
leave terminfo alone (if minimal is also unset) or prune terminfo down
to the set that would have been installed to /etc if minimal is set.
On CoreOS we use systemd to manage docker containers. Having docker
automatically start containers on reboot makes everything confused. Stop
doing this.
This makes double sure that the symlink is never removed by INSTALL_MASK
or PKG_INSTALL_MASK. This symlink is so strictly required by random
tools we cannot allow it to ever go missing by mistake.
A case of binary packages masking breakage; I didn't notice this broke
because I didn't happen to trigger a build of gmerge during my testing.
This package.provided file contained the hackily installed toolchain
which is now handled via a normal emerge instead.
The INSTALL_MASK is altered all over the place, clean it up by moving
all of it to profiles. Add /usr/share/{i18n,locales} to exclude those
installed by glibc since it doesn't have a nls use flag to disable them.
Change the install location based on symlink-usr instead of the target
and use absolute symlinks. We need to move towards never installing to
/{bin,sbin,lib...} and the use of absolute links avoids needlessly
breaking if the symlink-usr flag and the current state of /bin don't
agree (i.e. between flipping the flag and migrating the current files).
As much as I like not seeing the i8042 error in the kernel log on
platforms without it I foresee someone being really ticked off with me
for making this a module when dracut fails without loading the PS/2 and
keyboard modules making the rescue shell kinda hard to use unless a
serial console is also available.
Yeah, well, fair enough future me. You win.
The kernel is much more particular about how it handles the cpio format
than GNU's cpio tool. Two things:
- Don't use the -depth option to find; cpio documentation recommends
using it (the directory comes after the contents so set the
permissions on the dir last in case it is overly restrictive) but the
kernel thinks the other direction and doesn't put things into a
directory that does not (yet) exist.
- Don't add anything under /lib which is a symlink in the original
file. Adding /lib as a directory later replaces the earlier /lib
symlink. Again the user space tool thinks in the other direction and
will happily dereference the symlink while extracting, preserving it.
CPIO CPIO CPIO!
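As an added illustration of the two kernel cpio rules this commit describes (example code, not from the commit or the CoreOS build scripts), the following Python writes a minimal newc cpio image in the order the kernel accepts: every directory before its contents, and symlinks stored as link entries that are never descended into, so nothing is emitted "under" a symlinked /lib. The sample tree it builds is constructed here for the demonstration.

```python
import os
import tempfile

def _pad4(b: bytes) -> bytes:
    # newc aligns header+name and file data to 4-byte boundaries
    return b + b"\0" * (-len(b) % 4)

def _entry(name: str, mode: int, data: bytes, ino: int) -> bytes:
    # newc header: "070701" + 13 eight-digit hex fields, then name, then data
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    header = b"070701" + b"".join(b"%08X" % f for f in fields)
    return _pad4(header + name.encode() + b"\0") + _pad4(data)

def walk_kernel_order(root: str):
    """Yield (name, mode, payload): each directory before its contents (what
    find gives without -depth); symlinks become link entries, never descended."""
    def _walk(dirpath, prefix):
        for e in sorted(os.scandir(dirpath), key=lambda x: x.name):
            name = f"{prefix}/{e.name}" if prefix else e.name
            st = e.stat(follow_symlinks=False)
            if e.is_symlink():
                yield name, st.st_mode, os.readlink(e.path).encode()
            elif e.is_dir(follow_symlinks=False):
                yield name, st.st_mode, b""        # directory first ...
                yield from _walk(e.path, name)     # ... then its contents
            else:
                with open(e.path, "rb") as f:
                    yield name, st.st_mode, f.read()
    yield from _walk(root, "")

def build_initramfs(root: str) -> bytes:
    """Return a newc cpio image the kernel can unpack as an initramfs."""
    out, ino = bytearray(), 1
    for name, mode, payload in walk_kernel_order(root):
        out += _entry(name, mode, payload, ino)
        ino += 1
    return bytes(out + _entry("TRAILER!!!", 0, b"", 0))

def make_sample_tree() -> str:
    """Constructed sample root: usr-merged layout where /lib is a symlink."""
    root = tempfile.mkdtemp(prefix="initramfs-")
    os.makedirs(os.path.join(root, "usr/lib"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr/lib/libfoo.so"), "wb") as f:
        f.write(b"\x7fELF constructed stub")
    with open(os.path.join(root, "etc/passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")
    os.symlink("usr/lib", os.path.join(root, "lib"))
    return root
```

Writing `build_initramfs(root)` to a file and gzipping it gives an image the kernel unpacks without the "directory does not exist" or replaced-symlink problems the commit describes.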