New version: stable-3602.2.3

Update ca-certificates in flatcar-3602 from 3.94 to 3.95

build_library/build_image_util.sh

@@ -821,9 +821,16 @@ EOF
   done
   sudo "${root_fs_dir}"/usr/sbin/flatcar-tmpfiles "${root_fs_dir}"
   # Now that we used the tmpfiles for creating /etc we delete them because
-  # the L, d, and C entries cause upcopies. Also filter out rules with ! or - but no other modifiers
+  # the L, d, D, and C entries cause upcopies. Also filter out rules with ! or - but no other modifiers
   # like + or = which explicitly recreate files.
-  sudo sed -i '/^[CLd]-*!*-*[ \t]*\/etc\//d' "${root_fs_dir}"/usr/lib/tmpfiles.d/*
+  # But before filtering, first store rules that would recreate missing files
+  # to /usr/share/flatcar/etc-no-whiteouts so that we can ensure that
+  # no overlayfs whiteouts exist for these files (example: /etc/resolv.conf).
+  # These rules are combined with the + modifier in addition.
+  # Other rules like w, e, x, do not create files that don't exist.
+  # Note: '-' must come first in the modifier pattern.
+  grep -Ph '^[fcCdDLvqQpb][-=~^!+]*[ \t]*/etc' "${root_fs_dir}"/usr/lib/tmpfiles.d/* | grep -oP '/etc[^ \t]*' | sudo_clobber "${root_fs_dir}"/usr/share/flatcar/etc-no-whiteouts
+  sudo sed -i '/^[CdDL][-=~^!]*[ \t]*\/etc\//d' "${root_fs_dir}"/usr/lib/tmpfiles.d/*
 
   # SELinux: Label the root filesystem for using 'file_contexts'.
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as

build_library/disk_util

@@ -403,7 +403,7 @@ def FormatExt(part, device):
                   '-t', part['fs_type'],
                   '-b', part['fs_block_size'],
                   '-i', part.get('fs_bytes_per_inode', part['fs_block_size']),
-                  '-I', part.get('fs_inode_size', 128),
+                  '-I', part.get('fs_inode_size', 256),
                   device,
                   part['fs_blocks']])
 

build_library/grub_install.sh

@@ -111,26 +111,21 @@ trap cleanup EXIT
 info "Installing GRUB ${FLAGS_target} in ${FLAGS_disk_image##*/}"
 LOOP_DEV=$(sudo losetup --find --show --partscan "${FLAGS_disk_image}")
 ESP_DIR=$(mktemp --directory)
+MOUNTED=
 
-# work around slow/buggy udev, make sure the node is there before mounting
-if [[ ! -b "${LOOP_DEV}p1" ]]; then
-    # sleep a little just in case udev is ok but just not finished yet
-    warn "loopback device node ${LOOP_DEV}p1 missing, waiting on udev..."
-    sleep 0.5
-    for (( i=0; i<5; i++ )); do
-        if [[ -b "${LOOP_DEV}p1" ]]; then
-            break
-        fi
-        warn "looback device node still ${LOOP_DEV}p1 missing, reprobing..."
-        sudo blockdev --rereadpt ${LOOP_DEV}
-        sleep 0.5
-    done
-    if [[ ! -b "${LOOP_DEV}p1" ]]; then
-        failboat "${LOOP_DEV}p1 where art thou? udev has forsaken us!"
+for (( i=0; i<5; ++i )); do
+    if sudo mount -t vfat "${LOOP_DEV}p1" "${ESP_DIR}"; then
+        MOUNTED=x
+        break
     fi
+    warn "loopback device node ${LOOP_DEV}p1 still missing, reprobing..."
+    sudo blockdev --rereadpt "${LOOP_DEV}"
+    # sleep for 0.5, then 1, then 2, then 4, then 8 seconds.
+    sleep "$(bc <<<"scale=1; (2.0 ^ ${i}) / 2.0")"
+done
+if [[ -z ${MOUNTED} ]]; then
+    failboat "${LOOP_DEV}p1 where art thou? udev has forsaken us!"
 fi
-
-sudo mount -t vfat "${LOOP_DEV}p1" "${ESP_DIR}"
 sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}"
 
 info "Compressing modules in ${GRUB_DIR}"

build_library/vm_image_util.sh

@@ -9,7 +9,6 @@ VALID_IMG_TYPES=(
     ami
     ami_vmdk
     azure
-    brightbox
     cloudsigma
     cloudstack
     cloudstack_vhd
@@ -223,12 +222,6 @@ IMG_openstack_mini_DISK_FORMAT=qcow2
 IMG_openstack_mini_OEM_PACKAGE=oem-ec2-compat
 IMG_openstack_mini_OEM_USE=openstack
 
-## brightbox, supports ec2's metadata format so use oem-ec2-compat
-IMG_brightbox_DISK_FORMAT=qcow2
-IMG_brightbox_DISK_LAYOUT=vm
-IMG_brightbox_OEM_PACKAGE=oem-ec2-compat
-IMG_brightbox_OEM_USE=brightbox
-
 ## pxe, which is an cpio image
 IMG_pxe_DISK_FORMAT=cpio
 IMG_pxe_PARTITIONED_IMG=0
@@ -555,7 +548,7 @@ _write_raw_disk() {
 }
 
 _write_qcow2_disk() {
-    qemu-img convert -f raw "$1" -O qcow2 -o compat=0.10 "$2"
+    qemu-img convert -f raw "$1" -O qcow2 -c -o compat=0.10 "$2"
     assert_image_size "$2" qcow2
 }
 

changelog/bugfixes/2023-06-07-systemd-reboot.md

@@ -0,0 +1 @@
+- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)

changelog/bugfixes/2023-06-26-flatcar-install.md

@@ -0,0 +1 @@
+- Worked around a bash regression in `flatcar-install` and added error reporting for disk write failures [Flatcar#1059](https://github.com/flatcar/Flatcar/issues/1059)

changelog/bugfixes/2023-06-28-sssd-var-log.md

@@ -0,0 +1 @@
+- Ensured that the folder `/var/log/sssd` is created if it doesn't exist, required for `sssd.service` ([Flatcar#1096](https://github.com/flatcar/Flatcar/issues/1096))

changelog/bugfixes/2023-08-10-systemd-restart-service.md

@@ -0,0 +1 @@
+- Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal ([flatcar#1157](https://github.com/flatcar/Flatcar/issues/1157))

changelog/bugfixes/2023-09-29-ignition-partition.md

@@ -0,0 +1 @@
+- Triggered re-reading of partition table to fix adding partitions to the boot disk [scripts#1202](https://github.com/flatcar/scripts/pull/1202)

changelog/bugfixes/2023-10-04-azure-multinic.md

@@ -0,0 +1 @@
+- Disabled systemd-networkd's RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure ([scripts#1206](https://github.com/flatcar/scripts/pull/1206))

changelog/bugfixes/2023-10-09-docker-go-1.19.md

@@ -0,0 +1 @@
+- Fixed a regression in Docker resulting in file permissions being dropped from exported container images. ([scripts#1231](https://github.com/flatcar/scripts/pull/1231))

changelog/bugfixes/2023-11-29-recreate-etc-files.md

@@ -0,0 +1 @@
+- Deleted files in `/etc` that have a tmpfiles rule that normally would recreate them will now show up again through the `/etc` lowerdir ([Flatcar#1265](https://github.com/flatcar/Flatcar/issues/1265), [bootengine#79](https://github.com/flatcar/bootengine/pull/79))

changelog/changes/2023-06-22-ext4-inode-size.md

@@ -0,0 +1 @@
+- Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness ([Flatcar#1082](https://github.com/flatcar/Flatcar/issues/1082))

changelog/changes/2023-09-12-azure-mana-vf.md

@@ -0,0 +1 @@
+- Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure ([scripts#1131](https://github.com/flatcar/scripts/pull/1131))

changelog/changes/2023-09-12-qcow2-compression.md

@@ -0,0 +1 @@
+- Use qcow2 compressed format instead of additional compression layer in Qemu images ([Flatcar#1135](https://github.com/flatcar/Flatcar/issues/1135), [scripts#1132](https://github.com/flatcar/scripts/pull/1132))

changelog/changes/2023-10-09-kubernetes-usr-libexec.md

@@ -0,0 +1 @@
+- To make Kubernetes work by default, `/usr/libexec/kubernetes/kubelet-plugins/volume/exec` is now a symlink to the writable folder `/var/kubernetes/kubelet-plugins/volume/exec` ([Flatcar#1193](https://github.com/flatcar/Flatcar/issues/1193))

changelog/changes/2023-10-23-squashfs-zstd.md

@@ -0,0 +1 @@
+- linux kernel: added zstd support for squashfs kernel module ([scripts#](https://github.com/flatcar/scripts/pull/1297))

changelog/changes/2023-11-14-brightbox.md

@@ -0,0 +1,2 @@
+- Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
+- OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the `.gz` or `.bz2` images)

changelog/security/2023-07-27-openssh-9.3_p2.md

@@ -0,0 +1 @@
+- OpenSSH ([CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408))

changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md

@@ -0,0 +1 @@
+- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))

changelog/security/2023-08-09-linux-5.15.125.md

@@ -0,0 +1 @@
+- Linux ([CVE-2022-40982](https://nvd.nist.gov/vuln/detail/CVE-2022-40982), [CVE-2022-41804](https://nvd.nist.gov/vuln/detail/CVE-2022-41804), [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569), [CVE-2023-23908](https://nvd.nist.gov/vuln/detail/CVE-2023-23908))

changelog/security/2023-10-13-curl-backport.md

@@ -0,0 +1 @@
+- curl ([CVE-2023-38545](https://nvd.nist.gov/vuln/detail/CVE-2023-38545), [CVE-2023-38546](https://nvd.nist.gov/vuln/detail/CVE-2023-38546))

changelog/updates/2023-05-25-linux-5.15.113-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.113](https://lwn.net/Articles/932883) (includes [5.15.112](https://lwn.net/Articles/932134)))

changelog/updates/2023-06-05-ca-certificates-3.90-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.90](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html))

changelog/updates/2023-06-07-systemd-update.md

@@ -0,0 +1 @@
+- systemd ([252.11](https://github.com/systemd/systemd-stable/releases/tag/v252.11) (from 252.5))

changelog/updates/2023-06-15-linux-5.15.117-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.117](https://lwn.net/Articles/934622) (includes [5.15.116](https://lwn.net/Articles/934320), [5.15.115](https://lwn.net/Articles/933909), [5.15.114](https://lwn.net/Articles/933280)))

changelog/updates/2023-06-29-linux-5.15.119-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.119](https://lwn.net/Articles/936675) (includes [5.15.118](https://lwn.net/Articles/935584)))

changelog/updates/2023-07-03-ca-certificates-3.91-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.91](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html))

changelog/updates/2023-07-06-linux-5.15.120-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.120](https://lwn.net/Articles/937404))

changelog/updates/2023-07-31-ca-certificates-3.92-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.92](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html))

changelog/updates/2023-08-01-linux-firmware-20230625-update.md

@@ -0,0 +1 @@
+- linux-firmware ([20230625](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230625))

changelog/updates/2023-08-03-linux-5.15.124-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.124](https://lwn.net/Articles/940339) (includes [5.15.123](https://lwn.net/Articles/939424), [5.15.122](https://lwn.net/Articles/939104), [5.15.121](https://lwn.net/Articles/939016)))

changelog/updates/2023-08-12-linux-5.15.126-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.126](https://lwn.net/Articles/941273) (includes [5.15.125](https://lwn.net/Articles/940798)))

changelog/updates/2023-08-31-linux-5.15.129-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.129](https://lwn.net/Articles/943113) (includes [5.15.128](https://lwn.net/Articles/942866), [5.15.127](https://lwn.net/Articles/941775)))

changelog/updates/2023-09-04-ca-certificates-3.93-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.93](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html))

changelog/updates/2023-09-07-linux-5.15.131-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.131](https://lwn.net/Articles/943755) (includes [5.15.130](https://lwn.net/Articles/943404)))

changelog/updates/2023-09-19-linux-5.15.132-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.132](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v5.15.132))

changelog/updates/2023-09-24-linux-5.15.133-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.133](https://lwn.net/Articles/945380))

changelog/updates/2023-10-09-ca-certificates-3.94-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.94](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_94.html))

changelog/updates/2023-10-11-linux-5.15.135-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.135](https://lwn.net/Articles/947299) (includes [5.15.134](https://lwn.net/Articles/946855)))

changelog/updates/2023-10-20-linux-5.15.136-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.136](https://lwn.net/Articles/948297))

changelog/updates/2023-10-26-linux-5.15.137-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.137](https://lwn.net/Articles/948818))

changelog/updates/2023-11-09-linux-5.15.138-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.138](https://lwn.net/Articles/950714))

changelog/updates/2023-11-21-linux-5.15.139-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.139](https://lwn.net/Articles/952004))

changelog/updates/2023-12-03-linux-5.15.141-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.141](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v5.15.141) (includes [5.15.140](https://lwn.net/Articles/953130)))

changelog/updates/2023-12-04-ca-certificates-3.95-update.md

@@ -0,0 +1 @@
+- ca-certificates ([3.95](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html))

changelog/updates/2023-12-09-linux-5.15.142-update.md

@@ -0,0 +1 @@
+- Linux ([5.15.142](https://lwn.net/Articles/954114))

ci-automation/ci-config.env

@@ -156,3 +156,8 @@ AZURE_LOCATION="${AZURE_LOCATION:-westeurope}"
 # -- Openstack --
 : ${OPENSTACK_IMAGE_NAME:='flatcar_production_openstack_image.img.gz'}
 OPENSTACK_PARALLEL="${PARALLEL_TESTS:-3}"
+
+# -- Brightbox --
+: ${BRIGHTBOX_IMAGE_NAME:='flatcar_production_openstack_image.img'}
+BRIGHTBOX_PARALLEL="${PARALLEL_TESTS:-1}"
+: ${BRIGHTBOX_SERVER_TYPE:="2gb.ssd"}

ci-automation/ci_automation_common.sh

@@ -24,7 +24,7 @@ function check_version_string() {
 
 function update_and_push_version() {
     local version="$1"
-    local push_to_branch="${2:-false}"
+    local target_branch="${2:-}"
 
     # set up author and email so git does not complain when tagging
     if ! git config --get user.name >/dev/null 2>&1 ; then
@@ -65,9 +65,8 @@ function update_and_push_version() {
 
     git tag -f "${TAG_ARGS[@]}" "${version}"
 
-    if [ "${push_to_branch}" = "true" ]; then
-      local branch="$(git rev-parse --abbrev-ref HEAD)"
-      git push origin "${branch}"
+    if [[ -n "${target_branch}" ]]; then
+      git push origin "HEAD:${target_branch}"
     fi
 
     git push origin "${version}"

ci-automation/garbage_collect.sh

@@ -152,6 +152,7 @@ function _garbage_collect_impl() {
       --env GCP_JSON_KEY \
       --env VMWARE_ESX_CREDS \
       --env OPENSTACK_CREDS \
+      --env BRIGHTBOX_CLIENT_ID --env BRIGHTBOX_CLIENT_SECRET \
       -w /work -v "$PWD":/work "${mantle_ref}" /work/ci-automation/garbage_collect_cloud.sh
 }
 # --

ci-automation/garbage_collect_cloud.sh

@@ -3,19 +3,10 @@ set -euo pipefail
 timeout --signal=SIGQUIT 60m ore aws gc --access-id "${AWS_ACCESS_KEY_ID}" --secret-key "${AWS_SECRET_ACCESS_KEY}"
 timeout --signal=SIGQUIT 60m ore do gc --config-file=<(echo "${DIGITALOCEAN_TOKEN_JSON}" | base64 --decode)
 timeout --signal=SIGQUIT 60m ore gcloud gc --json-key <(echo "${GCP_JSON_KEY}" | base64 --decode)
-# Because the Azure file gets read multiple times it can't be passed like <(cmd) because bash backs this FD
-# by a pipe meaning the data is gone after reading. We can create an FD (the FD number is assigned to
-# variable through exec {NAME}) manually and use a file under /tmp to back it instead, allowing multiple
-# reads.
-echo "${AZURE_PROFILE}" | base64 --decode > /tmp/azure_profile
-exec {azure_profile}</tmp/azure_profile
-rm /tmp/azure_profile
-echo "${AZURE_AUTH_CREDENTIALS}" | base64 --decode > /tmp/azure_auth
-exec {azure_auth}</tmp/azure_auth
-rm /tmp/azure_auth
-timeout --signal=SIGQUIT 60m ore azure gc --duration 6h \
-  --azure-profile="/proc/$$/fd/${azure_profile}" --azure-auth="/proc/$$/fd/${azure_auth}"
+timeout --signal=SIGQUIT 60m ore azure gc --duration 6h --azure-identity
 timeout --signal=SIGQUIT 60m ore equinixmetal gc --duration 6h \
   --project="${EQUINIXMETAL_PROJECT}" --gs-json-key=<(echo "${GCP_JSON_KEY}" | base64 --decode) --api-key="${EQUINIXMETAL_KEY}"
 timeout --signal=SIGQUIT 60m ore openstack gc --duration 6h \
   --config-file=<(echo "${OPENSTACK_CREDS}" | base64 --decode)
+timeout --signal=SIGQUIT 60m ore brightbox gc --duration 6h \
+  --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}"

ci-automation/image_changes.sh

@@ -51,6 +51,23 @@ function _image_changes_impl() {
     source sdk_container/.repo/manifests/version.txt
     local vernum="${FLATCAR_VERSION}"
 
+    MAJOR_B=$(echo "${FLATCAR_VERSION}" | cut -d . -f 1)
+
+    SUFFIX=
+    if [ "${channel}" = "lts" ]; then
+            curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 'https://lts.release.flatcar-linux.net/lts-info'
+            while read -r LINE; do
+                # each line is major:year:(supported|unsupported)
+                TUPLE=(${LINE//:/ })
+                MAJOR="${TUPLE[0]}"
+                if [[ "${MAJOR_B}" = "${MAJOR}" ]]; then
+                    SUFFIX="-${TUPLE[1]}"
+                    break
+                fi
+            done <lts-info
+            rm -f lts-info
+    fi
+
     echo "==================================================================="
     export BOARD_A="${arch}-usr"
     export FROM_A="release"
@@ -59,9 +76,8 @@ function _image_changes_impl() {
     else
             NEW_CHANNEL="${channel}"
     fi
-    NEW_CHANNEL_VERSION_A=$(curl -fsSL --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 "https://${NEW_CHANNEL}.release.flatcar-linux.net/${BOARD_A}/current/version.txt" | grep -m 1 FLATCAR_VERSION= | cut -d = -f 2)
+    NEW_CHANNEL_VERSION_A=$(curl -fsSL --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 "https://${NEW_CHANNEL}.release.flatcar-linux.net/${BOARD_A}/current${SUFFIX}/version.txt" | grep -m 1 FLATCAR_VERSION= | cut -d = -f 2)
     MAJOR_A=$(echo "${NEW_CHANNEL_VERSION_A}" | cut -d . -f 1)
-    MAJOR_B=$(echo "${FLATCAR_VERSION}" | cut -d . -f 1)
     # When the major version for the new channel is different, a transition has happened and we can find the previous release in the old channel
     if [ "${MAJOR_A}" != "${MAJOR_B}" ]; then
         case "${NEW_CHANNEL}" in

ci-automation/packages-tag.sh

@@ -68,11 +68,19 @@ function _packages_tag_impl() {
 
     # Create new tag in scripts repo w/ updated versionfile
     # Also push the changes to the branch ONLY IF we're doing a nightly
-    #   build of the 'main'/'flatcar-MAJOR' branch AND we're definitely ON the respective branch
-    local push_branch="false"
-    if    [[ "${version}" =~ ^(stable|alpha|beta|lts)-[0-9.]+-nightly-[-0-9]+$ ]] \
-       && [[ "$(git rev-parse --abbrev-ref HEAD)" =~ ^flatcar-[0-9]+$ ]] ; then
-        push_branch="true"
+    #   build of the 'flatcar-MAJOR' branch AND we're definitely ON the respective branch
+    local target_branch=''
+    # These variables are here to make it easier to test nightly
+    # builds without messing with actual release branches.
+    local flatcar_branch_prefix='flatcar'
+    local nightly='nightly'
+    # Patterns used below.
+    local nightly_pattern_1='^(stable|alpha|beta|lts)-[0-9.]+-'"${nightly}"'-[-0-9]+$'
+    local nightly_pattern_2='^(stable|alpha|beta|lts)-[0-9.]+(|-'"${nightly}"'-[-0-9]+)$'
+    local flatcar_pattern='^'"${flatcar_branch_prefix}"'-[0-9]+$'
+    if    [[ "${version}" =~ ${nightly_pattern_1} ]] \
+       && [[ "$(git rev-parse --abbrev-ref HEAD)" =~ ${flatcar_pattern} ]] ; then
+        target_branch="$(git rev-parse --abbrev-ref HEAD)"
         local existing_tag=""
         # Check for the existing tag only when we allow shortcutting
         # the builds. That way we can skip the checks for build
@@ -83,7 +91,7 @@ function _packages_tag_impl() {
             existing_tag=$(git tag --points-at HEAD) # exit code is always 0, output may be empty
         fi
         # If the found tag is a release or nightly tag, we stop this build if there are no changes
-        if [[ "${existing_tag}" =~ ^(stable|alpha|beta|lts)-[0-9.]+(|-nightly-[-0-9]+)$ ]]; then
+        if [[ "${existing_tag}" =~ ${nightly_pattern_2} ]]; then
           local ret=0
           git diff --exit-code "${existing_tag}" || ret=$?
           if [[ ret -eq 0 ]]; then
@@ -108,7 +116,7 @@ function _packages_tag_impl() {
       source sdk_lib/sdk_container_common.sh
       create_versionfile "$sdk_version" "$version"
     )
-    update_and_push_version "${version}" "${push_branch}"
+    update_and_push_version "${version}" "${target_branch}"
     apply_local_patches
 }
 # --

ci-automation/sdk_bootstrap.sh

@@ -78,10 +78,17 @@ function _sdk_bootstrap_impl() {
     # Also push the changes to the branch ONLY IF we're doing a nightly
     #   build of the 'main' branch AND we're definitely ON the main branch.
     #   This includes intermediate SDKs when doing 2-phase nightly builds.
-    local push_branch="false"
-    if   [[ "${version}" =~ ^main-[0-9.]+-nightly-[-0-9]+(-INTERMEDIATE)?$ ]] \
-       && [ "$(git rev-parse --abbrev-ref HEAD)" = "main"  ] ; then
-        push_branch="true"
+    local target_branch=''
+    # These variables are here to make it easier to test nightly
+    # builds without messing with actual release branches.
+    local main_branch='main'
+    local nightly='nightly'
+    # Patterns used below.
+    local nightly_pattern_1='^main-[0-9.]+-'"${nightly}"'-[-0-9]+(-INTERMEDIATE)?$'
+    local nightly_pattern_2='^main-[0-9.]+-'"${nightly}"'-[-0-9]+$'
+    if   [[ "${version}" =~ ${nightly_pattern_1} ]] \
+       && [ "$(git rev-parse HEAD)" = "$(git rev-parse "origin/${main_branch}")"  ] ; then
+        target_branch=${main_branch}
         local existing_tag=""
         # Check for the existing tag only when we allow shortcutting
         # the builds. That way we can skip the checks for build
@@ -92,7 +99,7 @@ function _sdk_bootstrap_impl() {
             existing_tag=$(git tag --points-at HEAD) # exit code is always 0, output may be empty
         fi
         # If the found tag is a nightly tag, we stop this build if there are no changes
-        if [[ "${existing_tag}" =~ ^main-[0-9.]+-nightly-[-0-9]+$ ]]; then
+        if [[ "${existing_tag}" =~ ${nightly_pattern_2} ]]; then
           local ret=0
           git diff --exit-code "${existing_tag}" || ret=$?
           if [ "$ret" = "0" ]; then
@@ -132,7 +139,7 @@ function _sdk_bootstrap_impl() {
       source sdk_lib/sdk_container_common.sh
       create_versionfile "${vernum}"
     )
-    update_and_push_version "${version}" "${push_branch}"
+    update_and_push_version "${version}" "${target_branch}"
     apply_local_patches
 
     ./bootstrap_sdk_container -x ./ci-cleanup.sh "${seed_version}" "${vernum}"

ci-automation/vendor-testing/azure.sh

@@ -18,11 +18,6 @@ azure_instance_type_var="AZURE_${CIA_ARCH}_MACHINE_SIZE"
 azure_instance_type="${!azure_instance_type_var}"
 azure_vnet_subnet_name="jenkins-vnet-${AZURE_LOCATION}"
 
-azure_profile_config_file=''
-secret_to_file azure_profile_config_file "${AZURE_PROFILE}"
-azure_auth_config_file=''
-secret_to_file azure_auth_config_file "${AZURE_AUTH_CREDENTIALS}"
-
 # Fetch the Azure image if not present
 if [ -f "${AZURE_IMAGE_NAME}" ] ; then
     echo "++++ ${CIA_TESTSCRIPT}: Using existing ${AZURE_IMAGE_NAME} for testing ${CIA_VERNUM} (${CIA_ARCH}) ++++"
@@ -57,8 +52,7 @@ run_kola_tests() {
       --platform=azure \
       --azure-image-file="${AZURE_IMAGE_NAME}" \
       --azure-location="${AZURE_LOCATION}" \
-      --azure-profile="${azure_profile_config_file}" \
-      --azure-auth="${azure_auth_config_file}" \
+      --azure-identity \
       --torcx-manifest="${CIA_TORCX_MANIFEST}" \
       --tapfile="${instance_tapfile}" \
       --azure-size="${instance_type}" \

ci-automation/vendor-testing/brightbox.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# Copyright (c) 2023 The Flatcar Maintainers.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -euo pipefail
+
+# Test execution script for the Brightbox vendor.
+# This script is supposed to run in the mantle container.
+
+source ci-automation/vendor_test.sh
+
+# ARM64 is not supported on Brightbox, so for now fail it as an
+# unsupported option.
+if [[ "${CIA_ARCH}" == "arm64" ]]; then
+    echo "1..1" > "${CIA_TAPFILE}"
+    echo "not ok - all qemu tests" >> "${CIA_TAPFILE}"
+    echo "  ---" >> "${CIA_TAPFILE}"
+    echo "  ERROR: ARM64 tests not supported on Brightbox." | tee -a "${CIA_TAPFILE}"
+    echo "  ..." >> "${CIA_TAPFILE}"
+    break_retest_cycle
+    exit 1
+fi
+
+# BRIGHTBOX_CLIENT_ID, BRIGHTBOX_CLIENT_SECRET should be provided by sdk_container/.env
+
+# Upload the image on Brightbox.
+IMAGE_ID=$(ore brightbox create-image \
+  --name=flatcar-"${CIA_VERNUM}" \
+  --url="https://${BUILDCACHE_SERVER}/images/${CIA_ARCH}/${CIA_VERNUM}/${BRIGHTBOX_IMAGE_NAME}" \
+  --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" \
+  --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}"
+)
+
+# Remove any left-over servers.
+ore brightbox remove-servers \
+  --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" \
+  --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}" || :
+
+# Remove any left-over IPs.
+ore brightbox remove-ips \
+  --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" \
+  --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}" || :
+
+# Delete the image once we exit.
+trap 'ore brightbox delete-image --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}" --id "${IMAGE_ID}" || true' EXIT
+
+kola_test_basename="ci-${CIA_VERNUM//+/-}"
+kola_test_basename="${kola_test_basename//[+.]/-}"
+
+set -x
+
+timeout --signal=SIGQUIT 2h kola run \
+  --board="${CIA_ARCH}-usr" \
+  --parallel="${BRIGHTBOX_PARALLEL}" \
+  --tapfile="${CIA_TAPFILE}" \
+  --channel="${CIA_CHANNEL}" \
+  --basename="${kola_test_basename}" \
+  --platform=brightbox \
+  --brightbox-image="${IMAGE_ID}" \
+  --brightbox-client-id="${BRIGHTBOX_CLIENT_ID}" \
+  --brightbox-client-secret="${BRIGHTBOX_CLIENT_SECRET}" \
+  --brightbox-server-type="${BRIGHTBOX_SERVER_TYPE}" \
+  "${@}"
+
+set +x

ci-automation/vms.sh

@@ -117,8 +117,12 @@ function _vm_build_impl() {
     for format in ${formats}; do
         echo " ###################  VENDOR '${format}' ################### "
         COMPRESSION_FORMAT="bz2"
-        if [[ "${format}" =~ ^(openstack|openstack_mini|digitalocean)$ ]];then
+        if [[ "${format}" =~ ^(openstack_mini|digitalocean)$ ]];then
             COMPRESSION_FORMAT="gz,bz2"
+        elif [[ "${format}" =~ ^(openstack)$ ]];then
+            COMPRESSION_FORMAT="gz,bz2,none"
+        elif [[ "${format}" =~ ^(qemu|qemu_uefi)$ ]];then
+            COMPRESSION_FORMAT="bz2,none"
         fi
         ./run_sdk_container -n "${vms_container}" -C "${packages_image}" \
             -v "${vernum}" \
@@ -136,6 +140,7 @@ function _vm_build_impl() {
         -v "${vernum}" \
         mv "${CONTAINER_IMAGE_ROOT}/${arch}-usr/" "./${images_out}/"
 
+    ( cd images/latest ; ln -s flatcar_production_openstack_image.img.bz2 flatcar_production_brightbox_image.img.bz2 )
     create_digests "${SIGNER}" "images/latest/"*
     sign_artifacts "${SIGNER}" "images/latest/"*
     copy_to_buildcache "images/${arch}/${vernum}/" "images/latest/"*

sdk_container/.repo/manifests/mantle-container

@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-c49e02dc12e968c2c6cffd873b04a80809e90c1c
+ghcr.io/flatcar/mantle:git-b15d26b91a844ca5e84dc4473b2fc4820a2158f2

sdk_container/.repo/manifests/version.txt

@@ -1,4 +1,4 @@
-FLATCAR_VERSION=3601.0.0+nightly-20230511-2100
-FLATCAR_VERSION_ID=3601.0.0
-FLATCAR_BUILD_ID="nightly-20230511-2100"
-FLATCAR_SDK_VERSION=3601.0.0+nightly-20230511-2100
+FLATCAR_VERSION=3602.2.3
+FLATCAR_VERSION_ID=3602.2.3
+FLATCAR_BUILD_ID=""
+FLATCAR_SDK_VERSION=3602.0.0

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-cli/docker-cli-20.10.24.ebuild

@@ -6,7 +6,7 @@ GIT_COMMIT=e78084afe5
 EGO_PN="github.com/docker/cli"
 
 COREOS_GO_PACKAGE="${EGO_PN}"
-COREOS_GO_VERSION="go1.18"
+COREOS_GO_VERSION="go1.19"
 
 inherit bash-completion-r1  golang-vcs-snapshot coreos-go-depend
 

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-proxy/docker-proxy-9999.ebuild

@@ -5,7 +5,7 @@ EAPI=6
 EGO_PN="github.com/docker/libnetwork"
 
 COREOS_GO_PACKAGE="${EGO_PN}"
-COREOS_GO_VERSION="go1.18"
+COREOS_GO_VERSION="go1.19"
 COREOS_GO_GO111MODULE="off"
 
 if [[ ${PV} == *9999 ]]; then

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.7.ebuild

@@ -5,7 +5,7 @@ EAPI=6
 
 GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
-COREOS_GO_VERSION="go1.18"
+COREOS_GO_VERSION="go1.19"
 # the commit of runc that docker uses.
 # see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
 COMMIT_ID="532d81d385677036958916d9aed5dd3431c5edb5"

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild

@@ -4,7 +4,7 @@
 EAPI=7
 EGO_PN=github.com/docker/docker
 GIT_COMMIT=d6cbf44b8c
-COREOS_GO_VERSION="go1.18"
+COREOS_GO_VERSION="go1.19"
 COREOS_GO_GO111MODULE="off"
 
 inherit bash-completion-r1 linux-info systemd udev golang-vcs-snapshot

sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest

@@ -1 +1 @@
-DIST nss-3.89.1.tar.gz 71624456 BLAKE2B fca6e09375ba2ce4a6f0bf189cabb9cdb1ba7cb5ebc1a49d47a2d6b509936a60d7f1867f71cdcfa6a81c0cbbf298513981a9b16ac23bbc464c7004bb40b830b4 SHA512 aeece4e8bc28113fc53997b29c89d40b4be74fee4f5d27c4e065d2fa6701038442f4eeeb1fcf98befedb03537a5a48a4701fe270f56197da57946529f9fa02dd
+DIST nss-3.95.tar.gz 76571130 BLAKE2B 9d40b09c0c58901781abfad609dd45f44c2f4d1ce9d4f1592748cb64a9eb29b1ac84be54ebb19fa528d8b9fd08911f769a80f72d9e6dbb22e82e5b3581a30af1 SHA512 54567c063fc72bf1a29898bc8cc405e54aa086269021d864b10a3640e6b4ae0d632834db87766257fdb43740d9bc71e362d69cfe6924f5c72a6e1a99a91f8c3a

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-cloudinit/coreos-cloudinit-9999.ebuild

@@ -12,7 +12,7 @@ inherit cros-workon systemd toolchain-funcs udev coreos-go
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm64"
 else
-	CROS_WORKON_COMMIT="89319292b9bca85a7a1f5f8a47c459dd45a8cc7a" # flatcar-master
+	CROS_WORKON_COMMIT="b50fb650de1fa308d3ed252a1722411691fc7c21" # flatcar-3602-backport
 	KEYWORDS="amd64 arm64"
 fi
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="17224c8d6f71b17676bbcf34919072fb67a6bf4c" # flatcar-master
+	CROS_WORKON_COMMIT="325e7ede6dc51e6ed7ef1f39876b48e0736c0989" # flatcar-3602-backport
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild

@@ -92,4 +92,9 @@ src_install() {
         dosym "${target}" "${link}"
         fowners --no-dereference 500:500 "${link}"
     done
+
+    # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
+    # (The below keepdir will result in a tmpfiles entry in base_image_var.conf)
+    keepdir /var/kubernetes/kubelet-plugins/volume/exec
+    dosym /var/kubernetes/kubelet-plugins/volume/exec /usr/libexec/kubernetes/kubelet-plugins/volume/exec
 }

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ec2-compat/files/grub-brightbox.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings for EC2
-
-set oem_id="brightbox"

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ec2-compat/oem-ec2-compat-0.1.2-r2.ebuild

@@ -10,8 +10,8 @@ SRC_URI=""
 LICENSE="Apache-2.0"
 SLOT="0"
 KEYWORDS="amd64 arm64 x86"
-IUSE="ec2 openstack brightbox"
-REQUIRED_USE="^^ ( ec2 openstack brightbox )"
+IUSE="ec2 openstack"
+REQUIRED_USE="^^ ( ec2 openstack )"
 
 RDEPEND="
 	ec2? ( app-emulation/amazon-ssm-agent )
@@ -32,10 +32,6 @@ src_prepare() {
 		ID="openstack"
 		NAME="Openstack"
 		HOME_URL="https://www.openstack.org/"
-	elif use brightbox ; then
-		ID="brightbox"
-		NAME="Brightbox"
-		HOME_URL="http://brightbox.com/"
 	else
 		die "Unknown OEM!"
 	fi
@@ -54,8 +50,6 @@ src_install() {
 		newins "${FILESDIR}/grub-ec2.cfg" grub.cfg
 	elif use openstack ; then
 		newins "${FILESDIR}/grub-openstack.cfg" grub.cfg
-	elif use brightbox ; then
-		newins "${FILESDIR}/grub-brightbox.cfg" grub.cfg
 	fi
 
 	insinto "/usr/share/oem/base"

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38545_7.87.0.patch

@@ -0,0 +1,134 @@
+From 92fd36dd54de9ac845549944692eb33c5aee7343 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Mon, 9 Oct 2023 17:15:44 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+This patch applies to curl versions 7.87.0 - 8.1.2. Other versions
+that are affected take a different patch. Refer to the CVE advisory
+for more information.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c             |  8 +++----
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index d491e08..e7da5b4 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -539,9 +539,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ 
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+ 
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -882,7 +882,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3e0221a..64b11de 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -99,7 +99,7 @@ test679 test680 test681 test682 test683 test684 test685 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+-- 
+2.7.4
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38546.patch

@@ -0,0 +1,120 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff -r -u -p curl-8.0.1/lib/cookie.c curl-8.0.1-patched/lib/cookie.c
+--- curl-8.0.1/lib/cookie.c	2023-03-20 11:38:42.000000000 -0000
++++ curl-8.0.1-patched/lib/cookie.c	2023-10-13 11:42:44.820188193 -0000
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-          strstore(&co->version, valuep, vlen);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+           /*
+@@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data,
+     free(clist->path);
+     free(clist->spath);
+     free(clist->expirestr);
+-    free(clist->version);
+     free(clist->maxage);
+ 
+     *clist = *co;  /* then store all the new data */
+@@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(stru
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+     /*
+      * Initialize the next_expiration time to signal that we don't have enough
+      * information yet.
+@@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieIn
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff -r -u -p curl-8.0.1/lib/cookie.h curl-8.0.1-patched/lib/cookie.h
+--- curl-8.0.1/lib/cookie.h	2023-03-17 23:34:19.000000000 -0000
++++ curl-8.0.1-patched/lib/cookie.h	2023-10-13 11:47:39.693438491 -0000
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;      /* domain = <this> */
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -61,13 +57,11 @@ struct Cookie {
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;      /* last creation-time used in the jar */
+   bool running;    /* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;      /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* This is the maximum line length we accept for a cookie line. RFC 2109
+diff -r -u -p curl-8.0.1/lib/easy.c curl-8.0.1-patched/lib/easy.c
+--- curl-8.0.1/lib/easy.c	2023-03-20 11:28:32.000000000 -0000
++++ curl-8.0.1-patched/lib/easy.c	2023-10-13 11:42:44.824188258 -0000
+@@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(st
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest

@@ -1,10 +1,2 @@
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
-DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
-DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
-DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
-DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
-DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
-DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
+DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
+DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch

@@ -1,48 +0,0 @@
-diff --git a/auth-options.c b/auth-options.c
-index b05d6d6f..d1f42f04 100644
---- a/auth-options.c
-+++ b/auth-options.c
-@@ -26,6 +26,7 @@
- #include <stdarg.h>
- #include <ctype.h>
- #include <limits.h>
-+#include <stdlib.h>
- 
- #include "openbsd-compat/sys-queue.h"
- 
-diff --git a/hmac.c b/hmac.c
-index 1c879640..a29f32c5 100644
---- a/hmac.c
-+++ b/hmac.c
-@@ -19,6 +19,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdlib.h>
- 
- #include "sshbuf.h"
- #include "digest.h"
-diff --git a/krl.c b/krl.c
-index 8e2d5d5d..c32e147a 100644
---- a/krl.c
-+++ b/krl.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <time.h>
- #include <unistd.h>
-+#include <stdlib.h>
- 
- #include "sshbuf.h"
- #include "ssherr.h"
-diff --git a/mac.c b/mac.c
-index 51dc11d7..3d11eba6 100644
---- a/mac.c
-+++ b/mac.c
-@@ -29,6 +29,7 @@
- 
- #include <string.h>
- #include <stdio.h>
-+#include <stdlib.h>
- 
- #include "digest.h"
- #include "hmac.h"

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch

@@ -1,18 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
-@@ -1414,14 +1414,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch

@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- 	if (version_addendum != NULL && *version_addendum == '\0')
- 		version_addendum = NULL;
- 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- 	    version_addendum == NULL ? "" : " ",
- 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		oerrno = errno;

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch

@@ -1,14 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 2e065ba3..4ce80cb2 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_ppoll
- 	SC_ALLOW(__NR_ppoll),
- #endif
-+#ifdef __NR_ppoll_time64
-+	SC_ALLOW(__NR_ppoll_time64),
-+#endif
- #ifdef __NR_poll
- 	SC_ALLOW(__NR_poll),
- #endif

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch

@@ -1,12 +0,0 @@
-diff -ur a/auth2.c b/auth2.c
---- a/auth2.c	2022-05-19 15:59:32.875160028 -0700
-+++ b/auth2.c	2022-05-19 16:03:44.291594908 -0700
-@@ -226,7 +226,7 @@
- 	int digest_alg;
- 	size_t len;
- 	u_char *hash;
--	double delay;
-+	double delay = 0;
- 
- 	digest_alg = ssh_digest_maxbytes();
- 	if (len = ssh_digest_bytes(digest_alg) > 0) {

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-GSSAPI-dns.patch

@@ -1,8 +1,6 @@
-diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
+@@ -637,118 +637,6 @@
  	return (&fake);
  }
  
@@ -121,11 +119,9 @@ index 00b168b4..8ee93581 100644
  /* These functions link key/cert options to the auth framework */
  
  /* Log sshauthopt options locally and (optionally) for remote transmission */
-diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
 --- a/canohost.c
 +++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
+@@ -205,3 +205,117 @@
  {
  	return get_sock_port(sock, 1);
  }
@@ -243,11 +239,9 @@ index a810da0e..18e9d8d4 100644
 +		return dnsname;
 +	}
 +}
-diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
+@@ -160,6 +160,7 @@
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -255,7 +249,7 @@ index 03369a08..b45898ce 100644
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
+@@ -207,9 +208,11 @@
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -267,7 +261,7 @@ index 03369a08..b45898ce 100644
  #endif
  #ifdef ENABLE_PKCS11
  	{ "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
+@@ -1125,6 +1128,10 @@
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
  
@@ -278,7 +272,7 @@ index 03369a08..b45898ce 100644
  	case oBatchMode:
  		intptr = &options->batch_mode;
  		goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+@@ -2341,6 +2348,7 @@
  	options->pubkey_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -286,7 +280,7 @@ index 03369a08..b45898ce 100644
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+@@ -2501,6 +2509,8 @@
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -295,11 +289,9 @@ index 03369a08..b45898ce 100644
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
+@@ -41,6 +41,7 @@
  	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
  	int     gss_authentication;	/* Try GSS authentication */
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
@@ -307,11 +299,9 @@ index f7d53b06..c3a91898 100644
  	int     password_authentication;	/* Try password
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
+@@ -843,6 +843,16 @@
  Forward (delegate) credentials to the server.
  The default is
  .Cm no .
@@ -328,11 +318,9 @@ index cd0eea86..27101943 100644
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+@@ -764,6 +764,13 @@
  	OM_uint32 min;
  	int r, ok = 0;
  	gss_OID mech = NULL;
@@ -346,7 +334,7 @@ index fea50fab..aeff639b 100644
  
  	/* Try one GSSAPI method at a time, rather than sending them all at
  	 * once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+@@ -778,7 +785,7 @@
  		    elements[authctxt->mech_tried];
  		/* My DER encoding requires length<128 */
  		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch

@@ -1,5 +1,3 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 23b40b643..d93a357c6 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
 @@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch

@@ -5,9 +5,9 @@ https://bugs.gentoo.org/493866
 
 --- a/regress/putty-ciphers.sh
 +++ b/regress/putty-ciphers.sh
-@@ -10,11 +10,17 @@ fi
+@@ -16,11 +16,17 @@
  
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
  	verbose "$tid: cipher $c"
 +	rm -f ${COPY}
  	cp ${OBJ}/.putty/sessions/localhost_proxy \
@@ -26,7 +26,7 @@ https://bugs.gentoo.org/493866
  	if [ $? -ne 0 ]; then
 --- a/regress/putty-kex.sh
 +++ b/regress/putty-kex.sh
-@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+@@ -20,6 +20,12 @@
  	    ${OBJ}/.putty/sessions/kex_$k
  	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
  
@@ -41,7 +41,7 @@ https://bugs.gentoo.org/493866
  		fail "KEX $k failed"
 --- a/regress/putty-transfer.sh
 +++ b/regress/putty-transfer.sh
-@@ -14,6 +14,13 @@ for c in 0 1 ; do
+@@ -26,6 +26,13 @@
  	cp ${OBJ}/.putty/sessions/localhost_proxy \
  	    ${OBJ}/.putty/sessions/compression_$c
  	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch

@@ -1,5 +1,3 @@
-diff --git a/gss-serv.c b/gss-serv.c
-index b5d4bb2d..00e3d118 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd

@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd

@@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# Make sure that the user's config isn't busted before we try
+	# to start the daemon (this will produce better error messages
+	# than if we just try to start it blindly).
+	#
+	# We always need to call checkconfig because this function will
+	# also generate any missing host key and you can start a
+	# non-running service with "restart" argument.
+	checkconfig || return $?
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml

@@ -6,31 +6,28 @@
 		<name>Gentoo Base System</name>
 	</maintainer>
 	<longdescription>
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that 
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet, 
-rlogin, ftp, and other such programs might not realize that their password is transmitted 
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) 
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. 
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety 
-of authentication methods.
+		OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+		increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+		rlogin, ftp, and other such programs might not realize that their password is transmitted
+		across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+		to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+		Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+		of authentication methods.
 
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which 
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of 
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, 
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+		The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+		replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+		the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+		ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 	</longdescription>
 	<use>
-		<flag name="hpn">Enable high performance ssh</flag>
 		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
 		<flag name="livecd">Enable root password logins for live-cd environment.</flag>
 		<flag name="security-key">Include builtin U2F/FIDO support</flag>
 		<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
-		<flag name="X509">Adds support for X.509 certificate authentication</flag>
 		<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
 		<remote-id type="github">openssh/openssh-portable</remote-id>
-		<remote-id type="sourceforge">hpnssh</remote-id>
 	</upstream>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild

@@ -9,59 +9,26 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
 # and _p? releases.
 PARCH=${P/_}
 
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch"
-HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
-
-SCTP_VER="1.2"
-SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-
-X509_VER="14.1.1"
-X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
-X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
-
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? (
-		$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
-		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
-	)}
-	${X509_VER:+X509? (
-		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
-		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
-		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
-	)}
-	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
+SRC_URI="
+	mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )"
 VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
 S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
 
 RESTRICT="!test? ( test )"
 
 REQUIRED_USE="
-	hpn? ( ssl )
 	ldns? ( ssl )
 	pie? ( !static )
 	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
 	xmss? ( ssl  )
 	test? ( ssl )
 "
@@ -69,16 +36,13 @@ REQUIRED_USE="
 # tests currently fail with XMSS
 REQUIRED_USE+="test? ( !xmss )"
 
-# Blocker on older gcc-config for bug #872416
 LIB_DEPEND="
-	!<sys-devel/gcc-config-2.6
 	audit? ( sys-process/audit[static-libs(+)] )
 	ldns? (
 		net-libs/ldns[static-libs(+)]
 		net-libs/ldns[ecdsa(+),ssl(+)]
 	)
 	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
 	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
@@ -98,6 +62,7 @@ DEPEND="${RDEPEND}
 	static? ( ${LIB_DEPEND} )
 "
 RDEPEND="${RDEPEND}
+	!net-misc/openssh-contrib
 	pam? ( >=sys-auth/pambase-20081028 )
 	!prefix? ( sys-apps/shadow )
 	X? ( x11-apps/xauth )
@@ -116,31 +81,41 @@ BDEPEND="
 "
 
 PATCHES=(
-	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
-	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
-	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
-	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
-	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/${PN}-9.3_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/${PN}-9.3_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
 	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
-	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
-	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044
 	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
 )
 
 pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	local missing=()
-	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
-	check_feature hpn HPN_VER
-	check_feature sctp SCTP_PATCH
-	check_feature X509 X509_PATCH
-	if [[ ${#missing[@]} -ne 0 ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested: ${missing[*]}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
+	local i enabled_eol_flags disabled_eol_flags
+	for i in hpn sctp X509; do
+		if has_version "net-misc/openssh[${i}]"; then
+			enabled_eol_flags+="${i},"
+			disabled_eol_flags+="-${i},"
+		fi
+	done
+
+	if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
+		ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
+		ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
+		ewarn "since these USE flags required third-party patches that often trigger bugs"
+		ewarn "and are of questionable provenance."
+		ewarn
+		ewarn "If you must continue relying on this functionality, switch to"
+		ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
+		ewarn "world file first: 'emerge --deselect net-misc/openssh'"
+		ewarn
+		ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
+		ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
+		ewarn "variant, when re-emerging you will have to set"
+		ewarn
+		ewarn "  OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+
+		die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
 	fi
 
 	# Make sure people who are using tcp wrappers are notified of its removal. #531156
@@ -150,13 +125,6 @@ pkg_pretend() {
 	fi
 }
 
-src_unpack() {
-	default
-
-	# We don't have signatures for HPN, X509, so we have to write this ourselves
-	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
-}
-
 src_prepare() {
 	sed -i \
 		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@@ -169,107 +137,6 @@ src_prepare() {
 
 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
 
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
-		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
 	eapply_user #473004
 
 	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@@ -283,11 +150,6 @@ src_prepare() {
 		-e 's:-D_FORTIFY_SOURCE=2::'
 	)
 
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
 	# _XOPEN_SOURCE causes header conflicts on Solaris
 	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
 		-e 's/-D_XOPEN_SOURCE//'
@@ -323,20 +185,17 @@ src_configure() {
 		--datadir="${EPREFIX}"/usr/share/openssh
 		--with-privsep-path="${EPREFIX}"/var/empty
 		--with-privsep-user=sshd
+		--with-hardening
 		$(use_with audit audit linux)
 		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
 		$(use_with ldns)
 		$(use_with libedit)
 		$(use_with pam)
 		$(use_with pie)
 		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with security-key security-key-builtin)
 		$(use_with ssl openssl)
 		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
 	)
 
 	if use elibc_musl; then
@@ -368,6 +227,37 @@ src_test() {
 	emake -j1 "${tests[@]}" </dev/null
 }
 
+insert_include() {
+	local src_config=${1} options=${2} includedir=${3}
+	local name copy regexp_options regexp lineno comment_options
+
+	name=${src_config##*/}
+	copy="${T}/${name}"
+	cp -a "${src_config}" "${copy}" || die
+
+	# Catch "Option ", "#Option " or "# Option ".
+	regexp_options=${options//,/'\|'}
+	regexp='^[[:space:]]*#\?[[:space:]]*\('"${regexp_options}"'\)[[:space:]]'
+	lineno=$(set -o pipefail; grep -ne "${regexp}" -m 1 "${copy}" | cut -d : -f 1 || die)
+	# We have found a first line with the option, now find a first
+	# non-comment line just above the comments of the option. The
+	# lineno - 2 is here to ignore the line just above the option
+	# in case the comment block is separated by an empty line.
+	lineno=$(set -o pipefail; head -n $((lineno - 2)) "${copy}" | grep -ne '^[[:space:]]*\([^#]\|$\)' | tail -n 1 | cut -d : -f 1 || die)
+
+	comment_options=${options//,/ or }
+	{
+		head -n "${lineno}" "${copy}" || die
+		cat <<-EOF || die
+		# Make sure that all ${comment_options} options are below this Include!
+		Include "${EPREFIX}/${includedir}/*.conf"
+
+		EOF
+		tail -n "+${lineno}" "${copy}" || die
+	} >"${src_config}"
+	rm -f "${copy}" || die
+}
+
 # Gentoo tweaks to default config files.
 tweak_ssh_configs() {
 	local locale_vars=(
@@ -380,46 +270,69 @@ tweak_ssh_configs() {
 		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
 	)
 
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+	dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
 
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
+	insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d'
+	insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d'
 
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+	# Send locale environment variables (bug #367017)
 	SendEnv ${locale_vars[*]}
 
-	# Send COLORTERM to match TERM. #658540
+	# Send COLORTERM to match TERM (bug #658540)
 	SendEnv COLORTERM
 	EOF
 
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+	EOF
+
+	# Move sshd's Subsystem option to a drop-in file.
+	grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
+	sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config
+
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+	# Allow client to pass locale environment variables (bug #367017)
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM (bug #658540)
+	AcceptEnv COLORTERM
+	EOF
+
 	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+		UsePAM yes
+		# This interferes with PAM.
+		PasswordAuthentication no
+		# PAM can do its own handling of MOTD.
+		PrintMotd no
+		PrintLastLog no
+		EOF
 	fi
 
 	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+		# Allow root login with password on livecds.
+		PermitRootLogin Yes
+		EOF
 	fi
+
+	local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf)
+	fperms 0700 /etc/ssh/sshd_config.d
+	fperms 0600 "${sshd_drop_ins[@]#${ED}}"
 }
 
 src_install() {
 	emake install-nokeys DESTDIR="${D}"
 	fperms 600 /etc/ssh/sshd_config
 	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
 
 	if use pam; then
 		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
@@ -428,9 +341,7 @@ src_install() {
 	tweak_ssh_configs
 
 	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
 
 	diropts -m 0700
 	dodir /etc/skel/.ssh
@@ -501,16 +412,4 @@ pkg_postinst() {
 		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
 		elog "and update all clients/servers that utilize them."
 	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
 }

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0022-sgdisk-Run-partprobe-after-partition-changes.patch

@@ -0,0 +1,67 @@
+From e5c4e6bd9f3bad3b27e338e4da2f3b0b53ab1599 Mon Sep 17 00:00:00 2001
+From: Kai Lueke <kailuke@microsoft.com>
+Date: Fri, 29 Sep 2023 18:06:09 +0200
+Subject: [PATCH] sgdisk: Run partprobe after partition changes
+
+The sgdisk tool does not update the kernel partition table in contrast
+to other similar tools. Often udev can detect the changes but not always
+as experienced when adding a new partition on Flatcar's boot disk.
+Instead of implicitly relying on some other component to re-read the
+kernel partition table, trigger the re-read with partprobe.
+---
+ dracut/30ignition/module-setup.sh | 1 +
+ internal/distro/distro.go         | 2 ++
+ internal/sgdisk/sgdisk.go         | 5 +++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/dracut/30ignition/module-setup.sh b/dracut/30ignition/module-setup.sh
+index ad7e80fd..3cdcb631 100755
+--- a/dracut/30ignition/module-setup.sh
++++ b/dracut/30ignition/module-setup.sh
+@@ -33,6 +33,7 @@ install() {
+         mkfs.xfs \
+         mkswap \
+         sgdisk \
++        partprobe \
+         useradd \
+         userdel \
+         usermod \
+diff --git a/internal/distro/distro.go b/internal/distro/distro.go
+index 61ca87ae..c1c13b62 100644
+--- a/internal/distro/distro.go
++++ b/internal/distro/distro.go
+@@ -37,6 +37,7 @@ var (
+ 	mdadmCmd     = "mdadm"
+ 	mountCmd     = "mount"
+ 	sgdiskCmd    = "sgdisk"
++	partprobeCmd = "partprobe"
+ 	modprobeCmd  = "modprobe"
+ 	udevadmCmd   = "udevadm"
+ 	usermodCmd   = "usermod"
+@@ -90,6 +91,7 @@ func GroupdelCmd() string  { return groupdelCmd }
+ func MdadmCmd() string     { return mdadmCmd }
+ func MountCmd() string     { return mountCmd }
+ func SgdiskCmd() string    { return sgdiskCmd }
++func PartprobeCmd() string { return partprobeCmd }
+ func ModprobeCmd() string  { return modprobeCmd }
+ func UdevadmCmd() string   { return udevadmCmd }
+ func UsermodCmd() string   { return usermodCmd }
+diff --git a/internal/sgdisk/sgdisk.go b/internal/sgdisk/sgdisk.go
+index 29915809..e70a3881 100644
+--- a/internal/sgdisk/sgdisk.go
++++ b/internal/sgdisk/sgdisk.go
+@@ -121,6 +121,11 @@ func (op *Operation) Commit() error {
+ 	if _, err := op.logger.LogCmd(cmd, "deleting %d partitions and creating %d partitions on %q", len(op.deletions), len(op.parts), op.dev); err != nil {
+ 		return fmt.Errorf("create partitions failed: %v", err)
+ 	}
++	// In contrast to similar tools, sgdisk does not trigger the update of the kernel partition table
++	cmd = exec.Command(distro.PartprobeCmd(), op.dev)
++	if _, err := op.logger.LogCmd(cmd, "re-reading of %d deleted partitions and %d created partitions on %q", len(op.deletions), len(op.parts), op.dev); err != nil {
++		return fmt.Errorf("re-reading partitions failed: %v", err)
++	}
+ 
+ 	return nil
+ }
+-- 
+2.41.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild

@@ -60,6 +60,7 @@ PATCHES=(
 	"${FILESDIR}/0016-internal-exec-stages-disks-prevent-races-with-udev.patch"
 	"${FILESDIR}/0017-translation-support-OEM-and-oem.patch"
 	"${FILESDIR}/0018-revert-internal-oem-drop-noop-OEMs.patch"
+	"${FILESDIR}/0022-sgdisk-Run-partprobe-after-partition-changes.patch"
 )
 
 src_compile() {

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest

@@ -1 +1 @@
-DIST systemd-stable-252.5.tar.gz 11762414 BLAKE2B c9560ad5e49b7ff33ebcf2e553fa1824131e84bb7c40e5b04135bcdce9ad2ef32194382a501a1853a28e02b7f434bf1fb53edd6e9272d432c23fb116015d751f SHA512 f3359e0496b673033d6c8da5c117890e0dc26c9db51003b28f629ac751d9bae117be32d9f54c377eb2d5a7c2d36ac0dbdc2116498698e993550fbdd9aae535b9
+DIST systemd-stable-252.11.tar.gz 11845530 BLAKE2B 5c4492040640d09248d4ec775e8bfca5dbe81d42f4fbda6ecb120271624c19d84eeacd0e93dd018fbab714a29954d50898a93238179948927e466b345446bc9a SHA512 f64c452b028eb8c6342a7e3b943fc22adb04bcfe00790dd91827604bf8746b5cf87fbffd666f408b1a89ed999dec2629533b92d02bec560406ea03313fc41206

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-Revert-core-service-when-resetting-PID-also-reset-known.patch

@@ -0,0 +1,40 @@
+From 34e834f496338fdc2a8a8cc771cba4082079cf9a Mon Sep 17 00:00:00 2001
+From: msizanoen <msizanoen@qtmlabs.xyz>
+Date: Mon, 12 Jun 2023 10:30:12 +0700
+Subject: [PATCH] Revert "core/service: when resetting PID also reset known
+ flag"
+
+This reverts commit ff32060f2ed37b68dc26256b05e2e69013b0ecfe.
+
+This change is incorrect as we don't want to mark the PID as invalid but
+only mark it as dead.
+
+The change in question also breaks user level socket activation for
+`podman.service` as the termination of the main `podman system service`
+process is not properly handled, causing any application accessing the
+socket to hang.
+
+This is because the user-level `podman.service` unit also hosts two
+non-main processes: `rootlessport` and `rootlessport-child` which causes
+the `cgroup_good` check to still succeed.
+
+The original submitter of this commit is recommended to find another
+more correct way to fix the cgroupsv1 issue on CentOS 8.
+
+(cherry picked from commit f29f0877c5abfd03060838d1812ea6fdff3b0b37)
+---
+ src/core/service.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index c05f13c765..211f72900e 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3529,7 +3529,6 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+                         return;
+ 
+                 s->main_pid = 0;
+-                s->main_pid_known = false;
+                 exec_status_exit(&s->main_exec_status, &s->exec_context, pid, code, status);
+ 
+                 if (s->main_command) {

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.11-r1.ebuild

@@ -248,6 +248,7 @@ src_prepare() {
 		"${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch"
 		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
 		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
+		"${FILESDIR}/0008-Revert-core-service-when-resetting-PID-also-reset-known.patch"
 	)
 
 	if ! use vanilla; then

sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf

@@ -11,3 +11,4 @@ d /var/lib/sss/pipes/private	0700	root	root	-	-
 d /var/lib/sss/pubconf		0700	root	root	-	-
 d /var/lib/sss/pubconf/krb5.include.d	0700	root	root	-	-
 d /var/lib/sss/secrets		0755	root	root	-	-
+d /var/log/sssd			0700	root	root	-	-

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild

@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="d3cc0f4b1dce6a5084a8a909810efc30c367020b" # flatcar-master
+	CROS_WORKON_COMMIT="010fa853e525a7174e4a60385c18716b7d8ece24" # flatcar-3602-backport
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest

@@ -1 +1 @@
-DIST linux-firmware-20230404.tar.xz 273105092 BLAKE2B 3bf6c4d5e501362613bdcb01c416a4ed8f818c48bc5875040aec05b63b570d156200ed85c7206d2075b9b0998aa4a358c0bcd5fa3abd3efcee145492b602db52 SHA512 815ee4c72396d9dcebd1e8a66cd63a523e3dcf623a06cb6d5d4df63a0830532c66f5c4564dd3c258ebe5072830a103800b7159d39d7a68cbb40d76abed399f9c
+DIST linux-firmware-20230625_p20230724.tar.gz 441906566 BLAKE2B 5bed31d9ad78440bb12feeacb1ba27a07ad30b0eb8c7bfd03a4e7a7590012af1f9535a49fbf031abf79dd05ca90be79566f06db6f955910edfdca61281831c67 SHA512 daaf07422eb6f3e1b50f8a5dba5bfff747fe6750c0210ab798745f61d774eef7642ab45b9b404c668cf017d6b7fcf89c34bce9e6c77053b1b81f1a3498c5be18

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild

@@ -10,7 +10,7 @@ inherit linux-info savedconfig
 
 # In case this is a real snapshot, fill in commit below.
 # For normal, tagged releases, leave blank
-MY_COMMIT=
+MY_COMMIT="59fbffa9ec8e4b0b31d2d13e715cf6580ad0e99c"
 
 if [[ ${PV} == 99999999* ]]; then
 	inherit git-r3
@@ -18,6 +18,7 @@ if [[ ${PV} == 99999999* ]]; then
 else
 	if [[ -n "${MY_COMMIT}" ]]; then
 		SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz"
+		S="${WORKDIR}/${MY_COMMIT}"
 	else
 		SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/linux-firmware-${PV}.tar.xz -> linux-firmware-${PV}.tar.xz"
 	fi
@@ -59,7 +60,7 @@ RESTRICT="binchecks strip"
 # source name is linux-firmware, not coreos-firmware
 S="${WORKDIR}/linux-firmware-${PV}"
 
-CXGB_VERSION="1.27.1.0"
+CXGB_VERSION="1.27.3.0"
 ICE_DDP_VERSION="1.3.30.0"
 
 src_unpack() {
@@ -67,6 +68,11 @@ src_unpack() {
 		git-r3_src_unpack
 	else
 		default
+		# rename directory from git snapshot tarball
+		if [[ ${#MY_COMMIT} -gt 8 ]]; then
+			mv ${MY_COMMIT}/ linux-firmware-${PV} || die
+		fi
+
 		# Upstream linux-firmware tarball does not contain
 		# symlinks for cxgb4 firmware files, but "modinfo
 		# cxgb4.ko" shows it requires t?fw.bin files. These