New version: stable-3602.2.2

The special Brightbox image uses the OpenStack userdata in Ignition but
lacked Afterburn usage. It actually works to use the OpenStack image and
directly which also enables Afterburn, thus we can drop the special
image.
Don't build a special image for Brightbox but recommend to use OpenStack
images directly. A symlink is added to help with the download of
hardcoded user scripts.

.github/workflows/cacerts-release.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out main scripts branch for GitHub workflow scripts only
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: gha
@@ -23,7 +23,7 @@ jobs:
         run: gha/.github/workflows/figure-out-branch.sh '${{ matrix.channel }}'
       - name: Check out work scripts branch for updating
         if: steps.figure-out-branch.outputs.SKIP == 0
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: work
@@ -57,7 +57,7 @@ jobs:
         run: gha/.github/workflows/cacerts-apply-patch.sh
       - name: Create pull request
         if: (steps.figure-out-branch.outputs.SKIP == 0) && (steps.apply-patch.outputs.UPDATE_NEEDED == 1)
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: work
@@ -66,4 +66,3 @@ jobs:
           title: Update ca-certificates in ${{ steps.figure-out-branch.outputs.BRANCH }} from ${{ steps.apply-patch.outputs.VERSION_OLD }} to ${{ steps.nss-latest-release.outputs.NSS_VERSION }}
           body: Subject says it all.
           labels: ${{ steps.figure-out-branch.outputs.LABEL }}
-          signoff: true

.github/workflows/ci.yaml

@@ -1,40 +1,33 @@
 name: "Run build"
 on:
+  pull_request:
+    # Run when the PR is opened, reopened, or updated (synchronize)
+    types: [opened, ready_for_review, reopened, synchronize]
   workflow_dispatch:
     inputs:
       image_formats:
-        type: string
         description: |
           Space-separated vendor formats to build.
         required: true
-        default: qemu_uefi pxe
-      custom_sdk_version:
-        type: string
-        required: false
-        description: |
-          Custom SDK container version to use for this build.
+        default: qemu_uefi
 
-  workflow_call:
-    inputs:
-      image_formats:
-        type: string
-        description: |
-          Space-separated vendor formats to build.
-        required: true
-        default: qemu_uefi pxe
-      custom_sdk_version:
-        type: string
-        required: false
-        description: |
-          Custom SDK container version to use for this build.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} 
+  cancel-in-progress: true
 
 permissions:
   pull-requests: write
 
 jobs:
   packages:
+    # Do not run when still in draft mode but a review was requested anyway
+    if: github.event.pull_request.draft == false
     name: "Build Flatcar packages"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
+      - self-hosted
+      - debian
+      - build
+      - x64
     strategy:
       fail-fast: false
       matrix:
@@ -50,24 +43,20 @@ jobs:
         run: |
           sudo rm /bin/sh
           sudo ln -s /bin/bash /bin/sh
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release qemu-user-static git
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          echo \
+            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+            $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
           sudo apt-get update
-          sudo apt-get install -y ca-certificates curl git gnupg lsb-release python3 python3-packaging qemu-user-static zstd
+          sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
 
-      - name: Set up Docker
-        uses: docker/setup-docker-action@v4
-
-      - name: Checkout scripts
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           path: scripts
           fetch-depth: 0
 
-      - name: Checkout build scripts
-        uses: actions/checkout@v4
-        with:
-          repository: flatcar/flatcar-build-scripts
-          path: flatcar-build-scripts
-
       # Hack alert: actions/checkout will check out the (disjunct) merge commit of a PR
       #  instead of its head commit. That commit is not connected to any branch.
       # This causes breakage downstream e.g. when the devcontainer test wants to check out
@@ -81,6 +70,7 @@ jobs:
           set -euo pipefail
 
           git checkout ${{ github.event.pull_request.head.sha }}
+          git submodule update
 
       - name: Set environment
         shell: bash
@@ -88,16 +78,18 @@ jobs:
           arch="${{ matrix.arch }}"
           echo "arch=${arch}" >> $GITHUB_ENV
 
-          IMAGE_FORMATS="qemu_uefi pxe"
-          [ -z "${{ inputs.image_formats }}" ] || IMAGE_FORMATS="${{ inputs.image_formats }}"
+          IMAGE_FORMATS="qemu_uefi"
+          [ -z "${{ github.event.inputs.image_formats }}" ] || IMAGE_FORMATS="${{ github.event.inputs.image_formats }}"
           echo "IMAGE_FORMATS=${IMAGE_FORMATS}" >> $GITHUB_ENV
 
-          # Artifact root for images as seen from within the container
+          # Artifact root for images and torcx tarball as seen from within the container
           echo "CI_CONTAINER_ARTIFACT_ROOT=/home/sdk/trunk/src/scripts/artifacts" >> $GITHUB_ENV
+          echo "CI_CONTAINER_TORCX_ROOT=/home/sdk/trunk/src/scripts/artifacts/torcx" >> $GITHUB_ENV
+          mkdir -p artifacts/torcx
 
-          if [ -n "${{ inputs.custom_sdk_version }}" ] ; then
-              echo "CUSTOM_SDK_VERSION=${{ inputs.custom_sdk_version }}" >> $GITHUB_ENV
-          fi
+          # Placeholder URL for run-kola-tests.yaml, "Extract artifacts" step which will replace
+          #  this with its IP address.
+          echo "TORCX_TESTS_PACKAGE_URL=http://localhost:12345" >> $GITHUB_ENV
 
       - name: Build packages
         shell: bash
@@ -106,13 +98,12 @@ jobs:
           set -x
           set -euo pipefail
 
-          # This is also done again in run-kola-tests.yaml because these changes here disappear
           source ci-automation/ci_automation_common.sh
           source sdk_container/.repo/manifests/version.txt
 
           version="alpha-$FLATCAR_VERSION_ID"
           check_version_string "$version"
-          sdk_version="${CUSTOM_SDK_VERSION:-$FLATCAR_SDK_VERSION}"
+          sdk_version="${FLATCAR_SDK_VERSION}"
 
           sdk_name="flatcar-sdk-${arch}"
           docker_sdk_vernum="$(vernum_to_docker_image_version "${sdk_version}")"
@@ -132,7 +123,9 @@ jobs:
           #  which will be re-used by subsequent build steps.
           ./run_sdk_container -n "${container_name}" -v "${version}" \
             -C "${sdk_image}" \
-            ./build_packages --board="${arch}-usr"
+            ./build_packages --board="${arch}-usr" \
+                --torcx_output_root="${CI_CONTAINER_TORCX_ROOT}" \
+                --torcx_extra_pkg_url="${TORCX_TESTS_PACKAGE_URL}"
 
           # Create binpkgs tarball for archiving as artifact later
           ./run_sdk_container -n "${container_name}" \
@@ -140,7 +133,7 @@ jobs:
                 -cvf binpkgs.tar .
 
       - name: Extract build logs
-        if: always() && !cancelled()
+        if: always()
         shell: bash
         run: |
           set -euo pipefail
@@ -151,8 +144,8 @@ jobs:
               /build/${arch}-usr/var/tmp/portage
 
       - name: Upload build logs
-        if: always() && !cancelled()
-        uses: actions/upload-artifact@v4
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-build-logs
@@ -177,7 +170,7 @@ jobs:
           ./run_sdk_container -n "${container_name}" \
                   ./build_image --board="${arch}-usr" --group="${channel}" \
                                 --output_root="${CI_CONTAINER_ARTIFACT_ROOT}" \
-                                prodtar container sysext oem_sysext
+                                --torcx_root="${CI_CONTAINER_TORCX_ROOT}" prodtar container
 
       - name: Build VM image(s)
         shell: bash
@@ -189,34 +182,34 @@ jobs:
 
           images_out="images"
 
-          printf -v formats "%s\n" ${IMAGE_FORMATS}
-          if grep -q '^vmware' <<< "${formats}"; then
-              formats=$(grep -v '^vmware' <<< "${formats}")
-              printf -v formats "%s\n" ${formats} vmware vmware_ova vmware_raw
+          has_packet=0
+          has_pxe=0
+          formats="${IMAGE_FORMATS}"
+          for format in "${formats}";do
+            [[ "${format}" = 'packet' ]] || [[ "${format}" = 'equinix_metal' ]] && has_packet=1
+            [[ "${format}" = 'pxe' ]] && has_pxe=1
+          done
+
+          [[ ${has_packet} -eq 1 ]] && [[ ${has_pxe} -eq 0 ]] && set -- 'pxe' "${@}"
+          if echo "$formats" | tr ' ' '\n' | grep -q '^vmware'; then
+            formats=$(echo "$formats" | tr ' ' '\n' | sed '/vmware.*/d')
+            formats+=" vmware vmware_insecure vmware_ova vmware_raw"
           fi
-          if grep -q '^ami\|^aws' <<< "${formats}"; then
-              formats=$(grep -v '^ami\|^aws' <<< "${formats}")
-              printf -v formats "%s\n" ${formats} ami ami_vmdk
+          if echo "$formats" | tr ' ' '\n' | grep -q -P '^(ami|aws)'; then
+            formats=$(echo "$formats" | tr ' ' '\n' | sed '/ami.*/d' | sed '/aws/d')
+            formats+=" ami ami_vmdk"
           fi
+          # Keep compatibility with SDK scripts where "equinix_metal" remains unknown.
+          formats=$(echo "$formats" | tr ' ' '\n' | sed 's/equinix_metal/packet/g')
 
           for format in ${formats}; do
-              if [ "${format}" = qemu ] || [ "${format}" = qemu_uefi_secure ]; then
-                  continue
-              fi
               echo " ###################  VENDOR '${format}' ################### "
               ./run_sdk_container -n "${container_name}" \
                   ./image_to_vm.sh --format "${format}" --board="${arch}-usr" \
                       --from "${CI_CONTAINER_ARTIFACT_ROOT}/${arch}-usr/latest" \
-                      --image_compression_formats=none
+                      --image_compression_formats=bz2
           done
 
-          # Zip doesn't handle symlinks well, remove them
-          rm -f artifacts/${arch}-usr/latest/flatcar_production_{qemu,qemu_uefi_secure}_image.img*
-          # or create an explicit copy:
-          if [ -e artifacts/${arch}-usr/latest/flatcar_production_pxe.vmlinuz ]; then
-            rm -f artifacts/${arch}-usr/latest/flatcar_production_pxe.vmlinuz
-            cp artifacts/${arch}-usr/latest/flatcar_production_{image,pxe}.vmlinuz
-          fi
           # upload-artifacts cannot handle artifact uploads from sym-linked directories (no, really)
           #  so we move things around.
           mkdir -p artifacts/images
@@ -225,14 +218,14 @@ jobs:
             mv * ../../images/
           )
 
-      - name: Generate reports against last release
-        run: .github/workflows/image_changes.sh ${{ matrix.arch }} release
+          # create a tarball for torcx package + JSON file because upload-artifacts cannot handle filenames containing colons
+          #  (such as "docker:20.10.torcx.tgz")
+          mv artifacts/torcx/${arch}-usr/latest/torcx_manifest.json artifacts/torcx/pkgs/
+          tar -C artifacts/torcx/pkgs/ -cvf torcx.tar .
 
-      - name: Generate reports against last nightly
-        run: .github/workflows/image_changes.sh ${{ matrix.arch }} nightly
 
       - name: Upload binpkgs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-binpkgs
@@ -240,7 +233,7 @@ jobs:
             scripts/binpkgs.tar
 
       - name: Upload update image (used with kola tests later)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-test-update
@@ -248,36 +241,35 @@ jobs:
             scripts/artifacts/images/flatcar_test_update.gz
 
       - name: Upload generic image
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-generic-image
           path: |
-            scripts/artifacts/images/flatcar_production_image.bin
+            scripts/artifacts/images/flatcar_production_image.bin.bz2
             scripts/artifacts/images/flatcar_production_image.grub
             scripts/artifacts/images/flatcar_production_image.shim
             scripts/artifacts/images/flatcar_production_image.vmlinuz
             scripts/artifacts/images/flatcar_production_image*.txt
             scripts/artifacts/images/flatcar_production_image*.json
             scripts/artifacts/images/flatcar_production_image_pcr_policy.zip
-            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
-            scripts/artifacts/images/flatcar_production_qemu.sh
+            scripts/artifacts/images/flatcar_production_*_efi_*.fd
 
       - name: Upload developer container
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-devcontainer
           path: |
             scripts/artifacts/images/flatcar_developer_container*
 
-      - name: Upload reports
-        uses: actions/upload-artifact@v4
+      - name: Upload torcx tarball
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
-          name: ${{ matrix.arch }}-image-changes-reports
+          name: ${{ matrix.arch }}-torcx
           path: |
-            scripts/image-changes-reports*.txt
+            scripts/torcx.tar
 
       # Clean up what we uploaded already so the "vendor images" wildcard
       #  works when uploading artifacts in the next step.
@@ -292,19 +284,16 @@ jobs:
                 artifacts/images/flatcar_production_update*
 
       - name: Upload vendor images
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           retention-days: 7
           name: ${{ matrix.arch }}-vm-images
           path: |
-            scripts/artifacts/images/*.img
-            scripts/artifacts/images/*.bin
-            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
+            scripts/artifacts/images/*.img.bz2
+            scripts/artifacts/images/*.bin.bz2
+            scripts/artifacts/images/flatcar_production_*_efi_*.fd
             scripts/artifacts/images/*.txt
-            scripts/artifacts/images/flatcar-*.raw
             scripts/artifacts/images/flatcar_production_*.sh
-            scripts/artifacts/images/flatcar_production_pxe_image.cpio.gz
-            scripts/artifacts/images/flatcar_production_pxe.vmlinuz
 
   test:
     needs: packages

.github/workflows/common.sh

@@ -186,7 +186,7 @@ function commit_changes() {
   for dir; do
     git add "${dir}"
   done
-  git commit --signoff -m "${pkg}: Update from ${old_version} to ${new_version}"
+  git commit -m "${pkg}: Update from ${old_version} to ${new_version}"
 
   popd
 }

.github/workflows/containerd-apply-patch.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+prepare_git_repo
+
+if ! check_remote_branch "containerd-${VERSION_NEW}-${TARGET_BRANCH}"; then
+    echo "remote branch already exists, nothing to do"
+    exit 0
+fi
+
+pushd "${SDK_OUTER_OVERLAY}"
+
+VERSION_OLD=$(sed -n "s/^DIST containerd-\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p" app-emulation/containerd/Manifest | sort -ruV | head -n1)
+if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
+    echo "already the latest Containerd, nothing to do"
+    exit 0
+fi
+
+# we need to update not only the main ebuild file, but also its CONTAINERD_COMMIT,
+# which needs to point to COMMIT_HASH that matches with $VERSION_NEW from upstream containerd.
+containerdEbuildOldSymlink=$(get_ebuild_filename app-emulation/containerd "${VERSION_OLD}")
+containerdEbuildNewSymlink="app-emulation/containerd/containerd-${VERSION_NEW}.ebuild"
+containerdEbuildMain="app-emulation/containerd/containerd-9999.ebuild"
+git mv "${containerdEbuildOldSymlink}" "${containerdEbuildNewSymlink}"
+sed -i "s/CONTAINERD_COMMIT=\"\(.*\)\"/CONTAINERD_COMMIT=\"${COMMIT_HASH}\"/g" "${containerdEbuildMain}"
+sed -i "s/v${VERSION_OLD}/v${VERSION_NEW}/g" "${containerdEbuildMain}"
+
+
+DOCKER_VERSION=$(sed -n "s/^DIST docker-\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p" app-emulation/docker/Manifest | sort -ruV | head -n1)
+# torcx ebuild file has a docker version with only major and minor versions, like 19.03.
+versionTorcx=${DOCKER_VERSION%.*}
+torcxEbuildFile=$(get_ebuild_filename app-torcx/docker "${versionTorcx}")
+sed -i "s/containerd-${VERSION_OLD}/containerd-${VERSION_NEW}/g" "${torcxEbuildFile}"
+
+popd
+
+URL="https://github.com/containerd/containerd/releases/tag/v${VERSION_NEW}"
+
+generate_update_changelog 'containerd' "${VERSION_NEW}" "${URL}" 'containerd'
+
+commit_changes app-emulation/containerd "${VERSION_OLD}" "${VERSION_NEW}" \
+               app-torcx/docker
+
+cleanup_repo
+
+echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
+echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"

.github/workflows/containerd-release-main.yaml

@@ -0,0 +1,50 @@
+name: Get the latest Containerd release for main
+on:
+  schedule:
+    - cron:  '00 8 * * 5'
+  workflow_dispatch:
+
+jobs:
+  get-containerd-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out scripts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+      - name: Figure out latest Containerd release version
+        id: containerd-latest-release
+        run: |
+          versionCommitPair=( $(git ls-remote --tags https://github.com/containerd/containerd | grep 'refs/tags/v[0-9]*\.[0-9]*\.[0-9]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2 \1#g' | sort --reverse --unique --version-sort | head --lines 1) )
+
+          echo "VERSION_NEW=${versionCommitPair[0]}" >>"${GITHUB_OUTPUT}"
+          echo "COMMIT_HASH=${versionCommitPair[1]}" >>"${GITHUB_OUTPUT}"
+      - name: Set up Flatcar SDK
+        id: setup-flatcar-sdk
+        env:
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          CHANNEL: main
+        run: scripts/.github/workflows/setup-flatcar-sdk.sh
+      - name: Apply patch for main
+        id: apply-patch-main
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          VERSION_NEW: ${{ steps.containerd-latest-release.outputs.VERSION_NEW }}
+          COMMIT_HASH: ${{ steps.containerd-latest-release.outputs.COMMIT_HASH }}
+          PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
+          SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
+          TARGET_BRANCH: main
+        run: scripts/.github/workflows/containerd-apply-patch.sh
+      - name: Create pull request for main
+        uses: peter-evans/create-pull-request@v5
+        if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+          branch: "containerd-${{ steps.containerd-latest-release.outputs.VERSION_NEW }}-main"
+          base: main
+          title: Upgrade Containerd in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.containerd-latest-release.outputs.VERSION_NEW }}
+          body: Subject says it all.
+          labels: main

.github/workflows/docker-apply-patch.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+prepare_git_repo
+
+if ! check_remote_branch "docker-${VERSION_NEW}-${TARGET_BRANCH}"; then
+    echo "remote branch already exists, nothing to do"
+    exit 0
+fi
+
+pushd "${SDK_OUTER_OVERLAY}"
+
+VERSION_OLD=$(sed -n "s/^DIST docker-\([0-9]*.[0-9]*.[0-9]*\).*/\1/p" app-emulation/docker/Manifest | sort -ruV | head -n1)
+if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
+    echo "already the latest Docker, nothing to do"
+    exit 0
+fi
+
+# we need to update not only the main ebuild file, but also its DOCKER_GITCOMMIT,
+# which needs to point to COMMIT_HASH that matches with $VERSION_NEW from upstream docker-ce.
+dockerEbuildOld=$(get_ebuild_filename app-emulation/docker "${VERSION_OLD}")
+dockerEbuildNew="app-emulation/docker/docker-${VERSION_NEW}.ebuild"
+git mv "${dockerEbuildOld}" "${dockerEbuildNew}"
+sed -i "s/GIT_COMMIT=\(.*\)/GIT_COMMIT=${COMMIT_HASH_MOBY}/g" "${dockerEbuildNew}"
+sed -i "s/v${VERSION_OLD}/v${VERSION_NEW}/g" "${dockerEbuildNew}"
+
+cliEbuildOld=$(get_ebuild_filename app-emulation/docker-cli "${VERSION_OLD}")
+cliEbuildNew="app-emulation/docker-cli/docker-cli-${VERSION_NEW}.ebuild"
+git mv "${cliEbuildOld}" "${cliEbuildNew}"
+sed -i "s/GIT_COMMIT=\(.*\)/GIT_COMMIT=${COMMIT_HASH_CLI}/g" "${cliEbuildNew}"
+sed -i "s/v${VERSION_OLD}/v${VERSION_NEW}/g" "${cliEbuildNew}"
+
+# torcx ebuild file has a docker version with only major and minor versions, like 19.03.
+versionTorcx=${VERSION_OLD%.*}
+torcxEbuildFile=$(get_ebuild_filename app-torcx/docker "${versionTorcx}")
+sed -i "s/docker-${VERSION_OLD}/docker-${VERSION_NEW}/g" "${torcxEbuildFile}"
+sed -i "s/docker-cli-${VERSION_OLD}/docker-cli-${VERSION_NEW}/g" "${torcxEbuildFile}"
+
+# update also docker versions used by the current docker-runc ebuild file.
+versionRunc=$(sed -n "s/^DIST docker-runc-\([0-9]*.[0-9]*.*\)\.tar.*/\1/p" app-emulation/docker-runc/Manifest | sort -ruV | head -n1)
+runcEbuildFile=$(get_ebuild_filename app-emulation/docker-runc "${versionRunc}")
+sed -i "s/github.com\/docker\/docker-ce\/blob\/v${VERSION_OLD}/github.com\/docker\/docker-ce\/blob\/v${VERSION_NEW}/g" ${runcEbuildFile}
+
+popd
+
+# URL for Docker release notes has a specific format of
+#   https://docs.docker.com/engine/release-notes/MAJOR.MINOR/#COMBINEDFULLVERSION
+# To get the subfolder part MAJOR.MINOR, drop the patchlevel of the semver.
+#   e.g. 20.10.23 -> 20.10
+# To get the combined full version, drop all dots from the full version.
+#   e.g. 20.10.23 -> 201023
+# So the result becomes like:
+#   https://docs.docker.com/engine/release-notes/20.10/#201023
+URLSUBFOLDER=${VERSION_NEW%.*}
+URLVERSION="${VERSION_NEW//./}"
+URL="https://docs.docker.com/engine/release-notes/${URLSUBFOLDER}/#${URLVERSION}"
+
+generate_update_changelog 'Docker' "${VERSION_NEW}" "${URL}" 'docker'
+
+regenerate_manifest app-emulation/docker-cli "${VERSION_NEW}"
+commit_changes app-emulation/docker "${VERSION_OLD}" "${VERSION_NEW}" \
+               app-emulation/docker-cli \
+               app-torcx/docker \
+               app-emulation/docker-runc
+
+cleanup_repo
+
+echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
+echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"

.github/workflows/docker-release-main.yaml

@@ -0,0 +1,53 @@
+name: Get the latest Docker release for main
+on:
+  schedule:
+    - cron:  '35 7 * * 3'
+  workflow_dispatch:
+
+jobs:
+  get-docker-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out scripts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+      - name: Figure out latest Docker release version
+        id: docker-latest-release
+        run: |
+          versionCommitPairMoby=( $(git ls-remote --tags https://github.com/moby/moby | grep 'refs/tags/v[0-9]*\.[0-9]*\.[0-9]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2 \1#g' | sort --reverse --unique --version-sort | head --lines 1) )
+          commitHashCLI=$(git ls-remote --tags https://github.com/docker/cli | grep 'refs/tags/v'"${versionCommitPairMoby[0]}"'$' | cut -f1)
+
+          echo "VERSION_NEW=${versionCommitPairMoby[0]}" >>"${GITHUB_OUTPUT}"
+          echo "COMMIT_HASH_MOBY=${versionCommitPairMoby[1]}" >>"${GITHUB_OUTPUT}"
+          echo "COMMIT_HASH_CLI=${commitHashCLI}" >>"${GITHUB_OUTPUT}"
+      - name: Set up Flatcar SDK
+        id: setup-flatcar-sdk
+        env:
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          CHANNEL: main
+        run: scripts/.github/workflows/setup-flatcar-sdk.sh
+      - name: Apply patch for main
+        id: apply-patch-main
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          VERSION_NEW: ${{ steps.docker-latest-release.outputs.VERSION_NEW }}
+          COMMIT_HASH_MOBY: ${{ steps.docker-latest-release.outputs.COMMIT_HASH_MOBY }}
+          COMMIT_HASH_CLI: ${{ steps.docker-latest-release.outputs.COMMIT_HASH_CLI }}
+          PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
+          SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
+          TARGET_BRANCH: main
+        run: scripts/.github/workflows/docker-apply-patch.sh
+      - name: Create pull request for main
+        uses: peter-evans/create-pull-request@v5
+        if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+          branch: docker-${{ steps.docker-latest-release.outputs.VERSION_NEW }}-main
+          base: main
+          title: Upgrade Docker in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.docker-latest-release.outputs.VERSION_NEW }}
+          body: Subject says it all.
+          labels: main

.github/workflows/firmware-release-main.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: scripts
@@ -35,7 +35,7 @@ jobs:
           TARGET_BRANCH: main
         run: scripts/.github/workflows/firmware-apply-patch.sh
       - name: Create pull request for main
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
@@ -45,4 +45,3 @@ jobs:
           title: Upgrade Linux Firmware in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.firmware-latest-release.outputs.VERSION_NEW }}
           body: Subject says it all.
           labels: main
-          signoff: true

.github/workflows/go-apply-patch.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+prepare_git_repo
+
+# create a mapping between short version and new version, e.g. 1.16 -> 1.16.3
+declare -A VERSIONS
+for version_new in ${VERSIONS_NEW}; do
+  version_new_trimmed="${version_new%.*}"
+  if [[ "${version_new_trimmed%.*}" = "${version_new_trimmed}" ]]; then
+    version_new_trimmed="${version_new}"
+  fi
+  VERSIONS["${version_new_trimmed}"]="${version_new}"
+done
+
+branch_name="go-$(join_by '-and-' ${VERSIONS_NEW})-main"
+
+if ! check_remote_branch "${branch_name}"; then
+  echo "remote branch already exists, nothing to do"
+  exit 0
+fi
+
+# Parse the Manifest file for already present source files and keep the latest version in the current series
+# DIST go1.17.src.tar.gz ... => 1.17
+# DIST go1.17.1.src.tar.gz ... => 1.17.1
+declare -a UPDATED_VERSIONS_OLD UPDATED_VERSIONS_NEW
+any_different=0
+for version_short in "${!VERSIONS[@]}"; do
+  pushd "${SDK_OUTER_OVERLAY}"
+  VERSION_NEW="${VERSIONS["${version_short}"]}"
+  VERSION_OLD=$(sed -n "s/^DIST go\(${version_short}\(\.*[0-9]*\)\?\)\.src.*/\1/p" dev-lang/go/Manifest | sort -ruV | head -n1)
+  if [[ -z "${VERSION_OLD}" ]]; then
+    echo "${version_short} is not packaged, skipping"
+    popd
+    continue
+  fi
+  if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
+    echo "${version_short} is already at the latest (${VERSION_NEW}), skipping"
+    popd
+    continue
+  fi
+  UPDATED_VERSIONS_OLD+=("${VERSION_OLD}")
+  UPDATED_VERSIONS_NEW+=("${VERSION_NEW}")
+
+  any_different=1
+  EBUILD_FILENAME=$(get_ebuild_filename dev-lang/go "${VERSION_OLD}")
+  git mv "${EBUILD_FILENAME}" "dev-lang/go/go-${VERSION_NEW}.ebuild"
+
+  popd
+
+  URL="https://go.dev/doc/devel/release#go${VERSION_NEW}"
+
+  generate_update_changelog 'Go' "${VERSION_NEW}" "${URL}" 'go'
+
+  commit_changes dev-lang/go "${VERSION_OLD}" "${VERSION_NEW}"
+done
+
+cleanup_repo
+
+if [[ $any_different -eq 0 ]]; then
+    echo "go packages were already at the latest versions, nothing to do"
+    exit 0
+fi
+
+vo_gh="$(join_by ' and ' "${UPDATED_VERSIONS_OLD[@]}")"
+vn_gh="$(join_by ' and ' "${UPDATED_VERSIONS_NEW[@]}")"
+
+echo "VERSIONS_OLD=${vo_gh}" >>"${GITHUB_OUTPUT}"
+echo "VERSIONS_NEW=${vn_gh}" >>"${GITHUB_OUTPUT}"
+echo "BRANCH_NAME=${branch_name}" >>"${GITHUB_OUTPUT}"
+echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"

.github/workflows/go-current-major-versions.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+pushd "${SDK_OUTER_OVERLAY}"
+
+versions=()
+for ebuild in dev-lang/go/go-*.ebuild; do
+    version="${ebuild##*/go-}" # 1.20.1-r1.ebuild or 1.19.ebuild
+    version="${version%.ebuild}" # 1.20.1-r1 or 1.19
+    version="${version%%-*}" # 1.20.1 or 1.19
+    short_version="${version%.*}" # 1.20 or 1
+    if [[ "${short_version%.*}" = "${short_version}" ]]; then
+        # fix short version
+        short_version="${version}"
+    fi
+
+    versions+=($(git ls-remote --tags https://github.com/golang/go | \
+                     cut -f2 | \
+                     sed --quiet "/refs\/tags\/go${short_version}\(\.[0-9]*\)\?$/s/^refs\/tags\/go//p" | \
+                     grep --extended-regexp --invert-match --regexp='(beta|rc)' | \
+                     sort --reverse --unique --version-sort | \
+                     head --lines=1))
+done
+
+popd
+
+echo "VERSIONS_NEW=${versions[*]}" >>"${GITHUB_OUTPUT}"

.github/workflows/go-release-main.yaml

@@ -0,0 +1,48 @@
+name: Get the latest Go release for main
+on:
+  schedule:
+    - cron:  '15 7 * * 1'
+  workflow_dispatch:
+
+jobs:
+  get-go-releases:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out scripts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+      - name: Figure out latest Go release versions
+        id: go-latest-release
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+        run: scripts/.github/workflows/go-current-major-versions.sh
+      - name: Set up Flatcar SDK
+        id: setup-flatcar-sdk
+        env:
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          CHANNEL: main
+        run: scripts/.github/workflows/setup-flatcar-sdk.sh
+      - name: Apply patch for main
+        id: apply-patch-main
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          VERSIONS_NEW: ${{ steps.go-latest-release.outputs.VERSIONS_NEW }}
+          PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
+          SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
+          TARGET_BRANCH: main
+        run: scripts/.github/workflows/go-apply-patch.sh
+      - name: Create pull request for main
+        uses: peter-evans/create-pull-request@v5
+        if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+          branch: ${{ steps.apply-patch-main.outputs.BRANCH_NAME }}
+          base: main
+          title: Upgrade Go from ${{ steps.apply-patch-main.outputs.VERSIONS_OLD }} to ${{ steps.apply-patch-main.outputs.VERSIONS_NEW }}
+          body: Subject says it all.
+          labels: main

.github/workflows/image_changes.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-
-#set -x
-set -euo pipefail
-
-source ci-automation/image_changes.sh
-
-# Callback invoked by run_image_changes_job, read its docs to learn
-# about the details about the callback.
-function github_ricj_callback() {
-    package_diff_env+=(
-        "FROM_B=file://${PWD}/artifacts/images"
-        # BOARD_B and CHANNEL_B are unused.
-    )
-    package_diff_params+=(
-        # The package-diff script appends version to the file
-        # URL, but the directory with the image has no version
-        # component at its end, so we use . as a version.
-        '.'
-    )
-    # Nothing to add to size changes env.
-    size_changes_params+=(
-        "local:${PWD}/artifacts/images"
-    )
-    show_changes_env+=(
-        # Override the default locations of repositories.
-        "SCRIPTS_REPO=."
-        "COREOS_OVERLAY_REPO=../coreos-overlay"
-        "PORTAGE_STABLE_REPO=../portage-stable"
-    )
-    show_changes_params+=(
-        # We may not have a tag handy, so we tell show-changes
-        # to use git HEAD as a reference to new changelog
-        # entries.
-        'NEW_VERSION=HEAD'
-    )
-}
-
-arch=${1}; shift
-mode=${1}; shift
-report_file_name="image-changes-reports-${mode}.txt"
-
-run_image_changes_job "${arch}" "${mode}" "${report_file_name}" '../flatcar-build-scripts' github_ricj_callback

.github/workflows/kernel-apply-patch.sh

@@ -11,7 +11,6 @@ if ! check_remote_branch "linux-${VERSION_NEW}-${TARGET_BRANCH}"; then
     exit 0
 fi
 
-# Dive into ebuild repo section of SDK
 pushd "${SDK_OUTER_OVERLAY}"
 
 # trim the 3rd part in the input semver, e.g. from 5.4.1 to 5.4
@@ -25,19 +24,13 @@ if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
     exit 0
 fi
 
-extra_pkgs=(
-    sys-kernel/coreos-modules
-    sys-kernel/coreos-kernel
-    app-emulation/hv-daemons
-)
-
-for pkg in sys-kernel/coreos-{sources,modules,kernel} app-emulation/hv-daemons; do
-    pkg+=/${pkg##*/}
-    git mv "${pkg}"-*.ebuild "${pkg}-${VERSION_NEW}.ebuild"
-    sed -i -e '/^COREOS_SOURCE_REVISION=/s/=.*/=""/' "${pkg}-${VERSION_NEW}.ebuild"
+for pkg in sources modules kernel; do
+    pushd "sys-kernel/coreos-${pkg}"
+    git mv "coreos-${pkg}"-*.ebuild "coreos-${pkg}-${VERSION_NEW}.ebuild"
+    sed -i -e '/^COREOS_SOURCE_REVISION=/s/=.*/=""/' "coreos-${pkg}-${VERSION_NEW}.ebuild"
+    popd
 done
 
-# Leave ebuild repo section of SDK
 popd
 
 function get_lwn_link() {
@@ -77,7 +70,9 @@ URL=$(get_lwn_link "${VERSION_NEW}")
 
 generate_update_changelog 'Linux' "${VERSION_NEW}" "${URL}" 'linux' "${OLD_VERSIONS_AND_URLS[@]}"
 
-commit_changes sys-kernel/coreos-sources "${VERSION_OLD}" "${VERSION_NEW}" "${extra_pkgs[@]}"
+commit_changes sys-kernel/coreos-sources "${VERSION_OLD}" "${VERSION_NEW}" \
+               sys-kernel/coreos-modules \
+               sys-kernel/coreos-kernel
 
 cleanup_repo
 

.github/workflows/kernel-release.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out main scripts branch for GitHub workflow scripts only
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: gha
@@ -23,7 +23,7 @@ jobs:
         run: gha/.github/workflows/figure-out-branch.sh '${{ matrix.channel }}'
       - name: Check out work scripts branch for updating
         if: steps.figure-out-branch.outputs.SKIP == 0
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: work
@@ -58,7 +58,7 @@ jobs:
         run: gha/.github/workflows/kernel-apply-patch.sh
       - name: Create pull request
         if: (steps.figure-out-branch.outputs.SKIP == 0) && (steps.apply-patch.outputs.UPDATE_NEEDED == 1)
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: work
@@ -67,4 +67,3 @@ jobs:
           title: Upgrade Linux Kernel for ${{ steps.figure-out-branch.outputs.BRANCH }} from ${{ steps.apply-patch.outputs.VERSION_OLD }} to ${{ steps.kernel-latest-release.outputs.KERNEL_VERSION }}
           body: Subject says it all.
           labels: ${{ steps.figure-out-branch.outputs.LABEL }}
-          signoff: true

.github/workflows/mantle-releases-main.yml

@@ -45,7 +45,7 @@ jobs:
           fi
           echo "BRANCH=${branch}" >>"${GITHUB_OUTPUT}"
           echo "SKIP=${skip}" >>"${GITHUB_OUTPUT}"
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         if: ${{ steps.figure-out-branch.outputs.SKIP == 0 }}
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
         id: fetch-latest-mantle
         run: |
           set -euo pipefail
-          commit=$(git ls-remote  https://github.com/flatcar/mantle refs/heads/main | cut -f1)
+          commit=$(git ls-remote  https://github.com/flatcar/mantle refs/heads/flatcar-master | cut -f1)
           echo "COMMIT=${commit}" >>"${GITHUB_OUTPUT}"
       - name: Try to apply patch
         if: ${{ steps.figure-out-branch.outputs.SKIP == 0 }}
@@ -69,7 +69,7 @@ jobs:
           fi
       - name: Create pull request for branch
         if: ${{ steps.figure-out-branch.outputs.SKIP == 0 }}
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v4
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           base: ${{ steps.figure-out-branch.outputs.BRANCH }}
@@ -79,4 +79,3 @@ jobs:
           title: Upgrade mantle container image to latest HEAD in ${{ steps.figure-out-branch.outputs.BRANCH }}
           commit-message: Update mantle container image to latest HEAD
           delete-branch: true
-          signoff: true

.github/workflows/portage-stable-packages-list

@@ -3,36 +3,24 @@
 acct-group/adm
 acct-group/audio
 acct-group/cdrom
-acct-group/clock
-acct-group/cuse
 acct-group/dialout
 acct-group/disk
 acct-group/dnsmasq
-acct-group/docker
-acct-group/floppy
-acct-group/incus
-acct-group/incus-admin
 acct-group/input
-acct-group/jobserver
 acct-group/kmem
 acct-group/kvm
 acct-group/lp
-acct-group/lxc
 acct-group/man
 acct-group/messagebus
-acct-group/named
 acct-group/netperf
 acct-group/nobody
 acct-group/ntp
-acct-group/openct
 acct-group/pcap
-acct-group/pcscd
 acct-group/polkitd
 acct-group/portage
 acct-group/render
 acct-group/root
 acct-group/sgx
-acct-group/shadow
 acct-group/sshd
 acct-group/systemd-coredump
 acct-group/systemd-journal
@@ -44,24 +32,18 @@ acct-group/systemd-timesync
 acct-group/tape
 acct-group/tss
 acct-group/tty
-acct-group/usb
 acct-group/users
 acct-group/utmp
-acct-group/uucp
 acct-group/video
 acct-group/wheel
 
 acct-user/dnsmasq
-acct-user/lxc
 acct-user/man
 acct-user/messagebus
-acct-user/named
 acct-user/netperf
 acct-user/nobody
 acct-user/ntp
-acct-user/nvpd
 acct-user/pcap
-acct-user/pcscd
 acct-user/polkitd
 acct-user/portage
 acct-user/root
@@ -74,19 +56,12 @@ acct-user/systemd-resolve
 acct-user/systemd-timesync
 acct-user/tss
 
-app-admin/eselect
-app-admin/logrotate
-app-admin/perl-cleaner
-app-admin/sudo
-
 app-alternatives/awk
 app-alternatives/bc
 app-alternatives/bzip2
 app-alternatives/cpio
-app-alternatives/gpg
 app-alternatives/gzip
 app-alternatives/lex
-app-alternatives/ninja
 app-alternatives/sh
 app-alternatives/tar
 app-alternatives/yacc
@@ -96,12 +71,9 @@ app-arch/cpio
 app-arch/gzip
 app-arch/lbzip2
 app-arch/libarchive
-app-arch/lz4
-app-arch/lzop
 app-arch/ncompress
 app-arch/pbzip2
 app-arch/pigz
-app-arch/pixz
 app-arch/rpm2targz
 app-arch/sharutils
 app-arch/tar
@@ -112,346 +84,173 @@ app-arch/zstd
 
 app-cdr/cdrtools
 
-app-containers/aardvark-dns
-app-containers/catatonit
-app-containers/conmon
-app-containers/containerd
-app-containers/containers-common
-app-containers/containers-image
-app-containers/containers-shortnames
-app-containers/containers-storage
-app-containers/cri-tools
-app-containers/crun
-app-containers/docker
-app-containers/docker-buildx
-app-containers/docker-cli
-app-containers/incus
-app-containers/lxc
-app-containers/netavark
-app-containers/podman
-app-containers/runc
-app-containers/syft
-
 app-crypt/adcli
-app-crypt/argon2
-app-crypt/ccid
-app-crypt/gnupg
-app-crypt/gpgme
-app-crypt/libb2
 app-crypt/libmd
 app-crypt/mit-krb5
-app-crypt/p11-kit
 app-crypt/pinentry
-app-crypt/rhash
-app-crypt/sbsigntools
-app-crypt/tpm2-tools
-app-crypt/tpm2-tss
-app-crypt/trousers
-
-app-doc/eclass-manpages
 
 app-editors/nano
 app-editors/vim
 app-editors/vim-core
 
-app-emulation/open-vmdk
 app-emulation/qemu
 app-emulation/qemu-guest-agent
-app-emulation/virt-firmware
 
 app-eselect/eselect-iptables
-app-eselect/eselect-lib-bin-symlink
-app-eselect/eselect-pinentry
-app-eselect/eselect-python
-app-eselect/eselect-rust
-app-eselect/eselect-vi
+app-eselect/eselect-lua
 
 app-misc/c_rehash
 app-misc/editor-wrapper
-app-misc/jq
-app-misc/mime-types
-app-misc/pax-utils
 
 app-portage/elt-patches
-app-portage/gentoolkit
-app-portage/getuto
 app-portage/portage-utils
 
 app-shells/bash
 app-shells/bash-completion
-app-shells/gentoo-bashcomp
 
 app-text/asciidoc
 app-text/build-docbook-catalog
 app-text/docbook-xml-dtd
 app-text/docbook-xsl-ns-stylesheets
 app-text/docbook-xsl-stylesheets
-app-text/mandoc
 app-text/manpager
-app-text/scdoc
 app-text/sgml-common
-app-text/xmlto
 
-app-vim/gentoo-syntax
-
-dev-build/autoconf
-dev-build/autoconf-archive
-dev-build/autoconf-wrapper
-dev-build/automake
-dev-build/automake-wrapper
-dev-build/cmake
-dev-build/gtk-doc-am
-dev-build/libtool
-dev-build/make
-dev-build/meson
-dev-build/meson-format-array
-dev-build/ninja
-
-dev-cpp/azure-core
-dev-cpp/azure-identity
-dev-cpp/azure-security-keyvault-certificates
-dev-cpp/azure-security-keyvault-keys
-dev-cpp/gflags
-dev-cpp/glog
-dev-cpp/gtest
-
-dev-db/etcd
 dev-db/sqlite
 
-dev-debug/gdb
-dev-debug/strace
-
-dev-embedded/u-boot-tools
-
-dev-go/go-md2man
-
 dev-lang/duktape
-dev-lang/go
-dev-lang/go-bootstrap
-dev-lang/nasm
+dev-lang/lua
 dev-lang/perl
 dev-lang/python
 dev-lang/python-exec
 dev-lang/python-exec-conf
-dev-lang/rust
-dev-lang/rust-bin
-dev-lang/rust-common
-dev-lang/swig
-dev-lang/tcl
-dev-lang/yasm
 
+dev-libs/boost
 dev-libs/cJSON
-dev-libs/cowsql
 dev-libs/cyrus-sasl
-dev-libs/dbus-glib
-dev-libs/ding-libs
 dev-libs/elfutils
 dev-libs/expat
 dev-libs/glib
 dev-libs/gmp
+dev-libs/gobject-introspection
 dev-libs/gobject-introspection-common
-dev-libs/inih
-dev-libs/jansson
-dev-libs/jose
-dev-libs/json-c
 dev-libs/jsoncpp
 dev-libs/libaio
-dev-libs/libassuan
-dev-libs/libbsd
-dev-libs/libdnet
-dev-libs/libev
-dev-libs/libevent
-dev-libs/libffi
-dev-libs/libgcrypt
-dev-libs/libgpg-error
 dev-libs/libksba
 dev-libs/libltdl
-dev-libs/libmspack
 dev-libs/libnl
-dev-libs/libp11
 dev-libs/libpcre2
-dev-libs/libpipeline
-dev-libs/libpwquality
-dev-libs/libsodium
 dev-libs/libtasn1
-dev-libs/libtraceevent
-dev-libs/libtracefs
-dev-libs/libunistring
-dev-libs/libusb
 dev-libs/libuv
-dev-libs/libverto
 dev-libs/libxml2
 dev-libs/libxslt
-dev-libs/libyaml
-dev-libs/lzo
-dev-libs/mpc
-dev-libs/mpdecimal
-dev-libs/mpfr
 dev-libs/nettle
-dev-libs/npth
-dev-libs/nspr
 dev-libs/oniguruma
-dev-libs/opensc
-dev-libs/openssl
-dev-libs/popt
-dev-libs/protobuf
-dev-libs/raft
-dev-libs/rapidjson
-dev-libs/tree-sitter
-dev-libs/tree-sitter-bash
-dev-libs/userspace-rcu
-dev-libs/xmlsec
-dev-libs/xxhash
-dev-libs/yajl
 
-dev-perl/File-Slurper
+dev-perl/File-Slurp
+dev-perl/Locale-gettext
 dev-perl/Parse-Yapp
+dev-perl/Text-Unidecode
+dev-perl/Unicode-EastAsianWidth
 
-dev-python/backports-tarfile
-dev-python/cachecontrol
+dev-python/autocommand
+dev-python/boto
 dev-python/certifi
-dev-python/cffi
-dev-python/chardet
-dev-python/charset-normalizer
-dev-python/colorama
 dev-python/crcmod
-dev-python/cryptography
 dev-python/cython
-dev-python/dependency-groups
-dev-python/distlib
 dev-python/distro
 dev-python/docutils
-dev-python/editables
-dev-python/ensurepip-pip
-dev-python/ensurepip-setuptools
 dev-python/fasteners
-dev-python/fastjsonschema
-dev-python/flit-core
+dev-python/flit_core
 dev-python/gentoo-common
 dev-python/gpep517
-dev-python/hatch-vcs
-dev-python/hatchling
-dev-python/idna
+dev-python/inflect
 dev-python/installer
-dev-python/jaraco-collections
 dev-python/jaraco-context
 dev-python/jaraco-functools
 dev-python/jaraco-text
-dev-python/jinja2
-dev-python/lark
+dev-python/jinja
 dev-python/lazy-object-proxy
-dev-python/linkify-it-py
 dev-python/lxml
-dev-python/markdown-it-py
 dev-python/markupsafe
-dev-python/mdurl
 dev-python/more-itertools
-dev-python/msgpack
+dev-python/nspektr
+dev-python/ordered-set
 dev-python/packaging
-dev-python/pathspec
-dev-python/pefile
-dev-python/pip
 dev-python/platformdirs
-dev-python/pluggy
-dev-python/ply
-dev-python/poetry-core
-dev-python/pycparser
+dev-python/pydantic
 dev-python/pydecomp
 dev-python/pygments
-dev-python/pyproject-hooks
-dev-python/pysocks
-dev-python/requests
-dev-python/resolvelib
-dev-python/rich
+dev-python/pyparsing
 dev-python/setuptools
 dev-python/setuptools-scm
 dev-python/six
 dev-python/snakeoil
 dev-python/tomli
-dev-python/tomli-w
-dev-python/tree-sitter
-dev-python/trove-classifiers
-dev-python/truststore
 dev-python/typing-extensions
-dev-python/uc-micro-py
-dev-python/urllib3
 dev-python/wheel
 
+dev-util/b2
 dev-util/bpftool
-dev-util/bsdiff
 dev-util/catalyst
-dev-util/debugedit
+dev-util/checkbashisms
+dev-util/cmake
+dev-util/cmocka
+dev-util/desktop-file-utils
 dev-util/gdbus-codegen
 dev-util/glib-utils
 dev-util/gperf
-dev-util/maturin
+dev-util/gtk-doc-am
+dev-util/meson
+dev-util/meson-format-array
+dev-util/ninja
 dev-util/pahole
 dev-util/patchelf
 dev-util/patchutils
 dev-util/perf
-dev-util/pkgcheck
 dev-util/pkgconf
 dev-util/re2c
-dev-util/xdelta
-dev-util/xxd
+dev-util/strace
 
 dev-vcs/git
+dev-vcs/repo
 
 eclass/acct-group.eclass
 eclass/acct-user.eclass
 eclass/alternatives.eclass
 eclass/app-alternatives.eclass
 eclass/autotools.eclass
-eclass/bash-completion-r1.eclass
-eclass/branding.eclass
-eclass/cargo.eclass
-eclass/check-reqs.eclass
+# Still has some Flatcar modifications, will need to upstream it first.
+#
+# eclass/bash-completion-r1.eclass
 eclass/cmake-multilib.eclass
 eclass/cmake.eclass
-eclass/crossdev.eclass
-eclass/db-use.eclass
 eclass/desktop.eclass
-eclass/dist-kernel-utils.eclass
 eclass/distutils-r1.eclass
-eclass/dot-a.eclass
+eclass/eapi7-ver.eclass
 eclass/eapi8-dosym.eclass
-eclass/eapi9-pipestatus.eclass
-eclass/eapi9-ver.eclass
 eclass/edo.eclass
 eclass/edos2unix.eclass
 eclass/elisp-common.eclass
+eclass/epatch.eclass
+eclass/eqawarn.eclass
 eclass/estack.eclass
+eclass/eutils.eclass
 eclass/fcaps.eclass
 eclass/flag-o-matic.eclass
 eclass/git-r3.eclass
 eclass/gnome.org.eclass
-eclass/gnome2-utils.eclass
 eclass/gnuconfig.eclass
-eclass/go-env.eclass
-eclass/go-module.eclass
-eclass/golang-base.eclass
-eclass/golang-vcs-snapshot.eclass
-eclass/golang-vcs.eclass
-eclass/guile-single.eclass
-eclass/guile-utils.eclass
 eclass/java-pkg-opt-2.eclass
 eclass/java-utils-2.eclass
 eclass/kernel-2.eclass
 eclass/libtool.eclass
 eclass/linux-info.eclass
-eclass/linux-mod-r1.eclass
 eclass/linux-mod.eclass
-eclass/llvm-r1.eclass
-eclass/llvm-utils.eclass
 eclass/llvm.eclass
-eclass/lua-single.eclass
-eclass/lua-utils.eclass
-eclass/mercurial.eclass
+eclass/ltprune.eclass
 eclass/meson-multilib.eclass
 eclass/meson.eclass
-eclass/mono-env.eclass
-eclass/mount-boot-utils.eclass
-eclass/mount-boot.eclass
 eclass/multibuild.eclass
 eclass/multilib-build.eclass
 eclass/multilib-minimal.eclass
@@ -460,13 +259,11 @@ eclass/multiprocessing.eclass
 eclass/ninja-utils.eclass
 eclass/optfeature.eclass
 eclass/out-of-source-utils.eclass
-eclass/out-of-source.eclass
 eclass/pam.eclass
 eclass/pax-utils.eclass
 eclass/perl-functions.eclass
-eclass/perl-module.eclass
-eclass/plocale.eclass
 eclass/portability.eclass
+eclass/plocale.eclass
 eclass/prefix.eclass
 eclass/preserve-libs.eclass
 eclass/pypi.eclass
@@ -474,34 +271,19 @@ eclass/python-any-r1.eclass
 eclass/python-r1.eclass
 eclass/python-single-r1.eclass
 eclass/python-utils-r1.eclass
-eclass/qmake-utils.eclass
 eclass/readme.gentoo-r1.eclass
-eclass/rpm.eclass
-eclass/ruby-single.eclass
-eclass/ruby-utils.eclass
-eclass/rust-toolchain.eclass
-eclass/rust.eclass
 eclass/savedconfig.eclass
-eclass/secureboot.eclass
-eclass/selinux-policy-2.eclass
-eclass/sgml-catalog-r1.eclass
-eclass/shell-completion.eclass
-eclass/ssl-cert.eclass
 eclass/strip-linguas.eclass
-eclass/subversion.eclass
-eclass/sysroot.eclass
 eclass/systemd.eclass
 eclass/tmpfiles.eclass
-eclass/toolchain-autoconf.eclass
 eclass/toolchain-funcs.eclass
 eclass/toolchain.eclass
-eclass/tree-sitter-grammar.eclass
 eclass/udev.eclass
-eclass/unpacker.eclass
 eclass/user-info.eclass
-eclass/usr-ldscript.eclass
+# This file is modified by us to be an empty file, so can't be synced for now.
+#
+# eclass/usr-ldscript.eclass
 eclass/vcs-clean.eclass
-eclass/vcs-snapshot.eclass
 eclass/verify-sig.eclass
 eclass/vim-doc.eclass
 eclass/vim-plugin.eclass
@@ -509,261 +291,108 @@ eclass/virtualx.eclass
 eclass/waf-utils.eclass
 eclass/wrapper.eclass
 eclass/xdg-utils.eclass
-eclass/xdg.eclass
-eclass/xorg-3.eclass
 
 licenses
 
 media-libs/libpng
 
-net-analyzer/netperf
-net-analyzer/openbsd-netcat
-net-analyzer/tcpdump
+net-analyzer/nmap
 net-analyzer/traceroute
 
-net-dialup/lrzsz
-net-dialup/minicom
-
-net-dns/bind
+net-dns/bind-tools
 net-dns/c-ares
 net-dns/dnsmasq
-net-dns/libidn2
-
-net-firewall/conntrack-tools
-net-firewall/ebtables
-net-firewall/ipset
-net-firewall/iptables
-net-firewall/nftables
 
 net-fs/cifs-utils
-net-fs/nfs-utils
-net-fs/samba
 
 net-libs/gnutls
-net-libs/libmicrohttpd
-net-libs/libmnl
-net-libs/libnetfilter_conntrack
-net-libs/libnetfilter_cthelper
-net-libs/libnetfilter_cttimeout
-net-libs/libnetfilter_queue
-net-libs/libnfnetlink
-net-libs/libnftnl
+net-libs/libnsl
 net-libs/libpcap
-net-libs/libpsl
 net-libs/libslirp
-net-libs/libtirpc
 net-libs/nghttp2
-net-libs/rpcsvc-proto
 
 net-misc/bridge-utils
-net-misc/chrony
 net-misc/curl
 net-misc/ethertypes
 net-misc/iperf
 net-misc/iputils
-net-misc/ntp
-net-misc/openssh
-net-misc/passt
 net-misc/rsync
 net-misc/socat
 net-misc/wget
 net-misc/whois
 
-net-nds/openldap
-net-nds/rpcbind
-
 net-vpn/wireguard-tools
 
+perl-core/File-Temp
+
 profiles
 
-scripts
-
-sec-keys/openpgp-keys-gentoo-release
-
-sec-policy/selinux-base
-sec-policy/selinux-base-policy
-sec-policy/selinux-container
-sec-policy/selinux-dbus
-sec-policy/selinux-policykit
-sec-policy/selinux-sssd
-sec-policy/selinux-unconfined
+# The bootstrap script has some modifications, so we can't sync scripts directory yet.
+#
+# scripts
 
 sys-apps/acl
 sys-apps/attr
-sys-apps/azure-vm-utils
-sys-apps/bubblewrap
-sys-apps/busybox
-sys-apps/checkpolicy
-sys-apps/config-site
-sys-apps/coreutils
-sys-apps/dbus
-sys-apps/debianutils
 sys-apps/diffutils
 sys-apps/dtc
-sys-apps/ethtool
 sys-apps/file
 sys-apps/findutils
 sys-apps/gawk
 sys-apps/gentoo-functions
-sys-apps/gptfdisk
-sys-apps/grep
-sys-apps/groff
 sys-apps/help2man
-sys-apps/hwdata
 sys-apps/i2c-tools
-sys-apps/iproute2
 sys-apps/iucode_tool
-sys-apps/kbd
-sys-apps/kexec-tools
-sys-apps/keyutils
-sys-apps/kmod
 sys-apps/less
-sys-apps/locale-gen
-sys-apps/lsb-release
-sys-apps/lshw
-sys-apps/man-db
-sys-apps/man-pages
-sys-apps/miscfiles
-sys-apps/net-tools
-sys-apps/nvme-cli
-sys-apps/pciutils
-sys-apps/pcsc-lite
-sys-apps/pkgcore
 sys-apps/portage
-sys-apps/pv
-sys-apps/sandbox
-sys-apps/sed
-sys-apps/semodule-utils
-sys-apps/shadow
-sys-apps/smartmontools
-sys-apps/systemd
 sys-apps/texinfo
-sys-apps/usbutils
-sys-apps/util-linux
-sys-apps/which
-sys-apps/zram-generator
-
-sys-auth/pambase
-sys-auth/polkit
-sys-auth/sssd
-
-sys-block/open-iscsi
-sys-block/open-isns
-sys-block/parted
-sys-block/thin-provisioning-tools
-
-sys-boot/efibootmgr
-sys-boot/gnu-efi
-sys-boot/grub
-sys-boot/mokutil
 
+sys-devel/autoconf
+sys-devel/autoconf-archive
+sys-devel/autoconf-wrapper
+sys-devel/automake
+sys-devel/automake-wrapper
 sys-devel/bc
 sys-devel/binutils
 sys-devel/binutils-config
 sys-devel/bison
 sys-devel/crossdev
-sys-devel/dwz
 sys-devel/flex
 sys-devel/gcc
 sys-devel/gcc-config
+sys-devel/gdb
 sys-devel/gettext
 sys-devel/gnuconfig
+sys-devel/libtool
 sys-devel/m4
 sys-devel/patch
 
-sys-firmware/edk2-bin
+sys-firmware/edk2-ovmf-bin
 sys-firmware/intel-microcode
 sys-firmware/ipxe
 sys-firmware/seabios-bin
 sys-firmware/sgabios
 
-sys-fs/btrfs-progs
-sys-fs/cryptsetup
-sys-fs/dosfstools
-sys-fs/e2fsprogs
-sys-fs/erofs-utils
-sys-fs/fuse
-sys-fs/fuse-common
-sys-fs/fuse-overlayfs
-sys-fs/inotify-tools
-sys-fs/lsscsi
-sys-fs/lvm2
-sys-fs/lxcfs
-sys-fs/mdadm
-sys-fs/mtools
-sys-fs/multipath-tools
-sys-fs/quota
-sys-fs/squashfs-tools
-sys-fs/squashfs-tools-ng
-sys-fs/xfsprogs
-sys-fs/zfs
-sys-fs/zfs-kmod
-
-sys-kernel/dracut
 sys-kernel/linux-headers
 
+sys-fs/e2fsprogs
+sys-fs/multipath-tools
+
 sys-libs/binutils-libs
-sys-libs/cracklib
-sys-libs/efivar
-sys-libs/gdbm
-sys-libs/glibc
 sys-libs/libcap
 sys-libs/libcap-ng
-sys-libs/libnvme
 sys-libs/libseccomp
-sys-libs/libselinux
-sys-libs/libsepol
-sys-libs/libunwind
-sys-libs/liburing
-sys-libs/libxcrypt
-sys-libs/ncurses
-sys-libs/pam
 sys-libs/readline
-sys-libs/talloc
-sys-libs/tdb
-sys-libs/tevent
-sys-libs/timezone-data
 sys-libs/zlib
 
-sys-power/acpid
-
-sys-process/audit
-sys-process/lsof
-sys-process/procps
-sys-process/psmisc
-sys-process/tini
-
-virtual/acl
-virtual/dev-manager
-virtual/editor
-virtual/krb5
-virtual/ldb
-virtual/libc
 virtual/libcrypt
 virtual/libelf
-virtual/libiconv
-virtual/libintl
-virtual/libudev
-virtual/libusb
-virtual/man
-virtual/openssh
-virtual/os-headers
-virtual/package-manager
-virtual/pager
 virtual/perl-Carp
-virtual/perl-Encode
 virtual/perl-Exporter
 virtual/perl-ExtUtils-MakeMaker
+virtual/perl-File-Spec
+virtual/perl-File-Temp
+virtual/perl-Getopt-Long
+virtual/perl-IO
 virtual/pkgconfig
-virtual/resolvconf
-virtual/service-manager
-virtual/ssh
-virtual/tmpfiles
-virtual/udev
-virtual/zlib
-
-x11-drivers/nvidia-drivers
 
 x11-libs/pixman
-
-x11-misc/makedepend

.github/workflows/pr-comment-build-dispatcher.yaml

@@ -1,80 +0,0 @@
-name: "PR command build dispatcher"
-on:
-  issue_comment:
-    types: [created]
-
-permissions:
-  pull-requests: write
-
-concurrency:
-  group: ${{ github.workflow }}-pr-command-${{ github.event.issue.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  run_pre_checks:
-    # Only run if this is a PR comment that contains a valid command
-    if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk')) }}
-    name: Check if commenter is in the Flatcar maintainers team
-    outputs:
-      maintainers: steps.step1.output.maintainers
-      sdk_changes: ${{ steps.step3.outputs.sdk_changes }}
-    runs-on:
-      - ubuntu-latest
-    steps:
-      - name: Fetch members of the maintainers team
-        id: step1
-        env:
-          requester: ${{ github.event.comment.user.login }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          curl --fail --show-error -L --silent \
-                  -H "Accept: application/vnd.github+json" \
-                  -H "Authorization: Bearer ${{ secrets.GH_ACTIONS_ORG_READ }}" \
-                  -H "X-GitHub-Api-Version: 2022-11-28" \
-                  https://api.github.com/orgs/flatcar/teams/flatcar-maintainers/members \
-              | jq -r '.[].login' > maintainers.txt
-
-          echo "Current members of the maintainers team:"
-          cat maintainers.txt
-
-          res=false
-          echo "Checking for membership of '${{ env.requester }}'"
-          if grep -qE "^${{ env.requester }}$" maintainers.txt ; then
-            echo "Succeeded."
-            res=true
-          else
-            echo "FAILED: '${{ env.requester }} is not a member of the Flatcar maintainers team."
-          fi
-
-          $res
-
-      - name: Set outputs
-        id: step2
-        shell: bash
-        run: |
-          echo "sdk_changes=${{ contains(github.event.comment.body, '/update-sdk') }}" >> $GITHUB_OUTPUT
-
-      - name: Post a link to the workflow run to the PR
-        id: step3
-        uses: mshick/add-pr-comment@v2
-        with:
-          issue: ${{ github.event.issue.pull_request.number }}
-          message: "Build action triggered: [${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"
-
-  update_sdk:
-    needs: run_pre_checks
-    if: needs.run_pre_checks.result == 'success' && needs.run_pre_checks.outputs.sdk_changes == 'true'
-    name: "Build an updated SDK container"
-    # SDK build needs access to bincache ssh secret
-    secrets: inherit
-    uses: ./.github/workflows/update-sdk.yaml
-
-  build_image:
-    needs: [ run_pre_checks, update_sdk ]
-    if: (always() && ! cancelled()) && needs.run_pre_checks.result == 'success' && needs.update_sdk.result != 'failure' && contains(github.event.comment.body, '/build-image')
-    name: "Build the OS image"
-    uses: ./.github/workflows/ci.yaml
-    with:
-      custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }}
-      image_formats: qemu_uefi pxe

.github/workflows/pr-workflows.yaml

@@ -1,49 +0,0 @@
-name: "Run PR workflows"
-on:
-  pull_request:
-
-permissions:
-  pull-requests: write
-
-concurrency:
-  group: ${{ github.workflow }}-pr-${{ github.head_ref || github.ref_name }}
-  cancel-in-progress: true
-
-jobs:
-  pre_check:
-    name: "Check if we need to update the SDK"
-    runs-on: ubuntu-latest
-    # Setting the environment is the more important reason we need this job.
-    # We use this job as a gate, so we can approve the PR workflow only once. If
-    # we set this in the update_sdk job and in the build_image job, we would have
-    # to approve the workflow for every job that kicks off. Given that the jobs
-    # are sequenced, this is cumbersome. Use this job as a gate and make the rest
-    # dependent on it.
-    environment: development
-    outputs:
-      sdk_changes: ${{ steps.step1.outputs.sdk_changes }}
-    steps:
-      - name: Set outputs
-        id: step1
-        shell: bash
-        run: |
-          echo "sdk_changes=${{ contains(github.event.pull_request.body, '/update-sdk') }}" >> $GITHUB_OUTPUT
-
-  update_sdk:
-    name: "Build an updated SDK container"
-    needs: [ pre_check ]
-    if: needs.pre_check.outputs.sdk_changes == 'true'
-    # SDK build needs access to bincache ssh secret
-    secrets: inherit
-    uses: ./.github/workflows/update-sdk.yaml
-
-  build_image:
-    needs: [ update_sdk ]
-    # The update-sdk job may be skipped, which is fine. We only care if it tried to
-    # run, but failed.
-    if: (always() && !cancelled()) && needs.update_sdk.result != 'failure'
-    name: "Build the OS image"
-    uses: ./.github/workflows/ci.yaml
-    with:
-      custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }}
-      image_formats: qemu_uefi pxe

.github/workflows/run-kola-tests.yaml

@@ -17,11 +17,15 @@ on:
 jobs:
   tests:
     name: "Run Kola tests"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
+      - self-hosted
+      - debian
+      - kola
+      - ${{ matrix.arch }}
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
+        arch: ["amd64", "arm64"]
 
     steps:
       - name: Prepare machine
@@ -30,7 +34,18 @@ jobs:
         run: |
           sudo rm /bin/sh
           sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3 zstd iproute2 iptables
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3
+          sudo systemctl stop dnsmasq
+          sudo systemctl mask dnsmasq
+
+          # Install Docker-CE
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          echo \
+            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+            $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y docker-ce docker-ce-cli containerd.io
 
           # Set up MASQUERADE. Don't care much to secure it.
           # This is needed for the VMs kola spins up to have internet access.
@@ -39,10 +54,7 @@ jobs:
           sudo iptables -I FORWARD -o $DEFAULT_ROUTE_DEVICE -j ACCEPT
           sudo iptables -I FORWARD -i $DEFAULT_ROUTE_DEVICE -j ACCEPT
 
-      - name: Set up Docker
-        uses: docker/setup-docker-action@v4
-
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           path: scripts
           fetch-depth: 0
@@ -65,28 +77,34 @@ jobs:
 
       - name: Download binpkgs
         if: ${{ !inputs.workflow_run_id }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: ${{ matrix.arch }}-binpkgs
 
       - name: Download test update image
         if: ${{ !inputs.workflow_run_id }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: ${{ matrix.arch }}-test-update
 
       - name: Download generic image
         if: ${{ !inputs.workflow_run_id }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: ${{ matrix.arch }}-generic-image
 
       - name: Download developer container
         if: ${{ !inputs.workflow_run_id }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: ${{ matrix.arch }}-devcontainer
 
+      - name: Download torcx tarball
+        if: ${{ !inputs.workflow_run_id }}
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ matrix.arch }}-torcx
+
       - name: Download binpkgs from other workflow
         uses: gabriel-samfira/action-download-artifact@v5
         if: ${{ inputs.workflow_run_id }}
@@ -123,6 +141,15 @@ jobs:
           run_id: ${{ inputs.workflow_run_id }}
           name: ${{ matrix.arch }}-devcontainer
 
+      - name: Download torcx tarball from other workflow
+        uses: gabriel-samfira/action-download-artifact@v5
+        if: ${{ inputs.workflow_run_id }}
+        with:
+          workflow: ${{ inputs.workflow_name_or_id }}
+          workflow_conclusion: success
+          run_id: ${{ inputs.workflow_run_id }}
+          name: ${{ matrix.arch }}-torcx
+
       - name: Extract artifacts
         shell: bash
         run: |
@@ -130,8 +157,8 @@ jobs:
           set -x
           set -euo pipefail
 
-          # Set up a webserver for devcontainer tests.
-          # The respective tests will download devcontainer via http.
+          # Set up a webserver for devcontainer and torcx tests.
+          # The respective tests will download devcontainer and torcx tarball via http.
           # The devcontainer test will then run a build
           #   which will download and install binpkgs into the dev container.
           # For the sake of that test we will serve both via a temporary local web server.
@@ -147,10 +174,24 @@ jobs:
           mv flatcar_developer_container* ${TESTS_WEBSERVER_WEBROOT}
           tar -C ${TESTS_WEBSERVER_WEBROOT} -xvf binpkgs.tar
 
+          tar -C ${TESTS_WEBSERVER_WEBROOT} -xvf torcx.tar
+
+          # Move torcx package into plain webroot
+          #  (path consists of <arch>/<packagename>/<checksum>/<packagename>:<version>.torcx.tar.gz)
+          mv "${TESTS_WEBSERVER_WEBROOT}/${{ matrix.arch }}-usr"/*/*/*.torcx.tgz \
+             "${TESTS_WEBSERVER_WEBROOT}"
+
+          # Update torcx.json's http URL to point to the webserver IP.
+          # ci.yaml defines the "localhost" placeholder in its "Set Environment" step.
+          sed -i "s,http://localhost:12345,http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}," \
+                 "${TESTS_WEBSERVER_WEBROOT}/torcx_manifest.json"
+          cat "${TESTS_WEBSERVER_WEBROOT}/torcx_manifest.json"
+
           # Extract the generic image we'll use for qemu tests.
           # Note that the qemu[_uefi] tests use the generic image instead of the
           #  qemu vendor VM image ("Astronaut: [...] Always have been.").
-          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.qcow2 flatcar_production_qemu_uefi_efi_vars.qcow2 scripts/
+          bzip2 --decompress flatcar_production_image.bin.bz2
+          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.fd scripts/
 
           mv flatcar_test_update.gz scripts/
 
@@ -164,29 +205,22 @@ jobs:
           python3 -m http.server -d "${TESTS_WEBSERVER_WEBROOT}" -b "${TESTS_WEBSERVER_IP}" "${TESTS_WEBSERVER_PORT}" &
 
           pushd scripts
-
-          source ci-automation/ci_automation_common.sh
-          source sdk_container/.repo/manifests/version.txt
-
-          version="alpha-$FLATCAR_VERSION_ID"
-          check_version_string "$version"
-          sdk_version="${CUSTOM_SDK_VERSION:-$FLATCAR_SDK_VERSION}"
-
-          # Create version file
-          (
-            source sdk_lib/sdk_container_common.sh
-            create_versionfile "$sdk_version" "$version"
-          )
-
           source ci-automation/test.sh
 
-          PARALLEL_ARCH=5
+          # Provide our own torcx prepare function so we use our local manifest json.
+          # This is called by test_run below.
+          function __prepare_torcx() {
+            shift; shift # no need for arch or vernum
+            local destdir="$1"
+            cp "../${TESTS_WEBSERVER_WEBROOT}/torcx_manifest.json" "${destdir}"
+          }
+
+          PARALLEL_ARCH=10
 
           cat > sdk_container/.env <<EOF
           # export the QEMU_IMAGE_NAME to avoid to download it.
           export QEMU_IMAGE_NAME="/work/flatcar_production_image.bin"
-          export QEMU_UEFI_FIRMWARE="/work/flatcar_production_qemu_uefi_efi_code.qcow2"
-          export QEMU_UEFI_OVMF_VARS="/work/flatcar_production_qemu_uefi_efi_vars.qcow2"
+          export QEMU_UEFI_BIOS="/work/flatcar_production_qemu_uefi_efi_code.fd"
           export QEMU_UPDATE_PAYLOAD="/work/flatcar_test_update.gz"
           export QEMU_DEVCONTAINER_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"
           export QEMU_DEVCONTAINER_BINHOST_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"
@@ -209,8 +243,8 @@ jobs:
           set -e
 
       - name: Upload detailed test logs
-        if: always() && !cancelled()
-        uses: actions/upload-artifact@v4
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.arch }}-test-logs-and-results
           path: |
@@ -221,8 +255,8 @@ jobs:
             scripts/results-*.md
 
       - name: Upload raw TAP files of all runs for later merging
-        if: always() && !cancelled()
-        uses: actions/upload-artifact@v4
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.arch }}-raw-tapfiles
           path: |
@@ -232,8 +266,11 @@ jobs:
   merge_and_publish_results:
     name: "Merge TAP reports and post results"
     needs: tests
-    if: always() && !cancelled()
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    if: always()
+    runs-on:
+      - self-hosted
+      - debian
+      - kola
     permissions:
       pull-requests: write
 
@@ -244,9 +281,9 @@ jobs:
         run: |
           sudo rm /bin/sh
           sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           path: scripts
           fetch-depth: 0
@@ -271,11 +308,17 @@ jobs:
       # This is clunky. Haven't figured out how to re-use matrix.arch here for downloads,
       #  so we download each arch individually.
       - name: Download amd64 tapfiles
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: amd64-raw-tapfiles
           path: scripts/__TAP__/amd64
 
+      - name: Download arm64 tapfiles
+        uses: actions/download-artifact@v3
+        with:
+          name: arm64-raw-tapfiles
+          path: scripts/__TAP__/arm64
+
       - name: Create Test Summary
         shell: bash
         run: |
@@ -308,9 +351,8 @@ jobs:
 
           cat test-results.md >> "$GITHUB_STEP_SUMMARY"
 
-      - name: If started from a PR event or a PR comment command, post test summary to PR
-        if: ${{ github.event_name == 'pull_request' || github.event.issue.pull_request }}
+      - name: If started from a PR, post test summary to PR
+        if: ${{ github.event_name == 'pull_request' }}
         uses: mshick/add-pr-comment@v2
         with:
-          issue: ${{ github.event.pull_request.number || github.event.issue.pull_request.number }}
           message-path: "scripts/test-results.md"

.github/workflows/runc-apply-patch.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+prepare_git_repo
+
+if ! check_remote_branch "runc-${VERSION_NEW}-${TARGET_BRANCH}"; then
+    echo "remote branch already exists, nothing to do"
+    exit 0
+fi
+
+pushd "${SDK_OUTER_OVERLAY}"
+
+# Get the newest runc version, including official releases and rc
+# versions. We need some sed tweaks like replacing dots with
+# underscores, adding trailing underscore, sort, and trim the trailing
+# underscore and replace other underscores with dots again, so that
+# sort -V can properly sort "1.0.0" as newer than "1.0.0-rc95" and
+# "0.0.2.1" as newer than "0.0.2".
+VERSION_OLD=$(sed -n "s/^DIST docker-runc-\([0-9]*\.[0-9]*.*\)\.tar.*/\1_/p" app-emulation/docker-runc/Manifest | tr '.' '_' | sort -ruV | sed -e 's/_$//' | tr '_' '.' | head -n1)
+if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
+    echo "already the latest Runc, nothing to do"
+    exit 0
+fi
+
+runcEbuildOld=$(get_ebuild_filename app-emulation/docker-runc "${VERSION_OLD}")
+runcEbuildNew="app-emulation/docker-runc/docker-runc-${VERSION_NEW}.ebuild"
+git mv "${runcEbuildOld}" "${runcEbuildNew}"
+sed -i "s/${VERSION_OLD}/${VERSION_NEW}/g" "${runcEbuildNew}"
+sed -i "s/COMMIT_ID=\"\(.*\)\"/COMMIT_ID=\"${COMMIT_HASH}\"/g" "${runcEbuildNew}"
+
+# update also runc versions used by docker and containerd
+sed -i "s/docker-runc-${VERSION_OLD}/docker-runc-${VERSION_NEW}/g" app-emulation/containerd/containerd-9999.ebuild
+
+dockerVersion=$(sed -n "s/^DIST docker-\([0-9]*.[0-9]*.[0-9]*\).*/\1/p" app-emulation/docker/Manifest | sort -ruV | head -n1)
+
+# torcx ebuild file has a docker version with only major and minor versions, like 19.03.
+versionTorcx=${dockerVersion%.*}
+torcxEbuildFile=$(get_ebuild_filename app-torcx/docker "${versionTorcx}")
+sed -i "s/docker-runc-${VERSION_OLD}/docker-runc-${VERSION_NEW}/g" "${torcxEbuildFile}"
+
+popd
+
+URL="https://github.com/opencontainers/runc/releases/tag/v${VERSION_NEW}"
+
+generate_update_changelog 'runc' "${VERSION_NEW}" "${URL}" 'runc'
+
+commit_changes app-emulation/docker-runc "${VERSION_OLD}" "${VERSION_NEW}" \
+               app-emulation/containerd \
+               app-torcx/docker
+
+cleanup_repo
+
+echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
+echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"

.github/workflows/runc-release-main.yaml

@@ -0,0 +1,65 @@
+name: Get the latest Runc release for main
+on:
+  schedule:
+    - cron:  '50 7 * * 4'
+  workflow_dispatch:
+
+jobs:
+  get-runc-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out scripts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+      - name: Figure out latest Runc release version
+        id: runc-latest-release
+        run: |
+          REMOTE='https://github.com/opencontainers/runc'
+          # Get the newest runc version, including official releases
+          # and rc versions. We need some sed tweaks like replacing
+          # dots with underscores, adding trailing underscore, sort,
+          # and trim the trailing underscore and replace other
+          # underscores with dots again, so that sort -V can properly
+          # sort "1.0.0" as newer than "1.0.0-rc95" and "0.0.2.1" as
+          # newer than "0.0.2".
+          versionCommitPair=( $(git ls-remote --tags "${REMOTE}" | grep 'refs/tags/v[a-z0-9._-]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2_ \1#g' -e 's/\./_/g' | sort --reverse --unique --version-sort --key=1,1 | sed -e 's/_ / /' -e 's/_/./g' | head --lines=1) )
+          versionNew="${versionCommitPair[0]}"
+          # Gentoo expects an underline between version and rc, so
+          # "1.1.0-rc.1" becomes "1.1.0_rc.1".
+          versionNew="${versionNew//-/_}"
+          # Gentoo expects no separators between rc and the number, so
+          # "1.1.0_rc.1" becomes "1.1.0_rc1"
+          versionNew="${versionNew//rc./rc}"
+          commitHash="${versionCommitPair[1]}"
+          echo "VERSION_NEW=${versionNew}" >>"${GITHUB_OUTPUT}"
+          echo "COMMIT_HASH=${commitHash}" >>"${GITHUB_OUTPUT}"
+      - name: Set up Flatcar SDK
+        id: setup-flatcar-sdk
+        env:
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          CHANNEL: main
+        run: scripts/.github/workflows/setup-flatcar-sdk.sh
+      - name: Apply patch for main
+        id: apply-patch-main
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          VERSION_NEW: ${{ steps.runc-latest-release.outputs.VERSION_NEW }}
+          COMMIT_HASH: ${{ steps.runc-latest-release.outputs.COMMIT_HASH }}
+          PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
+          SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
+          TARGET_BRANCH: main
+        run: scripts/.github/workflows/runc-apply-patch.sh
+      - name: Create pull request for main
+        uses: peter-evans/create-pull-request@v5
+        if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+          branch: runc-${{ steps.runc-latest-release.outputs.VERSION_NEW }}-main
+          base: main
+          title: Upgrade Runc in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.runc-latest-release.outputs.VERSION_NEW }}
+          body: Subject says it all.
+          labels: main

.github/workflows/rust-apply-patch.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
+
+prepare_git_repo
+
+if ! check_remote_branch "rust-${VERSION_NEW}-${TARGET_BRANCH}"; then
+    echo "remote branch already exists, nothing to do"
+    exit 0
+fi
+
+pushd "${SDK_OUTER_OVERLAY}"
+
+VERSION_OLD=$(sed -n "s/^DIST rustc-\(1\.[0-9]*\.[0-9]*\).*/\1/p" dev-lang/rust/Manifest | sort -ruV | head -n1)
+if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
+    echo "already the latest Rust, nothing to do"
+    exit 0
+fi
+
+# Replace (dev-lang/virtual)/rust versions in profiles/, e.g. package.accept_keywords.
+# Try to match all kinds of version specifiers, e.g. >=, <=, =, ~.
+find profiles -name 'package.*' | xargs sed -i "s/\([><]*=\|~\)*dev-lang\/rust-\S\+/\1dev-lang\/rust-${VERSION_NEW}/"
+find profiles -name 'package.*' | xargs sed -i "s/\([><]*=\|~\)*virtual\/rust-\S\+/\1virtual\/rust-${VERSION_NEW}/"
+
+EBUILD_FILENAME=$(get_ebuild_filename dev-lang/rust "${VERSION_OLD}")
+git mv "${EBUILD_FILENAME}" "dev-lang/rust/rust-${VERSION_NEW}.ebuild"
+EBUILD_FILENAME=$(get_ebuild_filename virtual/rust "${VERSION_OLD}")
+git mv "${EBUILD_FILENAME}" "virtual/rust/rust-${VERSION_NEW}.ebuild"
+
+popd
+
+URL="https://github.com/rust-lang/rust/releases/tag/${VERSION_NEW}"
+
+generate_update_changelog 'Rust' "${VERSION_NEW}" "${URL}" 'rust'
+
+commit_changes dev-lang/rust "${VERSION_OLD}" "${VERSION_NEW}" \
+               profiles \
+               virtual/rust
+
+cleanup_repo
+
+echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
+echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"

.github/workflows/rust-release-main.yaml

@@ -0,0 +1,48 @@
+name: Get the latest Rust release for main
+on:
+  schedule:
+    - cron:  '20 7 * * 2'
+  workflow_dispatch:
+
+jobs:
+  get-rust-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out scripts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+      - name: Figure out latest Rust release version
+        id: rust-latest-release
+        run: |
+          version=$(git ls-remote --tags 'https://github.com/rust-lang/rust' | cut -f2 | sed -n "/refs\/tags\/1\.[0-9]*\.[0-9]*$/s/^refs\/tags\///p" | sort -ruV | head -n1)
+          echo "VERSION_NEW=${version}" >>"${GITHUB_OUTPUT}"
+      - name: Set up Flatcar SDK
+        id: setup-flatcar-sdk
+        env:
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          CHANNEL: main
+        run: scripts/.github/workflows/setup-flatcar-sdk.sh
+      - name: Apply patch for main
+        id: apply-patch-main
+        env:
+          GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
+          VERSION_NEW: ${{ steps.rust-latest-release.outputs.VERSION_NEW }}
+          PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
+          SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
+          TARGET_BRANCH: main
+        run: scripts/.github/workflows/rust-apply-patch.sh
+      - name: Create pull request for main
+        id: create-pull-request
+        uses: peter-evans/create-pull-request@v5
+        if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
+        with:
+          token: ${{ secrets.BOT_PR_TOKEN }}
+          path: scripts
+          branch: rust-${{ steps.rust-latest-release.outputs.VERSION_NEW }}-main
+          base: main
+          title: Upgrade dev-lang/rust and virtual/rust in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.rust-latest-release.outputs.VERSION_NEW }}
+          body: Subject says it all.
+          labels: main

.github/workflows/setup-flatcar-sdk.sh

@@ -9,7 +9,7 @@ fi
 sudo ln -sfn /bin/bash /bin/sh
 sudo apt-get update
 sudo apt-get install -y ca-certificates curl git gnupg lbzip2 lsb-release \
-    qemu-user-static zstd
+    qemu-user-static
 sudo mkdir -p /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
     | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

.github/workflows/update-metadata-glsa.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
       - name: Update GLSA metadata
@@ -22,7 +22,7 @@ jobs:
           todaydate=$(date +%Y-%m-%d)
           echo "TODAYDATE=${todaydate}" >>"${GITHUB_OUTPUT}"
       - name: Create pull request for main branch
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           branch: buildbot/monthly-glsa-metadata-updates-${{steps.update-glsa-metadata.outputs.TODAYDATE }}
@@ -33,4 +33,3 @@ jobs:
           commit-message: "portage-stable/metadata: Monthly GLSA metadata updates"
           author: Flatcar Buildbot <buildbot@flatcar-linux.org>
           labels: main
-          signoff: true

.github/workflows/update-portage-stable-packages-from-list.yaml

@@ -9,12 +9,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           path: ./scripts
       - name: Check out Gentoo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           repository: gentoo/gentoo
           path: gentoo
@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 250000
           ref: master
       - name: Check out build scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           repository: flatcar/flatcar-build-scripts
           path: flatcar-build-scripts
@@ -68,7 +68,7 @@ jobs:
           echo "UPDATED=${updated}" >>"${GITHUB_OUTPUT}"
           echo "TODAYDATE=${todaydate}" >>"${GITHUB_OUTPUT}"
       - name: Create pull request for main branch
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         if: steps.update-listed-packages.outputs.UPDATED == 1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-sdk.yaml

@@ -1,151 +0,0 @@
-name: "Build updated SDK container"
-on:
-  workflow_dispatch:
-    inputs:
-      source_sdk_version:
-        type: string
-        required: false
-        description: |
-          Source SDK container to use. Defaults to version defined in version.txt.
-      custom_sdk_version:
-        type: string
-        required: false
-        description: |
-          Custom SDK container version to build. Defaults to source SDK w/ "-github-[DATE]" appended.
-
-  workflow_call:
-    outputs:
-      sdk_version:
-        description: "The version of the SDK container that was built"
-        value: ${{ jobs.update_sdk.outputs.sdk_version }}
-    inputs:
-      source_sdk_version:
-        type: string
-        required: false
-        description: |
-          Source SDK container to use. Defaults to version defined in version.txt.
-      custom_sdk_version:
-        type: string
-        required: false
-        description: |
-          Custom SDK container version to build. Defaults to source SDK w/ "-github-[DATE]" appended, or
-          '-github-pr-[PRNUM]-[DATE]' if the build was triggered from a PR.
-
-permissions:
-  pull-requests: write
-
-jobs:
-  update_sdk:
-    name: "Build an updated SDK container image"
-    runs-on:
-      - self-hosted
-      - ubuntu
-      - build
-      - x64
-    strategy:
-      fail-fast: false
-    outputs:
-      sdk_version: ${{ steps.step4.outputs.sdk_version }}
-    defaults:
-      run:
-        working-directory: scripts
-
-    steps:
-      - name: Prepare machine
-        id: step1
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        run: |
-          sudo rm /bin/sh
-          sudo ln -s /bin/bash /bin/sh
-          sudo apt-get install -y ca-certificates curl gnupg lsb-release qemu-user-static git jq openssh-client rsync zstd
-
-      - name: Set up Docker
-        uses: docker/setup-docker-action@v4
-
-      - uses: actions/checkout@v4
-        id: step2
-        with:
-          path: scripts
-          fetch-depth: 0
-
-      - name: Set environment
-        id: step3
-        shell: bash
-        run: |
-          if [ -n "${{ github.event.inputs.source_sdk_version }}" ] ; then
-              echo "SOURCE_SDK_VERSION=${{ github.event.inputs.source_sdk_version }}" >> $GITHUB_ENV
-          fi
-          if [ -n "${{ github.event.inputs.custom_sdk_version }}" ] ; then
-              echo "CUSTOM_SDK_VERSION=${{ github.event.inputs.custom_sdk_version }}" >> $GITHUB_ENV
-          fi
-
-      - name: Build an updated SDK container
-        id: step4
-        shell: bash
-        run: |
-          exec 2>&1
-          set -x
-          set -euo pipefail
-
-          source ci-automation/ci_automation_common.sh
-          source sdk_container/.repo/manifests/version.txt
-
-          version="alpha-$FLATCAR_VERSION_ID"
-          sdk_version="${SOURCE_SDK_VERSION:-$FLATCAR_SDK_VERSION}"
-
-          sdk_name="flatcar-sdk-all"
-          docker_sdk_vernum="$(vernum_to_docker_image_version "${sdk_version}")"
-
-          docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}"
-
-          sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")"
-
-          # Create version file
-          (
-            source sdk_lib/sdk_container_common.sh
-            create_versionfile "$sdk_version" "$version"
-          )
-
-          if [ -z "${CUSTOM_SDK_VERSION:-}" ] ; then
-              if [ -n "${{ github.event.issue.pull_request }}" ] ; then
-                target_version="${sdk_version}-github-PR-${{ github.event.issue.number }}-$(date '+%Y_%m_%d__%H_%M_%S')"
-              else
-                target_version="${sdk_version}-github-$(date '+%Y_%m_%d__%H_%M_%S')"
-              fi
-          else
-              target_version="${CUSTOM_SDK_VERSION}"
-          fi
-
-          echo "setting sdk_version=${target_version} as a github output"
-          echo "sdk_version=${target_version}" >> "$GITHUB_OUTPUT"
-
-          # This also updates sdk_container/.repo/manifests/version.txt with the new SDK version.
-          ./update_sdk_container_image "${target_version}"
-
-      - name: Upload the SDK container and binary packages to bincache
-        id: step5
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          source ci-automation/ci_automation_common.sh
-
-          mkdir -p ~/.ssh
-          trap 'rm -f ~/.ssh/bincache' EXIT
-          echo "${{ secrets.BINCACHESSH }}" > ~/.ssh/bincache
-          chmod 600 ~/.ssh/bincache
-
-          echo "Host ${BUILDCACHE_SERVER}" >> ~/.ssh/config
-          echo "    User ${BUILDCACHE_USER}" >> ~/.ssh/config
-          echo "    IdentityFile ~/.ssh/bincache" >> ~/.ssh/config
-
-          source sdk_container/.repo/manifests/version.txt
-          vernum="${FLATCAR_SDK_VERSION}"
-          docker_vernum="$(vernum_to_docker_image_version "${vernum}")"
-
-          docker_image_to_buildcache "${CONTAINER_REGISTRY}/flatcar-sdk-all" "${docker_vernum}"
-          docker_image_to_buildcache "${CONTAINER_REGISTRY}/flatcar-sdk-amd64" "${docker_vernum}"
-          docker_image_to_buildcache "${CONTAINER_REGISTRY}/flatcar-sdk-arm64" "${docker_vernum}"
-
-          rm -f ~/.ssh/bincache

.github/workflows/vmware-release-main.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
           path: scripts
@@ -38,7 +38,7 @@ jobs:
           TARGET_BRANCH: main
         run: scripts/.github/workflows/vmware-apply-patch.sh
       - name: Create pull request for main
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v5
         if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
         with:
           token: ${{ secrets.BOT_PR_TOKEN }}
@@ -48,4 +48,3 @@ jobs:
           title: Upgrade open-vm-tools in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.openvmtools-latest-release.outputs.VERSION_NEW }}
           body: Subject says it all.
           labels: main
-          signoff: true

.gitignore

@@ -15,7 +15,6 @@
 # SDK container env passing helpers
 sdk_container/.env
 sdk_container/.sdkenv
-ci-cleanup.sh
 
 # build cache / artefacts directories
 __build__/

CODEOWNERS

@@ -1,5 +0,0 @@
-# CODEOWNERS file for scripts
-# This file defines who is responsible for code review
-# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-
-* @flatcar/flatcar-maintainers

CODE_OF_CONDUCT.md

@@ -1,9 +0,0 @@
-# Code of Conduct
-
-The Flatcar project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
-
-For details on how we uphold community standards across all Flatcar repositories, please see the [main Flatcar Code of Conduct](https://github.com/flatcar/Flatcar/blob/main/CODE_OF_CONDUCT.md).
-
-## Reporting
-
-If you experience or witness unacceptable behavior, please report it following the process outlined in the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

CONTRIBUTING.md

@@ -1,15 +1,71 @@
-Welcome! We're so glad you're here and interested in contributing to Flatcar! 💖
+# How to Contribute
 
-Whether you're fixing a bug, adding a feature, or improving docs — we appreciate you!
+CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
+GitHub pull requests.  This document outlines some of the conventions on
+development workflow, commit message formatting, contact points and other
+resources to make it easier to get your contribution accepted.
 
-For more detailed guidelines (finding issues, community meetings, PR lifecycle, commit message format, and more), check out the [main Flatcar CONTRIBUTING guide](https://github.com/flatcar/Flatcar/blob/main/CONTRIBUTING.md).
+# Certificate of Origin
 
-If you want to file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
+By contributing to this project you agree to the Developer Certificate of
+Origin (DCO). This document was created by the Linux Kernel community and is a
+simple statement that you, as a contributor, have the legal right to make the
+contribution. See the [DCO](DCO) file for details.
 
----
+# Email and Chat
 
-## Repository Specific Guidelines
+The project currently uses the general CoreOS email list and IRC channel:
+- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
+- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
 
-Any guidelines specific to this repository that are not covered in the main contribution guide will be listed here.
+Please avoid emailing maintainers found in the MAINTAINERS file directly. They
+are very busy and read the mailing lists.
 
-<!-- Add repo-specific guidelines below this line -->
+## Getting Started
+
+- Fork the repository on GitHub
+- Read the [README](README.md) for build and test instructions
+- Play with the project, submit bugs, submit patches!
+
+## Contribution Flow
+
+This is a rough outline of what a contributor's workflow looks like:
+
+- Create a topic branch from where you want to base your work (usually master).
+- Make commits of logical units.
+- Make sure your commit messages are in the proper format (see below).
+- Push your changes to a topic branch in your fork of the repository.
+- Make sure the tests pass, and add any new tests as appropriate.
+- Submit a pull request to the original repository.
+
+Thanks for your contributions!
+
+### Format of the Commit Message
+
+We follow a rough convention for commit messages that is designed to answer two
+questions: what changed and why. The subject line should feature the what and
+the body of the commit should describe the why.
+
+```
+scripts: add the test-cluster command
+
+this uses tmux to setup a test cluster that you can easily kill and
+start for debugging.
+
+Fixes #38
+```
+
+The format can be described more formally as follows:
+
+```
+<subsystem>: <what changed>
+<BLANK LINE>
+<why this change was made>
+<BLANK LINE>
+<footer>
+```
+
+The first line is the subject and should be no longer than 70 characters, the
+second line is always blank, and other lines should be wrapped at 80 characters.
+This allows the message to be easier to read on GitHub as well as in various
+git tools.

GOVERNANCE.md

@@ -1,11 +0,0 @@
-# Governance
-
-For details on the Flatcar project governance model, decision-making process, and roles, please see the [main Flatcar Governance document](https://github.com/flatcar/Flatcar/blob/main/governance.md).
-
----
-
-## Repository-Specific Governance
-
-Any governance details specific to this repository will be listed here.
-
-<!-- Add repo-specific governance notes below this line -->

MAINTAINERS.md

@@ -1,11 +1,9 @@
 # Maintainers
 
-For the current list of maintainers and their responsibilities, please see the [main Flatcar MAINTAINERS file](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
+* Kai Lüke @pothos
+* Gabriel Samfira @gabriel-samfira
+* Thilo Fromm @t-lo
 
----
+See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
 
-## Repository-Specific Maintainers
-
-Any maintainers specific to this repository will be listed here.
-
-<!-- Add repo-specific maintainers below this line -->
+The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).

PREFIX.md

@@ -1,98 +0,0 @@
-# Prefix - build portable, distro-independent apps
-
-**!!! NOTE: Prefix support in the Flatcar SDK is EXPERIMENTAL at this time !!!**
-
-## Path to stabilisation TODO list
-
-Before prefix build support are considered stable, the below must be implemented:
-1. Integrate `cb-bootstrap` with the Flatcar SDK.
-   Currently, `setup_prefix` uses cross-boss' `cb-bootstrap` to set up the prefix environment.
-   Bootstrapping must be fully integrated with the Flatcar SDK before prefix builds are considered stable.
-2. Integrate prefix builds with `/build/<board>` environment and use board cross toolchain.
-   Prefix builds currently use the SDK cross toolchains (`/usr/<arch>-gnu/`) instead of board toolchains in `/build/<board>`.
-   Prefix builds must be integrated with the board toolchains and stop using `cb-emerge` before considered stable.
-3. Add prefix wrappers for all portage tools (similar to board wrappers), not just `emerge`.
-4. Add test cases for prefix builds to [mantle/kola](https://github.com/flatcar/mantle/tree/main/kola).
-
-## About
-
-Prefix builds let you build and ship applications and all their dependencies in a custom directory.
-This custom directory is self-contained, all dependencies are included, and binaries are only linked against libraries in the custom directory.
-The applications' root will be `/` - i.e. there's no need to `chroot` into the custom directory.
-
-For example, applications built with the prefix `/usr/local/my-app` will ship
-* binaries in `/usr/local/my-app/bin`, `/usr/local/my-app/usr/bin`
-* libraries in `/usr/local/my-app/lib[64]`, `/usr/local/my-app/usr/lib[64]`
-
-These binaries can be called directly, e.g. `/usr/local/my-app/usr/bin/myprog`.
-`myprog` will only use libraries from `/usr/local/my-app/lib` etc., not from `/`.
-
-A good use case example for prefix builds is to create distro independent, portable [system extensions](https://www.flatcar.org/docs/latest/provisioning/sysext/).
-
-## How does it do that?
-
-Prefix uses a _staging environment_ to build binary packages, then installs these to a _final environment_.
-The _staging environment_ contains toolchains and all build tools required to create binary packages (a full `@system`).
-The _final environment_ only contains run-time dependencies.
-
-Packages are built from ebuilds in coreos-overlay, portage-stable, and prefix-overlay.
-
-A QoL `emerge` wrapper is included to install packages to the prefix.
-
-## Prerequisites
-
-Prefix utilises the [cross-boss](https://github.com/chewi/cross-boss) project to bootstrap prefixes and to build packages.
-For the time being the user is expected to provide cross-boss manually.
-By default, a `cross-boss` sub-directory is expected in the scripts repository root.
-Cross-boss location can be customised via the `--cross_boss_root` option to `setup_prefix`.
-
-* Run `git clone https://github.com/chewi/cross-boss` in the scripts directory.
-
-## Quick-start guide
-
-For working with a prefix, you will need to agree on:
-1. A name for the prefix. Should be a single word and is used for generating protage wrappers.
-2. A prefix directory where applications and libraries will live on the target system.
-   For use with systemd-sysext this should be a path below `/usr` or `/opt`.
-
-For the purpose of the example below we'll use
-* `my-prefix` as the prefix name, and
-* `/usr/local/my-stuff` as prefix directory.
-
-**TL;DR**
-* `./setup_prefix my-prefix /usr/local/my-stuff`
-* `emerge-prefix-my-stuff-amd64-usr python`
-will create a portable python installation in `__prefix__/amd64-usr/my-stuff/root`.
-
-
-**Step by step**
-
-First we'll create the prefix.
-This will create "staging" and "final" roots and cross-compile a staging environment into "staging".
-* In the SDK container, run `./setup_prefix my-prefix /usr/local/my-stuff`
-* Go fetch a coffee, bootstrapping may take some 20-ish minutes to complete.
-
-`setup_prefix` will default to `amd64-usr` architecture and will use
-* `/build/prefix-<arch>/my-stuff` for the staging environment
-* `__prefix__/<arch>/my-stuff` in the scripts directory as install root (aka "final")
-* It will also create an emerge wrapper `emerge-prefix-my-stuff-<arch>` to install packages.
-
-Time to use the wrapper! Let's build a portable python sysext.
-* `emerge-prefix-my-stuff-amd64-usr python`
-
-Now we'll use [bake.sh](https://raw.githubusercontent.com/flatcar/sysext-bakery/main/bake.sh) from Flatcar's [sysext-bakery](https://github.com/flatcar/sysext-bakery) to create a python sysext.
-```shell
-wget https://raw.githubusercontent.com/flatcar/sysext-bakery/main/bake.sh
-chmod 755 bake.sh
-cd __prefix__/amd64-usr/my-stuff
-sudo cp -R root python
-sudo ../../../bake.sh python
-```
-
-On a Flatcar instance, we now copy the resulting `python.raw` to `/etc/extensions`.
-We merge with `systemd-sysext refresh`.
-Then we can run:
-* `/usr/local/my-stuff/usr/bin/python`
-
-Note that this sysext can be used on any Linux distro that ships `systemd-sysext`.
-It is self-contained, there are no user space dependencies.

README.md

@@ -1,18 +1,3 @@
-<div style="text-align: center">
-
-[![Flatcar OS](https://img.shields.io/badge/Flatcar-Website-blue?logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAyNi4wLjMsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4wIiBpZD0ia2F0bWFuXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4Ig0KCSB2aWV3Qm94PSIwIDAgODAwIDYwMCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgODAwIDYwMDsiIHhtbDpzcGFjZT0icHJlc2VydmUiPg0KPHN0eWxlIHR5cGU9InRleHQvY3NzIj4NCgkuc3Qwe2ZpbGw6IzA5QkFDODt9DQo8L3N0eWxlPg0KPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ0MCwxODIuOGgtMTUuOXYxNS45SDQ0MFYxODIuOHoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik00MDAuNSwzMTcuOWgtMzEuOXYxNS45aDMxLjlWMzE3Ljl6Ii8+DQo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNNTQzLjgsMzE3LjlINTEydjE1LjloMzEuOVYzMTcuOXoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik02NTUuMiw0MjAuOXYtOTUuNGgtMTUuOXY5NS40aC0xNS45VjI2MmgtMzEuOVYxMzQuOEgyMDkuNFYyNjJoLTMxLjl2MTU5aC0xNS45di05NS40aC0xNnY5NS40aC0xNS45djMxLjINCgloMzEuOXYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44SDI3M3YtMTUuOGgyNTQuOHYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44aDQ3Ljh2LTE1LjhoMzEuOXYtMzEuMkg2NTUuMnogTTQ4Ny44LDE1MWg3OS42djMxLjgNCgloLTIzLjZ2NjMuNkg1MTJ2LTYzLjZoLTI0LjJMNDg3LjgsMTUxTDQ4Ny44LDE1MXogTTIzMywyMTQuNlYxNTFoNjMuN3YyMy41aC0zMS45djE1LjhoMzEuOXYyNC4yaC0zMS45djMxLjhIMjMzVjIxNC42eiBNMzA1LDMxNy45DQoJdjE1LjhoLTQ3Ljh2MzEuOEgzMDV2NDcuN2gtOTUuNVYyODYuMUgzMDVMMzA1LDMxNy45eiBNMzEyLjYsMjQ2LjRWMTUxaDMxLjl2NjMuNmgzMS45djMxLjhMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjR6DQoJIE00NDguMywzMTcuOXY5NS40aC00Ny44di00Ny43aC0zMS45djQ3LjdoLTQ3LjhWMzAyaDE1Ljl2LTE1LjhoOTUuNVYzMDJoMTUuOUw0NDguMywzMTcuOXogTTQ0MCwyNDYuNHYtMzEuOGgtMTUuOXYzMS44aC0zMS45DQoJdi03OS41aDE1Ljl2LTE1LjhoNDcuOHYxNS44aDE1Ljl2NzkuNUg0NDB6IE01OTEuNiwzMTcuOXY0Ny43aC0xNS45djE1LjhoMTUuOXYzMS44aC00Ny44di0zMS43SDUyOHYtMTUuOGgtMTUuOXY0Ny43aC00Ny44VjI4Ni4xDQoJaDEyNy4zVjMxNy45eiIvPg0KPC9zdmc+DQo=)](https://www.flatcar.org/)
-[![Discord](https://img.shields.io/badge/Discord-Chat%20with%20us!-5865F2?logo=discord)](https://discord.gg/PMYjFUsJyq)
-[![Matrix](https://img.shields.io/badge/Matrix-Chat%20with%20us!-green?logo=matrix)](https://app.element.io/#/room/#flatcar:matrix.org)
-[![Slack](https://img.shields.io/badge/Slack-Chat%20with%20us!-4A154B?logo=slack)](https://kubernetes.slack.com/archives/C03GQ8B5XNJ)
-[![Twitter Follow](https://img.shields.io/twitter/follow/flatcar?style=social)](https://x.com/flatcar)
-[![Mastodon Follow](https://img.shields.io/badge/Mastodon-Follow-6364FF?logo=mastodon)](https://hachyderm.io/@flatcar)
-[![Bluesky](https://img.shields.io/badge/Bluesky-Follow-0285FF?logo=bluesky)](https://bsky.app/profile/flatcar.org)
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10926/badge)](https://www.bestpractices.dev/projects/10926)
-
-
-> **Note:** To file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
-</div>
-
 # Flatcar Container Linux SDK scripts
 
 Welcome to the scripts repo, your starting place for most things here in the Flatcar Container Linux SDK. To get started you can find our documentation on [the Flatcar docs website][flatcar-docs].
@@ -106,20 +91,6 @@ To clone the scripts repo and pick a version:
   * list releases (e.g. all Alpha releases): `git tag -l alpha-*`
   * check out the release version, e.g. `3033.0.0`: `git checkout 3033.0.0`
 
-### Working with forks
-
-When using GitHub's "fork" feature, please **make sure to fork all branches**, not just `main`. Forking only `main` is the default on GitHub.
-
-The SDK container wrapper script `run_sdk_container` requires release tags in our release branches and fails to start if no release branch is present (see e.g. https://github.com/flatcar/Flatcar/issues/1705).
-If you have forked manually, please make sure to include all tags. You can retrofit upstream tags to a fork by using e.g.:
-
-```bash
-git remote add upstream https://github.com/flatcar/scripts.git
-git fetch --tags upstream
-```
-
-This is necessary because the SDK uses `git describe --tags` to determine the current version, and forks don't include the original repository's tags by default.
-
 To use the SDK container:
 * Fetch image and start the SDK container: `./run_sdk_container -t`
   This will fetch the container image of the "scripts" repo's release version you checked out.
@@ -155,13 +126,3 @@ The script `./bootstrap_sdk_container` bootstraps a new SDK tarball using an exi
 # Automation stubs for continuous integration
 
 Script stubs for various build stages can be found in the [ci-automation](ci-automation) folder. These are helpful for gluing Flatcar Container Linux builds to a continuous integration system.
-
----
-
-## Community & Project Documentation
-
-- [Contributing Guidelines](CONTRIBUTING.md) — How to contribute, find issues, and submit pull requests
-- [Code of Conduct](CODE_OF_CONDUCT.md) — Standards for respectful and inclusive community participation
-- [Security Policy](SECURITY.md) — How to report vulnerabilities and security-related information
-- [Maintainers](MAINTAINERS.md) — Current project maintainers and their responsibilities
-- [Governance](GOVERNANCE.md) — Project governance model, decision-making process, and roles

SECURITY.md

@@ -1,15 +0,0 @@
-# Security Policy
-
-The Flatcar project takes security seriously. We appreciate your efforts to responsibly disclose your findings.
-
-For our full security policy, supported versions, and how to report a vulnerability, please see the [main Flatcar Security Policy](https://github.com/flatcar/Flatcar/blob/main/SECURITY.md).
-
-**Please do not open public issues for security vulnerabilities.**
-
----
-
-## Repository-Specific Security Notes
-
-Any security considerations specific to this repository will be listed here.
-
-<!-- Add repo-specific security notes below this line -->

bash_completion

@@ -106,28 +106,124 @@ _autotest_complete() {
   _complete_board_sysroot_flag && return 0
 }
 
-# Complete flatcar_workon's <command> argument.
+# Complete cros_workon's <command> argument.
 #
 # TODO(petkov): We should probably extract the list of commands from
-# flatcar_workon --help, just like we do for flags (see _flag_complete).
+# cros_workon --help, just like we do for flags (see _flag_complete).
 #
 # TODO(petkov): Currently, this assumes that the command is the first
 # argument. In practice, the command is the first non-flag
 # argument. I.e., this should be fixed to support something like
-# "flatcar_workon --all list".
-_complete_flatcar_workon_command() {
+# "cros_workon --all list".
+_complete_cros_workon_command() {
   [ ${COMP_CWORD} -eq 1 ] || return 1
   local command="${COMP_WORDS[1]}"
-  COMPREPLY=($(compgen -W "start stop list" -- "$command"))
+  COMPREPLY=($(compgen -W "start stop list iterate" -- "$command"))
   return 0
 }
 
-# Complete flatcar_workon arguments.
-_flatcar_workon() {
+# Prints the full path to the cros_workon executable, handling tilde
+# expansion for the current user.
+_cros_workon_executable() {
+  local cros_workon="${COMP_WORDS[0]}"
+  if [[ "$cros_workon" == '~/'* ]]; then
+    cros_workon="$HOME/${cros_workon#'~/'}"
+  fi
+  echo "$cros_workon"
+}
+
+# Lists the workon (or live, if --all is passed in) ebuilds. Lists
+# both the full names (e.g., chromeos-base/metrics) as well as just
+# the ebuild names (e.g., metrics).
+_cros_workon_list() {
+  local cros_workon=$(_cros_workon_executable)
+  ${cros_workon} list $1 | sed 's,\(.\+\)/\(.\+\),\1/\2 \2,'
+}
+
+# Completes the current cros_workon argument assuming it's a
+# package/ebuild name.
+_complete_cros_workon_package() {
+  [ ${COMP_CWORD} -gt 1 ] || return 1
+  local package="${COMP_WORDS[COMP_CWORD]}"
+  local command="${COMP_WORDS[1]}"
+  # If "start", complete based on all workon packages.
+  if [[ ${command} == "start" ]]; then
+    COMPREPLY=($(compgen -W "$(_cros_workon_list --all)" -- "$package"))
+    return 0
+  fi
+  # If "stop" or "iterate", complete based on all live packages.
+  if [[ ${command} == "stop" ]] || [[ ${command} == "iterate" ]]; then
+    COMPREPLY=($(compgen -W "$(_cros_workon_list)" -- "$package"))
+    return 0
+  fi
+  return 1
+}
+
+# Complete cros_workon arguments.
+_cros_workon() {
   COMPREPLY=()
   _flag_complete && return 0
   _complete_board_sysroot_flag && return 0
-  _complete_flatcar_workon_command && return 0
+  _complete_cros_workon_command && return 0
+  _complete_cros_workon_package && return 0
+  return 0
+}
+
+_list_repo_commands() {
+  local repo=${COMP_WORDS[0]}
+  "$repo" help --all | grep -E '^  ' | sed 's/  \([^ ]\+\) .\+/\1/'
+}
+
+_list_repo_branches() {
+  local repo=${COMP_WORDS[0]}
+  "$repo" branches 2>&1 | grep \| | sed 's/[ *][Pp ] *\([^ ]\+\) .*/\1/'
+}
+
+_list_repo_projects() {
+  local repo=${COMP_WORDS[0]}
+  "$repo" manifest -o /dev/stdout 2> /dev/null \
+    | grep 'project name=' \
+    | sed 's/.\+name="\([^"]\+\)".\+/\1/'
+}
+
+# Complete repo's <command> argument.
+_complete_repo_command() {
+  [ ${COMP_CWORD} -eq 1 ] || return 1
+  local command=${COMP_WORDS[1]}
+  COMPREPLY=($(compgen -W "$(_list_repo_commands)" -- "$command"))
+  return 0
+}
+
+_complete_repo_arg() {
+  [ ${COMP_CWORD} -gt 1 ] || return 1
+  local command=${COMP_WORDS[1]}
+  local current=${COMP_WORDS[COMP_CWORD]}
+  if [[ ${command} == "abandon" ]]; then
+    if [[ ${COMP_CWORD} -eq 2 ]]; then
+      COMPREPLY=($(compgen -W "$(_list_repo_branches)" -- "$current"))
+    else
+      COMPREPLY=($(compgen -W "$(_list_repo_projects)" -- "$current"))
+    fi
+    return 0
+  fi
+  if [[ ${command} == "help" ]]; then
+    [ ${COMP_CWORD} -eq 2 ] && \
+      COMPREPLY=($(compgen -W "$(_list_repo_commands)" -- "$current"))
+    return 0
+  fi
+  if [[ ${command} == "start" ]]; then
+    [ ${COMP_CWORD} -gt 2 ] && \
+      COMPREPLY=($(compgen -W "$(_list_repo_projects)" -- "$current"))
+    return 0
+  fi
+  return 1
+}
+
+# Complete repo arguments.
+_complete_repo() {
+  COMPREPLY=()
+  _complete_repo_command && return 0
+  _complete_repo_arg && return 0
   return 0
 }
 
@@ -138,7 +234,8 @@ complete -o bashdefault -o default -F _board_sysroot \
   image_to_usb.sh \
   mod_image_for_test.sh
 complete -o bashdefault -o default -o nospace -F _autotest_complete autotest
-complete -F _flatcar_workon flatcar_workon
+complete -F _cros_workon cros_workon
+complete -F _complete_repo repo
 
 ###  Local Variables:
 ###  mode: shell-script

bootstrap_sdk

@@ -4,30 +4,48 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
-# This uses Gentoo's catalyst for very thoroughly building images from scratch.
+# This uses Gentoo's catalyst for very thoroughly building images from
+# scratch. Using images based on this will eliminate some of the hackery
+# in make_chroot.sh for building up the sdk from a stock stage3 tarball.
+# 
 # For reference the procedure it performs is this:
+# 
+# 1. snapshot: Grab a snapshot of the portage-stable repo from
+#     the current SDK's /var/lib/gentoo/repos/gentoo.
+#     Alternatively, check out a git ref specified via --portage-ref.
 #
-# 1. seed: Take a recent SDK, dev container, or custom tarball as a seed to
-#     build stage 1 with. Before proceeding, update relevant packages that have
-#     changed sub-slot to avoid missing library issues later in the build.
-#
-# 2. stage1: Using the above seed tarball as a build environment, build a
-#     minimal root file system into a clean directory using ROOT=... and USE=-*
-#     The restricted USE flags are key be small and avoid circular dependencies.
+# 2. stage1: Using a "seed" tarball as a build environment, build a
+#     minimal root file system into a clean directory using ROOT=...
+#     and USE=-* The restricted USE flags are key be small and avoid
+#     circular dependencies.
 #     NOTE that stage1 LACKS PROPER STAGE ISOLATION. Binaries produced in stage1
-#     will be linked against the SEED SDK libraries, NOT against libraries built
-#     in stage 1.
+#      will be linked against the SEED SDK libraries, NOT against libraries
+#      built in stage 1. See "stage_repo()" documentation further below for more.
+#     This stage uses:
+#     - portage-stable from the SDK's /var/lib/gentoo/repos/gentoo
+#        or a custom path via --stage1_portage_path command line option
+#     - coreos-overlay  from the SDK's /var/lib/gentoo/repos/coreos-overlay
+#        or a custom path via --stage1_overlay_path command line option
+#     Command line option refs need caution though, since
+#     stage1 must not contain updated ebuilds (see build_stage1 below).
 #
-# 3. stage2: This is skipped as recommended by upstream Gentoo.
+# 3. stage2: Run portage-stable/scripts/bootstrap.sh
+#     This rebuilds the toolchain using Gentoo bootstrapping, ensuring it's not linked
+#     to or otherwise influenced by whatever was in the "seed" tarball.
+#     The toolchain rebuild may contain updated package ebuilds from
+#     third_party/(portage-stable|coreos-overlay).
+#     This and all following stages use portage-stable and coreos-overlay
+#     from third_party/... (see 1.)
 #
-# 4. stage3: Run emerge -e system to rebuild everything using the normal USE
-#     flags provided by the profile. This will also pull in assorted base system
-#     packages that weren't included in the minimal environment stage1 created.
+# 4. stage3: Run emerge -e system to rebuild everything using the fresh updated
+#     toolchain from 3., using the normal USE flags provided by the profile. This
+#     will also pull in assorted base system packages that weren't included
+#     in the minimal environment stage1 created.
 #
 # 5. stage4: Install any extra packages or other desired tweaks. For the
 #     sdk we just install all the packages normally make_chroot.sh does.
 #
-# Usage: bootstrap_sdk [stage1 stage3 etc]
+# Usage: bootstrap_sdk [stage1 stage2 etc]
 # By default all four stages will be built using the latest stage4 as a seed.
 
 SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
@@ -41,17 +59,24 @@ TYPE="flatcar-sdk"
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
 
 
+DEFINE_string stage1_portage_path "" \
+  "Path to custom portage ebuilds tree to use in stage 1 (DANGEROUS; USE WITH CAUTION)"
+DEFINE_string stage1_overlay_path "" \
+  "Path to custom overlay ebuilds tree to use in stage 1 (DANGEROUS; USE WITH CAUTION)"
+
+
 ## Define the stage4 config template
 catalyst_stage4() {
 cat <<EOF
+target: stage4
 pkgcache_path: $BINPKGS
 stage4/packages: coreos-devel/sdk-depends
 stage4/fsscript: ${BUILD_LIBRARY_DIR}/catalyst_sdk.sh
 stage4/root_overlay: ${ROOT_OVERLAY}
-stage4/empty: /root /var/cache/edb
+stage4/empty: /etc/portage/repos.conf /root /usr/portage /var/cache/edb
 stage4/rm: /etc/machine-id /etc/resolv.conf
 EOF
-catalyst_stage_default 4
+catalyst_stage_default
 }
 
 # Switch to HTTP because early boostrap stages do not have SSL support.
@@ -60,6 +85,7 @@ GENTOO_MIRRORS="${GENTOO_MIRRORS//https:\/\//http://}"
 export GENTOO_MIRRORS
 
 catalyst_init "$@"
+check_gsutil_opts
 ROOT_OVERLAY=${TEMPDIR}/stage4_overlay
 
 if [[ "$STAGES" =~ stage4 ]]; then
@@ -86,6 +112,124 @@ mkdir -p "${ROOT_OVERLAY}/tmp"
 chmod 1777 "${ROOT_OVERLAY}/tmp"
 cp "${BUILD_LIBRARY_DIR}/toolchain_util.sh" "${ROOT_OVERLAY}/tmp"
 
+
+# Stage 1 uses "known-good" ebuilds (from both coreos-overlay and portage-stable)
+#  to build a minimal toolchain (USE="-*") for stage 2.
+#
+# No package updates must happen in stage 1, so we use the portage-stable and
+#  coreos-overlay paths included with the current SDK (from the SDK chroot's
+#  /var/lib/gentoo/repos/). "Current SDK" refers to the SDK we entered with
+#  'cork enter', i.e. the SDK we run ./bootstrap_sdk in.
+#
+# Using ebuilds from the above mentioned sources will ensure that stage 1 builds
+#  a minimal stage 2 from known-good ebuild versions - the same ebuild versions
+#  that were used to build the very SDK we run ./bootstrap_sdk in.
+#
+# DANGER ZONE
+#
+# Stage 1 lacks proper isolation and will link all packages built for
+#  stage 2 against its own seed libraries ("/" in the catalyst chroot) instead of against libraries
+#  installed into the FS root of the stage 2 seed ("/tmp/stage1root" in the catalyst chroot).
+#  This is why we must prevent any updated package ebuilds to "leak" into stage 1, hence we use
+#  "known good" ebuild repo versions outlined above.
+#
+# In special circumstances it may be required to circumvent this and use custom paths
+#  for either (or both) portage and overlay. The command line options
+#  --stage1-portage-path and --stage1-overlay-path may be used to specify
+#  a repo path known to work for stage1. In that case the stage1 seed (i.e. the seed SDK)
+#  will be updated prior to starting to build stage 2.
+#  NOTE that this should never be used to introduce library updates in stage 1. All binaries
+#  produced in stage 1 are linked against libraries in the seed tarball, NOT libraries produced
+#  by stage one. Therefore, these binaries will cease to work in stage 2 when linked against
+#  outdated "seed tarball" libraries which have been updated to newer versions in stage 1.
+
+stage_repo() {
+    local repo="$1"
+    local path="$2"
+    local dest="$3"
+    local gitname="$repo"
+
+    if [ "$gitname" = "gentoo" ] ; then
+        gitname="portage-stable"
+    fi
+
+    if [ -z "$path" ]; then
+        cp -R "/var/gentoo/repos/${repo}" "$dest"
+        info "Using local SDK's ebuild repo '$repo' ('$gitname') in stage 1."
+    else
+        mkdir "$dest/$repo"
+        cp -R "${path}/"* "$dest/${repo}/"
+        info "Using custom path '$path' for ebuild repo '$repo' ('$gitname') in stage 1."
+        info "This may break stage 2. YOU HAVE BEEN WARNED. You break it, you keep it."
+    fi
+    (
+        set -euo pipefail
+        local repo_var hook name
+
+        # FLAGS_coreos_overlay for gitname coreos-overlay
+        repo_var="FLAGS_${gitname//-/_}"
+        shopt -s nullglob
+        for hook in "${FLAGS_coreos_overlay}/coreos/stage1_hooks/"*"-${gitname}.sh"; do
+            name=${hook##*/}
+            name=${name%"-${gitname}.sh"}
+            info "Invoking stage1 ${gitname} hook ${name} on ${dest}/${repo}"
+            "${hook}" "${dest}/${repo}" "${!repo_var}"
+        done
+    )
+}
+
+build_stage1() {
+    # First, write out the default 4-stage catalyst configuration files
+    write_configs
+
+    # Prepare local copies of both the "known-good" portage-stable and the
+    #  "known-good" coreos-overlay ebuild repos
+    local stage1_repos="$TEMPDIR/stage1-ebuild-repos"
+    info "Creating stage 1 ebuild repos and stage 1 snapshot in '$stage1_repos'"
+    rm -rf "$stage1_repos"
+    mkdir "$stage1_repos"
+
+    # prepare ebuild repos for stage 1, either from the local SDK (default)
+    #  or from custom paths specified via command line flags
+    stage_repo "gentoo" "${FLAGS_stage1_portage_path}" "$stage1_repos"
+    stage_repo "coreos-overlay" "${FLAGS_stage1_overlay_path}" "$stage1_repos"
+
+    # Create a snapshot of "known-good" portage-stable repo copy for use in stage 1
+    #  This requires us to create a custom catalyst config to point it to the
+    #  repo copy we just created, for snapshotting.
+    catalyst_conf > "$TEMPDIR/catalyst-stage1.conf"
+    sed -i "s:^portdir.*:portdir=\"$stage1_repos/gentoo\":" \
+         "$TEMPDIR/catalyst-stage1.conf"
+    # take the "portage directory" (portage-stable copy) snapshot
+    catalyst \
+        "${DEBUG[@]}" \
+        --verbose \
+        --config "$TEMPDIR/catalyst-stage1.conf" \
+        --snapshot "$FLAGS_version-stage1"
+
+    # Update the stage 1 spec to use the "known-good" portage-stable snapshot
+    #  and coreos-overlay copy repository versions from above.
+    sed -i -e "s/^snapshot:.*/snapshot: $FLAGS_version-stage1/" \
+           -e "s,^portage_overlay:.*,portage_overlay: $stage1_repos/coreos-overlay," \
+        "$TEMPDIR/stage1.spec"
+
+    # If we are to use a custom path for either ebuild repo we want to update the stage1 seed SDK
+    if [ -n "${FLAGS_stage1_portage_path}" -o -n "${FLAGS_stage1_overlay_path}" ] ; then
+        sed -i 's/^update_seed: no/update_seed: yes/' "$TEMPDIR/stage1.spec"
+        echo "update_seed_command: --update --deep --newuse --complete-graph --rebuild-if-new-ver --rebuild-exclude cross-*-cros-linux-gnu/* sys-devel/gcc " \
+            >>"$TEMPDIR/stage1.spec"
+    fi
+
+    # Finally, build stage 1
+    build_stage stage1 "$SEED" "$TEMPDIR/catalyst-stage1.conf"
+}
+
+if [[ "$STAGES" =~ stage1 ]]; then
+    build_stage1
+    STAGES="${STAGES/stage1/}"
+    SEED="${TYPE}/stage1-${ARCH}-latest"
+fi
+
 catalyst_build
 
 if [[ "$STAGES" =~ stage4 ]]; then
@@ -107,6 +251,18 @@ if [[ "$STAGES" =~ stage4 ]]; then
     verify_digests "${release_image}" "${release_contents}"
 
     info "SDK ready: ${release_image}"
+
+    def_upload_path="${UPLOAD_ROOT}/sdk/${ARCH}/${FLAGS_version}"
+    sign_and_upload_files "tarball" "${def_upload_path}" "" \
+        "${release_image}" "${release_contents}" "${release_digests}"
+    sign_and_upload_files "packages" "${def_upload_path}" "pkgs/" \
+        "${BINPKGS}"/*
+
+    if [ -d "${BINPKGS}/crossdev" ]; then
+        # Upload the SDK toolchain packages
+        sign_and_upload_files "cross toolchain packages" "${def_upload_path}" \
+            "toolchain/" "${BINPKGS}/crossdev"/*
+    fi
 fi
 
 command_completed

bootstrap_sdk_container

@@ -11,7 +11,6 @@ source sdk_lib/sdk_container_common.sh
 
 seed_version=""
 target_version=""
-logdir=''
 
 declare -a cleanup
 
@@ -31,7 +30,6 @@ usage() {
     echo "      -x <cleanup-script> - For each resource generated during build (container etc.)"
     echo "                             add a cleanup line to <script> which, when run, will free"
     echo "                             the resource. Useful for CI."
-    echo "      -l <directory>      - Gather build logs here."
     echo "      -h                  - Print this help."
     echo
 }
@@ -40,7 +38,6 @@ usage() {
 while [ 0 -lt $# ] ; do
     case "$1" in
     -h) usage; exit 0;;
-    -l) logdir=${2}; shift 2;;
     -x) cleanup=("-x" "$2"); shift; shift;;
     *)  if [ -z "$seed_version" ] ; then
             seed_version="$1"
@@ -75,11 +72,8 @@ if $official; then
 fi
 
 # bootstrap_sdk needs FLATCAR_SDK_VERSION set to the seed version
-failed=''
 ./run_sdk_container "${cleanup[@]}" -V "$seed_version" -v "$target_version" \
-          sudo -E ./bootstrap_sdk || failed=x
+          sudo -E ./bootstrap_sdk
 
 # Update versionfile to the actual SDK version
 create_versionfile "${target_version}"
-
-if [[ -n ${failed} ]]; then exit 1; fi

build_dev_binpkgs

@@ -1,87 +0,0 @@
-#!/bin/bash
-# Copyright (c) 2023 by the Flatcar Maintainers.
-# Use of this source code is governed by the Apache 2.0 license.
-
-. "$(dirname "$0")/common.sh" || exit 1
-
-# Script must run inside the chroot
-assert_inside_chroot
-assert_not_root_user
-
-# Dependencies and packages to include by default.
-packages_default=( "coreos-devel/board-packages" )
-
-# Packages that are rdeps of the above but should not be included.
-# (mostly large packages, e.g. programming languages etc.)
-skip_packages_default="dev-lang/rust,dev-lang/rust-bin,dev-lang/go,dev-lang/go-bootstrap,dev-go/go-md2man"
-
-
-# Developer-visible flags.
-DEFINE_string board "${DEFAULT_BOARD}" \
-  "The board to build packages for."
-DEFINE_string skip_packages "${skip_packages_default}" \
-  "Comma-separated list of packages in the dependency tree to skip."
-DEFINE_boolean pretend "${FLAGS_FALSE}" \
-  "List packages that would be built but do not actually build."
-
-FLAGS_HELP="usage: $(basename "$0") [flags] [packages]
-
-build_dev_binpkgs builds binary packages for all dependencies of [packages]
-that are not present in '/build/<board>/var/lib/portage/pkgs/'.
-Useful for publishing a complete set of packages to a binhost.
-
-[packages] defaults to '${packages_default[*]}' if not specified.
-"
-
-# Parse command line
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Die on any errors.
-switch_to_strict_mode
-
-if [[ $# -eq 0 ]]; then
-  set -- "${packages_default[@]}"
-fi
-# --
-
-function my_board_emerge() {
-  PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
-}
-# --
-
-pkg_build_list=()
-pkg_skipped_list=()
-
-info "Collecting list of binpkgs to build"
-
-# Normally, BDEPENDs are only installed to the SDK, but the point of this script
-# is to install them to the board root because the dev container uses a board
-# profile. This is easily achieved using --root-deps. Since it is still the SDK
-# doing the building, which might have different package versions available to
-# the board profile, we have to be careful not to include SDK BDEPENDs in the
-# list of binary packages to publish, hence the sed call.
-while read -r pkg; do
-  [[ -f /build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2 ]] && continue
-  IFS=,
-  for s in ${FLAGS_skip_packages}; do
-    if [[ ${pkg} == ${s}-* ]] ; then
-      pkg_skipped_list+=("${pkg}")
-      continue 2
-    fi
-  done
-  unset IFS
-  pkg_build_list+=("=${pkg}")
-  echo "      =${pkg}"
-done < <(my_board_emerge --pretend --emptytree --root-deps "${@}" |
-         sed -n "/\[ebuild .* to \/build\/${FLAGS_board}\/ /s/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/p")
-# --
-
-if [[ ${#pkg_skipped_list[@]} -gt 0 ]]; then
-  info "Skipping binpkgs '${pkg_skipped_list[*]}' because these are in the skip list."
-fi
-
-pretend=""
-[[ ${FLAGS_pretend} -eq ${FLAGS_TRUE} ]] && pretend="--pretend"
-
-my_board_emerge --buildpkg ${pretend} "${pkg_build_list[@]}"

build_docker_aci

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Copyright (c) 2016 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This is a wrapper around the ebuild_aci_util.sh functions to set up the
+# necessary environment, similar to the build_image script.
+
+SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+# Script must run inside the chroot
+assert_inside_chroot
+
+assert_not_root_user
+
+# Developer-visible flags.
+DEFINE_string board "${DEFAULT_BOARD}" \
+  "The board to build an image for."
+DEFINE_string build_dir "" \
+  "Directory in which to place image result directories (named by version)"
+DEFINE_boolean getbinpkg "${FLAGS_FALSE}" \
+  "Download binary packages from remote repository."
+DEFINE_string getbinpkgver "" \
+  "Use binary packages from a specific version."
+
+FLAGS_HELP="USAGE: build_docker_aci [flags] [docker version] [aci version number].
+This script is used to build a CoreOS docker-skim ACI.
+
+The docker version should identify an existent ebuild (i.e.
+app-emulation/docker-\$version).
+
+The aci version number is an atomically incrementing number that will be
+appended to the aci version (to create e.g. :v1.12.6_coreos.0).
+
+Examples:
+
+build_docker_aci --board=amd64-usr --build_dir=<build_dir> 1.12.6 0
+...
+"
+show_help_if_requested "$@"
+
+# The following options are advanced options, only available to those willing
+# to read the source code. They are not shown in help output, since they are
+# not needed for the typical developer workflow.
+DEFINE_integer build_attempt 1 \
+  "The build attempt for this image build."
+DEFINE_string group "docker-aci" \
+  "The update group (not used for actual updates here)"
+DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
+  "Directory in which to place image result directories (named by version)"
+DEFINE_string version "" \
+  "Sets the docker version to build."
+DEFINE_integer aci_version "" \
+  "Sets the aci version tag identifier."
+
+# Parse command line.
+FLAGS "$@" || exit 1
+[ -z "${FLAGS_ARGV}" ] && echo 'No version given' && exit 0
+eval set -- "${FLAGS_ARGV}"
+
+version="${1:?Docker version}"
+aci_version="${2:?Docker version}"
+
+
+# Only now can we die on error.  shflags functions leak non-zero error codes,
+# so will die prematurely if 'switch_to_strict_mode' is specified before now.
+switch_to_strict_mode
+
+# If downloading packages is enabled ensure the board is configured properly.
+if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
+    "${SRC_ROOT}/scripts/setup_board" --board="${FLAGS_board}" \
+      --getbinpkgver="${FLAGS_getbinpkgver}" --regen_configs_only
+fi
+
+# N.B.  Ordering matters for some of the libraries below, because
+# some of the files contain initialization used by later files.
+. "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/prod_image_util.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/ebuild_aci_util.sh" || exit 1
+
+BUILD_DIR=${FLAGS_build_dir:-$BUILD_DIR}
+
+case "${version}" in
+    1.12.[0-9]*)
+        packaged_files=( 
+            "/usr/bin/docker"
+            "/usr/bin/dockerd"
+            "/usr/bin/docker-containerd"
+            "/usr/bin/docker-containerd-shim"
+            "/usr/bin/docker-proxy"
+            "/usr/bin/docker-runc"
+            "/usr/lib/flatcar/dockerd"
+        )
+        ebuild_aci_create "users.developer.core-os.net/skim/docker" \
+            "coreos_docker-${BOARD}-${version}_coreos.${aci_version}" \
+            "app-emulation/docker" \
+            "${version}" \
+            "${aci_version}" \
+            "${packaged_files[@]}"
+        ;;
+    *)
+        1>&2 echo "Unrecognized version; please enter a supported version"
+        exit 1
+        ;;
+esac

build_image

@@ -33,24 +33,24 @@ DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
   "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar|app-containers/containerd,docker-flatcar|app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx" \
-  "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
+DEFINE_string torcx_manifest "${DEFAULT_BUILD_ROOT}/torcx/${DEFAULT_BOARD}/latest/torcx_manifest.json" \
+  "The torcx manifest describing torcx packages for this image (or blank for none)"
+DEFINE_string torcx_root "${DEFAULT_BUILD_ROOT}/torcx" \
+  "Directory in which torcx packages can be found. Will update the default --torcx_manifest if set."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
   "Directory in which to place image result directories (named by version)"
 DEFINE_string disk_layout "" \
   "The disk layout type to use for this image."
 DEFINE_string group "${DEFAULT_GROUP}" \
   "The update group."
+DEFINE_boolean generate_update "${FLAGS_FALSE}" \
+  "Generate update payload. (prod only)"
 DEFINE_boolean extract_update "${FLAGS_TRUE}" \
-  "Extract the /usr partition for generating updates. Only valid for the prod image."
-DEFINE_boolean generate_update "${FLAGS_TRUE}" \
-  "Generate update payload for testing. The update is signed with a dev key. The kernel is signed with a dev key (unofficial builds) or not at all (official builds). Only valid for the prod image. Implies --extract_update."
+  "Extract the /usr partition for generating updates."
 DEFINE_string developer_data "" \
   "Insert a custom cloudinit file into the image."
 DEFINE_string devcontainer_binhost "${DEFAULT_DEVCONTAINER_BINHOST}" \
   "Override portage binhost configuration used in development container."
-DEFINE_string oem_sysexts "everything!" \
-  "A comma-separated list of OEMs to build, by default build all the OEM sysexts. Used only if building OEM sysexts"
 
 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
@@ -62,12 +62,10 @@ different forms.  This scripts can be used to build the following:
 prod - Production image for CoreOS. This image is for booting (default if no argument is given).
 prodtar - Production container tar ball (implies prod). This can e.g. be used to run the Flatcar production image as a container (run machinectl import-tar or docker import).
 container - Developer image with single filesystem, bootable by nspawn.
-sysext - Build extra sysexts (podman, python, zfs, etc.).
-oem_sysext - Build OEM sysexts for all supported platforms.
 
 Examples:
 
-build_image --board=<board> [prod] [prodtar] [container] [sysext] [oem_sysext] - builds developer and production images/tars.
+build_image --board=<board> [prod] [prodtar] [container] - builds developer and production images/tars.
 ...
 "
 show_help_if_requested "$@"
@@ -85,12 +83,19 @@ DEFINE_string version "" \
 # Parse command line.
 FLAGS "$@" || exit 1
 
-eval set -- "${FLAGS_ARGV:-prod oem_sysext}"
+eval set -- "${FLAGS_ARGV:-prod}"
 
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'switch_to_strict_mode' is specified before now.
 switch_to_strict_mode
 
+check_gsutil_opts
+
+# Patch around default values not being able to depend on other flags.
+if [ "x${FLAGS_torcx_manifest}" = "x${DEFAULT_BUILD_ROOT}/torcx/${DEFAULT_BOARD}/latest/torcx_manifest.json" ]; then
+  FLAGS_torcx_manifest="${FLAGS_torcx_root}/${FLAGS_board}/latest/torcx_manifest.json"
+fi
+
 # If downloading packages is enabled ensure the board is configured properly.
 if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
   "${SRC_ROOT}/scripts/setup_board" --board="${FLAGS_board}" \
@@ -105,22 +110,17 @@ fi
 . "${BUILD_LIBRARY_DIR}/prod_image_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/dev_container_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/torcx_manifest.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/vm_image_util.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 
 PROD_IMAGE=0
 PROD_TAR=0
 CONTAINER=0
-SYSEXT=0
-OEM_SYSEXT=0
 for arg in "$@"; do
   case "${arg}" in
     prod) PROD_IMAGE=1 ;;
     prodtar) PROD_IMAGE=1 PROD_TAR=1 ;;
     container) CONTAINER=1 ;;
-    sysext) SYSEXT=1 ;;
-    oem_sysext) OEM_SYSEXT=1 ;;
     *)    die_notrace "Unknown image type ${arg}" ;;
   esac
 done
@@ -132,7 +132,7 @@ if [[ ${skip_test_build_root} -ne 1 ]]; then
 fi
 
 # Handle existing directory.
-if [[ -e "${BUILD_DIR}" ]] && [[ "${PROD_IMAGE}" = 1 ]]; then
+if [[ -e "${BUILD_DIR}" ]]; then
   if [[ ${FLAGS_replace} -eq ${FLAGS_TRUE} ]]; then
     sudo rm -rf "${BUILD_DIR}"
   else
@@ -146,11 +146,6 @@ fi
 # Create the output directory and temporary mount points.
 mkdir -p "${BUILD_DIR}"
 
-# --generate_update implies --extract_update.
-if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
-  FLAGS_extract_update=${FLAGS_TRUE}
-fi
-
 DISK_LAYOUT="${FLAGS_disk_layout:-base}"
 CONTAINER_LAYOUT="${FLAGS_disk_layout:-container}"
 
@@ -180,25 +175,20 @@ fi
 
 if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   IMAGE_BUILD_TYPE="prod"
-  create_prod_image ${FLATCAR_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group} ${FLAGS_base_pkg} ${FLAGS_base_sysexts}
-  if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
+  create_prod_image ${FLATCAR_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group} ${FLAGS_base_pkg}
+  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
+    generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" ${DISK_LAYOUT}
+  elif [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
     extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
-  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
-  fi
   if [[ "${PROD_TAR}" -eq 1 ]]; then
     create_prod_tar ${FLATCAR_PRODUCTION_IMAGE_NAME}
   fi
 fi
-if [[ "${SYSEXT}" -eq 1 ]]; then
-  create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
-fi
-if [[ "${OEM_SYSEXT}" -eq 1 ]]; then
-  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_oem_sysexts}"
-fi
 
-if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
+if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]] || \
+   [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]
+then
   zip_update_tools
 fi
 
@@ -214,6 +204,8 @@ FLATCAR_BUILD_ID="${FLATCAR_BUILD_ID}"
 FLATCAR_SDK_VERSION=${FLATCAR_SDK_VERSION}
 EOF
 
+upload_image "${BUILD_DIR}/version.txt"
+
 # Create a named symlink.
 set_build_symlinks latest "${FLAGS_group}-latest"
 
@@ -240,3 +232,5 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
 fi
 
 command_completed
+
+

build_library/build_image_util.sh

@@ -19,9 +19,6 @@ fi
 BUILD_DIR="${FLAGS_output_root}/${BOARD}/${IMAGE_SUBDIR}"
 OUTSIDE_OUTPUT_DIR="../build/images/${BOARD}/${IMAGE_SUBDIR}"
 
-source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
-source "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
-
 set_build_symlinks() {
     local build=$(basename ${BUILD_DIR})
     local link
@@ -61,34 +58,34 @@ delete_prompt() {
 extract_update() {
   local image_name="$1"
   local disk_layout="$2"
-  local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
+  local update_path="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
+  local digest_path="${update_path}.DIGESTS"
 
   "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
-    extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}"
+    extract "${BUILD_DIR}/${image_name}" "USR-A" "${update_path}"
 
   # Compress image
-  files_to_evaluate+=( "${update}" )
-  compress_disk_images files_to_evaluate
-}
+  files_to_evaluate+=( "${update_path}" )
+  declare -a compressed_images
+  declare -a extra_files
+  compress_disk_images files_to_evaluate compressed_images extra_files
 
-generate_update() {
-  local image_name="$1"
-  local disk_layout="$2"
-  local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz"
-  local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
-  local devkey="/usr/share/update_engine/update-payload-key.key.pem"
+  # Upload compressed image
+  upload_image -d "${digest_path}" "${compressed_images[@]}" "${extra_files[@]}"
 
-  # Extract the partition if it isn't extracted already.
-  [[ -s ${update} ]] ||
-    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
-      extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}"
+  # Upload legacy digests
+  upload_legacy_digests "${digest_path}" compressed_images
 
-  echo "Generating update payload, signed with a dev key"
+  # For production as well as dev builds we generate a dev-key-signed update
+  # payload for running tests (the signature won't be accepted by production systems).
+  local update_test="${BUILD_DIR}/flatcar_test_update.gz"
   delta_generator \
-      -private_key "${devkey}" \
-      -new_image "${update}" \
-      -new_kernel "${image_kernel}" \
-      -out_file "${BUILD_DIR}/flatcar_test_update.gz"
+      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
+      -new_image "${update_path}" \
+      -new_kernel "${BUILD_DIR}/${image_name%.bin}.vmlinuz" \
+      -out_file "${update_test}"
+
+  upload_image "${update_test}"
 }
 
 zip_update_tools() {
@@ -97,9 +94,42 @@ zip_update_tools() {
 
   info "Generating update tools zip"
   # Make sure some vars this script needs are exported
-  local -x REPO_MANIFESTS_DIR=${REPO_MANIFESTS_DIR} SCRIPTS_DIR=${SCRIPTS_DIR}
+  export REPO_MANIFESTS_DIR SCRIPTS_DIR
   "${BUILD_LIBRARY_DIR}/generate_au_zip.py" \
     --arch "$(get_sdk_arch)" --output-dir "${BUILD_DIR}" --zip-name "${update_zip}"
+
+  upload_image "${BUILD_DIR}/${update_zip}"
+}
+
+generate_update() {
+  local image_name="$1"
+  local disk_layout="$2"
+  local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz"
+  local update_prefix="${image_name%_image.bin}_update"
+  local update="${BUILD_DIR}/${update_prefix}"
+  local devkey="/usr/share/update_engine/update-payload-key.key.pem"
+
+  echo "Generating update payload, signed with a dev key"
+  "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
+    extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}.bin"
+  delta_generator \
+      -private_key "${devkey}" \
+      -new_image "${update}.bin" \
+      -new_kernel "${image_kernel}" \
+      -out_file "${update}.gz"
+
+  # Compress image
+  declare -a files_to_evaluate
+  declare -a compressed_images
+  declare -a extra_files
+  files_to_evaluate+=( "${update}.bin" )
+  compress_disk_images files_to_evaluate compressed_images extra_files
+
+  # Upload images
+  upload_image -d "${update}.DIGESTS" "${update}".{gz,zip} "${compressed_images[@]}" "${extra_files[@]}"
+
+  # Upload legacy digests
+  upload_legacy_digests "${update}.DIGESTS" compressed_images
 }
 
 # ldconfig cannot generate caches for non-native arches.
@@ -126,7 +156,7 @@ run_localedef() {
     loader=( "${root_fs_dir}/usr/lib64/ld-linux-x86-64.so.2" \
                --library-path "${root_fs_dir}/usr/lib64" );;
   *)
-    die "Unable to run localedef for ARCH ${ARCH}";;
+    die "Unable to run localedev for ARCH ${ARCH}";;
   esac
   info "Generating C.UTF-8 locale..."
   local i18n="${root_fs_dir}/usr/share/i18n"
@@ -134,7 +164,6 @@ run_localedef() {
   # check that the paths we want are available first.
   [[ -f "${i18n}/charmaps/UTF-8.gz" ]] || die
   [[ -f "${i18n}/locales/C" ]] || die
-  sudo mkdir -p "${root_fs_dir}/usr/lib/locale"
   sudo I18NPATH="${i18n}" "${loader[@]}" "${root_fs_dir}/usr/bin/localedef" \
       --prefix="${root_fs_dir}" --charmap=UTF-8 --inputfile=C C.UTF-8
 }
@@ -150,14 +179,9 @@ emerge_to_image() {
   fi
 
   sudo -E ROOT="${root_fs_dir}" \
-      FEATURES="-ebuild-locks -merge-wait" \
+      FEATURES="-ebuild-locks" \
       PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
-      emerge \
-      --usepkgonly \
-      --binpkg-respect-use=y \
-      --jobs="${NUM_JOBS}" \
-      --verbose \
-      "$@"
+      emerge --root-deps=rdeps --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
 
   # Shortcut if this was just baselayout
   [[ "$*" == *sys-apps/baselayout ]] && return
@@ -171,6 +195,26 @@ emerge_to_image() {
       test_image_content "${root_fs_dir}"
 }
 
+# emerge_to_image without a rootfs check; you should use emerge_to_image unless
+# here's a good reason not to.
+emerge_to_image_unchecked() {
+  local root_fs_dir="$1"; shift
+
+  if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
+    set -- --getbinpkg "$@"
+  fi
+
+  sudo -E ROOT="${root_fs_dir}" \
+      PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
+      emerge --root-deps=rdeps --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
+
+  # Shortcut if this was just baselayout
+  [[ "$*" == *sys-apps/baselayout ]] && return
+
+  # Make sure profile.env has been generated
+  sudo -E ROOT="${root_fs_dir}" env-update --no-ldconfig
+}
+
 # Switch to the dev or prod sub-profile
 set_image_profile() {
   local suffix="$1"
@@ -195,6 +239,65 @@ systemd_enable() {
   sudo ln -sf "../${unit_file}" "${wants_dir}/${unit_alias}"
 }
 
+# Generate a ls-like listing of a directory tree.
+# The ugly printf is used to predictable time format and size in bytes.
+write_contents() {
+    info "Writing ${2##*/}"
+    pushd "$1" >/dev/null
+    # %M - file permissions
+    # %n - number of hard links to file
+    # %u - file's user name
+    # %g - file's group name
+    # %s - size in bytes
+    # %Tx - modification time (Y - year, m - month, d - day, H - hours, M - minutes)
+    # %P - file's path
+    # %l - symlink target (empty if not a symlink)
+    sudo TZ=UTC find -printf \
+        '%M %2n %-7u %-7g %7s %TY-%Tm-%Td %TH:%TM ./%P -> %l\n' \
+        | sed -e 's/ -> $//' > "$2"
+    popd >/dev/null
+}
+
+# Generate a listing that can be used by other tools to analyze
+# image/file size changes.
+write_contents_with_technical_details() {
+    info "Writing ${2##*/}"
+    pushd "$1" >/dev/null
+    # %M - file permissions
+    # %D - ID of a device where file resides
+    # %i - inode number
+    # %n - number of hard links to file
+    # %s - size in bytes
+    # %P - file's path
+    sudo find -printf \
+        '%M %D %i %n %s ./%P\n' > "$2"
+    popd >/dev/null
+}
+
+# Generate a report like the following:
+#
+# File    Size  Used Avail Use% Type
+# /boot   127M   62M   65M  50% vfat
+# /usr    983M  721M  212M  78% ext2
+# /       6,0G   13M  5,6G   1% ext4
+# SUM     7,0G  796M  5,9G  12% -
+write_disk_space_usage() {
+    info "Writing ${2##*/}"
+    pushd "${1}" >/dev/null
+    # The sed's first command turns './<path>' into '/<path> ', second
+    # command replaces '- ' with 'SUM' for the total row. All this to
+    # keep the numbers neatly aligned in columns.
+    sudo df \
+         --human-readable \
+         --total \
+         --output='file,size,used,avail,pcent,fstype' \
+         ./boot ./usr ./ | \
+        sed \
+            -e 's#^\.\(/[^ ]*\)#\1 #' \
+            -e 's/^-  /SUM/' >"${2}"
+    popd >/dev/null
+}
+
 # "equery list" a potentially uninstalled board package
 query_available_package() {
     local pkg="$1"
@@ -213,8 +316,8 @@ image_packages_portage() {
     ROOT="$1" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
         equery --no-color list --format '$cpv::$repo' '*'
 }
-
-# List packages implicitly contained in rootfs, such as in initramfs.
+# List packages implicitly contained in rootfs, such as in torcx packages or
+# initramfs.
 image_packages_implicit() {
     local profile="${BUILD_DIR}/configroot/etc/portage/profile"
 
@@ -243,6 +346,11 @@ image_packages_implicit() {
             query_available_package "${pkg}"
         done < "${profile}/package.provided"
     fi
+
+    # Include source packages of all torcx images installed on disk.
+    [ -z "${FLAGS_torcx_manifest}" ] ||
+    torcx_manifest::sources_on_disk "${FLAGS_torcx_manifest}" |
+    while read pkg ; do query_available_package "${pkg}" ; done
 }
 
 # Generate a list of packages installed in an image.
@@ -262,7 +370,7 @@ write_packages() {
 # Generate an SPDX SBOM using syft
 write_sbom() {
     info "Writing ${2##*/}"
-    sudo syft scan "${1}" -o spdx-json="$2"
+    sudo syft packages "${1}" -o spdx-json="$2"
 }
 
 # Get metadata $key for package $pkg installed under $prefix
@@ -289,16 +397,18 @@ get_metadata() {
     if [ "${key}" = "SRC_URI" ]; then
         local package_name="$(echo "${pkg%%:*}" | cut -d / -f 2)"
         local ebuild_path="${prefix}/var/db/pkg/${pkg%%:*}/${package_name}.ebuild"
+        # SRC_URI is empty for the special github.com/flatcar projects
         if [ -z "${val}" ]; then
             # The grep invocation gives errors when the ebuild file is not present.
             # This can happen when the binary packages from ./build_packages are outdated.
-            val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
+            val="$(grep "CROS_WORKON_PROJECT=" "${ebuild_path}" | cut -d '"' -f 2)"
             if [ -n "${val}" ]; then
-                # If using git, then the package was probably pinned to a commit.
+                val="https://github.com/${val}"
+                # All github.com/flatcar projects specify their commit
                 local commit=""
-                commit="$(grep "EGIT_COMMIT=" "${ebuild_path}" | cut -d '"' -f 2)"
+                commit="$(grep "CROS_WORKON_COMMIT=" "${ebuild_path}" | cut -d '"' -f 2)"
                 if [ -n "${commit}" ]; then
-                    val="${val%.git}/commit/${commit}"
+                    val="${val}/commit/${commit}"
                 fi
             fi
         fi
@@ -307,13 +417,17 @@ get_metadata() {
             # Do not attempt to postprocess by resolving ${P} and friends because it does not affect production images
             val="$(cat "${ebuild_path}" | tr '\n' ' ' | grep -P -o 'SRC_URI=".*?"' | cut -d '"' -f 2)"
         fi
+        # Some packages use nothing from the above but EGIT_REPO_URI (currently only app-crypt/go-tspi)
+        if [ -z "${val}" ]; then
+            val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
+        fi
         # Replace all mirror://MIRRORNAME/ parts with the actual URL prefix of the mirror
         new_val=""
         for v in ${val}; do
             local mirror="$(echo "${v}" | grep mirror:// | cut -d '/' -f 3)"
             if [ -n "${mirror}" ]; then
                 # Take only first mirror, those not working should be removed
-                local location="$(grep "^${mirror}"$'\t' /mnt/host/source/src/third_party/portage-stable/profiles/thirdpartymirrors | cut -d $'\t' -f 2- | cut -d ' ' -f 1 | tr -d $'\t')"
+                local location="$(grep "^${mirror}"$'\t' /var/gentoo/repos/gentoo/profiles/thirdpartymirrors | cut -d $'\t' -f 2- | cut -d ' ' -f 1 | tr -d $'\t')"
                 v="$(echo "${v}" | sed "s#mirror://${mirror}/#${location}#g")"
             fi
             new_val+="${v} "
@@ -438,7 +552,8 @@ EOF
     license_list="$(jq -r '.[] | "\(.licenses | .[])"' "${json_input}" | sort | uniq)"
     local license_dirs=(
         "/mnt/host/source/src/third_party/coreos-overlay/licenses/"
-        "/mnt/host/source/src/third_party/portage-stable/licenses/"
+        "/mnt/host/source/src/third_party/portage-stable/"
+        "/var/gentoo/repos/gentoo/licenses/"
         "none"
     )
     for license_file in ${license_list}; do
@@ -458,6 +573,8 @@ EOF
 # Add /usr/share/SLSA reports for packages indirectly contained within the rootfs
 # If the package is available in BOARD_ROOT accesses it from there, otherwise
 # needs to download binpkg.
+# Reports for torcx packages are also included when adding the torcx package to
+# rootfs.
 insert_extra_slsa() {
   info "Inserting additional SLSA file"
   local rootfs="$1"
@@ -475,8 +592,7 @@ insert_extra_slsa() {
     if [ -f "${binpkg}" ]; then
       info "Found ${atom} at ${binpkg}"
       qtbz2 -O -t "${binpkg}" | \
-        lbzcat -d -c - | \
-        sudo tar -C "${rootfs}" -x --wildcards './usr/share/SLSA'
+        sudo tar -C "${rootfs}" -xj --wildcards './usr/share/SLSA'
       continue
     fi
     warn "Missing SLSA information for ${atom}"
@@ -485,7 +601,7 @@ insert_extra_slsa() {
 
 # Add an entry to the image's package.provided
 package_provided() {
-    local p profile="${BUILD_DIR}/configroot/etc/portage/profile"
+    local p profile="${BUILD_DIR}/configroot/etc/portage/profile"    
     for p in "$@"; do
         info "Writing $p to package.provided and soname.provided"
         echo "$p" >> "${profile}/package.provided"
@@ -562,12 +678,31 @@ finish_image() {
   local image_initrd_contents="${11}"
   local image_initrd_contents_wtd="${12}"
   local image_disk_space_usage="${13}"
-  local image_realinitrd_contents="${14}"
-  local image_realinitrd_contents_wtd="${15}"
 
   local install_grub=0
   local disk_img="${BUILD_DIR}/${image_name}"
 
+  # Copy in packages from the torcx store that are marked as being on disk
+  if [ -n "${FLAGS_torcx_manifest}" ]; then
+    for pkg in $(torcx_manifest::get_pkg_names "${FLAGS_torcx_manifest}"); do
+      local default_version="$(torcx_manifest::default_version "${FLAGS_torcx_manifest}" "${pkg}")"
+      for version in $(torcx_manifest::get_versions "${FLAGS_torcx_manifest}" "${pkg}"); do
+        local on_disk_path="$(torcx_manifest::local_store_path "${FLAGS_torcx_manifest}" "${pkg}" "${version}")"
+        if [[ -n "${on_disk_path}" ]]; then
+          local casDigest="$(torcx_manifest::get_digest "${FLAGS_torcx_manifest}" "${pkg}" "${version}")"
+          sudo cp "${FLAGS_torcx_root}/pkgs/${BOARD}/${pkg}/${casDigest}/${pkg}:${version}.torcx.tgz" \
+            "${root_fs_dir}${on_disk_path}"
+          sudo tar xf "${root_fs_dir}${on_disk_path}" -C "${root_fs_dir}" --wildcards "./usr/share/SLSA"
+          if [[ "${version}" == "${default_version}" ]]; then
+            # Create the default symlink for this package
+            sudo ln -fns "${on_disk_path##*/}" \
+              "${root_fs_dir}/${on_disk_path%/*}/${pkg}:com.coreos.cl.torcx.tgz"
+          fi
+        fi
+      done
+    done
+  fi
+
   # Only enable rootfs verification on prod builds.
   local disable_read_write="${FLAGS_FALSE}"
   if [[ "${IMAGE_BUILD_TYPE}" == "prod" ]]; then
@@ -624,7 +759,7 @@ finish_image() {
   # --allow-user=root
   # --allow-user=core
   mapfile -t allowed_users < <(grep '^COPY_USERS=' "${root_fs_dir}/sbin/flatcar-tmpfiles" | sed -e 's/.*="\([^"]*\)"/\1/' | tr '|' '\n' | sed -e 's/^/--allow-user=/')
-  mapfile -t allowed_groups < <(grep '^COPY_GROUPS=' "${root_fs_dir}/sbin/flatcar-tmpfiles" | sed -e 's/.*="\([^"]*\)"/\1/' | tr '|' '\n' | sed -e 's/^/--allow-group=/')
+  mapfile -t allowed_users < <(grep '^COPY_GROUPS=' "${root_fs_dir}/sbin/flatcar-tmpfiles" | sed -e 's/.*="\([^"]*\)"/\1/' | tr '|' '\n' | sed -e 's/^/--allow-group=/')
   sudo "${BUILD_LIBRARY_DIR}/gen_tmpfiles.py" --root="${root_fs_dir}" \
       --output="${root_fs_dir}/usr/lib/tmpfiles.d/base_image_var.conf" \
       "${ignores[@]}" "${allowed_users[@]}" "${allowed_groups[@]}" "${root_fs_dir}/var"
@@ -686,16 +821,9 @@ EOF
   done
   sudo "${root_fs_dir}"/usr/sbin/flatcar-tmpfiles "${root_fs_dir}"
   # Now that we used the tmpfiles for creating /etc we delete them because
-  # the L, d, D, and C entries cause upcopies. Also filter out rules with ! or - but no other modifiers
+  # the L, d, and C entries cause upcopies. Also filter out rules with ! or - but no other modifiers
   # like + or = which explicitly recreate files.
-  # But before filtering, first store rules that would recreate missing files
-  # to /usr/share/flatcar/etc-no-whiteouts so that we can ensure that
-  # no overlayfs whiteouts exist for these files (example: /etc/resolv.conf).
-  # These rules are combined with the + modifier in addition.
-  # Other rules like w, e, x, do not create files that don't exist.
-  # Note: '-' must come first in the modifier pattern.
-  grep -Ph '^[fcCdDLvqQpb][-=~^!+]*[ \t]*/etc' "${root_fs_dir}"/usr/lib/tmpfiles.d/* | grep -oP '/etc[^ \t]*' | sudo_clobber "${root_fs_dir}"/usr/share/flatcar/etc-no-whiteouts
-  sudo sed -i '/^[CdDL][-=~^!]*[ \t]*\/etc\//d' "${root_fs_dir}"/usr/lib/tmpfiles.d/*
+  sudo sed -i '/^[CLd]-*!*-*[ \t]*\/etc\//d' "${root_fs_dir}"/usr/lib/tmpfiles.d/*
 
   # SELinux: Label the root filesystem for using 'file_contexts'.
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
@@ -708,17 +836,6 @@ EOF
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 
-  # Temporary hack: set group ownership of /etc/{g,}shadow to the
-  # shadow group, that way unix_chkpwd, chage and expiry can act on
-  # those files.
-  #
-  # This permissions setting should likely be done in some ebuild, but
-  # currently files in /usr/share/baselayout are installed by the
-  # baselayout package, we don't want to add more deps to it.
-  sudo chgrp \
-      --reference="${root_fs_dir}/usr/bin/chage" \
-      "${root_fs_dir}"/{etc,usr/share/baselayout}/{g,}shadow
-
   # Backup the /etc contents to /usr/share/flatcar/etc to serve as
   # source for creating missing files. Make sure that the preexisting
   # /usr/share/flatcar/etc does not have any meaningful (non-empty)
@@ -728,54 +845,22 @@ EOF
   if [[ $(sudo find "${root_fs_dir}/usr/share/flatcar/etc" -size +0 ! -type d 2>/dev/null | wc -l) -gt 0 ]]; then
     die "Unexpected non-empty files in ${root_fs_dir}/usr/share/flatcar/etc"
   fi
-  # Some backwards-compat symlinks still use this folder as target,
-  # we can't remove it yet
   sudo rm -rf "${root_fs_dir}/usr/share/flatcar/etc"
   sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/share/flatcar/etc"
-  # Now set up a default confext and enable it.
-  # It's important to use dm-verity not only for stricter image policies
-  # but also because it allows us the refresh to identify this image and
-  # skip setting it up again in the final boot, which not only saves us
-  # a daemon-reload during boot but also from /etc contents shortly
-  # disappearing until systemd-sysext uses mount beneath for an atomic
-  # remount. Instead of a temporary directory we first prepare it as
-  # folder and then convert it to a DDI and remove the folder.
-  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
-  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
-  # Do a copy because we keep /etc for the flatcar (.tar) container and the developer container
-  sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc"
-  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/"
-  echo ID=_any | sudo tee "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/extension-release.00-flatcar-default" > /dev/null
-  sudo systemd-repart \
-    --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
-    --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
-    --make-ddi=confext \
-    --copy-source="${root_fs_dir}/usr/lib/confexts/00-flatcar-default" \
-    "${root_fs_dir}/usr/lib/confexts/00-flatcar-default.raw"
-  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
 
-  # Remove the rootfs state as it should be recreated through tmpfiles
-  # (and for /etc we use a confext) and may not be present on updating machines.
-  # This makes sure our tests cover the case of missing files in the
+  # Remove the rootfs state as it should be recreated through the
+  # tmpfiles and may not be present on updating machines. This
+  # makes sure our tests cover the case of missing files in the
   # rootfs and don't rely on the new image. Not done for the developer
   # container.
   if [[ -n "${image_kernel}" ]]; then
     local folder
+    # Everything except /boot and /usr because they are mountpoints and /lost+found because e2fsck expects it
     for folder in "${root_fs_dir}/"*; do
-      case "${folder#"${root_fs_dir}"}" in
-        /boot|/usr|/oem)
-          # Keep those because they are mountpoints, so not really
-          # parts of the rootfs state.
-          :
-          ;;
-        /lost+found)
-          # Keep lost+found because e2fsck expects it.
-          :
-          ;;
-        *)
-          sudo rm --one-file-system -rf "${folder}"
-          ;;
-      esac
+      if [ "${folder}" = "${root_fs_dir}/boot" ] || [ "${folder}" = "${root_fs_dir}/usr" ] || [ "${folder}" = "${root_fs_dir}/lost+found" ]; then
+        continue
+      fi
+      sudo rm --one-file-system -rf "${folder}"
     done
   else
     # For the developer container we still need to remove the resolv.conf symlink to /run
@@ -809,11 +894,13 @@ EOF
         seek=${verity_offset} count=64 bs=1 status=none
   fi
 
-  # Sign the kernel after /usr is in a consistent state and verity is
-  # calculated. Only for unofficial builds as official builds get signed later.
+  # Sign the kernel after /usr is in a consistent state and verity is calculated
   if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
-    cleanup_sbsign_certs
+      sudo sbsign --key /usr/share/sb_keys/DB.key \
+	   --cert /usr/share/sb_keys/DB.crt \
+	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"
+      sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \
+	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"
   fi
 
   if [[ -n "${image_kernel}" ]]; then
@@ -868,7 +955,7 @@ EOF
 
     info "Generating $pcr_policy"
     pushd "${BUILD_DIR}" >/dev/null
-    zip --quiet -r -9 "${pcr_policy}" pcrs
+    zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs
     popd >/dev/null
     rm -rf "${BUILD_DIR}/pcrs"
   fi
@@ -893,20 +980,6 @@ EOF
       rm -rf "${BUILD_DIR}/tmp_initrd_contents"
   fi
 
-  if [[ -n ${image_realinitrd_contents} || -n ${image_realinitrd_contents_wtd} ]]; then
-        mkdir -p "${BUILD_DIR}/tmp_initrd_contents"
-        sudo mount "${root_fs_dir}/usr/lib/flatcar/bootengine.img" "${BUILD_DIR}/tmp_initrd_contents"
-        if [[ -n ${image_realinitrd_contents} ]]; then
-            write_contents "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents}"
-        fi
-
-        if [[ -n ${image_realinitrd_contents_wtd} ]]; then
-            write_contents_with_technical_details "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents_wtd}"
-        fi
-        sudo umount "${BUILD_DIR}/tmp_initrd_contents"
-        rm -rf "${BUILD_DIR}/tmp_initrd_contents"
-    fi
-
   if [[ -n "${image_disk_space_usage}" ]]; then
       write_disk_space_usage "${root_fs_dir}" "${BUILD_DIR}/${image_disk_space_usage}"
   fi
@@ -914,67 +987,3 @@ EOF
   cleanup_mounts "${root_fs_dir}"
   trap - EXIT
 }
-
-sbsign_image() {
-  local image_name="$1"
-  local disk_layout="$2"
-  local root_fs_dir="$3"
-  local image_kernel="$4"
-  local pcr_policy="$5"
-  local image_grub="$6"
-
-  local disk_img="${BUILD_DIR}/${image_name}"
-  local EFI_ARCH
-
-  case "${BOARD}" in
-    amd64-usr) EFI_ARCH="x64" ;;
-    arm64-usr) EFI_ARCH="aa64" ;;
-    *) die "Unknown board ${BOARD@Q}" ;;
-  esac
-
-  "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
-      mount "${disk_img}" "${root_fs_dir}"
-  trap "cleanup_mounts '${root_fs_dir}'; cleanup_sbsign_certs" EXIT
-
-  # Sign the kernel with the shim-embedded key.
-  do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
-
-  if [[ -n "${image_kernel}" ]]; then
-    # copying kernel from vfat so ignore the permissions
-    cp --no-preserve=mode \
-        "${root_fs_dir}/boot/flatcar/vmlinuz-a" \
-        "${BUILD_DIR}/${image_kernel}"
-  fi
-
-  # Sign GRUB and mokmanager(mm) with the shim-embedded key.
-  do_sbsign --output "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi"{,}
-  do_sbsign --output "${root_fs_dir}/boot/EFI/boot/mm${EFI_ARCH}.efi"{,}
-
-  # copying from vfat so ignore permissions
-  if [[ -n "${image_grub}" ]]; then
-    cp --no-preserve=mode "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi" \
-        "${BUILD_DIR}/${image_grub}"
-  fi
-
-  if [[ -n "${pcr_policy}" ]]; then
-    mkdir -p "${BUILD_DIR}/pcrs"
-    "${BUILD_LIBRARY_DIR}"/generate_kernel_hash.py \
-        "${root_fs_dir}/boot/flatcar/vmlinuz-a" "${FLATCAR_VERSION}" \
-        >"${BUILD_DIR}/pcrs/kernel.config"
-  fi
-
-  cleanup_mounts "${root_fs_dir}"
-  cleanup_sbsign_certs
-  trap - EXIT
-
-  if [[ -n "${pcr_policy}" ]]; then
-    "${BUILD_LIBRARY_DIR}"/generate_grub_hashes.py \
-        "${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" "${FLATCAR_VERSION}"
-
-    info "Generating $pcr_policy"
-    pushd "${BUILD_DIR}" >/dev/null
-    zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs
-    popd >/dev/null
-    rm -rf "${BUILD_DIR}/pcrs"
-  fi
-}

build_library/catalyst.sh

@@ -55,15 +55,17 @@ DEFINE_boolean debug ${FLAGS_FALSE} "Enable verbose output from catalyst."
 catalyst_conf() {
 cat <<EOF
 # catalyst.conf
-digests=["md5", "sha1", "sha512", "blake2b"]
-options=["pkgcache"]
+contents="auto"
+digests="md5 sha1 sha512 whirlpool"
+hash_function="crc32"
+options="pkgcache"
 sharedir="/usr/share/catalyst"
 storedir="$CATALYST_ROOT"
 distdir="$DISTDIR"
 envscript="$TEMPDIR/catalystrc"
 port_logdir="$CATALYST_ROOT/log"
-repo_basedir="/mnt/host/source/src/third_party"
-repo_name="portage-stable"
+portdir="$FLAGS_portage_stable"
+snapshot_cache="$CATALYST_ROOT/tmp/snapshot_cache"
 EOF
 }
 
@@ -80,42 +82,61 @@ export ac_cv_posix_semaphores_enabled=yes
 EOF
 }
 
-# Common values for all stage spec files. Takes a stage number and,
-# optionally, a profile name as parameters.
+repos_conf() {
+cat <<EOF
+[DEFAULT]
+main-repo = portage-stable
+
+[coreos]
+location = /var/gentoo/repos/local
+
+[portage-stable]
+location = /var/gentoo/repos/gentoo
+EOF
+}
+
+# Common values for all stage spec files
 catalyst_stage_default() {
 cat <<EOF
-target: stage$1
 subarch: $ARCH
 rel_type: $TYPE
 portage_confdir: $TEMPDIR/portage
-repos: $FLAGS_coreos_overlay
-keep_repos: portage-stable coreos-overlay
-profile: ${2:-$FLAGS_profile}
-snapshot_treeish: $FLAGS_version
+portage_overlay: $FLAGS_coreos_overlay
+profile: $FLAGS_profile
+snapshot: $FLAGS_version
 version_stamp: $FLAGS_version
 cflags: -O2 -pipe
 cxxflags: -O2 -pipe
 ldflags: -Wl,-O2 -Wl,--as-needed
-source_subpath: ${SEED}
 EOF
 }
 
 # Config values for each stage
 catalyst_stage1() {
 cat <<EOF
+target: stage1
 # stage1 packages aren't published, save in tmp
 pkgcache_path: ${TEMPDIR}/stage1-${ARCH}-packages
-update_seed: yes
-update_seed_command: --exclude cross-*-cros-linux-gnu/* --exclude dev-lang/rust --exclude dev-lang/rust-bin --ignore-world y --ignore-built-slot-operator-deps y @changed-subslot
+update_seed: no
 EOF
-catalyst_stage_default 1 "${FLAGS_profile}/transition"
+catalyst_stage_default
+}
+
+catalyst_stage2() {
+cat <<EOF
+target: stage2
+# stage2 packages aren't published, save in tmp
+pkgcache_path: ${TEMPDIR}/stage2-${ARCH}-packages
+EOF
+catalyst_stage_default
 }
 
 catalyst_stage3() {
 cat <<EOF
+target: stage3
 pkgcache_path: $BINPKGS
 EOF
-catalyst_stage_default 3
+catalyst_stage_default
 }
 
 catalyst_stage4() {
@@ -136,15 +157,13 @@ catalyst_init() {
     switch_to_strict_mode
     eval set -- "${FLAGS_ARGV}"
 
-    local stage
-
     if [[ -n "${FORCE_STAGES}" ]]; then
         STAGES="${FORCE_STAGES}"
     elif [[ $# -eq 0 ]]; then
-        STAGES="stage1 stage3 stage4"
+        STAGES="stage1 stage2 stage3 stage4"
     else
         for stage in "$@"; do
-            if [[ ! "$stage" =~ ^stage[134]$ ]]; then
+            if [[ ! "$stage" =~ ^stage[1234]$ ]]; then
                 die_notrace "Invalid target name $stage"
             fi
         done
@@ -159,11 +178,6 @@ catalyst_init() {
         die_notrace "catalyst not found, not installed or bad PATH?"
     fi
 
-    # Before doing anything else, ensure we have at least Catalyst 4.
-    if catalyst --version | grep -q "Catalyst [0-3]\."; then
-        emerge --verbose "--jobs=${NUM_JOBS}" --oneshot ">=dev-util/catalyst-4" || exit 1
-    fi
-
     DEBUG=()
     if [[ ${FLAGS_debug} -eq ${FLAGS_TRUE} ]]; then
         DEBUG=("--debug")
@@ -191,8 +205,8 @@ catalyst_init() {
     # so far so good, expand path to work with weird comparison code below
     FLAGS_seed_tarball=$(readlink -f "$FLAGS_seed_tarball")
 
-    if [[ ! "$FLAGS_seed_tarball" =~ .\.tar\.(bz2|xz) ]]; then
-        die_notrace "Seed tarball doesn't end in .tar.bz2 or .tar.xz :-/"
+    if [[ ! "$FLAGS_seed_tarball" =~ .*\.tar\.bz2 ]]; then
+        die_notrace "Seed tarball doesn't end in .tar.bz2 :-/"
     fi
 
     # catalyst is obnoxious and wants the $TYPE/stage3-$VERSION part of the
@@ -200,41 +214,47 @@ catalyst_init() {
     # directory under $TEMPDIR instead, aka the SEEDCACHE feature.)
     if [[ "$FLAGS_seed_tarball" =~ "$CATALYST_ROOT/builds/".* ]]; then
         SEED="${FLAGS_seed_tarball#$CATALYST_ROOT/builds/}"
-        SEED="${SEED%.tar.*}"
+        SEED="${SEED%.tar.bz2}"
     else
         mkdir -p "$CATALYST_ROOT/builds/seed"
         cp -n "$FLAGS_seed_tarball" "$CATALYST_ROOT/builds/seed"
         SEED="seed/${FLAGS_seed_tarball##*/}"
-        SEED="${SEED%.tar.*}"
+        SEED="${SEED%.tar.bz2}"
     fi
 }
 
 write_configs() {
     info "Creating output directories..."
-    mkdir -m 775 -p "$DISTDIR"
+    mkdir -m 775 -p "$TEMPDIR/portage/repos.conf" "$DISTDIR"
     chown portage:portage "$DISTDIR"
     info "Writing out catalyst configs..."
     info "    catalyst.conf"
     catalyst_conf > "$TEMPDIR/catalyst.conf"
     info "    catalystrc"
     catalystrc > "$TEMPDIR/catalystrc"
+    info "    portage/repos.conf/coreos.conf"
+    repos_conf > "$TEMPDIR/portage/repos.conf/coreos.conf"
     info "    stage1.spec"
     catalyst_stage1 > "$TEMPDIR/stage1.spec"
-
-    info "Configuring Portage..."
-    cp -r "${BUILD_LIBRARY_DIR}"/portage/ "${TEMPDIR}/"
-
-    ln -sfT '/mnt/host/source/src/third_party/coreos-overlay/coreos/user-patches' \
-        "${TEMPDIR}"/portage/patches
+    info "    stage2.spec"
+    catalyst_stage2 > "$TEMPDIR/stage2.spec"
+    info "    stage3.spec"
+    catalyst_stage3 > "$TEMPDIR/stage3.spec"
+    info "    stage4.spec"
+    catalyst_stage4 > "$TEMPDIR/stage4.spec"
+    info "Putting a symlink to user patches..."
+    ln -sfT '/var/gentoo/repos/local/coreos/user-patches' \
+        "$TEMPDIR/portage/patches"
 }
 
 build_stage() {
-    local stage catalyst_conf target_tarball
-
     stage="$1"
-    catalyst_conf="$TEMPDIR/catalyst.conf"
+    srcpath="$2"
+    catalyst_conf="$3"
     target_tarball="${stage}-${ARCH}-${FLAGS_version}.tar.bz2"
 
+    [ -z "$catalyst_conf" ] && catalyst_conf="$TEMPDIR/catalyst.conf"
+
     if [[ -f "$BUILDS/${target_tarball}" && $FLAGS_rebuild == $FLAGS_FALSE ]]
     then
         info "Skipping $stage, $target_tarball already exists."
@@ -242,32 +262,32 @@ build_stage() {
     fi
 
     info "Starting $stage"
-    # Clean up possible leftovers from possible previous runs
-    rm -rf "$TEMPDIR/$stage-${ARCH}-${FLAGS_version}"
     catalyst \
         "${DEBUG[@]}" \
         --verbose \
         --config "$TEMPDIR/catalyst.conf" \
-        --file "$TEMPDIR/${stage}.spec"
+        --file "$TEMPDIR/${stage}.spec" \
+        --cli "source_subpath=$srcpath"
+    # Catalyst doesn't clean up after itself...
+    rm -rf "$TEMPDIR/$stage-${ARCH}-${FLAGS_version}"
     ln -sf "$stage-${ARCH}-${FLAGS_version}.tar.bz2" \
         "$BUILDS/$stage-${ARCH}-latest.tar.bz2"
     info "Finished building $target_tarball"
 }
 
 build_snapshot() {
-    local repo_dir snapshot snapshots_dir snapshot_path
-
-    repo_dir=${1:-"${FLAGS_portage_stable}"}
-    snapshot=${2:-"${FLAGS_version}"}
-    snapshots_dir="${CATALYST_ROOT}/snapshots"
-    snapshot_path="${snapshots_dir}/portage-stable-${snapshot}.sqfs"
-    if [[ -f ${snapshot_path} && $FLAGS_rebuild == $FLAGS_FALSE ]]
+    local snapshot="portage-${FLAGS_version}.tar.bz2"
+    local snapshot_path="$CATALYST_ROOT/snapshots/${snapshot}"
+    if [[ -f "${snapshot_path}" && $FLAGS_rebuild == $FLAGS_FALSE ]]
     then
         info "Skipping snapshot, ${snapshot_path} exists"
     else
         info "Creating snapshot ${snapshot_path}"
-        mkdir -p "${snapshot_path%/*}"
-        tar -c -C "${repo_dir}" . | tar2sqfs "${snapshot_path}" -q -f -j1 -c gzip
+        catalyst \
+            "${DEBUG[@]}" \
+            --verbose \
+            --config "$TEMPDIR/catalyst.conf" \
+            --snapshot "$FLAGS_version"
     fi
 }
 
@@ -279,21 +299,25 @@ catalyst_build() {
     write_configs
     build_snapshot
 
-    local used_seed
-
     used_seed=0
     if [[ "$STAGES" =~ stage1 ]]; then
-        build_stage stage1
+        build_stage stage1 "$SEED"
+        used_seed=1
+    fi
+
+    if [[ "$STAGES" =~ stage2 ]]; then
+        if [[ $used_seed -eq 1 ]]; then
+            SEED="${TYPE}/stage1-${ARCH}-latest"
+        fi
+        build_stage stage2 "$SEED"
         used_seed=1
     fi
 
     if [[ "$STAGES" =~ stage3 ]]; then
         if [[ $used_seed -eq 1 ]]; then
-            SEED="${TYPE}/stage1-${ARCH}-latest"
+            SEED="${TYPE}/stage2-${ARCH}-latest"
         fi
-        info "    stage3.spec"
-        catalyst_stage3 > "$TEMPDIR/stage3.spec"
-        build_stage stage3
+        build_stage stage3 "$SEED"
         used_seed=1
     fi
 
@@ -301,12 +325,10 @@ catalyst_build() {
         if [[ $used_seed -eq 1 ]]; then
             SEED="${TYPE}/stage3-${ARCH}-latest"
         fi
-        info "    stage4.spec"
-        catalyst_stage4 > "$TEMPDIR/stage4.spec"
-        build_stage stage4
+        build_stage stage4 "$SEED"
         used_seed=1
     fi
 
     # Cleanup snapshots, we don't use them
-    rm -rf "$CATALYST_ROOT/snapshots/${FLAGS_portage_stable##*/}-${FLAGS_version}.sqfs"*
+    rm -rf "$CATALYST_ROOT/snapshots/portage-${FLAGS_version}.tar.bz2"*
 }

build_library/catalyst_sdk.sh

@@ -4,9 +4,6 @@ set -e
 source /tmp/chroot-functions.sh
 source /tmp/toolchain_util.sh
 
-ln -vsfT "$(portageq get_repo_path / coreos-overlay)/coreos/user-patches" \
-    /etc/portage/patches
-
 echo "Double checking everything is fresh and happy."
 run_merge -uDN --with-bdeps=y world
 
@@ -14,12 +11,20 @@ echo "Setting the default Python interpreter"
 eselect python update
 
 echo "Building cross toolchain for the SDK."
-configure_crossdev_overlay / /usr/local/portage/crossdev
+configure_crossdev_overlay / /tmp/crossdev
 
 for cross_chost in $(get_chost_list); do
     echo "Building cross toolchain for ${cross_chost}"
     PKGDIR="$(portageq envvar PKGDIR)/crossdev" \
         install_cross_toolchain "${cross_chost}" ${clst_myemergeopts}
+    PKGDIR="$(portageq envvar PKGDIR)/crossdev" \
+        install_cross_rust "${cross_chost}" ${clst_myemergeopts}
 done
 
-PKGDIR="$(portageq envvar PKGDIR)/crossdev" install_cross_rust ${clst_myemergeopts}
+echo "Saving snapshot of coreos-overlay repo for future SDK bootstraps"
+# Copy coreos-overlay, which is in /var/gentoo/repos/local/, into a
+# local directory.  /var/gentoo/repos/local/ is removed before archiving
+# and we want to keep a snapshot. This snapshot is used - alongside
+# /var/gentoo/repos/gentoo - by stage 1 of future bootstraps.
+mkdir -p /var/gentoo/repos/coreos-overlay
+cp -R /var/gentoo/repos/local/* /var/gentoo/repos/coreos-overlay

build_library/catalyst_toolchains.sh

@@ -28,40 +28,16 @@ build_target_toolchain() {
     local ROOT="/build/${board}"
     local SYSROOT="/usr/$(get_board_chost "${board}")"
 
-    function btt_emerge() {
-        # --root is required because run_merge overrides ROOT=
-        PORTAGE_CONFIGROOT="$ROOT" run_merge --root="$ROOT" --sysroot="$ROOT" "${@}"
-    }
+    mkdir -p "${ROOT}/usr"
+    cp -at "${ROOT}" "${SYSROOT}"/lib*
+    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include "${SYSROOT}"/usr/lib*
 
-    # install baselayout first so we have the basic directory
-    # structure for libraries and binaries copied from sysroot
-    btt_emerge --oneshot --nodeps sys-apps/baselayout
-
-    # copy libraries, binaries and header files from sysroot to root -
-    # sysroot may be using split-usr, whereas root does not, so take
-    # this into account
-    (
-        shopt -s nullglob
-        local d f
-        local -a files
-        for d in "${SYSROOT}"/{,usr/}{bin,sbin,lib*}; do
-            if [[ ! -d ${d} ]]; then
-                continue
-            fi
-            files=( "${d}"/* )
-            if [[ ${#files[@]} -gt 0 ]]; then
-                f=${d##*/}
-                cp -at "${ROOT}/usr/${f}" "${files[@]}"
-            fi
-        done
-        cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include
-    )
-
-    btt_emerge --update "${TOOLCHAIN_PKGS[@]}"
-    unset -f btt_emerge
+    # --root is required because run_merge overrides ROOT=
+    PORTAGE_CONFIGROOT="$ROOT" \
+        run_merge -u --root="$ROOT" --sysroot="$ROOT" "${TOOLCHAIN_PKGS[@]}"
 }
 
-configure_crossdev_overlay / /usr/local/portage/crossdev
+configure_crossdev_overlay / /tmp/crossdev
 
 for board in $(get_board_list); do
     echo "Building native toolchain for ${board}"

build_library/check_root

@@ -107,6 +107,7 @@ IGNORE_SHEBANG = (
     "*/python[0-9].[0-9][0-9]/cgi.py",
     "*/usr/lib64/modules/*/source/scripts/*",
     "*/usr/lib/modules/*/source/scripts/*",
+    "*/usr/share/nova-agent/*/etc/gentoo/nova-agent",
     "*/tmp/*",
     "*/Documentation/*",
     "*/doc/*",

build_library/dev_container_util.sh

@@ -38,27 +38,26 @@ CHOST=$(get_board_chost $BOARD)
 DISTDIR="/var/lib/portage/distfiles"
 PKGDIR="/var/lib/portage/pkgs"
 PORT_LOGDIR="/var/log/portage"
-PORTAGE_BINHOST="$(get_binhost_url "${binhost}" "${update_group}" 'pkgs')"
+PORTAGE_BINHOST="$(get_binhost_url "${binhost}" "${update_group}" 'pkgs')
+$(get_binhost_url "${binhost}" "${update_group}" 'toolchain')"
 EOF
 
-    sudo_clobber "${root_fs_dir}/etc/portage/repos.conf/portage-stable.conf" <<EOF
+    sudo_clobber "${root_fs_dir}/etc/portage/repos.conf/coreos.conf" <<EOF
 [DEFAULT]
 main-repo = portage-stable
 
+[coreos]
+location = /var/lib/portage/coreos-overlay
+
 [portage-stable]
 location = /var/lib/portage/portage-stable
-EOF
-
-    sudo_clobber "${root_fs_dir}/etc/portage/repos.conf/coreos-overlay.conf" <<EOF
-[coreos-overlay]
-location = /var/lib/portage/coreos-overlay
 EOF
 
     # Now set the correct profile, we do not use the eselect tool - it
     # does not seem to be usable outside of the chroot without using
     # deprecated PORTDIR and PORTDIR_OVERLAY environment variables.
     local profile_name=$(get_board_profile "${BOARD}")
-    # Turn coreos-overlay:coreos/amd64/generic into coreos/amd64/generic/dev
+    # Turn coreos:coreos/amd64/generic into coreos/amd64/generic/dev
     profile_name="${profile_name#*:}/dev"
     local profile_directory="${root_fs_dir}/var/lib/portage/coreos-overlay/profiles/${profile_name}"
     if [[ ! -d "${profile_directory}" ]]; then
@@ -81,9 +80,7 @@ create_dev_container() {
   fi
 
   info "Building developer image ${image_name}"
-  # The "dev-image-rootfs" directory name is important - it is used to
-  # determine the package target in coreos/base/profile.bashrc
-  local root_fs_dir="${BUILD_DIR}/dev-image-rootfs"
+  local root_fs_dir="${BUILD_DIR}/rootfs"
   local image_contents="${image_name%.bin}_contents.txt"
   local image_contents_wtd="${image_name%.bin}_contents_wtd.txt"
   local image_packages="${image_name%.bin}_packages.txt"
@@ -116,6 +113,20 @@ create_dev_container() {
   finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 
   declare -a files_to_evaluate
+  declare -a compressed_images
+  declare -a extra_files
+
   files_to_evaluate+=( "${BUILD_DIR}/${image_name}" )
-  compress_disk_images files_to_evaluate
+  compress_disk_images files_to_evaluate compressed_images extra_files
+
+  upload_image -d "${BUILD_DIR}/${image_name}.DIGESTS" \
+      "${BUILD_DIR}/${image_contents}" \
+      "${BUILD_DIR}/${image_contents_wtd}" \
+      "${BUILD_DIR}/${image_packages}" \
+      "${BUILD_DIR}/${image_licenses}" \
+      "${compressed_images[@]}" \
+      "${extra_files[@]}"
+
+  # Upload legacy digests
+  upload_legacy_digests "${BUILD_DIR}/${image_name}.DIGESTS" compressed_images
 }

build_library/disk_layout.json

@@ -13,10 +13,10 @@
         "label":"EFI-SYSTEM",
         "fs_label":"EFI-SYSTEM",
         "type":"efi",
-        "blocks":"2097152",
+        "blocks":"262144",
         "fs_type":"vfat",
         "mount":"/boot",
-        "features": []
+        "features": ["hybrid"]
       },
       "2":{
         "label":"BIOS-BOOT",
@@ -27,11 +27,9 @@
         "label":"USR-A",
         "uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132",
         "type":"flatcar-rootfs",
-        "blocks":"4194304",
-        "extract_blocks":"2097152",
+        "blocks":"2097152",
         "fs_blocks":"260094",
-        "fs_type":"btrfs",
-        "fs_compression":"zstd",
+        "fs_type":"ext2",
         "mount":"/usr",
         "features": ["prioritize", "verity"]
       },
@@ -39,8 +37,7 @@
         "label":"USR-B",
         "uuid":"e03dd35c-7c2d-4a47-b3fe-27f15780a57c",
         "type":"flatcar-rootfs",
-        "blocks":"4194304",
-        "extract_blocks":"2097152",
+        "blocks":"2097152",
         "fs_blocks":"262144"
       },
       "5":{
@@ -53,10 +50,10 @@
         "label":"OEM",
         "fs_label":"OEM",
         "type":"data",
-        "blocks":"2097152",
+        "blocks":"262144",
         "fs_type":"btrfs",
         "fs_compression":"zlib",
-        "mount":"/oem"
+        "mount":"/usr/share/oem"
       },
       "7":{
         "label":"OEM-CONFIG",
@@ -72,7 +69,7 @@
         "label":"ROOT",
         "fs_label":"ROOT",
         "type":"flatcar-resize",
-        "blocks":"3653632",
+        "blocks":"4427776",
         "fs_type":"ext4",
         "mount":"/"
       }
@@ -88,7 +85,7 @@
       "9":{
         "label":"ROOT",
         "fs_label":"ROOT",
-        "blocks":"50876416"
+        "blocks":"58875904"
       }
     },
     "vagrant":{
@@ -98,6 +95,14 @@
         "blocks":"33845248"
       }
     },
+    "onmetal":{
+      "7":{
+        "label":"config-2",
+        "fs_label":"config-2",
+        "type":"data",
+        "fs_type":"ext2"
+      }
+    },
     "container":{
       "1":{
         "type":"blank"
@@ -129,6 +134,13 @@
         "type":"0fc63daf-8483-4772-8e79-3d69d8477de4",
         "blocks":"12582912"
       }
+    },
+    "interoute":{
+      "9":{
+        "label":"ROOT",
+        "fs_label":"ROOT",
+        "blocks":"33845248"
+      }
     }
   }
 }

build_library/disk_util

@@ -40,10 +40,10 @@ def LoadPartitionConfig(options):
       '_comment', 'type', 'num', 'label', 'blocks', 'block_size', 'fs_blocks',
       'fs_block_size', 'fs_type', 'features', 'uuid', 'part_alignment', 'mount',
       'binds', 'fs_subvolume', 'fs_bytes_per_inode', 'fs_inode_size', 'fs_label',
-      'fs_compression', 'extract_blocks'))
+      'fs_compression'))
   integer_layout_keys = set((
       'blocks', 'block_size', 'fs_blocks', 'fs_block_size', 'part_alignment',
-      'fs_bytes_per_inode', 'fs_inode_size', 'extract_blocks'))
+      'fs_bytes_per_inode', 'fs_inode_size'))
   required_layout_keys = set(('type', 'num', 'label', 'blocks'))
 
   filename = options.disk_layout_file
@@ -136,13 +136,6 @@ def LoadPartitionConfig(options):
       part.setdefault('fs_block_size', metadata['fs_block_size'])
       part.setdefault('fs_blocks', part['bytes'] // part['fs_block_size'])
       part['fs_bytes'] = part['fs_blocks'] * part['fs_block_size']
-      # The partition may specify extract_blocks to limit what content gets
-      # extracted. The use case is the /usr partition where we can grow the
-      # partition but can't directly grow the filesystem and the update
-      # payload until all (or most) nodes are running the partition layout
-      # with the grown /usr partition (which can take a few years).
-      if part.get('extract_blocks', None):
-        part['extract_bytes'] = part['extract_blocks'] * metadata['block_size']
 
       if part['fs_bytes'] > part['bytes']:
         raise InvalidLayout(
@@ -610,7 +603,7 @@ def Mount(options):
     if options.read_only or ('verity' in mount.get('features', []) and not options.writable_verity):
       mount_opts.append('ro')
       if mount.get('fs_type', None) == 'btrfs':
-        mount_opts.append('rescue=nologreplay')
+        mount_opts.append('norecovery')
 
     if mount.get('fs_subvolume', None):
       mount_opts.append('subvol=%s' % mount['fs_subvolume'])
@@ -750,29 +743,18 @@ def Tune(options):
   config, partitions = LoadPartitionConfig(options)
   GetPartitionTableFromImage(options, config, partitions)
   part = GetPartition(partitions, options.partition)
-  action_done = False
 
   if not part['image_compat']:
     raise InvalidLayout("Disk layout is incompatible with existing image")
 
   if options.disable2fs_rw is not None:
-    action_done = True
     if part.get('fs_type', None) in ('ext2', 'ext4'):
       Tune2fsReadWrite(options, part, options.disable2fs_rw)
     elif part.get('fs_type', None) == 'btrfs':
       ReadWriteSubvol(options, part, options.disable2fs_rw)
     else:
       raise Exception("Partition %s is not a ext2 or ext4 or btrfs" % options.partition)
-
-  if options.randomize_uuid is not None:
-    action_done = True
-    if part.get('fs_type', None) == 'btrfs':
-      with PartitionLoop(options, part) as loop_dev:
-        Sudo(['btrfstune', '-m', loop_dev])
-    else:
-      raise Exception("Partition %s is not btrfs" % options.partition)
-
-  if not action_done:
+  else:
     raise Exception("No options specified!")
 
 
@@ -806,7 +788,7 @@ def Verity(options):
                   '--hash-offset', part['fs_bytes'],
                   loop_dev, loop_dev]).decode('utf8')
       print(verityout.strip())
-      m = re.search(r'Root hash:\s+([a-f0-9]{64})$', verityout, re.IGNORECASE|re.MULTILINE)
+      m = re.search("Root hash:\s+([a-f0-9]{64})$", verityout, re.IGNORECASE|re.MULTILINE)
       if not m:
           raise Exception("Failed to parse verity output!")
 
@@ -830,7 +812,6 @@ def Extract(options):
   if not part['image_compat']:
     raise InvalidLayout("Disk layout is incompatible with existing image")
 
-  extract_size = part.get('extract_bytes', part['image_bytes'])
   subprocess.check_call(['dd',
                          'bs=10MB',
                          'iflag=count_bytes,skip_bytes',
@@ -839,7 +820,7 @@ def Extract(options):
                          'if=%s' % options.disk_image,
                          'of=%s' % options.output,
                          'skip=%s' % part['image_first_byte'],
-                         'count=%s' % extract_size])
+                         'count=%s' % part['image_bytes']])
 
 
 def GetPartitionByNumber(partitions, num):
@@ -1078,8 +1059,6 @@ def main(argv):
           help='disable mounting ext2 filesystems read-write')
   a.add_argument('--enable2fs_rw', action='store_false', dest='disable2fs_rw',
           help='re-enable mounting ext2 filesystems read-write')
-  a.add_argument('--randomize_uuid', action='store_true', default=None,
-                 help='randomize btrfs UUIDs in the partition')
   a.add_argument('disk_image', help='path to disk image file')
   a.add_argument('partition', help='number or label of partition to edit')
   a.set_defaults(func=Tune)

build_library/ebuild_aci_manifest.in

@@ -0,0 +1,14 @@
+{
+  "acKind": "ImageManifest",
+  "acVersion": "0.8.6",
+  "name": "@ACI_NAME@",
+  "labels": [
+    {"name": "arch", "value": "@ACI_ARCH@"},
+    {"name": "os", "value": "linux"},
+    {"name": "version", "value": "@ACI_VERSION@"}
+  ],
+  "app": {
+    "user": "0",
+    "group": "0"
+  }
+}

build_library/ebuild_aci_util.sh

@@ -0,0 +1,97 @@
+# Copyright (c) 2016 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Expects BOARD, BUILD_DIR, BUILD_LIBRARY_DIR, and FLATCAR_VERSION in env.
+
+# Copied from create_prod_image()
+create_ebuild_aci_image() {
+    local image_name="$1"
+    local disk_layout="$2"
+    local update_group="$3"
+    local pkg="$4"
+
+    info "Building ACI staging image ${image_name}"
+    local root_fs_dir="${BUILD_DIR}/rootfs"
+    local image_contents="${image_name%.bin}_contents.txt"
+    local image_packages="${image_name%.bin}_packages.txt"
+    local image_licenses="${image_name%.bin}_licenses.json"
+
+    start_image \
+        "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
+
+    # Install minimal GCC (libs only) and then everything else
+    extract_prod_gcc "${root_fs_dir}"
+
+    emerge_to_image_unchecked "${root_fs_dir}" "${pkg}"
+    run_ldconfig "${root_fs_dir}"
+    write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}"
+    write_licenses "${root_fs_dir}" "${BUILD_DIR}/${image_licenses}"
+    insert_licenses "${BUILD_DIR}/${image_licenses}" "${root_fs_dir}"
+
+    cleanup_mounts "${root_fs_dir}"
+    trap - EXIT
+}
+
+ebuild_aci_write_manifest() {
+    local manifest="${1?No output path was specified}"
+    local name="${2?No ACI name was specified}"
+    local version="${3?No ACI version was specified}"
+    local appc_arch=
+
+    case "${BOARD}" in
+        amd64-usr) appc_arch=amd64 ;;
+        arm64-usr) appc_arch=aarch64 ;;
+        *) die_notrace "Cannot map \"${BOARD}\" to an appc arch" ;;
+    esac
+
+    sudo cp "${BUILD_LIBRARY_DIR}/ebuild_aci_manifest.in" "${manifest}"
+    sudo sed "${manifest}" -i \
+        -e "s,@ACI_NAME@,${name}," \
+        -e "s,@ACI_VERSION@,${version}," \
+        -e "s,@ACI_ARCH@,${appc_arch},"
+}
+
+ebuild_aci_create() {
+    local aciroot="${BUILD_DIR}"
+    local aci_name="${1?No aci name was specified}"; shift
+    local output_image="${1?No output file specified}"; shift
+    local pkg="${1?No package given}"; shift
+    local version="${1?No package version given}"; shift
+    local extra_version="${1?No extra version number given}"; shift
+    local pkg_files=( "${@}" )
+
+    local staging_image="flatcar_pkg_staging_aci_stage.bin"
+
+    local ebuild_atom="=${pkg}-${version}"
+
+    local ebuild=$(equery-"${BOARD}" w "${ebuild_atom}" 2>/dev/null)
+    [ -n "${ebuild}" ] || die_notrace "No ebuild exists for ebuild \"${pkg}\""
+
+    # Build a staging image for this ebuild.
+    create_ebuild_aci_image "${staging_image}" container stable "${ebuild_atom}"
+
+    # Remount the staging image to brutalize the rootfs for broken services.
+    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=container \
+        mount "${BUILD_DIR}/${staging_image}" "${aciroot}/rootfs"
+    trap "cleanup_mounts '${aciroot}/rootfs' && delete_prompt" EXIT
+
+    # Substitute variables into the manifest to produce the final version.
+    ebuild_aci_write_manifest \
+        "${aciroot}/manifest" \
+        "${aci_name}" \
+        "${version}_flatcar.${extra_version}"
+
+    local pkg_files_in_rootfs=( "${pkg_files[@]/#/rootfs}" )
+
+    # Write a tar ACI file containing the manifest and desired parts of the mounted rootfs
+    sudo tar -C "${aciroot}" -hczf "${BUILD_DIR}/${output_image}.aci" \
+        manifest ${pkg_files_in_rootfs[@]}
+
+    # Unmount the staging image, and delete it to save space.
+    cleanup_mounts "${aciroot}/rootfs"
+    trap - EXIT
+    rm -f "${BUILD_DIR}/${staging_image}"
+
+    echo "Created aci for ${pkg}-${version}: ${BUILD_DIR}/${output_image}.aci"
+}

build_library/extra_sysexts.sh

@@ -1,13 +0,0 @@
-EXTRA_SYSEXTS=(
-  "overlaybd|sys-fs/overlaybd,app-containers/accelerated-container-image"
-  "incus|app-containers/incus"
-  "nvidia-drivers-535|x11-drivers/nvidia-drivers:0/535|-kernel-open persistenced|amd64"
-  "nvidia-drivers-535-open|x11-drivers/nvidia-drivers:0/535|kernel-open persistenced|amd64"
-  "nvidia-drivers-550|x11-drivers/old-nvidia-drivers:0/550|-kernel-open persistenced|amd64"
-  "nvidia-drivers-550-open|x11-drivers/old-nvidia-drivers:0/550|kernel-open persistenced|amd64"
-  "nvidia-drivers-570|x11-drivers/nvidia-drivers:0/570|-kernel-open persistenced|amd64"
-  "nvidia-drivers-570-open|x11-drivers/nvidia-drivers:0/570|kernel-open persistenced|amd64"
-  "podman|app-containers/podman,net-misc/passt"
-  "python|dev-lang/python,dev-python/pip"
-  "zfs|sys-fs/zfs"
-)

build_library/extract-initramfs-from-vmlinuz.sh

@@ -7,39 +7,51 @@
 # This will create one or more out-dir/rootfs-N directories that contain the contents of the initramfs.
 
 set -euo pipefail
-
-# check for xzcat. Will abort the script with an error message if the tool is not present.
-xzcat -V >/dev/null
-
+# check for unzstd. Will abort the script with an error message if the tool is not present.
+unzstd -V >/dev/null
 fail() {
     echo "${*}" >&2
     exit 1
 }
 
-find_xz_headers() {
-    grep --fixed-strings --text --byte-offset --only-matching $'\xFD\x37\x7A\x58\x5A\x00' "$1" | cut -d: -f1
+# Stolen from extract-vmlinux and modified.
+try_decompress() {
+    local header="${1}"
+    local no_idea="${2}"
+    local tool="${3}"
+    local image="${4}"
+    local tmp="${5}"
+    local output_basename="${6}"
+
+    local pos
+    local tool_filename=$(echo "${tool}" | cut -f1 -d' ')
+    # The obscure use of the "tr" filter is to work around older versions of
+    # "grep" that report the byte offset of the line instead of the pattern.
+
+    # Try to find the header and decompress from here.
+    for pos in $(tr "${header}\n${no_idea}" "\n${no_idea}=" < "${image}" |
+                     grep --text --byte-offset --only-matching "^${no_idea}")
+    do
+        pos=${pos%%:*}
+        # Disable error handling, because we will be potentially
+        # giving the tool garbage or a valid archive with some garbage
+        # appended to it. So let the tool extract the valid archive
+        # and then complain about the garbage at the end, but don't
+        # fail the script because of it.
+        set +e; tail "-c+${pos}" "${image}" | "${tool}" >"${tmp}/out" 2>/dev/null; set -e;
+        if [ -s "${tmp}/out" ]; then
+            mv "${tmp}/out" "${output_basename}-${tool_filename}-at-${pos}"
+        else
+            rm -f "${tmp}/out"
+        fi
+    done
 }
 
-decompress_at() {
-    # Data may not really be a valid xz, so allow for errors.
-    tail "-c+$((${2%:*} + 1))" "$1" | xzcat 2>/dev/null || true
-}
-
-try_extract() {
-    # cpio can do strange things when given garbage, so do a basic check.
-    [[ $(head -c6 "$1") == 070701 ]] || return 0
-
-    while {
-        # cpio needs the directory to exist first. Fail if it's already there.
-        { mkdir "${out}/rootfs-${ROOTFS_IDX}" || return $?; } &&
-        # There may be multiple concatenated archives so try cpio till it fails.
-        cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' 2>/dev/null
-    }; do
-        ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
-    done < "$1"
-
-    # Last cpio attempt may or may not leave an empty directory.
-    rmdir "${out}/rootfs-${ROOTFS_IDX}" 2>/dev/null || ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
+try_unzstd_decompress() {
+    local image="${1}"
+    local tmp="${2}"
+    local output_basename="${3}"
+    try_decompress '(\265/\375' xxx unzstd "${image}" "${tmp}" "${output_basename}"
 }
 
 me="${0##*/}"
@@ -53,22 +65,39 @@ if [[ ! -s "${image}" ]]; then
 fi
 mkdir -p "${out}"
 
-tmp=$(mktemp --directory -t eifv-XXXXXX)
-trap 'rm -rf -- "${tmp}"' EXIT
+tmp=$(mktemp --directory /tmp/eifv-XXXXXX)
+trap "rm -rf ${tmp}" EXIT
+
+tmp_dec="${tmp}/decompress"
+mkdir "${tmp_dec}"
+fr_prefix="${tmp}/first-round"
+
 ROOTFS_IDX=0
-
-# arm64 kernels are not compressed, so try decompressing once.
-# Other kernels are compressed, so also try decompressing twice.
-for OFF1 in $(find_xz_headers "${image}")
-do
-    decompress_at "${image}" "${OFF1}" > "${tmp}/initrd.maybe_cpio_or_elf"
-    try_extract "${tmp}/initrd.maybe_cpio_or_elf"
-
-    for OFF2 in $(find_xz_headers "${tmp}/initrd.maybe_cpio_or_elf")
-    do
-        decompress_at "${tmp}/initrd.maybe_cpio_or_elf" "${OFF2}" > "${tmp}/initrd.maybe_cpio"
-        try_extract "${tmp}/initrd.maybe_cpio"
+perform_round() {
+    local image="${1}"
+    local tmp_dec="${2}"
+    local round_prefix="${3}"
+    try_unzstd_decompress "${image}" "${tmp_dec}" "${round_prefix}"
+    for rnd in "${round_prefix}"*; do
+        if [[ $(file --brief "${rnd}") =~ 'cpio archive' ]]; then
+            mkdir -p "${out}/rootfs-${ROOTFS_IDX}"
+            while cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*'; do
+                ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
+                mkdir -p "${out}/rootfs-${ROOTFS_IDX}"
+            done <${rnd}
+            rmdir "${out}/rootfs-${ROOTFS_IDX}"
+        fi
     done
+}
+
+shopt -s nullglob
+perform_round "${image}" "${tmp_dec}" "${fr_prefix}"
+for fr in "${fr_prefix}"*; do
+    fr_files="${fr}-files"
+    fr_dec="${fr_files}/decompress"
+    mkdir -p "${fr_dec}"
+    sr_prefix="${fr_files}/second-round"
+    perform_round "${fr}" "${fr_dec}" "${sr_prefix}"
 done
 
 if [[ ${ROOTFS_IDX} -eq 0 ]]; then

build_library/flatcar-sb-dev-shim-2025.cert

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEPDCCAySgAwIBAgICCSkwDQYJKoZIhvcNAQELBQAwPTE7MDkGA1UEAxMyRmxhdGNhciBDb250
-YWluZXIgTGludXggU2VjdXJlIEJvb3QgRGV2ZWxvcG1lbnQgQ0EwHhcNMjUwMzIwMTE1NzI5WhcN
-MjgwMzIwMTE1NzI5WjBRMSAwHgYDVQQKExdGbGF0Y2FyIENvbnRhaW5lciBMaW51eDEtMCsGA1UE
-AxMkRmxhdGNhciBDb250YWluZXIgTGludXggU2hpbSBTaWduaW5nMIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEA1/GCCSfkqRgSgSqphcfkBgRVxhdhYwlTm4DMeIet/15kPEQ8h8zGm5Js
-DhYYBKJfeGCM36/pBFT61KcpOTcxuEg2VKm2zOLsGfxymZjWln1Y3nUPiWx6AY/CRM6g2vYgXYIj
-x40aJN73usdRmdk6mVssKMMokkYFuH7eOxgWCkGtBbu/UZ/MU0VfdAc12EIuk/K4LMjSFpOitH2x
-mAvFobB8YAYzwhVybNl8etXUS+I3HjCUAwl0ly/fv4Pjb8LODI22jkPV/2X1OxG59wHOxsiNSBvd
-8szcYAH49iHg2bMVljsjtnEA7b51r4I6HJWlvTOc9Z3+jVz9mPXVlh6GEOzSVMBV7KsxkWeQdoUf
-8cQm+tqdfG2xVJUAWCil7xZAk1/l5C2fWgkRHX7fmF71ZDWW240iJvKRuA1/MlU5HlZfQk0EjgYv
-VZpwklpygn5bHbzquFlqwDhmtypULfTZ/NHnf1ygRuzwi7n/RTlZMziveNIj/yJBXoXdHlta8yDo
-VfV8G/m19z+YPW3gET2H1UwU656axcw7wUspndmuZySqqHl0yTDi/B1s8lT8+VxK4dol+GVIvys3
-zD6/K5J11YbsGydogBWSjir60ObWzloPLd8cQ0OXwHddZy5fFrfHgoTfrCacAOvcYynmwoHLHwwQ
-RVtC/X7MH4R2fIcvtAUCAwEAAaMyMDAwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzAO
-BgNVHQ8BAf8EBAMCAb4wDQYJKoZIhvcNAQELBQADggEBAGdP0xWGtfrCwPTL/m/2dJDx0VWnMf7C
-sAHNmlTji7d7bO7tI7h5RVj664z2GUgjpYlnCMAiDqutG3Uksrxq59lXaV2q4em4clZtnIWPwJ5V
-UcySW5VePkTekJHzS27KjNG/l6audfutM6GkKIMjMxJE1M/a5v+FsHF9taFEJrjJDPRD7gi/c75H
-sqW8C0hwcm/6/+yaoQte6ufTZu1TFacbXPEp0cZ4JHjxILYxXNIn6x2PUFMFo1XLhjOAIC67AaUk
-/qNhqmhxD3yYhagamvPKN9mV0qlqv1tw61XYvJwL5eDfSgtQXCiZlXjQWu+lysF3p2pH7lyGdzGr
-19/6sbQ=
------END CERTIFICATE-----

build_library/generate_au_zip.py

@@ -22,6 +22,8 @@ SCRIPTS_DIR = os.environ['SCRIPTS_DIR']
 # GLOBALS
 STATIC_FILES = ['%s/version.txt' % REPO_MANIFESTS_DIR,
                 '%s/common.sh' % SCRIPTS_DIR,
+                '%s/core_pre_alpha' % SCRIPTS_DIR,
+                '%s/core_roller_upload' % SCRIPTS_DIR,
                 '%s/core_sign_update' % SCRIPTS_DIR,
                 ]
 
@@ -88,8 +90,8 @@ def _SplitAndStrip(data):
     if 'not found' in line:
       raise _LibNotFound(line)
     line = re.sub('.*not a dynamic executable.*', '', line)
-    line = re.sub(r'.* =>\s+', '', line)
-    line = re.sub(r'\(0x.*\)\s?', '', line)
+    line = re.sub('.* =>\s+', '', line)
+    line = re.sub('\(0x.*\)\s?', '', line)
     line = line.strip()
     if not len(line):
       continue

build_library/generate_grub_hashes.py

@@ -40,13 +40,13 @@ with open(os.path.join(outputdir, "grub_modules.config"), "w") as f:
     f.write(json.dumps({"9": {"binaryvalues": [{"prefix": "grub_module", "values": hashvalues}]}}))
 
 with open(os.path.join(outputdir, "kernel_cmdline.config"), "w") as f:
-    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": r"rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
+    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": "rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
 
-commands = [{"value": r'\[.*\]', "description": "Flatcar Grub configuration %s" % version},
+commands = [{"value": '\[.*\]', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'gptprio.next -d usr -u usr_uuid', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'insmod all_video', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set randomize_disk_guid --disk-uuid 00000000-0000-0000-0000-000000000001', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set oem --part-label OEM --hint hd0,gpt1', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'set .+', "description": "Flatcar Grub configuration %s" % version},

build_library/grub.cfg

@@ -9,9 +9,6 @@ insmod all_video
 
 # Default menuentry id and boot timeout
 set default="flatcar"
-# Retry default boot entry - this will decrement the gpt tries counter and
-# switch to previous entry when all attempts are exhausted.
-set fallback="0 0 0"
 set timeout=1
 
 # Default kernel args for root filesystem, console, and Flatcar.
@@ -26,6 +23,18 @@ set linux_append=""
 
 set secure_boot="0"
 
+if [ "$grub_platform" = "efi" ]; then
+   getenv -e SecureBoot -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b sb
+   getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
+   if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
+      set secure_boot="1"
+      getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
+      if [ "$gpgpubkey" != "" ]; then
+         trust_var gpgpubkey
+      fi
+   fi
+fi
+
 if [ "$net_default_server" != "" ]; then
    smbios --type 1 --get-uuid 8 --set uuid
    smbios --type 1 --get-string 7 --set serial
@@ -79,7 +88,7 @@ if [ -z "$linux_console" ]; then
         terminal_output console serial_com0
     elif [ "$grub_platform" = efi ]; then
         if [ "$grub_cpu" = arm64 ]; then
-            set linux_console="console=ttyAMA0,115200n8 console=tty0"
+            set linux_console="console=ttyAMA0,115200n8"
         else
             set linux_console="console=ttyS0,115200n8 console=tty0"
        fi
@@ -95,6 +104,13 @@ fi
 
 set suf=""
 
+# UEFI uses linuxefi/initrdefi instead of linux/initrd except for arm64
+if [ "$grub_platform" = efi ]; then
+  if [ "$grub_cpu" != arm64 ]; then
+    set suf="efi"
+  fi
+fi
+
 # Assemble the options applicable to all the kernels below
 set linux_cmdline="rootflags=rw mount.usrflags=ro consoleblank=0 $linux_root $linux_console $first_boot $randomize_disk_guid $extra_options $oem $linux_append"
 

build_library/grub_install.sh

@@ -35,54 +35,52 @@ switch_to_strict_mode
 # must be sourced after flags are parsed.
 . "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
-
-SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
-SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
 
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
+# GRUB install location inside the SDK
+GRUB_SRC="/usr/lib/grub/${FLAGS_target}"
+
 # Modules required to boot a standard CoreOS configuration
-CORE_MODULES=( normal search test fat part_gpt search_fs_uuid xzio search_part_label terminal gptprio configfile memdisk tar echo read btrfs )
+CORE_MODULES=( normal search test fat part_gpt search_fs_uuid gzio search_part_label terminal gptprio configfile memdisk tar echo read )
 
-SBAT_ARG=()
+# Name of the core image, depends on target
+CORE_NAME=
+
+# Whether the SDK's grub or the board root's grub is used. Once amd64 is
+# fixed up the board root's grub will always be used.
+BOARD_GRUB=0
 
 case "${FLAGS_target}" in
-    x86_64-efi)
-        EFI_ARCH="x64"
-        ;;
-    arm64-efi)
-        EFI_ARCH="aa64"
-        ;;
-esac
-
-case "${FLAGS_target}" in
-    x86_64-efi|arm64-efi)
-        GRUB_IMAGE="EFI/boot/grub${EFI_ARCH}.efi"
-        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
-        SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
-        ;;
     i386-pc)
-        GRUB_IMAGE="${GRUB_DIR}/core.img"
         CORE_MODULES+=( biosdisk serial )
+        CORE_NAME="core.img"
+        ;;
+    x86_64-efi)
+	CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet verify http tftp )
+        CORE_NAME="core.efi"
         ;;
     x86_64-xen)
-        GRUB_IMAGE="xen/pvboot-x86_64.elf"
+        CORE_NAME="core.elf"
+        ;;
+    arm64-efi)
+        CORE_MODULES+=( serial linux efi_gop getenv smbios efinet verify http tftp )
+        CORE_NAME="core.efi"
+        BOARD_GRUB=1
         ;;
     *)
         die_notrace "Unknown GRUB target ${FLAGS_target}"
         ;;
 esac
 
-info "Updating GRUB in ${BOARD_ROOT}"
-emerge-${BOARD} \
-        --nodeps --select --verbose --update --getbinpkg --usepkgonly --newuse \
-        sys-boot/grub \
-        sys-boot/shim \
-        sys-boot/shim-signed
-
-GRUB_SRC="${BOARD_ROOT}/usr/lib/grub/${FLAGS_target}"
+if [[ $BOARD_GRUB -eq 1 ]]; then
+    info "Updating GRUB in ${BOARD_ROOT}"
+    emerge-${BOARD} \
+           --nodeps --select --verbose --update --getbinpkg --usepkgonly --newuse \
+           sys-boot/grub
+    GRUB_SRC="${BOARD_ROOT}/usr/lib/grub/${FLAGS_target}"
+fi
 [[ -d "${GRUB_SRC}" ]] || die "GRUB not installed at ${GRUB_SRC}"
 
 # In order for grub-setup-bios to properly detect the layout of the disk
@@ -95,7 +93,6 @@ ESP_DIR=
 LOOP_DEV=
 
 cleanup() {
-    cleanup_sbsign_certs
     if [[ -d "${ESP_DIR}" ]]; then
         if mountpoint -q "${ESP_DIR}"; then
             sudo umount "${ESP_DIR}"
@@ -129,32 +126,21 @@ done
 if [[ -z ${MOUNTED} ]]; then
     failboat "${LOOP_DEV}p1 where art thou? udev has forsaken us!"
 fi
-sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}" "${ESP_DIR}/${GRUB_IMAGE%/*}"
+sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}"
 
-# Additional GRUB modules cannot be loaded with Secure Boot enabled, so only
-# copy and compress these for target that don't support it.
-case "${FLAGS_target}" in
-    x86_64-efi|arm64-efi) : ;;
-    *)
-        info "Compressing modules in ${GRUB_DIR}"
-        for file in "${GRUB_SRC}"/*{.lst,.mod}; do
-            for core_mod in "${CORE_MODULES[@]}"; do
-                [[ ${file} == ${GRUB_SRC}/${core_mod}.mod ]] && continue 2
-            done
-            out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
-            xz --stdout "${file}" | sudo_clobber "${out}"
-        done
-        ;;
-esac
+info "Compressing modules in ${GRUB_DIR}"
+for file in "${GRUB_SRC}"/*{.lst,.mod}; do
+    out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
+    gzip --best --stdout "${file}" | sudo_clobber "${out}"
+done
 
 info "Generating ${GRUB_DIR}/load.cfg"
 # Include a small initial config in the core image to search for the ESP
 # by filesystem ID in case the platform doesn't provide the boot disk.
-# $root points to memdisk here so instead use hd0,gpt1 as a hint so it is
-# searched first.
+# The existing $root value is given as a hint so it is searched first.
 ESP_FSID=$(sudo grub-probe -t fs_uuid -d "${LOOP_DEV}p1")
 sudo_clobber "${ESP_DIR}/${GRUB_DIR}/load.cfg" <<EOF
-search.fs_uuid ${ESP_FSID} root hd0,gpt1
+search.fs_uuid ${ESP_FSID} root \$root
 set prefix=(memdisk)
 set
 EOF
@@ -178,55 +164,21 @@ if [[ ! -f "${ESP_DIR}/flatcar/grub/grub.cfg.tar" ]]; then
     fi
 
     sudo tar cf "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \
-      -C "${GRUB_TEMP_DIR}" "grub.cfg"
+	 -C "${GRUB_TEMP_DIR}" "grub.cfg"
 fi
 
-info "Generating ${GRUB_IMAGE}"
+info "Generating ${GRUB_DIR}/${CORE_NAME}"
 sudo grub-mkimage \
-    --compression=xz \
+    --compression=auto \
     --format "${FLAGS_target}" \
     --directory "${GRUB_SRC}" \
     --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \
     --memdisk "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \
-    "${SBAT_ARG[@]}" \
-    --output "${ESP_DIR}/${GRUB_IMAGE}" \
+    --output "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
     "${CORE_MODULES[@]}"
 
 # Now target specific steps to make the system bootable
 case "${FLAGS_target}" in
-    x86_64-efi|arm64-efi)
-        info "Installing default ${FLAGS_target} UEFI bootloader."
-
-        if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            # Sign GRUB and mokmanager(mm) with the shim-embedded key.
-            do_sbsign --output "${ESP_DIR}/${GRUB_IMAGE}"{,}
-            do_sbsign --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
-                "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
-
-            # Unofficial build: Sign shim with our development key.
-            sudo sbsign \
-                --key "${SBSIGN_DB_KEY}" \
-                --cert "${SBSIGN_DB_CERT}" \
-                --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
-                "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
-        else
-            # Official build: Copy signed shim and mm for signing later.
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
-                "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \
-                "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
-        fi
-
-        # copying from vfat so ignore permissions
-        if [[ -n ${FLAGS_copy_efi_grub} ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/${GRUB_IMAGE}" \
-                "${FLAGS_copy_efi_grub}"
-        fi
-        if [[ -n ${FLAGS_copy_shim} ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
-                "${FLAGS_copy_shim}"
-        fi
-        ;;
     i386-pc)
         info "Installing MBR and the BIOS Boot partition."
         sudo cp "${GRUB_SRC}/boot.img" "${ESP_DIR}/${GRUB_DIR}"
@@ -237,12 +189,56 @@ case "${FLAGS_target}" in
         sudo dd bs=448 count=1 status=none if="${LOOP_DEV}" \
             of="${ESP_DIR}/${GRUB_DIR}/mbr.bin"
         ;;
+    x86_64-efi)
+        info "Installing default x86_64 UEFI bootloader."
+        sudo mkdir -p "${ESP_DIR}/EFI/boot"
+	# Use the test keys for signing unofficial builds
+	if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            sudo sbsign --key /usr/share/sb_keys/DB.key \
+		--cert /usr/share/sb_keys/DB.crt \
+                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
+                "${ESP_DIR}/EFI/boot/grub.efi"
+            sudo sbsign --key /usr/share/sb_keys/DB.key \
+                 --cert /usr/share/sb_keys/DB.crt \
+                 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                 "/usr/lib/shim/shim.efi"
+        else
+            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
+                "${ESP_DIR}/EFI/boot/grub.efi"
+            sudo cp "/usr/lib/shim/shim.efi" \
+                "${ESP_DIR}/EFI/boot/bootx64.efi"
+	fi
+        # copying from vfat so ignore permissions
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
+        if [[ -n "${FLAGS_copy_shim}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                "${FLAGS_copy_shim}"
+        fi
+        ;;
     x86_64-xen)
         info "Installing default x86_64 Xen bootloader."
-        sudo mkdir -p "${ESP_DIR}/boot/grub"
+        sudo mkdir -p "${ESP_DIR}/xen" "${ESP_DIR}/boot/grub"
+        sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
+            "${ESP_DIR}/xen/pvboot-x86_64.elf"
         sudo cp "${BUILD_LIBRARY_DIR}/menu.lst" \
             "${ESP_DIR}/boot/grub/menu.lst"
         ;;
+    arm64-efi)
+        info "Installing default arm64 UEFI bootloader."
+        sudo mkdir -p "${ESP_DIR}/EFI/boot"
+        #FIXME(andrejro): shim not ported to aarch64
+        sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
+            "${ESP_DIR}/EFI/boot/bootaa64.efi"
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            # copying from vfat so ignore permissions
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootaa64.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
+        ;;
 esac
 
 cleanup

build_library/modify_image_util.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Copyright (c) 2014 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Shell library for modifying an image built with build_image.
+
+start_modify_image() {
+    # Default to the most recent image
+    if [[ -z "${FLAGS_from}" ]] ; then
+        FLAGS_from="$(${SCRIPT_ROOT}/get_latest_image.sh --board=${FLAGS_board})"
+    else
+        FLAGS_from="$(readlink -f "${FLAGS_from}")"
+    fi
+
+    local src_image="${FLAGS_from}/${FLATCAR_PRODUCTION_IMAGE_NAME}"
+    if [[ ! -f "${src_image}" ]]; then
+        die_notrace "Source image does not exist: ${src_image}"
+    fi
+
+    # Source should include version.txt, switch to its version information
+    if [[ ! -f "${FLAGS_from}/version.txt" ]]; then
+        die_notrace "Source version info does not exist: ${FLAGS_from}/version.txt"
+    fi
+    source "${FLAGS_from}/version.txt"
+    FLATCAR_VERSION_STRING="${FLATCAR_VERSION}"
+
+    # Load after version.txt to set the correct output paths
+    . "${BUILD_LIBRARY_DIR}/toolchain_util.sh"
+    . "${BUILD_LIBRARY_DIR}/board_options.sh"
+    . "${BUILD_LIBRARY_DIR}/build_image_util.sh"
+
+    # Handle existing directory.
+    if [[ -e "${BUILD_DIR}" ]]; then
+        if [[ ${FLAGS_replace} -eq ${FLAGS_TRUE} ]]; then
+            sudo rm -rf "${BUILD_DIR}"
+        else
+            error "Directory ${BUILD_DIR} already exists."
+            error "Use --build_attempt option to specify an unused attempt."
+            error "Or use --replace if you want to overwrite this directory."
+            die "Unwilling to overwrite ${BUILD_DIR}."
+        fi
+    fi
+
+    # Create the output directory and temporary mount points.
+    DST_IMAGE="${BUILD_DIR}/${FLATCAR_PRODUCTION_IMAGE_NAME}"
+    ROOT_FS_DIR="${BUILD_DIR}/rootfs"
+    mkdir -p "${ROOT_FS_DIR}"
+
+    info "Copying from ${FLAGS_from}"
+    cp "${src_image}" "${DST_IMAGE}"
+
+    # Copy all extra useful things, these do not need to be modified.
+    local update_prefix="${FLATCAR_PRODUCTION_IMAGE_NAME%_image.bin}_update"
+    local production_prefix="${FLATCAR_PRODUCTION_IMAGE_NAME%.bin}"
+    local container_prefix="${FLATCAR_DEVELOPER_CONTAINER_NAME%.bin}"
+    local pcr_data="${FLATCAR_PRODUCTION_IMAGE_NAME%.bin}_pcr_policy.zip"
+    EXTRA_FILES=(
+        "version.txt"
+        "${update_prefix}.bin"
+        "${update_prefix}.zip"
+        "${pcr_data}"
+        "${production_prefix}_contents.txt"
+        "${production_prefix}_packages.txt"
+        "${production_prefix}_kernel_config.txt"
+        "${FLATCAR_DEVELOPER_CONTAINER_NAME}"
+        "${container_prefix}_contents.txt"
+        "${container_prefix}_packages.txt"
+        )
+    for filename in "${EXTRA_FILES[@]}"; do
+        if [[ -e "${FLAGS_from}/${filename}" ]]; then
+            cp "${FLAGS_from}/${filename}" "${BUILD_DIR}/${filename}"
+        fi
+    done
+
+    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${FLAGS_disk_layout}" \
+            mount "${DST_IMAGE}" "${ROOT_FS_DIR}"
+    trap "cleanup_mounts '${ROOT_FS_DIR}'" EXIT
+}
+
+finish_modify_image() {
+    cleanup_mounts "${ROOT_FS_DIR}"
+    trap - EXIT
+
+
+    declare -a files_to_evaluate
+    declare -a compressed_images
+    declare -a extra_files
+
+    files_to_evaluate+=( "${DST_IMAGE}" )
+    compress_disk_images files_to_evaluate compressed_images extra_files
+
+    upload_image -d "${DST_IMAGE}.DIGESTS" \
+        "${compressed_images[@]}" \
+        "${extra_files[@]}"
+
+    # Upload legacy digests
+    upload_legacy_digests "${DST_IMAGE}.DIGESTS" compressed_images
+
+    for filename in "${EXTRA_FILES[@]}"; do
+        if [[ -e "${BUILD_DIR}/${filename}" ]]; then
+            upload_image "${BUILD_DIR}/${filename}"
+        fi
+    done
+
+    set_build_symlinks "${FLAGS_group}-latest"
+
+    info "Done. Updated image is in ${BUILD_DIR}"
+    cat << EOF
+To convert it to a virtual machine image, use:
+  ./image_to_vm.sh --from=${OUTSIDE_OUTPUT_DIR} --board=${BOARD}
+
+The default type is qemu, see ./image_to_vm.sh --help for other options.
+EOF
+}

build_library/niftycloud_ovf.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+SCRIPT_ROOT=$(readlink -f $(dirname "$0")/..)
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+DEFINE_string vm_name "CoreOS" "Name for this VM"
+DEFINE_string disk_vmdk "" "Disk image to reference, only basename is used."
+DEFINE_integer memory_size 1024 "Memory size in MB"
+DEFINE_string output_ovf "" "Path to write ofv file to, required."
+
+# Parse command line
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+
+# Die on any errors.
+switch_to_strict_mode
+
+if [[ ! -e "${FLAGS_disk_vmdk}" ]]; then
+    echo "No such disk image '${FLAGS_disk_vmdk}'" >&2
+    exit 1
+fi
+
+DISK_NAME=$(basename "${FLAGS_disk_vmdk}")
+DISK_UUID=$(uuidgen)
+DISK_SIZE_BYTES=$(qemu-img info -f vmdk "${FLAGS_disk_vmdk}" \
+    | gawk 'match($0, /^virtual size:.*\(([0-9]+) bytes\)/, a) {print a[1]}')
+DISK_FILE_SIZE_BYTES=$(ls -l ${FLAGS_disk_vmdk} | awk '{print $5}')
+
+if [[ -z "${DISK_SIZE_BYTES}" ]]; then
+    echo "Unable to determine virtual size of ${FLAGS_disk_vmdk}" >&2
+    exit 1
+fi
+
+# Date format as used in ovf
+datez() {
+    date -u "+%Y-%m-%dT%H:%M:%SZ"
+}
+
+if [[ -n "${FLAGS_output_ovf}" ]]; then
+    cat >"${FLAGS_output_ovf}" <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <References>
+    <File ovf:href="${DISK_NAME}" ovf:id="file1" ovf:size="${DISK_FILE_SIZE_BYTES}"/>
+  </References>
+  <DiskSection>
+    <Info>List of the virtual disks used in the package</Info>
+    <Disk ovf:capacity="30" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" ovf:populatedSize="${DISK_SIZE_BYTES}"/>
+  </DiskSection>
+  <NetworkSection>
+    <Info>Logical networks used in the package</Info>
+    <Network ovf:name="bridged">
+      <Description>Logical network used by this appliance.</Description>
+    </Network>
+  </NetworkSection>
+  <VirtualSystem ovf:id="${FLAGS_vm_name}">
+    <Info>A virtual machine</Info>
+    <Name>${FLAGS_vm_name}</Name>
+    <OperatingSystemSection ovf:id="1" vmw:osType="*other26xLinux64Guest">
+      <Info>The kind of installed guest operating system</Info>
+    </OperatingSystemSection>
+    <VirtualHardwareSection>
+      <Info>Virtual hardware requirements for a virtual machine</Info>
+      <System>
+        <vssd:ElementName>Virtual Hardware Family</vssd:ElementName>
+        <vssd:InstanceID>0</vssd:InstanceID>
+        <vssd:VirtualSystemIdentifier>${FLAGS_vm_name}</vssd:VirtualSystemIdentifier>
+        <vssd:VirtualSystemType>vmx-08</vssd:VirtualSystemType>
+      </System>
+      <Item>
+        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
+        <rasd:Description>Number of virtual CPUs</rasd:Description>
+        <rasd:ElementName>1 virtual CPU(s)</rasd:ElementName>
+        <rasd:InstanceID>1</rasd:InstanceID>
+        <rasd:ResourceType>3</rasd:ResourceType>
+        <rasd:VirtualQuantity>1</rasd:VirtualQuantity>
+      </Item>
+      <Item>
+        <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
+        <rasd:Description>Memory Size</rasd:Description>
+        <rasd:ElementName>${FLAGS_memory_size} MB of memory</rasd:ElementName>
+        <rasd:InstanceID>2</rasd:InstanceID>
+        <rasd:ResourceType>4</rasd:ResourceType>
+        <rasd:VirtualQuantity>${FLAGS_memory_size}</rasd:VirtualQuantity>
+      </Item>
+      <Item>
+        <rasd:Address>0</rasd:Address>
+        <rasd:Description>SCSI Controller</rasd:Description>
+        <rasd:ElementName>scsiController0</rasd:ElementName>
+        <rasd:InstanceID>3</rasd:InstanceID>
+        <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
+        <rasd:ResourceType>6</rasd:ResourceType>
+      </Item>
+      <Item>
+        <rasd:AddressOnParent>0</rasd:AddressOnParent>
+        <rasd:ElementName>disk0</rasd:ElementName>
+        <rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource>
+        <rasd:InstanceID>4</rasd:InstanceID>
+        <rasd:Parent>3</rasd:Parent>
+        <rasd:ResourceType>17</rasd:ResourceType>
+      </Item>
+      <Item>
+        <rasd:AddressOnParent>2</rasd:AddressOnParent>
+        <rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
+        <rasd:Connection>bridged</rasd:Connection>
+        <rasd:Description>VmxNet3 ethernet adapter on &quot;bridged&quot;</rasd:Description>
+        <rasd:ElementName>ethernet0</rasd:ElementName>
+        <rasd:InstanceID>5</rasd:InstanceID>
+        <rasd:ResourceSubType>VmxNet3</rasd:ResourceSubType>
+        <rasd:ResourceType>10</rasd:ResourceType>
+      </Item>
+    </VirtualHardwareSection>
+  </VirtualSystem>
+</Envelope>
+EOF
+fi

build_library/oem/akamai/grub.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="akamai"

build_library/oem/ami/grub.cfg

@@ -1,17 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="ec2"
-
-# Blacklist the Xen framebuffer module so it doesn't get loaded at boot
-# Disable `ens3` style names, so eth0 is used for both ixgbevf or xen.
-set linux_append="modprobe.blacklist=xen_fbfront net.ifnames=0 nvme_core.io_timeout=4294967295"
-
-if [ "$grub_platform" = pc ]; then
-	set linux_console="console=ttyS0,115200n8"
-	serial com0 --speed=115200 --word=8 --parity=no
-	terminal_input serial_com0
-	terminal_output serial_com0
-fi
-if [ "$grub_cpu" = arm64 ]; then
-	set linux_console="console=tty1 console=ttyS0,115200n8 earlycon"
-fi

build_library/oem/azure/grub.cfg

@@ -1,15 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="azure"
-set linux_append="flatcar.autologin"
-
-# Azure only has a serial console.
-serial --unit=0 --speed=115200 --word=8 --parity=no
-terminal_input serial
-terminal_output serial
-
-if [ "$grub_cpu" = arm64 ]; then
-  set linux_console="console=tty1 console=ttyAMA0,115200n8 earlycon=pl011,0xeffec000"
-else
-  set linux_console="console=tty1 console=ttyS0,115200n8 earlyprintk=ttyS0,115200"
-fi

build_library/oem/hetzner/grub.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="hetzner"

build_library/oem/kubevirt/grub.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="kubevirt"

build_library/oem/nutanix/grub.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="nutanix"

build_library/oem/openstack/grub.cfg

@@ -1,4 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="openstack"
-set linux_append="flatcar.autologin"

build_library/oem/proxmoxve/grub.cfg

@@ -1,4 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="proxmoxve"
-set linux_append="flatcar.autologin"

build_library/oem/scaleway/grub.cfg

@@ -1,4 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="scaleway"
-set linux_console="console=ttyS0,115200n8 earlycon=ttyS0,115200"

build_library/oem/stackit/grub.cfg

@@ -1,3 +0,0 @@
-# Flatcar GRUB settings
-
-set oem_id="openstack"

build_library/oem/vagrant/build/box/Vagrantfile

@@ -1,47 +0,0 @@
-# -*- mode: ruby -*-
-# # vi: set ft=ruby :
-
-Vagrant.require_version ">= 2.2.5"
-
-require_relative 'configure_networks.rb'
-require_relative 'base_mac.rb'
-
-Vagrant.configure("2") do |config|
-  # always use Vagrants insecure key
-  config.ssh.insert_key = false
-
-  # SSH in as the default 'core' user, it has the vagrant ssh key.
-  config.ssh.username = "core"
-
-  # Disable the base shared folder, guest additions are unavailable.
-  config.vm.synced_folder ".", "/vagrant", disabled: true
-
-  config.vm.provider :virtualbox do |vb|
-    # Guest Additions are unavailable.
-    vb.check_guest_additions = false
-    vb.functional_vboxsf = false
-
-    # Fix docker not being able to resolve private registry in VirtualBox
-    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
-    vb.customize ["modifyvm", :id, "--natdnsproxy1", "on"]
-
-    if File.exist?("config.ign")
-      vb.customize ["guestproperty", "set", :id, "/Ignition/Config", File.read("config.ign")]
-    end
-  end
-
-  config.vm.provider :vmware_fusion do |vf|
-    vf.functional_hgfs = false
-  end
-
-  config.vm.provider :parallels do |prl|
-    # Guest Tools are unavailable.
-    prl.check_guest_tools = false
-    prl.functional_psf    = false
-  end
-
-  if File.exist?("user-data")
-    config.vm.provision :file, :source => "user-data", :destination => "/tmp/vagrantfile-user-data"
-    config.vm.provision :shell, :inline => "mv /tmp/vagrantfile-user-data /var/lib/flatcar-vagrant/", :privileged => true
-  end
-end

build_library/oem/vagrant/build/box/configure_networks.rb

@@ -1,20 +0,0 @@
-# -*- mode: ruby -*-
-# # vi: set ft=ruby :
-
-# NOTE: This monkey-patching is done to force cloud-init over NetworkManager.
-# Vagrant attempts to detect cloud-init, but Flatcar doesn't have an executable
-# under that name, only coreos-cloudinit.
-
-require Vagrant.source_root.join("plugins/guests/coreos/cap/configure_networks.rb")
-
-module VagrantPlugins
-  module GuestCoreOS
-    module Cap
-      class ConfigureNetworks
-        def self.configure_networks(machine, networks)
-          configure_networks_cloud_init(machine, networks)
-        end
-      end
-    end
-  end
-end

build_library/oem_aci_util.sh

@@ -0,0 +1,124 @@
+# Copyright (c) 2016 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Expects BOARD, BUILD_DIR, BUILD_LIBRARY_DIR, and FLATCAR_VERSION in env.
+
+# There must be a manifest template included with the ebuild at
+# files/manifest.in, which will have some variable values substituted before
+# being written into place for the ACI.  Optionally, a shell script can also be
+# included at files/manglefs.sh to be run after all packages are installed.  It
+# is intended to be used to make modifications to the file system layout and
+# program paths that some included agent software might expect.
+
+# Copied from create_prod_image()
+create_oem_aci_image() {
+    local image_name="$1"
+    local disk_layout="$2"
+    local update_group="$3"
+    local base_pkg="${4?No base package was specified}"
+
+    info "Building OEM ACI staging image ${image_name}"
+    local root_fs_dir="${BUILD_DIR}/rootfs"
+    local image_contents="${image_name%.bin}_contents.txt"
+    local image_packages="${image_name%.bin}_packages.txt"
+    local image_licenses="${image_name%.bin}_licenses.json"
+
+    start_image \
+        "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
+
+    # Install minimal GCC (libs only) and then everything else
+    set_image_profile oem-aci
+    extract_prod_gcc "${root_fs_dir}"
+    emerge_to_image "${root_fs_dir}" "${base_pkg}"
+    run_ldconfig "${root_fs_dir}"
+    write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}"
+    write_licenses "${root_fs_dir}" "${BUILD_DIR}/${image_licenses}"
+    insert_licenses "${BUILD_DIR}/${image_licenses}" "${root_fs_dir}"
+
+    # clean-ups of things we do not need
+    sudo rm ${root_fs_dir}/etc/csh.env
+    sudo rm -rf ${root_fs_dir}/etc/env.d
+    sudo rm -rf ${root_fs_dir}/var/db/pkg
+
+    sudo mv ${root_fs_dir}/etc/profile.env \
+        ${root_fs_dir}/usr/share/baselayout/profile.env
+
+    # Move the ld.so configs into /usr so they can be symlinked from /
+    sudo mv ${root_fs_dir}/etc/ld.so.conf ${root_fs_dir}/usr/lib
+    sudo mv ${root_fs_dir}/etc/ld.so.conf.d ${root_fs_dir}/usr/lib
+
+    sudo ln --symbolic ../usr/lib/ld.so.conf ${root_fs_dir}/etc/ld.so.conf
+
+    # Add a tmpfiles rule that symlink ld.so.conf from /usr into /
+    sudo tee "${root_fs_dir}/usr/lib/tmpfiles.d/baselayout-ldso.conf" \
+        > /dev/null <<EOF
+L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
+EOF
+
+    # Move the PAM configuration into /usr
+    sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
+    sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
+    sudo rmdir ${root_fs_dir}/etc/pam.d
+
+    # Take the non-kernel-related bits from finish_image().
+    rm -rf "${BUILD_DIR}"/configroot
+    cleanup_mounts "${root_fs_dir}"
+    trap - EXIT
+}
+
+oem_aci_write_manifest() {
+    local manifest_template="${1?No input path was specified}"
+    local manifest="${2?No output path was specified}"
+    local name="${3?No ACI name was specified}"
+    local appc_arch=
+
+    case "${BOARD}" in
+        amd64-usr) appc_arch=amd64 ;;
+        arm64-usr) appc_arch=aarch64 ;;
+        *) die_notrace "Cannot map \"${BOARD}\" to an appc arch" ;;
+    esac
+
+    sudo cp "${manifest_template}" "${manifest}"
+    sudo sed "${manifest}" -i \
+        -e "s,@ACI_NAME@,${name}," \
+        -e "s,@ACI_VERSION@,${FLATCAR_VERSION}," \
+        -e "s,@ACI_ARCH@,${appc_arch},"
+}
+
+oem_aci_create() {
+    local aciroot="${BUILD_DIR}"
+    local oem="${1?No OEM was specified}"
+    local base_pkg="coreos-base/coreos-oem-${oem}"
+    local ebuild=$(equery-"${BOARD}" w "${base_pkg}" 2>/dev/null)
+    local staging_image="coreos_oem_${oem}_aci_stage.bin"
+
+    [ -n "${ebuild}" ] || die_notrace "No ebuild exists for OEM \"${oem}\""
+    grep -Fqs '(meta package)' "${ebuild}" ||
+        die_notrace "The \"${base_pkg}\" ebuild is not a meta package"
+
+    # Build a staging image for this OEM.
+    create_oem_aci_image "${staging_image}" container stable "${base_pkg}"
+
+    # Remount the staging image to brutalize the rootfs for broken services.
+    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=container \
+        mount "${BUILD_DIR}/${staging_image}" "${aciroot}/rootfs"
+    trap "cleanup_mounts '${aciroot}/rootfs' && delete_prompt" EXIT
+    [ -r "${ebuild%/*}/files/manglefs.sh" ] &&
+        sudo sh -c "cd '${aciroot}/rootfs' && . '${ebuild%/*}/files/manglefs.sh'"
+
+    # Substitute variables into the OEM manifest to produce the final version.
+    oem_aci_write_manifest \
+        "${ebuild%/*}/files/manifest.in" \
+        "${aciroot}/manifest" \
+        "coreos.com/oem-${oem}"
+
+    # Write a tar ACI file containing the manifest and mounted rootfs contents.
+    sudo tar -C "${aciroot}" -czf "${BUILD_DIR}/flatcar-oem-${oem}.aci" \
+        manifest rootfs
+
+    # Unmount the staging image, and delete it to save space.
+    cleanup_mounts "${aciroot}/rootfs"
+    trap - EXIT
+    rm -f "${BUILD_DIR}/${staging_image}"
+}

build_library/oem_sysexts.sh

@@ -1,71 +0,0 @@
-#!/bin/bash
-# OEM sysext helpers.
-
-# Auto-detect scripts repo root from this file's location.
-# oem_sysexts.sh is at: <scripts_repo>/build_library/oem_sysexts.sh
-_OEM_SYSEXTS_SCRIPTS_ROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
-
-get_oem_overlay_root() {
-  local overlay_root="/mnt/host/source/src/third_party/coreos-overlay"
-
-  if [[ ! -d "${overlay_root}" ]]; then
-    overlay_root="${_OEM_SYSEXTS_SCRIPTS_ROOT}/sdk_container/src/third_party/coreos-overlay"
-  fi
-
-  if [[ ! -d "${overlay_root}" ]]; then
-    echo "No coreos-overlay repo found (tried SDK and ${_OEM_SYSEXTS_SCRIPTS_ROOT})" >&2
-    exit 1
-  fi
-
-  printf '%s' "${overlay_root}"
-}
-
-# Gets a list of OEMs that are using sysexts.
-#
-# 1 - arch
-# 2 - name of an array variable to store the result in
-get_oem_id_list() {
-  local arch=${1}; shift
-  local -n list_var_ref=${1}; shift
-
-  local overlay_root dir ebuild regex
-  overlay_root=$(get_oem_overlay_root)
-
-  for dir in "${overlay_root}"/coreos-base/oem-*; do
-    for ebuild in "${dir}"/*.ebuild; do
-      if [[ ! -e ${ebuild} ]]; then
-        echo "No coreos-base/oem-* ebuilds?!" >&2
-        exit 1
-      fi
-
-      # Check the KEYWORDS by sourcing the ebuild. We can't rely on Portage
-      # because this needs to work outside the SDK. OEM ebuilds are relatively
-      # boring, so this should be sufficient. This doesn't check whether the
-      # KEYWORDS are stable, but that shouldn't matter.
-      regex="\b${arch}\b"
-      if ( set +eu; . "${ebuild}" &>/dev/null; [[ ${KEYWORDS} =~ ${regex} ]] ); then
-        list_var_ref+=( "${dir##*/oem-}" )
-        break
-      fi
-    done
-  done
-}
-
-# Gets a list of OEM sysext descriptors.
-#
-# 1 - arch
-# 2 - name of an array variable to store the result in
-#
-# Format: "name|metapackage|useflags"
-get_oem_sysext_matrix() {
-  local arch=${1}; shift
-  declare -n list_var_ref=${1}; shift
-
-  local -a oem_ids
-  get_oem_id_list "${arch}" oem_ids
-
-  local oem_id
-  for oem_id in "${oem_ids[@]}"; do
-    list_var_ref+=( "oem-${oem_id}|coreos-base/oem-${oem_id}|" )
-  done
-}

build_library/prefix_util.sh

@@ -1,219 +0,0 @@
-# Copyright (c) 2023 The Flatcar Maintainers. All rights reserved.
-# Use of this source code is governed by the Apache 2.0 license.
-
-DEFAULT_STAGING_ROOT="/build/"
-
-function lineprepend() {
-  awk -v msg="$*" '{ print msg ": " $0}'
-}
-# --
-
-function set_prefix_vars() {
-  local name="${1}"
-  local prefix="${2}"
-
-  EPREFIX="${prefix}"
-  PREFIXNAME="${name}"
-  STAGINGDIR="${FLAGS_staging_dir}"
-  STAGINGROOT="${STAGINGDIR}/root"
-  FINALDIR="${FLAGS_final_dir}"
-  FINALROOT="${FINALDIR}/root"
-
-  CB_ROOT="${FLAGS_cross_boss_root}"
-
-  # the prefix profile enables unstable via MAKE_DEFAULTS; we don't want those.
-  PREFIX_BOARD="${FLAGS_board}"
-  case "${PREFIX_BOARD}" in
-    amd64-usr)
-      PREFIX_CHOST="x86_64-cros-linux-gnu"
-      PREFIX_KEYWORDS="amd64 -~amd64"
-      ;;
-    arm64-usr)
-      PREFIX_CHOST="aarch64-cros-linux-gnu"
-      PREFIX_KEYWORDS="arm64 -~arm64"
-      ;;
-  esac
-
-  export EPREFIX PREFIXNAME STAGINGDIR STAGINGROOT FINALDIR FINALROOT CB_ROOT \
-          PREFIX_CHOST PREFIX_KEYWORDS PREFIX_BOARD
-}
-# --
-
-function install_prereqs() {
-  # Make sure cross-boss prerequisites are installed in the SDK
-  local prefix_repo="${1}"
-
-  sudo emerge --newuse sys-apps/bubblewrap
-  sudo emerge --newuse -1 ">=dev-python/gpep517-15"
-
-  # HACK ALERT: needed for cb-bootstrap to build the initial toolchain in staging.
-  #             cb-bootstrap should be ported to use the prefix repos.conf instead.
-  sudo cp -r "${prefix_repo}/skel/etc/portage/repos.conf" /usr/x86_64-cros-linux-gnu/etc/portage/
-  sudo cp -r "${prefix_repo}/skel/etc/portage/repos.conf" /usr/aarch64-cros-linux-gnu/etc/portage/
-}
-# --
-
-function setup_prefix_dirs() {
-  local prefix_repo="${1}"
-  sudo mkdir -v -p \
-          "${STAGINGDIR}/logs" \
-          "${STAGINGDIR}/pkgs" \
-          "${STAGINGDIR}/tmp" \
-          "${STAGINGROOT}${EPREFIX}/etc" \
-          "${FINALDIR}/logs" \
-          "${FINALDIR}/tmp" \
-          "${FINALROOT}${EPREFIX}/etc"
-
-  sudo cp -vR "${prefix_repo}/skel/etc/portage" "${STAGINGROOT}${EPREFIX}/etc/"
-  sudo cp -vR "${prefix_repo}/skel/etc/portage" "${FINALROOT}${EPREFIX}/etc/"
-
-  local profile="/mnt/host/source/src/third_party/portage-stable/profiles/default/linux"
-  case "${PREFIX_BOARD}" in
-    amd64-usr) profile="${profile}/amd64/17.1/no-multilib/prefix/kernel-3.2+";;
-    arm64-usr) profile="${profile}/arm64/17.0/prefix/kernel-3.2+";;
-  esac
-
-  sudo ln -s "${profile}" "${STAGINGROOT}${EPREFIX}/etc/portage/make.profile"
-  sudo ln -s "${profile}" "${FINALROOT}${EPREFIX}/etc/portage/make.profile"
-}
-# --
-
-function extract_gcc_libs() {
-  # GCC libs aren't available in a separate package but a full GCC install would make final too big
-  # TODO: the below is effectively a copy of build_library/prod_image_util.sh::extract_prod_gcc()
-  #       and should eventually be reconciled.
-  gcc_ver="$(sudo -E PORTAGE_CONFIGROOT="${STAGINGROOT}${EPREFIX}" \
-                     portageq best_visible "${STAGINGROOT}${EPREFIX}" installed sys-devel/gcc)"
-  pkgdir="$(sudo -E PORTAGE_CONFIGROOT="${STAGINGROOT}${EPREFIX}" portageq pkgdir)"
-  qtbz2 -O -t "$pkgdir/$gcc_ver".tbz2 \
-          | sudo tar -v -C "${FINALROOT}" -xj \
-                     --transform "s#.${EPREFIX}/usr/lib/.*/#.${EPREFIX}/usr/lib64/#" \
-                     --wildcards ".${EPREFIX}/usr/lib/gcc/*.so*"
-}
-# --
-
-function create_make_conf() {
-  local which="${1}" \
-        filepath \
-        dir \
-        portage_profile \
-        emerge_opts
-
-  case "${which}" in
-    staging)
-      filepath="${STAGINGROOT}${EPREFIX}/etc/portage/make.conf"
-      dir="${STAGINGDIR}"
-      emerge_opts="--buildpkg"
-      ;;
-    final)
-      filepath="${FINALROOT}${EPREFIX}/etc/portage/make.conf"
-      dir="${FINALDIR}"
-      emerge_opts="--usepkgonly"
-      ;;
-  esac
-
-sudo_clobber "${filepath}" <<EOF
-DISTDIR="/mnt/host/source/.cache/distfiles"
-PKGDIR=${STAGINGDIR@Q}/pkgs
-PORT_LOGDIR=${dir@Q}/logs
-PORTAGE_TMPDIR=${dir@Q}/tmp
-PORTAGE_BINHOST=""
-PORTAGE_USERNAME="sdk"
-MAKEOPTS="--jobs=4"
-CHOST=${PREFIX_CHOST@Q}
-
-ACCEPT_KEYWORDS=${PREFIX_KEYWORDS@Q}
-
-EMERGE_DEFAULT_OPTS=${emerge_opts@Q}
-
-USE="
--desktop
--installkernel
--llvm
--nls
--openmp
--udev
--wayland
--X
-"
-EOF
-}
-# --
-
-function emerge_name() {
-  local path=""
-  if [ "${1:-}" = "with-path" ] ; then
-    path="/usr/local/bin/"
-  fi
-
-  echo "${path}emerge-prefix-${PREFIXNAME}-${PREFIX_BOARD}"
-}
-# --
-
-function create_emerge_wrapper() {
-  local filename="$(emerge_name with-path)"
-  sudo_clobber "${filename}" <<EOF
-#!/bin/bash
-
-# emerge comfort wrapper for emerging prefix packages.
-# The wrapper will build packages and dependencies in staging
-#   and then install binpkgs in prefix.
-
-set -euo pipefail
-
-PREFIXNAME=${PREFIXNAME@Q}
-EPREFIX=${EPREFIX@Q}
-STAGINGROOT=${STAGINGROOT@Q}
-FINALROOT=${FINALROOT@Q}
-CB_ROOT=${CB_ROOT@Q}
-
-EOF
-
-  sudo_append "${filename}" <<'EOF'
-if [ "${1}" = "--help" ] ; then
-    echo "$0 : emerge prefix wrapper for prefix '${PREFIXNAME}'"
-    echo "Usage:"
-    echo "  $0 [--install|--stage] <emerge-opts>"
-    echo "                          Builds packages in prefix' staging and installs w/ runtime dependencies"
-    echo "                           to prefix' final root."
-    echo "             --stage      Build binpkg in staging but don't install."
-    echo "             --install    Skip build, just install. Binpkg must exist in staging."
-    echo
-    echo "      Prefix configuration:"
-    echo "        PREFIXNAME=${PREFIXNAME@Q}"
-    echo "        EPREFIX=${EPREFIX@Q}"
-    echo "        STAGINGROOT=${STAGINGROOT@Q}"
-    echo "        FINALROOT=${FINALROOT@Q}"
-    echo "        CB_ROOT=${CB_ROOT@Q}"
-    exit
-fi
-
-skip_build="false"
-skip_install="false"
-
-case "${1}" in
-    --install) skip_build="true"; shift;;
-    --stage) skip_install="true"; shift;;
-esac
-
-if [ "${skip_build}" = "true" ]  ; then
-    echo "Skipping build into staging as requested."
-    echo "NOTE that install into final will fail if binpkgs are missing."
-else
-    echo "Building in staging..."
-    sudo -E EPREFIX="${EPREFIX}" "${CB_ROOT}/bin/cb-emerge" "${STAGINGROOT}" "$@"
-fi
-
-if [ "${skip_install}" = "true" ]  ; then
-    echo "Skipping install into final as requested."
-else
-    echo "Installing..."
-    sudo -E EPREFIX="${EPREFIX}" \
-            ROOT="${FINALROOT}" \
-            PORTAGE_CONFIGROOT="${FINALROOT}${EPREFIX}" emerge "$@"
-fi
-EOF
-
-  sudo chmod 755 "${filename}"
-}
-# --

build_library/prod_image_util.sh

@@ -3,8 +3,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-source "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
-
 # Lookup the current version of a binary package, downloading it if needed.
 # Usage: get_binary_pkg some-pkg/name
 # Prints: some-pkg/name-1.2.3
@@ -46,8 +44,7 @@ extract_prod_gcc() {
     #  /usr/lib/gcc/x86_64-cros-linux-gnu/$version/*
     # Instead we extract them to plain old /usr/lib
     qtbz2 -O -t "${pkg}" | \
-        lbzcat -d -c - | \
-        sudo tar -C "${root_fs_dir}" -x \
+        sudo tar -C "${root_fs_dir}" -xj \
         --transform 's#/usr/lib/.*/#/usr/lib64/#' \
         --wildcards './usr/lib/gcc/*.so*' \
         --wildcards './usr/share/SLSA'
@@ -65,13 +62,8 @@ create_prod_image() {
     exit 1
   fi
 
-  local base_sysexts="$5"
-
   info "Building production image ${image_name}"
-  # The "prod-image-rootfs" directory name is important - it is used
-  # to determine the package target in coreos/base/profile.bashrc
-  local root_fs_dir="${BUILD_DIR}/prod-image-rootfs"
-  local root_fs_sysexts_output_dir="${BUILD_DIR}/rootfs-included-sysexts"
+  local root_fs_dir="${BUILD_DIR}/rootfs"
   local image_contents="${image_name%.bin}_contents.txt"
   local image_contents_wtd="${image_name%.bin}_contents_wtd.txt"
   local image_packages="${image_name%.bin}_packages.txt"
@@ -85,9 +77,6 @@ create_prod_image() {
   local image_initrd_contents="${image_name%.bin}_initrd_contents.txt"
   local image_initrd_contents_wtd="${image_name%.bin}_initrd_contents_wtd.txt"
   local image_disk_usage="${image_name%.bin}_disk_usage.txt"
-  local image_realinitrd_contents="${image_name%.bin}_realinitrd_contents.txt"
-  local image_realinitrd_contents_wtd="${image_name%.bin}_realinitrd_contents_wtd.txt"
-  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
 
   start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
 
@@ -97,31 +86,9 @@ create_prod_image() {
   emerge_to_image "${root_fs_dir}" "${base_pkg}"
   run_ldconfig "${root_fs_dir}"
   run_localedef "${root_fs_dir}"
-
-  local root_with_everything="${root_fs_dir}"
-
-  # Call helper script for adding sysexts to the base OS.
-  # Helper will generate a rootfs dir with all packages (base OS and sysexts) included.
-  local root_sysext_mergedir="${BUILD_DIR}/rootfs-with-sysext-pkgs"
-  if [[ -n "${base_sysexts}" ]] ; then
-    "${BUILD_LIBRARY_DIR}/sysext_prod_builder" \
-        "${BOARD}" "${BUILD_DIR}" "${root_fs_dir}" \
-        "${root_sysext_mergedir}" \
-        "${root_fs_sysexts_output_dir}" \
-        "${base_sysexts}"
-    root_with_everything="${root_sysext_mergedir}"
-  fi
-
-
-  write_sbom "${root_with_everything}" "${BUILD_DIR}/${image_sbom}"
-  write_licenses "${root_with_everything}" "${BUILD_DIR}/${image_licenses}"
-
-  if [[ -n "${base_sysexts}" ]] ; then
-    sudo rm -rf "${root_sysext_mergedir}"
-  fi
-
   write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}"
-
+  write_sbom "${root_fs_dir}" "${BUILD_DIR}/${image_sbom}"
+  write_licenses "${root_fs_dir}" "${BUILD_DIR}/${image_licenses}"
   insert_licenses "${BUILD_DIR}/${image_licenses}" "${root_fs_dir}"
   insert_extra_slsa "${root_fs_dir}"
 
@@ -133,11 +100,6 @@ create_prod_image() {
           || die_notrace "coreos-au-key is missing the 'official' use flag"
   fi
 
-  sudo cp -a "${root_fs_dir}" "${BUILD_DIR}/root_fs_dir2"
-  sudo rsync -a --delete  "${BUILD_DIR}/configroot/etc/portage" "${BUILD_DIR}/root_fs_dir2/etc"
-  sudo mksquashfs "${BUILD_DIR}/root_fs_dir2"  "${BUILD_DIR}/${image_sysext_base}" -noappend -xattrs-exclude '^btrfs.'
-  sudo rm -rf "${BUILD_DIR}/root_fs_dir2"
-
   # clean-ups of things we do not need
   sudo rm ${root_fs_dir}/etc/csh.env
   sudo rm -rf ${root_fs_dir}/etc/env.d
@@ -160,25 +122,14 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
 
-  local -a bad_pam_files
-  mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
-  if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
-    error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
-    error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
-    error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
-    die "PAM config errors spotted"
-  fi
+  # Move the PAM configuration into /usr
+  sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
+  sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
+  sudo rmdir ${root_fs_dir}/etc/pam.d
 
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/
 
-  # Inject ephemeral sysext signing certificate
-  sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
-  sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
-
-  # Finish image will move files from /etc to /usr/share/flatcar/etc.
-  # Note that image filesystem contents generated by finish_image will not
-  # include sysext contents (only the sysext squashfs files themselves).
   finish_image \
       "${image_name}" \
       "${disk_layout}" \
@@ -192,21 +143,39 @@ EOF
       "${image_kconfig}" \
       "${image_initrd_contents}" \
       "${image_initrd_contents_wtd}" \
-      "${image_disk_usage}" \
-      "${image_realinitrd_contents}" \
-      "${image_realinitrd_contents_wtd}"
+      "${image_disk_usage}"
 
-  # Official builds will sign and upload these files later, so remove them to
-  # prevent them from being uploaded now.
-  if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
-    rm -v \
-        "${BUILD_DIR}/${image_kernel}" \
-        "${BUILD_DIR}/${image_pcr_policy}" \
-        "${BUILD_DIR}/${image_grub}"
-  fi
+  # Upload
+  local to_upload=(
+    "${BUILD_DIR}/${image_contents}"
+    "${BUILD_DIR}/${image_contents_wtd}"
+    "${BUILD_DIR}/${image_packages}"
+    "${BUILD_DIR}/${image_sbom}"
+    "${BUILD_DIR}/${image_licenses}"
+    "${BUILD_DIR}/${image_kernel}"
+    "${BUILD_DIR}/${image_pcr_policy}"
+    "${BUILD_DIR}/${image_grub}"
+    "${BUILD_DIR}/${image_kconfig}"
+    "${BUILD_DIR}/${image_initrd_contents}"
+    "${BUILD_DIR}/${image_initrd_contents_wtd}"
+    "${BUILD_DIR}/${image_disk_usage}"
+  )
 
   local files_to_evaluate=( "${BUILD_DIR}/${image_name}" )
-  compress_disk_images files_to_evaluate
+  declare -a compressed_images
+  declare -a extra_files
+  compress_disk_images files_to_evaluate compressed_images extra_files
+  to_upload+=( "${compressed_images[@]}" )
+  to_upload+=( "${extra_files[@]}" )
+
+  # FIXME(bgilbert): no shim on arm64
+  if [[ -f "${BUILD_DIR}/${image_shim}" ]]; then
+    to_upload+=("${BUILD_DIR}/${image_shim}")
+  fi
+  upload_image -d "${BUILD_DIR}/${image_name}.DIGESTS" "${to_upload[@]}"
+
+  # Upload legacy digests
+  upload_legacy_digests "${BUILD_DIR}/${image_name}.DIGESTS" compressed_images
 }
 
 create_prod_tar() {
@@ -223,136 +192,5 @@ create_prod_tar() {
   sudo umount "/mnt/${lodevbase}p9"
   sudo rmdir "/mnt/${lodevbase}p9"
   sudo losetup --detach "${lodev}"
-}
-
-create_prod_sysexts() {
-  local image_name="$1"
-  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
-  for sysext in "${EXTRA_SYSEXTS[@]}"; do
-    local name pkgs useflags arches
-    IFS="|" read -r name pkgs useflags arches <<< "$sysext"
-    name="flatcar-$name"
-    local pkg_array=(${pkgs//,/ })
-    local arch_array=(${arches//,/ })
-    local useflags_array=(${useflags//,/ })
-
-    local mangle_script="${BUILD_LIBRARY_DIR}/sysext_mangle_${name}"
-    if [[ ! -x "${mangle_script}" ]]; then
-      mangle_script=
-    fi
-
-    if [[ -n "$arches" ]]; then
-      should_skip=1
-      for arch in "${arch_array[@]}"; do
-        if [[ $arch == "$ARCH" ]]; then
-          should_skip=0
-        fi
-      done
-      if [[ $should_skip -eq 1 ]]; then
-        continue
-      fi
-    fi
-
-    sudo rm -f "${BUILD_DIR}/${name}.raw" \
-	"${BUILD_DIR}/flatcar-test-update-${name}.gz" \
-	"${BUILD_DIR}/${name}_*"
-    # we use -E to pass the USE flags, but also MODULES_SIGN variables
-    #
-    # The --install_root_basename="${name}-extra-sysext-rootfs" flag
-    # is important - it sets the name of a rootfs directory, which is
-    # used to determine the package target in
-    # coreos/base/profile.bashrc
-    USE="${useflags_array[*]}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
-        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
-        --image_builddir="${BUILD_DIR}" \
-        --install_root_basename="${name}-extra-sysext-rootfs" \
-        ${mangle_script:+--manglefs_script=${mangle_script}} \
-        "${name}" "${pkg_array[@]}"
-    delta_generator \
-      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
-      -new_image "${BUILD_DIR}/${name}.raw" \
-      -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz"
-  done
-}
-
-create_oem_sysexts() {
-  local image_name=${1}; shift
-  local requested_oem_sysexts_csv=${1}; shift
-  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
-  local overlay_path
-  overlay_path=$(portageq get_repo_path / coreos-overlay)
-
-  local -a oem_sysexts
-  get_oem_sysext_matrix "${ARCH}" oem_sysexts
-  if [[ ${requested_oem_sysexts_csv} != 'everything!' ]]; then
-      local -a all_oems requested_oems invalid_oems
-      all_oems=( "${oem_sysexts[@]}" )
-      all_oems=( "${all_oems[@]%%|*}" )
-      all_oems=( "${all_oems[@]#oem-}" )
-      mapfile -t requested_oems <<<"${requested_oem_sysexts_csv//,/$'\n'}"
-      mapfile -t invalid_oems < <(comm -23 <(printf '%s\n' "${requested_oems[@]}" | sort -u) <(printf '%s\n' "${all_oems[@]}" | sort -u))
-      if [[ ${#invalid_oems[@]} -gt 0 ]]; then
-          die "Requested OEMs to build sysexts for are invalid: ${invalid_oems[*]}, valid OEMs are ${all_oems[*]}"
-      fi
-      mapfile -t oem_sysexts < <(printf '%s\n' "${oem_sysexts[@]}" | grep '^oem-\('"${requested_oem_sysexts_csv//,/'\|'}"'\)|')
-  fi
-
-  local sysext name metapkg useflags
-  for sysext in "${oem_sysexts[@]}"; do
-    IFS="|" read -r name metapkg useflags <<< "${sysext}"
-
-    # Check for manglefs script in the package's files directory
-    local mangle_script="${overlay_path}/${metapkg}/files/manglefs.sh"
-    if [[ ! -x "${mangle_script}" ]]; then
-      mangle_script=
-    fi
-
-    sudo rm -f "${BUILD_DIR}/${name}.raw" \
-        "${BUILD_DIR}/flatcar_test_update-${name}.gz" \
-        "${BUILD_DIR}/${name}_"*
-
-    info "Building OEM sysext ${name} with USE=${useflags}"
-    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
-    # important - it sets the name of a rootfs directory, which is
-    # used to determine the package target in
-    # coreos/base/profile.bashrc
-    #
-    # OEM sysexts use no compression here since they will be stored
-    # in a compressed OEM partition.
-    USE="${useflags}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
-        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
-        --image_builddir="${BUILD_DIR}" \
-        --metapkgs="${metapkg}" \
-        --install_root_basename="${name}-oem-sysext-rootfs" \
-        --compression=none \
-        ${mangle_script:+--manglefs_script="${mangle_script}"} \
-        "${name}"
-    delta_generator \
-      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
-      -new_image "${BUILD_DIR}/${name}.raw" \
-      -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz"
-  done
-}
-
-sbsign_prod_image() {
-  local image_name="$1"
-  local disk_layout="$2"
-
-  info "Signing production image ${image_name} for Secure Boot"
-  local root_fs_dir="${BUILD_DIR}/rootfs"
-  local image_prefix="${image_name%.bin}"
-  local image_kernel="${image_prefix}.vmlinuz"
-  local image_pcr_policy="${image_prefix}_pcr_policy.zip"
-  local image_grub="${image_prefix}.grub"
-
-  sbsign_image \
-      "${image_name}" \
-      "${disk_layout}" \
-      "${root_fs_dir}" \
-      "${image_kernel}" \
-      "${image_pcr_policy}" \
-      "${image_grub}"
-
-  local files_to_evaluate=( "${BUILD_DIR}/${image_name}" )
-  compress_disk_images files_to_evaluate
+  upload_image "${container}"
 }

build_library/qemu_template.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 SCRIPT_DIR="$(dirname "$0")"
 VM_BOARD=
@@ -17,11 +17,7 @@ SSH_KEYS=""
 CLOUD_CONFIG_FILE=""
 IGNITION_CONFIG_FILE=""
 CONFIG_IMAGE=""
-SWTPM_DIR=
 SAFE_ARGS=0
-FORWARDED_PORTS=""
-PRIMARY_DISK_OPTS=""
-DISKS=()
 USAGE="Usage: $0 [-a authorized_keys] [--] [qemu options...]
 Options:
     -i FILE     File containing an Ignition config
@@ -29,25 +25,7 @@ Options:
     -u FILE     Cloudinit user-data as either a cloud config or script.
     -c FILE     Config drive as an iso or fat filesystem image.
     -a FILE     SSH public keys for login access. [~/.ssh/id_{dsa,rsa}.pub]
-    -d DISK     Setup additional disk. Can be used multiple times to
-                setup multiple disks. The value is a path to an image
-                file, optionally followed by a comma and options to
-                pass to virtio-blk-pci device. For example -d
-                /tmp/qcow2-disk,serial=secondary.
-    -D OPTS     Additional virtio-blk-pci options for primary
-                disk. For example serial=primary-disk.
     -p PORT     The port on localhost to map to the VM's sshd. [2222]
-    -I FILE     Set a custom image file.
-    -f PORT     Forward host_port:guest_port.
-    -M MB       Set VM memory in MBs.
-    -T DIR      Add a software TPM2 device through swtpm which stores secrets
-                and the control socket to the given directory. This may need
-                some configuration first with 'swtpm_setup --tpmstate DIR ...'
-                (see https://github.com/stefanberger/swtpm/wiki/Certificates-created-by-swtpm_setup).
-    -R FILE     Set up pflash ro content, e.g., for UEFI (with -W).
-    -W FILE     Set up pflash rw content, e.g., for UEFI (with -R).
-    -K FILE     Set kernel for direct boot used to simulate a PXE boot (with -r).
-    -r FILE     Set initrd for direct boot used to simulate a PXE boot (with -K).
     -s          Safe settings: single simple cpu and no KVM.
     -h          this ;-)
 
@@ -64,8 +42,8 @@ used as an explicit separator. See the qemu(1) man page for more details.
 "
 
 die(){
-    echo "${1}"
-    exit 1
+	echo "${1}"
+	exit 1
 }
 
 check_conflict() {
@@ -92,42 +70,12 @@ while [ $# -ge 1 ]; do
             check_conflict
             SSH_KEYS="$2"
             shift 2 ;;
-        -d|-disk)
-            DISKS+=( "$2" )
-            shift 2 ;;
-        -D|-image-disk-opts)
-            PRIMARY_DISK_OPTS="$2"
-            shift 2 ;;
         -p|-ssh-port)
             SSH_PORT="$2"
             shift 2 ;;
-        -f|-forward-port)
-            FORWARDED_PORTS="${FORWARDED_PORTS} $2"
-            shift 2 ;;
         -s|-safe)
             SAFE_ARGS=1
             shift ;;
-        -I|-image-file)
-            VM_IMAGE="$2"
-            shift 2 ;;
-        -M|-memory)
-            VM_MEMORY="$2"
-            shift 2 ;;
-        -T|-tpm)
-            SWTPM_DIR="$2"
-            shift 2 ;;
-        -R|-pflash-ro)
-            VM_PFLASH_RO="$2"
-            shift 2 ;;
-        -W|-pflash-rw)
-            VM_PFLASH_RW="$2"
-            shift 2 ;;
-        -K|-kernel-file)
-            VM_KERNEL="$2"
-            shift 2 ;;
-        -r|-initrd-file)
-            VM_INITRD="$2"
-            shift 2 ;;
         -v|-verbose)
             set -x
             shift ;;
@@ -161,29 +109,6 @@ write_ssh_keys() {
     sed -e 's/^/ - /'
 }
 
-if [ -n "${SWTPM_DIR}" ]; then
-    mkdir -p "${SWTPM_DIR}"
-    if ! command -v swtpm >/dev/null; then
-        echo "$0: swtpm command not found!" >&2
-        exit 1
-    fi
-    case "${VM_BOARD}" in
-        amd64-usr)
-            TPM_DEV=tpm-tis ;;
-        arm64-usr)
-            TPM_DEV=tpm-tis-device ;;
-        *) die "Unsupported arch" ;;
-    esac
-    SWTPM_SOCK="${SWTPM_DIR}/socket"
-    swtpm socket --tpmstate "dir=${SWTPM_DIR}" --ctrl "type=unixio,path=${SWTPM_SOCK},terminate" --tpm2 &
-    SWTPM_PROC=$!
-    PARENT=$$
-    # The swtpm process exits if qemu disconnects but if we never started qemu because
-    # this script fails or qemu failed to start, we need to kill the process.
-    # The EXIT trap is already in use by the config drive cleanup and anyway doesn't work with kill -9.
-    (while [ -e "/proc/${PARENT}" ]; do sleep 1; done; kill "${SWTPM_PROC}" 2>/dev/null; exit 0) &
-    set -- -chardev "socket,id=chrtpm,path=${SWTPM_SOCK}" -tpmdev emulator,id=tpm0,chardev=chrtpm -device "${TPM_DEV}",tpmdev=tpm0 "$@"
-fi
 
 if [ -z "${CONFIG_IMAGE}" ]; then
     CONFIG_DRIVE=$(mktemp -d)
@@ -223,15 +148,6 @@ if [ -z "${CONFIG_IMAGE}" ]; then
     fi
 fi
 
-# Process port forwards
-QEMU_FORWARDED_PORTS=""
-for port in ${FORWARDED_PORTS}; do
-    host_port=${port%:*}
-    guest_port=${port#*:}
-    QEMU_FORWARDED_PORTS="${QEMU_FORWARDED_PORTS},hostfwd=tcp::${host_port}-:${guest_port}"
-done
-QEMU_FORWARDED_PORTS="${QEMU_FORWARDED_PORTS#,}"
-
 # Start assembling our default command line arguments
 if [ "${SAFE_ARGS}" -eq 1 ]; then
     # Disable KVM, for testing things like UEFI which don't like it
@@ -239,16 +155,12 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then
 else
     case "${VM_BOARD}+$(uname -m)" in
         amd64-usr+x86_64)
-            set -- -global ICH9-LPC.disable_s3=1 \
-                   -global driver=cfi.pflash01,property=secure,value=on \
-                   "$@"
             # Emulate the host CPU closely in both features and cores.
-            set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@"
-            ;;
+            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
         amd64-usr+*)
-            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
-        arm64-usr+aarch64|arm64-usr+arm64)
-            set -- -machine virt,accel=kvm:hvf:tcg,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
+            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+        arm64-usr+aarch64)
+            set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
         arm64-usr+*)
             if test "${VM_NCPUS}" -gt 4 ; then
                 VM_NCPUS=4
@@ -273,36 +185,23 @@ if [ -n "${CONFIG_IMAGE}" ]; then
 fi
 
 if [ -n "${VM_IMAGE}" ]; then
-    if [[ ,${PRIMARY_DISK_OPTS}, = *,drive=* || ,${PRIMARY_DISK_OPTS}, = *,bootindex=* ]]; then
-        die "Can't override drive or bootindex options for primary disk"
-    fi
-    set -- -drive if=none,id=blk,file="${VM_IMAGE}" \
-        -device virtio-blk-pci,drive=blk,bootindex=1${PRIMARY_DISK_OPTS:+,}${PRIMARY_DISK_OPTS:-} "$@"
+    case "${VM_BOARD}" in
+        amd64-usr)
+            set -- -drive if=virtio,file="${SCRIPT_DIR}/${VM_IMAGE}" "$@" ;;
+        arm64-usr)
+            set -- -drive if=none,id=blk,file="${SCRIPT_DIR}/${VM_IMAGE}" \
+            -device virtio-blk-device,drive=blk "$@"
+            ;;
+        *) die "Unsupported arch" ;;
+    esac
 fi
 
-declare -i id_counter=1
-
-for disk in "${DISKS[@]}"; do
-    disk_id="flatcar-extra-disk-$((id_counter++))"
-    if [[ ${disk} = *,* ]]; then
-        disk_path=${disk%%,*}
-        disk_opts=${disk#*,}
-    else
-        disk_path=${disk}
-        disk_opts=
-    fi
-    set -- \
-        -drive "if=none,id=${disk_id},file=${disk_path}" \
-        -device "virtio-blk-pci,drive=${disk_id}${disk_opts:+,}${disk_opts:-}" \
-        "${@}"
-done
-
 if [ -n "${VM_KERNEL}" ]; then
-    set -- -kernel "${VM_KERNEL}" "$@"
+    set -- -kernel "${SCRIPT_DIR}/${VM_KERNEL}" "$@"
 fi
 
 if [ -n "${VM_INITRD}" ]; then
-    set -- -initrd "${VM_INITRD}" "$@"
+    set -- -initrd "${SCRIPT_DIR}/${VM_INITRD}" "$@"
 fi
 
 if [ -n "${VM_UUID}" ]; then
@@ -311,13 +210,13 @@ fi
 
 if [ -n "${VM_CDROM}" ]; then
     set -- -boot order=d \
-        -drive file="${VM_CDROM}",media=cdrom,format=raw "$@"
+	-drive file="${SCRIPT_DIR}/${VM_CDROM}",media=cdrom,format=raw "$@"
 fi
 
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,unit=0,file="${VM_PFLASH_RO}",format=qcow2,readonly=on \
-        -drive if=pflash,unit=1,file="${VM_PFLASH_RW}",format=qcow2 "$@"
+        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi
 
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
@@ -326,18 +225,25 @@ fi
 
 case "${VM_BOARD}" in
     amd64-usr)
-        QEMU_BIN=qemu-system-x86_64 ;;
+        # Default to KVM, fall back on full emulation
+        qemu-system-x86_64 \
+            -name "$VM_NAME" \
+            -m ${VM_MEMORY} \
+            -netdev user,id=eth0,hostfwd=tcp::"${SSH_PORT}"-:22,hostname="${VM_NAME}" \
+            -device virtio-net-pci,netdev=eth0 \
+            -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \
+            "$@"
+        ;;
     arm64-usr)
-        QEMU_BIN=qemu-system-aarch64 ;;
+        qemu-system-aarch64 \
+            -name "$VM_NAME" \
+            -m ${VM_MEMORY} \
+            -netdev user,id=eth0,hostfwd=tcp::"${SSH_PORT}"-:22,hostname="${VM_NAME}" \
+            -device virtio-net-device,netdev=eth0 \
+            -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \
+            "$@"
+        ;;
     *) die "Unsupported arch" ;;
 esac
 
-"$QEMU_BIN" \
-    -name "$VM_NAME" \
-    -m ${VM_MEMORY} \
-    -netdev user,id=eth0${QEMU_FORWARDED_PORTS:+,}${QEMU_FORWARDED_PORTS},hostfwd=tcp::"${SSH_PORT}"-:22,hostname="${VM_NAME}" \
-    -device virtio-net-pci,netdev=eth0 \
-    -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \
-    "$@"
-
 exit $?

build_library/release_util.sh

@@ -2,8 +2,44 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+GSUTIL_OPTS=
+UPLOAD_ROOT=
+UPLOAD_PATH=
+TORCX_UPLOAD_ROOT=
+UPLOAD_DEFAULT=${FLAGS_FALSE}
 DEFAULT_IMAGE_COMPRESSION_FORMAT="bz2"
 
+# Default upload root can be overridden from the environment.
+_user="${USER}"
+[[ ${USER} == "root" ]] && _user="${SUDO_USER}"
+: ${FLATCAR_UPLOAD_ROOT:=gs://users.developer.core-os.net/${_user}}
+: ${FLATCAR_TORCX_UPLOAD_ROOT:=${FLATCAR_UPLOAD_ROOT}/torcx}
+unset _user
+
+DEFINE_boolean parallel ${FLAGS_TRUE} \
+  "Enable parallelism in gsutil."
+DEFINE_boolean upload ${UPLOAD_DEFAULT} \
+  "Upload all packages/images via gsutil."
+DEFINE_boolean private ${FLAGS_TRUE} \
+  "Upload the image as a private object."
+DEFINE_string upload_root "${FLATCAR_UPLOAD_ROOT}" \
+  "Upload prefix, board/version/etc will be appended. Must be a gs:// URL."
+DEFINE_string upload_path "" \
+  "Full upload path, overrides --upload_root. Must be a full gs:// URL."
+DEFINE_string download_root "" \
+  "HTTP download prefix, board/version/etc will be appended."
+DEFINE_string download_path "" \
+  "HTTP download path, overrides --download_root."
+DEFINE_string torcx_upload_root "${FLATCAR_TORCX_UPLOAD_ROOT}" \
+  "Tectonic torcx package and manifest Upload prefix. Must be a gs:// URL."
+DEFINE_string tectonic_torcx_download_root "" \
+  "HTTP download prefix for tectonic torcx packages and manifests."
+DEFINE_string tectonic_torcx_download_path "" \
+  "HTTP download path, overrides --tectonic_torcx_download_root."
+DEFINE_string sign "" \
+  "Sign all files to be uploaded with the given GPG key."
+DEFINE_string sign_digests "" \
+  "Sign image DIGESTS files with the given GPG key."
 DEFINE_string image_compression_formats "${DEFAULT_IMAGE_COMPRESSION_FORMAT}" \
   "Compress the resulting images using thise formats. This option acceps a list of comma separated values. Options are: none, bz2, gz, zip, zst"
 DEFINE_boolean only_store_compressed ${FLAGS_TRUE} \
@@ -39,21 +75,9 @@ compress_file() {
         ;;
     esac
 
-    # Check if symlink in which case we set up a "compressed" symlink
-    local compressed_name="${filepath}.${compression_format}"
-    if [ -L "${filepath}" ]; then
-        # We could also test if the target exists and otherwise do the compression
-        # but we might then end up with two different compressed artifacts
-        local link_target
-        link_target=$(readlink -f "${filepath}")
-        local target_basename
-        target_basename=$(basename "${link_target}")
-        ln -fs "${target_basename}.${compression_format}" "${compressed_name}"
-    else
-        ${IMAGE_ZIPPER} -f "${filepath}" 2>&1 >/dev/null || die "failed to compress ${filepath}"
-    fi
+    ${IMAGE_ZIPPER} -f "${filepath}" 2>&1 >/dev/null || die "failed to compress ${filepath}"
 
-    echo -n "${compressed_name}"
+    echo -n "${filepath}.${compression_format}"
 }
 
 compress_disk_images() {
@@ -61,11 +85,19 @@ compress_disk_images() {
     # among them.
     local -n local_files_to_evaluate="$1"
 
-    info "Compressing ${#local_files_to_evaluate[@]} images"
+    # An array that will hold the path on disk to the resulting disk image archives.
+    # Multiple compression formats may be requested, so this array may hold
+    # multiple archives for the same image.
+    local -n local_resulting_archives="$2"
+
+    # Files that did not match the filter for disk images.
+    local -n local_extra_files="$3"
+
+    info "Compressing images"
     # We want to compress images, but we also want to remove the uncompressed files
     # from the list of uploadable files.
     for filename in "${local_files_to_evaluate[@]}"; do
-        if [[ "${filename}" =~ \.(img|bin|vdi|vhd|vhdx|vmdk|qcow[2]?)$ ]]; then
+        if [[ "${filename}" =~ \.(img|bin|vdi|vhd|vmdk)$ ]]; then
             # Parse the formats as an array. This will yield an extra empty
             # array element at the end.
             readarray -td, FORMATS<<<"${FLAGS_image_compression_formats},"
@@ -74,14 +106,12 @@ compress_disk_images() {
 
             # An associative array we set an element on whenever we process a format.
             # This way we don't process the same format twice. A unique for array elements.
-            # (But first we need to unset the previous loop or we can only compress a single
-            # file per list of files).
-            unset processed_format
             declare -A processed_format
             for format in "${FORMATS[@]}";do
                 if [ -z "${processed_format[${format}]}" ]; then
                     info "Compressing ${filename##*/} to ${format}"
                     COMPRESSED_FILENAME=$(compress_file "${filename}" "${format}")
+                    local_resulting_archives+=( "$COMPRESSED_FILENAME" )
                     processed_format["${format}"]=1
                 fi
             done
@@ -91,11 +121,281 @@ compress_disk_images() {
                [ "${filename##*/}" != "flatcar_production_image.bin" ] &&
                [ "${filename##*/}" != "flatcar_production_update.bin" ] &&
                ! echo "${FORMATS[@]}" | grep -q "none"; then
-                info "Removing ${filename}"
                 rm "${filename}"
-            else
-                info "Keeping ${filename}"
             fi
+        else
+            local_extra_files+=( "${filename}" )            
         fi
     done
 }
+
+upload_legacy_digests() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+
+    local local_digest_file="$1"
+    local -n local_compressed_files="$2"
+
+    [[ "${#local_compressed_files[@]}" -gt 0 ]] || return 0
+
+    # Upload legacy digests
+    declare -a digests_to_upload
+    for file in "${local_compressed_files[@]}";do
+        legacy_digest_file="${file}.DIGESTS"
+        cp "${local_digest_file}" "${legacy_digest_file}"
+        digests_to_upload+=( "${legacy_digest_file}" )
+    done
+    local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${FLATCAR_VERSION}"
+    upload_files "digests" "${def_upload_path}" "" "${digests_to_upload[@]}"
+}
+
+check_gsutil_opts() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+
+    if [[ ${FLAGS_parallel} -eq ${FLAGS_TRUE} ]]; then
+        GSUTIL_OPTS="-m"
+    fi
+
+    if [[ -n "${FLAGS_upload_root}" ]]; then
+        if [[ "${FLAGS_upload_root}" != gs://* ]] \
+           && [[ "${FLAGS_upload_root}" != rsync://* ]] ; then
+            die_notrace "--upload_root must be a gs:// or rsync:// URL"
+        fi
+        # Make sure the path doesn't end with a slash
+        UPLOAD_ROOT="${FLAGS_upload_root%%/}"
+    fi
+
+    if [[ -n "${FLAGS_torcx_upload_root}" ]]; then
+        if [[ "${FLAGS_torcx_upload_root}" != gs://* ]] \
+           && [[ "${FLAGS_torcx_upload_root}" != rsync://* ]] ; then
+            die_notrace "--torcx_upload_root must be a gs:// or rsync:// URL"
+        fi
+        # Make sure the path doesn't end with a slash
+        TORCX_UPLOAD_ROOT="${FLAGS_torcx_upload_root%%/}"
+    fi
+
+    if [[ -n "${FLAGS_upload_path}" ]]; then
+        if [[ "${FLAGS_upload_path}" != gs://* ]] \
+           && [[ "${FLAGS_upload_path}" != rsync://* ]] ; then
+            die_notrace "--upload_path must be a gs:// or rsync:// URL"
+        fi
+        # Make sure the path doesn't end with a slash
+        UPLOAD_PATH="${FLAGS_upload_path%%/}"
+    fi
+
+    # Ensure scripts run via sudo can use the user's gsutil/boto configuration.
+    if [[ -n "${SUDO_USER}" ]]; then
+        : ${BOTO_PATH:="$HOME/.boto:/home/$SUDO_USER/.boto"}
+        export BOTO_PATH
+    fi
+}
+
+# Generic upload function
+# Usage: upload_files "file type" "${UPLOAD_ROOT}/default/path" "" files...
+#  arg1: file type reported via log
+#  arg2: default upload path, overridden by --upload_path
+#  arg3: upload path suffix that can't be overridden, must end in /
+#  argv: remaining args are files or directories to upload
+upload_files() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+
+    local msg="$1"
+    local local_upload_path="$2"
+    local extra_upload_suffix="$3"
+    shift 3
+
+    if [[ -n "${UPLOAD_PATH}" ]]; then
+        local_upload_path="${UPLOAD_PATH}"
+    fi
+
+    if [[ -n "${extra_upload_suffix}" && "${extra_upload_suffix}" != */ ]]
+    then
+        die "upload suffix '${extra_upload_suffix}' doesn't end in /"
+    fi
+
+    info "Uploading ${msg} to ${local_upload_path}"
+
+    if [[ "${local_upload_path}" = 'rsync://'* ]]; then
+        local rsync_upload_path="${local_upload_path#rsync://}"
+        local sshcmd="ssh -o BatchMode=yes "
+              sshcmd="$sshcmd -o StrictHostKeyChecking=no"
+              sshcmd="$sshcmd -o UserKnownHostsFile=/dev/null"
+              sshcmd="$sshcmd -o NumberOfPasswordPrompts=0"
+
+        # ensure the target path exists
+        local sshuserhost="${rsync_upload_path%:*}"
+        local destpath="${rsync_upload_path#*:}"
+        ${sshcmd} "${sshuserhost}" \
+            "mkdir -p ${destpath}/${extra_upload_suffix}"
+
+        # now sync
+        rsync -Pav -e "${sshcmd}" "$@" \
+            "${rsync_upload_path}/${extra_upload_suffix}"
+    else
+        gsutil ${GSUTIL_OPTS} cp -R "$@" \
+            "${local_upload_path}/${extra_upload_suffix}"
+    fi
+}
+
+
+# Identical to upload_files but GPG signs every file if enabled.
+# Usage: sign_and_upload_files "file type" "${UPLOAD_ROOT}/default/path" "" files...
+#  arg1: file type reported via log
+#  arg2: default upload path, overridden by --upload_path
+#  arg3: upload path suffix that can't be overridden, must end in /
+#  argv: remaining args are files or directories to upload
+sign_and_upload_files() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+
+    local msg="$1"
+    local path="$2"
+    local suffix="$3"
+    shift 3
+
+    # run a subshell to possibly clean the temporary directory with
+    # signatures without clobbering the global EXIT trap
+    (
+    # Create simple GPG detached signature for all uploads.
+    local sigs=()
+    if [[ -n "${FLAGS_sign}" ]]; then
+        local file
+        local sigfile
+        local sigdir=$(mktemp --directory)
+        trap "rm -rf ${sigdir}" EXIT
+        for file in "$@"; do
+            if [[ "${file}" =~ \.(asc|gpg|sig)$ ]]; then
+                continue
+            fi
+
+            for sigfile in $(find "${file}" ! -type d); do
+                mkdir -p "${sigdir}/${sigfile%/*}"
+                gpg --batch --local-user "${FLAGS_sign}" \
+                    --output "${sigdir}/${sigfile}.sig" \
+                    --detach-sign "${sigfile}" || die "gpg failed"
+            done
+
+            [ -d "${file}" ] &&
+            sigs+=( "${sigdir}/${file}" ) ||
+            sigs+=( "${sigdir}/${file}.sig" )
+        done
+    fi
+
+    upload_files "${msg}" "${path}" "${suffix}" "$@" "${sigs[@]}"
+    )
+}
+
+upload_packages() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+    [[ -n "${BOARD}" ]] || die "board_options.sh must be sourced first"
+
+    local board_packages="${1:-"${BOARD_ROOT}/packages"}"
+    local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${FLATCAR_VERSION}"
+    sign_and_upload_files packages ${def_upload_path} "pkgs/" \
+        "${board_packages}"/*
+}
+
+# Upload a set of files (usually images) and digest, optionally w/ gpg sig
+# If more than one file is specified -d must be the first argument
+# Usage: upload_image [-d file.DIGESTS] file1 [file2...]
+upload_image() {
+    [[ ${FLAGS_upload} -eq ${FLAGS_TRUE} ]] || return 0
+    [[ -n "${BOARD}" ]] || die "board_options.sh must be sourced first"
+
+    # The name to use for .DIGESTS and .DIGESTS.asc must be explicit if
+    # there is more than one file to upload to avoid potential confusion.
+    local digests
+    if [[ "$1" == "-d" ]]; then
+        [[ -n "$2" ]] || die "-d requires an argument"
+        digests="$2"
+        shift 2
+    else
+        [[ $# -eq 1 ]] || die "-d is required for multi-file uploads"
+        # digests is assigned after image is possibly compressed/renamed
+    fi
+
+    local uploads=()
+    local filename
+    for filename in "$@"; do
+        if [[ ! -f "${filename}" ]]; then
+            die "File '${filename}' does not exist!"
+        fi
+        uploads+=( "${filename}" )
+    done
+
+    if [[ -z "${digests}" ]]; then
+        digests="${uploads[0]}.DIGESTS"
+    fi
+
+    # For consistency generate a .DIGESTS file similar to the one catalyst
+    # produces for the SDK tarballs and up upload it too.
+    make_digests -d "${digests}" "${uploads[@]}"
+    uploads+=( "${digests}" )
+
+    # Create signature as ...DIGESTS.asc as Gentoo does.
+    if [[ -n "${FLAGS_sign_digests}" ]]; then
+      rm -f "${digests}.asc"
+      gpg --batch --local-user "${FLAGS_sign_digests}" \
+          --clearsign "${digests}" || die "gpg failed"
+      uploads+=( "${digests}.asc" )
+    fi
+
+    local log_msg=$(basename "$digests" .DIGESTS)
+    local def_upload_path="${UPLOAD_ROOT}/boards/${BOARD}/${FLATCAR_VERSION}"
+    sign_and_upload_files "${log_msg}" "${def_upload_path}" "" "${uploads[@]}"
+}
+
+# Translate the configured upload URL to a download URL
+# Usage: download_image_url "path/suffix"
+download_image_url() {
+    if [[ ${FLAGS_upload} -ne ${FLAGS_TRUE} ]]; then
+        echo "$1"
+        return 0
+    fi
+
+    local download_root="${FLAGS_download_root:-${UPLOAD_ROOT}}"
+
+    local download_path
+    local download_channel
+    if [[ -n "${FLAGS_download_path}" ]]; then
+        download_path="${FLAGS_download_path%%/}"
+    elif [[ "${download_root}" == *flatcar-jenkins* ]]; then
+        download_channel="${download_root##*/}"
+        download_root="gs://${download_channel}.release.flatcar-linux.net"
+        # Official release download paths don't include the boards directory
+        download_path="${download_root%%/}/${BOARD}/${FLATCAR_VERSION}"
+    else
+        download_path="${download_root%%/}/boards/${BOARD}/${FLATCAR_VERSION}"
+    fi
+
+    # Just in case download_root was set from UPLOAD_ROOT
+    if [[ "${download_path}" == gs://* ]]; then
+        download_path="https://${download_path#gs://}"
+    fi
+
+    echo "${download_path}/$1"
+}
+
+# Translate the configured torcx upload URL to a download url
+# This is similar to the download_image_url, other than assuming the release
+# bucket is the tectonic_torcx one.
+download_tectonic_torcx_url() {
+    if [[ ${FLAGS_upload} -ne ${FLAGS_TRUE} ]]; then
+        echo "$1"
+        return 0
+    fi
+
+    local download_root="${FLAGS_tectonic_torcx_download_root:-${TORCX_UPLOAD_ROOT}}"
+
+    local download_path
+    if [[ -n "${FLAGS_tectonic_torcx_download_path}" ]]; then
+        download_path="${FLAGS_tectonic_torcx_download_path%%/}"
+    else
+        download_path="${download_root%%/}"
+    fi
+
+    # Just in case download_root was set from UPLOAD_ROOT
+    if [[ "${download_path}" == gs://* ]]; then
+        download_path="http://${download_path#gs://}"
+    fi
+
+    echo "${download_path}/$1"
+}

build_library/reports_util.sh

@@ -1,121 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) 2023 The Flatcar Maintainers.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-if [[ -n "${FLATCAR_REPORTS_UTIL_SH_INCLUDED:-}" ]]; then
-    return 0
-fi
-
-FLATCAR_REPORTS_UTIL_SH_INCLUDED=1
-
-# Generate a ls-like listing of a directory tree.
-# The ugly printf is used to predictable time format and size in bytes.
-#
-# Usage:
-#  write_contents "${rootfs}" ${contents_file}"
-write_contents() {
-    local rootfs="${1}"; shift
-    local output="${1}"; shift
-    info "Writing ${output##*/}"
-    # Ensure output is an absolute path before we change the working
-    # directory.
-    output=$(realpath "${output}")
-    pushd "${rootfs}" >/dev/null
-    # %M - file permissions
-    # %n - number of hard links to file
-    # %u - file's user name
-    # %g - file's group name
-    # %s - size in bytes
-    # %Tx - modification time (Y - year, m - month, d - day, H - hours, M - minutes)
-    # %P - file's path
-    # %l - symlink target (empty if not a symlink)
-    sudo TZ=UTC find -printf \
-        '%M %2n %-7u %-7g %7s %TY-%Tm-%Td %TH:%TM ./%P -> %l\n' \
-        | sort --key=8 \
-        | sed -e 's/ -> $//' >"${output}"
-    popd >/dev/null
-}
-
-# Generate a listing that can be used by other tools to analyze
-# image/file size changes.
-#
-# Usage:
-#  write_contents_with_technical_details "${rootfs}" ${output_file}"
-write_contents_with_technical_details() {
-    local rootfs="${1}"; shift
-    local output="${1}"; shift
-    info "Writing ${output##*/}"
-    # Ensure output is an absolute path before we change the working
-    # directory.
-    output=$(realpath "${output}")
-    pushd "${rootfs}" >/dev/null
-    # %M - file permissions
-    # %D - ID of a device where file resides
-    # %i - inode number
-    # %n - number of hard links to file
-    # %s - size in bytes
-    # %P - file's path
-    sudo find -printf \
-        '%M %D %i %n %s ./%P\n' \
-        | sort --key=6 >"${output}"
-    popd >/dev/null
-}
-
-# Generate a report like the following if more than one relative path
-# in rootfs was passed:
-#
-# File    Size  Used Avail Use% Type
-# /boot   127M   62M   65M  50% vfat
-# /usr    983M  721M  212M  78% ext2
-# /       6,0G   13M  5,6G   1% ext4
-# SUM     7,0G  796M  5,9G  12% -
-#
-# or, in case of 0 or 1 relative path:
-#
-# File  Size  Used Avail Use% Type
-# /      27M   27M     0 100% squashfs
-#
-# Usage:
-#  write_disk_space_usage_in_paths "${rootfs}" "${output_file}" ./boot ./usr ./
-write_disk_space_usage_in_paths() {
-    local rootfs="${1}"; shift
-    local output="${1}"; shift
-    info "Writing ${output##*/}"
-    # Ensure output is an absolute path before we change the working
-    # directory.
-    output=$(realpath "${output}")
-    pushd "${rootfs}" >/dev/null
-    local extra_flags
-    extra_flags=()
-    if [[ ${#} -eq 0 ]]; then
-        set -- ./
-    fi
-    if [[ ${#} -gt 1 ]]; then
-        extra_flags+=('--total')
-    fi
-    # The sed's first command turns './<path>' into '/<path> ', second
-    # command replaces '- ' with 'SUM' for the total row. All this to
-    # keep the numbers neatly aligned in columns.
-    sudo df \
-         --human-readable \
-         "${extra_flags[@]}" \
-         --output='file,size,used,avail,pcent,fstype' \
-         "${@}" | \
-        sed \
-            -e 's#^\.\(/[^ ]*\)#\1 #' \
-            -e 's/^-  /SUM/' >"${output}"
-    popd >/dev/null
-}
-
-# Generate a report like the following:
-#
-# File    Size  Used Avail Use% Type
-# /boot   127M   62M   65M  50% vfat
-# /usr    983M  721M  212M  78% ext2
-# /       6,0G   13M  5,6G   1% ext4
-# SUM     7,0G  796M  5,9G  12% -
-write_disk_space_usage() {
-    write_disk_space_usage_in_paths "${1}" "${2}" ./boot ./usr ./
-}

build_library/sbsign_util.sh

@@ -1,55 +0,0 @@
-# Copyright (c) 2024 The Flatcar Maintainers.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
-    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
-else
-    SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
-    unset SBSIGN_CERT
-fi
-
-PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
-
-PKCS11_ENV=(
-    AZURE_KEYVAULT_URL="https://flatcar-hsm0001.vault.azure.net/"
-    PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
-    AZURE_KEYVAULT_PKCS11_DEBUG=1
-)
-
-get_sbsign_cert() {
-    if [[ ${SBSIGN_KEY} != pkcs11:* || -s ${SBSIGN_CERT-} ]]; then
-        return
-    fi
-
-    SBSIGN_CERT=$(mktemp -t signing-cert.XXXXXXXXXX.pem)
-    info "Fetching ${SBSIGN_KEY} from Azure"
-
-    # Needs Key Vault Reader role.
-    env "${PKCS11_ENV[@]}" p11-kit export-object \
-        --provider "${PKCS11_MODULE_PATH}" \
-        "${SBSIGN_KEY};type=cert" \
-        | tee "${SBSIGN_CERT}"
-}
-
-cleanup_sbsign_certs() {
-    if [[ ${SBSIGN_CERT-} == "${TMPDIR-/tmp}"/* ]]; then
-        rm -f -- "${SBSIGN_CERT}"
-    fi
-}
-
-do_sbsign() {
-    get_sbsign_cert
-    info "Signing ${@:$#} with ${SBSIGN_KEY}"
-
-    if [[ ${SBSIGN_KEY} == pkcs11:* ]]; then
-        set -- --engine pkcs11 "${@}"
-    fi
-
-    # Needs Key Vault Crypto User role.
-    sudo env "${PKCS11_ENV[@]}" sbsign \
-        --key "${SBSIGN_KEY}" \
-        --cert "${SBSIGN_CERT}" \
-        "${@}"
-}

build_library/set_lsb_release

@@ -25,38 +25,40 @@ ROOT_FS_DIR="$FLAGS_root"
 [ -n "$ROOT_FS_DIR" ] || die "--root is required."
 [ -d "$ROOT_FS_DIR" ] || die "Root FS does not exist? ($ROOT_FS_DIR)"
 
-# These variables are set in the base profile.
-eval $("portageq${FLAGS_board:+-}${FLAGS_board}" envvar -v BRANDING_OS_\*)
-BRANDING_OS_PRETTY_NAME="${BRANDING_OS_NAME} ${FLATCAR_VERSION}"
+OS_NAME="Flatcar Container Linux by Kinvolk"
+OS_CODENAME="Oklo"
+OS_ID="flatcar"
+OS_ID_LIKE="coreos"
+OS_PRETTY_NAME="$OS_NAME $FLATCAR_VERSION (${OS_CODENAME})"
 
 FLATCAR_APPID="{e96281a6-d1af-4bde-9a0a-97b76e56dc57}"
 
 # DISTRIB_* are the standard lsb-release names
 sudo mkdir -p "${ROOT_FS_DIR}/usr/share/flatcar" "${ROOT_FS_DIR}/etc/flatcar"
 sudo_clobber "${ROOT_FS_DIR}/usr/share/flatcar/lsb-release" <<EOF
-DISTRIB_ID="$BRANDING_OS_NAME"
+DISTRIB_ID="$OS_NAME"
 DISTRIB_RELEASE=$FLATCAR_VERSION
-DISTRIB_DESCRIPTION="$BRANDING_OS_PRETTY_NAME"
+DISTRIB_CODENAME="$OS_CODENAME"
+DISTRIB_DESCRIPTION="$OS_PRETTY_NAME"
 EOF
 sudo ln -sf "../usr/share/flatcar/lsb-release" "${ROOT_FS_DIR}/etc/lsb-release"
 
 # And the new standard, os-release
 # https://www.freedesktop.org/software/systemd/man/os-release.html
 sudo_clobber "${ROOT_FS_DIR}/usr/lib/os-release" <<EOF
-NAME="$BRANDING_OS_NAME"
-ID="$BRANDING_OS_ID"
-ID_LIKE="$BRANDING_OS_ID_LIKE"
-VERSION="$FLATCAR_VERSION"
-VERSION_ID="$FLATCAR_VERSION_ID"
-BUILD_ID="$FLATCAR_BUILD_ID"
-SYSEXT_LEVEL="1.0"
-PRETTY_NAME="$BRANDING_OS_PRETTY_NAME"
+NAME="$OS_NAME"
+ID=$OS_ID
+ID_LIKE=$OS_ID_LIKE
+VERSION=$FLATCAR_VERSION
+VERSION_ID=$FLATCAR_VERSION_ID
+BUILD_ID=$FLATCAR_BUILD_ID
+SYSEXT_LEVEL=1.0
+PRETTY_NAME="$OS_PRETTY_NAME"
 ANSI_COLOR="38;5;75"
-HOME_URL="$BRANDING_OS_HOME_URL"
-BUG_REPORT_URL="$BRANDING_OS_BUG_REPORT_URL"
-SUPPORT_URL="$BRANDING_OS_SUPPORT_URL"
+HOME_URL="https://flatcar.org/"
+BUG_REPORT_URL="https://issues.flatcar.org"
 FLATCAR_BOARD="$FLAGS_board"
-CPE_NAME="cpe:2.3:o:${BRANDING_OS_ID}-linux:${BRANDING_OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
+CPE_NAME="cpe:2.3:o:${OS_ID}-linux:${OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
 EOF
 sudo ln -sf "../usr/lib/os-release" "${ROOT_FS_DIR}/etc/os-release"
 sudo ln -sf "../../lib/os-release" "${ROOT_FS_DIR}/usr/share/flatcar/os-release"

build_library/sysext_mangle_containerd-flatcar

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-# No manpages on Flatcar, no need to ship "stress" tool
-rm -rf ./usr/{bin/{containerd-stress,gen-manpages},lib/debug/}
-
-dir=$(dirname "${BASH_SOURCE[0]}")
-files_dir="${dir}/../sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
-
-echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-# ATTENTION: don't preserve ownership as repo is owned by sdk user
-cp -vdR --preserve=mode,timestamps "${files_dir}/"* ./
-
-install -D -m0644 /dev/stdin ./usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf <<EOF
-[Unit]
-Upholds=containerd.service
-EOF
-
-popd

build_library/sysext_mangle_docker-flatcar

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-# Remove debug and contrib
-echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
-rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
-# For Docker 27.2.1, two files are symlinked to /usr/share/docker/contrib
-# There were previously shipped directly in /usr/share/docker/contrib folder
-rm -f "${rootfs}/usr/bin/dockerd-rootless-setuptool.sh" "${rootfs}/usr/bin/dockerd-rootless.sh"
-
-script_root="$(cd "$(dirname "$0")/../"; pwd)"
-files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
-
-echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-# ATTENTION: don't preserve ownership as repo is owned by sdk user
-cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
-
-mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
-{ echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"

build_library/sysext_mangle_flatcar-incus

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/{lib/debug,lib64/pkgconfig,include}/
-
-pushd ./usr/lib/systemd/system
-mkdir -p "multi-user.target.d"
-{ echo "[Unit]"; echo "Upholds=incus.service"; } > "multi-user.target.d/10-incus.conf"
-popd
-
-mkdir -p ./usr/lib/tmpfiles.d
-pushd ./usr/lib/tmpfiles.d
-cat <<EOF >./10-incus.conf
-d  /var/lib/lxc/rootfs	0755  root  root  -  -
-EOF
-popd
-
-# Add 'core' user to 'incus-admin' group to avoid prefixing
-# all commands with sudo.
-mkdir -p ./usr/lib/userdb/
-echo " " > ./usr/lib/userdb/core:incus-admin.membership
-
-popd

build_library/sysext_mangle_flatcar-nvidia-drivers-535

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-SCRIPT_NAME=$(basename "$(realpath "${BASH_SOURCE[0]}")")
-SYSEXT_NAME=${SCRIPT_NAME#sysext_mangle_}
-SYSEXT_NAME=${SYSEXT_NAME%.sh}
-DIR=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
-. "$DIR/sysext_mangle_kmod"
-
-rootfs="${1}"
-
-cd "${rootfs}"
-configure_modprobe "$SYSEXT_NAME"

build_library/sysext_mangle_flatcar-nvidia-drivers-535-open

@@ -1 +0,0 @@
-sysext_mangle_flatcar-nvidia-drivers-535

build_library/sysext_mangle_flatcar-nvidia-drivers-550

@@ -1 +0,0 @@
-sysext_mangle_flatcar-nvidia-drivers-535

build_library/sysext_mangle_flatcar-nvidia-drivers-550-open

@@ -1 +0,0 @@
-sysext_mangle_flatcar-nvidia-drivers-535

build_library/sysext_mangle_flatcar-nvidia-drivers-570

@@ -1 +0,0 @@
-sysext_mangle_flatcar-nvidia-drivers-535

build_library/sysext_mangle_flatcar-nvidia-drivers-570-open

@@ -1 +0,0 @@
-sysext_mangle_flatcar-nvidia-drivers-535

build_library/sysext_mangle_flatcar-overlaybd

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/lib/debug/
-
-pushd ./usr/lib/systemd/system
-mkdir -p "multi-user.target.d"
-{ echo "[Unit]"; echo "Upholds=overlaybd-tcmu.service overlaybd-snapshotter.service"; } > "multi-user.target.d/10-overlaybd.conf"
-popd
-
-popd

build_library/sysext_mangle_flatcar-podman

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/{lib/debug,lib64/cmake,lib64/pkgconfig,include,share/aclocal,share/fish}/
-
-mkdir -p ./usr/share/podman/etc
-cp -a ./etc/{fuse.conf,containers} ./usr/share/podman/etc/
-
-cat <<EOF >>./usr/lib/tmpfiles.d/podman.conf
-C /etc/containers - - - - /usr/share/podman/etc/containers
-C /etc/fuse.conf - - - - /usr/share/podman/etc/fuse.conf
-EOF
-
-popd

build_library/sysext_mangle_flatcar-python

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/{lib/debug,share,include,lib64/pkgconfig}
-
-# Remove test stuff from python - it's quite large.
-for p in ./usr/lib/python*; do
-    if [[ ! -d ${p} ]]; then
-        continue
-    fi
-    # find directories named tests or test and remove them (-prune
-    # avoids searching below those directories)
-    find "${p}" \( -name tests -o -name test \) -type d -prune -exec rm -rf '{}' '+'
-done
-
-popd

build_library/sysext_mangle_flatcar-zfs

@@ -1,47 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
-. "$DIR/sysext_mangle_kmod"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/{lib/debug/,lib64/cmake/,include/}
-rm -rf ./usr/lib/dracut/
-rm -rf ./usr/share/initramfs-tools
-rm -rf ./usr/src
-
-mkdir -p ./usr/share/zfs/etc
-rm -rf ./etc/{csh.env,environment.d/,profile.env}
-cp -a ./etc/. ./usr/share/zfs/etc/
-
-pushd ./usr/lib/systemd/system
-while read cmd unit; do
-  if [ "$cmd" = enable ]; then
-    target=$(awk -F= '/WantedBy/ { print $2 }' $unit)
-    mkdir -p "${target}.wants"
-    ln -svr "${unit}" "${target}".wants/
-  fi
-done < <(grep -v '^#' "${rootfs}"/usr/lib/systemd/system-preset/50-zfs.preset)
-mkdir -p "multi-user.target.d"
-{ echo "[Unit]"; echo "Upholds=zfs.target"; } > "multi-user.target.d/10-zfs.conf"
-popd
-
-mkdir -p ./usr/lib/tmpfiles.d
-cat <<EOF >./usr/lib/tmpfiles.d/10-zfs.conf
-d  /etc/zfs                                                 0755  root  root  -  -
-L  /etc/zfs/zed.d                                           -     -     -     -  /usr/share/zfs/etc/zfs/zed.d
-L  /etc/zfs/zfs-functions                                   -     -     -     -  /usr/share/zfs/etc/zfs/zfs-functions
-L  /etc/zfs/zpool.d                                         -     -     -     -  /usr/share/zfs/etc/zfs/zpool.d
-C  /etc/systemd/system/systemd-udevd.service.d/10-zfs.conf  -     -     -     -  /usr/lib/systemd/system/systemd-udevd.service.d/10-zfs.conf
-EOF
-
-mkdir -p ./usr/lib/systemd/system/systemd-udevd.service.d
-cat <<EOF >./usr/lib/systemd/system/systemd-udevd.service.d/10-zfs.conf
-[Unit]
-After=systemd-sysext.service
-EOF
-configure_modprobe flatcar-zfs
-popd

build_library/sysext_mangle_kmod

@@ -1,48 +0,0 @@
-#!/bin/bash
-
-configure_modprobe() {
-  local sysext_name="${1}"
-  shift
-
-  local module_directories=(./usr/lib/modules/*-flatcar/)
-
-  mkdir -p ./usr/lib/modprobe.d/
-  for module_name in $(find "${module_directories[@]}" -type f \( -name "*.ko" -o -name "*.ko.*" \) -printf "%f\n" | sed -E 's/\.ko(\.\w+)?$//'); do
-    cat <<EOF >> "./usr/lib/modprobe.d/10-${sysext_name}-kmod-sysext.conf"
-install $module_name /usr/libexec/_${sysext_name}_modprobe_helper $module_name
-remove $module_name /usr/libexec/_${sysext_name}_modprobe_helper -r $module_name
-EOF
-  done
-
-  mkdir -p ./usr/libexec/
-  install -m0755 -D /dev/stdin "./usr/libexec/_${sysext_name}_modprobe_helper" <<'EOF'
-#!/bin/bash
-
-set -euo pipefail
-
-action="Loading"
-for arg in "$@"; do
-    if [[ $arg == "-r" ]]; then
-        action="Unloading"
-    fi
-done
-echo "$action kernel module from a sysext..."
-
-KMOD_PATH=/usr/lib/modules/$(uname -r)
-TMP_DIR=$(mktemp -d)
-trap "rm -rf -- '${TMP_DIR}'" EXIT
-mkdir "${TMP_DIR}"/{upper,work}
-
-unshare -m bash -s -- "${@}" <<FOE
-set -euo pipefail
-if ! mountpoint -q "${KMOD_PATH}"; then
-    mount -t overlay overlay -o lowerdir="${KMOD_PATH}",upperdir="${TMP_DIR}"/upper,workdir="${TMP_DIR}"/work "${KMOD_PATH}"
-    depmod
-fi
-modprobe --ignore-install "\${@}"
-FOE
-EOF
-
-  # prevent the sysext from masking /usr/lib/modules/*-flatcar/modules.XXX
-  find "${module_directories[@]}" -maxdepth 1 -mindepth 1 -type f -delete
-}

build_library/sysext_prod_builder

@@ -1,186 +0,0 @@
-#!/bin/bash
-# Copyright (c) 2023 by the Flatcar Maintainers.
-# Use of this source code is governed by the Apache 2.0 license.
-
-# Helper script for building OS images w/ sysexts included.
-# Called by build_image -> prod_image_util.sh.
-# This is a separate script mainly so we can trap EXIT and clean up our mounts
-#  without interfering with traps set by build_image.
-
-# We're in build_library/, script root is one up
-SCRIPT_ROOT="$(cd "$(dirname "$(readlink -f "$0")")/../"; pwd)"
-. "${SCRIPT_ROOT}/common.sh" || exit 1
-
-# Script must run inside the chroot
-assert_inside_chroot
-switch_to_strict_mode
-
-. "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
-
-# Create a sysext from a package and install it to the OS image.
-# Conventions:
-# - For each <group>/<package>, <group>_<package>_pkginfo will be built. Can be used in subsequent calls
-#   to build dependent sysexts.
-# - If ${BUILD_LIBRARY_DIR}/sysext_mangle_<group>_<package> exists it will be used as FS mangle script
-#   when building the sysext.
-create_prod_sysext() {
-  local BOARD="$1"
-  local output_dir="$2"
-  local workdir="$3"
-  local base_sysext="$4"
-  local install_root="$5"
-  local name="$6"
-  local grp_pkgs="$7"
-  local pkginfo="${8:-}"
-
-  local -a build_sysext_opts=()
-
-  local -a grp_pkg
-  mapfile -t grp_pkg <<<"${grp_pkgs//&/$'\n'}"
-  local msg="Installing ${grp_pkg[*]} in sysext ${name}.raw"
-
-  # Include previous sysexts' pkginfo if supplied
-  if [[ -n "${pkginfo}" ]] ; then
-    if [[ ! -f "${output_dir}/${pkginfo}" ]] ; then
-      die "Sysext build '${name}': unable to find package info at '${output_dir}/${pkginfo}'."
-    fi
-    msg="${msg} w/ package info '${pkginfo}'"
-    build_sysext_opts+=( "--base_pkginfo=${output_dir}/${pkginfo}" )
-  fi
-
-  # Include FS mangle script if present
-  if [[ -x "${BUILD_LIBRARY_DIR}/sysext_mangle_${name}" ]] ; then
-    build_sysext_opts+=( "--manglefs_script=${BUILD_LIBRARY_DIR}/sysext_mangle_${name}" )
-    msg="${msg}, FS mangle script 'sysext_mangle_${name}'"
-  fi
-
-  info "${msg}."
-
-  # Pass the build ID extracted from root FS to build_sysext. This prevents common.sh
-  #   in build_sysext to generate a (timestamp based) build ID during a DEV build of a
-  #   release tag (which breaks its version check).
-  #
-  # The --install_root_basename="${name}-base-sysext-rootfs" flag is
-  # important - it sets the name of a rootfs directory, which is used
-  # to determine the package target in coreos/base/profile.bashrc
-  #
-  # Built-in sysexts are stored in the compressed /usr partition, so we
-  # disable compression to avoid double-compression.
-  sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
-            --board="${BOARD}" \
-            --image_builddir="${workdir}/sysext-build" \
-            --squashfs_base="${base_sysext}" \
-            --generate_pkginfo \
-            --compression=none \
-            --install_root_basename="${name}-base-sysext-rootfs" \
-            "${build_sysext_opts[@]}" \
-            "${name}" "${grp_pkg[@]}"
-
-  sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \
-                              "${workdir}/sysext-build/${name}"_*.txt "${output_dir}"
-
-  sudo mkdir -p "${install_root}"/usr/share/flatcar/sysext
-  sudo install -m 0644 -D "${output_dir}/${name}.raw" "${install_root}"/usr/share/flatcar/sysext/
-
-  sudo mkdir -p "${install_root}"/etc/extensions/
-  sudo ln -sf "/usr/share/flatcar/sysext/${name}.raw" "${install_root}/etc/extensions/${name}.raw"
-}
-# --
-
-BOARD="$1"
-BUILD_DIR="$2"
-root_fs_dir="$3"
-
-merged_rootfs_dir="$4"
-sysext_output_dir="$5"
-
-sysexts_list="$6"
-
-grp_pkg=""
-prev_pkginfo=""
-sysext_workdir="${BUILD_DIR}/prod-sysext-work"
-sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
-sysext_base="${sysext_workdir}/base-os.squashfs"
-
-function cleanup() {
-  IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
-  # skip the rootfs
-  mounted_sysexts=("${mounted_sysexts[@]:1}")
-
-  for sysext in "${mounted_sysexts[@]}"; do
-    sudo systemd-dissect --umount --rmdir "$sysext"
-  done
-
-  sudo umount "${sysext_mountdir}"/* || true
-  rm -rf "${sysext_workdir}" || true
-}
-# --
-
-trap cleanup EXIT
-
-rm -rf "${sysext_workdir}" "${sysext_output_dir}"
-mkdir "${sysext_workdir}" "${sysext_output_dir}"
-
-info "creating temporary base OS squashfs"
-sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^btrfs.'
-
-# Build sysexts on top of root fs and mount sysexts' squashfs + pkginfo squashfs
-# for combined overlay later.
-prev_pkginfo=""
-sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
-mkdir -p "${sysext_mountdir}"
-for sysext in ${sysexts_list//,/ }; do
-  # format is "<name>:<group>/<package>"
-  name="${sysext%|*}"
-  grp_pkg="${sysext#*|}"
-  create_prod_sysext "${BOARD}" \
-                     "${sysext_output_dir}" \
-                     "${sysext_workdir}" \
-                     "${sysext_base}" \
-                     "${root_fs_dir}"\
-                     "${name}" \
-                     "${grp_pkg}" \
-                     "${prev_pkginfo}"
-
-  sudo systemd-dissect \
-    --read-only \
-    --mount \
-    --mkdir \
-    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
-    "${sysext_output_dir}/${name}.raw" \
-    "${sysext_mountdir}/${name}"
-
-  sudo systemd-dissect \
-    --read-only \
-    --mount \
-    --mkdir \
-    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
-    "${sysext_output_dir}/${name}_pkginfo.raw" \
-    "${sysext_mountdir}/${name}_pkginfo"
-
-  sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
-  sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"
-
-  prev_pkginfo="${name}_pkginfo.raw"
-done
-
-# Mount the combined overlay (base OS, sysexts, and syset pkginfos) and copy a snapshot
-# into the designated output dir for upper layers to process.
-mkdir -p "${sysext_mountdir}/rootfs-lower" 
-sudo mount -rt squashfs -o loop,nodev "${sysext_base}" "${sysext_mountdir}/rootfs-lower"
-
-# Mount overlay for report generation
-mkdir -p "${sysext_workdir}/.work"
-mkdir -p "${sysext_mountdir}/rootfs-upper" 
-sudo mount -t overlay overlay \
-         -o lowerdir="${sysext_lowerdirs}",upperdir="${sysext_mountdir}/rootfs-upper",workdir="${sysext_workdir}/.work" \
-         "${sysext_mountdir}/rootfs-upper"
-
-
-sudo rm -rf "${merged_rootfs_dir}"
-sudo cp -a "${sysext_mountdir}/rootfs-upper" "${merged_rootfs_dir}"
-
-
-cleanup
-trap -- EXIT

build_library/template_interoute.ovf

@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--Generated by VMware ovftool 4.0.0 (build-2301625), UTC time: 2015-08-28T15:12:13.106013Z-->
+<Envelope vmw:buildId="build-2301625" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <References>
+    <File ovf:href="@@VMDK_FILE_NAME@@" ovf:id="file1" ovf:size="@@VMDK_FILE_SIZE@@"/>
+  </References>
+  <DiskSection>
+    <Info>Virtual disk information</Info>
+    <Disk ovf:capacity="@@VMDK_CAPACITY@@" ovf:capacityAllocationUnits="byte" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" ovf:populatedSize="0"/>
+  </DiskSection>
+  <NetworkSection>
+    <Info>The list of logical networks</Info>
+    <Network ovf:name="VM Network">
+      <Description>The VM Network network</Description>
+    </Network>
+  </NetworkSection>
+  <VirtualSystem ovf:id="@@NAME@@">
+    <Info>A virtual machine</Info>
+    <Name>@@NAME@@</Name>
+    <OperatingSystemSection ovf:id="100" vmw:osType="other26xLinux64Guest">
+      <Info>The kind of installed guest operating system</Info>
+    </OperatingSystemSection>
+    <VirtualHardwareSection>
+      <Info>Virtual hardware requirements</Info>
+      <System>
+        <vssd:ElementName>Virtual Hardware Family</vssd:ElementName>
+        <vssd:InstanceID>0</vssd:InstanceID>
+        <vssd:VirtualSystemIdentifier>@@NAME@@</vssd:VirtualSystemIdentifier>
+        <vssd:VirtualSystemType>vmx-08</vssd:VirtualSystemType>
+      </System>
+      <Item>
+        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
+        <rasd:Description>Number of Virtual CPUs</rasd:Description>
+        <rasd:ElementName>@@NUM_CPUS@@ virtual CPU(s)</rasd:ElementName>
+        <rasd:InstanceID>1</rasd:InstanceID>
+        <rasd:ResourceType>3</rasd:ResourceType>
+        <rasd:VirtualQuantity>@@NUM_CPUS@@</rasd:VirtualQuantity>
+      </Item>
+      <Item>
+        <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
+        <rasd:Description>Memory Size</rasd:Description>
+        <rasd:ElementName>@@MEM_SIZE@@MB of memory</rasd:ElementName>
+        <rasd:InstanceID>2</rasd:InstanceID>
+        <rasd:ResourceType>4</rasd:ResourceType>
+        <rasd:VirtualQuantity>@@MEM_SIZE@@</rasd:VirtualQuantity>
+      </Item>
+      <Item>
+        <rasd:Address>0</rasd:Address>
+        <rasd:Description>SCSI Controller</rasd:Description>
+        <rasd:ElementName>scsiController0</rasd:ElementName>
+        <rasd:InstanceID>3</rasd:InstanceID>
+        <rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
+        <rasd:ResourceType>6</rasd:ResourceType>
+      </Item>
+      <Item>
+        <rasd:Address>1</rasd:Address>
+        <rasd:Description>IDE Controller</rasd:Description>
+        <rasd:ElementName>ideController1</rasd:ElementName>
+        <rasd:InstanceID>4</rasd:InstanceID>
+        <rasd:ResourceType>5</rasd:ResourceType>
+      </Item>
+      <Item ovf:required="false">
+        <rasd:AddressOnParent>0</rasd:AddressOnParent>
+        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
+        <rasd:ElementName>cdrom0</rasd:ElementName>
+        <rasd:InstanceID>5</rasd:InstanceID>
+        <rasd:Parent>4</rasd:Parent>
+        <rasd:ResourceType>15</rasd:ResourceType>
+      </Item>
+      <Item>
+        <rasd:AddressOnParent>0</rasd:AddressOnParent>
+        <rasd:ElementName>disk0</rasd:ElementName>
+        <rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource>
+        <rasd:InstanceID>6</rasd:InstanceID>
+        <rasd:Parent>3</rasd:Parent>
+        <rasd:ResourceType>17</rasd:ResourceType>
+      </Item>
+      <Item>
+        <rasd:AddressOnParent>2</rasd:AddressOnParent>
+        <rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
+        <rasd:Connection>VM Network</rasd:Connection>
+        <rasd:Description>E1000 ethernet adapter on &quot;VM Network&quot;</rasd:Description>
+        <rasd:ElementName>ethernet0</rasd:ElementName>
+        <rasd:InstanceID>7</rasd:InstanceID>
+        <rasd:ResourceSubType>E1000</rasd:ResourceSubType>
+        <rasd:ResourceType>10</rasd:ResourceType>
+        <vmw:Config ovf:required="false" vmw:key="wakeOnLanEnabled" vmw:value="false"/>
+      </Item>
+      <Item ovf:required="false">
+        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
+        <rasd:ElementName>video</rasd:ElementName>
+        <rasd:InstanceID>8</rasd:InstanceID>
+        <rasd:ResourceType>24</rasd:ResourceType>
+      </Item>
+      <Item ovf:required="false">
+        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
+        <rasd:ElementName>vmci</rasd:ElementName>
+        <rasd:InstanceID>9</rasd:InstanceID>
+        <rasd:ResourceSubType>vmware.vmci</rasd:ResourceSubType>
+        <rasd:ResourceType>1</rasd:ResourceType>
+      </Item>
+      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.powerOffType" vmw:value="soft"/>
+      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.resetType" vmw:value="soft"/>
+      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.suspendType" vmw:value="soft"/>
+      <vmw:Config ovf:required="false" vmw:key="tools.syncTimeWithHost" vmw:value="true"/>
+      <vmw:Config ovf:required="false" vmw:key="tools.toolsUpgradePolicy" vmw:value="upgradeAtPowerCycle"/>
+    </VirtualHardwareSection>
+  </VirtualSystem>
+</Envelope>