New version: stable-4459.2.4

Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>

.github/workflows/ci.yaml

@@ -34,7 +34,11 @@ permissions:
 jobs:
   packages:
     name: "Build Flatcar packages"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
+      - self-hosted
+      - ubuntu
+      - build
+      - amd64
     strategy:
       fail-fast: false
       matrix:
@@ -177,7 +181,7 @@ jobs:
           ./run_sdk_container -n "${container_name}" \
                   ./build_image --board="${arch}-usr" --group="${channel}" \
                                 --output_root="${CI_CONTAINER_ARTIFACT_ROOT}" \
-                                prodtar container sysext oem_sysext
+                                prodtar container sysext
 
       - name: Build VM image(s)
         shell: bash

.github/workflows/portage-stable-packages-list

@@ -3,8 +3,6 @@
 acct-group/adm
 acct-group/audio
 acct-group/cdrom
-acct-group/clock
-acct-group/cuse
 acct-group/dialout
 acct-group/disk
 acct-group/dnsmasq
@@ -13,7 +11,6 @@ acct-group/floppy
 acct-group/incus
 acct-group/incus-admin
 acct-group/input
-acct-group/jobserver
 acct-group/kmem
 acct-group/kvm
 acct-group/lp
@@ -32,7 +29,6 @@ acct-group/portage
 acct-group/render
 acct-group/root
 acct-group/sgx
-acct-group/shadow
 acct-group/sshd
 acct-group/systemd-coredump
 acct-group/systemd-journal
@@ -83,7 +79,6 @@ app-alternatives/awk
 app-alternatives/bc
 app-alternatives/bzip2
 app-alternatives/cpio
-app-alternatives/gpg
 app-alternatives/gzip
 app-alternatives/lex
 app-alternatives/ninja
@@ -154,7 +149,6 @@ app-editors/nano
 app-editors/vim
 app-editors/vim-core
 
-app-emulation/open-vmdk
 app-emulation/qemu
 app-emulation/qemu-guest-agent
 app-emulation/virt-firmware
@@ -184,11 +178,9 @@ app-shells/gentoo-bashcomp
 app-text/asciidoc
 app-text/build-docbook-catalog
 app-text/docbook-xml-dtd
-app-text/docbook-xsl-ns-stylesheets
 app-text/docbook-xsl-stylesheets
 app-text/mandoc
 app-text/manpager
-app-text/scdoc
 app-text/sgml-common
 app-text/xmlto
 
@@ -215,7 +207,6 @@ dev-cpp/gflags
 dev-cpp/glog
 dev-cpp/gtest
 
-dev-db/etcd
 dev-db/sqlite
 
 dev-debug/gdb
@@ -252,7 +243,6 @@ dev-libs/gmp
 dev-libs/gobject-introspection-common
 dev-libs/inih
 dev-libs/jansson
-dev-libs/jose
 dev-libs/json-c
 dev-libs/jsoncpp
 dev-libs/libaio
@@ -296,15 +286,12 @@ dev-libs/openssl
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/raft
-dev-libs/rapidjson
 dev-libs/tree-sitter
 dev-libs/tree-sitter-bash
 dev-libs/userspace-rcu
 dev-libs/xmlsec
-dev-libs/xxhash
 dev-libs/yajl
 
-dev-perl/File-Slurper
 dev-perl/Parse-Yapp
 
 dev-python/backports-tarfile
@@ -324,13 +311,14 @@ dev-python/docutils
 dev-python/editables
 dev-python/ensurepip-pip
 dev-python/ensurepip-setuptools
+dev-python/ensurepip-wheels
 dev-python/fasteners
 dev-python/fastjsonschema
 dev-python/flit-core
 dev-python/gentoo-common
 dev-python/gpep517
-dev-python/hatch-vcs
 dev-python/hatchling
+dev-python/hatch-vcs
 dev-python/idna
 dev-python/installer
 dev-python/jaraco-collections
@@ -347,9 +335,11 @@ dev-python/markupsafe
 dev-python/mdurl
 dev-python/more-itertools
 dev-python/msgpack
+dev-python/olefile
 dev-python/packaging
 dev-python/pathspec
 dev-python/pefile
+dev-python/pillow
 dev-python/pip
 dev-python/platformdirs
 dev-python/pluggy
@@ -380,7 +370,6 @@ dev-python/wheel
 dev-util/bpftool
 dev-util/bsdiff
 dev-util/catalyst
-dev-util/debugedit
 dev-util/gdbus-codegen
 dev-util/glib-utils
 dev-util/gperf
@@ -393,7 +382,6 @@ dev-util/pkgcheck
 dev-util/pkgconf
 dev-util/re2c
 dev-util/xdelta
-dev-util/xxd
 
 dev-vcs/git
 
@@ -403,7 +391,6 @@ eclass/alternatives.eclass
 eclass/app-alternatives.eclass
 eclass/autotools.eclass
 eclass/bash-completion-r1.eclass
-eclass/branding.eclass
 eclass/cargo.eclass
 eclass/check-reqs.eclass
 eclass/cmake-multilib.eclass
@@ -516,8 +503,8 @@ licenses
 
 media-libs/libpng
 
-net-analyzer/netperf
 net-analyzer/openbsd-netcat
+net-analyzer/netperf
 net-analyzer/tcpdump
 net-analyzer/traceroute
 
@@ -525,6 +512,7 @@ net-dialup/lrzsz
 net-dialup/minicom
 
 net-dns/bind
+net-dns/bind-tools
 net-dns/c-ares
 net-dns/dnsmasq
 net-dns/libidn2
@@ -548,6 +536,7 @@ net-libs/libnetfilter_cttimeout
 net-libs/libnetfilter_queue
 net-libs/libnfnetlink
 net-libs/libnftnl
+net-libs/libnsl
 net-libs/libpcap
 net-libs/libpsl
 net-libs/libslirp
@@ -592,7 +581,6 @@ sys-apps/acl
 sys-apps/attr
 sys-apps/azure-vm-utils
 sys-apps/bubblewrap
-sys-apps/busybox
 sys-apps/checkpolicy
 sys-apps/config-site
 sys-apps/coreutils
@@ -636,14 +624,12 @@ sys-apps/sed
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
-sys-apps/systemd
 sys-apps/texinfo
 sys-apps/usbutils
 sys-apps/util-linux
 sys-apps/which
 sys-apps/zram-generator
 
-sys-auth/pambase
 sys-auth/polkit
 sys-auth/sssd
 
@@ -662,7 +648,6 @@ sys-devel/binutils
 sys-devel/binutils-config
 sys-devel/bison
 sys-devel/crossdev
-sys-devel/dwz
 sys-devel/flex
 sys-devel/gcc
 sys-devel/gcc-config
@@ -681,7 +666,6 @@ sys-fs/btrfs-progs
 sys-fs/cryptsetup
 sys-fs/dosfstools
 sys-fs/e2fsprogs
-sys-fs/erofs-utils
 sys-fs/fuse
 sys-fs/fuse-common
 sys-fs/fuse-overlayfs
@@ -707,6 +691,7 @@ sys-libs/cracklib
 sys-libs/efivar
 sys-libs/gdbm
 sys-libs/glibc
+sys-libs/ldb
 sys-libs/libcap
 sys-libs/libcap-ng
 sys-libs/libnvme
@@ -717,7 +702,6 @@ sys-libs/libunwind
 sys-libs/liburing
 sys-libs/libxcrypt
 sys-libs/ncurses
-sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb
@@ -750,10 +734,10 @@ virtual/openssh
 virtual/os-headers
 virtual/package-manager
 virtual/pager
-virtual/perl-Carp
+virtual/perl-Data-Dumper
 virtual/perl-Encode
-virtual/perl-Exporter
 virtual/perl-ExtUtils-MakeMaker
+virtual/perl-Unicode-Collate
 virtual/pkgconfig
 virtual/resolvconf
 virtual/service-manager

.github/workflows/pr-comment-build-dispatcher.yaml

@@ -13,7 +13,7 @@ concurrency:
 jobs:
   run_pre_checks:
     # Only run if this is a PR comment that contains a valid command
-    if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk')) }}
+    if: ${{ github.event.issue.pull_request }} && ( contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk'))
     name: Check if commenter is in the Flatcar maintainers team
     outputs:
       maintainers: steps.step1.output.maintainers

.github/workflows/run-kola-tests.yaml

@@ -17,11 +17,15 @@ on:
 jobs:
   tests:
     name: "Run Kola tests"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
+      - self-hosted
+      - ubuntu
+      - kola
+      - ${{ matrix.arch }}
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
+        arch: ["amd64", "arm64"]
 
     steps:
       - name: Prepare machine
@@ -30,7 +34,9 @@ jobs:
         run: |
           sudo rm /bin/sh
           sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3 zstd iproute2 iptables
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3 zstd
+          sudo systemctl stop dnsmasq
+          sudo systemctl mask dnsmasq
 
           # Set up MASQUERADE. Don't care much to secure it.
           # This is needed for the VMs kola spins up to have internet access.
@@ -180,7 +186,7 @@ jobs:
 
           source ci-automation/test.sh
 
-          PARALLEL_ARCH=5
+          PARALLEL_ARCH=10
 
           cat > sdk_container/.env <<EOF
           # export the QEMU_IMAGE_NAME to avoid to download it.
@@ -233,7 +239,10 @@ jobs:
     name: "Merge TAP reports and post results"
     needs: tests
     if: always() && !cancelled()
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
+      - self-hosted
+      - ubuntu
+      - kola
     permissions:
       pull-requests: write
 
@@ -244,7 +253,7 @@ jobs:
         run: |
           sudo rm /bin/sh
           sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
 
       - uses: actions/checkout@v4
         with:
@@ -276,6 +285,12 @@ jobs:
           name: amd64-raw-tapfiles
           path: scripts/__TAP__/amd64
 
+      - name: Download arm64 tapfiles
+        uses: actions/download-artifact@v4
+        with:
+          name: arm64-raw-tapfiles
+          path: scripts/__TAP__/arm64
+
       - name: Create Test Summary
         shell: bash
         run: |

CODE_OF_CONDUCT.md

@@ -1,9 +0,0 @@
-# Code of Conduct
-
-The Flatcar project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
-
-For details on how we uphold community standards across all Flatcar repositories, please see the [main Flatcar Code of Conduct](https://github.com/flatcar/Flatcar/blob/main/CODE_OF_CONDUCT.md).
-
-## Reporting
-
-If you experience or witness unacceptable behavior, please report it following the process outlined in the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

CONTRIBUTING.md

@@ -1,15 +1,71 @@
-Welcome! We're so glad you're here and interested in contributing to Flatcar! 💖
+# How to Contribute
 
-Whether you're fixing a bug, adding a feature, or improving docs — we appreciate you!
+CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
+GitHub pull requests.  This document outlines some of the conventions on
+development workflow, commit message formatting, contact points and other
+resources to make it easier to get your contribution accepted.
 
-For more detailed guidelines (finding issues, community meetings, PR lifecycle, commit message format, and more), check out the [main Flatcar CONTRIBUTING guide](https://github.com/flatcar/Flatcar/blob/main/CONTRIBUTING.md).
+# Certificate of Origin
 
-If you want to file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
+By contributing to this project you agree to the Developer Certificate of
+Origin (DCO). This document was created by the Linux Kernel community and is a
+simple statement that you, as a contributor, have the legal right to make the
+contribution. See the [DCO](DCO) file for details.
 
----
+# Email and Chat
 
-## Repository Specific Guidelines
+The project currently uses the general CoreOS email list and IRC channel:
+- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
+- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
 
-Any guidelines specific to this repository that are not covered in the main contribution guide will be listed here.
+Please avoid emailing maintainers found in the MAINTAINERS file directly. They
+are very busy and read the mailing lists.
 
-<!-- Add repo-specific guidelines below this line -->
+## Getting Started
+
+- Fork the repository on GitHub
+- Read the [README](README.md) for build and test instructions
+- Play with the project, submit bugs, submit patches!
+
+## Contribution Flow
+
+This is a rough outline of what a contributor's workflow looks like:
+
+- Create a topic branch from where you want to base your work (usually master).
+- Make commits of logical units.
+- Make sure your commit messages are in the proper format (see below).
+- Push your changes to a topic branch in your fork of the repository.
+- Make sure the tests pass, and add any new tests as appropriate.
+- Submit a pull request to the original repository.
+
+Thanks for your contributions!
+
+### Format of the Commit Message
+
+We follow a rough convention for commit messages that is designed to answer two
+questions: what changed and why. The subject line should feature the what and
+the body of the commit should describe the why.
+
+```
+scripts: add the test-cluster command
+
+this uses tmux to setup a test cluster that you can easily kill and
+start for debugging.
+
+Fixes #38
+```
+
+The format can be described more formally as follows:
+
+```
+<subsystem>: <what changed>
+<BLANK LINE>
+<why this change was made>
+<BLANK LINE>
+<footer>
+```
+
+The first line is the subject and should be no longer than 70 characters, the
+second line is always blank, and other lines should be wrapped at 80 characters.
+This allows the message to be easier to read on GitHub as well as in various
+git tools.

GOVERNANCE.md

@@ -1,11 +0,0 @@
-# Governance
-
-For details on the Flatcar project governance model, decision-making process, and roles, please see the [main Flatcar Governance document](https://github.com/flatcar/Flatcar/blob/main/governance.md).
-
----
-
-## Repository-Specific Governance
-
-Any governance details specific to this repository will be listed here.
-
-<!-- Add repo-specific governance notes below this line -->

MAINTAINERS.md

@@ -1,11 +1,9 @@
 # Maintainers
 
-For the current list of maintainers and their responsibilities, please see the [main Flatcar MAINTAINERS file](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
+* Kai Lüke @pothos
+* Gabriel Samfira @gabriel-samfira
+* Thilo Fromm @t-lo
 
----
+See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
 
-## Repository-Specific Maintainers
-
-Any maintainers specific to this repository will be listed here.
-
-<!-- Add repo-specific maintainers below this line -->
+The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).

README.md

@@ -1,20 +1,16 @@
+# Flatcar Container Linux SDK scripts
+
 <div style="text-align: center">
 
 [![Flatcar OS](https://img.shields.io/badge/Flatcar-Website-blue?logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAyNi4wLjMsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4wIiBpZD0ia2F0bWFuXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4Ig0KCSB2aWV3Qm94PSIwIDAgODAwIDYwMCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgODAwIDYwMDsiIHhtbDpzcGFjZT0icHJlc2VydmUiPg0KPHN0eWxlIHR5cGU9InRleHQvY3NzIj4NCgkuc3Qwe2ZpbGw6IzA5QkFDODt9DQo8L3N0eWxlPg0KPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ0MCwxODIuOGgtMTUuOXYxNS45SDQ0MFYxODIuOHoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik00MDAuNSwzMTcuOWgtMzEuOXYxNS45aDMxLjlWMzE3Ljl6Ii8+DQo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNNTQzLjgsMzE3LjlINTEydjE1LjloMzEuOVYzMTcuOXoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik02NTUuMiw0MjAuOXYtOTUuNGgtMTUuOXY5NS40aC0xNS45VjI2MmgtMzEuOVYxMzQuOEgyMDkuNFYyNjJoLTMxLjl2MTU5aC0xNS45di05NS40aC0xNnY5NS40aC0xNS45djMxLjINCgloMzEuOXYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44SDI3M3YtMTUuOGgyNTQuOHYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44aDQ3Ljh2LTE1LjhoMzEuOXYtMzEuMkg2NTUuMnogTTQ4Ny44LDE1MWg3OS42djMxLjgNCgloLTIzLjZ2NjMuNkg1MTJ2LTYzLjZoLTI0LjJMNDg3LjgsMTUxTDQ4Ny44LDE1MXogTTIzMywyMTQuNlYxNTFoNjMuN3YyMy41aC0zMS45djE1LjhoMzEuOXYyNC4yaC0zMS45djMxLjhIMjMzVjIxNC42eiBNMzA1LDMxNy45DQoJdjE1LjhoLTQ3Ljh2MzEuOEgzMDV2NDcuN2gtOTUuNVYyODYuMUgzMDVMMzA1LDMxNy45eiBNMzEyLjYsMjQ2LjRWMTUxaDMxLjl2NjMuNmgzMS45djMxLjhMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjR6DQoJIE00NDguMywzMTcuOXY5NS40aC00Ny44di00Ny43aC0zMS45djQ3LjdoLTQ3LjhWMzAyaDE1Ljl2LTE1LjhoOTUuNVYzMDJoMTUuOUw0NDguMywzMTcuOXogTTQ0MCwyNDYuNHYtMzEuOGgtMTUuOXYzMS44aC0zMS45DQoJdi03OS41aDE1Ljl2LTE1LjhoNDcuOHYxNS44aDE1Ljl2NzkuNUg0NDB6IE01OTEuNiwzMTcuOXY0Ny43aC0xNS45djE1LjhoMTUuOXYzMS44aC00Ny44di0zMS43SDUyOHYtMTUuOGgtMTUuOXY0Ny43aC00Ny44VjI4Ni4xDQoJaDEyNy4zVjMxNy45eiIvPg0KPC9zdmc+DQo=)](https://www.flatcar.org/)
-[![Discord](https://img.shields.io/badge/Discord-Chat%20with%20us!-5865F2?logo=discord)](https://discord.gg/PMYjFUsJyq)
 [![Matrix](https://img.shields.io/badge/Matrix-Chat%20with%20us!-green?logo=matrix)](https://app.element.io/#/room/#flatcar:matrix.org)
 [![Slack](https://img.shields.io/badge/Slack-Chat%20with%20us!-4A154B?logo=slack)](https://kubernetes.slack.com/archives/C03GQ8B5XNJ)
 [![Twitter Follow](https://img.shields.io/twitter/follow/flatcar?style=social)](https://x.com/flatcar)
 [![Mastodon Follow](https://img.shields.io/badge/Mastodon-Follow-6364FF?logo=mastodon)](https://hachyderm.io/@flatcar)
 [![Bluesky](https://img.shields.io/badge/Bluesky-Follow-0285FF?logo=bluesky)](https://bsky.app/profile/flatcar.org)
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10926/badge)](https://www.bestpractices.dev/projects/10926)
 
-
-> **Note:** To file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
 </div>
 
-# Flatcar Container Linux SDK scripts
-
 Welcome to the scripts repo, your starting place for most things here in the Flatcar Container Linux SDK. To get started you can find our documentation on [the Flatcar docs website][flatcar-docs].
 
 The SDK can be used to
@@ -155,13 +151,3 @@ The script `./bootstrap_sdk_container` bootstraps a new SDK tarball using an exi
 # Automation stubs for continuous integration
 
 Script stubs for various build stages can be found in the [ci-automation](ci-automation) folder. These are helpful for gluing Flatcar Container Linux builds to a continuous integration system.
-
----
-
-## Community & Project Documentation
-
-- [Contributing Guidelines](CONTRIBUTING.md) — How to contribute, find issues, and submit pull requests
-- [Code of Conduct](CODE_OF_CONDUCT.md) — Standards for respectful and inclusive community participation
-- [Security Policy](SECURITY.md) — How to report vulnerabilities and security-related information
-- [Maintainers](MAINTAINERS.md) — Current project maintainers and their responsibilities
-- [Governance](GOVERNANCE.md) — Project governance model, decision-making process, and roles

SECURITY.md

@@ -1,15 +0,0 @@
-# Security Policy
-
-The Flatcar project takes security seriously. We appreciate your efforts to responsibly disclose your findings.
-
-For our full security policy, supported versions, and how to report a vulnerability, please see the [main Flatcar Security Policy](https://github.com/flatcar/Flatcar/blob/main/SECURITY.md).
-
-**Please do not open public issues for security vulnerabilities.**
-
----
-
-## Repository-Specific Security Notes
-
-Any security considerations specific to this repository will be listed here.
-
-<!-- Add repo-specific security notes below this line -->

build_image

@@ -49,8 +49,6 @@ DEFINE_string developer_data "" \
   "Insert a custom cloudinit file into the image."
 DEFINE_string devcontainer_binhost "${DEFAULT_DEVCONTAINER_BINHOST}" \
   "Override portage binhost configuration used in development container."
-DEFINE_string oem_sysexts "everything!" \
-  "A comma-separated list of OEMs to build, by default build all the OEM sysexts. Used only if building OEM sysexts"
 
 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
@@ -62,12 +60,10 @@ different forms.  This scripts can be used to build the following:
 prod - Production image for CoreOS. This image is for booting (default if no argument is given).
 prodtar - Production container tar ball (implies prod). This can e.g. be used to run the Flatcar production image as a container (run machinectl import-tar or docker import).
 container - Developer image with single filesystem, bootable by nspawn.
-sysext - Build extra sysexts (podman, python, zfs, etc.).
-oem_sysext - Build OEM sysexts for all supported platforms.
 
 Examples:
 
-build_image --board=<board> [prod] [prodtar] [container] [sysext] [oem_sysext] - builds developer and production images/tars.
+build_image --board=<board> [prod] [prodtar] [container] - builds developer and production images/tars.
 ...
 "
 show_help_if_requested "$@"
@@ -85,7 +81,7 @@ DEFINE_string version "" \
 # Parse command line.
 FLAGS "$@" || exit 1
 
-eval set -- "${FLAGS_ARGV:-prod oem_sysext}"
+eval set -- "${FLAGS_ARGV:-prod}"
 
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'switch_to_strict_mode' is specified before now.
@@ -107,20 +103,17 @@ fi
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/vm_image_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 
 PROD_IMAGE=0
 PROD_TAR=0
 CONTAINER=0
 SYSEXT=0
-OEM_SYSEXT=0
 for arg in "$@"; do
   case "${arg}" in
     prod) PROD_IMAGE=1 ;;
     prodtar) PROD_IMAGE=1 PROD_TAR=1 ;;
     container) CONTAINER=1 ;;
     sysext) SYSEXT=1 ;;
-    oem_sysext) OEM_SYSEXT=1 ;;
     *)    die_notrace "Unknown image type ${arg}" ;;
   esac
 done
@@ -194,9 +187,6 @@ fi
 if [[ "${SYSEXT}" -eq 1 ]]; then
   create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
 fi
-if [[ "${OEM_SYSEXT}" -eq 1 ]]; then
-  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_oem_sysexts}"
-fi
 
 if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
   zip_update_tools

build_library/build_image_util.sh

@@ -150,14 +150,9 @@ emerge_to_image() {
   fi
 
   sudo -E ROOT="${root_fs_dir}" \
-      FEATURES="-ebuild-locks -merge-wait" \
+      FEATURES="-ebuild-locks" \
       PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
-      emerge \
-      --usepkgonly \
-      --binpkg-respect-use=y \
-      --jobs="${NUM_JOBS}" \
-      --verbose \
-      "$@"
+      emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
 
   # Shortcut if this was just baselayout
   [[ "$*" == *sys-apps/baselayout ]] && return
@@ -171,6 +166,26 @@ emerge_to_image() {
       test_image_content "${root_fs_dir}"
 }
 
+# emerge_to_image without a rootfs check; you should use emerge_to_image unless
+# here's a good reason not to.
+emerge_to_image_unchecked() {
+  local root_fs_dir="$1"; shift
+
+  if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
+    set -- --getbinpkg "$@"
+  fi
+
+  sudo -E ROOT="${root_fs_dir}" \
+      PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
+      emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
+
+  # Shortcut if this was just baselayout
+  [[ "$*" == *sys-apps/baselayout ]] && return
+
+  # Make sure profile.env has been generated
+  sudo -E ROOT="${root_fs_dir}" env-update --no-ldconfig
+}
+
 # Switch to the dev or prod sub-profile
 set_image_profile() {
   local suffix="$1"
@@ -289,12 +304,13 @@ get_metadata() {
     if [ "${key}" = "SRC_URI" ]; then
         local package_name="$(echo "${pkg%%:*}" | cut -d / -f 2)"
         local ebuild_path="${prefix}/var/db/pkg/${pkg%%:*}/${package_name}.ebuild"
+        # SRC_URI is empty for the special github.com/flatcar projects
         if [ -z "${val}" ]; then
             # The grep invocation gives errors when the ebuild file is not present.
             # This can happen when the binary packages from ./build_packages are outdated.
             val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
             if [ -n "${val}" ]; then
-                # If using git, then the package was probably pinned to a commit.
+                # All github.com/flatcar projects specify their commit
                 local commit=""
                 commit="$(grep "EGIT_COMMIT=" "${ebuild_path}" | cut -d '"' -f 2)"
                 if [ -n "${commit}" ]; then
@@ -307,6 +323,10 @@ get_metadata() {
             # Do not attempt to postprocess by resolving ${P} and friends because it does not affect production images
             val="$(cat "${ebuild_path}" | tr '\n' ' ' | grep -P -o 'SRC_URI=".*?"' | cut -d '"' -f 2)"
         fi
+        # Some packages use nothing from the above but EGIT_REPO_URI (currently only app-crypt/go-tspi)
+        if [ -z "${val}" ]; then
+            val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
+        fi
         # Replace all mirror://MIRRORNAME/ parts with the actual URL prefix of the mirror
         new_val=""
         for v in ${val}; do
@@ -562,8 +582,6 @@ finish_image() {
   local image_initrd_contents="${11}"
   local image_initrd_contents_wtd="${12}"
   local image_disk_space_usage="${13}"
-  local image_realinitrd_contents="${14}"
-  local image_realinitrd_contents_wtd="${15}"
 
   local install_grub=0
   local disk_img="${BUILD_DIR}/${image_name}"
@@ -708,17 +726,6 @@ EOF
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 
-  # Temporary hack: set group ownership of /etc/{g,}shadow to the
-  # shadow group, that way unix_chkpwd, chage and expiry can act on
-  # those files.
-  #
-  # This permissions setting should likely be done in some ebuild, but
-  # currently files in /usr/share/baselayout are installed by the
-  # baselayout package, we don't want to add more deps to it.
-  sudo chgrp \
-      --reference="${root_fs_dir}/usr/bin/chage" \
-      "${root_fs_dir}"/{etc,usr/share/baselayout}/{g,}shadow
-
   # Backup the /etc contents to /usr/share/flatcar/etc to serve as
   # source for creating missing files. Make sure that the preexisting
   # /usr/share/flatcar/etc does not have any meaningful (non-empty)
@@ -728,35 +735,12 @@ EOF
   if [[ $(sudo find "${root_fs_dir}/usr/share/flatcar/etc" -size +0 ! -type d 2>/dev/null | wc -l) -gt 0 ]]; then
     die "Unexpected non-empty files in ${root_fs_dir}/usr/share/flatcar/etc"
   fi
-  # Some backwards-compat symlinks still use this folder as target,
-  # we can't remove it yet
   sudo rm -rf "${root_fs_dir}/usr/share/flatcar/etc"
   sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/share/flatcar/etc"
-  # Now set up a default confext and enable it.
-  # It's important to use dm-verity not only for stricter image policies
-  # but also because it allows us the refresh to identify this image and
-  # skip setting it up again in the final boot, which not only saves us
-  # a daemon-reload during boot but also from /etc contents shortly
-  # disappearing until systemd-sysext uses mount beneath for an atomic
-  # remount. Instead of a temporary directory we first prepare it as
-  # folder and then convert it to a DDI and remove the folder.
-  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
-  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
-  # Do a copy because we keep /etc for the flatcar (.tar) container and the developer container
-  sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc"
-  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/"
-  echo ID=_any | sudo tee "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/extension-release.00-flatcar-default" > /dev/null
-  sudo systemd-repart \
-    --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
-    --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
-    --make-ddi=confext \
-    --copy-source="${root_fs_dir}/usr/lib/confexts/00-flatcar-default" \
-    "${root_fs_dir}/usr/lib/confexts/00-flatcar-default.raw"
-  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
 
-  # Remove the rootfs state as it should be recreated through tmpfiles
-  # (and for /etc we use a confext) and may not be present on updating machines.
-  # This makes sure our tests cover the case of missing files in the
+  # Remove the rootfs state as it should be recreated through the
+  # tmpfiles and may not be present on updating machines. This
+  # makes sure our tests cover the case of missing files in the
   # rootfs and don't rely on the new image. Not done for the developer
   # container.
   if [[ -n "${image_kernel}" ]]; then
@@ -893,20 +877,6 @@ EOF
       rm -rf "${BUILD_DIR}/tmp_initrd_contents"
   fi
 
-  if [[ -n ${image_realinitrd_contents} || -n ${image_realinitrd_contents_wtd} ]]; then
-        mkdir -p "${BUILD_DIR}/tmp_initrd_contents"
-        sudo mount "${root_fs_dir}/usr/lib/flatcar/bootengine.img" "${BUILD_DIR}/tmp_initrd_contents"
-        if [[ -n ${image_realinitrd_contents} ]]; then
-            write_contents "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents}"
-        fi
-
-        if [[ -n ${image_realinitrd_contents_wtd} ]]; then
-            write_contents_with_technical_details "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents_wtd}"
-        fi
-        sudo umount "${BUILD_DIR}/tmp_initrd_contents"
-        rm -rf "${BUILD_DIR}/tmp_initrd_contents"
-    fi
-
   if [[ -n "${image_disk_space_usage}" ]]; then
       write_disk_space_usage "${root_fs_dir}" "${BUILD_DIR}/${image_disk_space_usage}"
   fi

build_library/catalyst.sh

@@ -80,8 +80,7 @@ export ac_cv_posix_semaphores_enabled=yes
 EOF
 }
 
-# Common values for all stage spec files. Takes a stage number and,
-# optionally, a profile name as parameters.
+# Common values for all stage spec files
 catalyst_stage_default() {
 cat <<EOF
 target: stage$1
@@ -90,7 +89,7 @@ rel_type: $TYPE
 portage_confdir: $TEMPDIR/portage
 repos: $FLAGS_coreos_overlay
 keep_repos: portage-stable coreos-overlay
-profile: ${2:-$FLAGS_profile}
+profile: $FLAGS_profile
 snapshot_treeish: $FLAGS_version
 version_stamp: $FLAGS_version
 cflags: -O2 -pipe
@@ -108,7 +107,7 @@ pkgcache_path: ${TEMPDIR}/stage1-${ARCH}-packages
 update_seed: yes
 update_seed_command: --exclude cross-*-cros-linux-gnu/* --exclude dev-lang/rust --exclude dev-lang/rust-bin --ignore-world y --ignore-built-slot-operator-deps y @changed-subslot
 EOF
-catalyst_stage_default 1 "${FLAGS_profile}/transition"
+catalyst_stage_default 1
 }
 
 catalyst_stage3() {

build_library/catalyst_toolchains.sh

@@ -28,37 +28,13 @@ build_target_toolchain() {
     local ROOT="/build/${board}"
     local SYSROOT="/usr/$(get_board_chost "${board}")"
 
-    function btt_emerge() {
-        # --root is required because run_merge overrides ROOT=
-        PORTAGE_CONFIGROOT="$ROOT" run_merge --root="$ROOT" --sysroot="$ROOT" "${@}"
-    }
+    mkdir -p "${ROOT}/usr"
+    cp -at "${ROOT}" "${SYSROOT}"/lib*
+    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include "${SYSROOT}"/usr/lib*
 
-    # install baselayout first so we have the basic directory
-    # structure for libraries and binaries copied from sysroot
-    btt_emerge --oneshot --nodeps sys-apps/baselayout
-
-    # copy libraries, binaries and header files from sysroot to root -
-    # sysroot may be using split-usr, whereas root does not, so take
-    # this into account
-    (
-        shopt -s nullglob
-        local d f
-        local -a files
-        for d in "${SYSROOT}"/{,usr/}{bin,sbin,lib*}; do
-            if [[ ! -d ${d} ]]; then
-                continue
-            fi
-            files=( "${d}"/* )
-            if [[ ${#files[@]} -gt 0 ]]; then
-                f=${d##*/}
-                cp -at "${ROOT}/usr/${f}" "${files[@]}"
-            fi
-        done
-        cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include
-    )
-
-    btt_emerge --update "${TOOLCHAIN_PKGS[@]}"
-    unset -f btt_emerge
+    # --root is required because run_merge overrides ROOT=
+    PORTAGE_CONFIGROOT="$ROOT" \
+        run_merge -u --root="$ROOT" --sysroot="$ROOT" "${TOOLCHAIN_PKGS[@]}"
 }
 
 configure_crossdev_overlay / /usr/local/portage/crossdev

build_library/disk_layout.json

@@ -13,7 +13,7 @@
         "label":"EFI-SYSTEM",
         "fs_label":"EFI-SYSTEM",
         "type":"efi",
-        "blocks":"2097152",
+        "blocks":"262144",
         "fs_type":"vfat",
         "mount":"/boot",
         "features": []
@@ -27,8 +27,7 @@
         "label":"USR-A",
         "uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132",
         "type":"flatcar-rootfs",
-        "blocks":"4194304",
-        "extract_blocks":"2097152",
+        "blocks":"2097152",
         "fs_blocks":"260094",
         "fs_type":"btrfs",
         "fs_compression":"zstd",
@@ -39,8 +38,7 @@
         "label":"USR-B",
         "uuid":"e03dd35c-7c2d-4a47-b3fe-27f15780a57c",
         "type":"flatcar-rootfs",
-        "blocks":"4194304",
-        "extract_blocks":"2097152",
+        "blocks":"2097152",
         "fs_blocks":"262144"
       },
       "5":{
@@ -53,7 +51,7 @@
         "label":"OEM",
         "fs_label":"OEM",
         "type":"data",
-        "blocks":"2097152",
+        "blocks":"262144",
         "fs_type":"btrfs",
         "fs_compression":"zlib",
         "mount":"/oem"
@@ -72,7 +70,7 @@
         "label":"ROOT",
         "fs_label":"ROOT",
         "type":"flatcar-resize",
-        "blocks":"3653632",
+        "blocks":"4427776",
         "fs_type":"ext4",
         "mount":"/"
       }
@@ -88,7 +86,7 @@
       "9":{
         "label":"ROOT",
         "fs_label":"ROOT",
-        "blocks":"50876416"
+        "blocks":"58875904"
       }
     },
     "vagrant":{

build_library/disk_util

@@ -40,10 +40,10 @@ def LoadPartitionConfig(options):
       '_comment', 'type', 'num', 'label', 'blocks', 'block_size', 'fs_blocks',
       'fs_block_size', 'fs_type', 'features', 'uuid', 'part_alignment', 'mount',
       'binds', 'fs_subvolume', 'fs_bytes_per_inode', 'fs_inode_size', 'fs_label',
-      'fs_compression', 'extract_blocks'))
+      'fs_compression'))
   integer_layout_keys = set((
       'blocks', 'block_size', 'fs_blocks', 'fs_block_size', 'part_alignment',
-      'fs_bytes_per_inode', 'fs_inode_size', 'extract_blocks'))
+      'fs_bytes_per_inode', 'fs_inode_size'))
   required_layout_keys = set(('type', 'num', 'label', 'blocks'))
 
   filename = options.disk_layout_file
@@ -136,13 +136,6 @@ def LoadPartitionConfig(options):
       part.setdefault('fs_block_size', metadata['fs_block_size'])
       part.setdefault('fs_blocks', part['bytes'] // part['fs_block_size'])
       part['fs_bytes'] = part['fs_blocks'] * part['fs_block_size']
-      # The partition may specify extract_blocks to limit what content gets
-      # extracted. The use case is the /usr partition where we can grow the
-      # partition but can't directly grow the filesystem and the update
-      # payload until all (or most) nodes are running the partition layout
-      # with the grown /usr partition (which can take a few years).
-      if part.get('extract_blocks', None):
-        part['extract_bytes'] = part['extract_blocks'] * metadata['block_size']
 
       if part['fs_bytes'] > part['bytes']:
         raise InvalidLayout(
@@ -830,7 +823,6 @@ def Extract(options):
   if not part['image_compat']:
     raise InvalidLayout("Disk layout is incompatible with existing image")
 
-  extract_size = part.get('extract_bytes', part['image_bytes'])
   subprocess.check_call(['dd',
                          'bs=10MB',
                          'iflag=count_bytes,skip_bytes',
@@ -839,7 +831,7 @@ def Extract(options):
                          'if=%s' % options.disk_image,
                          'of=%s' % options.output,
                          'skip=%s' % part['image_first_byte'],
-                         'count=%s' % extract_size])
+                         'count=%s' % part['image_bytes']])
 
 
 def GetPartitionByNumber(partitions, num):

build_library/generate_au_zip.py

@@ -88,8 +88,8 @@ def _SplitAndStrip(data):
     if 'not found' in line:
       raise _LibNotFound(line)
     line = re.sub('.*not a dynamic executable.*', '', line)
-    line = re.sub(r'.* =>\s+', '', line)
-    line = re.sub(r'\(0x.*\)\s?', '', line)
+    line = re.sub('.* =>\s+', '', line)
+    line = re.sub('\(0x.*\)\s?', '', line)
     line = line.strip()
     if not len(line):
       continue

build_library/generate_grub_hashes.py

@@ -40,13 +40,13 @@ with open(os.path.join(outputdir, "grub_modules.config"), "w") as f:
     f.write(json.dumps({"9": {"binaryvalues": [{"prefix": "grub_module", "values": hashvalues}]}}))
 
 with open(os.path.join(outputdir, "kernel_cmdline.config"), "w") as f:
-    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": r"rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
+    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": "rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
 
-commands = [{"value": r'\[.*\]', "description": "Flatcar Grub configuration %s" % version},
+commands = [{"value": '\[.*\]', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'gptprio.next -d usr -u usr_uuid', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'insmod all_video', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set randomize_disk_guid --disk-uuid 00000000-0000-0000-0000-000000000001', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set oem --part-label OEM --hint hd0,gpt1', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'set .+', "description": "Flatcar Grub configuration %s" % version},

build_library/grub.cfg

@@ -79,7 +79,7 @@ if [ -z "$linux_console" ]; then
         terminal_output console serial_com0
     elif [ "$grub_platform" = efi ]; then
         if [ "$grub_cpu" = arm64 ]; then
-            set linux_console="console=ttyAMA0,115200n8 console=tty0"
+            set linux_console="console=ttyAMA0,115200n8"
         else
             set linux_console="console=ttyS0,115200n8 console=tty0"
        fi

build_library/grub_install.sh

@@ -37,9 +37,6 @@ switch_to_strict_mode
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
-SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
-SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
-
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
@@ -205,8 +202,8 @@ case "${FLAGS_target}" in
 
             # Unofficial build: Sign shim with our development key.
             sudo sbsign \
-                --key "${SBSIGN_DB_KEY}" \
-                --cert "${SBSIGN_DB_CERT}" \
+                --key /usr/share/sb_keys/DB.key \
+                --cert /usr/share/sb_keys/DB.crt \
                 --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
         else

build_library/oem_sysexts.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-# OEM sysext helpers.
-
-# Auto-detect scripts repo root from this file's location.
-# oem_sysexts.sh is at: <scripts_repo>/build_library/oem_sysexts.sh
-_OEM_SYSEXTS_SCRIPTS_ROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
-
-get_oem_overlay_root() {
-  local overlay_root="/mnt/host/source/src/third_party/coreos-overlay"
-
-  if [[ ! -d "${overlay_root}" ]]; then
-    overlay_root="${_OEM_SYSEXTS_SCRIPTS_ROOT}/sdk_container/src/third_party/coreos-overlay"
-  fi
-
-  if [[ ! -d "${overlay_root}" ]]; then
-    echo "No coreos-overlay repo found (tried SDK and ${_OEM_SYSEXTS_SCRIPTS_ROOT})" >&2
-    exit 1
-  fi
-
-  printf '%s' "${overlay_root}"
-}
-
-_get_oem_ids() {
-  local arch list_var_name
-  arch=${1}; shift
-  list_var_name=${1}; shift
-
-  local overlay_root
-  overlay_root=$(get_oem_overlay_root)
-
-  local -a ebuilds=("${overlay_root}/coreos-base/common-oem-files/common-oem-files-"*'.ebuild')
-  if [[ ${#ebuilds[@]} -eq 0 ]] || [[ ! -e ${ebuilds[0]} ]]; then
-    echo "No coreos-base/common-oem-files ebuilds?!" >&2
-    exit 1
-  fi
-
-  # This defines local COMMON_OEMIDS, AMD64_ONLY_OEMIDS,
-  # ARM64_ONLY_OEMIDS and OEMIDS variable. We don't use the last
-  # one. Also defines global-by-default EAPI, which we make local
-  # here to avoid making it global.
-  local EAPI
-  source "${ebuilds[0]}" flatcar-local-variables
-
-  local -n arch_oemids_ref="${arch^^}_ONLY_OEMIDS"
-  local all_oemids=(
-    "${COMMON_OEMIDS[@]}"
-    "${arch_oemids_ref[@]}"
-  )
-
-  mapfile -t "${list_var_name}" < <(printf '%s\n' "${all_oemids[@]}" | sort)
-}
-
-# Gets a list of OEMs that are using sysexts.
-#
-# 1 - arch
-# 2 - name of an array variable to store the result in
-get_oem_id_list() {
-  _get_oem_ids "$@"
-}
-
-# Gets a list of OEM sysext descriptors.
-#
-# 1 - arch
-# 2 - name of an array variable to store the result in
-#
-# Format: "name|metapackage|useflags"
-get_oem_sysext_matrix() {
-  local arch list_var_name
-  arch=${1}; shift
-  list_var_name=${1}; shift
-
-  local -a oem_ids
-  _get_oem_ids "${arch}" oem_ids
-
-  local -a matrix=()
-  local oem_id
-  for oem_id in "${oem_ids[@]}"; do
-    matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|${oem_id}")
-  done
-
-  local -n matrix_ref="${list_var_name}"
-  matrix_ref=("${matrix[@]}")
-}

build_library/prod_image_util.sh

@@ -3,8 +3,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-source "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
-
 # Lookup the current version of a binary package, downloading it if needed.
 # Usage: get_binary_pkg some-pkg/name
 # Prints: some-pkg/name-1.2.3
@@ -85,8 +83,6 @@ create_prod_image() {
   local image_initrd_contents="${image_name%.bin}_initrd_contents.txt"
   local image_initrd_contents_wtd="${image_name%.bin}_initrd_contents_wtd.txt"
   local image_disk_usage="${image_name%.bin}_disk_usage.txt"
-  local image_realinitrd_contents="${image_name%.bin}_realinitrd_contents.txt"
-  local image_realinitrd_contents_wtd="${image_name%.bin}_realinitrd_contents_wtd.txt"
   local image_sysext_base="${image_name%.bin}_sysext.squashfs"
 
   start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
@@ -160,22 +156,14 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
 
-  local -a bad_pam_files
-  mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
-  if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
-    error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
-    error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
-    error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
-    die "PAM config errors spotted"
-  fi
+  # Move the PAM configuration into /usr
+  sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
+  sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
+  sudo rmdir ${root_fs_dir}/etc/pam.d
 
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/
 
-  # Inject ephemeral sysext signing certificate
-  sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
-  sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
-
   # Finish image will move files from /etc to /usr/share/flatcar/etc.
   # Note that image filesystem contents generated by finish_image will not
   # include sysext contents (only the sysext squashfs files themselves).
@@ -192,9 +180,7 @@ EOF
       "${image_kconfig}" \
       "${image_initrd_contents}" \
       "${image_initrd_contents_wtd}" \
-      "${image_disk_usage}" \
-      "${image_realinitrd_contents}" \
-      "${image_realinitrd_contents_wtd}"
+      "${image_disk_usage}"
 
   # Official builds will sign and upload these files later, so remove them to
   # prevent them from being uploaded now.
@@ -275,65 +261,6 @@ create_prod_sysexts() {
   done
 }
 
-create_oem_sysexts() {
-  local image_name=${1}; shift
-  local requested_oem_sysexts_csv=${1}; shift
-  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
-  local overlay_path
-  overlay_path=$(portageq get_repo_path / coreos-overlay)
-
-  local -a oem_sysexts
-  get_oem_sysext_matrix "${ARCH}" oem_sysexts
-  if [[ ${requested_oem_sysexts_csv} != 'everything!' ]]; then
-      local -a all_oems requested_oems invalid_oems
-      all_oems=( "${oem_sysexts[@]}" )
-      all_oems=( "${all_oems[@]%%|*}" )
-      all_oems=( "${all_oems[@]#oem-}" )
-      mapfile -t requested_oems <<<"${requested_oem_sysexts_csv//,/$'\n'}"
-      mapfile -t invalid_oems < <(comm -23 <(printf '%s\n' "${requested_oems[@]}" | sort -u) <(printf '%s\n' "${all_oems[@]}" | sort -u))
-      if [[ ${#invalid_oems[@]} -gt 0 ]]; then
-          die "Requested OEMs to build sysexts for are invalid: ${invalid_oems[*]}, valid OEMs are ${all_oems[*]}"
-      fi
-      mapfile -t oem_sysexts < <(printf '%s\n' "${oem_sysexts[@]}" | grep '^oem-\('"${requested_oem_sysexts_csv//,/'\|'}"'\)|')
-  fi
-
-  local sysext name metapkg useflags
-  for sysext in "${oem_sysexts[@]}"; do
-    IFS="|" read -r name metapkg useflags <<< "${sysext}"
-
-    # Check for manglefs script in the package's files directory
-    local mangle_script="${overlay_path}/${metapkg}/files/manglefs.sh"
-    if [[ ! -x "${mangle_script}" ]]; then
-      mangle_script=
-    fi
-
-    sudo rm -f "${BUILD_DIR}/${name}.raw" \
-        "${BUILD_DIR}/flatcar_test_update-${name}.gz" \
-        "${BUILD_DIR}/${name}_"*
-
-    info "Building OEM sysext ${name} with USE=${useflags}"
-    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
-    # important - it sets the name of a rootfs directory, which is
-    # used to determine the package target in
-    # coreos/base/profile.bashrc
-    #
-    # OEM sysexts use no compression here since they will be stored
-    # in a compressed OEM partition.
-    USE="${useflags}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
-        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
-        --image_builddir="${BUILD_DIR}" \
-        --metapkgs="${metapkg}" \
-        --install_root_basename="${name}-oem-sysext-rootfs" \
-        --compression=none \
-        ${mangle_script:+--manglefs_script="${mangle_script}"} \
-        "${name}"
-    delta_generator \
-      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
-      -new_image "${BUILD_DIR}/${name}.raw" \
-      -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz"
-  done
-}
-
 sbsign_prod_image() {
   local image_name="$1"
   local disk_layout="$2"

build_library/sbsign_util.sh

@@ -3,17 +3,17 @@
 # found in the LICENSE file.
 
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
-    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
+    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
+    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
 else
-    SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
+    SBSIGN_KEY="pkcs11:token=flatcar-sb-dev-hsm-sign-2025"
     unset SBSIGN_CERT
 fi
 
 PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
 
 PKCS11_ENV=(
-    AZURE_KEYVAULT_URL="https://flatcar-hsm0001.vault.azure.net/"
+    AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
     PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
     AZURE_KEYVAULT_PKCS11_DEBUG=1
 )

build_library/set_lsb_release

@@ -25,38 +25,40 @@ ROOT_FS_DIR="$FLAGS_root"
 [ -n "$ROOT_FS_DIR" ] || die "--root is required."
 [ -d "$ROOT_FS_DIR" ] || die "Root FS does not exist? ($ROOT_FS_DIR)"
 
-# These variables are set in the base profile.
-eval $("portageq${FLAGS_board:+-}${FLAGS_board}" envvar -v BRANDING_OS_\*)
-BRANDING_OS_PRETTY_NAME="${BRANDING_OS_NAME} ${FLATCAR_VERSION}"
+OS_NAME="Flatcar Container Linux by Kinvolk"
+OS_CODENAME="Oklo"
+OS_ID="flatcar"
+OS_ID_LIKE="coreos"
+OS_PRETTY_NAME="$OS_NAME $FLATCAR_VERSION (${OS_CODENAME})"
 
 FLATCAR_APPID="{e96281a6-d1af-4bde-9a0a-97b76e56dc57}"
 
 # DISTRIB_* are the standard lsb-release names
 sudo mkdir -p "${ROOT_FS_DIR}/usr/share/flatcar" "${ROOT_FS_DIR}/etc/flatcar"
 sudo_clobber "${ROOT_FS_DIR}/usr/share/flatcar/lsb-release" <<EOF
-DISTRIB_ID="$BRANDING_OS_NAME"
+DISTRIB_ID="$OS_NAME"
 DISTRIB_RELEASE=$FLATCAR_VERSION
-DISTRIB_DESCRIPTION="$BRANDING_OS_PRETTY_NAME"
+DISTRIB_CODENAME="$OS_CODENAME"
+DISTRIB_DESCRIPTION="$OS_PRETTY_NAME"
 EOF
 sudo ln -sf "../usr/share/flatcar/lsb-release" "${ROOT_FS_DIR}/etc/lsb-release"
 
 # And the new standard, os-release
 # https://www.freedesktop.org/software/systemd/man/os-release.html
 sudo_clobber "${ROOT_FS_DIR}/usr/lib/os-release" <<EOF
-NAME="$BRANDING_OS_NAME"
-ID="$BRANDING_OS_ID"
-ID_LIKE="$BRANDING_OS_ID_LIKE"
-VERSION="$FLATCAR_VERSION"
-VERSION_ID="$FLATCAR_VERSION_ID"
-BUILD_ID="$FLATCAR_BUILD_ID"
-SYSEXT_LEVEL="1.0"
-PRETTY_NAME="$BRANDING_OS_PRETTY_NAME"
+NAME="$OS_NAME"
+ID=$OS_ID
+ID_LIKE=$OS_ID_LIKE
+VERSION=$FLATCAR_VERSION
+VERSION_ID=$FLATCAR_VERSION_ID
+BUILD_ID=$FLATCAR_BUILD_ID
+SYSEXT_LEVEL=1.0
+PRETTY_NAME="$OS_PRETTY_NAME"
 ANSI_COLOR="38;5;75"
-HOME_URL="$BRANDING_OS_HOME_URL"
-BUG_REPORT_URL="$BRANDING_OS_BUG_REPORT_URL"
-SUPPORT_URL="$BRANDING_OS_SUPPORT_URL"
+HOME_URL="https://flatcar.org/"
+BUG_REPORT_URL="https://issues.flatcar.org"
 FLATCAR_BOARD="$FLAGS_board"
-CPE_NAME="cpe:2.3:o:${BRANDING_OS_ID}-linux:${BRANDING_OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
+CPE_NAME="cpe:2.3:o:${OS_ID}-linux:${OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
 EOF
 sudo ln -sf "../usr/lib/os-release" "${ROOT_FS_DIR}/etc/os-release"
 sudo ln -sf "../../lib/os-release" "${ROOT_FS_DIR}/usr/share/flatcar/os-release"

build_library/sysext_mangle_containerd-flatcar

@@ -3,21 +3,17 @@
 set -euo pipefail
 rootfs="${1}"
 
-pushd "${rootfs}"
 
 # No manpages on Flatcar, no need to ship "stress" tool
-rm -rf ./usr/{bin/{containerd-stress,gen-manpages},lib/debug/}
+echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
+rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
 
-dir=$(dirname "${BASH_SOURCE[0]}")
-files_dir="${dir}/../sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
 # ATTENTION: don't preserve ownership as repo is owned by sdk user
-cp -vdR --preserve=mode,timestamps "${files_dir}/"* ./
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 
-install -D -m0644 /dev/stdin ./usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf <<EOF
-[Unit]
-Upholds=containerd.service
-EOF
-
-popd
+mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
+{ echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"

build_library/sysext_mangle_flatcar-incus

@@ -5,8 +5,6 @@ rootfs="${1}"
 
 pushd "${rootfs}"
 
-rm -rf ./usr/{lib/debug,lib64/pkgconfig,include}/
-
 pushd ./usr/lib/systemd/system
 mkdir -p "multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=incus.service"; } > "multi-user.target.d/10-incus.conf"
@@ -25,3 +23,4 @@ mkdir -p ./usr/lib/userdb/
 echo " " > ./usr/lib/userdb/core:incus-admin.membership
 
 popd
+

build_library/sysext_mangle_flatcar-overlaybd

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-rootfs="${1}"
-
-pushd "${rootfs}"
-
-rm -rf ./usr/lib/debug/
-
-pushd ./usr/lib/systemd/system
-mkdir -p "multi-user.target.d"
-{ echo "[Unit]"; echo "Upholds=overlaybd-tcmu.service overlaybd-snapshotter.service"; } > "multi-user.target.d/10-overlaybd.conf"
-popd
-
-popd

build_library/sysext_mangle_flatcar-podman

@@ -5,7 +5,7 @@ rootfs="${1}"
 
 pushd "${rootfs}"
 
-rm -rf ./usr/{lib/debug,lib64/cmake,lib64/pkgconfig,include,share/aclocal,share/fish}/
+rm -rf ./usr/{lib/debug/,lib64/cmake/,lib64/pkgconfig,include/,share/fish,share/aclocal,share/SLSA}
 
 mkdir -p ./usr/share/podman/etc
 cp -a ./etc/{fuse.conf,containers} ./usr/share/podman/etc/

build_library/sysext_prod_builder

@@ -63,15 +63,11 @@ create_prod_sysext() {
   # The --install_root_basename="${name}-base-sysext-rootfs" flag is
   # important - it sets the name of a rootfs directory, which is used
   # to determine the package target in coreos/base/profile.bashrc
-  #
-  # Built-in sysexts are stored in the compressed /usr partition, so we
-  # disable compression to avoid double-compression.
-  sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+  sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
             --board="${BOARD}" \
             --image_builddir="${workdir}/sysext-build" \
             --squashfs_base="${base_sysext}" \
             --generate_pkginfo \
-            --compression=none \
             --install_root_basename="${name}-base-sysext-rootfs" \
             "${build_sysext_opts[@]}" \
             "${name}" "${grp_pkg[@]}"
@@ -103,14 +99,6 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 
 function cleanup() {
-  IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
-  # skip the rootfs
-  mounted_sysexts=("${mounted_sysexts[@]:1}")
-
-  for sysext in "${mounted_sysexts[@]}"; do
-    sudo systemd-dissect --umount --rmdir "$sysext"
-  done
-
   sudo umount "${sysext_mountdir}"/* || true
   rm -rf "${sysext_workdir}" || true
 }
@@ -128,7 +116,6 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
-mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
   # format is "<name>:<group>/<package>"
   name="${sysext%|*}"
@@ -142,21 +129,12 @@ for sysext in ${sysexts_list//,/ }; do
                      "${grp_pkg}" \
                      "${prev_pkginfo}"
 
-  sudo systemd-dissect \
-    --read-only \
-    --mount \
-    --mkdir \
-    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
-    "${sysext_output_dir}/${name}.raw" \
-    "${sysext_mountdir}/${name}"
-
-  sudo systemd-dissect \
-    --read-only \
-    --mount \
-    --mkdir \
-    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
-    "${sysext_output_dir}/${name}_pkginfo.raw" \
-    "${sysext_mountdir}/${name}_pkginfo"
+  mkdir -p "${sysext_mountdir}/${name}" \
+           "${sysext_mountdir}/${name}_pkginfo"
+  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
+                                    "${sysext_mountdir}/${name}"
+  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
+                                    "${sysext_mountdir}/${name}_pkginfo"
 
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"

build_library/toolchain_util.sh

@@ -490,14 +490,10 @@ binutils_set_latest_profile() {
 # The extra flag can be blank, hardenednopie, and so on. See gcc-config -l
 # Usage: gcc_get_latest_profile chost [extra]
 gcc_get_latest_profile() {
-    local prefix=${1}
-    local suffix=${2+-${2}}
+    local prefix="${1}-"
+    local suffix="${2+-$2}"
     local status
-    NO_COLOR=1 gcc-config --list-profiles | \
-        sed -e 's/^\s*//' | \
-        cut -d' ' -f2 | \
-        grep "^${prefix}-[0-9\\.]*${suffix}$" | \
-        tail -n1
+    gcc-config -l | cut -d' ' -f3 | grep "^${prefix}[0-9\\.]*${suffix}$" | tail -n1
 
     # return 1 if anything in the above pipe failed
     for status in ${PIPESTATUS[@]}; do

build_library/vm_image_util.sh

@@ -225,11 +225,9 @@ IMG_ami_vmdk_DISK_FORMAT=vmdk_stream
 IMG_ami_vmdk_OEM_USE=ami
 IMG_ami_vmdk_OEM_PACKAGE=common-oem-files
 IMG_ami_vmdk_SYSEXT=oem-ami
-IMG_ami_vmdk_DISK_LAYOUT=vm
 IMG_ami_OEM_USE=ami
 IMG_ami_OEM_PACKAGE=common-oem-files
 IMG_ami_OEM_SYSEXT=oem-ami
-IMG_ami_DISK_LAYOUT=vm
 
 ## openstack
 IMG_openstack_DISK_FORMAT=qcow2
@@ -345,7 +343,6 @@ IMG_kubevirt_OEM_SYSEXT=oem-kubevirt
 IMG_kubevirt_DISK_EXTENSION=qcow2
 
 ## akamai (Linode)
-IMG_akamai_DISK_LAYOUT=vm
 IMG_akamai_OEM_PACKAGE=common-oem-files
 IMG_akamai_OEM_USE=akamai
 IMG_akamai_OEM_SYSEXT=oem-akamai
@@ -568,8 +565,7 @@ install_oem_package() {
     sudo rm -rf "${oem_tmp}"
 }
 
-# Install the prebuilt OEM sysext file into the OEM partition.
-# The sysext should have been built by 'build_image oem_sysext'.
+# Write the OEM sysext file into the OEM partition.
 install_oem_sysext() {
     local oem_sysext=$(_get_vm_opt OEM_SYSEXT)
 
@@ -577,24 +573,59 @@ install_oem_sysext() {
         return 0
     fi
 
-    local prebuilt_sysext_filename="${oem_sysext}.raw"
-    local prebuilt_sysext_path="${FLAGS_from}/${prebuilt_sysext_filename}"
+    local built_sysext_dir="${FLAGS_to}/${oem_sysext}-sysext"
+    local built_sysext_filename="${oem_sysext}.raw"
+    local built_sysext_path="${built_sysext_dir}/${built_sysext_filename}"
     local version="${FLATCAR_VERSION}"
-
-    if [[ ! -f "${prebuilt_sysext_path}" ]]; then
-        die "Prebuilt OEM sysext not found at ${prebuilt_sysext_path}. Run 'build_image oem_sysext' first."
+    local metapkg="coreos-base/${oem_sysext}"
+    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
+    # important - it sets the name of a rootfs directory, which is
+    # used to determine the package target in
+    # coreos/base/profile.bashrc
+    local build_sysext_flags=(
+        --board="${BOARD}"
+        --squashfs_base="${VM_SRC_SYSEXT_IMG}"
+        --image_builddir="${built_sysext_dir}"
+        --metapkgs="${metapkg}"
+        --install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs"
+    )
+    local overlay_path mangle_fs
+    overlay_path=$(portageq get_repo_path / coreos-overlay)
+    mangle_fs="${overlay_path}/${metapkg}/files/manglefs.sh"
+    if [[ -x "${mangle_fs}" ]]; then
+        build_sysext_flags+=(
+            --manglefs_script="${mangle_fs}"
+        )
     fi
 
+    mkdir -p "${built_sysext_dir}"
+    sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
+
     local installed_sysext_oem_dir='/oem/sysext'
     local installed_sysext_file_prefix="${oem_sysext}-${version}"
     local installed_sysext_filename="${installed_sysext_file_prefix}.raw"
     local installed_sysext_abspath="${installed_sysext_oem_dir}/${installed_sysext_filename}"
-
-    info "Installing ${oem_sysext} sysext from prebuilt image"
+    info "Installing ${oem_sysext} sysext"
     sudo install -Dpm 0644 \
-         "${prebuilt_sysext_path}" \
+         "${built_sysext_path}" \
          "${VM_TMP_ROOT}${installed_sysext_abspath}" ||
         die "Could not install ${oem_sysext} sysext"
+    # Move sysext image and reports to a destination directory to
+    # upload them, thus making them available as separate artifacts to
+    # download.
+    local upload_dir to_move
+    upload_dir="$(_dst_dir)"
+    for to_move in "${built_sysext_dir}/${oem_sysext}"*; do
+        mv "${to_move}" "${upload_dir}/${to_move##*/}"
+    done
+    # Generate dev-key-signed update payload for testing
+    delta_generator \
+      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
+      -new_image "${upload_dir}/${built_sysext_filename}" \
+      -out_file "${upload_dir}/flatcar_test_update-${oem_sysext}.gz"
+    # Remove sysext_dir if building sysext and installing it
+    # succeeded.
+    rm -rf "${built_sysext_dir}"
 
     # Mark the installed sysext as active.
     sudo touch "${VM_TMP_ROOT}${installed_sysext_oem_dir}/active-${oem_sysext}"
@@ -806,12 +837,12 @@ _write_qemu_common() {
     cat >"${VM_README}" <<EOF
 If you have qemu installed (or in the SDK), you can start the image with:
   cd path/to/image
-  ./$(basename "${script}") -display curses
+  ./$(basename "${script}") -curses
 
 If you need to use a different ssh key or different ssh port:
-  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -display curses
+  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -curses
 
-If you rather you can use the -nographic option instad of '-display curses'. In this
+If you rather you can use the -nographic option instad of -curses. In this
 mode you can switch from the vm to the qemu monitor console with: Ctrl-a c
 See the qemu man page for more details on the monitor console.
 
@@ -890,17 +921,11 @@ _write_qemu_uefi_secure_conf() {
     esac
 
     # TODO: Remove the temporary flatcar shim signing cert
-    local _sb_db_cert="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
-    local _sb_extra_db_certs=()
-    if [[ -z ${SBSIGN_DB_CERT:-} ]]; then
-        # Default behavior: include the temporary dev shim cert alongside DB.crt
-        _sb_extra_db_certs=( --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert" )
-    fi
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" "${_sb_db_cert}" \
-        "${_sb_extra_db_certs[@]}"
+        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
+        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
@@ -917,7 +942,7 @@ _write_pxe_conf() {
     cat >>"${VM_README}" <<EOF
 
 You can pass extra kernel parameters with -append, for example:
-  ./$(basename "${script}") -display curses -append 'sshkey="PUT AN SSH KEY HERE"'
+  ./$(basename "${script}") -curses -append 'sshkey="PUT AN SSH KEY HERE"'
 
 When using -nographic or -serial you must also enable the serial console:
   ./$(basename "${script}") -nographic -append 'console=ttyS0,115200n8'

build_packages

@@ -118,7 +118,6 @@ fi
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 
 # Setup all the emerge command/flags.
 EMERGE_FLAGS=( --update --deep --newuse --verbose --backtrack=30 --select )
@@ -267,20 +266,13 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
   # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
-  # systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
   # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
-  # sys-libs/pam[systemd] -> sys-apps/systemd[pam] -> sys-libs/pam
-  #   dropping USE=pam from sys-apps/systemd requires dropping
-  #   USE=systemd from sys-auth/pambase
-  # sys-auth/pambase[sssd] -> sys-auth/sssd -> sys-apps/shadow[pam] -> sys-auth/pambase
-  break_dep_loop sys-apps/util-linux cryptsetup,systemd,udev \
+  break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
                  sys-fs/cryptsetup udev \
-                 sys-fs/lvm2 systemd,udev \
-                 sys-apps/systemd cryptsetup,pam,tpm \
+                 sys-fs/lvm2 udev,systemd \
+                 sys-apps/systemd cryptsetup,tpm \
                  net-misc/curl http2 \
-                 net-libs/nghttp2 systemd \
-                 sys-libs/pam systemd \
-                 sys-auth/pambase sssd,systemd
+                 net-libs/nghttp2 systemd
 fi
 
 if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then
@@ -291,55 +283,50 @@ fi
 export KBUILD_BUILD_USER="${BUILD_USER:-build}"
 export KBUILD_BUILD_HOST="${BUILD_HOST:-pony-truck.infra.kinvolk.io}"
 
-# Build sysext packages from an array of sysext definitions.
-# Usage: build_sysext_packages "description" "${SYSEXT_ARRAY[@]}"
-# Array format: "name|packages|useflags|arches"
-build_sysext_packages() {
-  local description="$1"
-  shift
-  local sysexts=("$@")
-
-  info "Merging ${description} packages now"
-  for sysext in "${sysexts[@]}"; do
-    local sysext_name package_atoms useflags arches
-    IFS="|" read -r sysext_name package_atoms useflags arches <<< "$sysext"
-    [[ -z ${arches} || ,${arches}, == *,"${ARCH}",* ]] || continue
-
-    info "Building packages for $sysext_name sysext with USE=$useflags"
-    IFS=,
-    for package in $package_atoms; do
-       # --buildpkgonly does not install dependencies, so we install them
-       # separately before building the binary package
-       sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
-         env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
-         "${EMERGE_FLAGS[@]}" \
-         --quiet \
-         --onlydeps \
-         --binpkg-respect-use=y \
-         "${package}"
-
-       sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
-         env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
-         "${EMERGE_FLAGS[@]}" \
-         --quiet \
-         --buildpkgonly \
-         --binpkg-respect-use=y \
-         "${package}"
-    done
-    unset IFS
-  done
-}
-
 info "Merging board packages now"
 sudo -E "${EMERGE_CMD[@]}" "${EMERGE_FLAGS[@]}" "$@"
 
-build_sysext_packages "extra sysexts" "${EXTRA_SYSEXTS[@]}"
+info "Merging sysext packages now"
+for sysext in "${EXTRA_SYSEXTS[@]}"; do
+  IFS="|" read -r SYSEXT_NAME PACKAGE_ATOMS USEFLAGS ARCHES <<< "$sysext"
 
-declare -a oem_sysexts
-get_oem_sysext_matrix "${ARCH}" oem_sysexts
-if [[ ${#oem_sysexts[@]} -gt 0 ]]; then
-  build_sysext_packages "OEM sysexts" "${oem_sysexts[@]}"
-fi
+  arch_array=("${ARCHES//,/ }")
+  if [[ -n $ARCHES ]]; then
+    should_skip=1
+    for arch in "${arch_array[@]}"; do
+      if [[ $arch == "$ARCH" ]]; then
+        should_skip=0
+      fi
+    done
+    if [[ $should_skip -eq 1 ]]; then
+      continue
+    fi
+  fi
+
+
+  info "Building packages for $SYSEXT_NAME sysext with USE=$USEFLAGS"
+  IFS=,
+  for package in $PACKAGE_ATOMS; do
+     # --buildpkgonly does not install dependencies, so we install them
+     # separately before building the binary package
+     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
+       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
+       "${EMERGE_FLAGS[@]}" \
+       --quiet \
+       --onlydeps \
+       --binpkg-respect-use=y \
+       "${package}"
+
+     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
+       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
+       "${EMERGE_FLAGS[@]}" \
+       --quiet \
+       --buildpkgonly \
+       --binpkg-respect-use=y \
+       "${package}"
+  done
+  unset IFS
+done
 
 info "Removing obsolete packages"
 # The return value of emerge is not clearly reliable. It may fail with

build_sdk_container_image

@@ -137,7 +137,7 @@ else
     if [ -n "$cleanup" ] ; then
         echo "$docker image rm -f '${import_image}'" >> "$cleanup"
     fi
-    docker_build -t "$import_image" \
+    $docker build -t "$import_image" \
                  --build-arg VERSION="${docker_vernum}" \
                  -f sdk_lib/Dockerfile.sdk-import \
                  .
@@ -208,7 +208,7 @@ else
     if [ -n "$cleanup" ] ; then
         echo "$docker image rm -f '${sdk_build_image}'" >> "$cleanup"
     fi
-    docker_build -t "${sdk_build_image}" \
+    $docker build -t "${sdk_build_image}" \
                  --build-arg VERSION="${docker_vernum}" \
                  --build-arg BINHOST="http://${binhost}" \
                  --build-arg OFFICIAL="${official}" \
@@ -231,7 +231,7 @@ for a in all arm64 amd64; do
         arm64) rmarch="amd64-usr"; rmcross="x86_64-cros-linux-gnu";;
         amd64) rmarch="arm64-usr"; rmcross="aarch64-cros-linux-gnu";;
     esac
-    docker_build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
+    $docker build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
                  --build-arg VERSION="${docker_vernum}" \
                  --build-arg RMARCH="${rmarch}" \
                  --build-arg RMCROSS="${rmcross}" \

build_sysext

@@ -35,10 +35,10 @@ DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
   "Generate an additional squashfs '<sysext_name>_pkginfo.raw' with portage package meta-information (/var/db ...). Useful for creating sysext dependencies; see 'base_pkginfo' below."
 DEFINE_string base_pkginfo "" \
   "Colon-separated list of pkginfo squashfs paths / files generated via 'generate_pkginfo' to base this sysext on. The corresponding base sysexts are expected to be merged with the sysext generated."
-DEFINE_string compression "lz4hc" \
-  "Compression to use for sysext EROFS image. Options: 'lz4', 'lz4hc', 'zstd', or 'none'. Default is 'lz4hc'."
-DEFINE_string mkerofs_opts "" \
-  "Additional mkfs.erofs options to pass via SYSTEMD_REPART_MKFS_OPTIONS_EROFS. If not specified, defaults are used based on compression type."
+DEFINE_string compression "zstd" \
+  "Compression to use for sysext squashfs. One of 'gzip', 'lzo', 'lz4', 'xz', or 'zstd'. Must be supported by the Flatcar squashfs kernel module in order for the sysext to work."
+DEFINE_string mksquashfs_opts "" \
+  "Additional command line options to pass to mksquashfs. See 'man 1 mksquashfs'. If <compression> is 'zstd' (the default), this option defaults to '-Xcompression-level 22 -b 512K'. Otherwise the default is empty."
 DEFINE_boolean ignore_version_mismatch "${FLAGS_FALSE}" \
   "Ignore version mismatch between SDK board packages and base squashfs. DANGEROUS."
 DEFINE_string install_root_basename "${default_install_root_basename}" \
@@ -112,6 +112,10 @@ fi
 BUILD_DIR=$(realpath "${FLAGS_image_builddir}")
 mkdir -p "${BUILD_DIR}"
 
+if [[ "${FLAGS_compression}" = "zstd" && -z "${FLAGS_mksquashfs_opts}" ]] ; then
+    FLAGS_mksquashfs_opts="-Xcompression-level 22 -b 512k"
+fi
+
 source "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
@@ -216,7 +220,7 @@ if [[ ${#} -lt 1 ]]; then
    show_help_if_requested -h
 fi
 
-info "Building '${SYSEXTNAME}' sysext with (meta-)packages '${@}' in '${BUILD_DIR}' using '${FLAGS_compression}' compression".
+info "Building '${SYSEXTNAME}' squashfs with (meta-)packages '${@}' in '${BUILD_DIR}' using '${FLAGS_compression}' compression".
 
 for package; do
   echo "Installing package into sysext image: $package"
@@ -244,11 +248,11 @@ if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then
   mkdir -p "${BUILD_DIR}/img-pkginfo/var/db"
   cp -R "${BUILD_DIR}/${FLAGS_install_root_basename}/var/db/pkg" "${BUILD_DIR}/img-pkginfo/var/db/"
   mksquashfs "${BUILD_DIR}/img-pkginfo" "${BUILD_DIR}/${SYSEXTNAME}_pkginfo.raw" \
-              -noappend -xattrs-exclude '^btrfs.' -comp zstd -Xcompression-level 22 -b 512k
+              -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 fi
 
 info "Writing ${SYSEXTNAME}_packages.txt"
-ROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" PORTAGE_CONFIGROOT="/build/${FLAGS_board}" \
+ROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" PORTAGE_CONFIGROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" \
       equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
 
 
@@ -288,7 +292,6 @@ all_fields=(
   'ID=flatcar'
   "${version_field}"
   "ARCHITECTURE=${ARCH}"
-  "EXTENSION_RELOAD_MANAGER=1"
 )
 printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/${FLAGS_install_root_basename}/usr/lib/extension-release.d/extension-release.${SYSEXTNAME}"
 
@@ -301,44 +304,14 @@ if [[ -n "${invalid_files}" ]]; then
   die "Invalid file ownership: ${invalid_files}"
 fi
 
-# Set up EROFS compression options based on compression type
-if [[ "${FLAGS_compression}" != "none" ]]; then
-  export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="-z${FLAGS_compression}"
-
-  if [[ -n "${FLAGS_mkerofs_opts}" ]]; then
-    # User provided custom options
-    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS} ${FLAGS_mkerofs_opts}"
-  elif [[ "${FLAGS_compression}" = "lz4hc" ]]; then
-    # Default options for lz4hc
-    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},12 -C65536 -Efragments,ztailpacking"
-  elif [[ "${FLAGS_compression}" = "zstd" ]]; then
-    # Default options for zstd
-    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},level=22 -C524288 -Efragments,ztailpacking"
-  fi
-  info "Building sysext with ${FLAGS_compression} compression"
-else
-  info "Building sysext without compression (built-in sysexts)"
-fi
-
-systemd-repart \
-  --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
-  --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
-  --make-ddi=sysext \
-  --copy-source="${BUILD_DIR}/${FLAGS_install_root_basename}" \
-  "${BUILD_DIR}/${SYSEXTNAME}.raw"
-
+mksquashfs "${BUILD_DIR}/${FLAGS_install_root_basename}" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
+               -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,"${FLAGS_install_root_basename}",workdir}
 
 # Generate reports
 mkdir "${BUILD_DIR}/img-rootfs"
-systemd-dissect --read-only \
-  --mount \
-  --mkdir \
-  --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
-  "${BUILD_DIR}/${SYSEXTNAME}.raw" \
-  "${BUILD_DIR}/img-rootfs"
-
+mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
 write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
 write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
 write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
-systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs"
+umount "${BUILD_DIR}/img-rootfs"

changelog/bugfixes/2025-10-01-overlaybd-autostart.md

@@ -1 +0,0 @@
-- Configured the services in the overlaybd sysext to start automatically like the other sysexts. Note that the sysext must be enabled at boot time for this to happen, otherwise you need to call `systemd-tmpfiles --create` and `systemctl daemon-reload` first.

changelog/bugfixes/2025-10-28-initrd-module-warning.md

@@ -1 +0,0 @@
-- Fixed a kernel boot warning when loading an explicit list of kernel modules in the minimal first-stage initrd ([Flatcar#1934](https://github.com/flatcar/Flatcar/issues/1934))

changelog/bugfixes/2025-10-31-fix-input-xml.md

@@ -1 +0,0 @@
-- Alpha only: Fixed systemd-sysext payload handling for air-gapped/self-hosted updates which was a known bug for 4487.0.0 ([ue-rs#93](https://github.com/flatcar/ue-rs/pull/93))

changelog/bugfixes/2025-11-07-initrd-fusion-drivers.md

@@ -1 +0,0 @@
-- Alpha only: Added Fusion SCSI disk drivers back to the initrd after they got lost in the rework ([Flatcar#1924](https://github.com/flatcar/Flatcar/issues/1924))

changelog/bugfixes/2025-11-11-sysext-no-debug.md

@@ -1 +0,0 @@
-- Dropped debug symbols from containerd, incus, and overlaybd system extensions to reduce download size.

changelog/bugfixes/2025-11-12-sssd.md

@@ -1 +0,0 @@
-- Fixed SSSD startup failure by adding back LDB modules into the image, which got lost after a Samba update ([Flatcar#1919](https://github.com/flatcar/Flatcar/issues/1919))

changelog/bugfixes/2026-02-10-sssd.md

@@ -1 +0,0 @@
-- Enabled back PAM sssd support for LDAP authentication ([scripts#3696](https://github.com/flatcar/scripts/pull/3696))

changelog/bugfixes/2026-02-23-terminfo.md

@@ -1 +0,0 @@
-- Added full terminfo database to support modern terminals like foot and Alacritty.

changelog/bugfixes/2026-03-03-pxe-oem.md

@@ -1 +0,0 @@
-- Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. ([Flatcar#2023](https://github.com/flatcar/Flatcar/issues/2023))

changelog/bugfixes/2026-03-25-ignition-oem.md

@@ -1 +0,0 @@
-- Fixed loading Ignition config from the initrd with `ignition.config.url=oem:///myconf.ign`. This was broken since moving to the minimal initrd. ([scripts#3853](https://github.com/flatcar/scripts/pull/3853))

changelog/changes/2025-09-19-minimal-initrd.md

@@ -1 +0,0 @@
-- Reduced the kernel+initrd size on `/boot` by half. Flatcar now uses a minimal first stage initrd just to access the `/usr` partition and then switches to the full initrd that does the full system preparation as before. Since this means that the set of kernel modules available in the first initrd is reduced, please report any impact.

changelog/changes/2025-10-09-partition-sizes.md

@@ -1 +0,0 @@
-- Increased all partition sizes: `/boot` to 1 GB, the two `/usr` partitions to 2 GB, `/oem` to 1 GB so that we can use more space in a few years when we can assume that most nodes run the new partition layout - existing nodes can still update for the next years ([scripts#3027](https://github.com/flatcar/scripts/pull/3027))

changelog/changes/2025-10-13-custom-release-server.md

@@ -1 +0,0 @@
-- Added support for the kernel cmdline parameters `flatcar.release_file_server_url` and `flatcar.dev_file_server_url` to specify custom servers where Flatcar extensions should be downloaded on boot ([bootengine#112](https://github.com/flatcar/bootengine/pull/112))

changelog/changes/2025-10-30-kmod-build.md

@@ -1 +0,0 @@
-- The way that files for building custom kernel modules are installed has changed from a Ubuntu-inspired method to the standard upstream kernel method. In the unlikely event that this breaks your module builds, please let the Flatcar team know immediately.

changelog/changes/2025-11-03-azure-size.md

@@ -1 +0,0 @@
-- Alpha only: Reduced Azure image size again to 30 GB as before by shrinking the root partition to compensate for the growth of the other partitions ([scripts#3460](https://github.com/flatcar/scripts/pull/3460))

changelog/changes/2025-11-04-enable-amd-gpu-module.md

@@ -1 +0,0 @@
-- Build AMD GPU driver as module ([#3461](https://github.com/flatcar/scripts/pull/3461))

changelog/changes/2025-11-05-signed-os-dependent-sysexts.md

@@ -1 +0,0 @@
-- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar, podman, zfs, nvidia) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). OEM sysexts (e.g., oem-azure, oem-gce) are now also signed and built during the image phase to ensure consistent signing with the same ephemeral key. ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))

changelog/changes/2025-11-28-weekly-updates.md

@@ -1 +0,0 @@
-- `/etc/shadow`, `/etc/gshadow` are now owned by the `shadow` group, `/usr/bin/unix_chkpwd`, `/usr/bin/chage` and `/usr/bin/expiry` are now also owned by the `shadow` group with a sticky bit enabled.

changelog/changes/2025-12-01-netkit.md

@@ -1 +0,0 @@
-- Enabled netkit module ([scripts#3524](https://github.com/flatcar/scripts/pull/3524))

changelog/changes/2025-12-12-default-systemd-confext.md

@@ -1,2 +0,0 @@
-- Switched `/etc/` from a custom overlayfs for A/B updates to using a systemd-confext extension providing the default contents by using systemd-confext in the mutable mode where `/etc/` gets used as upperdir [scripts#3555](https://github.com/flatcar/scripts/pull/3555)
-- Moved systemd-sysext image mounting into the initrd, so that system extensions can better define the behavior of the final system at boot without workarounds to apply settings late at boot. This means `.wants` symlinks for systemd units work as expected now and, therefore, we dropped the `ensure-sysext.service` workaround. We still recommend extensions to keep their workarounds, e.g., using `.upholds` instead of `.wants`, to better support live reloading. A skipping logic prevents an extension refresh late at boot but only if no changes were found. For extensions that are not stored on a custom filesystem, such as a separate `/var` partition, the new extension mounting from the initrd won't be able to load them early but they will be picked up late at boot through the extension refresh. This is another case where it's good if extensions keep workarounds for late loading.

changelog/changes/2026-01-02-sshd-config.md

@@ -1 +0,0 @@
-- Dropped Ciphers, MACs, and KexAlgorithms from the sshd configuration so that the OpenSSH upstream defaults are used. This introduces post-quantum key exchange algorithms for better security. ([Flatcar#1921](https://github.com/flatcar/Flatcar/issues/1921)). Users requiring legacy Ciphers, MACs, and/or KexAlgos can override / re-enable this by deploying a custom drop-in config  to `/etc/ssh/sshd_config.d/`.

changelog/changes/2026-02-23-oklo-codename.md

@@ -1 +0,0 @@
-- Dropped the "Oklo" release codename as it was never updated in a meaningful way.

changelog/changes/2026-02-4-enable-tracer-on-arm.md

@@ -1 +0,0 @@
-- Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) ([flatcar/scripts#3685](https://github.com/flatcar/scripts/pull/3685))

changelog/changes/2026-03-25-erofs-tools.md

@@ -1 +0,0 @@
-- Add EROFS tools for containerd ([Flatcar#2047](https://github.com/flatcar/Flatcar/issues/2047))

changelog/changes/2026-04-15-ignition-oem.md

@@ -1 +0,0 @@
-- Reworked how the OEM partition is mounted at boot time so that Ignition no longer has to handle this by itself, thereby requiring less patching. This should not affect any existing usage, but it is a significant underlying change, so it needs to be called out. Please report any unexpected issues. ([flatcar/script#3934](https://github.com/flatcar/scripts/pull/3934))

changelog/changes/2026-04-28-enable-vnc-console-logs-on-arm.md

@@ -1 +0,0 @@
-- Enable VNC console serial logs on ARM64 QEMU/KVM instances ([flatcar/scripts#2359](https://github.com/flatcar/scripts/pull/2359))

changelog/security/2025-09-16-weekly-updates.md

@@ -1,4 +0,0 @@
-- libpcre2 ([CVE-2025-58050](https://www.cve.org/CVERecord?id=CVE-2025-58050))
-- libxml2 ([libxml2-20250908](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9))
-- libxslt ([CVE-2025-7424](https://www.cve.org/CVERecord?id=CVE-2025-7424), [CVE-2025-7425](https://www.cve.org/CVERecord?id=CVE-2025-7425))
-- net-tools ([CVE-2025-46836](https://www.cve.org/CVERecord?id=CVE-2025-46836))

changelog/security/2025-09-24-weekly-updates.md

@@ -1,3 +0,0 @@
-- binutils ([CVE-2025-5244](https://www.cve.org/CVERecord?id=CVE-2025-5244), [CVE-2025-5245](https://www.cve.org/CVERecord?id=CVE-2025-5245) [CVE-2025-8225](https://www.cve.org/CVERecord?id=CVE-2025-8225))
-- curl ([CVE-2025-9086](https://www.cve.org/CVERecord?id=CVE-2025-9086), [CVE-2025-10148](https://www.cve.org/CVERecord?id=CVE-2025-10148))
-- go ([CVE-2025-47910](https://www.cve.org/CVERecord?id=CVE-2025-47910))

changelog/security/2025-10-14-weekly-updates.md

@@ -1,5 +0,0 @@
-- expat ([CVE-2025-59375](https://www.cve.org/CVERecord?id=CVE-2025-59375))
-- intel-microcode ([CVE-2024-28956](https://www.cve.org/CVERecord?id=CVE-2024-28956), [CVE-2024-43420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43420), [CVE-2024-45332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45332), [CVE-2025-20012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20012), [CVE-2025-20054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20054), [CVE-2025-20103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20103), [CVE-2025-20623](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20623), [CVE-2025-24495](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24495), [CVE-2025-20053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20053), [CVE-2025-20109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20109), [CVE-2025-22839](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22839), [CVE-2025-22840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22840), [CVE-2025-22889](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22889), [CVE-2025-26403](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26403))
-- nvidia-drivers ([CVE-2025-23280](https://www.cve.org/CVERecord?id=CVE-2025-23280), [CVE-2025-23282](https://www.cve.org/CVERecord?id=CVE-2025-23282), [CVE-2025-23300](https://www.cve.org/CVERecord?id=CVE-2025-23300), [CVE-2025-23330](https://www.cve.org/CVERecord?id=CVE-2025-23330), [CVE-2025-23332](https://www.cve.org/CVERecord?id=CVE-2025-23332), [CVE-2025-23345](https://www.cve.org/CVERecord?id=CVE-2025-23345))
-- openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))
-- openssl ([CVE-2025-9230](https://www.cve.org/CVERecord?id=CVE-2025-9230), [CVE-2025-9231](https://www.cve.org/CVERecord?id=CVE-2025-9231), [CVE-2025-9232](https://www.cve.org/CVERecord?id=CVE-2025-9232))

changelog/security/2025-10-29-pam.md

@@ -1 +0,0 @@
-- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))

changelog/security/2025-11-05-weekly-updates.md

@@ -1,2 +0,0 @@
-- coreutils ([CVE-2025-5278](https://www.cve.org/CVERecord?id=CVE-2025-5278))
-- go ([CVE-2025-47912](https://www.cve.org/CVERecord?id=CVE-2025-47912), [CVE-2025-58183](https://www.cve.org/CVERecord?id=CVE-2025-58183), [CVE-2025-58185](https://www.cve.org/CVERecord?id=CVE-2025-58185), [CVE-2025-58186](https://www.cve.org/CVERecord?id=CVE-2025-58186), [CVE-2025-58187](https://www.cve.org/CVERecord?id=CVE-2025-58187), [CVE-2025-58188](https://www.cve.org/CVERecord?id=CVE-2025-58188), [CVE-2025-58189](https://www.cve.org/CVERecord?id=CVE-2025-58189), [CVE-2025-61723](https://www.cve.org/CVERecord?id=CVE-2025-61723), [CVE-2025-61724](https://www.cve.org/CVERecord?id=CVE-2025-61724), [CVE-2025-61725](https://www.cve.org/CVERecord?id=CVE-2025-61725))

changelog/security/2026-01-23-gnupg.md

@@ -1 +0,0 @@
-- gnupg ([CVE-2025-68972](https://www.cve.org/CVERecord/?id=CVE-2025-68972), [CVE-2025-68973](https://www.cve.org/CVERecord/?id=CVE-2025-68973), [gnupg-20251228-notdash](https://gpg.fail/notdash))

changelog/security/2026-02-12-openssh.md

@@ -0,0 +1 @@
+- openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))

changelog/security/2026-02-20-weekly-updates.md

@@ -1,6 +0,0 @@
-- bind ([CVE-2025-40778](https://www.cve.org/CVERecord?id=CVE-2025-40778), [CVE-2025-40780](https://www.cve.org/CVERecord?id=CVE-2025-40780), [CVE-2025-8677](https://www.cve.org/CVERecord?id=CVE-2025-8677))
-- gnutls ([CVE-2025-9820](https://www.cve.org/CVERecord?id=CVE-2025-9820))
-- go ([CVE-2025-61727](https://www.cve.org/CVERecord?id=CVE-2025-61727), [CVE-2025-61729](https://www.cve.org/CVERecord?id=CVE-2025-61729))
-- libarchive ([CVE-2025-60753](https://www.cve.org/CVERecord?id=CVE-2025-60753))
-- podman ([CVE-2025-9566](https://www.cve.org/CVERecord?id=CVE-2025-9566), [CVE-2025-52881](https://www.cve.org/CVERecord?id=CVE-2025-52881))
-- urllib3 ([CVE-2025-66418](https://www.cve.org/CVERecord?id=CVE-2025-66418), [CVE-2025-66471](https://www.cve.org/CVERecord?id=CVE-2025-66471))

changelog/security/2026-03-04-weekly-updates.md

@@ -1,17 +0,0 @@
-- c-ares ([CVE-2025-62408](https://www.cve.org/CVERecord?id=CVE-2025-62408))
-- curl ([CVE-2025-13034](https://www.cve.org/CVERecord?id=CVE-2025-13034), [CVE-2025-14017](https://www.cve.org/CVERecord?id=CVE-2025-14017), [CVE-2025-14524](https://www.cve.org/CVERecord?id=CVE-2025-14524), [CVE-2025-14819](https://www.cve.org/CVERecord?id=CVE-2025-14819), [CVE-2025-15079](https://www.cve.org/CVERecord?id=CVE-2025-15079), [CVE-2025-15224](https://www.cve.org/CVERecord?id=CVE-2025-15224))
-- expat ([CVE-2026-24515](https://www.cve.org/CVERecord?id=CVE-2026-24515), [CVE-2026-25210](https://www.cve.org/CVERecord?id=CVE-2026-25210))
-- glib ([CVE-2025-13601](https://www.cve.org/CVERecord?id=CVE-2025-13601), [CVE-2025-14087](https://www.cve.org/CVERecord?id=CVE-2025-14087))
-- glibc ([CVE-2026-0861](https://www.cve.org/CVERecord?id=CVE-2026-0861), [CVE-2026-0915](https://www.cve.org/CVERecord?id=CVE-2026-0915), [CVE-2025-15281](https://www.cve.org/CVERecord?id=CVE-2025-15281))
-- gnupg ([CVE-2026-24881](https://www.cve.org/CVERecord?id=CVE-2026-24881), [CVE-2026-24882](https://www.cve.org/CVERecord?id=CVE-2026-24882), [CVE-2026-24883](https://www.cve.org/CVERecord?id=CVE-2026-24883))
-- gnutls ([CVE-2025-14831](https://www.cve.org/CVERecord?id=CVE-2025-14831), [CVE-2026-1584](https://www.cve.org/CVERecord?id=CVE-2026-1584))
-- incus ([CVE-2026-23953](https://www.cve.org/CVERecord?id=CVE-2026-23953))
-- intel-microcode ([CVE-2025-31648](https://www.cve.org/CVERecord?id=CVE-2025-31648))
-- libpcap ([CVE-2025-11961](https://www.cve.org/CVERecord?id=CVE-2025-11961), [CVE-2025-11964](https://www.cve.org/CVERecord?id=CVE-2025-11964))
-- libtasn1 ([CVE-2025-13151](https://www.cve.org/CVERecord?id=CVE-2025-13151))
-- libxslt ([CVE-2025-10911](https://www.cve.org/CVERecord?id=CVE-2025-10911), [CVE-2025-11731](https://www.cve.org/CVERecord?id=CVE-2025-9714))
-- nvidia-drivers ([CVE-2025-33219](https://www.cve.org/CVERecord?id=CVE-2025-33219))
-- p11-kit ([CVE-2026-2100](https://www.cve.org/CVERecord?id=CVE-2026-2100))
-- rsync ([CVE-2025-10158](https://www.cve.org/CVERecord?id=CVE-2025-10158))
-- sssd ([CVE-2025-11561](https://www.cve.org/CVERecord?id=CVE-2025-11561))
-- util-linux ([CVE-2025-14104](https://www.cve.org/CVERecord?id=CVE-2025-14104))

changelog/updates/2025-09-16-weekly-updates.md

@@ -1,12 +0,0 @@
-- SDK: azure-core ([1.16.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-core_1.16.1))
-- SDK: azure-identity ([1.13.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-identity_1.13.1))
-- base, dev: coreutils ([9.7](https://lists.gnu.org/archive/html/info-gnu/2025-04/msg00006.html) (includes [9.6](https://savannah.gnu.org/news/?id=10715)))
-- base, dev: libffi ([3.5.2](https://github.com/libffi/libffi/releases/tag/v3.5.2))
-- base, dev: libnftnl ([1.3.0](https://lwn.net/Articles/1032725/))
-- base, dev: libxml2 ([2.13.9](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9))
-- base, dev: ncurses ([6.5_p20250802](https://invisible-island.net/ncurses/NEWS.html#t20250802))
-- base, dev: nftables ([1.1.4](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.4.txt))
-- dev, sysext-incus: squashfs-tools ([4.7.2](https://github.com/plougher/squashfs-tools/releases/tag/4.7.2) (includes [4.7.1](https://github.com/plougher/squashfs-tools/releases/tag/4.7.1)))
-- sysext-podman: gpgme ([2.0.0](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=NEWS;h=cd0e093bf83fe47b6773fb478fced07d8409fbe0;hb=e17ba578861905857da0a514b4fc9b88a57f7346))
-- sysext-python: charset-normalizer ([3.4.3](https://github.com/jawah/charset_normalizer/releases/tag/3.4.3))
-- sysext-python: pip ([25.2](https://raw.githubusercontent.com/pypa/pip/refs/tags/25.2/NEWS.rst))

changelog/updates/2025-09-18-linux-firmware-20250917-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20250917](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20250917))

changelog/updates/2025-09-24-weekly-updates.md

@@ -1,21 +0,0 @@
-- SDK: go ([1.24.7](https://go.dev/doc/devel/release#go1.24.minor))
-- SDK: pkgcheck ([0.10.37](https://github.com/pkgcore/pkgcheck/releases/tag/v0.10.37))
-- SDK: rust ([1.89.0](https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/))
-- base, dev: bash ([5.3_p3](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
-- base, dev: btrfs-progs ([6.16](https://github.com/kdave/btrfs-progs/releases/tag/v6.16))
-- base, dev: cryptsetup ([2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.1/docs/v2.8.1-ReleaseNotes))
-- base, dev: curl ([8.16.0](https://curl.se/ch/8.16.0.html))
-- base, dev: expat ([2.7.2](https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes))
-- base, dev: gcc ([14.3.1_p20250801](https://gcc.gnu.org/pipermail/gcc/2025-May/246078.html))
-- base, dev: hwdata ([0.398](https://github.com/vcrhonek/hwdata/releases/tag/v0.398))
-- base, dev: readline ([8.3_p1](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
-- base, dev: samba ([4.22.3](https://www.samba.org/samba/history/samba-4.22.3.html) (includes [4.22.2](https://www.samba.org/samba/history/samba-4.22.2.html), [4.22.1](https://www.samba.org/samba/history/samba-4.22.1.html), [4.22.0](https://www.samba.org/samba/history/samba-4.22.0.html), [4.21.0](https://www.samba.org/samba/history/samba-4.21.0.html)))
-- base, dev: talloc ([2.4.3](https://gitlab.com/samba-team/samba/-/commit/77229f73c20af69ab0f3c96efbb229ff64a9dfe4))
-- base, dev: tdb ([1.4.13](https://gitlab.com/samba-team/samba/-/commit/70a8c7a89a6d62d2ff172d79b5f4e6439300b88d))
-- base, dev: tevent ([0.16.2](https://gitlab.com/samba-team/samba/-/commit/8d398acbbb7fdc0ff50fe6ba80433deaf92515c6))
-- dev: binutils ([2.45](https://lists.gnu.org/archive/html/info-gnu/2025-07/msg00009.html))
-- sysext-incus, sysext-podman, vmware: fuse ([3.17.4](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.4))
-- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.190)
-- sysext-python: jaraco-functools ([4.3.0](https://raw.githubusercontent.com/jaraco/jaraco.functools/refs/tags/v4.3.0/NEWS.rst))
-- sysext-python: markdown-it-py ([4.0.0](https://github.com/executablebooks/markdown-it-py/releases/tag/v4.0.0))
-- sysext-python: requests ([2.32.5](https://github.com/psf/requests/releases/tag/v2.32.5))

changelog/updates/2025-09-26-linux-6.12.49-update.md

@@ -1 +0,0 @@
-- Linux ([6.12.49](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.49))

changelog/updates/2025-10-01-open-vm-tools-13.0.5-update.md

@@ -1 +0,0 @@
-- open-vm-tools ([13.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-13.0.5))

changelog/updates/2025-10-03-linux-6.12.50-update.md

@@ -1 +0,0 @@
-- Linux ([6.12.50](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.50))

changelog/updates/2025-10-07-linux-6.12.51-update.md

@@ -1 +1 @@
-- Linux ([6.12.51](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.51))
+- Linux ([6.12.51](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.51) (includes [6.12.50](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.50), [6.12.49](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.49)))

changelog/updates/2025-10-09-afterburn-5.10.md

@@ -1 +0,0 @@
-- Afterburn ([5.10.0](https://coreos.github.io/afterburn/release-notes/#afterburn-5100))

changelog/updates/2025-10-14-weekly-updates.md

@@ -1,26 +0,0 @@
-- SDK: cmake ([3.31.9](https://cmake.org/cmake/help/v3.31/release/3.31.html#id1))
-- SDK: go ([1.25.1](https://go.dev/doc/devel/release#go1.25.minor) (includes [1.25](https://go.dev/doc/go1.25)))
-- SDK: qemu ([10.0.5](https://wiki.qemu.org/ChangeLog/10.0))
-- azure, dev: inotify-tools ([4.25.9.0](https://github.com/inotify-tools/inotify-tools/releases/tag/4.25.9.0))
-- azure, stackit: chrony ([4.8](https://gitlab.com/chrony/chrony/-/raw/4.8/NEWS))
-- base, dev: bind ([9.18.38](https://bind9.readthedocs.io/en/v9.18.38/notes.html#notes-for-bind-9-18-38))
-- base, dev: bpftool ([7.6.0](https://github.com/libbpf/bpftool/releases/tag/v7.6.0))
-- base, dev: btrfs-progs ([6.16.1](https://github.com/kdave/btrfs-progs/releases/tag/v6.16.1))
-- base, dev: expat ([2.7.3](https://raw.githubusercontent.com/libexpat/libexpat/refs/tags/R_2_7_3/expat/Changes))
-- base, dev: gettext ([0.23.2](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=a5cc8a63eb4f06e4a1171afda862812feb67d693;hb=e8e6cb71aec0de1f5758ac21327bb8cd69e33731) (includes [0.23.1](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=4aafedf9b10a66891838e1f35c7af020c6124ee0;hb=d9b0432a825bfe3fc72f9a081d295a9528cd8aac), [0.23.0](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=9d87d45408f510d15856a1dda8a9376573f0a9c5;hb=c12b25dc82104691ca80c4da1cbc538fcab42bf5)))
-- base, dev: git ([2.51.0](https://github.com/git/git/blob/v2.51.0/Documentation/RelNotes/2.51.0.adoc) (includes [2.50.0](https://github.com/git/git/blob/v2.50.0/Documentation/RelNotes/2.50.0.adoc)))
-- base, dev: intel-microcode ([20250812](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812) (includes [20250512](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512)))
-- base, dev: libxml2 ([2.14.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.6) (includes [2.14.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5), [2.14.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4), [2.14.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.3), [2.14.2](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.2), [2.14.1](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.1), [2.14.0](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.0)))
-- base, dev: nftables ([1.1.5](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.5.txt))
-- base, dev: nvidia-drivers-service (amd64) ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
-- base, dev: nvidia-drivers-service (arm64) ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
-- base, dev: openssh ([10.2_p1](https://www.openssh.com/txt/release-10.2) (includes [10.1](https://www.openssh.com/txt/release-10.1)))
-- base, dev: openssl ([3.4.3](https://github.com/openssl/openssl/releases/tag/openssl-3.4.3))
-- base, dev: xfsprogs ([6.16.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.16.0) (includes [6.15.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.15.0)))
-- sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
-- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
-- sysext-podman: crun ([1.21](https://github.com/containers/crun/releases/tag/1.21))
-- sysext-podman: netavark ([1.15.2](https://github.com/containers/netavark/releases/tag/v1.15.2) (includes [1.15.1](https://github.com/containers/netavark/releases/tag/v1.15.1), [1.15.0](https://github.com/containers/netavark/releases/tag/v1.15.0)))
-- sysext-podman: passt ([2025.06.11](https://archives.passt.top/passt-user/20250611175947.7d540ddc@elisabeth/T/#u))
-- sysext-python: platformdirs ([4.4.0](https://github.com/tox-dev/platformdirs/releases/tag/4.4.0))
-- sysext-python: typing-extensions ([4.15.0](https://raw.githubusercontent.com/python/typing_extensions/refs/tags/4.15.0/CHANGELOG.md))

changelog/updates/2025-10-16-linux-firmware-20251011-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20251011](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251011))

changelog/updates/2025-10-23-linux-firmware-20251021-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20251021](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251021))

changelog/updates/2025-10-29-pam.md

@@ -1,2 +0,0 @@
-- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
-- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))

changelog/updates/2025-10-29-systemd-update.md

@@ -1 +0,0 @@
-- systemd (257.9)

changelog/updates/2025-10-30-containerd.md

@@ -1,2 +0,0 @@
-- sysext-containerd: runc ([1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1))
-- sysext-containerd: containerd ([2.1.4](https://github.com/containerd/containerd/releases/tag/v2.1.4))

changelog/updates/2025-11-05-weekly-updates.md

@@ -1,19 +0,0 @@
-- SDK: cmake ([4.1.2](https://cmake.org/cmake/help/v4.1/release/4.1.html#id22) (includes [4.1.1](https://cmake.org/cmake/help/v4.1/release/4.1.html#id21), [4.1](https://cmake.org/cmake/help/v4.1/release/4.1.html), [4.0](https://cmake.org/cmake/help/v4.0/release/4.0.html)))
-- SDK: go ([1.25.3](https://go.dev/doc/devel/release#go1.25.minor))
-- base, dev: btrfs-progs ([6.17](https://github.com/kdave/btrfs-progs/releases/tag/v6.17))
-- base, dev: cifs-utils ([7.4](https://lwn.net/Articles/1024956/))
-- base, dev: coreutils ([9.8](https://lists.gnu.org/archive/html/info-gnu/2025-09/msg00005.html))
-- base, dev: hwdata ([0.399](https://github.com/vcrhonek/hwdata/releases/tag/v0.399))
-- base, dev: inih ([62](https://github.com/benhoyt/inih/releases/tag/r62) (includes [61](https://github.com/benhoyt/inih/releases/tag/r61)))
-- base, dev: iproute2 ([6.17.0](https://lore.kernel.org/all/20250929095042.48200315@hermes.local/))
-- base, dev: kbd ([2.9.0](https://github.com/legionus/kbd/releases/tag/v2.9.0))
-- base, dev: libtirpc ([1.3.7](https://git.linux-nfs.org/?p=steved/libtirpc.git;a=log;h=refs/tags/libtirpc-1-3-7))
-- base, dev: samba ([4.22.5](https://www.samba.org/samba/history/samba-4.22.5.html) (includes [4.22.4](https://www.samba.org/samba/history/samba-4.22.4.html)))
-- base, dev: strace ([6.17](https://github.com/strace/strace/releases/tag/v6.17))
-- base, dev: util-linux ([2.41.2](https://github.com/util-linux/util-linux/blob/v2.41.2/Documentation/releases/v2.41.2-ReleaseNotes))
-- dev: portage ([3.0.69.3](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.3) (includes [3.0.69.2](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.2), [3.0.69.1](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.1), [3.0.69](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69)))
-- sysext-overlaybd: overlaybd ([1.0.16](https://github.com/containerd/overlaybd/releases/tag/v1.0.16))
-- sysext-podman: netavark ([1.16.1](https://github.com/containers/netavark/releases/tag/v1.16.1) (includes [1.16.0](https://github.com/containers/netavark/releases/tag/v1.16.0)))
-- sysext-python: more-itertools ([10.8.0](https://github.com/more-itertools/more-itertools/releases/tag/v10.8.0))
-- sysext-python: setuptools-scm ([9.2.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.2.0) (includes [9.1.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.1.0), [9.0.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.0.0)))
-- sysext-python: trove-classifiers ([2025.9.11.17](https://github.com/pypa/trove-classifiers/releases/tag/2025.9.11.17) (includes (2025.9.9.12)[https://github.com/pypa/trove-classifiers/releases/tag/2025.9.9.12], [2025.9.8.13](https://github.com/pypa/trove-classifiers/releases/tag/2025.9.8.13)))

changelog/updates/2025-11-07-runc-containerd.md

@@ -1,2 +1,2 @@
-- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2)))
-- containerd ([2.1.5](https://github.com/containerd/containerd/releases/tag/v2.1.5))
+- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2), [1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1), [1.3.0](https://github.com/opencontainers/runc/releases/tag/v1.3.0)))
+- containerd ([2.0.7](https://github.com/containerd/containerd/releases/tag/v2.0.7) (includes [2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6)))

changelog/updates/2025-11-13-linux-firmware-20251111-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20251111](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251111))

changelog/updates/2025-11-24-weekly-updates.md

@@ -1,13 +0,0 @@
-- SDK: meson ([1.9.1](https://mesonbuild.com/Release-notes-for-1-9-0.html) (includes [1.8.0](https://mesonbuild.com/Release-notes-for-1-8-0.html)))
-- SDK: nasm ([3.01](https://www.nasm.us/docs/3.01/nasmac.html) (includes [3.00](https://www.nasm.us/docs/3.00/nasmac.html)))
-- base, dev: hwdata ([0.400](https://github.com/vcrhonek/hwdata/releases/tag/v0.400))
-- base, dev: intel-microcode ([20251111_p20251112](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20251111))
-- base, dev: jose ([14](https://github.com/latchset/jose/releases/tag/v14) (includes [13](https://github.com/latchset/jose/releases/tag/v13)))
-- base, dev: less ([685](https://greenwoodsoftware.com/less/news.685.html))
-- base, dev: libgpg-error ([1.56](https://github.com/gpg/libgpg-error/releases/tag/libgpg-error-1.56))
-- base, dev: openssl ([3.5.4](https://github.com/openssl/openssl/releases/tag/openssl-3.5.4) (includes [3.5.3](https://github.com/openssl/openssl/releases/tag/openssl-3.5.3), [3.5.2](https://github.com/openssl/openssl/releases/tag/openssl-3.5.2), [3.5.1](https://github.com/openssl/openssl/releases/tag/openssl-3.5.1), [3.5.0](https://github.com/openssl/openssl/releases/tag/openssl-3.5.0)))
-- base, dev: thin-provisioning-tools ([1.3.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.3.0/CHANGES) (includes [1.2.2](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.2/CHANGES), [1.2.1](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.1/CHANGES), [1.2.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.0/CHANGES), [1.1.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.1.0/CHANGES), [1.0.14](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.14/CHANGES), [1.0.13](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.13/CHANGES), [1.0.12](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.12/CHANGES), [1.0.11](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.11/CHANGES)))
-- sysext-podman: aardvark-dns ([1.15.0](https://github.com/containers/aardvark-dns/releases/tag/v1.15.0))
-- sysext-python: platformdirs ([4.5.0](https://github.com/tox-dev/platformdirs/releases/tag/4.5.0))
-- sysext-python: resolvelib ([1.2.1](https://raw.githubusercontent.com/sarugaku/resolvelib/refs/tags/1.2.1/CHANGELOG.rst))
-- sysext-python: rich ([14.2.0](https://github.com/Textualize/rich/releases/tag/v14.2.0))

changelog/updates/2025-11-27-linux-firmware-20251125-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20251125](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251125))

changelog/updates/2025-12-02-linux-6.12.60-update.md

@@ -1 +1 @@
-- Linux ([6.12.60](https://lwn.net/Articles/1048757))
+- Linux ([6.12.60](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.60))

changelog/updates/2025-12-03-ignition.md

@@ -1 +0,0 @@
-- Ignition ([2.24.0](https://coreos.github.io/ignition/release-notes/#ignition-2240-2024-10-14))

changelog/updates/2025-12-08-update-systemd.md

@@ -1 +0,0 @@
-- systemd (258.2)

changelog/updates/2025-12-11-etcdctl.md

@@ -1 +0,0 @@
-- etcdctl ([3.5.18](https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3518-2025-01-24))

changelog/updates/2026-01-06-draacut-109.md

@@ -1 +0,0 @@
-- dracut ([109](https://github.com/dracut-ng/dracut-ng/releases/tag/109) (includes [108](https://github.com/dracut-ng/dracut-ng/releases/tag/108), [107](https://github.com/dracut-ng/dracut-ng/releases/tag/107)))

changelog/updates/2026-01-07-python-bump.md

@@ -1 +0,0 @@
-- python ([3.12.12](https://www.python.org/downloads/release/python-31212/) (includes [3.12.0](https://www.python.org/downloads/release/python-3120/)))

changelog/updates/2026-01-15-linux-firmware-20260110-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20260110](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20260110))

changelog/updates/2026-01-23-gnupg.md

@@ -1,3 +0,0 @@
-- base, dev: gnupg ([2.5.16](https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html https://lists.gnupg.org/pipermail/gnupg-announce/2024q3/000484.html) (includes [2.5](https://lists.gnu.org/archive/html/info-gnu/2024-07/msg00005.html)))
-- base, dev: libgpg-error ([1.57](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob_plain;f=NEWS;h=52ac1464a0c0af091a3d69e8c5f2f3afa2cc3c9f;hb=39d7b85a7d69975f1dfec5a0add10b4d57dcfc9e))
-- sysext-podman: gpgme ([2.0.1](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=NEWS;h=1fd34dbd9143829e9163d402ab0191a9fc6adab2;hb=e4adebe020b07bc47e583817576ce98ca93e9711))

changelog/updates/2026-01-28-open-vm-tools-13.0.10-update.md

@@ -1 +0,0 @@
-- open-vm-tools ([13.0.10](https://github.com/vmware/open-vm-tools/releases/tag/stable-13.0.10))

changelog/updates/2026-01-28-openssl.md

@@ -1 +1 @@
-- OpenSSL ([3.5.5](https://github.com/openssl/openssl/blob/openssl-3.5/CHANGES.md#changes-between-354-and-355-27-jan-2026))
+- OpenSSL ([3.4.4](https://github.com/openssl/openssl/blob/openssl-3.4/CHANGES.md#changes-between-343-and-344-27-jan-2026) (includes [3.4.3](https://github.com/openssl/openssl/blob/openssl-3.4/CHANGES.md#changes-between-342-and-343-30-sep-2025)))