diff --git a/build_library/oem_sysexts.sh b/build_library/oem_sysexts.sh
index 7d50efc4bed..ff30d07b2ca 100644
--- a/build_library/oem_sysexts.sh
+++ b/build_library/oem_sysexts.sh
@@ -75,7 +75,7 @@ get_oem_sysext_matrix() {
 local -a matrix=()
 local oem_id
 for oem_id in "${oem_ids[@]}"; do
- matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|${oem_id}")
+ matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|flatcar-oem")
 done
 
 local -n matrix_ref="${list_var_name}"
diff --git a/build_packages b/build_packages
index da1d1e9b916..1cb4df92c2b 100755
--- a/build_packages
+++ b/build_packages
@@ -307,13 +307,17 @@ build_sysext_packages() {
 IFS=,
 for package in $package_atoms; do
 # --buildpkgonly does not install dependencies, so we install them
- # separately before building the binary package
+ # separately before building the binary package. --ignore-world is needed
+ # to allow packages to be installed to both /usr and sysexts with
+ # conflicting USE flags. This will "break" the board root, but it's not
+ # used for execution, and affected packages will be rebuilt as needed.
 sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
 env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
 "${EMERGE_FLAGS[@]}" \
 --quiet \
 --onlydeps \
 --binpkg-respect-use=y \
+ --ignore-world=y \
 "${package}"
 
 sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
@@ -322,6 +326,7 @@ build_sysext_packages() {
 --quiet \
 --buildpkgonly \
 --binpkg-respect-use=y \
+ --ignore-world=y \
 "${package}"
 done
 unset IFS
diff --git a/changelog/bugfixes/2025-12-29-gce-udev.md b/changelog/bugfixes/2025-12-29-gce-udev.md
new file mode 100644
index 00000000000..d8458d9f4db
--- /dev/null
+++ b/changelog/bugfixes/2025-12-29-gce-udev.md
@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.
diff --git a/sdk_container/src/third_party/coreos-overlay/README.md b/sdk_container/src/third_party/coreos-overlay/README.md
index 150fb7b6493..363fdfb20a3 100644
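Review bot: The third `|`-separated field of every matrix entry is now the literal `flatcar-oem`, so the loop no longer varies it, and nothing in the hunk says what the three fields mean; a comment above the loop such as `# entries are "sysext-name|package-atom|use-flag"` would keep the format readable (the `flatcar-oem` flag is declared in the new `profiles/use.desc` hunk of this series, so the field appears to be a USE flag — confirm against the consumer). Since the value is now constant, a `local -r oem_use=flatcar-oem` or dropping the field from the matrix would also avoid repeating the literal per entry. get_oem_sysext_matrix starts before the hunk and its body continues after it.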
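Review bot: The new comment says affected packages "will be rebuilt as needed" but not what triggers the rebuild; if it is the `--binpkg-respect-use=y` already passed two lines above the new flag (presumably a binpkg built with the other USE set is rejected and the package is rebuilt), say so to make the comment self-contained, e.g. `# used for execution, and affected packages are rebuilt as needed because --binpkg-respect-use=y rejects binpkgs built with other USE flags.` The same `--ignore-world=y` is added to the --buildpkgonly invocation in the following hunk; one comment covering both is enough. build_sysext_packages starts before and ends after these hunks.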
--- a/sdk_container/src/third_party/coreos-overlay/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/README.md
@@ -23,13 +23,12 @@ gets built into a developer image and is not OEM specific.
 gets built into the Container Linux SDK.
 
 `coreos-devel/board-packages` is everything that could be built into a
-development or production image, plus any OEM specific packages.
+development or production image.
 
 `coreos-base/oem-*` are the OEM specific packages. They mostly install things
-that belong in the OEM partition. Any RDEPENDS from these packages should
-be copied to the RDEPENDS in `board-packages` to ensure they are built.
+that belong in the OEM partition.
 
-`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
+`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
 
 # Updating
 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
new file mode 100644
index 00000000000..d444561ad31
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
@@ -0,0 +1 @@
+DIST google-guest-configs-20260116.00.tar.gz 50190 BLAKE2B a9d546c87245114bd650c1b5116a9619b927e9afb0702adb0d3b41efeab680da65055f37490fe88d4923ceb7a5f596a3f59848f74cb9f8ce074d3f2568f40757 SHA512 995b350700feba28cdd6250c2ca0788539f1e58f3bae9d23081671fff82c7ff139ec9a0f56411e9ead6bfca62ced2c4bb729f516352982441c6a769162d9f4f2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
new file mode 100644
index 00000000000..4ac9d275cbc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions. When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10
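Review bot: The patch removes nearly all of upstream's hardening keys from 60-gce-network-security.conf (tcp_syncookies, accept_source_route, accept_redirects/secure_redirects, send_redirects, rp_filter, icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, randomize_va_space, kernel.panic and ip_forward) and keeps only the log_martians lines, yet the patch file carries no header explaining why, unlike the dracut-deps patch in this series. If the reason is that Flatcar's own sysctl defaults already set equivalents and that `ip_forward=0` would conflict with container networking, put that in a description at the top of the patch and confirm each dropped key really is covered elsewhere; otherwise GCE images quietly lose settings upstream ships. Because the systemd-sysctl drop-in and bootengine bump in this series are apparently aimed at re-applying sysctl.d once sysexts are mounted, whatever this file ends up containing will take effect at runtime on GCE, so the kept/dropped split deserves an explicit note rather than being left to inference.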
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch
new file mode 100644
index 00000000000..04be008feb3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch
@@ -0,0 +1,25 @@
+From a848f8f181e2a7080a7ee06fb87ffbfe05e66a24 Mon Sep 17 00:00:00 2001
+From: James Le Cuirot
+Date: Tue, 20 Jan 2026 15:55:29 +0000
+Subject: [PATCH] dracut: Install dd and ln as these are used by google_nvme_id
+
+I found that the disk name symlink was missing on Flatcar due to the
+lack of dd. I thought about using pure Bash, but it can't handle the
+null bytes. I also thought about using tail, but this is just as likely
+to be missing.
+
+I've also added ln for good measure.
+--- a/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
++++ b/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
+@@ -4,7 +4,7 @@
+
+ # called by dracut
+ install() {
+- inst_multiple nvme grep sed
++ inst_multiple nvme dd ln grep sed
+ inst_simple /usr/lib/udev/google_nvme_id
+ inst_simple /usr/lib/udev/rules.d/65-gce-disk-naming.rules
+ }
+--
+2.51.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild
new file mode 100644
index 00000000000..0cf843420a4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild
@@ -0,0 +1,66 @@
+# Copyright 2026 The Flatcar Container Linux Maintainers
+# Distributed under the terms of the Apache License 2.0
+
+# IMPORTANT! When bumping, ensure that the Dracut modules do not install files
+# that would make runtime changes to systems to other than GCE VMs because the
+# initrd is shared between image types. The udev disk rules are currently safe.
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/guest-configs-${PV}"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="flatcar-oem"
+
+RDEPEND="
+    ! + + + + GoogleCloudPlatform/guest-configs + +
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild
similarity index 81%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild
index 2235e90a901..76c1ada09d8 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild
@@ -28,3 +28,10 @@ RDEPEND="
 sys-apps/iproute2
 sys-apps/shadow
 "
+
+src_install() {
+ distutils-r1_src_install
+
+ # Newer versions are installed by app-admin/google-guest-configs.
+ rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index c3b64c56b9a..84598dd6cd4 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -212,6 +212,7 @@ RDEPEND="${RDEPEND}
 # OEM specific bits that need to go in USR
 RDEPEND+="
 amd64? (
+ app-admin/google-guest-configs[-flatcar-oem]
 sys-auth/google-oslogin
 )
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
deleted file mode 100644
index 5baa71325b6..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
+++ /dev/null
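Review bot: `app-admin/google-guest-configs[-flatcar-oem]` is added under the pre-existing `# OEM specific bits that need to go in USR` comment while the new oem-gce ebuild in this series depends on the same package with `[flatcar-oem]`, and nothing here says the two are deliberate complementary copies; a short comment on the new line would save the reader cross-checking, e.g. `# -flatcar-oem: the /usr copy; the OEM sysext pulls in the flatcar-oem build via coreos-base/oem-gce` (per the new `profiles/use.desc` entry the flag configures the package for a Flatcar OEM sysext). The coreos-kernel DEPEND hunk later in this series adds the same atom and would benefit from the same note.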
@@ -1,42 +0,0 @@
-# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit systemd
-
-DESCRIPTION="OEM suite for Google Compute Engine images"
-HOMEPAGE="https://cloud.google.com/products/compute-engine/"
-SRC_URI=""
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-# no source directory
-S="${WORKDIR}"
-
-RDEPEND="
- app-emulation/google-compute-engine
-"
-
-OEM_NAME="Google Compute Engine"
-
-src_install() {
- systemd_dounit "${FILESDIR}/units/oem-gce.service"
- systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
- systemd_dounit "${FILESDIR}/units/setup-oem.service"
- systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
- systemd_enable_service "multi-user.target" "ntpd.service"
-
- dobin "${FILESDIR}/bin/enable-oslogin"
- dobin "${FILESDIR}/bin/init.sh"
-
- # These files will be symlinked to /etc via 'setup-oem.service'
- insinto /usr/share/gce/
- doins "${FILESDIR}/files/hosts"
- doins "${FILESDIR}/files/google-cloud-sdk.sh"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
new file mode 100644
index 00000000000..f8097afd48b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
@@ -0,0 +1,35 @@
+# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd
+
+DESCRIPTION="OEM suite for Google Compute Engine images"
+HOMEPAGE="https://cloud.google.com/products/compute-engine/"
+S="${WORKDIR}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+ app-admin/google-guest-configs[flatcar-oem]
+ app-emulation/google-compute-engine
+"
+
+OEM_NAME="Google Compute Engine"
+
+src_install() {
+ systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
+ systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
+ systemd_enable_service multi-user.target ntpd.service
+
+ dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}
+
+ # These files will be symlinked to /etc via 'setup-oem.service'
+ insinto /usr/share/gce
+ doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r17.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r18.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r17.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r18.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index e89d4114449..eca6b0bb1fb 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
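Review bot: `S="${WORKDIR}"` in the new ebuild lost the `# no source directory` comment the deleted r7 ebuild carried, and with `SRC_URI=""` also gone the assignment now reads as a stray leftover; restore the comment, `# no source directory`, above it (or drop the assignment if the EAPI fallback to WORKDIR for a package with no sources is being relied on). The RDEPEND on `app-admin/google-guest-configs[flatcar-oem]` is the counterpart of the `[-flatcar-oem]` dependency added to coreos-base/coreos in this series; a one-line comment such as `# sysext copy of the guest configs; the /usr copy comes via coreos-base/coreos` would make the deliberate double build explicit to the next maintainer.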
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -2,47 +2,19 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 
-EAPI=7
+EAPI=8
 
-DESCRIPTION="Meta ebuild for building all binary packages."
-HOMEPAGE="http://coreos.com/docs/sdk/"
-SRC_URI=""
+DESCRIPTION="Meta ebuild for building all binary packages"
+HOMEPAGE="https://www.flatcar.org/"
 
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="amd64 arm64"
-IUSE=""
 
-# Depend on everything OEMs need, but not the OEMs themselves.
-# This makes the built packages available for image_vm_util.sh but
-# avoids copying the oem specific files (e.g. grub configs) before
-# the oem partition is set up.
-DEPEND=""
 RDEPEND="
- amd64? (
- app-emulation/google-compute-engine
- app-emulation/open-vm-tools
- coreos-base/nova-agent-container
- coreos-base/nova-agent-watcher
- )
+ coreos-base/coreos
+ coreos-base/coreos-dev
 sys-boot/grub
 sys-boot/shim
 sys-boot/shim-signed
- app-containers/containerd
- app-containers/docker
- app-containers/docker-buildx
- app-containers/docker-cli
- app-containers/incus
- app-emulation/amazon-ssm-agent
- app-emulation/hv-daemons
- app-emulation/wa-linux-agent
- coreos-base/coreos
- coreos-base/coreos-dev
- coreos-base/flatcar-eks
- net-misc/chrony
- sys-fs/zfs
- app-containers/podman
- net-misc/passt
- dev-lang/python
- dev-python/pip
- "
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
index defe7e8d0ba..53124d02a8a 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
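Review bot: The four-line comment explaining what this meta ebuild depends on and why was deleted rather than rewritten, so the trimmed RDEPEND now has no statement of its purpose; in particular the surviving `sys-boot/grub`, `sys-boot/shim` and `sys-boot/shim-signed` entries sit next to `coreos-base/coreos` with nothing saying why they are listed here instead of being reached through it. A replacement comment above RDEPEND in the spirit of the old one, e.g. `# Everything an image build needs: the rootfs metapackages plus the bootloader bits that are consumed by the image scripts rather than installed into the rootfs`, would preserve that intent (hedged: the bootloader rationale is inferred from the old comment about grub configs, so adjust to what is actually true).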
@@ -173,6 +173,16 @@ After=ensure-sysext.service
 EOF
 )
 
+ (
+ insinto "$(systemd_get_systemunitdir)/systemd-sysctl.service.d"
+ newins - flatcar.conf <<'EOF'
+# sysctl runs early from the initrd, so wait for sysexts with additional
+# configuration to be mounted before running it again.
+[Unit]
+After=ensure-sysext.service
+EOF
+ )
+
 (
 # Allow @mount syscalls for systemd-udevd.service
 insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/use.desc b/sdk_container/src/third_party/coreos-overlay/profiles/use.desc
new file mode 100644
index 00000000000..3e2055cfb89
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/use.desc
@@ -0,0 +1 @@
+flatcar-oem - Configure for use in a Flatcar OEM sysext
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
index 611db5b5f89..8c6adc49d88 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
@@ -1 +1 @@
-DIST bootengine-7d9895ce55617b18a78294975197975ac17b5bc3.tar.gz 36752 BLAKE2B 88c0478fd368203f3184f3e98ef8b277b725b6a7da6f39198c8366e71cb587705eb3859ccd92f701b4f7da4ed9571d645ddebc32293671477fed524fe31429e7 SHA512 6f8551e9b9fac5cedd8ee9fcb6d958092032b636f64c9d15f954a64c76ad9cbd8648bbb480bc92a6e98f7503d26f49e6c47989537cb1bdfb35d21eb2859e7923
+DIST bootengine-8854e0fd9fb77bf10eb8484a989d1b76a635264c.tar.gz 36865 BLAKE2B 71d9173321eae6856fc33f01f761864f2827e445d1671d9cd8cb8563fd76c06c3361df898b902448efe0bc1661ba42fc9167d71b164ba92daddac0fa2203d130 SHA512 3fd9575e22d5808caa099425beb0911d429ff4cec6b9d86a1371cf6f437306c693cae7d6e39e4814f5d15207d9ec82c95aa037a1ad0c5bb05c675ba13137b81b
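Review bot: The new drop-in's comment says systemd-sysctl should wait "before running it again", but `After=ensure-sysext.service` only orders the two units; it neither pulls ensure-sysext.service into the boot transaction nor causes a second sysctl run, so the comment should name where the re-run comes from (apparently the bootengine bump to `chewi/sysctl-rerun` in this series) and the unit ordering should be checked to ensure ensure-sysext.service is always part of the transaction. Suggested wording: `# sysctl first runs from the initrd and bootengine re-runs it from the rootfs; order that second run after sysexts carrying sysctl.d fragments are mounted.` The drop-in just above it in the context lines uses the same After= pattern, so the pull-in assumption has presumably been validated there already. The enclosing function or block starts before this hunk and continues after it.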
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r39.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r40.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r39.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r40.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
index 7ccfb49009c..b9bb5bc689a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
@@ -10,7 +10,7 @@ if [[ ${PV} == 9999 ]]; then
 EGIT_REPO_URI="https://github.com/flatcar/bootengine.git"
 inherit git-r3
 else
- EGIT_VERSION="7d9895ce55617b18a78294975197975ac17b5bc3" # flatcar-master
+ EGIT_VERSION="8854e0fd9fb77bf10eb8484a989d1b76a635264c" # chewi/sysctl-rerun
 SRC_URI="https://github.com/flatcar/bootengine/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 S="${WORKDIR}/${PN}-${EGIT_VERSION}"
 KEYWORDS="amd64 arm arm64 x86"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
index 49be09709cc..5cdf8bbe068 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
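Review bot: The pinned EGIT_VERSION now points at `8854e0fd9fb77bf10eb8484a989d1b76a635264c` with the comment `# chewi/sysctl-rerun`, i.e. a personal topic branch rather than the `# flatcar-master` reference it replaces; before this merges the commit should be on flatcar-master and the comment restored to `# flatcar-master`, because a commit reachable only from a personal branch can eventually disappear from the GitHub archive URL in SRC_URI once that branch is rebased or deleted, and the Manifest bump in this series would then need regenerating as well. A merge-blocking comment on the line (e.g. `# TODO: merge to flatcar-master before release`) would make the interim state obvious if it has to land first. The `if [[ ${PV} == 9999 ]]` block begins before the hunk and closes after it.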
@@ -56,7 +56,10 @@ DEPEND="
 >=sys-kernel/coreos-firmware-20180103-r1:=
 sys-process/procps
 virtual/udev
- amd64? ( sys-firmware/intel-microcode:= )
+ amd64? (
+ app-admin/google-guest-configs[-flatcar-oem]
+ sys-firmware/intel-microcode:=
+ )
 "
 
 src_prepare() {
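Review bot: Adding `app-admin/google-guest-configs[-flatcar-oem]` to the kernel's DEPEND carries no comment explaining why a guest-configuration package is a build-time dependency of the kernel; from the dracut-deps patch in this series it appears to be so the package's `30gcp-udev-rules` dracut module is installed when the initrd is assembled, which is worth stating on the line, e.g. `# provides the gcp-udev-rules dracut module for the shared initrd`. If that is the intent, the google-guest-configs ebuild's warning that the initrd is shared between image types and must not carry runtime changes for non-GCE systems applies here too and could be referenced. `DEPEND="` opens before the hunk and src_prepare() continues after it.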