From 3a4df096e308042804f604898984a60d707a08f4 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:00:37 +0000 Subject: [PATCH 01/14] coreos-overlay/app-admin: Import GCP Agent packages from COS Import google-guest-agent, google-guest-configs, google-osconfig-agent and oslogin packages from COS. These are sourced from the Git repo: https://cos.googlesource.com/cos/overlays/board-overlays, commit 8a6d617d85df03028c9c6d51a1bb3a3bc2eb0933, folder project-lakitu. 
Signed-off-by: Jeremi Piotrowski --- .../app-admin/google-guest-agent/Manifest | 2 + .../20201102-instance_configs.cfg.distro | 38 ++++++ ...0-create-hostkey-and-instanceID-dirs.patch | 42 ++++++ .../files/20231016.00-homedir-gid.patch | 120 ++++++++++++++++++ .../files/get_metadata_value | 76 +++++++++++ .../google-guest-agent-20240314.00-r1.ebuild | 1 + .../google-guest-agent-20240314.00.ebuild | 70 ++++++++++ .../app-admin/google-guest-configs/Manifest | 1 + ...gle-guest-configs-20211116.00-sysctl.patch | 50 ++++++++ ...google-guest-configs-20240304.00-r1.ebuild | 1 + .../google-guest-configs-20240304.00.ebuild | 47 +++++++ .../app-admin/google-osconfig-agent/Manifest | 2 + .../files/google-osconfig-init.service | 11 ++ .../google-osconfig-agent/files/no_ssh.sh | 18 +++ ...oogle-osconfig-agent-20240320.00-r1.ebuild | 1 + .../google-osconfig-agent-20240320.00.ebuild | 52 ++++++++ .../coreos-overlay/app-admin/oslogin/Manifest | 1 + .../files/oslogin-20231004.00-fix-build.patch | 40 ++++++ .../oslogin/oslogin-20231004.00-r1.ebuild | 1 + .../oslogin/oslogin-20231004.00.ebuild | 43 +++++++ 20 files changed, 617 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild create mode 100644 
sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest new file mode 100644 index 00000000000..0036a5f84ca --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest @@ -0,0 +1,2 @@ +DIST google-guest-agent-20240314.00-deps.tar.xz 100146672 BLAKE2B 5d59bad49c536a73f8be83f567cca3018fa1d56a78232e33eaefd1b8472174018da789bc1a432a56686568a01f932e9da2aee8c1f813cee829394037bcf694cd SHA512 1a00e48f54f74449b0289bf826aee5788d40a8406086a2f70f57d5e0d0c0c1bdf448b12e54962020a2dca4ff9d8586d7d94ae3dc3c5372e4622fbb18904cfb77 +DIST google-guest-agent-20240314.00.tar.gz 194225 BLAKE2B 2c3a69507b3a66b7b9e541f021a050bc3b050896fd27726b46307ecb940a72fc287d8b5b8794f6bf5363c5f2ad85b411b352a680f805d50d34836d63caca1d6b SHA512 8cfaa7ed3d7b34ae224b3cb3df7b747e2e2d305b034f53b674fd984b4b609bd67c7a0115c876a7b01e869172d970e4dcd7de2c87f27fff7d46648ef0cf1c32d8 diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro new file mode 100644 index 00000000000..40a838bd4f2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro 
@@ -0,0 +1,38 @@
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COS specific settings for the Linux Guest Environment for Google Compute
+# Engine.
+
+[InstanceSetup]
+set_boto_config = false
+host_key_dir = /mnt/stateful_partition/etc/ssh
+
+[Instance]
+instance_id_dir = /mnt/stateful_partition/etc
+
+[MetadataScripts]
+run_dir = /var/lib/google/
+
+[NetworkInterfaces]
+setup = false
+
+[IpForwarding]
+ip_aliases = false
+
+[Accounts]
+reuse_homedir = true
+# Use usermod instead of gpasswd to avoid race between gpasswd and cloud-init.
+gpasswd_add_cmd = usermod -aG {group} {user}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch
new file mode 100644
index 00000000000..3e56e927250
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch
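Review bot: `host_key_dir` and `instance_id_dir` point at `/mnt/stateful_partition`, a COS-specific mount, and nothing in this file says whether the image importing it provides that path. Combined with the directory-creation patch added later in this commit, the agent would presumably create the tree on demand and write SSH host keys there, so sshd has to be configured to read its keys from the same directory or the generated keys are never the ones served. I would add a comment above each path, e.g. `# Must be on persistent storage and match the HostKey paths in sshd_config`, and confirm the values for the importing distribution before the package is enabled.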
@@ -0,0 +1,42 @@
+From e6ffb5fccf86931a79f551fdc960a659044042ce Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko
+Date: Wed, 8 Nov 2023 01:55:51 +0000
+Subject: [PATCH 2/2] Create missing directories
+
+Create missing directories for instance ID file and for SSH host key
+---
+ google_guest_agent/instance_setup.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/google_guest_agent/instance_setup.go b/google_guest_agent/instance_setup.go
+index d8cbc02bf94e..86b91b5c4636 100644
+--- a/google_guest_agent/instance_setup.go
++++ b/google_guest_agent/instance_setup.go
+@@ -171,7 +171,12 @@ func agentInit(ctx context.Context) {
+ // Check if instance ID has changed, and if so, consider this
+ // the first boot of the instance.
+ // TODO Also do this for windows. liamh@13-11-2019
+- instanceIDFile := config.Instance.InstanceIDDir
++ instanceIDDir := config.Instance.InstanceIDDir
++ // Create the instance ID directory, if it doesn't exist.
++ if err := os.MkdirAll(instanceIDDir, 0755); err != nil {
++ logger.Warningf("Failed to create instance ID directory: %v", err)
++ }
++ instanceIDFile := instanceIDDir + "/google_instance_id"
+ instanceID, err := os.ReadFile(instanceIDFile)
+ if err != nil && !os.IsNotExist(err) {
+ logger.Warningf("Not running first-boot actions, error reading instance ID: %v", err)
+@@ -220,6 +225,10 @@ func agentInit(ctx context.Context) {
+ func generateSSHKeys(ctx context.Context) error {
+ config := cfg.Get()
+ hostKeyDir := config.InstanceSetup.HostKeyDir
++ // Create the host key directory, if it doesn't exist.
++ if err := os.MkdirAll(hostKeyDir, 0755); err != nil {
++ logger.Warningf("Failed to create host key directory: %v", err)
++ }
+ dir, err := os.Open(hostKeyDir)
+ if err != nil {
+ return err
+--
+2.42.0.869.gea05f2083d-goog
+
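Review bot: In `agentInit`, a failed `os.MkdirAll(instanceIDDir, 0755)` is only logged, after which `os.ReadFile` returns a not-exist error that the following check lets through, so the boot is handled as a first boot. If the directory can never be created (read-only or missing parent mount), this presumably repeats on every boot, and if the first-boot actions include SSH host key generation the host keys would change across reboots, which teaches users to ignore host-key warnings. Consider skipping the first-boot path when MkdirAll fails, and build the path with `filepath.Join(instanceIDDir, "google_instance_id")` instead of string concatenation. The patch also changes `InstanceIDDir` from a file path to a directory, so any write of the instance ID later in `agentInit` (outside the visible hunk) and any non-overridden default value need to agree with that.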
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch new file mode 100644 index 00000000000..a2bd9de5051 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch 
@@ -0,0 +1,120 @@
+From a28e8fa46b5ef09c8a83763a6163d7b63d04f156 Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko
+Date: Thu, 2 Nov 2023 00:23:19 +0000
+Subject: [PATCH 1/2] Add stable gid for added users
+
+Use gid obtained from the home directory to create users with a
+volatile /etc directory.
+---
+ google_guest_agent/accounts_unix.go | 17 +++++++++++++----
+ google_guest_agent/accounts_windows.go | 6 +++---
+ google_guest_agent/non_windows_accounts.go | 6 +++---
+ google_guest_agent/windows_accounts.go | 4 ++--
+ 4 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/google_guest_agent/accounts_unix.go b/google_guest_agent/accounts_unix.go
+index 94cedd3d480a..0cc6470f15f2 100644
+--- a/google_guest_agent/accounts_unix.go
++++ b/google_guest_agent/accounts_unix.go
+@@ -27,21 +27,30 @@ import (
+ "github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/run"
+ )
+
+-func getUID(path string) string {
++func getUIDAndGID(path string) (string, string) {
+ if dir, err := os.Stat(path); err == nil {
+ if stat, ok := dir.Sys().(*syscall.Stat_t); ok {
+- return fmt.Sprintf("%d", stat.Uid)
++ return fmt.Sprintf("%d", stat.Uid), fmt.Sprintf("%d", stat.Gid)
+ }
+ }
+- return ""
++ return "", ""
+ }
+
+-func createUser(ctx context.Context, username, uid string) error {
++func createUser(ctx context.Context, username, uid, gid string) error {
+ config := cfg.Get()
+ useradd := config.Accounts.UserAddCmd
+ if uid != "" {
+ useradd = fmt.Sprintf("%s -u %s", useradd, uid)
+ }
++ if gid != "" {
++ groupadd := config.Accounts.GroupAddCmd
++ groupadd = fmt.Sprintf("%s -g %s", groupadd, gid)
++ cmd, args := createUserGroupCmd(groupadd, "", username)
++ if err := run.Quiet(ctx, cmd, args...); err != nil {
++ return err
++ }
++ useradd = fmt.Sprintf("%s -g %s", useradd, gid)
++ }
+ cmd, args := createUserGroupCmd(useradd, username, "")
+ return run.Quiet(ctx, cmd, args...)
+ }
+diff --git a/google_guest_agent/accounts_windows.go b/google_guest_agent/accounts_windows.go
+index 5f0087afd6eb..c66b3e6cc211 100644
+--- a/google_guest_agent/accounts_windows.go
++++ b/google_guest_agent/accounts_windows.go
+@@ -138,7 +138,7 @@ func addUserToGroup(ctx context.Context, username, group string) error {
+ return nil
+ }
+
+-func createUser(ctx context.Context, username, pwd string) error {
++func createUser(ctx context.Context, username, pwd, _ string) error {
+ uPtr, err := syscall.UTF16PtrFromString(username)
+ if err != nil {
+ return fmt.Errorf("error encoding username to UTF16: %v", err)
+@@ -184,6 +184,6 @@ func userExists(name string) (bool, error) {
+ return true, nil
+ }
+
+-func getUID(path string) string {
+- return ""
++func getUIDAndGID(path string) (string, string) {
++ return "", ""
+ }
+diff --git a/google_guest_agent/non_windows_accounts.go b/google_guest_agent/non_windows_accounts.go
+index 2fa6f5de6487..c8640624064c 100644
+--- a/google_guest_agent/non_windows_accounts.go
++++ b/google_guest_agent/non_windows_accounts.go
+@@ -343,12 +343,12 @@ func createUserGroupCmd(cmd, user, group string) (string, []string) {
+ // createGoogleUser creates a Google managed user account if needed and adds it
+ // to the configured groups.
+ func createGoogleUser(ctx context.Context, config *cfg.Sections, user string) error {
+- var uid string
++ var uid, gid string
+ if config.Accounts.ReuseHomedir {
+- uid = getUID(fmt.Sprintf("/home/%s", user))
++ uid, gid = getUIDAndGID(fmt.Sprintf("/home/%s", user))
+ }
+
+- if err := createUser(ctx, user, uid); err != nil {
++ if err := createUser(ctx, user, uid, gid); err != nil {
+ return err
+ }
+ groups := config.Accounts.Groups
+diff --git a/google_guest_agent/windows_accounts.go b/google_guest_agent/windows_accounts.go
+index 248bf399e436..a46b60759129 100644
+--- a/google_guest_agent/windows_accounts.go
++++ b/google_guest_agent/windows_accounts.go
+@@ -133,7 +133,7 @@ func createOrResetPwd(ctx context.Context, k metadata.WindowsKey) (*credsJSON, e
+ }
+ } else {
+ logger.Infof("Creating user %s", k.UserName)
+- if err := createUser(ctx, k.UserName, pwd); err != nil {
++ if err := createUser(ctx, k.UserName, pwd, ""); err != nil {
+ return nil, fmt.Errorf("error running createUser: %v", err)
+ }
+ if k.AddToAdministrators == nil || *k.AddToAdministrators {
+@@ -155,7 +155,7 @@ func createSSHUser(ctx context.Context, user string) error {
+ return nil
+ }
+ logger.Infof("Creating user %s", user)
+- if err := createUser(ctx, user, pwd); err != nil {
++ if err := createUser(ctx, user, pwd, ""); err != nil {
+ return fmt.Errorf("error running createUser: %v", err)
+ }
+
+--
+2.42.0.869.gea05f2083d-goog
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value
new file mode 100644
index 00000000000..4ffd7e6bf55
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value
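Review bot: In `createUser` (accounts_unix.go) the new `groupadd -g <gid> <username>` call returns its error immediately, so account creation now fails whenever a group with that GID or that name already exists, for example when `/etc/group` persists across the re-creation of a user whose home directory is reused, or when the home directory is group-owned by an existing system group. The GID is taken from whatever owns `/home/<user>` with no range check, so relaxing the groupadd step later without one would hand the new account an arbitrary existing primary group. I would look the GID up first and run groupadd only when it is unused, e.g. `if _, err := user.LookupGroupId(gid); err != nil { /* run groupadd */ }`, and ignore GIDs below the first regular GID rather than passing them to `useradd -g`. The Windows variants only thread the extra parameter through and need no change.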
@@ -0,0 +1,76 @@
+#! /bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Get a metadata value from the metadata server.
+# curl exit codes: https://everything.curl.dev/usingcurl/returns
+declare -r VARNAME=$1
+declare -r MDS_PREFIX=http://metadata.google.internal/computeMetadata/v1
+declare -r MDS_TRIES=${MDS_TRIES:-100}
+
+function print_metadata_value() {
+ local readonly tmpfile=$(mktemp)
+ http_code=$(curl -f "${1}" -H "Metadata-Flavor: Google" -w "%{http_code}" \
+ -s -o ${tmpfile} 2>/dev/null)
+ local readonly return_code=$?
+ # If the command completed successfully, print the metadata value to stdout.
+ if [[ ${return_code} == 0 && ${http_code} == 200 ]]; then
+ cat ${tmpfile}
+ fi
+ rm -f ${tmpfile}
+ return ${return_code}
+}
+
+function print_metadata_value_if_exists() {
+ local return_code=1
+ local readonly url=$1
+ print_metadata_value ${url}
+ return_code=$?
+ return ${return_code}
+}
+
+function get_metadata_value() {
+ local readonly varname=$1
+ # Print the instance metadata value.
+ print_metadata_value_if_exists ${MDS_PREFIX}/instance/${varname}
+ return_code=$?
+ # If the instance doesn't have the value, try the project.
+ if [[ ${return_code} != 0 && ${return_code} != 6 && ${return_code} != 7 ]];
+ then
+ print_metadata_value_if_exists ${MDS_PREFIX}/project/${varname}
+ return_code=$?
+ fi
+ return ${return_code}
+}
+
+function get_metadata_value_with_retries() {
+ local return_code=1 # General error code.
+ for ((count=0; count <= ${MDS_TRIES}; count++)); do
+ get_metadata_value $VARNAME
+ return_code=$?
+ case $return_code in
+ # No error. We're done.
+ 0) exit ${return_code};;
+ # Failed to resolve host or connect to host. Retry.
+ 6|7) sleep 0.3; continue;;
+ # A genuine error. Exit.
+ *) exit ${return_code};
+ esac
+ done
+ # Exit with the last return code we got.
+ exit ${return_code}
+}
+
+get_metadata_value_with_retries
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild
new file mode 120000
index 00000000000..e07d85119e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild
@@ -0,0 +1 @@
+google-guest-agent-20240314.00.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild
new file mode 100644
index 00000000000..c3cf46b3eeb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild
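Review bot: `print_metadata_value` and its callers expand `${tmpfile}`, `${url}`, `${varname}` and `$VARNAME` unquoted, so a key containing whitespace or glob characters is split or expanded before it reaches curl. Quote them, e.g. `print_metadata_value "${url}"`, `-s -o "${tmpfile}"` and `rm -f "${tmpfile}"`. `local readonly tmpfile=...` also does not make the variable read-only; it declares a second local named `readonly`, so `local -r` is what was presumably meant. The temporary file holding the metadata value is left behind if the script is interrupted between curl and `rm`, which a cleanup `trap` would cover, and the loop bound `count <= ${MDS_TRIES}` makes one attempt more than the variable name suggests.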
@@ -0,0 +1,70 @@ +# +# Copyright 2023 Google LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +EAPI=7 + +inherit go-module systemd + +DESCRIPTION="Google Guest Agent" +HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-agent" + +SRC_URI="https://github.com/GoogleCloudPlatform/guest-agent/archive/${PV}.tar.gz -> ${P}.tar.gz" +SRC_URI+=" ${P}-deps.tar.xz" + +LICENSE="Apache-2.0 BSD ZLIB" +SLOT="0" +KEYWORDS="*" +IUSE="" +RDEPEND="!app-admin/compute-image-packages + >=app-admin/oslogin-20231004.00 +" + +S=${WORKDIR}/guest-agent-${PV} + +PATCHES=( + "${FILESDIR}/20231016.00-homedir-gid.patch" + "${FILESDIR}/20231016.00-create-hostkey-and-instanceID-dirs.patch" +) + +src_compile() { + export GOTRACEBACK="crash" + GO=$(tc-getGO) + pushd google_guest_agent || die + CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + -mod=readonly || die + popd || die + pushd google_metadata_script_runner || die + CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + -mod=readonly || die + popd || die +} + +src_install() { + dobin google_guest_agent/google_guest_agent + dobin google_metadata_script_runner/google_metadata_script_runner + systemd_dounit google-guest-agent.service + systemd_dounit google-startup-scripts.service + systemd_dounit google-shutdown-scripts.service + systemd_enable_service multi-user.target google-guest-agent.service + systemd_enable_service multi-user.target google-startup-scripts.service + systemd_enable_service multi-user.target google-shutdown-scripts.service + + # Backports the get_metadata_value script from compute-image-packages. 
+ # We have users that still rely on this script, so we need to continue + # to install it. + exeinto /usr/share/google/ + newexe "${FILESDIR}/get_metadata_value" get_metadata_value + + # Install COS specific configuration + insinto /etc/default + newins "${FILESDIR}/20201102-instance_configs.cfg.distro" instance_configs.cfg.distro +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest new file mode 100644 index 00000000000..2f6cac02686 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest @@ -0,0 +1 @@ +DIST google-guest-configs-20240304.00.tar.gz 24918 BLAKE2B 08f8e5b8c2abd720f5af6682e110b78579e4c8788dfe3b0f243de5aaf98b40f03bcb885d1706d166e08b6e987ed4d86dc4140d444173f0c03aee82ce4d8759ea SHA512 6ae4335c31e1265dcf1bf9b45532571276a50103b482662e8d8ff393a11783a51c5ce0fd266ed41342a1db046114be3b1fe1675b9c4d3e97e52486d7ededcf41 diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch new file mode 100644 index 00000000000..4ac9d275cbc --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch 
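Review bot: `SRC_URI+=" ${P}-deps.tar.xz"` names the roughly 100 MB Go dependency tarball without a URL, so the Manifest hash is the only thing tying it to upstream and nothing visible in the ebuild lets a reviewer regenerate the archive and compare. Add a comment above that line recording where the tarball is hosted and the exact command used to produce it from the tagged `go.mod`/`go.sum`, so the Manifest entry can be reproduced independently. The same applies to `google-osconfig-agent-20240320.00.ebuild` later in this patch. `src_install` also installs `instance_configs.cfg.distro` with the comment `# Install COS specific configuration`, which deserves a note on whether those settings are intended for the importing distribution.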
@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions. When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10
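Review bot: Every hardening key in `60-gce-network-security.conf` except `log_martians` is removed here (`tcp_syncookies`, `rp_filter`, `accept_redirects`, `accept_source_route`, `send_redirects`, `kernel.randomize_va_space` and the rest), and the patch carries no description saying why. That is only safe if the base image sets the same values elsewhere, so the patch should open with a header comment stating it, for example `Dropped keys are provided by the distribution's own sysctl.d defaults`, and the effective values should be checked on a booted image with `sysctl -a`. The patch file is also named for 20211116.00 while the ebuild applies it to 20240304.00, which is worth a comment next to the `eapply` line.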
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild new file mode 120000 index 00000000000..ae939291df3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild @@ -0,0 +1 @@ +google-guest-configs-20240304.00.ebuild \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild new file mode 100644 index 00000000000..7d960aa1a56 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild 
@@ -0,0 +1,47 @@ +# +# Copyright 2021 Google LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +EAPI=7 + +inherit udev + +DESCRIPTION="Google Guest Configs" +HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs" + +SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="Apache-2.0 BSD ZLIB" +KEYWORDS="*" +SLOT="0" +IUSE="" + +S=${WORKDIR}/guest-configs-${PV} + +src_prepare() { + eapply "${FILESDIR}"/google-guest-configs-20211116.00-sysctl.patch + + eapply_user +} + +src_install() { + exeinto /lib/udev + doexe "${S}"/src/lib/udev/google_nvme_id + + udev_dorules "${S}"/src/lib/udev/rules.d/65-gce-disk-naming.rules + + insinto /etc/sysctl.d + doins "${S}"/src/etc/sysctl.d/60-gce-network-security.conf + + exeinto /usr/bin + doexe "${S}"/src/usr/bin/google_set_multiqueue +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest new file mode 100644 index 00000000000..c3ff780f961 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest 
@@ -0,0 +1,2 @@ +DIST google-osconfig-agent-20240320.00-deps.tar.xz 116159132 BLAKE2B 3d1ed39518de1a58ca1c157c2d4ccca714548027e4d7f044dbcb28017d0adafbfdba441f7a15235de268cbabf2547817482ac52e6ad5d458e45a3f7121b89f8e SHA512 18956585bf8af490cbea75bdc201d100f18ba9e2795a9c4188f3dd95b7ad966af390747f945971f349f3a8b370c91f4facb2408abc62954fcee16d3c608e7575 +DIST google-osconfig-agent-20240320.00.tar.gz 380118 BLAKE2B 96d1ba4c3be376159c786045ceef07f961656422b6c9e4eab9d5da94814002eb53e2aaffdb1b4671c54d13b8bf7d8036a5728688bddb9e8138e36bd9145e0740 SHA512 c9fb4fd17a4e6f8a8333baa37c97015e1468cd58f9f85a856c47ce202d24f53b7b0e746738aacbbd3c5727954978b23544a1060e190513f7a9c80e9298b09ecc diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service new file mode 100644 index 00000000000..3e2b0c2689e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service @@ -0,0 +1,11 @@ +[Unit] +Description=Delete recipe database used by osconfig-agent before it starts +Before=google-osconfig-agent.service + +[Service] +Type=oneshot +ExecStart=/bin/rm -f /var/lib/google/osconfig_recipedb +RemainAfterExit=yes + +[Install] +WantedBy=google-osconfig-agent.service diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh new file mode 100644 index 00000000000..dcccbe66cf4 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh 
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Disables ssh.
+systemctl stop sshd.service
+systemctl mask sshd.service
+systemctl -q is-active sshd.service
+IS_ACTIVE=$?
+IS_ENABLED=$(systemctl is-enabled sshd.service)
+
+if [[ "$IS_ACTIVE" -eq 0 ]] || [[ "$IS_ENABLED" != "masked" ]]; then
+ echo "Failed to disable sshd.service"
+ exit 1
+else
+ echo "sshd.service is disabled"
+fi
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild
new file mode 120000
index 00000000000..7c060072321
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild
@@ -0,0 +1 @@
+google-osconfig-agent-20240320.00.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild
new file mode 100644
index 00000000000..ae125ebe0af
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild
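Review bot: Only `sshd.service` is stopped, masked and checked, so on an image where SSH is socket-activated (an `sshd.socket` spawning per-connection `sshd@.service` instances, which I believe is how the importing distribution ships it; please confirm) the listener would keep accepting logins while the script prints "sshd.service is disabled". Extend the script with `systemctl stop sshd.socket` and `systemctl mask sshd.socket`, and include the socket unit in the final check so the success message reflects the real state. The exit status of the `stop` and `mask` calls is ignored, which is tolerable only because the verification follows; a short comment saying so would help.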
@@ -0,0 +1,52 @@ +# +# Copyright 2023 Google LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +EAPI=7 + +inherit go-module systemd + +DESCRIPTION="Google OS Config Agent" +HOMEPAGE="https://github.com/GoogleCloudPlatform/osconfig" + +SRC_URI="https://github.com/GoogleCloudPlatform/osconfig/archive/${PV}.tar.gz -> ${P}.tar.gz" +SRC_URI+=" ${P}-deps.tar.xz" + +LICENSE="Apache-2.0 BSD" +SLOT="0" +KEYWORDS="*" +IUSE="" + +S="${WORKDIR}/osconfig-${PV}" + +src_compile() { + export GOTRACEBACK="crash" + GO=$(tc-getGO) + export GO + # These compilation flags are from packaging/debian/rules, + # packaging/google-osconfig-agent.spec, and + # packaging/googet/google-osconfig-agent.goospec in the osconfig source tree. + CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + -mod=readonly -o google_osconfig_agent || die +} + +src_install() { + dobin google_osconfig_agent + systemd_dounit google-osconfig-agent.service + systemd_enable_service multi-user.target google-osconfig-agent.service + + systemd_dounit "${FILESDIR}"/google-osconfig-init.service + systemd_enable_service google-osconfig-agent.service google-osconfig-init.service + + exeinto /usr/share/google + doexe "${FILESDIR}"/no_ssh.sh +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest new file mode 100644 index 00000000000..7d4152dca5c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest 
@@ -0,0 +1 @@ +DIST oslogin-20231004.00.tar.gz 57637 BLAKE2B 836148239f7ffc302ea39b51cb1940ae190d63134552f2487820dd7516977df41bd53893717aba01709cd2c9767a17d5e023c17813596a7db085e215d2ce1f5a SHA512 1f9d31c26ebe33c6e02a7f59d77ce71212244a3bdc20c5b8de32b9ceb1c523bdfe1332f0a095e7383eebab5172bf9a7a76c87d8e02f339b58f151ca9f801b83a diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch new file mode 100644 index 00000000000..2c2b9191753 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch 
@@ -0,0 +1,40 @@ +From 9de91cfab8fc31fb043da1b15f7b2ce632a0e9ee Mon Sep 17 00:00:00 2001 +From: Oleksandr Tymoshenko +Date: Wed, 1 Nov 2023 05:01:59 +0000 +Subject: [PATCH] Make json-c include dir configurable + +--- + src/Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index a633c7ca61cf..04d90d24a281 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -1,7 +1,7 @@ + SHELL = /bin/sh + TOPDIR = $(realpath ..) + +-CPPFLAGS = -Iinclude -I/usr/include/json-c -I$(TOPDIR)/third_party/include ++CPPFLAGS = -Iinclude -I$(JSON_INCLUDE_PATH) -I$(TOPDIR)/third_party/include + FLAGS = -fPIC -Wall -g + CFLAGS = $(FLAGS) -Wstrict-prototypes + CXXFLAGS = $(FLAGS) +@@ -52,12 +52,12 @@ $(NSS_CACHE_OSLOGIN): nss/nss_cache_oslogin.o nss/compat/getpwent_r.o oslogin_ut + + # PAM modules + +-$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o include/oslogin_sshca.h ++$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o + $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS) + + # Utilities. + +-google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o include/oslogin_sshca.h ++google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o + $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS) + + google_authorized_keys: authorized_keys/authorized_keys.o oslogin_utils.o +-- +2.42.0.820.g83a721a137-goog + diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild new file mode 120000 index 00000000000..f87620f271d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild @@ -0,0 +1 @@ +oslogin-20231004.00.ebuild \ No newline at end of file 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild
new file mode 100644
index 00000000000..1cc83a4b75b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild
@@ -0,0 +1,43 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+EAPI=7
+
+inherit eutils pam flag-o-matic
+
+DESCRIPTION="Google Compute Engine OS Login libraries, applications and configurations."
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+
+# Release tag of compute-image-packages.
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> oslogin-${PV}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="*"
+
+DEPEND="
+ net-misc/curl
+ dev-libs/json-c
+ sys-libs/pam
+"
+RDEPEND="${DEPEND}
+ >=app-admin/google-guest-agent-20231016.00
+"
+
+S="${WORKDIR}/guest-oslogin-${PV}"
+
+PATCHES=(
+ "${FILESDIR}/oslogin-20231004.00-fix-build.patch"
+)
+
+src_compile() {
+ emake JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c" VERSION="${PV}"
+}
+
+src_install() {
+ emake DESTDIR="${D}/" LIBDIR="$(get_libdir)" VERSION="${PV}" \
+ PAMDIR="$(getpam_mod_dir)" install
+ dosym libnss_oslogin-"${PV}".so \
+ "$(get_libdir)"/libnss_oslogin.so.2
+}
From c611e633ef181a50a6254d3c01b9309411249587 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:43:30 +0000 Subject: [PATCH 02/14] app-admin/google-guest-agent: Depend on coreos-go for x-compile support Signed-off-by: Jeremi Piotrowski --- .../google-guest-agent-20240314.00.ebuild | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) 
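Review bot: The `emake` call in src_compile passes only `JSON_INCLUDE_PATH` and `VERSION`, so the PAM and NSS modules are compiled with whatever flags the upstream Makefile hard-codes rather than the distribution's. The Makefile context in files/oslogin-20231004.00-fix-build.patch shows `FLAGS = -fPIC -Wall -g` with `CFLAGS = $(FLAGS) -Wstrict-prototypes` and `CXXFLAGS = $(FLAGS)`, and an assignment inside a Makefile overrides the environment, so the profile's CFLAGS/CXXFLAGS (optimisation level and any hardening options set there) never reach these login-path libraries. Passing them on the command line would fix that, e.g. `emake CFLAGS="${CFLAGS} -fPIC" CXXFLAGS="${CXXFLAGS} -fPIC" JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c" VERSION="${PV}"`. The link rules visible in that patch do not reference `$(LDFLAGS)`, so honouring LDFLAGS would presumably need a further Makefile change; only part of the Makefile is visible here.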
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild index c3cf46b3eeb..03f8c986f76 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild @@ -12,7 +12,9 @@ # EAPI=7 -inherit go-module systemd +# Flatcar: inherit coreos-go-depend +COREOS_GO_VERSION=go1.21 +inherit coreos-go-depend go-module systemd DESCRIPTION="Google Guest Agent" HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-agent" @@ -35,15 +37,22 @@ PATCHES=( "${FILESDIR}/20231016.00-create-hostkey-and-instanceID-dirs.patch" ) +# Flatcar: export GO variables +src_prepare() { + go_export + default +} + src_compile() { export GOTRACEBACK="crash" - GO=$(tc-getGO) pushd google_guest_agent || die - CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + # Flatcar: switch to EGO + CGO_ENABLED=0 ${EGO} build -ldflags="-s -w -X main.version=${PV}" \ -mod=readonly || die popd || die pushd google_metadata_script_runner || die - CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + # Flatcar: switch to EGO + CGO_ENABLED=0 ${EGO} build -ldflags="-s -w -X main.version=${PV}" \ -mod=readonly || die popd || die } From fa5bbbab676b23714b546b610cb3607c9bdbc670 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:47:31 +0000 Subject: [PATCH 03/14] app-admin/google-osconfig-agent: Depend on coreos-go for x-compile support Signed-off-by: Jeremi Piotrowski --- .../google-osconfig-agent-20240320.00.ebuild | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
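Review bot: Neither `${EGO} build` call in src_compile asks for a position-independent executable, so with `CGO_ENABLED=0` and `-ldflags="-s -w ..."` the guest agent and the metadata script runner are presumably linked as fixed-address static binaries and get no address-space randomisation of their own code. Unless `go_export` already sets the build mode through `GOFLAGS` (the eclass is not visible in this diff), I would add `-buildmode=pie` to both commands, e.g. `CGO_ENABLED=0 ${EGO} build -buildmode=pie -ldflags="-s -w -X main.version=${PV}" \`. The same build line is introduced for google-osconfig-agent in PATCH 03/14 and would need the same change.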
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild index ae125ebe0af..d8dfdd2d1cb 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild @@ -13,7 +13,9 @@ EAPI=7 -inherit go-module systemd +# Flatcar: inherit coreos-go-depend +COREOS_GO_VERSION=go1.21 +inherit coreos-go-depend go-module systemd DESCRIPTION="Google OS Config Agent" HOMEPAGE="https://github.com/GoogleCloudPlatform/osconfig" @@ -28,14 +30,19 @@ IUSE="" S="${WORKDIR}/osconfig-${PV}" +# Flatcar: export GO variables +src_prepare() { + go_export + default +} + src_compile() { export GOTRACEBACK="crash" - GO=$(tc-getGO) - export GO # These compilation flags are from packaging/debian/rules, # packaging/google-osconfig-agent.spec, and # packaging/googet/google-osconfig-agent.goospec in the osconfig source tree. - CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \ + # Flatcar: switch to EGO + CGO_ENABLED=0 ${EGO} build -ldflags="-s -w -X main.version=${PV}" \ -mod=readonly -o google_osconfig_agent || die } From c9821533b0facfc635937f0146b78544b0eb15c6 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:53:20 +0000 Subject: [PATCH 04/14] app-admin/google-guest-configs: Install ssd optimize script Signed-off-by: Jeremi Piotrowski --- .../google-guest-configs-20240304.00.ebuild | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild index 7d960aa1a56..ad3de41b7ef 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild @@ -44,4 +44,6 @@ src_install() { exeinto /usr/bin doexe "${S}"/src/usr/bin/google_set_multiqueue + # Flatcar: why don't they install this? + doexe "${S}"/src/usr/bin/google_optimize_local_ssd } From 90faf6ab4816f24173ff76097c3c221ad2bd1442 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:56:59 +0000 Subject: [PATCH 05/14] app-admin/oslogin: Fix eclasses and export CC/CXX eutils is not supported by the latest EAPIs, but COS hasn't noticed. We also need CC/CXX exported to use the correct tools. Signed-off-by: Jeremi Piotrowski --- .../app-admin/oslogin/oslogin-20231004.00.ebuild | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild index 1cc83a4b75b..155e99a0811 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild @@ -4,7 +4,8 @@ EAPI=7 -inherit eutils pam flag-o-matic +# Flatcar: remove eutils add toolchain-funcs +inherit pam flag-o-matic toolchain-funcs DESCRIPTION="Google Compute Engine OS Login libraries, applications and configurations." HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin" 
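Review bot: The comment added above the new `doexe` line, `# Flatcar: why don't they install this?`, records an open question rather than the reason for the divergence from COS. The imported ebuild leaves `google_optimize_local_ssd` out, and this hunk does not show whether that omission is deliberate or which unit or udev rule is expected to call the script once it is in /usr/bin. I would replace the comment with the reason and the caller, along the lines of `# Flatcar: install google_optimize_local_ssd (not shipped by COS); invoked by <CALLER>`, with the placeholder filled in once that is confirmed.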
@@ -32,6 +33,8 @@ PATCHES=( ) src_compile() { + # Flatcar: export compile env + tc-export CC CXX emake JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c" VERSION="${PV}" } From 40685757f7cfcc4c3550c5206127af6150159f10 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:00:08 +0000 Subject: [PATCH 06/14] coreos-base/coreos: No longer install google-oslogin It is no longer needed in the image, oslogin can be included in the GCP sysext. Remove the unused ebuild as well. 
Signed-off-by: Jeremi Piotrowski --- .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 - .../sys-auth/google-oslogin/Manifest | 1 - ...am_module-use-var-lib-instead-of-var.patch | 39 ------------- .../files/60-flatcar-google-oslogin.conf | 3 - .../sys-auth/google-oslogin/files/group.conf | 2 - .../google-oslogin/files/nsswitch.conf | 19 ------- .../google-oslogin/files/oslogin-sudoers | 1 - .../sys-auth/google-oslogin/files/pam_sshd | 12 ---- .../sys-auth/google-oslogin/files/sshd_config | 17 ------ .../google-oslogin-20200910.00-r3.ebuild | 57 ------------------- 10 files changed, 152 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/oslogin-sudoers delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index a91885d5546..63f0f6bc7e2 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -211,6 +211,5 @@ RDEPEND="${RDEPEND} RDEPEND+=" amd64? ( app-emulation/qemu-guest-agent - sys-auth/google-oslogin ) " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest deleted file mode 100644 index f1bedb2e82f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest +++ /dev/null @@ -1 +0,0 @@ -DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch deleted file mode 100644 index 65fae86284b..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 66c1d03b541211ed4707b0608422856ece90f1c2 Mon Sep 17 00:00:00 2001 -From: Andrew Jeddeloh -Date: Fri, 6 Jul 2018 15:54:40 -0700 -Subject: [PATCH] pam_module: use /var/lib/ instead of /var - ---- - guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +- - guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc -index 04d0808..376916e 100644 ---- a/guest-oslogin/src/pam/pam_oslogin_admin.cc -+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc -@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail; - using oslogin_utils::UrlEncode; - using oslogin_utils::kMetadataServerUrl; - --static const char kSudoersDir[] = "/var/google-sudoers.d/"; -+static const char kSudoersDir[] = "/var/lib/google-sudoers.d/"; - - extern "C" { - -diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc -index 9e708f4..428600b 100644 ---- a/guest-oslogin/src/pam/pam_oslogin_login.cc -+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc -@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail; - using oslogin_utils::UrlEncode; - using oslogin_utils::kMetadataServerUrl; - --static const char kUsersDir[] = "/var/google-users.d/"; -+static const char kUsersDir[] = "/var/lib/google-users.d/"; - - extern "C" { - --- -2.16.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf deleted file mode 100644 index d9f62661bf3..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Needed for google oslogin -AuthorizedKeysCommand /usr/libexec/google_authorized_keys -AuthorizedKeysCommandUser root 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf deleted file mode 100644 index 881c111e1df..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Instruct oslogin to add the docker group to user that login via ssh -sshd;*;*;Al0000-2400;docker diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf deleted file mode 100644 index 07af435bc04..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/nsswitch.conf: -# Keep this in sync with nsswitch.conf from coreos/baselayout -passwd: files usrfiles sss systemd cache_oslogin oslogin -shadow: files usrfiles sss -group: files usrfiles sss systemd cache_oslogin oslogin - -hosts: files usrfiles dns myhostname -networks: files usrfiles dns - -services: files usrfiles -protocols: files usrfiles -rpc: files usrfiles - -ethers: files -netmasks: files -netgroup: files -bootparams: files -automount: files -aliases: files diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/oslogin-sudoers b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/oslogin-sudoers deleted file mode 100644 index fed889fb8c6..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/oslogin-sudoers +++ /dev/null @@ -1 +0,0 @@ -#includedir /var/lib/google-sudoers.d diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd deleted file mode 100644 index 9452354ce56..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd +++ /dev/null @@ -1,12 +0,0 @@ -# Needed for oslogin support (needs to be prepended) -auth [default=ignore] pam_group.so -auth [success=done perm_denied=die default=ignore] pam_oslogin_login.so -account [success=ok default=ignore] pam_oslogin_admin.so -account [success=ok ignore=ignore default=die] pam_oslogin_login.so -session [success=ok default=ignore] pam_mkhomedir.so - -# Keep this file in sync with the net-misc/openssh/files/sshd.pam_include.2 -auth include system-remote-login -account include system-remote-login -password include system-remote-login -session include system-remote-login diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config deleted file mode 100644 index 7b51b214e4d..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config +++ /dev/null @@ -1,17 +0,0 @@ -# This is an old SSHD config file, unused in new Flatcar -# installations. We provide it for backward compatibility. - -# Use most defaults for sshd configuration. -Subsystem sftp internal-sftp -ClientAliveInterval 180 -UseDNS no -UsePAM yes -PrintLastLog no # handled by PAM -PrintMotd no # handled by PAM -# Needed for google oslogin -AuthorizedKeysCommand /usr/libexec/google_authorized_keys -AuthorizedKeysCommandUser root -# Temporarily accept ssh-rsa algorithm for openssh >= 8.8, -# until most ssh clients could deprecate ssh-rsa. -HostkeyAlgorithms +ssh-rsa -PubkeyAcceptedAlgorithms +ssh-rsa diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild deleted file mode 100644 index 679e0c0b3a8..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR" -HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin" -SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="amd64" -IUSE="" - -inherit pam toolchain-funcs - -DEPEND=" - net-misc/curl[ssl] - dev-libs/json-c - sys-libs/pam -" - -RDEPEND="${DEPEND}" - -S=${WORKDIR}/guest-oslogin-${PV}/ - -src_prepare() { - eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch" - default -} - -src_compile() { - emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \ - VERSION=${PV} \ - JSON_INCLUDE_PATH="${SYSROOT%/}/usr/include/json-c" -} - -src_install() { - dolib.so src/libnss_cache_oslogin-${PV}.so - dolib.so src/libnss_oslogin-${PV}.so - - exeinto /usr/libexec - doexe src/google_authorized_keys - doexe src/google_oslogin_nss_cache - - dopammod src/pam_oslogin_admin.so - dopammod src/pam_oslogin_login.so - - # config files the base Ignition config will create links to - insinto /usr/share/google-oslogin - doins "${FILESDIR}/sshd_config" - doins "${FILESDIR}/60-flatcar-google-oslogin.conf" - doins "${FILESDIR}/nsswitch.conf" - doins "${FILESDIR}/pam_sshd" - doins "${FILESDIR}/oslogin-sudoers" - doins "${FILESDIR}/group.conf" -} From 18c65e1165cb933076141226614523ff191c9194 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:02:37 +0000 Subject: [PATCH 07/14] WIP: dev-lang/go: Add Go 1.21.8 
Signed-off-by: Jeremi Piotrowski --- .../src/third_party/coreos-overlay/dev-lang/go/Manifest | 1 + .../coreos-overlay/dev-lang/go/go-1.21.8.ebuild | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.8.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest index c1cb573db06..5694e534844 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest @@ -1,2 +1,3 @@ DIST go1.19.13.src.tar.gz 26578128 BLAKE2B 085e26f9cc6f54472c6e7bb710987895def7a1de774c5f02d468ce8d39ec70a79ef9332e75275921df5fbd9b1ee2cc04ea674e43197f0318c7288ffba8c57f3c SHA512 59405e9b8e061ddaf99b0fb60aa3795bb6a8cf8743ca191a82ba9a4fa3c83da300de2519f13d6fe664f95c7e34fd75259a9e1c92471d219590701572ff0f26e6 DIST go1.20.14.src.tar.gz 26202564 BLAKE2B 21a97555d086502d7b41398e02d8c7a07be17ec0961a15b11e0b452f05face85f95e8745b68a0e5bbadb7b9a3c014117829f6e45d6acc1adb465125560489442 SHA512 d97951fedf87a999e3f09819a8ac23608980e68173ae141fa11140f0117a35639308de0ea37d3b209bfb709cd5758cd39016dd0f2dd6c3959e1ea3ea29c6fef4 +DIST go1.21.8.src.tar.gz 26992984 BLAKE2B bebcd1a0b5e6d844d272fbd351709344a41856d16ebedad5ab58ac905695dcdd8ca29936a0534a895de7d0bffabed395a6169f1671bcca01e449e960405a4b0b SHA512 dde764ee12fbf58a603d31c20ea239805ffec359a90b0aad7575cc857e241393c2adc47d2f00136db5dff2cbe11b90e8d009d67f9329d363e75a0720067123b0 diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.8.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.8.ebuild new file mode 100644 index 00000000000..7951a795c11 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.8.ebuild 
@@ -0,0 +1,8 @@ +# Copyright 2022 Flatcar Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit coreos-go-lang + +KEYWORDS="-* amd64 arm64" From a6acec317643c917b33d2547092b43baeb2b5f2a Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:09:44 +0000 Subject: [PATCH 08/14] coreos-base/oem-gce: Switch to Go-based agents The Go-based agents imported from COS are up-to-date and apply all the required configuration automatically. Signed-off-by: Jeremi Piotrowski --- .../coreos-base/oem-gce/files/manglefs.sh | 7 ++++ .../oem-gce/oem-gce-20180823-r7.ebuild | 42 ------------------- .../oem-gce/oem-gce-20240326-r1.ebuild | 33 +++++++++++++++ 3 files changed, 40 insertions(+), 42 deletions(-) create mode 100755 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh new file mode 100755 index 00000000000..f131cb54ab3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +set -euo pipefail + +rootfs="${1}" + +find "${rootfs}/" diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild deleted file mode 100644 index 5baa71325b6..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild +++ /dev/null 
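Review bot: In the new manglefs.sh, `rootfs="${1}"` accepts an empty argument, because `set -u` only rejects an unset one, and `find "${rootfs}/"` then walks `/` of the build host. Today the script only lists paths, which looks like a placeholder, but any real modification step added later would inherit the same unchecked path. I would make the assignment fail on empty input and check the directory before use: `rootfs="${1:?usage: manglefs.sh ROOTFS}"` followed by `[[ -d "${rootfs}" ]] || exit 1`. A one-line header comment saying what the script is meant to change in the sysext root would also help, since the current body does not show it.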
@@ -1,42 +0,0 @@ -# Copyright (c) 2013 CoreOS, Inc.. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 -# Copyright (c) 2020 Kinvolk GmbH. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit systemd - -DESCRIPTION="OEM suite for Google Compute Engine images" -HOMEPAGE="https://cloud.google.com/products/compute-engine/" -SRC_URI="" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="amd64" -IUSE="" - -# no source directory -S="${WORKDIR}" - -RDEPEND=" - app-emulation/google-compute-engine -" - -OEM_NAME="Google Compute Engine" - -src_install() { - systemd_dounit "${FILESDIR}/units/oem-gce.service" - systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service" - systemd_dounit "${FILESDIR}/units/setup-oem.service" - systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf" - systemd_enable_service "multi-user.target" "ntpd.service" - - dobin "${FILESDIR}/bin/enable-oslogin" - dobin "${FILESDIR}/bin/init.sh" - - # These files will be symlinked to /etc via 'setup-oem.service' - insinto /usr/share/gce/ - doins "${FILESDIR}/files/hosts" - doins "${FILESDIR}/files/google-cloud-sdk.sh" -} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild new file mode 100644 index 00000000000..d6aeee0eb7d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild 
@@ -0,0 +1,33 @@ +# Copyright (c) 2013 CoreOS, Inc.. All rights reserved. +# Distributed under the terms of the GNU General Public License v2 +# Copyright (c) 2020 Kinvolk GmbH. All rights reserved. +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit systemd + +DESCRIPTION="OEM suite for Google Compute Engine images" +HOMEPAGE="https://cloud.google.com/products/compute-engine/" +SRC_URI="" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="amd64" +IUSE="" + +# no source directory +S="${WORKDIR}" + +RDEPEND=" + app-admin/google-guest-agent + app-admin/google-guest-configs + app-admin/google-osconfig-agent + app-admin/oslogin +" + +OEM_NAME="Google Compute Engine" + +src_install() { + : +} From e04edde03067443318d7fcc11d94464d70a42ab8 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:13:29 +0000 Subject: [PATCH 09/14] coreos-devel/board-packages: Remove google-compute-engine Nothing depends on it any longer. Signed-off-by: Jeremi Piotrowski --- .../google-compute-engine/Manifest | 1 - .../google-compute-engine-20190124-r1.ebuild | 41 ------------------- .../board-packages-0.0.1.ebuild | 1 - 3 files changed, 43 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/Manifest deleted file mode 100644 index ff0c0c21a2e..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/Manifest +++ /dev/null 
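Review bot: The new `src_install` is a bare `:`, so everything the removed oem-gce-20180823-r7.ebuild installed disappears without a stated replacement, including `systemd_enable_service "multi-user.target" "ntpd.service"`, `oem-gce-enable-oslogin.service` and the `hosts` file. The commit message says the Go agents apply the required configuration, but nothing in this hunk shows which package now enables time synchronisation or OS Login, and both affect login and token validation on the instance. I would add a comment inside `src_install` naming the package that takes over each of those duties, or restore the ones that have no new owner. The ebuild also does not reference the manglefs.sh added in the same commit, so a note on how that script gets invoked belongs there too.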
@@ -1 +0,0 @@ -DIST 20190124.tar.gz 126211 BLAKE2B 7608ec8370f9c1aa1da4cf0f0ec20ff86ef07846bdcb6aabac6de441326a78e98b559502b11ee4028065eb8056f9ee6c2f3247e26485e8c9af70892d955236f7 SHA512 8f12c2a361ebd833b0eb3fa6ef26f42a82b4ef6497d8e5231eeaaf5b2e6dd1662ec596e1bbad73e06207ac29e098863311538c360c62efe9fd5cc9b58d1b8ad4 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r1.ebuild deleted file mode 100644 index 0d61ec344af..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r1.ebuild +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright (c) 2016-2018 CoreOS, Inc. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit eutils - -DESCRIPTION="Linux Guest Environment for Google Compute Engine" -HOMEPAGE="https://github.com/GoogleCloudPlatform/compute-image-packages" -SRC_URI="https://github.com/GoogleCloudPlatform/compute-image-packages/archive/${PV}.tar.gz" - -LICENSE="MIT" -SLOT="0" -KEYWORDS="amd64 x86" -IUSE="" - -DEPEND="dev-python/setuptools" - -# These dependencies cover all commands called by the scripts. -RDEPEND=" - app-admin/sudo - dev-python/boto - dev-python/distro - dev-python/setuptools - sys-apps/ethtool - sys-apps/coreutils - sys-apps/gawk - sys-apps/grep - sys-apps/iproute2 - sys-apps/shadow -" - -S="${WORKDIR}/compute-image-packages-${PV}" - -src_compile() { - (cd "${S}" && exec python3 setup.py build) -} - -src_install() { - (cd "${S}" && exec python3 setup.py install -O1 --skip-build --root "${D}") -} 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild index 5e24ad96daf..e2a9d9dbc17 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild @@ -20,7 +20,6 @@ IUSE="" DEPEND="" RDEPEND=" amd64? ( - app-emulation/google-compute-engine app-emulation/open-vm-tools coreos-base/nova-agent-container coreos-base/nova-agent-watcher From 8d3f25d3801a90dc953a470d5c625b146e1fbc2a Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:17:06 +0000 Subject: [PATCH 10/14] coreos-devel/board-packages: Add GCP OEM packages to RDEPENDS So that they can be included in a sysext. Signed-off-by: Jeremi Piotrowski --- ...kages-0.0.1-r14.ebuild => board-packages-0.0.1-r15.ebuild} | 0 .../coreos-devel/board-packages/board-packages-0.0.1.ebuild | 4 ++++ 2 files changed, 4 insertions(+) rename sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/{board-packages-0.0.1-r14.ebuild => board-packages-0.0.1-r15.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r14.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r15.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r14.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r15.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild index e2a9d9dbc17..529aa189319 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild @@ -20,6 +20,10 @@ IUSE="" DEPEND="" RDEPEND=" amd64? ( + app-admin/google-guest-agent + app-admin/google-guest-configs + app-admin/google-osconfig-agent + app-admin/oslogin app-emulation/open-vm-tools coreos-base/nova-agent-container coreos-base/nova-agent-watcher From 1c8b3a5497b3d309bbeba45c31923a0d28e6cc44 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 11:18:59 +0000 Subject: [PATCH 11/14] dev-python/boto: Remove unused ebuild Google-compute-engine used to depend on boto, but it has been booted from our tree so we can remove boto as well. 
Signed-off-by: Jeremi Piotrowski
---
 .../coreos-overlay/dev-python/boto/Manifest | 1 -
 .../coreos-overlay/dev-python/boto/README.md | 8 --
 .../dev-python/boto/boto-2.49.0-r6.ebuild | 63 -----------
 .../boto/files/boto-2.49.0-mock-spec.patch | 12 --
 .../boto-2.49.0-py3-httplib-strict.patch | 35 ------
 .../files/boto-2.49.0-py3-server-port.patch | 42 -------
 .../files/boto-2.49.0-py3-socket-binary.patch | 59 ----------
 .../boto/files/boto-2.49.0-py310.patch | 44 --------
 .../boto/files/boto-2.49.0-py38.patch | 54 ---------
 ...oto-2.49.0-try-to-add-SNI-support-v3.patch | 104 ------------------
 .../boto/files/boto-2.49.0-unbundle-six.patch | 28 -----
 .../dev-python/boto/metadata.xml | 14 ---
 12 files changed, 464 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/Manifest
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/README.md
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/boto-2.49.0-r6.ebuild
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-mock-spec.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-server-port.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py310.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py38.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-unbundle-six.patch
 delete mode 100644
sdk_container/src/third_party/coreos-overlay/dev-python/boto/metadata.xml
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/Manifest
deleted file mode 100644
index 880178074c3..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST boto-2.49.0.tar.gz 1478498 BLAKE2B 6a897ea162f5f4bd34a2d488a3e3897f7f2f5b8707dd0922c01b6a0b90ea577223bf3e588b6685bda1f2bc0e92af426711fcba67a70377183465a530065c6c84 SHA512 2175cf30cd25bbc05812e83e5ade7668c3e21b1bb09aa1b43f0f0ac7d6967a646394fb52c9be673ebb65618c5b33a52d6f31f6da702f5cd1d6c9a18169476dd4
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/README.md b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/README.md
deleted file mode 100644
index 6b122c15caf..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-This is a straight copy of Gentoo package, with no modifications at
-all. The reason for keeping it in overlay is that upstream plans to
-drop the package on 28th March, 2024.
-
-The package is needed only by the app-emulation/google-compute-engine
-package, which is quite old (version string mentions 2019), so work
-needs to be done to update it in order to drop the dependency on the
-obsolete boto package (Gentoo has dev-python/boto3 package).
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/boto-2.49.0-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/boto-2.49.0-r6.ebuild
deleted file mode 100644
index 00502f5ae5d..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/boto-2.49.0-r6.ebuild
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..11} )
-DISTUTILS_USE_PEP517=setuptools
-
-inherit distutils-r1 pypi
-
-DESCRIPTION="Amazon Web Services API"
-HOMEPAGE="https://github.com/boto/boto https://pypi.org/project/boto/"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 ppc ~ppc64 ~riscv sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
-
-PATCHES=(
- # taken from https://bugs.debian.org/909545
- "${FILESDIR}"/${P}-try-to-add-SNI-support-v3.patch
- "${FILESDIR}"/${P}-py38.patch
- "${FILESDIR}"/${P}-py3-socket-binary.patch
- "${FILESDIR}"/${P}-py3-httplib-strict.patch
- "${FILESDIR}"/${P}-py3-server-port.patch
- "${FILESDIR}"/${P}-unbundle-six.patch
- "${FILESDIR}"/${P}-py310.patch
- "${FILESDIR}"/${P}-mock-spec.patch
-)
-
-RDEPEND="
- >=dev-python/six-1.12.0[${PYTHON_USEDEP}]
-"
-
-BDEPEND="
- ${RDEPEND}
- test? (
- dev-python/httpretty[${PYTHON_USEDEP}]
- dev-python/keyring[${PYTHON_USEDEP}]
- dev-python/lxml[${PYTHON_USEDEP}]
- dev-python/mock[${PYTHON_USEDEP}]
- dev-python/paramiko[${PYTHON_USEDEP}]
- dev-python/requests[${PYTHON_USEDEP}]
- dev-python/rsa[${PYTHON_USEDEP}]
- dev-python/selenium[${PYTHON_USEDEP}]
- )"
-
-distutils_enable_tests nose
-
-src_prepare() {
- # remove bundled libs.
- rm -f "${S}"/boto/vendored/six.py || die
- # broken, not worth fixing
- rm tests/unit/cloudfront/test_signed_urls.py || die
- # fix tests
- mkdir -p "${HOME}"/.ssh || die
- touch "${HOME}"/.ssh/known_hosts || die
-
- distutils-r1_src_prepare
-}
-
-python_test() {
- distutils-r1_python_test tests/unit
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-mock-spec.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-mock-spec.patch
deleted file mode 100644
index d8c8db2f1e9..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-mock-spec.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur boto-2.49.0.orig/tests/unit/ec2/test_volume.py boto-2.49.0/tests/unit/ec2/test_volume.py ---- boto-2.49.0.orig/tests/unit/ec2/test_volume.py 2022-11-02 22:22:36.173725700 -0000 -+++ boto-2.49.0/tests/unit/ec2/test_volume.py 2022-11-02 22:24:26.502590025 -0000 -@@ -55,7 +55,7 @@ - @mock.patch("boto.resultset.ResultSet") - def test_startElement_with_name_tagSet_calls_ResultSet(self, ResultSet, startElement): - startElement.return_value = None -- result_set = mock.Mock(ResultSet([("item", Tag)])) -+ result_set = ResultSet([("item", Tag)]) - volume = Volume() - volume.tags = result_set - retval = volume.startElement("tagSet", None, None) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch deleted file mode 100644 index 209b01aa74a..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-httplib-strict.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -https://github.com/boto/boto/commit/4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c -https://github.com/boto/boto/pull/2718 - -From 4f4dcb31fe852c05ce19b44eb9d5b5d747e36f7c Mon Sep 17 00:00:00 2001 -From: Lee Ball <43632885+catleeball@users.noreply.github.com> -Date: Mon, 10 Jun 2019 16:02:53 -0700 -Subject: [PATCH] Remove `strict=True` from http_client (#6) - -In Python 3.4, the `strict` kwarg was removed[1]. We are removing it -here too. - -Alternatively, we can leave in `strict=True` for 2.x, but I chose to -remove it entirely to maintain consistent behavior across versions. - -[1]: https://docs.python.org/3/library/http.client.html ---- - boto/connection.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/boto/connection.py b/boto/connection.py -index c731173bb4eb..54e26fb2de16 100644 ---- a/boto/connection.py -+++ b/boto/connection.py -@@ -807,7 +807,7 @@ class AWSAuthConnection(object): - sock.sendall(six.ensure_binary("\r\n")) - else: - sock.sendall(six.ensure_binary("\r\n")) -- resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug) -+ resp = http_client.HTTPResponse(sock, debuglevel=self.debug) - resp.begin() - - if resp.status != 200: --- -2.28.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-server-port.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-server-port.patch deleted file mode 100644 index 62e33192198..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-server-port.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -https://github.com/boto/boto/commit/b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63 - -From b9f6cb0ab717ea76e2780c7fddd1cd36b3bf7d63 Mon Sep 17 00:00:00 2001 -From: Matt Houglum -Date: Fri, 21 Jun 2019 15:09:11 -0700 -Subject: [PATCH] Make server_name() behave correctly for PY3 - -...because Python-2.6-or-newer doesn't just include Python 2.6 and 2.7. ---- - boto/connection.py | 14 +++++--------- - 1 file changed, 5 insertions(+), 9 deletions(-) - -diff --git a/boto/connection.py b/boto/connection.py -index 54e26fb2de16..bbb25d8fb842 100644 ---- a/boto/connection.py -+++ b/boto/connection.py -@@ -650,17 +650,13 @@ class AWSAuthConnection(object): - if port == 80: - signature_host = self.host - else: -- # This unfortunate little hack can be attributed to -- # a difference in the 2.6 version of http_client. In old -- # versions, it would append ":443" to the hostname sent -- # in the Host header and so we needed to make sure we -- # did the same when calculating the V2 signature. In 2.6 -- # (and higher!) -- # it no longer does that. Hence, this kludge. -- if ((ON_APP_ENGINE and sys.version[:3] == '2.5') or -- sys.version[:3] in ('2.6', '2.7')) and port == 443: -+ ver_int = sys.version_info[0] * 10 + sys.version_info[1] -+ if port == 443 and ver_int >= 26: # Py >= 2.6 - signature_host = self.host - else: -+ # In versions < 2.6, Python's http_client would append ":443" -+ # to the hostname sent in the Host header and so we needed to -+ # make sure we did the same when calculating the V2 signature. - signature_host = '%s:%d' % (self.host, port) - return signature_host - --- -2.28.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch deleted file mode 100644 index 1d109a3f499..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py3-socket-binary.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -https://github.com/boto/boto/commit/d2cb697b32c297858ecc36701a5a4176818ab36d -https://github.com/boto/boto/pull/2718 -https://github.com/boto/boto/pull/2893 -https://github.com/boto/boto/pull/3699 - -From d2cb697b32c297858ecc36701a5a4176818ab36d Mon Sep 17 00:00:00 2001 -From: Cat Lee Ball -Date: Mon, 10 Jun 2019 13:31:11 -0700 -Subject: [PATCH] Ensure binary strings sent to socket - -When running pre-release tests with proxied connections, it appeared a -few spots in connection.py would fail under Python 3 since the -socket.sendall method expects binary strings rather than unicode. ---- - boto/connection.py | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/boto/connection.py b/boto/connection.py -index a0d89a51f49c..d084d1f881fb 100644 ---- a/boto/connection.py -+++ b/boto/connection.py -@@ -796,17 +796,17 @@ class AWSAuthConnection(object): - else: - sock = socket.create_connection((self.proxy, int(self.proxy_port))) - boto.log.debug("Proxy connection: CONNECT %s HTTP/1.0\r\n", host) -- sock.sendall("CONNECT %s HTTP/1.0\r\n" % host) -- sock.sendall("User-Agent: %s\r\n" % UserAgent) -+ sock.sendall(six.ensure_binary("CONNECT %s HTTP/1.0\r\n" % host)) -+ sock.sendall(six.ensure_binary("User-Agent: %s\r\n" % UserAgent)) - if self.proxy_user and self.proxy_pass: - for k, v in self.get_proxy_auth_header().items(): -- sock.sendall("%s: %s\r\n" % (k, v)) -+ sock.sendall(six.ensure_binary("%s: %s\r\n" % (k, v))) - # See discussion about this config option at - # https://groups.google.com/forum/?fromgroups#!topic/boto-dev/teenFvOq2Cc - if config.getbool('Boto', 'send_crlf_after_proxy_auth_headers', False): -- sock.sendall("\r\n") -+ sock.sendall(six.ensure_binary("\r\n")) - else: -- sock.sendall("\r\n") -+ sock.sendall(six.ensure_binary("\r\n")) - resp = http_client.HTTPResponse(sock, strict=True, debuglevel=self.debug) - resp.begin() - -@@ -814,9 +814,10 @@ class AWSAuthConnection(object): - # Fake a socket error, use 
a code that make it obvious it hasn't - # been generated by the socket library - raise socket.error(-71, -+ six.ensure_binary( - "Error talking to HTTP proxy %s:%s: %s (%s)" % - (self.proxy, self.proxy_port, -- resp.status, resp.reason)) -+ resp.status, resp.reason))) - - # We can safely close the response, it duped the original socket - resp.close() --- -2.28.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py310.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py310.patch deleted file mode 100644 index 7b427f1f15e..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py310.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -diff --git a/boto/dynamodb/types.py b/boto/dynamodb/types.py -index d9aaaa4c..3f8d8601 100644 ---- a/boto/dynamodb/types.py -+++ b/boto/dynamodb/types.py -@@ -27,7 +27,7 @@ Python types and vice-versa. - import base64 - from decimal import (Decimal, DecimalException, Context, - Clamped, Overflow, Inexact, Underflow, Rounded) --from collections import Mapping -+from collections.abc import Mapping - from boto.dynamodb.exceptions import DynamoDBNumberError - from boto.compat import filter, map, six, long_type - -diff --git a/boto/mws/connection.py b/boto/mws/connection.py -index 687fae74..3a1f5f80 100644 ---- a/boto/mws/connection.py -+++ b/boto/mws/connection.py -@@ -21,7 +21,7 @@ - import xml.sax - import hashlib - import string --import collections -+import collections.abc - from boto.connection import AWSQueryConnection - from boto.exception import BotoServerError - import boto.mws.exception -@@ -109,7 +109,7 @@ def http_body(field): - def destructure_object(value, into, prefix, members=False): - if isinstance(value, boto.mws.response.ResponseElement): - destructure_object(value.__dict__, into, prefix, members=members) -- elif isinstance(value, collections.Mapping): -+ elif isinstance(value, collections.abc.Mapping): - for name in value: - if name.startswith('_'): - continue -@@ -117,7 +117,7 @@ def destructure_object(value, into, prefix, members=False): - members=members) - elif isinstance(value, six.string_types): - into[prefix] = value -- elif isinstance(value, collections.Iterable): -+ elif isinstance(value, collections.abc.Iterable): - for index, element in enumerate(value): - suffix = (members and '.member.' or '.') + str(index + 1) - destructure_object(element, into, prefix + suffix, diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py38.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py38.patch deleted file mode 100644 index 0052c6e32e8..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-py38.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff --git a/boto/ecs/item.py b/boto/ecs/item.py -index 79177a31..292b05af 100644 ---- a/boto/ecs/item.py -+++ b/boto/ecs/item.py -@@ -21,7 +21,7 @@ - - - import xml.sax --import cgi -+import html - from boto.compat import six, StringIO - - class ResponseGroup(xml.sax.ContentHandler): -@@ -67,7 +67,7 @@ class ResponseGroup(xml.sax.ContentHandler): - return None - - def endElement(self, name, value, connection): -- self._xml.write("%s" % (cgi.escape(value).replace("&amp;", "&"), name)) -+ self._xml.write("%s" % (html.escape(value).replace("&amp;", "&"), name)) - if len(self._nodepath) == 0: - return - obj = None -diff --git a/tests/unit/utils/test_utils.py b/tests/unit/utils/test_utils.py -index db15b56d..89d1a524 100644 ---- a/tests/unit/utils/test_utils.py -+++ b/tests/unit/utils/test_utils.py -@@ -85,7 +85,7 @@ class TestPassword(unittest.TestCase): - def hmac_hashfunc(cls, msg): - if not isinstance(msg, bytes): - msg = msg.encode('utf-8') -- return hmac.new(b'mysecretkey', msg) -+ return hmac.new(b'mysecretkey', msg, digestmod='MD5') - - class HMACPassword(Password): - hashfunc = hmac_hashfunc -@@ -95,15 +95,15 @@ class TestPassword(unittest.TestCase): - password.set('foo') - - self.assertEquals(str(password), -- hmac.new(b'mysecretkey', b'foo').hexdigest()) -+ hmac.new(b'mysecretkey', b'foo', digestmod='MD5').hexdigest()) - - def test_constructor(self): -- hmac_hashfunc = lambda msg: hmac.new(b'mysecretkey', msg) -+ hmac_hashfunc = lambda msg: hmac.new(b'mysecretkey', msg, digestmod='MD5') - - password = Password(hashfunc=hmac_hashfunc) - password.set('foo') - self.assertEquals(password.str, -- hmac.new(b'mysecretkey', b'foo').hexdigest()) -+ hmac.new(b'mysecretkey', b'foo', digestmod='MD5').hexdigest()) - - - class TestPythonizeName(unittest.TestCase): 
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch deleted file mode 100644 index 11d346a2199..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-try-to-add-SNI-support-v3.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From f5e7f6c98b46ff622f60a4661ffc9ce07216d109 Mon Sep 17 00:00:00 2001 -From: Sebastian Andrzej Siewior -Date: Sat, 29 Sep 2018 21:47:11 +0200 -Subject: [PATCH] boto: try to add SNI support - -Add SNI support. Newer OpenSSL (with TLS1.3) fail to connect if the -hostname is missing. - -Link: https://bugs.debian.org/bug=909545 -Tested-by: Witold Baryluk -Signed-off-by: Sebastian Andrzej Siewior ---- - boto/connection.py | 19 ++++++++++--------- - boto/https_connection.py | 22 +++++++++++----------- - 2 files changed, 21 insertions(+), 20 deletions(-) - -diff --git a/boto/connection.py b/boto/connection.py -index 34b428f101df7..b4867a7657465 100644 ---- a/boto/connection.py -+++ b/boto/connection.py -@@ -778,8 +778,10 @@ - - def proxy_ssl(self, host=None, port=None): - if host and port: -+ cert_host = host - host = '%s:%d' % (host, port) - else: -+ cert_host = self.host - host = '%s:%d' % (self.host, self.port) - # Seems properly to use timeout for connect too - timeout = self.http_connection_kwargs.get("timeout") -@@ -824,23 +824,24 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert - h = http_client.HTTPConnection(host) - - if self.https_validate_certificates and HAVE_HTTPS_CONNECTION: -+ context = ssl.create_default_context() -+ context.verify_mode = ssl.CERT_REQUIRED -+ context.check_hostname = True -+ - msg = "wrapping ssl socket for proxied connection; " - if self.ca_certificates_file: - msg += "CA certificate file=%s" % self.ca_certificates_file -+ context.load_verify_locations(cafile=self.ca_certificates_file) - else: - msg += "using system provided SSL certs" -+ context.load_default_certs() - boto.log.debug(msg) - key_file = self.http_connection_kwargs.get('key_file', None) - cert_file = self.http_connection_kwargs.get('cert_file', None) -- sslSock = ssl.wrap_socket(sock, keyfile=key_file, -- certfile=cert_file, -- cert_reqs=ssl.CERT_REQUIRED, -- ca_certs=self.ca_certificates_file) -- cert = 
sslSock.getpeercert() -- hostname = self.host.split(':', 0)[0] -- if not https_connection.ValidateCertificateHostname(cert, hostname): -- raise https_connection.InvalidCertificateException( -- hostname, cert, 'hostname mismatch') -+ if key_file: -+ context.load_cert_chain(certfile=cert_file, keyfile=key_file) -+ -+ sslSock = context.wrap_socket(sock, server_hostname=cert_host) - else: - # Fallback for old Python without ssl.wrap_socket - if hasattr(http_client, 'ssl'): -diff --git a/boto/https_connection.py b/boto/https_connection.py -index ddc31a152292e..a5076f6f9b261 100644 ---- a/boto/https_connection.py -+++ b/boto/https_connection.py -@@ -119,20 +119,20 @@ from boto.compat import six, http_client - sock = socket.create_connection((self.host, self.port), self.timeout) - else: - sock = socket.create_connection((self.host, self.port)) -+ -+ context = ssl.create_default_context() -+ context.verify_mode = ssl.CERT_REQUIRED -+ context.check_hostname = True -+ if self.key_file: -+ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file) -+ - msg = "wrapping ssl socket; " - if self.ca_certs: - msg += "CA certificate file=%s" % self.ca_certs -+ context.load_verify_locations(cafile=self.ca_certs) - else: - msg += "using system provided SSL certs" -+ context.load_default_certs() - boto.log.debug(msg) -- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, -- certfile=self.cert_file, -- cert_reqs=ssl.CERT_REQUIRED, -- ca_certs=self.ca_certs) -- cert = self.sock.getpeercert() -- hostname = self.host.split(':', 0)[0] -- if not ValidateCertificateHostname(cert, hostname): -- raise InvalidCertificateException(hostname, -- cert, -- 'remote hostname "%s" does not match ' -- 'certificate' % hostname) -+ -+ self.sock = context.wrap_socket(sock, server_hostname=self.host) --- -2.19.0 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-unbundle-six.patch b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-unbundle-six.patch deleted file mode 100644 index 188dae7eb6f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/files/boto-2.49.0-unbundle-six.patch +++ /dev/null @@ -1,28 +0,0 @@ -use the system copy of six - ---- a/boto/compat.py -+++ b/boto/compat.py -@@ -46,16 +46,16 @@ except (AttributeError, ImportError): - # This is probably running on App Engine. - expanduser = (lambda x: x) - --from boto.vendored import six -+import six - --from boto.vendored.six import BytesIO, StringIO --from boto.vendored.six.moves import filter, http_client, map, _thread, \ -+from six import BytesIO, StringIO -+from six.moves import filter, http_client, map, _thread, \ - urllib, zip --from boto.vendored.six.moves.queue import Queue --from boto.vendored.six.moves.urllib.parse import parse_qs, quote, unquote, \ -+from six.moves.queue import Queue -+from six.moves.urllib.parse import parse_qs, quote, unquote, \ - urlparse, urlsplit --from boto.vendored.six.moves.urllib.parse import unquote_plus --from boto.vendored.six.moves.urllib.request import urlopen -+from six.moves.urllib.parse import unquote_plus -+from six.moves.urllib.request import urlopen - - if six.PY3: - # StandardError was removed, so use the base exception type instead diff --git a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-python/boto/metadata.xml deleted file mode 100644 index 3ab9e0b0a8a..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-python/boto/metadata.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - python@gentoo.org - Python - - - - boto - boto - boto/boto - - From ebb10a10c83a9347ace7c23d49a47f2b92e04df1 Mon Sep 17 00:00:00 2001 
From: Jeremi Piotrowski
Date: Tue, 2 Apr 2024 11:23:17 +0000
Subject: [PATCH 12/14] coreos-base/oem-gce: Remove unused files We now rely on GCP agents taking care of instance configuration.
Signed-off-by: Jeremi Piotrowski
---
 .../oem-gce/files/bin/enable-oslogin | 35 ------------------
 .../coreos-base/oem-gce/files/bin/init.sh | 36 -------------------
 .../oem-gce/files/files/google-cloud-sdk.sh | 5 ---
 .../coreos-base/oem-gce/files/files/hosts | 2 --
 .../oem-gce/files/units/10-oem-gce.conf | 2 --
 .../units/oem-gce-enable-oslogin.service | 16 ---------
 .../oem-gce/files/units/oem-gce.service | 18 ----------
 .../oem-gce/files/units/setup-oem.service | 12 -------
 8 files changed, 126 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/init.sh
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/hosts
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/10-oem-gce.conf
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce.service
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/setup-oem.service
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
deleted file mode 100644
index 7a8cd816a13..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/bash
-
-# Verify all the config files were not touched by the user. Do not try to
-# enable oslogin if the user has messed with them
-
-if [ -e '/etc/pam.d/sshd' ]; then
- echo '/etc/pam.d/sshd already exists. Not enabling OS Login'
- exit 0
-fi
-
-if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf' ]; then
- echo '/etc/nsswitch.conf is not a symlink to /usr/share/baselayout/nsswitch.conf. Not enabling OS Login'
- exit 0
-fi
-
-if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
- echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
- exit 0
-fi
-
-if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
- echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
- exit 0
-fi
-
-# Actually start enabling things. Die if we fail.
-set -e
-
-mkdir -m 0750 -p '/var/lib/google-sudoers.d'
-mkdir -m 0750 -p '/var/lib/google-users.d'
-ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
-ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
-ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
-ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
-ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/init.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/init.sh
deleted file mode 100644
index 1b6c56e5b33..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/init.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash -ex
-# GCE can work with our normal file system, but it needs an "init system".
-# Here is a better place to install this script so it doesn't get put in real
-# images built from the GCE Python package.
-
-# Write a configuration template if it does not exist.
-[ -e /etc/default/instance_configs.cfg.template ] ||
-echo -e > /etc/default/instance_configs.cfg.template \
- '[InstanceSetup]\nset_host_keys = false'
-
-# Run the initialization scripts.
-/usr/bin/google_instance_setup
-/usr/bin/google_metadata_script_runner --script-type startup
-
-# Handle the signal to shut down this service.
-trap 'stopping=1 ; kill "${daemon_pids[@]}" || :' SIGTERM
-
-# Fork the daemon processes.
-daemon_pids=()
-for d in accounts clock_skew network
-do
- /usr/bin/google_${d}_daemon & daemon_pids+=($!)
-done
-
-# Notify the host that everything is running.
-NOTIFY_SOCKET=/run/systemd/notify /usr/bin/systemd-notify --ready
-
-# Pause while the daemons are running, and stop them all when one dies.
-wait -n "${daemon_pids[@]}" || :
-kill "${daemon_pids[@]}" || :
-
-# If a daemon died while we're not shutting down, fail.
-test -n "$stopping" || exit 1
-
-# Otherwise, run the shutdown script before quitting.
-exec /usr/bin/google_metadata_script_runner --script-type shutdown
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
deleted file mode 100644
index 9114c0d4006..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-alias gcloud="(docker images google/cloud-sdk || docker pull google/cloud-sdk) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v /var/run/docker.sock:/var/run/docker.sock google/cloud-sdk gcloud"
-alias gsutil="(docker images google/cloud-sdk || docker pull google/cloud-sdk) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config google/cloud-sdk gsutil"
-alias python="(docker images python:2-slim || docker pull python:2-slim) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v "$PWD":/usr/src/pyapp -w /usr/src/pyapp python:2-slim python"
-alias python3="(docker images python:3-slim || docker pull python:3-slim) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v "$PWD":/usr/src/pyapp -w /usr/src/pyapp python:3-slim python"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/hosts b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/hosts
deleted file mode 100644
index 61c0c6b2651..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/hosts
+++ /dev/null
@@ -1,2 +0,0 @@
-169.254.169.254 metadata metadata.google.internal
-127.0.0.1 localhost
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/10-oem-gce.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/10-oem-gce.conf
deleted file mode 100644
index 59b5fa8e1f0..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/10-oem-gce.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Unit]
-Upholds=oem-gce-enable-oslogin.service setup-oem.service oem-gce.service
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
deleted file mode 100644
index 6ffe2d37ecf..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Enable GCE OS Login
-ConditionFirstBoot=true
-DefaultDependencies=false
-After=systemd-tmpfiles-setup.service
-Before=sshd.service
-Before=sshd.socket
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-
-ExecStart=/usr/bin/enable-oslogin
-
-[Install]
-WantedBy=sysinit.target
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce.service
deleted file mode 100644
index c03bcc740df..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=GCE Linux Agent
-After=local-fs.target network-online.target
-
-[Service]
-Type=notify
-NotifyAccess=all
-Restart=always
-RestartSec=5
-
-# There is a custom main process that kills all of the contained services.
-KillMode=process
-KillSignal=SIGTERM
-
-ExecStart=/usr/bin/init.sh
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/setup-oem.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/setup-oem.service
deleted file mode 100644
index ac7aafedb31..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/setup-oem.service
+++ /dev/null
@@ -1,12 +0,0 @@ -[Unit] -Description=Setup OEM -Before=oem-gce-enable-oslogin.service -DefaultDependencies=false - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=-/usr/bin/ln --symbolic --force /usr/share/gce/hosts /etc/hosts -ExecStart=-/usr/bin/ln --symbolic /usr/share/gce/google-cloud-sdk.sh /etc/profile.d/google-cloud-sdk.sh -[Install] -WantedBy=sysinit.target From 8caa5a851207a1868b7c0d973c01bfbf6e56427e Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 12:28:32 +0000 Subject: [PATCH 13/14] app-admin/google-*-agent: Update SRC_URI for deps tarball Signed-off-by: Jeremi Piotrowski --- .../google-guest-agent/google-guest-agent-20240314.00.ebuild | 3 ++- .../google-osconfig-agent-20240320.00.ebuild | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild index 03f8c986f76..1925de583b0 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild @@ -20,7 +20,8 @@ DESCRIPTION="Google Guest Agent" HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-agent" SRC_URI="https://github.com/GoogleCloudPlatform/guest-agent/archive/${PV}.tar.gz -> ${P}.tar.gz" -SRC_URI+=" ${P}-deps.tar.xz" +# Flatcar: explicitly reference mirror +SRC_URI+=" https://commondatastorage.googleapis.com/cos-localmirror/distfiles/${P}-deps.tar.xz" LICENSE="Apache-2.0 BSD ZLIB" SLOT="0" 
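Review bot: The comment `# Flatcar: explicitly reference mirror` above the new `SRC_URI+=` line does not record what `${P}-deps.tar.xz` is or what pins its contents. The bundle is fetched from the COS distfiles bucket rather than from the upstream GitHub release, and presumably is built by COS rather than by upstream, so as far as this hunk shows the only integrity check on it is the DIST entry in the package Manifest, which this commit does not touch. I would say so on the line, e.g. `# Flatcar: deps bundle comes from the COS distfiles mirror, not upstream; it is pinned only by its DIST hash in Manifest`, and have the Manifest hash re-verified whenever the tarball name changes. The same applies to the identical hunk in google-osconfig-agent-20240320.00.ebuild.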
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild index d8dfdd2d1cb..1d0bcf10458 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild @@ -21,7 +21,8 @@ DESCRIPTION="Google OS Config Agent" HOMEPAGE="https://github.com/GoogleCloudPlatform/osconfig" SRC_URI="https://github.com/GoogleCloudPlatform/osconfig/archive/${PV}.tar.gz -> ${P}.tar.gz" -SRC_URI+=" ${P}-deps.tar.xz" +# Flatcar: explicitly reference mirror +SRC_URI+=" https://commondatastorage.googleapis.com/cos-localmirror/distfiles/${P}-deps.tar.xz" LICENSE="Apache-2.0 BSD" SLOT="0" From e1a7a9e36c3286f3b1c59fa648d86125023d589e Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 12:29:13 +0000 Subject: [PATCH 14/14] coreos-base/oem-gce: Enable timer and remove debug files Signed-off-by: Jeremi Piotrowski --- .../coreos-overlay/coreos-base/oem-gce/files/manglefs.sh | 2 +- .../coreos-base/oem-gce/oem-gce-20240326-r1.ebuild | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh index f131cb54ab3..b26b8fafe26 100755 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/manglefs.sh @@ -4,4 +4,4 @@ set -euo pipefail rootfs="${1}" -find "${rootfs}/" +rm -rf "${rootfs}"/usr/lib/debug 
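Review bot: The new `rm -rf "${rootfs}"/usr/lib/debug` in manglefs.sh resolves to `/usr/lib/debug` on the build host when the script is called with an empty first argument, because `set -u` rejects only an unset `$1`, not an empty one. I would make the expansion fail closed and end option parsing: `rm -rf -- "${rootfs:?}/usr/lib/debug"`. The top of the script is outside the hunk, so whether a caller can ever pass an empty path is not visible here.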
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild index d6aeee0eb7d..6f1a36f0278 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20240326-r1.ebuild @@ -29,5 +29,5 @@ RDEPEND=" OEM_NAME="Google Compute Engine" src_install() { - : + systemd_enable_service timers.target google-oslogin-cache.timer }
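Review bot: `systemd_enable_service timers.target google-oslogin-cache.timer` in `src_install()` enables a unit that this ebuild does not install itself, and nothing on the line says which package provides it. If that package is ever dropped from `RDEPEND` (whose contents are outside the hunk), the `timers.target.wants` link would dangle and the timer, which by its name refreshes the OS Login cache, would stop running without any build error. I would add a comment such as `# Flatcar: timer unit is shipped by app-admin/oslogin; keep that package in RDEPEND`, after confirming the providing package. It is also worth checking that the ebuild inherits the `systemd` eclass, since the `inherit` line is not visible either.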