From 5d48557f791a1dff38c16e0f91b1b1ea18174e61 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 4 Feb 2026 14:29:31 +0000
Subject: [PATCH 1/7] build_packages: Exclude OEM sysext packages when running eclean packages

Also simplify the exclusion mechanism while we're at it.

Signed-off-by: James Le Cuirot
---
 build_library/extra_sysexts.sh | 16 ----------------
 build_packages | 14 +++++++-------
 2 files changed, 7 insertions(+), 23 deletions(-)

diff --git a/build_library/extra_sysexts.sh b/build_library/extra_sysexts.sh
index 85ae7096fc3..444b3eb9a67 100644
--- a/build_library/extra_sysexts.sh
+++ b/build_library/extra_sysexts.sh
@@ -11,19 +11,3 @@ EXTRA_SYSEXTS=(
 "python|dev-lang/python,dev-python/pip"
 "zfs|sys-fs/zfs"
 )
-
-_get_unversioned_sysext_packages_unsorted() {
- for sysext in "${EXTRA_SYSEXTS[@]}"; do
- IFS="|" read -r _ PACKAGE_ATOMS _ <<< "$sysext"
-
- IFS=,
- for atom in $PACKAGE_ATOMS; do
- qatom "$atom" -F "%{CATEGORY}/%{PN}"
- done
- unset IFS
- done
-}
-
-get_unversioned_sysext_packages() {
- _get_unversioned_sysext_packages_unsorted | sort | uniq
-}
diff --git a/build_packages b/build_packages
index da1d1e9b916..d61d3bfad11 100755
--- a/build_packages
+++ b/build_packages
@@ -289,6 +289,10 @@ fi
 export KBUILD_BUILD_USER="${BUILD_USER:-build}"
 export KBUILD_BUILD_HOST="${BUILD_HOST:-pony-truck.infra.kinvolk.io}"
+# Gather a list of packages we build with --buildpkgonly to prevent them from
+# getting cleaned by `eclean --deep packages` below.
+eclean_excludes=$(mktemp) || die_notrace "Couldn't create temporary exclusions file for eclean"
+
 # Build sysext packages from an array of sysext definitions.
 # Usage: build_sysext_packages "description" "${SYSEXT_ARRAY[@]}"
 # Array format: "name|packages|useflags|arches"
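Review bot: The temporary file created by `eclean_excludes=$(mktemp) || die_notrace ...` is only removed by the explicit `rm -f "${eclean_excludes}"` after the first eclean run in the -373,13 hunk, so any `die` in between (a failed emerge inside build_sysext_packages, for instance) leaves it behind in the temp directory. Registering cleanup at creation, `trap 'rm -f -- "${eclean_excludes}"' EXIT`, removes it on every exit path and makes the later `rm -f` redundant. If the script already installs an EXIT trap elsewhere (not visible in this hunk), the removal should be folded into that handler rather than replacing it.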
@@ -305,6 +309,7 @@ build_sysext_packages() {
 info "Building packages for $sysext_name sysext with USE=$useflags"
 IFS=,
+ qatom -F "%{CATEGORY}/%{PN}" ${package_atoms} >> "${eclean_excludes}"
 for package in $package_atoms; do
 # --buildpkgonly does not install dependencies, so we install them
 # separately before building the binary package
@@ -373,13 +378,8 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
 fi
 fi
-exclusions_file=$(mktemp)
-if [ ! -f "$exclusions_file" ]; then
- die_notrace "Couldn't create temporary exclusions file $exclusions_file for eclean"
-fi
-get_unversioned_sysext_packages > "$exclusions_file"
-eclean-"$BOARD" -d --exclude-file="$exclusions_file" packages
-rm -f "$exclusions_file"
+eclean-"$BOARD" --deep --exclude-file="${eclean_excludes}" packages
+rm -f "${eclean_excludes}"
 # run eclean again, this time without the --deep option, to clean old versions
 # of sysext packages (those, for which .ebuild file no longer exists)
 eclean-"$BOARD" packages

From 0cbf8dedb5f854a4cb7994217c5daf996aba9c24 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 4 Feb 2026 15:03:38 +0000
Subject: [PATCH 2/7] build_sysext: Ensure sysexts are entirely built from binary packages

It is no longer necessary to build the meta packages from source as they are now covered by build_packages.

Signed-off-by: James Le Cuirot
---
 build_sysext | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build_sysext b/build_sysext
index 4a0d450e0b8..d61856a6c14 100755
--- a/build_sysext
+++ b/build_sysext
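Review bot: The added `qatom -F "%{CATEGORY}/%{PN}" ${package_atoms} >> "${eclean_excludes}"` depends on the unquoted expansion being split on the `IFS=,` set one line earlier; ShellCheck reports this as SC2086 and a later reader may "fix" it by quoting, which would silently pass the whole comma-separated list to qatom as a single bogus atom. A directive on the line above, `# shellcheck disable=SC2086 # split on the IFS=, set above`, records the intent, matching the already-unquoted `for package in $package_atoms` loop that follows. Nothing checks qatom's exit status on an append redirect, so whether a failure aborts the build depends on `set -e` being active, which is not visible here. build_sysext_packages continues outside the hunk.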
@@ -22,7 +22,7 @@ default_install_root_basename='install-root'
 DEFINE_string board "${DEFAULT_BOARD}" \
 "The board to build a sysext for."
 DEFINE_string metapkgs '' \
- "Comma-separated list of meta-packages to build from source and install into sysext image."
+ "Comma-separated list of binary meta-packages to install into the sysext image."
 DEFINE_string squashfs_base '' \
 "The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'."
 DEFINE_string image_builddir '' \
@@ -206,9 +206,9 @@ if [ "$VERSION_BOARD" != "$FLATCAR_VERSION" ]; then
 fi
 if [[ -n "${FLAGS_metapkgs}" ]]; then
- mapfile -t metapkgs < <(tr ',' '\n' <<<"${FLAGS_metapkgs}")
- "emerge-${FLAGS_board}" --nodeps --buildpkgonly --usepkg n --verbose "${metapkgs[@]}"
- set -- "${metapkgs[@]}" "${@}"
+ IFS=,
+ set -- ${FLAGS_metapkgs} "${@}"
+ unset IFS
 fi
 if [[ ${#} -lt 1 ]]; then

From b5fe6afbd74e98f78d54c62b64495fa02d760e5e Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Tue, 27 Jan 2026 16:37:30 +0000
Subject: [PATCH 3/7] coreos-devel/board-packages: Drop the OEM sysext dependencies

It is no longer necessary to include these as they are explicitly built with --onlydeps in build_sysext_packages(). This new approach allows a package to be installed to both /usr and sysexts with conflicting USE flags. Portage would normally refuse to do this because it would "break" what is already installed to the board root, but --ignore-world forces the breakage. It is safe in this context because the board root is not used for execution, and affected packages will be automatically rebuilt as needed, e.g. the next time you run build_packages.
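Review bot: `unset IFS` after `set -- ${FLAGS_metapkgs} "${@}"` resets the separator to the shell default rather than restoring whatever was in effect before, which only matters if a sourced library had set a custom IFS (not visible here); saving and restoring it, `old_ifs=$IFS; IFS=,; set -- ${FLAGS_metapkgs} "${@}"; IFS=$old_ifs`, avoids that assumption, and the unquoted expansion wants a `# shellcheck disable=SC2086` directive so it is not "fixed" by quoting later. Since the emerge call is gone, a comment above the block such as `# Meta packages must already exist as binary packages; build_packages builds them.` would record the contract that the help-text change in the -22,7 hunk also states.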
Signed-off-by: James Le Cuirot
---
 build_packages | 11 ++++--
 .../src/third_party/coreos-overlay/README.md | 7 ++--
 ...ebuild => board-packages-0.0.1-r18.ebuild} | 0
 .../board-packages-0.0.1.ebuild | 38 ++++---------------
 4 files changed, 18 insertions(+), 38 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/{board-packages-0.0.1-r17.ebuild => board-packages-0.0.1-r18.ebuild} (100%)

diff --git a/build_packages b/build_packages
index d61d3bfad11..6de1487682e 100755
--- a/build_packages
+++ b/build_packages
@@ -312,13 +312,17 @@ build_sysext_packages() {
 qatom -F "%{CATEGORY}/%{PN}" ${package_atoms} >> "${eclean_excludes}"
 for package in $package_atoms; do
 # --buildpkgonly does not install dependencies, so we install them
- # separately before building the binary package
+ # separately before building the binary package. --ignore-world is needed
+ # to allow packages to be installed to both /usr and sysexts with
+ # conflicting USE flags. This will "break" the board root, but it's not
+ # used for execution, and affected packages will be rebuilt as needed.
 sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
 env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
 "${EMERGE_FLAGS[@]}" \
 --quiet \
 --onlydeps \
 --binpkg-respect-use=y \
+ --ignore-world=y \
 "${package}"
 sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
@@ -327,6 +331,7 @@ build_sysext_packages() {
 --quiet \
 --buildpkgonly \
 --binpkg-respect-use=y \
+ --ignore-world=y \
 "${package}"
 done
 unset IFS
@@ -378,11 +383,11 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
 fi
 fi
-eclean-"$BOARD" --deep --exclude-file="${eclean_excludes}" packages
+eclean-"$BOARD" --deep --exclude-file="${eclean_excludes}" packages --unique-use
 rm -f "${eclean_excludes}"
 # run eclean again, this time without the --deep option, to clean old versions
 # of sysext packages (those, for which .ebuild file no longer exists)
-eclean-"$BOARD" packages
+eclean-"$BOARD" packages --unique-use
 info "Checking build root"
 test_image_content "${BOARD_ROOT}"
diff --git a/sdk_container/src/third_party/coreos-overlay/README.md b/sdk_container/src/third_party/coreos-overlay/README.md
index 150fb7b6493..363fdfb20a3 100644
--- a/sdk_container/src/third_party/coreos-overlay/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/README.md
@@ -23,13 +23,12 @@ gets built into a developer image and is not OEM specific.
 gets built into the Container Linux SDK.
 `coreos-devel/board-packages` is everything that could be built into a
-development or production image, plus any OEM specific packages.
+development or production image.
 `coreos-base/oem-*` are the OEM specific packages. They mostly install things
-that belong in the OEM partition. Any RDEPENDS from these packages should
-be copied to the RDEPENDS in `board-packages` to ensure they are built.
+that belong in the OEM partition.
-`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
+`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
 # Updating
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r17.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r18.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r17.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r18.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index e89d4114449..471793e05ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -2,47 +2,23 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
-EAPI=7
+EAPI=8
-DESCRIPTION="Meta ebuild for building all binary packages."
-HOMEPAGE="http://coreos.com/docs/sdk/"
-SRC_URI=""
+DESCRIPTION="Meta ebuild for building all binary packages"
+HOMEPAGE="https://www.flatcar.org/"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="amd64 arm64"
-IUSE=""
-# Depend on everything OEMs need, but not the OEMs themselves.
-# This makes the built packages available for image_vm_util.sh but
-# avoids copying the oem specific files (e.g. grub configs) before
-# the oem partition is set up.
-DEPEND=""
 RDEPEND="
- amd64? (
- app-emulation/google-compute-engine
- app-emulation/open-vm-tools
- coreos-base/nova-agent-container
- coreos-base/nova-agent-watcher
- )
- sys-boot/grub
- sys-boot/shim
- sys-boot/shim-signed
 app-containers/containerd
 app-containers/docker
 app-containers/docker-buildx
 app-containers/docker-cli
- app-containers/incus
- app-emulation/amazon-ssm-agent
- app-emulation/hv-daemons
- app-emulation/wa-linux-agent
 coreos-base/coreos
 coreos-base/coreos-dev
- coreos-base/flatcar-eks
- net-misc/chrony
- sys-fs/zfs
- app-containers/podman
- net-misc/passt
- dev-lang/python
- dev-python/pip
- "
+ sys-boot/grub
+ sys-boot/shim
+ sys-boot/shim-signed
+"

From bfc10b94e510a9cf100470c317e12480b7534f26 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 28 Jan 2026 16:34:22 +0000
Subject: [PATCH 4/7] Replace per-OEM USE flags with a single flatcar-oem USE flag

Having a USE flag per OEM is unnecessary when we only really need to know whether the package will be installed in an OEM sysext or not. The flag names were also prone to conflicts, e.g. qemu. We don't currently make use of these flags anyway, although that is about to change.
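Review bot: The rewritten `RDEPEND="` block drops the comment that explained why OEM packages are deliberately absent from this meta ebuild, and the new list gives a future maintainer no hint that the sysext packages are now built by build_sysext_packages in build_packages rather than pulled in here. A one-line comment above `RDEPEND="`, e.g. `# OEM and sysext packages are intentionally omitted; build_packages builds them with --buildpkgonly.`, keeps the rationale next to the list it explains. The hunk starts at line 2, so the file's first line is outside it.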
Signed-off-by: James Le Cuirot
---
 build_library/oem_sysexts.sh | 2 +-
 sdk_container/src/third_party/coreos-overlay/profiles/use.desc | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/use.desc

diff --git a/build_library/oem_sysexts.sh b/build_library/oem_sysexts.sh
index 7d50efc4bed..ff30d07b2ca 100644
--- a/build_library/oem_sysexts.sh
+++ b/build_library/oem_sysexts.sh
@@ -75,7 +75,7 @@ get_oem_sysext_matrix() {
 local -a matrix=()
 local oem_id
 for oem_id in "${oem_ids[@]}"; do
- matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|${oem_id}")
+ matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|flatcar-oem")
 done
 local -n matrix_ref="${list_var_name}"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/use.desc b/sdk_container/src/third_party/coreos-overlay/profiles/use.desc
new file mode 100644
index 00000000000..3e2055cfb89
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/use.desc
@@ -0,0 +1 @@
+flatcar-oem - Configure for use in a Flatcar OEM sysext

From 1f515e1aec451ef2306ca00f71e18ac22e1dc8fe Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Tue, 13 Jan 2026 15:04:25 +0000
Subject: [PATCH 5/7] app-admin/google-guest-configs: New package for udev rules and scripts

We already have GCE disk rules in coreos-init, but a user has pointed out that the newer NVMe rules are missing. Let's take the rules directly from upstream instead. This is loosely based on the ChromiumOS package of the same name.
Signed-off-by: James Le Cuirot
---
 changelog/bugfixes/2025-12-29-gce-udev.md | 1 +
 .../app-admin/google-guest-configs/Manifest | 1 +
 ...gle-guest-configs-20211116.00-sysctl.patch | 50 ++++++++++++++
 .../google-guest-configs-dracut-deps.patch | 25 +++++++
 .../google-guest-configs-20260116.00.ebuild | 66 +++++++++++++++++++
 .../google-guest-configs/metadata.xml | 7 ++
 ... google-compute-engine-20190124-r4.ebuild} | 7 ++
 .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 +
 .../oem-gce/oem-gce-20180823-r7.ebuild | 42 ------------
 .../oem-gce/oem-gce-20260102.ebuild | 35 ++++++++++
 .../coreos-kernel-6.12.66.ebuild | 5 +-
 11 files changed, 197 insertions(+), 43 deletions(-)
 create mode 100644 changelog/bugfixes/2025-12-29-gce-udev.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/{google-compute-engine-20190124-r3.ebuild => google-compute-engine-20190124-r4.ebuild} (81%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild

diff --git a/changelog/bugfixes/2025-12-29-gce-udev.md b/changelog/bugfixes/2025-12-29-gce-udev.md
new file mode 100644
index 00000000000..d8458d9f4db
--- /dev/null
+++ b/changelog/bugfixes/2025-12-29-gce-udev.md
@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
new file mode 100644
index 00000000000..d444561ad31
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
@@ -0,0 +1 @@
+DIST google-guest-configs-20260116.00.tar.gz 50190 BLAKE2B a9d546c87245114bd650c1b5116a9619b927e9afb0702adb0d3b41efeab680da65055f37490fe88d4923ceb7a5f596a3f59848f74cb9f8ce074d3f2568f40757 SHA512 995b350700feba28cdd6250c2ca0788539f1e58f3bae9d23081671fff82c7ff139ec9a0f56411e9ead6bfca62ced2c4bb729f516352982441c6a769162d9f4f2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
new file mode 100644
index 00000000000..4ac9d275cbc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions. When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10
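Review bot: The new patch file strips most of upstream's hardening settings from `60-gce-network-security.conf` (`tcp_syncookies`, `accept_source_route`, `accept_redirects`/`secure_redirects`, `ip_forward=0`, `send_redirects`, `rp_filter`, the ICMP knobs, `randomize_va_space` and `kernel.panic`) leaving only the `log_martians` pair, yet carries no description, so a reviewer cannot tell which of these Flatcar already enforces elsewhere and which are intentionally left at kernel defaults on GCE guests. A short header above the first `diff --git` line stating the rationale per group (for instance that `ip_forward=0` would conflict with container networking, if that is the reason, and where the remaining values come from) would let the next version bump be reviewed without re-deriving it. The file is named `google-guest-configs-20211116.00-sysctl.patch` while the package introduced here is `20260116.00`; renaming it to the version it was rebased against, or dropping the version as the sibling `google-guest-configs-dracut-deps.patch` does, avoids the mismatch.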
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch
new file mode 100644
index 00000000000..04be008feb3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch
@@ -0,0 +1,25 @@
+From a848f8f181e2a7080a7ee06fb87ffbfe05e66a24 Mon Sep 17 00:00:00 2001
+From: James Le Cuirot
+Date: Tue, 20 Jan 2026 15:55:29 +0000
+Subject: [PATCH] dracut: Install dd and ln as these are used by google_nvme_id
+
+I found that the disk name symlink was missing on Flatcar due to the
+lack of dd. I thought about using pure Bash, but it can't handle the
+null bytes. I also thought about using tail, but this is just as likely
+to be missing.
+
+I've also added ln for good measure.
+--- a/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
++++ b/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
+@@ -4,7 +4,7 @@
+
+ # called by dracut
+ install() {
+- inst_multiple nvme grep sed
++ inst_multiple nvme dd ln grep sed
+ inst_simple /usr/lib/udev/google_nvme_id
+ inst_simple /usr/lib/udev/rules.d/65-gce-disk-naming.rules
+ }
+--
+2.51.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild
new file mode 100644
index 00000000000..0cf843420a4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild
@@ -0,0 +1,66 @@ +# Copyright 2026 The Flatcar Container Linux Maintainers +# Distributed under the terms of the Apache License 2.0 + +# IMPORTANT! When bumping, ensure that the Dracut modules do not install files +# that would make runtime changes to systems to other than GCE VMs because the +# initrd is shared between image types. The udev disk rules are currently safe. + +EAPI=8 + +inherit udev + +DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment" +HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs" +SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/guest-configs-${PV}" + +LICENSE="Apache-2.0 BSD ZLIB" +SLOT="0" +KEYWORDS="amd64" +IUSE="flatcar-oem" + +RDEPEND=" + ! + + + + GoogleCloudPlatform/guest-configs + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild index 2235e90a901..76c1ada09d8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild @@ -28,3 +28,10 @@ RDEPEND=" sys-apps/iproute2 sys-apps/shadow " + +src_install() { + distutils-r1_src_install + + # Newer versions are installed by app-admin/google-guest-configs. + rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die +} 
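Review bot: `HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"` in the new google-guest-configs ebuild uses plain http while the `SRC_URI` line directly below already uses https for the same host; `HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-configs"` keeps them consistent (HOMEPAGE is informational rather than fetched, so this is tidiness, not a fetch-integrity issue). The remainder of that ebuild and the metadata.xml hunk are garbled in this chunk, so RDEPEND and src_install could not be reviewed here.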
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index c3b64c56b9a..84598dd6cd4 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -212,6 +212,7 @@ RDEPEND="${RDEPEND}
 # OEM specific bits that need to go in USR
 RDEPEND+="
 amd64? (
+ app-admin/google-guest-configs[-flatcar-oem]
 sys-auth/google-oslogin
 )
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
deleted file mode 100644
index 5baa71325b6..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit systemd
-
-DESCRIPTION="OEM suite for Google Compute Engine images"
-HOMEPAGE="https://cloud.google.com/products/compute-engine/"
-SRC_URI=""
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-# no source directory
-S="${WORKDIR}"
-
-RDEPEND="
- app-emulation/google-compute-engine
-"
-
-OEM_NAME="Google Compute Engine"
-
-src_install() {
- systemd_dounit "${FILESDIR}/units/oem-gce.service"
- systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
- systemd_dounit "${FILESDIR}/units/setup-oem.service"
- systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
- systemd_enable_service "multi-user.target" "ntpd.service"
-
- dobin "${FILESDIR}/bin/enable-oslogin"
- dobin "${FILESDIR}/bin/init.sh"
-
- # These files will be symlinked to /etc via 'setup-oem.service'
- insinto /usr/share/gce/
- doins "${FILESDIR}/files/hosts"
- doins "${FILESDIR}/files/google-cloud-sdk.sh"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
new file mode 100644
index 00000000000..f8097afd48b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
@@ -0,0 +1,35 @@
+# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd
+
+DESCRIPTION="OEM suite for Google Compute Engine images"
+HOMEPAGE="https://cloud.google.com/products/compute-engine/"
+S="${WORKDIR}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+ app-admin/google-guest-configs[flatcar-oem]
+ app-emulation/google-compute-engine
+"
+
+OEM_NAME="Google Compute Engine"
+
+src_install() {
+ systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
+ systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
+ systemd_enable_service multi-user.target ntpd.service
+
+ dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}
+
+ # These files will be symlinked to /etc via 'setup-oem.service'
+ insinto /usr/share/gce
+ doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
index 49be09709cc..5cdf8bbe068 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild
@@ -56,7 +56,10 @@ DEPEND="
 >=sys-kernel/coreos-firmware-20180103-r1:=
 sys-process/procps
 virtual/udev
- amd64? ( sys-firmware/intel-microcode:= )
+ amd64? (
+ app-admin/google-guest-configs[-flatcar-oem]
+ sys-firmware/intel-microcode:=
+ )
 "
 src_prepare() {

From c54f1d13da1986df7db098fdbe8df8f588956867 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Tue, 20 Jan 2026 16:11:46 +0000
Subject: [PATCH 6/7] sys-kernel/bootengine: Bump for sysctl rerun fix
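Review bot: The new `app-admin/google-guest-configs[-flatcar-oem]` entry in the kernel ebuild's DEPEND has no comment, and the reason is not obvious from the kernel ebuild itself; from the dracut module patch earlier in this series I take it to be so the 30gcp-udev-rules dracut module is present when the initrd is built, but that is inference. A comment on the line, e.g. `# provides the GCE dracut udev module; the initrd is shared across image types`, would make the coupling explicit and tie it to the IMPORTANT warning at the top of the google-guest-configs ebuild. The `[-flatcar-oem]` here and in coreos-0.0.1.ebuild versus `[flatcar-oem]` in the new oem-gce ebuild appears to be exactly the conflicting-USE case the `--ignore-world=y` change in build_packages exists for, which is worth stating in one of the two places so the pairing is not broken by a later edit.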
Signed-off-by: James Le Cuirot
---
 .../third_party/coreos-overlay/sys-kernel/bootengine/Manifest | 2 +-
 ...ootengine-0.0.38-r39.ebuild => bootengine-0.0.38-r40.ebuild} | 0
 .../coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/{bootengine-0.0.38-r39.ebuild => bootengine-0.0.38-r40.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
index 611db5b5f89..8c6adc49d88 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest
@@ -1 +1 @@
-DIST bootengine-7d9895ce55617b18a78294975197975ac17b5bc3.tar.gz 36752 BLAKE2B 88c0478fd368203f3184f3e98ef8b277b725b6a7da6f39198c8366e71cb587705eb3859ccd92f701b4f7da4ed9571d645ddebc32293671477fed524fe31429e7 SHA512 6f8551e9b9fac5cedd8ee9fcb6d958092032b636f64c9d15f954a64c76ad9cbd8648bbb480bc92a6e98f7503d26f49e6c47989537cb1bdfb35d21eb2859e7923
+DIST bootengine-8854e0fd9fb77bf10eb8484a989d1b76a635264c.tar.gz 36865 BLAKE2B 71d9173321eae6856fc33f01f761864f2827e445d1671d9cd8cb8563fd76c06c3361df898b902448efe0bc1661ba42fc9167d71b164ba92daddac0fa2203d130 SHA512 3fd9575e22d5808caa099425beb0911d429ff4cec6b9d86a1371cf6f437306c693cae7d6e39e4814f5d15207d9ec82c95aa037a1ad0c5bb05c675ba13137b81b
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r39.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r40.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r39.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-0.0.38-r40.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
index 7ccfb49009c..b9bb5bc689a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
@@ -10,7 +10,7 @@ if [[ ${PV} == 9999 ]]; then
 EGIT_REPO_URI="https://github.com/flatcar/bootengine.git"
 inherit git-r3
 else
- EGIT_VERSION="7d9895ce55617b18a78294975197975ac17b5bc3" # flatcar-master
+ EGIT_VERSION="8854e0fd9fb77bf10eb8484a989d1b76a635264c" # chewi/sysctl-rerun
 SRC_URI="https://github.com/flatcar/bootengine/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 S="${WORKDIR}/${PN}-${EGIT_VERSION}"
 KEYWORDS="amd64 arm arm64 x86"

From bc5ab47827fee312d36d837a66498dcb930e3a17 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Mon, 26 Jan 2026 16:22:38 +0000
Subject: [PATCH 7/7] sys-apps/systemd: Rerun sysctl after the sysexts have been mounted

It is run early from the initrd, so wait for the sysexts, which may have additional configuration, before running it again.

Signed-off-by: James Le Cuirot
---
 .../coreos-overlay/coreos/config/env/sys-apps/systemd | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
index defe7e8d0ba..53124d02a8a 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
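Review bot: `EGIT_VERSION` is re-pinned to a commit annotated `# chewi/sysctl-rerun` instead of `# flatcar-master`, i.e. a personal feature branch; the Manifest's BLAKE2B/SHA512 entries still pin the exact tarball so the fetch remains integrity-checked, but if that branch is rewritten or deleted the archive URL stops resolving and the bump becomes unreproducible from the stated source. Either land the bootengine change on flatcar-master first and re-pin, or leave a marker beside the comment, e.g. `# TODO: re-pin to flatcar-master once sysctl-rerun is merged`, so the temporary pin is not forgotten.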
@@ -173,6 +173,16 @@ After=ensure-sysext.service
 EOF
 )
+ (
+ insinto "$(systemd_get_systemunitdir)/systemd-sysctl.service.d"
+ newins - flatcar.conf <<'EOF'
+# sysctl runs early from the initrd, so wait for sysexts with additional
+# configuration to be mounted before running it again.
+[Unit]
+After=ensure-sysext.service
+EOF
+ )
+
 (
 # Allow @mount syscalls for systemd-udevd.service
 insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
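Review bot: The new `After=ensure-sysext.service` drop-in delays the root filesystem's whole `systemd-sysctl.service`, not only the sysext-provided settings, so every rootfs sysctl is now applied later than before relative to units that were ordered after sysctl; whether any security-relevant value now lands after a service that depends on it is not visible from this hunk and is worth checking before merging. `After=` alone is a pure ordering constraint, so if ensure-sysext.service is not otherwise pulled into the boot transaction the drop-in is a no-op, which is fine for a rerun but worth saying. Extending the comment inside the heredoc, e.g. `# This delays every rootfs sysctl until sysexts are merged, not only sysext ones.`, records that trade-off next to the unit. The enclosing function continues outside the hunk on both sides.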