Finish merged-usr process for generic images, move SDK over to it too

changelog/changes/2024-09-05-sbin-merge.md

@@ -0,0 +1 @@
+- The `/usr/sbin` directory is now merged into `/usr/bin`, so the former became a symlink to the latter. The SDK now has the same base layout as the generic images. ([flatcar/scripts#2068](https://github.com/flatcar/scripts/pull/2068))

sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild

@@ -240,6 +240,11 @@ src_install() {
 	# Flatcar: Remove sudo.conf as it is shipped via baselayout
 	rm "${ED}/etc/sudo.conf" || die
 
+	# Flatcar: Build system installs /etc/sudoers.d, let's make
+	# sure we keep having it.
+	#
+	# Upstream PR: https://github.com/gentoo/gentoo/pull/37397
+	keepdir /etc/sudoers.d
 }
 
 pkg_postinst() {

sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild

@@ -20,7 +20,7 @@ SRC_URI=""
 
 LICENSE="BSD"
 SLOT="0"
-IUSE="cros_host +debug -delta_generator symlink-usr"
+IUSE="cros_host +debug -delta_generator"
 
 RDEPEND="!coreos-base/coreos-installer
 	app-arch/bzip2
@@ -85,11 +85,7 @@ src_test() {
 src_install() {
 	default
 
-	if use symlink-usr; then
-		dosym sbin/flatcar-postinst /usr/postinst
-	else
-		dosym usr/sbin/flatcar-postinst /postinst
-	fi
+	dosym bin/flatcar-postinst /usr/postinst
 
 	systemd_dounit systemd/update-engine.service
 	systemd_dounit systemd/update-engine-stub.service

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -8,8 +8,7 @@ USE_EXPAND="${USE_EXPAND} TESTS"
 # For now this is only informational and set by coreos-go.eclass
 USE_EXPAND="${USE_EXPAND} GO_VERSION"
 
-# Extra use flags for CoreOS SDK
-USE="${USE} cros_host expat -cracklib -introspection -cups -tcpd -berkdb"
+USE="${USE} -cracklib -introspection -cups -tcpd -berkdb"
 
 # Use Python 3 as the default version
 USE="${USE} -python_single_target_python2_7 python_single_target_python3_11"

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.force → sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.force

@@ -1,4 +1,7 @@
 # We don't have a separate /{bin,lib} and /usr/{bin,lib}. But the base
 # profile in portage-stable forces split-usr, so here we unforce it
 # and in use.mask we mask it.
+#
+# TODO: Drop it when we move to
+# default/linux/{amd64,arm64}/23.0/hardened/selinux/systemd profile
 -split-usr

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask

@@ -21,3 +21,11 @@ python_single_target_python3_13
 # We don't care about i10n, takes too much space, pulls in too many
 # extra dependencies.
 nls
+
+# We don't have a separate /{bin,lib} and /usr/{bin,lib}. But the base
+# profile in portage-stable forces split-usr, so in use.force we
+# unforce it and here we mask it.
+#
+# TODO: Drop it when we move to
+# default/linux/{amd64,arm64}/23.0/hardened/selinux/systemd profile
+split-usr

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults

@@ -1,10 +1,10 @@
 # Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
 
-USE="acpi usb symlink-usr cryptsetup policykit"
-USE="${USE} -split-usr -cros_host -expat -cairo -X -man"
+USE="acpi usb cryptsetup policykit"
+USE="${USE} -cros_host -expat -cairo -X -man"
 USE="${USE} -acl -gpm -python"
-USE="${USE} -fortran -abiword -perl -cups -poppler-data"
+USE="${USE} -fortran -abiword -perl -poppler-data"
 
 # Exclude documentation
 FEATURES="nodoc noinfo noman"

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults

@@ -1,4 +1,4 @@
-USE="man -pam"
+USE="cros_host expat man -pam"
 
 # Used by some old goo in profiles/coreos/base/profile.bashrc
 # TODO: clean up that old goo

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/Manifest

@@ -1 +1 @@
-DIST flatcar-baselayout-937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7.tar.gz 34560 BLAKE2B f4204cdabb87cc1618d7adcc0f3b0103686d60d1073c7539ffb1e4c0c264308b42cac1a2aaab0153c9762935d1cbf81c0e061a1aaeb53980d6ff278a6d26290b SHA512 9ca214c698fcd144c7dabcbda2226af7d2126b5d104ceb1eab7234a41326cc6a469ebaf2528709234d59019c84e277925e66309f4cb62b17f48be8834f6b611a
+DIST flatcar-baselayout-1ad3846c507888ffbb4209f6eaf294a60cda5fe6.tar.gz 36931 BLAKE2B e354aabaf99b2c0c50c05d377e3b51c33b2924640dbc9c49c359e3a50a18d7c6067e5e901f090deb181c787ba7b437d72e5a7a5d477682794d7f9e5b12f10966 SHA512 036c3d174afcf3e81a11ff0b6cf1b9ad4b16e70eeabc68d739eef24c18e8269a27d3f7aa236c885ba6ccf5f6450ee034a553d6017b26902d75274e476a211f87

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild

@@ -1,138 +1,60 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 EGIT_REPO_URI="https://github.com/flatcar/baselayout.git"
 
 if [[ "${PV}" == 9999 ]]; then
 	inherit git-r3
-	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+	KEYWORDS="~amd64 ~arm64"
 else
-	EGIT_COMMIT="937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7" # flatcar-master
+	EGIT_COMMIT="1ad3846c507888ffbb4209f6eaf294a60cda5fe6" # flatcar-master
 	SRC_URI="https://github.com/flatcar/baselayout/archive/${EGIT_COMMIT}.tar.gz -> flatcar-${PN}-${EGIT_COMMIT}.tar.gz"
 	S="${WORKDIR}/${PN}-${EGIT_COMMIT}"
-	KEYWORDS="amd64 arm arm64 x86"
+	KEYWORDS="amd64 arm64"
 fi
 
-TMPFILES_OPTIONAL=1
-inherit multilib systemd tmpfiles
+inherit multilib
 
-DESCRIPTION="Filesystem baselayout for CoreOS"
-HOMEPAGE="http://www.coreos.com/"
+DESCRIPTION="Filesystem baselayout for Flatcar"
+HOMEPAGE="https://www.flatcar.org/"
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE="cros_host symlink-usr"
-
-# This version of baselayout replaces coreos-base
-DEPEND="sys-apps/systemd
-	net-dns/libidn2:=
-	!coreos-base/coreos-base
-	!<sys-libs/glibc-2.17-r1
-	!<=sys-libs/nss-usrfiles-2.18.1_pre"
+IUSE="cros_host"
 
 # Make sure coreos-init is not installed in the SDK
-RDEPEND="${DEPEND}
+RDEPEND="
 	>=sys-apps/gentoo-functions-0.10
-	cros_host? ( !coreos-base/coreos-init )"
-
-MOUNT_POINTS=(
-	/dev
-	/proc
-	/sys
-)
-
-declare -A USR_SYMS		# list of /foo->usr/foo symlinks
-declare -a BASE_DIRS	# list of absolute paths that should be directories
-
-# Check that a pre-existing symlink is correct
-check_sym() {
-	local path="$1" value="$2"
-	local real_path=$(readlink -f "${ROOT}${path}")
-	local real_value=$(readlink -f "${ROOT}${path%/*}/${value}")
-	if [[ -e "${read_path}" && "${read_path}" != "${read_value}" ]]; then
-		die "${path} is not a symlink to ${value}"
-	fi
-}
-
-pkg_setup() {
-	local libdirs=$(get_all_libdirs)
-
-	if [[ -z "${libdirs}" ]]; then
-		die "your DEFAULT_ABI=$DEFAULT_ABI appears to be invalid"
-	fi
-
-	# figure out which paths should be symlinks and which should be directories
-	local d
-	for d in bin sbin ${libdirs} ; do
-		if use symlink-usr; then
-			USR_SYMS["/$d"]="usr/$d"
-			BASE_DIRS+=( "/usr/$d" "/usr/local/$d" )
-		else
-			BASE_DIRS+=( "/$d" "/usr/$d" "/usr/local/$d" )
-		fi
-	done
+	cros_host? ( !coreos-base/coreos-init )
+"
 
-	# make sure any pre-existing symlinks map to the expected locations.
-	local sym
-	if use symlink-usr; then
-		for sym in "${!USR_SYMS[@]}" ; do
-			check_sym "${sym}" "${USR_SYMS[$sym]}"
-		done
-	fi
-}
-
-src_compile() {
+src_prepare() {
 	default
 
-	# generate a tmpfiles.d config to cover our /usr symlinks
-	if use symlink-usr; then
-		local tmpfiles="${T}/baselayout-usr.conf"
-		echo -n > ${tmpfiles} || die
-		for sym in "${!USR_SYMS[@]}" ; do
-			echo "L+	${sym}	-	-	-	-	${USR_SYMS[$sym]}" >> ${tmpfiles}
-		done
-	fi
-}
-
-src_install() {
-	dodir "${BASE_DIRS[@]}"
-
 	if use cros_host; then
-		# Since later systemd-tmpfiles --root is used only users from
-		# /etc/passwd are considered but we don't want to add core there
-		# because it would make emerge overwrite the system's database on
-		# installation when the SDK user is already there. Instead, just
-		# create the folder manually and remove the tmpfile directive.
-		rm "${S}/tmpfiles.d/baselayout-home.conf"
-		mkdir -p "${D}"/home/core
-		chown 500:500 "${D}"/home/core
+		# Undesirable in the SDK
+		rm -f lib/tmpfiles.d/baselayout-etc-profile-flatcar-profile.conf || die
+		# Provided by vim in the SDK
+		rm -f lib/tmpfiles.d/baselayout-etc-vim.conf || die
+		# Don't initialize /etc/passwd, group, and friends on boot.
+		rm -rf bin || die
+		rm -rf lib/systemd || die
+		# Inject custom SSL configuration required for signing
+		# payloads from the SDK container using OpenSSL.
+		mkdir -p etc/ssl || die
+		cp -a share/baselayout/pkcs11.cnf etc/ssl || die
 	else
-		# Initialize /etc/passwd, group, and friends now, so
-		# systemd-tmpfiles can resolve user information in ${D}
-		# rootfs.
-		bash "scripts/flatcar-tmpfiles" "${D}" "${S}/baselayout" || die
+		# Don't install /etc/issue since it is handled by coreos-init right now
+		rm -f lib/tmpfiles.d/baselayout-etc-issue.conf || die
 	fi
 
-	if use symlink-usr; then
-		dotmpfiles "${T}/baselayout-usr.conf"
-		systemd-tmpfiles --root="${D}" --create
+	# sssd not yet building on arm64
+	if use arm64; then
+		sed -i -e 's/ sss//' share/baselayout/nsswitch.conf || die
+		sed -i -e '/pam_sss.so/d' lib/pam.d/* || die
 	fi
 
-	emake DESTDIR="${D}" install
-
-	# Fill in all other paths defined in tmpfiles configs
-	systemd-tmpfiles --root="${D}" --create
-
-	# The above created a few mount points but leave those out of the
-	# package since they may be mounted read-only. postinst can make them.
-	local mnt
-	for mnt in "${MOUNT_POINTS[@]}"; do
-		rmdir "${D}${mnt}" || die
-	done
-
-	doenvd "env.d/99flatcar_ldpath"
-
 	# handle multilib paths.  do it here because we want this behavior
 	# regardless of the C library that you're using.  we do explicitly
 	# list paths which the native ldconfig searches, but this isn't
@@ -141,80 +63,51 @@ src_install() {
 	# path and the symlinked path doesn't change the resulting cache.
 	local libdir ldpaths
 	for libdir in $(get_all_libdirs) ; do
-		ldpaths+=":/${libdir}:/usr/${libdir}:/usr/local/${libdir}"
+		ldpaths+=":${EPREFIX}/usr/${libdir}"
+		ldpaths+=":${EPREFIX}/usr/local/${libdir}"
 	done
-	echo "LDPATH='${ldpaths#:}'" >> "${D}"/etc/env.d/00basic || die
+	echo "LDPATH='${ldpaths#:}'" >> etc/env.d/00basic || die
 
 	# Add oem/lib64 to search path towards end of the system's list.
 	# This simplifies the configuration of OEMs with dynamic libs.
 	ldpaths=
 	for libdir in $(get_all_libdirs) ; do
 		ldpaths+=":/oem/${libdir}"
 	done
-	echo "LDPATH='${ldpaths#:}'" >> "${D}"/etc/env.d/80oem || die
+	echo "LDPATH='${ldpaths#:}'" >> etc/env.d/80oem || die
+}
 
-	if ! use symlink-usr ; then
-		# modprobe uses /lib instead of /usr/lib
-		mv "${D}"/usr/lib/modprobe.d "${D}"/lib/modprobe.d || die
-	fi
+src_compile() {
+	local libdirs
 
-	if use arm64; then
-		sed -i 's/ sss//' "${D}"/usr/share/baselayout/nsswitch.conf || die
-	fi
+	libdirs=$(get_all_libdirs)
+	emake LIBDIRS="${libdirs}" all
+}
 
-	if use cros_host; then
-		# Provided by vim in the SDK
-		rm -r "${D}"/etc/vim || die
-		# Undesirable in the SDK
-		rm "${D}"/etc/profile.d/flatcar-profile.sh || die
-	else
-		# Don't install /etc/issue since it is handled by coreos-init right now
-		rm "${D}"/etc/issue || die
-		sed -i -e '/\/etc\/issue/d' \
-			"${D}"/usr/lib/tmpfiles.d/baselayout-etc.conf || die
-
-		# Initialize /etc/passwd, group, and friends on boot.
-		dosbin "scripts/flatcar-tmpfiles"
-		systemd_dounit "scripts/flatcar-tmpfiles.service"
-		systemd_enable_service sysinit.target flatcar-tmpfiles.service
-	fi
+src_install() {
+	emake DESTDIR="${ED}" install
+	# GID 190 is taken from acct-group/systemd-journal eclass
+	SYSTEMD_JOURNAL_GID=${ACCT_GROUP_SYSTEMD_JOURNAL_ID:-190} ROOT_UID=0 ROOT_GID=0 CORE_UID=500 CORE_GID=500 DESTDIR=${D} ./dumb-tmpfiles-proc.sh --exclude d "${ED}/usr/lib/tmpfiles.d" || die
+
+	insinto /usr/share/baselayout
+	doins Makefile
+	exeinto /usr/share/baselayout
+	doexe dumb-tmpfiles-proc.sh
+}
 
-	# sssd not yet building on arm64
-	if use arm64; then
-		sed -i -e '/pam_sss.so/d' "${D}"/usr/lib/pam.d/* || die
-	fi
+pkg_preinst() {
+	local libdirs
+	libdirs=$(get_all_libdirs)
+	emake -C "${ED}/usr/share/${PN}" DESTDIR="${EROOT}" LIBDIRS="${libdirs}" layout
+	SYSTEMD_JOURNAL_GID=${ACCT_GROUP_SYSTEMD_JOURNAL_ID:-190} ROOT_UID=0 ROOT_GID=0 CORE_UID=500 CORE_GID=500 DESTDIR=${D} "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" "${ED}/usr/lib/tmpfiles.d" || die
+	rm -f "${ED}/usr/share/${PN}/Makefile" "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" || die
 
-	if use cros_host; then
-		# inject custom SSL configuration required for signing payloads from the SDK container using OpenSSL.
-		insinto "/etc/ssl/"
-		doins "${S}/baselayout/pkcs11.cnf"
-	fi
+	# The default passwd/group files must exist for some ebuilds
+	touch "${ED}/etc/"{group,gshadow,passwd,shadow}
+	chmod 640 "${ED}/etc/"{gshadow,shadow}
 }
 
 pkg_postinst() {
-	# best-effort creation of mount points
-	local mnt
-	for mnt in "${MOUNT_POINTS[@]}"; do
-		[[ -d "${ROOT}${mnt}" ]] || mkdir "${ROOT}${mnt}"
-	done
-	# Set up /usr/lib/debug to match the root filesystem layout
-	# FIXME: This is done in postinst right now and all errors are ignored
-	# as a transitional scheme, this isn't important enough to migrate
-	# existing SDK environments.
-	local dir
-	for dir in "${BASE_DIRS[@]}"; do
-		mkdir -p "${ROOT}/usr/lib/debug/${dir}"
-	done
-	if use symlink-usr; then
-		for sym in "${!USR_SYMS[@]}" ; do
-			ln -sfT "${USR_SYMS[$sym]}" "${ROOT}/usr/lib/debug/${sym}"
-		done
-	fi
-	# The default passwd/group files must exist in the SDK for some ebuilds
-	if use cros_host; then
-		touch "${ROOT}/etc/"{group,gshadow,passwd,shadow}
-		chmod 640 "${ROOT}/etc/"{gshadow,shadow}
-	fi
 	# compat symlink for packages that haven't migrated to gentoo-functions
 	local func=../../lib/gentoo/functions.sh
 	if [[ "$(readlink "${ROOT}/etc/init.d/functions.sh")" != "${func}" ]]; then