Closed
This moves the systemd unit enabling to the image build scripts to make the ebuild less Flatcar-specific. Unfortunately, Clevis is still very automagic, resulting in a poor quality ebuild. Improving this was actually the very first thing I tried to do for Flatcar back in 2022, 1½ years before I joined the team. I will try to revive this effort soon, and then we can maybe get the package upstreamed to Gentoo.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

This is no longer needed by app-crypt/clevis. It seemingly wasn't explicitly included in Flatcar.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

This was only required by dev-libs/libpwquality, which has been dropped.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Contributor
Author
On second thoughts, I want to tame Clevis a bit first. The pkcs11 module should actually depend on pcsc-lite. We have this in our repo for the SDK, but we don't actually install it in the image. If it is installed, it bloats the initrd too much.
Build action triggered: https://github.com/flatcar/scripts/actions/runs/13922264193
Member
Yeah, I think pcsc-lite was added to SDK purely for release engineering stuff.
app-crypt/clevis: Version bump to 21
This moves the systemd unit enabling to the image build scripts to make the ebuild less Flatcar-specific.
Unfortunately, Clevis is still very automagic, resulting in a poor quality ebuild. Improving this was actually the very first thing I tried to do for Flatcar back in 2022, 1½ years before I joined the team. I will try to revive this effort soon, and then we can maybe get the package upstreamed to Gentoo.
This also drops dev-libs/libpwquality and sys-libs/cracklib, which are no longer needed. They seemingly weren't explicitly included in Flatcar.
How to use
Admittedly, I don't know much about Clevis, so I'm trusting CI.
Testing done
A QEMU-only Jenkins run passed successfully. We appear to have some Clevis-specific tests.
Size-wise, unfortunately this adds awk and socat to the initrd, which inflates it by 1,322KB uncompressed. These are needed by the new pkcs11 Clevis module. We could prevent that from being installed, but the automagic nature of Clevis currently makes this awkward. Users may also find this feature useful. I looked into replacing its awk usage with sed, but I realised that the later releases of Dracut itself also install awk. The good news is that we're still within the limit, and for some unexplained reason, the arm64 kernel actually shrank considerably between 4186 and 4230. The size reported by this new build is still smaller than it previously was since 3815. I think we'll be okay between now and when I ultimately resolve these size limitations.
changelog/ directory (user-facing change, bug fix, security fix, update)
/boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.