Merge pull request #2835 from flatcar/chewi/pre-dracut

Various changes in preparation for upgrading Dracut

Author: chewi

build_dev_binpkgs

@@ -19,18 +19,18 @@ skip_packages_default="dev-lang/rust,dev-lang/rust-bin,dev-lang/go,dev-lang/go-b
 # Developer-visible flags.
 DEFINE_string board "${DEFAULT_BOARD}" \
   "The board to build packages for."
-DEFINE_string skip_packages "${skip_packages_default[@]}" \
+DEFINE_string skip_packages "${skip_packages_default}" \
   "Comma-separated list of packages in the dependency tree to skip."
 DEFINE_boolean pretend "${FLAGS_FALSE}" \
-	"List packages that would be built but do not actually build."
+  "List packages that would be built but do not actually build."
 
-FLAGS_HELP="usage: $(basename $0) [flags] [packages]
+FLAGS_HELP="usage: $(basename "$0") [flags] [packages]
 
 build_dev_binpkgs builds binary packages for all dependencies of [packages]
 that are not present in '/build/<board>/var/lib/portage/pkgs/'.
 Useful for publishing a complete set of packages to a binhost.
 
-[packages] defaults to '${packages_default}' if not specified.
+[packages] defaults to '${packages_default[*]}' if not specified.
 "
 
 # Parse command line
@@ -46,43 +46,42 @@ fi
 # --
 
 function my_board_emerge() {
-	PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
+  PORTAGE_CONFIGROOT="/build/${FLAGS_board}" SYSROOT="${SYSROOT:-/build/${FLAGS_board}}" ROOT="/build/${FLAGS_board}" sudo -E emerge "${@}"
 }
 # --
 
-pkg_build_list="$(mktemp)"
-pkg_skipped_list="${pkg_build_list}-skip"
-trap 'rm -f "${pkg_build_list}" "${pkg_skipped_list}"' EXIT
+pkg_build_list=()
+pkg_skipped_list=()
 
 info "Collecting list of binpkgs to build"
 
-my_board_emerge --pretend --emptytree ${@}  \
-  | grep '\[ebuild' \
-  | sed 's/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/' \
-  | while read pkg; do
-  if [ -f "/build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2" ] ; then
-		continue
-	fi
-  skip=""
-  for s in ${FLAGS_skip_packages//,/ }; do
-    if [[ ${pkg} = ${s}-* ]] ; then
-    	echo -n "${pkg} " >> "${pkg_skipped_list}"
-        skip="true"
-        break
+# Normally, BDEPENDs are only installed to the SDK, but the point of this script
+# is to install them to the board root because the dev container uses a board
+# profile. This is easily achieved using --root-deps. Since it is still the SDK
+# doing the building, which might have different package versions available to
+# the board profile, we have to be careful not to include SDK BDEPENDs in the
+# list of binary packages to publish, hence the sed call.
+while read -r pkg; do
+  [[ -f /build/${FLAGS_board}/var/lib/portage/pkgs/${pkg}.tbz2 ]] && continue
+  IFS=,
+  for s in ${FLAGS_skip_packages}; do
+    if [[ ${pkg} == ${s}-* ]] ; then
+      pkg_skipped_list+=("${pkg}")
+      continue 2
     fi
   done
-  [[ -z ${skip} ]] || continue
-  echo "=${pkg}" | tee -a "${pkg_build_list}" | sed 's/^/      /'
-done
+  unset IFS
+  pkg_build_list+=("=${pkg}")
+  echo "      =${pkg}"
+done < <(my_board_emerge --pretend --emptytree --root-deps "${@}" |
+         sed -n "/\[ebuild .* to \/build\/${FLAGS_board}\/ /s/^\[[^]]\+\] \([^ :]\+\)*:.*/\1/p")
 # --
 
-if [ -f "${pkg_skipped_list}" ] ; then
-  info "Skipping binpkgs '$(cat "${pkg_skipped_list}")' because these are in the skip list."
+if [[ ${#pkg_skipped_list[@]} -gt 0 ]]; then
+  info "Skipping binpkgs '${pkg_skipped_list[*]}' because these are in the skip list."
 fi
 
 pretend=""
-if [[ "${FLAGS_pretend}" -eq "${FLAGS_TRUE}" ]]; then
-	pretend="--pretend"
-fi
+[[ ${FLAGS_pretend} -eq ${FLAGS_TRUE} ]] && pretend="--pretend"
 
-my_board_emerge --buildpkg ${pretend} $(cat "${pkg_build_list}")
+my_board_emerge --buildpkg ${pretend} "${pkg_build_list[@]}"

build_library/extract-initramfs-from-vmlinuz.sh

@@ -7,51 +7,35 @@
 # This will create one or more out-dir/rootfs-N directories that contain the contents of the initramfs.
 
 set -euo pipefail
-# check for unzstd. Will abort the script with an error message if the tool is not present.
-unzstd -V >/dev/null
+
+# check for xzcat. Will abort the script with an error message if the tool is not present.
+xzcat -V >/dev/null
+
 fail() {
     echo "${*}" >&2
     exit 1
 }
 
-# Stolen from extract-vmlinux and modified.
-try_decompress() {
-    local header="${1}"
-    local no_idea="${2}"
-    local tool="${3}"
-    local image="${4}"
-    local tmp="${5}"
-    local output_basename="${6}"
-
-    local pos
-    local tool_filename=$(echo "${tool}" | cut -f1 -d' ')
-    # The obscure use of the "tr" filter is to work around older versions of
-    # "grep" that report the byte offset of the line instead of the pattern.
+find_xz_headers() {
+    grep --fixed-strings --text --byte-offset --only-matching $'\xFD\x37\x7A\x58\x5A\x00' "$1" | cut -d: -f1
+}
 
-    # Try to find the header and decompress from here.
-    for pos in $(tr "${header}\n${no_idea}" "\n${no_idea}=" < "${image}" |
-                     grep --text --byte-offset --only-matching "^${no_idea}")
-    do
-        pos=${pos%%:*}
-        # Disable error handling, because we will be potentially
-        # giving the tool garbage or a valid archive with some garbage
-        # appended to it. So let the tool extract the valid archive
-        # and then complain about the garbage at the end, but don't
-        # fail the script because of it.
-        set +e; tail "-c+${pos}" "${image}" | "${tool}" >"${tmp}/out" 2>/dev/null; set -e;
-        if [ -s "${tmp}/out" ]; then
-            mv "${tmp}/out" "${output_basename}-${tool_filename}-at-${pos}"
-        else
-            rm -f "${tmp}/out"
-        fi
-    done
+decompress_at() {
+    # Data may not really be a valid xz, so allow for errors.
+    tail "-c+$((${2%:*} + 1))" "$1" | xzcat 2>/dev/null || true
 }
 
-try_unzstd_decompress() {
-    local image="${1}"
-    local tmp="${2}"
-    local output_basename="${3}"
-    try_decompress '(\265/\375' xxx unzstd "${image}" "${tmp}" "${output_basename}"
+try_extract() {
+    # cpio can do strange things when given garbage, so do a basic check.
+    [[ $(head -c6 "$1") == 070701 ]] || return 0
+
+    # There may be multiple concatenated archives so try cpio till it fails.
+    while cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' 2>/dev/null; do
+        ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
+    done < "$1"
+
+    # Last cpio attempt may or may not leave an empty directory.
+    rmdir "${out}/rootfs-${ROOTFS_IDX}" 2>/dev/null || ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
 }
 
 me="${0##*/}"
@@ -65,37 +49,22 @@ if [[ ! -s "${image}" ]]; then
 fi
 mkdir -p "${out}"
 
-tmp=$(mktemp --directory /tmp/eifv-XXXXXX)
-trap "rm -rf ${tmp}" EXIT
+tmp=$(mktemp --directory eifv-XXXXXX)
+trap 'rm -rf -- "${tmp}"' EXIT
+ROOTFS_IDX=0
 
-tmp_dec="${tmp}/decompress"
-mkdir "${tmp_dec}"
-fr_prefix="${tmp}/first-round"
+# arm64 kernels are not compressed, so try decompressing once.
+# Other kernels are compressed, so also try decompressing twice.
+for OFF1 in $(find_xz_headers "${image}")
+do
+    decompress_at "${image}" "${OFF1}" > "${tmp}/initrd.maybe_cpio_or_elf"
+    try_extract "${tmp}/initrd.maybe_cpio_or_elf"
 
-ROOTFS_IDX=0
-perform_round() {
-    local image="${1}"
-    local tmp_dec="${2}"
-    local round_prefix="${3}"
-    try_unzstd_decompress "${image}" "${tmp_dec}" "${round_prefix}"
-    for rnd in "${round_prefix}"*; do
-        if [[ $(file --brief "${rnd}") =~ 'cpio archive' ]]; then
-            mkdir -p "${out}/rootfs-${ROOTFS_IDX}"
-            # On Linux 6.10, the first rootfs is an extra ghost rootfs of 336K, that has a corrupted CPIO
-            cpio --quiet --extract --make-directories --directory="${out}/rootfs-${ROOTFS_IDX}" --nonmatching 'dev/*' < $rnd || true
-            ROOTFS_IDX=$(( ROOTFS_IDX + 1 ))
-        fi
+    for OFF2 in $(find_xz_headers "${tmp}/initrd.maybe_cpio_or_elf")
+    do
+        decompress_at "${tmp}/initrd.maybe_cpio_or_elf" "${OFF2}" > "${tmp}/initrd.maybe_cpio"
+        try_extract "${tmp}/initrd.maybe_cpio"
     done
-}
-
-shopt -s nullglob
-perform_round "${image}" "${tmp_dec}" "${fr_prefix}"
-for fr in "${fr_prefix}"*; do
-    fr_files="${fr}-files"
-    fr_dec="${fr_files}/decompress"
-    mkdir -p "${fr_dec}"
-    sr_prefix="${fr_files}/second-round"
-    perform_round "${fr}" "${fr_dec}" "${sr_prefix}"
 done
 
 if [[ ${ROOTFS_IDX} -eq 0 ]]; then

changelog/changes/2025-04-17-vmlinuz-compression.md

@@ -0,0 +1 @@
+- The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords

@@ -0,0 +1,2 @@
+# Temporarily put the SDK version ahead for sd-json support in Dracut.
+=sys-apps/systemd-257.5 ~amd64 ~arm64

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest

@@ -1 +1,2 @@
 DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681
+DIST systemd-257.5.tar.gz 16232112 BLAKE2B 142baef9b09217ea117ac09923604f7520a36d4c63cf04a78d1c4fbf7b057b977f5c77418168c0308a8dc6b48ccc6324438f30c87de8642e8e9cf12b47f90475 SHA512 9e5352c20c9edac53f302a534532035185139998628ed0a85411f440df47f1dd7cce6651aec787484809bb1aa2825008d062714c37936cbfd08451fbe29a998f

sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch

@@ -0,0 +1,92 @@
+From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury <[email protected]>
+Date: Fri, 16 Dec 2022 16:28:26 +0530
+Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+
+This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
+
+This is to work around a SELinux denial that happens when setting up standard
+input for serial consoles (which is used for SSH connections).
+
+Signed-off-by: Sayan Chowdhury <[email protected]>
+---
+ units/console-getty.service.in    | 4 +---
+ units/[email protected] | 4 +---
+ units/[email protected]           | 4 +---
+ units/[email protected]    | 4 +---
+ 4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/units/console-getty.service.in b/units/console-getty.service.in
+index 33e6368db1..1f2d8b910f 100644
+--- a/units/console-getty.service.in
++++ b/units/console-getty.service.in
+@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
+ Type=idle
+ Restart=always
+ UtmpIdentifier=cons
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/console
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index 7573532d6d..5f27653d1f 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -27,13 +27,11 @@ Before=rescue.service
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
+ Type=idle
+ Restart=always
+ RestartSec=0
+ UtmpIdentifier=pts/%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/pts/%I
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index f30bba406d..1819627d1c 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -36,13 +36,11 @@ ConditionPathExists=/dev/tty0
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
+ Type=idle
+ Restart=always
+ RestartSec=0
+ UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/%I
+ TTYReset=yes
+ TTYVHangup=yes
+diff --git a/units/[email protected] b/units/[email protected]
+index 20a5eb2754..ba4cbc0edb 100644
+--- a/units/[email protected]
++++ b/units/[email protected]
+@@ -32,12 +32,10 @@ Before=rescue.service
+ [Service]
+ # The '-o' option value tells agetty to replace 'login' arguments with '--' for
+ # safety, and then the entered username.
+-ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
++ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
+ Type=idle
+ Restart=always
+ UtmpIdentifier=%I
+-StandardInput=tty
+-StandardOutput=tty
+ TTYPath=/dev/%I
+ TTYReset=yes
+ TTYVHangup=yes