flatcar · tormath1 · May 19, 2025 · May 14, 2025 · May 14, 2025 · May 14, 2025
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -8,10 +8,13 @@ acct-group/disk
 acct-group/dnsmasq
 acct-group/docker
 acct-group/floppy
+acct-group/incus
+acct-group/incus-admin
 acct-group/input
 acct-group/kmem
 acct-group/kvm
 acct-group/lp
+acct-group/lxc
 acct-group/man
 acct-group/messagebus
 acct-group/named
@@ -45,6 +48,7 @@ acct-group/video
 acct-group/wheel
 
 acct-user/dnsmasq
+acct-user/lxc
 acct-user/man
 acct-user/messagebus
 acct-user/named
@@ -116,6 +120,8 @@ app-containers/crun
 app-containers/docker
 app-containers/docker-buildx
 app-containers/docker-cli
+app-containers/incus
+app-containers/lxc
 app-containers/netavark
 app-containers/podman
 app-containers/runc
@@ -226,6 +232,7 @@ dev-lang/tcl
 dev-lang/yasm
 
 dev-libs/cJSON
+dev-libs/cowsql
 dev-libs/cyrus-sasl
 dev-libs/dbus-glib
 dev-libs/ding-libs
@@ -278,6 +285,7 @@ dev-libs/opensc
 dev-libs/openssl
 dev-libs/popt
 dev-libs/protobuf
+dev-libs/raft
 dev-libs/tree-sitter
 dev-libs/tree-sitter-bash
 dev-libs/userspace-rcu
@@ -371,6 +379,7 @@ dev-util/perf
 dev-util/pkgcheck
 dev-util/pkgconf
 dev-util/re2c
+dev-util/xdelta
 
 dev-vcs/git
 
@@ -658,6 +667,7 @@ sys-fs/fuse-common
 sys-fs/fuse-overlayfs
 sys-fs/lsscsi
 sys-fs/lvm2
+sys-fs/lxcfs
 sys-fs/mdadm
 sys-fs/mtools
 sys-fs/multipath-tools

diff --git a/build_library/extra_sysexts.sh b/build_library/extra_sysexts.sh
@@ -1,13 +1,14 @@
 EXTRA_SYSEXTS=(
-  "zfs|sys-fs/zfs"
-  "podman|app-containers/podman,net-misc/passt"
-  "python|dev-lang/python,dev-python/pip"
+  "incus|app-containers/incus"
   "nvidia-drivers-535|x11-drivers/nvidia-drivers:0/535|-kernel-open persistenced|amd64"
   "nvidia-drivers-535-open|x11-drivers/nvidia-drivers:0/535|kernel-open persistenced|amd64"
   "nvidia-drivers-550|x11-drivers/nvidia-drivers:0/550|-kernel-open persistenced|amd64"
   "nvidia-drivers-550-open|x11-drivers/nvidia-drivers:0/550|kernel-open persistenced|amd64"
   "nvidia-drivers-570|x11-drivers/nvidia-drivers:0/570|-kernel-open persistenced|amd64"
   "nvidia-drivers-570-open|x11-drivers/nvidia-drivers:0/570|kernel-open persistenced|amd64"
+  "podman|app-containers/podman,net-misc/passt"
+  "python|dev-lang/python,dev-python/pip"
+  "zfs|sys-fs/zfs"
 )
 
 _get_unversioned_sysext_packages_unsorted() {

diff --git a/build_library/sysext_mangle_flatcar-incus b/build_library/sysext_mangle_flatcar-incus
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -euo pipefail
+rootfs="${1}"
+
+pushd "${rootfs}"
+
+pushd ./usr/lib/systemd/system
+mkdir -p "multi-user.target.d"
+{ echo "[Unit]"; echo "Upholds=incus.service"; } > "multi-user.target.d/10-incus.conf"
+popd
+
+mkdir -p ./usr/lib/tmpfiles.d
+pushd ./usr/lib/tmpfiles.d
+cat <<EOF >./10-incus.conf
+d  /var/lib/lxc/rootfs	0755  root  root  -  -
+w+ /etc/subuid - - - - root:1065536:65536
+w+ /etc/subgid - - - - root:1065536:65536
+EOF
+popd
+
+# Add 'core' user to 'incus-admin' group to avoid prefixing
+# all commands with sudo.
+mkdir -p ./usr/lib/userdb/
+echo " " > ./usr/lib/userdb/core:incus-admin.membership
+
+popd
+
diff --git a/changelog/changes/2025-05-14-incus.md b/changelog/changes/2025-05-14-incus.md
@@ -0,0 +1 @@
+- Provided an Incus Flatcar extension as optional systemd-sysext image with the release. Write 'incus' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning. ([scripts#1655](https://github.com/flatcar/scripts/pull/1655))
diff --git a/...-packages/board-packages-0.0.1-r16.ebuild → ...-packages/board-packages-0.0.1-r17.ebuild b/...-packages/board-packages-0.0.1-r16.ebuild → ...-packages/board-packages-0.0.1-r17.ebuild
diff --git a/...er/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/...er/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -30,8 +30,9 @@ RDEPEND="
 	sys-boot/shim-signed
 	app-containers/containerd
 	app-containers/docker
-	app-containers/docker-cli
 	app-containers/docker-buildx
+	app-containers/docker-cli
+	app-containers/incus
 	app-emulation/amazon-ssm-agent
 	app-emulation/hv-daemons
 	app-emulation/wa-linux-agent

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus
@@ -0,0 +1,13 @@
+# This is used to convert regular user / group entries to
+# userdb entries (in JSON format) to later be consumed by userdbd
+# when loading the sysext image on the instance.
+# The user / groups will be created dynamically and if the sysext image is
+# removed the entries will be removed as well.
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus-admin b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus-admin
@@ -0,0 +1,13 @@
+# This is used to convert regular user / group entries to
+# userdb entries (in JSON format) to later be consumed by userdbd
+# when loading the sysext image on the instance.
+# The user / groups will be created dynamically and if the sysext image is
+# removed the entries will be removed as well.
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/lxc b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/lxc
@@ -0,0 +1,13 @@
+# This is used to convert regular user / group entries to
+# userdb entries (in JSON format) to later be consumed by userdbd
+# when loading the sysext image on the instance.
+# The user / groups will be created dynamically and if the sysext image is
+# removed the entries will be removed as well.
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/incus b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/incus
@@ -0,0 +1,3 @@
+cros_pre_src_compile_pkgconfig() {
+	export PKG_CONFIG="$(tc-getPKG_CONFIG)"
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -16,6 +16,10 @@
 # Needed to address CVE-2025-24965.
 =app-containers/crun-1.20 ~amd64 ~arm64
 
+# Keep versions on both arches in sync.
+=app-containers/lxc-6.0.3 ~arm64
+=app-containers/incus-6.0.3-r2 ~arm64
+
 # No stable keywords.
 =app-containers/syft-1.18.1 ~amd64 ~arm64
 
@@ -41,17 +45,24 @@
 # Keep versions on both arches in sync.
 =dev-lang/yasm-1.3.0-r1 ~arm64
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
+=dev-libs/cowsql-1.15.7 ~arm64
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
 =dev-libs/luksmeta-9-r1 **
 
+# Keep versions on both arches in sync.
+=dev-libs/raft-0.22.1 ~arm64
+
 # No arm64 keyword in package.
 =dev-util/bsdiff-4.3-r4 **
 
 # Catalyst 4 is not stable yet, but earlier versions are masked now.
 =dev-util/catalyst-4.0.0 ~amd64 ~arm64
 
+# Keep versions on both arches in sync.
+=dev-util/xdelta-3.0.11-r1 ~arm64
+
 # Needed to address CVE-2025-31498.
 =net-dns/c-ares-1.34.5 ~amd64 ~arm64
 
@@ -99,5 +110,6 @@ sys-apps/azure-vm-utils
 
 # Keep versions on both arches in sync.
 =sys-fs/fuse-3.17.2 ~arm64
+=sys-fs/lxcfs-6.0.3-r1 ~arm64
 =sys-libs/libsemanage-3.7 ~arm64
 =sys-process/audit-4.0.2-r1 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -176,3 +176,19 @@ sys-apps/systemd -gcrypt
 
 # Make dracut module available for initrd build.
 sys-apps/azure-vm-utils dracut
+
+# Enable SELinux for lxc
+app-containers/lxc selinux
+
+# required by app-containers/incus-6.0.3-r1::portage-stable
+# required by incus (argument)
+dev-libs/raft lz4
+
+# required by app-containers/incus-6.0.3-r1::portage-stable
+# required by incus (argument)
+dev-util/xdelta lzma
+
+# required by app-containers/lxc-6.0.3::portage-stable[tools,caps]
+# required by app-containers/incus-6.0.3-r1::portage-stable
+# required by incus (argument)
+sys-libs/libcap static-libs
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/incus-admin/incus-admin-0.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/incus-admin/incus-admin-0.ebuild
@@ -0,0 +1,9 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=533
+DESCRIPTION="Group for app-containers/incus"
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/incus-admin/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/incus-admin/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/incus/incus-0.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/incus/incus-0.ebuild
@@ -0,0 +1,9 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=532
+DESCRIPTION="Group for app-containers/incus"
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/incus/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/incus/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/lxc/lxc-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/lxc/lxc-0-r2.ebuild
@@ -0,0 +1,9 @@
+# Copyright 2021-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=358
+DESCRIPTION="Group for app-containers/lxc"
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/lxc/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/lxc/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/lxc/lxc-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-user/lxc/lxc-0-r2.ebuild
@@ -0,0 +1,12 @@
+# Copyright 2021-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-user
+
+DESCRIPTION="User for app-containers/lxc"
+ACCT_USER_ID=358
+ACCT_USER_GROUPS=( lxc )
+
+acct-user_add_deps
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/lxc/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-user/lxc/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/incus/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/incus/Manifest
@@ -0,0 +1,10 @@
+DIST incus-6.0.3.tar.xz 11916020 BLAKE2B d3d998bd50124604c52ff007eefed586c216ce1a0a77d45724fd489db1d93f2fa304f5d6e1c368ff2dd4d1170b24605fd24bbf2a6e4506207686ca392936c200 SHA512 6a879e6634cf545b4c427800d923a32e5fe58a6eaf220ad8d0cb08e0ced5e6c4be09274ae095bb9dae25a55445462ea83d3d9235f67bbb9896944f596bf17e1a
+DIST incus-6.0.3.tar.xz.asc 833 BLAKE2B 38835ab036709161150992cb40df4ff1ae1887d4f3e0b037d0415f75d2bb711cb3c5945bffe1b91d289acfb7e19e726964278e5c2ab31731ba9f7534f139dec7 SHA512 7d5360ab91aafe1d047a60e38a07e24c3c7b158e753087a943ec5e59d6a27c19a872080c9007b6cf592040d3408845bc188d76f6e732408d0680a3782cebce47
+DIST incus-6.0.4.tar.xz 12000208 BLAKE2B 99a4ba40d2eea48515b88f4534c282adc925fe1b5487dc98901f000894b3781aec89f617d2246314cf9a95a7d65531e486c4092f8939722e1b3c2bf7d33063c8 SHA512 14a5cdad3f9365d58e526c8f451d9e7a57729010073caff31256e0b94d28206adc82ead4820278e7eac17b74d22a76d9f3b9f5f8424ddbfa6b74a5cea13e019f
+DIST incus-6.0.4.tar.xz.asc 833 BLAKE2B 96c94cde55cd2e9f7f28db7adb098adf4895437d300dfd42aeac540cdab6677fb604831c28f40f8581e60b89b228557d81696cd64950a1c2147b445a5ec58b30 SHA512 1ef2063eab424467c805f8c86b5b0caca848f46d2ef7ebf602049fe32ee15a7e1006d5a2710b355604aef73802b4333cd0428c772e1c5fc4da588c2cd7ee1694
+DIST incus-6.10.1.tar.xz 18023076 BLAKE2B c35c7a81448b17db6db8959458c23a58392d9e3dcfedaf6d1094964c0c35d46d551a4d6cbaab93cde4b9006bdeb064dcc50148fc2cded6c9ca122f635dab58cd SHA512 12566fef798b34e3d1f3abe4bebada50a99f0e30fd33e1c5ffab458a2ebdac484650e6bf35a48bc4680669d24c9fd912b549e43ed01318bdac52d1b1767cb275
+DIST incus-6.10.1.tar.xz.asc 833 BLAKE2B 2e2de67bae59502fdad66a7ac5b7771d4e305f87e4b3e35bc829a73bd053a7ca8256f9bfa8e4c2fc6ee2268cdc8bd9b9bac7ed319e5cda14829daeaa39108b51 SHA512 4f00405913b0d04a0eec407756928e59e477ecf4dfc07b063a13fc5683fcc6e18efe1d2947a6b9c12e5fb1b64d39dc076f4a41da129fe132d30e7cfc23af80a4
+DIST incus-6.11.tar.xz 11997736 BLAKE2B 8764c1189fceeb65caedc0b9cf562f8f78a4e905101022c4efe98693ed70ef069b580d10f74e1830e0225a5332b5b37a9068c636aec738a6496a01430d6074c3 SHA512 0d52e71ce55aa59bb2b3a4c9f7926d43a6dfae1809d42c2c0c591019eaef648a4e15159a826de382e06149aa3488d60c283f69055335124d85597199d231367f
+DIST incus-6.11.tar.xz.asc 833 BLAKE2B b399138638c2c503600b29899b81a4ce691af2ad16ab2d8f8994c92e317e0b48dc2021095346e9784f58a631b724c134186be026acb06fb9a63a01cc0d1cb970 SHA512 f2b108129fe3111e184544b4fce8d5503b59764b202582c901699602d3a7434e3876684ad0f625b7beeb8ca92e6cd9468ced804bcbb8e00336d48d4bce4de1fe
+DIST incus-6.12.tar.xz 12041616 BLAKE2B 25bb157839a6d86f45614f71cb8f61ec2d92ca96322e90dc9d4f47603aee8b246621b941cd223a3c9007bbb4dbb65ffe432a72d2e7af5fefae40bc398406424b SHA512 1234f54965f2b50fa04c286405dd3b7dcbf86f88f91dd38476695a57961dd13fbc8da3c698ce1c254da71239b4af64fda25b9de7c6db017e7728b5bc4db52bf4
+DIST incus-6.12.tar.xz.asc 833 BLAKE2B e74dbefea68db25458da3956e6b5fc99b2cc861d9a20c5d10a9fa2d1803068b2b36a350d35960bfb289e9e1e747baa8bc5d2fdb0a93fcfb8ee7b0ffcd65befe7 SHA512 11f63160366a17d7d2679eb52f318d3c0e2a6d91a76c968d6483db9fb45892006d831f85e30bedfa9237a55d9b517458b01c3d1311e7e5f9ea1c3b3bbc18975a
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.service b/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Incus - main daemon
+After=network-online.target lxcfs.service incus.socket
+Requires=network-online.target lxcfs.service incus.socket
+
+[Service]
+EnvironmentFile=-/etc/environment
+ExecStart=/usr/sbin/incusd --group incus-admin --syslog
+ExecStartPost=/usr/sbin/incusd waitready --timeout=600
+ExecStartPre=/bin/mkdir -p /var/log/incus
+ExecStartPre=/bin/chown -R root:incus-admin /var/log/incus
+KillMode=process
+PermissionsStartOnly=true
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+LimitNOFILE=1048576
+LimitNPROC=infinity
+TasksMax=infinity
+
+[Install]
+Also=incus-startup.service incus.socket
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.socket b/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Incus - Daemon (unix socket)
+
+[Socket]
+ListenStream=/var/lib/incus/unix.socket
+SocketGroup=incus-admin
+SocketMode=0660
+Service=incus.service
+
+[Install]
+WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-6.0.confd b/sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-6.0.confd
@@ -0,0 +1,27 @@
+## "INCUS_OPTIONS+=" is not POSIX-compliant, so we use
+## "INCUS_OPTIONS="${INCUS_OPTIONS}"" to not rely on bashmisms.
+## bgo#929138
+
+# Group which owns the shared socket
+INCUS_OPTIONS="${INCUS_OPTIONS} --group incus-admin"
+
+# Enable cpu profiling into the specified file
+#INCUS_OPTIONS="${INCUS_OPTIONS} --cpuprofile /tmp/lxc_cpu_profile"
+
+# Enable memory profiling into the specified file
+#INCUS_OPTIONS="${INCUS_OPTIONS} --memprofile /tmp/lxc_mem_profile"
+
+# Enable debug mode
+#INCUS_OPTIONS="${INCUS_OPTIONS} --debug"
+
+# For debugging, print a complete stack trace every n seconds
+#INCUS_OPTIONS="${INCUS_OPTIONS} --print-goroutines-every 5"
+
+# Enable verbose mode
+#INCUS_OPTIONS="${INCUS_OPTIONS} -v"
+
+# Logfile to log to
+#INCUS_OPTIONS="${INCUS_OPTIONS} --logfile /var/log/incus/incus.log"
+
+# Enable syslog logging
+#INCUS_OPTIONS="${INCUS_OPTIONS} --syslog"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Provided an Incus Flatcar extension as optional systemd-sysext image with the release. Write 'incus' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning. ([scripts#1655](https://github.com/flatcar/scripts/pull/1655))