Since Amazon provides NTP servers within their network, this should
be far superior to using the default NTP pools; and since the service
is provided by Amazon there's very little risk in enabling it by
default. (If someone is able to compromise Amazon's NTP servers and
exploit them to attack EC2 instances, they would almost certainly be
able to compromise EC2 instances even without ntpd running...)
MFC after: 1 week
Relnotes: EC2 instances now keep their clocks synchronized using
the Amazon Time Sync Service (aka. NTP).
EC2 instances are normally launched with an SSH public key specified,
which is then used for logging in (by default, as 'ec2-user'). Having
ChallengeResponseAuthentication enabled (as FreeBSD's default sshd_config
does) has no functional effect in a new EC2 instance, since you can't log
in using a password until a password has been set -- but having this
enabled results in alerts from automated scanning tools which can detect
that sshd advertises support for keyboard-interactive logins (since they
can't detect that accounts have no password set).
EC2 users who want to use passwords to log in to their instances will need
to set 'ChallengeResponseAuthentication yes' in FreeBSD 12.0 and later.
Discussed with: gjb, gtetlow, emaste, des
Requested by: Amazon
X-MFC: No
Relnotes: ChallengeResponseAuthentication is turned off by default in
Amazon EC2 AMIs.
EMBEDDEDPORTS. [1]
Remove and update stale documentation from release(7) while here.
PR: 206344 [1]
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
chroot(8) to avoid mtime changes within the ports checkout,
which can cause checksum differences.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
copied from the build host. It is renamed to /etc/resolv.conf.bak
on boot, so never used anyway.
Noticed by: peter
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
Initially, only tag files that use BSD 4-Clause "Original" license.
RelNotes: yes
Differential Revision: https://reviews.freebsd.org/D13133
not already exist within ${CHROOTDIR}. This allows re-using a build
chroot with CHROOTBUILD_SKIP set to a non-empty value and CHROOTDIR
set to '/' in release.conf.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
The u-boot port for RPI-2 was updated to use u-boot-master, this cause
an update in u-boot version to v2017.09 and changing the filename.
The various firmware files for the RPI* are now in a common ports
sysutils/rpi-firmware as they are shared on all the RPI version.
Update the release files to copy the right files from the right location.
Reviewed by: gjb
MFC after: 3 days
THe u-boot port for RPI-B was updated to use u-boot-master, this cause
an update in u-boot version to v2017.09 and changing the filename.
The various firmware files for the RPI* are now in a common ports
sysutils/rpi-firmware as they are shared on all the RPI version.
Update the release files to copy the right files from the right location.
Reviewed by: gjb
MFC after: 3 days
Update the TARGET/TARGET_ARCH matching in release/release.sh and
release/Makefile.mirrors for simplification.
Discussed with: mmel
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
ubldr is the non-pie version of ubldr.bin, do not install two
copies of the same binary. This will allow us to remove ubldr
in the future.
All the u-boot ports know how to load ubldr.bin
Reviewed by: gjb (earlier version)
make(1) invocations following the OBJDIR restructuring to
ensure the output arm SoC image is in the correct directory.
Sponsored by: The FreeBSD Foundation
This changes the build OBJDIR from the older style of /usr/obj/<srcdir> for
native builds, and /usr/obj/<target>.<target_arch>/<srcdir> for cross builds to
a new simpler format of /usr/obj/<srcdir>/<target>.<target_arch>. This
new format is used regardless of cross or native build. It allows
easier management of multiple source tree object directories.
The UNIFIED_OBJDIR option will be removed and its feature made permanent
for the 12.0 release.
Relnotes: yes (don't note UNIFIED_OBJDIR option since it will be removed)
Prior work: D3711 D874
Reviewed by: gjb, sjg
Discussed at: https://lists.freebsd.org/pipermail/freebsd-arch/2016-May/017805.html
Discussed with: emaste
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12840
immediately available on instances which are running without internet
access (or which can't rely on firstboot_pkgs to install it for some
other reason).
Note that this agent is not enabled by default; to enable it, add
amazon_ssm_agent_enable="YES" to /etc/rc.conf, e.g., by placing the lines
>>/etc/rc.conf
amazon_ssm_agent_enable="YES"
into the EC2 user-data. In addition to being enabled, the agent requires
keys to be provided via IAM Roles; users are encouraged to be very careful
in using this functionality due to the inherent vulnerability in the idea
of providing credentials via a service accessible to any process which can
open an HTTP connection.
Requested by: Amazon
No objection from: re@
Relnotes: FreeBSD/EC2 AMIs now include the Amazon EC2 Systems Manager
(SSM) Agent.
A recent bug in security/sudo causes segmentation faults when
the system is not configured with a hostname, which causes issues
with some virtual machine setups, notably Vagrant. Set the default
hostname to the output of 'uname -o'.
Submitted by: Nicholas Fiorentini
Sponsored by: The FreeBSD Foundation
The original change was dealing with the build wanting to run a newer
install(1) that was not yet installed. The solution to look into the private
legacy directory of the existing build conflicts with 2 upcoming features: a
changed OBJDIR format, and splitting the host tools into arch-dependent and
arch-independent directories. Rather than hardcoding and changing the paths in
this script, just let kernel-toolchain do the work, while disabling much of the
meat. With -j15 this finishes in 25 seconds for me and 117 seconds with -j1.
All that is really needed is bootstrap-tools, but the system is not currently
written in a way that all previous dependent steps will have ran. The previous
steps, such as _worldtmp, are being reworked and renamed and so cannot be
relied upon to be right.
Sponsored by: Dell EMC Isilon
Make armv7 as a new MACHINE_ARCH.
Copy all the places we do armv6 and add armv7 as basically an
alias. clang appears to generate code for armv7 by default. armv7 hard
float isn't supported by the the in-tree gcc, so it hasn't been
updated to have a new default.
Support armv7 as a new valid MACHINE_ARCH (and by extension
TARGET_ARCH).
Add armv7 to the universe build.
Differential Revision: https://reviews.freebsd.org/D12010
build on arm/armv6 images.
Pointyhat: gjb (myself)
MFC after: immediate
MFC note: releng/10.4 has broken because of this
Sponsored by: The FreeBSD Foundation
virtual machine images and embedded images, similar to what is
done when extracting base.txz to the target root filesystem in
an new installation.
Noticed by: marius
Tested with: head@r323729
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
There's not much practical difference as far as install media is
concerned but newfs creates UFSv2 by default and it is sensible to use
the contemporary UFS version.
I also intend to change makefs to create UFSv2 by default (to match
newfs) so we'll want make-memstick.sh to be explicit, rather than
relying on the host tool's default.
Reviewed by: andrew, gjb, jhibbits
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D12231
This Makefile relies on Makefile.fat providing the correct value for
BOOT1_MAXSIZE and BOOT1_OFFSET. Since BOOT1_OFFSET had no default value
here the build would already fail if Makefile.fat did not provide
correct values.
Sponsored by: The FreeBSD Foundation
Also remove the now-redundant error handling that was only for makefs.
This change applies arm64's r308171 to the other make-memstick.sh
versions.
Reviewed by: gjb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D12195
