IBM SEL (Secure Execution for Linux) is supported for s390
KVM guests. SEL images used to start a confidential computing
protected guest contain an encrypted boot image which encapsulates
the kernel, the initrd and the bootparams. The encrypted image is
provided by the KVM/hypervisor to the Embedded zFirmware of the
system (the ultravisor device). The decryption keys are hardware-based
and each system has an individual keypool unique to that
system. The root filesystem is LUKS encrypted with a random key
produced by kiwi at build time and kept inside of the initrd, which
exists only inside of the encrypted boot image and the encrypted
rootfs, to allow kernel updates. The commit to support secure
execution also comes with an integration test that provides
profiled image builds to target SUSE's LinuxONE as well
as IBM Cloud systems.
When building in the Open Build Service (OBS) there is no way
to create outgoing connections from the build workers. To allow
the <containers> section to fetch containers from the SUSE
registry, we need to apply an OCI URI translation into a local
path. The actual OCI container image is expected to be provided
by the OBS backend on the worker. Along with this commit, an
integration test named test-image-disk-containers is also provided.
This Fixes jira#OBS-351
Allow specifying references to OCI containers in the
image description like in the following example:
<containers source="registry.suse.com" backend="podman">
    <container name="some" tag="some" path="/some/path"/>
</containers>
During the kiwi process the containers are fetched into a
temporary location and a systemd service is configured to
load the containers into the local registry once, at
first boot of the system. This Fixes#2663
The isomd5sum tool suite is used and available on all supported
distributions except SUSE distributions, and is necessary to produce
conformant ISOs for most Linux distributions.
This change adds support for the isomd5sum tool suite to kiwi, though
it does not extend the kiwi-live dracut module to use it. The upstream
dracut dmsquash-live module must be used instead.
Co-authored-by: Dan Čermák <dcermak@suse.com>
The arch flag in a namedCollection was not taken into account.
This commit fixes this and also makes sure the result information
is sorted and unique like we have it for the package lists.
This Fixes#2600
Usually custom files are managed by placing them as overlay
files or archives. However, overlay files must be structured
inside of a root/ subdirectory and archive files are binary
data. It is therefore not straightforward to just reference
one or more files as source files to the image description
to be placed into the image. This commit adds a new <file>
element which allows doing this. This Fixes#1953
The optional <volume ... arch=""/> attribute allows creating
the volume only if it matches the specified host architecture.
Multiple architecture names can be specified as a comma-separated
list.
The sdist tarball produced by poetry build does not include
all files and skips symlinks in test/data. This caused the
unit test run to fail if called from within those sources.
Allow specifying the stopsignal via the containerconfig
element as the following example shows:
<type image="docker">
    <containerconfig ...>
        <stopsignal>SIGINT</stopsignal>
    </containerconfig>
</type>
This Fixes#2543
Unfortunately the packaging of kiwi on Debian follows different
naming conventions for dracut module packages which causes
the runtime check to fail. This commit allows to check for
multiple package names and adds the variants used on Debian.
This Fixes#2524
So far the <ignore> stanza was only effective when placed
as part of the type="image" packages section. This commit
allows placing it also in the type="bootstrap" packages section.
This Fixes#2499
systemd-boot tools like kernel-install expect a certain
entry naming policy. This commit adapts kiwi to this
policy. The name for the default entry is constructed
out of the ID information from /etc/os-release followed
by the name of the kernel as it is represented by the
directory name in /lib/modules/... This Fixes#2417
Using one of the $releasever/${releasever} variable placeholders
in a URL as part of a <signing key="..."/> element did not replace
the placeholder with the value of the <release-version> element.
This commit fixes this and also makes sure that the result list
for downloading signing keys is unique. This Fixes#2381
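As an added illustration of the placeholder handling described above (example code, not kiwi's own implementation; the helper names and the sample key URIs are constructed):

```python
import re
from typing import Iterable, List, Optional

# Both spellings of the placeholder mentioned above: $releasever and ${releasever}
_RELEASEVER_RE = re.compile(r'\$\{releasever\}|\$releasever\b')

# Constructed sample: two spellings of the same key URI plus a local keyfile
SAMPLE_KEY_URIS = [
    'https://example.com/keys/$releasever/RPM-GPG-KEY',
    'https://example.com/keys/${releasever}/RPM-GPG-KEY',
    'file:///etc/pki/other.key',
]


def substitute_releasever(uri: str, release_version: Optional[str]) -> str:
    """Replace $releasever / ${releasever} in uri with the <release-version> value.

    Without a configured release version the URI is returned unchanged so
    that the caller can detect the leftover placeholder.
    """
    if release_version is None:
        return uri
    # a callable replacement avoids backslash processing of the version string
    return _RELEASEVER_RE.sub(lambda _match: release_version, uri)


def has_unresolved_releasever(uri: str) -> bool:
    """True if a placeholder is still present after substitution."""
    return _RELEASEVER_RE.search(uri) is not None


def collect_signing_keys(key_uris: Iterable[str], release_version: Optional[str]) -> List[str]:
    """Resolve placeholders and return a unique key list (first occurrence wins)."""
    unique: List[str] = []
    for uri in key_uris:
        resolved = substitute_releasever(uri, release_version)
        if has_unresolved_releasever(resolved):
            raise ValueError(f'no <release-version> configured for {uri!r}')
        if resolved not in unique:
            unique.append(resolved)
    return unique
```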
As part of the profile environment only the kiwi_install_volid
variable existed with the default value 'INSTALL'. This information
is correct when building an oem image with installiso set to
true. The resulting .install.iso image has the configured volid
or the mentioned default 'INSTALL'. However, when building a live
ISO image the default volid value is set to 'CDROM' but the profile
environment contains kiwi_install_volid which is misleading and
in case no volid is provided in the configuration file, the
default value would also be wrong information. This commit cleans
up the mess and provides kiwi_install_volid for install ISO media
and kiwi_live_volid for Live ISO media with their respective
default values.
With dnf5 there is a successor for dnf, but there will also
be a transition period where both the former dnf and the
new dnf5 are available. For a clear distinction
between the two we got the recommendation from the Red Hat
team to support both in different namespaces. This commit
now implements a backward compatible change for kiwi which
includes the following modifications:
* XSL stylesheet for automatic schema transformation from
  <packagemanager>dnf</packagemanager> to
  <packagemanager>dnf4</packagemanager>
* Code copy of dnf API interface from
  PackageManagerDnf -> PackageManagerDnf4
  RepositoryDnf -> RepositoryDnf4
* Deprecation of former Dnf API interface
The code change here will force developers to adapt
their code if they used RepositoryDnf / PackageManagerDnf
classes in their python code. After this change developers
will be dropped into a raise condition which exits kiwi
at the time of the call. Related to Issue #2300
and Issue #2262
Add a new attribute delta_root="true|false" which in combination with
derived_from="OCI-base-image" allows creating a delta root tree
only containing the differences between the OCI-base-image and the
actions taken by the kiwi prepare step. Based on the delta root tree
the subsequent image creation process starts. Such an incomplete
root tree is only useful under certain circumstances which is also
the reason why the feature is only available to the oci and docker
image types.
Allow specifying an optional <bootloadersettings> element
inside of the <bootloader> section. The information is used to
specify custom arguments for the tools called in a bootloader
setup procedure, e.g. shim-install, grub-install or grub-mkconfig.
kiwi does not judge the given parameters, and whether the provided
data is effectively used depends on the individual bootloader
implementation. In this commit the data will be effectively
handled if bootloader="grub2" is configured. More precisely
the custom additions to support SUSE's TPM model with grub2
can be configured as follows:
<bootloadersettings>
    <shimoption name="--suse-enable-tpm"/>
    <installoption name="--suse-enable-tpm"/>
    <configoption name="--set-trusted-boot"/>
</bootloadersettings>
This Fixes#2224
The recent change from kpartx to partx caused some appliance
builds to break depending on their configuration. I spotted
issues when building disks with veritysetup or integritysetup
root devices. There are also issues with grub-install on other
architectures, e.g. s390. It seems partx cannot be used as a drop-in
replacement and so I suggest to make this a runtime
configuration option with partx as the new default but also
allow for the old method.
When using squashfs in a custom partitions setup like the following:
<partitions>
    <partition ... filesystem="squashfs"/>
</partitions>
The build fails because the filesystem needs to be created
using the create_on_file() API and not the create_on_device()
API. In addition the size estimation is bogus when using
squashfs and cannot be pre-calculated because we only know
how much space the filesystem really needs after mksquashfs
has worked on the data and the compression. Thus this commit
also relaxes the required size check in case of squashfs.
Last but not least a squashfs filesystem does not provide
label or UUID and can only be referenced by the PARTUUID
it gets dumped on or by the native unix device node. As
the unix node is a loop during build time of the image and
meaningless this commit also forces by-partuuid mapping in
fstab when mounting the squashfs based device.
This change was inspired by a change done on Fedora's livecd-tools
from here: livecd-tools/livecd-tools#236. The patch corrects issues
with the setfiles SELinux relabel command. The issues become apparent
when the host and guest policies differ. Thus it becomes required
to explicitly set the policy to decouple from eventual unwanted
host settings.
Allow specifying the group id in the groups list a user
should belong to. The group id can be placed as part of
the group name separated by a colon like in the following
example:
<users>
    <user groups="kiwi,admin:42,users" password="..." name="kiwi"/>
</users>
Please note kiwi checks if the provided group already
exists and only creates a group if it is not already present in
the system. As default groups are usually provided by the OS
itself including its preferred group id, you will intentionally
not be able to overwrite the group id for existing groups.
This Fixes#2064
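An added example of the name:gid syntax and the "never overwrite an existing group's id" rule described above (example code, not kiwi's own implementation; the helper names, the groupadd invocation and the sample /etc/group content are constructed):

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in /etc/group format: name:password:gid:members
SAMPLE_GROUP_FILE = 'root:x:0:\nusers:x:100:\nkiwi:x:1000:kiwi\n'


def parse_groups(groups_attr: str) -> List[Tuple[str, Optional[int]]]:
    """Parse a groups attribute such as 'kiwi,admin:42,users' into (name, gid) pairs."""
    parsed: List[Tuple[str, Optional[int]]] = []
    for entry in groups_attr.split(','):
        entry = entry.strip()
        if not entry:
            continue
        name, separator, gid = entry.partition(':')
        if not name:
            raise ValueError(f'missing group name in {entry!r}')
        if separator and not gid.isdigit():
            raise ValueError(f'invalid group id in {entry!r}')
        parsed.append((name, int(gid) if separator else None))
    return parsed


def load_group_ids(group_file_text: str) -> Dict[str, int]:
    """Map group names to ids from /etc/group style content."""
    ids: Dict[str, int] = {}
    for line in group_file_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def plan_group_creation(groups_attr: str, existing: Dict[str, int]) -> List[List[str]]:
    """Return groupadd command lines for the groups that do not exist yet.

    Groups already present in the root tree are skipped, so a gid given in
    the description never overrides the id the OS ships for a default group.
    """
    commands: List[List[str]] = []
    for name, gid in parse_groups(groups_attr):
        if name in existing:
            continue
        command = ['groupadd']
        if gid is not None:
            command += ['-g', str(gid)]
        command.append(name)
        commands.append(command)
    return commands
```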
When using the apt packagemanager, kiwi required the use of
debootstrap to create the initial rootfs. This works as long
as there is always a main distribution repository available
which follows the structure of the official debian mirrors.
However, if such a main distribution is not present or an
alternative layout like e.g. OBS repos is used, debootstrap
will refuse to work. To allow for an alternative and without
the dependency on debootstrap, kiwi supports using a prebuilt
bootstrap package providing the mini rootfs to serve as
the bootstrap result. As all other package managers properly
support installation into an empty new root, this feature
was only added when using the apt packagemanager.
Added check_partuuid_persistency_type_used_with_mbr(). Not
every partition table type supports UUIDs. We don't want to
make use of the artificial values created by Linux if the
partition table doesn't support it natively.
Added a new luksformat element which allows passing
along options to the luksFormat call. This allows users to
switch between LUKS and LUKS2 via e.g.
<luksformat>
    <option name="--type" value="luks2"/>
</luksformat>
It also allows passing along a set of options only available
to LUKS2, e.g.
<luksformat>
    <option name="--type" value="luks2"/>
    <option name="--cipher" value="aes-gcm-random"/>
    <option name="--integrity" value="aead"/>
</luksformat>
In addition to the new attribute the existing luks attribute
can also be specified to read credentials from a keyfile by
using the file:// source locator, e.g.
<type ... luks="file:///path/to/a/keyfile"/>
This Fixes#1898
Docker containers used to support the attribute `additionaltags` which
was used to provide multiple tags for the same image. Since only tags
were supported this commit renames the attribute to `additionalnames`
and now supports tags and names with the following syntax:
* '<name>:<tag>' -> adds a full docker image reference including name
  and tag
* ':<tag>' -> adds an additional tag while reusing the former name
* '<name>' -> adds an additional name while reusing the former tag
Fixes#2045
Signed-off-by: David Cassany <dcassany@suse.com>
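An added parser for the three `additionalnames` forms listed above (example code, not kiwi's own implementation; the helper names are assumptions):

```python
import re
from typing import List

# '<name>', ':<tag>' or '<name>:<tag>'; neither part may contain ':' or whitespace
_ADDITIONAL_NAME_RE = re.compile(r'^(?P<name>[^:\s]*)(?::(?P<tag>[^:\s]+))?$')


def is_valid_additional_name(spec: str) -> bool:
    """True if spec is one of the three supported forms and not empty."""
    return spec != '' and _ADDITIONAL_NAME_RE.match(spec) is not None


def expand_additional_names(base_name: str, base_tag: str, specs: List[str]) -> List[str]:
    """Expand additionalnames entries into full '<name>:<tag>' references.

    '<name>:<tag>' -> complete reference as given
    ':<tag>'       -> new tag, the base image name is reused
    '<name>'       -> new name, the base image tag is reused
    Duplicates are dropped so the same reference is not tagged twice.
    """
    references: List[str] = []
    for spec in specs:
        spec = spec.strip()
        if not is_valid_additional_name(spec):
            raise ValueError(f'invalid additionalnames entry: {spec!r}')
        match = _ADDITIONAL_NAME_RE.match(spec)
        name = match.group('name') or base_name
        tag = match.group('tag') or base_tag
        reference = f'{name}:{tag}'
        if reference not in references:
            references.append(reference)
    return references
```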
In CentOS Stream 8 and Red Hat Enterprise Linux 8, there are
Application Streams that are offered in the form of modules
(using Fedora Modularity technology). To build images that use
this content KIWI needs to support enabling/disabling various
modules. This commit allows configuring collection modules
in a new element as shown below:
<packages type="bootstrap">
    <collectionModule name="module" stream="stream" enable="true|false"/>
</packages>
This Fixes Issue #1999
Currently the release version is not set or set to '0'
for package managers which require a value to operate.
However, in order to support leveraging the same description
across different releases it is important to have the
opportunity to specify a setting for the release version.
This commit adds a new optional attribute to the preferences
section which allows specifying a custom value which
serves as the release version:
<preferences>
    <release-version>TEXT</release-version>
</preferences>
If not specified the default setting as before applies.
Please note the release version information is currently
used in dnf and microdnf package managers only. It might
happen that it gets applied to the other package manager
backends as well. This will happen on demand though.
Related to Issue #1918. This Fixes#1927
This commit changes the stage at which container images are compressed
to match the criteria applied to other image types. Instead of
compressing the image in OCI-devoted classes, it now happens
in the builder class by setting Result instance properties.
Fixes#1996
Signed-off-by: David Cassany <dcassany@suse.com>
This commit adds a new URI type called this://... The
this:// part will be resolved into the absolute path to
the image description. A source path like the following:
<source path="this://my_repo"/>
is resolved to
<source path="dir:///path/to/image/description/my_repo"/>
This change provides the requested opportunity to reference
repos provided as part of the image description and
Fixes#1964
For resolver operations through libsolv the 'kiwi image info'
module exists. So far it could not read the repos from
metalink repo definitions. This Fixes#1890
This commit adds a new and optional child element <signing>
to the repository/source element as shown in the following
example:
<repository>
    <source path="...">
        <signing key="keyfile"/>
    </source>
</repository>
The collection of all keyfiles from all repositories will be
added to the keyring as used by the selected package manager.
Signing keys specified on the commandline and signing keys
specified in the image description will be combined.
This Fixes#1883
This commit fixes several issues connected with the use of
the <include> directive:
First and foremost the XSLT chain was broken in a way that
the include XSLT in combination with the PrettyPrinter XSLT
were called not in the chain of stylesheets but together.
This results in XML descriptions which duplicated the content
and went invalid.
Another change is when the include XSLT is called in the chain.
This commit moves it to become the very first processing
instruction such that the included data is part of all subsequent
XSLT stylesheets. This also allows using older schema versions
in included XML data and they get automatically converted through
the chain of XSLT stylesheets.
Last change is the evaluation of the from= attribute value. This
value is now interpreted as a URI. Currently only local URIs are
supported. The reason to do this is because XSLT when processing
a document resolves relative paths according to the file path
of the master document. As kiwi does not change the original
content, that path will be a /var/tmp location if one of
the XSLT stylesheets were used. The documentation for this change
was updated as well.