When building an image with overlayroot set to true and
activated verity data, the root= parameter must be
set to root=overlay:MAPPER=verityroot instead of the standard
overlay:PARTUUID mapping.
Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.
Fixes: https://github.com/OSInside/kiwi/issues/2790
If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.
When building an image with overlayroot set to true and
activated luks encryption, the root= parameter must be
set to root=overlay:MAPPER=luks instead of the standard
overlay:PARTUUID mapping. This Fixes #2776
Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.
Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777
On ppc the CHRP loader name can vary between distributions.
This commit adds a search method to look up different ELF
loader names. In addition an integration test image for
Fedora was added. This Fixes #2741
The list of modules used to create a grub platform image for
ppc was the same list as used for the x86 bios platform.
This commit fixes this and also cleans up the inconsistency
and misleading names used for creating platform specific
output. This Fixes #2738
Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot.
This happens in preparation for the changes suggested in #2697
where we want to get rid of snapper specific btrfs code which
will be available in snapper natively soon. To make sure a btrfs
layout specific to snapper (and SUSE) is made explicit, the implicitly used attribute
named btrfs_root_is_snapshot now becomes explicit and its new
name will indicate that snapper sits behind it. Along with the
rename an XSLT stylesheet to automatically convert the old name
into the new name for schema v8.3 will be performed.
IBM SEL (Secure Execution for Linux) is supported for s390
KVM guests. SEL images used to start a confidential computing
protected guest contain an encrypted boot image which encapsulates
the kernel, the initrd and the bootparams. The encrypted image is
provided by the KVM/hypervisor to the Embedded zFirmware of the
system (the ultravisor device). The decryption keys are hardware
based and each system has an individual keypool unique to that
system. The root filesystem is LUKS encrypted with a random key
produced by kiwi at build time and kept inside of the initrd which
exists only inside of the encrypted boot image and the encrypted
rootfs to allow kernel updates. The commit to support secure
execution also comes with an integration test that provides
profiled image builds to target SUSE's LinuxONE as well
as IBM Cloud systems.
zipl gets confused with an active sysfs mount inside
the root tree at call time of zipl. This commit
unmounts the /sys bind mount in the image tree prior to
calling zipl.
When using the plain zipl bootloader kiwi created a /etc/zipl.conf
file. However, this file was only useful during image build as it
points to a loop target device and geometry but does not represent
a proper config file to be used in the running system. In addition
the different distributors provide their own version and layout
of the zipl.conf to be used inside of the system and with their
respective tools. Thus this commit changes the way how kiwi operates
in a way that the zipl.conf used in the initial image only exists
during the image build process. An already present /etc/zipl.conf
will not be touched by kiwi. This Fixes #2597
Usually custom files are managed by placing them as overlay
files or archives. However, overlay files must be structured
inside of a root/ subdirectory and archive files are binary
data. It is therefore not straightforward to just reference
one or more files as source files to the image description
to be placed into the image. This commit adds a new <file>
element which allows to do this. This Fixes #1953
When kiwi calls the bootloader config and installation modules
several files get created as unlabeled_t because the labeling
happened earlier. This commit ensures that setfiles gets called
after BootLoaderConfig and/or BootLoaderInstall has done its
job. This Fixes #2568
The strings command is used to look up the vendor path encoded
in the EFI binary. However, if the strings or bash command is not available
on the build host, the command silently failed and moved into the
standard (non vendored) EFI boot path. This can lead to a broken
boot for those distros and image targets which require a vendor
directory and should lead to an error message instead of a
successful image build. This Fixes #2565
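The failure mode described in that commit, fail-open on a missing build-host tool, is worth seeing in code. The following is an added example and not kiwi's implementation: it reproduces what strings(1) does (ASCII runs, and UTF-16LE runs as with `strings -el`, since PE/EFI images commonly store paths as wide strings), searches the output for a `\EFI\<vendor>\` path, and, for the external-tool variant, raises `ToolMissingError` when the tool is absent instead of returning "no vendor directory". The regex for the vendor path, the function names and the two sample byte buffers are assumptions constructed for the example.

```python
import re
import shutil
import subprocess
from typing import Iterable, Iterator, Optional

# Added example, not kiwi's code. Names and the vendor-path pattern are
# assumptions made for illustration.
MIN_LEN = 4
VENDOR_PATH = re.compile(r'\\EFI\\([A-Za-z0-9_.-]+)')


class ToolMissingError(RuntimeError):
    """A build-host tool the lookup depends on is not installed."""


def _printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E or b == 0x09


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Printable ASCII runs of at least min_len bytes (what strings(1) prints)."""
    run = bytearray()
    for b in data:
        if _printable(b):
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode('ascii')
        run.clear()
    if len(run) >= min_len:
        yield run.decode('ascii')


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Runs of 16-bit little-endian units with a zero high byte (strings -el)."""
    for offset in (0, 1):  # the wide string may start at an odd offset
        run = bytearray()
        view = data[offset:]
        for i in range(0, len(view) - 1, 2):
            lo, hi = view[i], view[i + 1]
            if hi == 0 and _printable(lo):
                run.append(lo)
                continue
            if len(run) >= min_len:
                yield run.decode('ascii')
            run.clear()
        if len(run) >= min_len:
            yield run.decode('ascii')


def _first_vendor(lines: Iterable[str]) -> Optional[str]:
    for line in lines:
        match = VENDOR_PATH.search(line)
        if match:
            return match.group(1)
    return None


def find_vendor_dir(data: bytes) -> Optional[str]:
    """Vendor directory from a \\EFI\\<vendor>\\... path in the binary, or None."""
    found = _first_vendor(ascii_strings(data))
    return found if found is not None else _first_vendor(utf16le_strings(data))


def vendor_dir_via_strings(path: str, tool: str = 'strings') -> Optional[str]:
    """Same lookup through the external strings command. An absent tool raises,
    so the build cannot quietly fall back to the non-vendored EFI path."""
    if shutil.which(tool) is None:
        raise ToolMissingError(f'{tool} not found on the build host')
    lines = []
    for encoding_args in ([], ['-el']):  # ASCII pass, then UTF-16LE pass
        result = subprocess.run(
            [tool, '-a', *encoding_args, path],
            check=True, capture_output=True, text=True,
        )
        lines.extend(result.stdout.splitlines())
    return _first_vendor(lines)


# Constructed sample "binaries" (not real EFI images): junk around one path each.
SAMPLE_ASCII = b'MZ\x90\x00\x03' + b'\\EFI\\acme\\grubx64.efi' + b'\x00\xff\xfe'
SAMPLE_WIDE = b'\x7f\x00\x00' + '\\EFI\\acme\\shimx64.efi'.encode('utf-16-le') + b'\x00\x00'
```

`find_vendor_dir` is the offline check; `vendor_dir_via_strings` is the shape the build should take when it does rely on the host tool: the absence of the tool is an error, not an empty result.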
Since commit 8aa517eb7 it is necessary to call
_mount_device_and_volumes() prior to making any modifications
to boot files. In addition handle potential errors
from the grub.cfg modification better.
The change to introduce the bls parameter broke backward compatibility
with all existing kiwi descriptions for distributions that default to BLS.
This fixes that by allowing the unset state to be equivalent to enabling it.
Fixes: 8a8190098c
Check if there is already an entry file name produced by the
distribution logic/policy. If we can find an already present
entry name, prefer this name over the kiwi naming policy.
If no console setting is done in the image description for grub
the default output console is set to: gfxterm and the default
input console is set to: console. This Fixes bsc#1219074
In case no bootloader implementation by kiwi should be
used, users can specify the bootloader="custom" attribute.
Instead of skipping the bootloader stage in the builders
it is better to consistently create an instance of bootloader
but raise if a method of the bootloader interface is called
for which the custom bootloader has no implementation. This
commit adds the consistency bits.
Change the Disk class to be a context manager.
All code using Disk was updated to the following
with statement:
with Disk(...) as disk:
disk.some_member()
This is related to Issue #2412
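Why the context-manager form matters for a tool that attaches loop devices and device-mapper entries on the build host: the following added example (not kiwi's Disk class; the loop and mapper tables are a constructed in-memory stand-in for the host state that losetup and kpartx would otherwise change) contrasts a with-block, where teardown runs in reverse order even when the body raises, with the explicit-teardown shape, where an exception skips the cleanup and leaves devices attached. All names are hypothetical.

```python
from typing import Dict, List, Optional

# Added example, not kiwi's Disk class. The two dicts are a constructed
# stand-in for the host's loop-device and device-mapper tables.
LOOP_TABLE: Dict[str, str] = {}    # loop device -> backing image file
MAPPER_TABLE: Dict[str, str] = {}  # mapper name -> loop device it sits on
_counter = [0]


def losetup_attach(image: str) -> str:
    dev = f'/dev/loop{_counter[0]}'
    _counter[0] += 1
    LOOP_TABLE[dev] = image
    return dev


def losetup_detach(dev: str) -> None:
    LOOP_TABLE.pop(dev, None)


class Disk:
    """Owns one loop device plus the partition mappings made on it and tears
    them down in reverse order when the with-block ends, raised or not."""

    def __init__(self, image: str) -> None:
        self.image = image
        self.device: Optional[str] = None
        self.mapped: List[str] = []

    def __enter__(self) -> 'Disk':
        self.device = losetup_attach(self.image)
        return self

    def map_partition(self, index: int) -> str:
        assert self.device is not None, 'use inside a with-block'
        name = f'{self.device.rsplit("/", 1)[-1]}p{index}'
        MAPPER_TABLE[name] = self.device
        self.mapped.append(name)
        return f'/dev/mapper/{name}'

    def __exit__(self, exc_type, exc, tb) -> bool:
        for name in reversed(self.mapped):
            MAPPER_TABLE.pop(name, None)
        self.mapped.clear()
        if self.device is not None:
            losetup_detach(self.device)
            self.device = None
        return False  # never swallow the exception; the build must still fail


def format_partitions(disk: Disk, fail: bool) -> List[str]:
    """Stand-in for the mkfs/sync steps of a build; fail simulates an error."""
    devices = [disk.map_partition(1), disk.map_partition(2)]
    if fail:
        raise RuntimeError('mkfs failed')
    return devices


def build_with_context(image: str, fail: bool = False) -> List[str]:
    with Disk(image) as disk:
        return format_partitions(disk, fail)


def build_legacy(image: str, fail: bool = False) -> List[str]:
    """The pre-change shape: explicit teardown that an exception skips."""
    disk = Disk(image)
    disk.__enter__()
    devices = format_partitions(disk, fail)
    disk.__exit__(None, None, None)
    return devices


def leaked() -> int:
    """Host resources still attached after a build has returned or raised."""
    return len(LOOP_TABLE) + len(MAPPER_TABLE)
```

On a real build host a leaked loop device keeps the image file open and a stale mapper entry keeps pointing at it, so the next build can collide with the previous one's state; `__exit__` returning `False` keeps the failure visible while still releasing both.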
SYSLINUX has been abandoned for several years now, and it does not
even work with modern versions of the filesystems supported in kiwi.
This commit drops it and Fixes #2433
Change the BootLoaderConfig class to be a context manager.
All code using BootLoaderConfig was updated to the following
with statement:
with BootLoaderConfig.new(...) as bootloader_config:
bootloader_config.some_member()
This is related to Issue #2412
Sometime between GRUB 2.04 and GRUB 2.06, it became no longer
necessary to use "linuxefi"+"initrdefi" for UEFI boot. The
standard "linux"+"initrd" stanzas work for both legacy BIOS boot
and modern UEFI boot.
Some distributions no longer support "linuxefi"+"initrdefi" at all
anymore, so let's just use "linux"+"initrd" for everything now.
systemd-boot tools like kernel-install expect a certain
entry naming policy. This commit adapts kiwi to
this policy. The name for the default entry is constructed
out of the ID information from /etc/os-release followed
by the name of the kernel as it is represented by the
directory name in /lib/modules/... This Fixes #2417
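The naming rule in that commit, ID from os-release plus the kernel's module directory name, needs a correct os-release parser and a check that the kernel name really is a plain directory name before it becomes part of a file name under the loader's entry directory. The following is an added example, not kiwi's code: the os-release text and kernel names are constructed, the `.conf` suffix and the `<ID>-<kernel>` join are assumptions about the policy, and the directory-name check is the practitioner's addition.

```python
import re
import shlex
from typing import Dict, Iterable, List

# Added example, not kiwi's code. Policy details below are assumptions.
KEY = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
DIRNAME = re.compile(r'^[A-Za-z0-9._+-]+$')   # a single path component


def parse_os_release(text: str) -> Dict[str, str]:
    """os-release(5): KEY=VALUE lines, shell-style quoting, '#' comments."""
    data: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        key = key.strip()
        if not KEY.match(key):
            continue
        data[key] = ' '.join(shlex.split(value))  # strips quotes, keeps spaces
    return data


def kernel_names(module_dirs: Iterable[str]) -> List[str]:
    """Kernel names as seen under /lib/modules; reject anything that is not
    a plain directory name so no entry can land outside loader/entries/."""
    names = []
    for name in module_dirs:
        if name in ('.', '..') or not DIRNAME.match(name):
            raise ValueError(f'unsafe kernel directory name: {name!r}')
        names.append(name)
    return names


def loader_entry_name(os_release_text: str, kernel: str) -> str:
    """<ID>-<kernel>.conf (assumed policy shape)."""
    os_id = parse_os_release(os_release_text).get('ID')
    if not os_id or not DIRNAME.match(os_id):
        raise ValueError('os-release ID missing or unusable')
    kernel, = kernel_names([kernel])
    return f'{os_id}-{kernel}.conf'


# Constructed sample os-release text, not a real distribution.
OS_RELEASE = '''\
# constructed sample
NAME="Example OS"
ID=exampleos
ID_LIKE="suse"
VERSION_ID="1.0"
PRETTY_NAME="Example OS 1.0"
'''
```

The `kernel_names` check is where a directory name that is not a single path component (`../something`, an empty string) is rejected before any file is written.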
The grub terminal setup is divided into the setting for the output
and the input console. For both settings different parameters exist.
So far kiwi did not differentiate between the two parts of the
console setup and that could lead to a wrong setting if only one
value is provided in kiwi's console= attribute, which leads to the
grub setting GRUB_TERMINAL=value. If value is set to e.g. gfxterm
grub takes this for both input and output and it's obviously
wrong for the input. To make this less error prone the kiwi code
changes with this commit to set GRUB_TERMINAL_INPUT and
GRUB_TERMINAL_OUTPUT rather than GRUB_TERMINAL and also runs sanity
checks on the provided values if they are applicable. The information
for setting up the console in the schema stays untouched though.
That's because it's used for all bootloaders and also because grub
supports multiple values for the console in/out setting in one
GRUB_TERMINAL variable even though kiwi does no longer use it.
To make this clear for the users also the documentation for the
console attribute setup has been updated. If we wish to have two
distinct attributes for input and output console settings a schema
change and also differentiation between bootloaders is needed and
that I only see for the kiwi-10 branch if at all. This Fixes #2419
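The split between input and output terminals in that commit, together with the gfxterm/console defaults from the bsc#1219074 commit above, is small enough to show end to end. The following is an added example, not kiwi's code: it takes one space-separated console value (how the console= attribute is interpreted here is an assumption), sorts each token into the input or output list according to the terminal names the GRUB manual documents for GRUB_TERMINAL_INPUT and GRUB_TERMINAL_OUTPUT, rejects unknown tokens, and falls back to the defaults. The old single-variable form is kept beside it for contrast.

```python
import re
from typing import Dict, Optional

# Added example, not kiwi's code. Terminal names follow the GRUB manual's
# documentation of GRUB_TERMINAL_INPUT and GRUB_TERMINAL_OUTPUT.
INPUT_TERMINALS = {'console', 'serial', 'at_keyboard', 'usb_keyboard'}
OUTPUT_TERMINALS = {'console', 'serial', 'gfxterm', 'vga_text',
                    'mda_text', 'morse', 'spkmodem'}
SERIAL_PORT = re.compile(r'^serial_[A-Za-z0-9]+$')   # e.g. serial_com0
DEFAULT_INPUT = 'console'
DEFAULT_OUTPUT = 'gfxterm'


def _valid(name: str, allowed: set) -> bool:
    return name in allowed or bool(SERIAL_PORT.match(name))


def split_console(value: Optional[str]) -> Dict[str, str]:
    """Map one console list onto separate input and output settings.

    Tokens valid on one side only go there (gfxterm is output only, so it can
    never end up as an input terminal); tokens valid on both sides (console,
    serial, serial_<port>) go to both; anything else is rejected. An empty or
    missing value yields the defaults."""
    inputs, outputs = [], []
    for token in (value or '').split():
        ok_in = _valid(token, INPUT_TERMINALS)
        ok_out = _valid(token, OUTPUT_TERMINALS)
        if not (ok_in or ok_out):
            raise ValueError(f'unknown grub terminal: {token!r}')
        if ok_in:
            inputs.append(token)
        if ok_out:
            outputs.append(token)
    return {
        'GRUB_TERMINAL_INPUT': ' '.join(inputs) or DEFAULT_INPUT,
        'GRUB_TERMINAL_OUTPUT': ' '.join(outputs) or DEFAULT_OUTPUT,
    }


def legacy_setting(value: str) -> Dict[str, str]:
    """The pre-change shape: one variable, applied to both sides by grub."""
    return {'GRUB_TERMINAL': value}


def render_default_grub(settings: Dict[str, str]) -> str:
    """Lines in the /etc/default/grub key="value" format."""
    return ''.join(f'{key}="{val}"\n' for key, val in settings.items())
```

With `split_console('gfxterm')` the input side stays at `console`, which is exactly the case the commit describes going wrong under the single `GRUB_TERMINAL` variable.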
On filesystems without a UUID (e.g. squashfs) the fallback boot id
setup should apply if neither UUID nor MBR ID is present. This
is a followup fix for Issue #2391
To identify the root device for ISO images (live and install media)
that boot via grub2, kiwi uses a grub2 --file search. The searched
file was named /boot/mbrid, however this is not a unique name and
could be found on other devices of the system as well. To connect
the search to the correct media this commit changes the search to
an ID based method which is unique to the image build process.
This Fixes #2389
kernel-install does a lot more than making the kernel available
to the ESP. It calls dracut, it creates loader entries and all
that is unexpected and also breaks the boot because the way
dracut is called in the image build case where host != target
leads to broken results. This commit refactors the systemd-boot
support in kiwi to prevent the use of kernel-install.
Create proper EFI FAT image via bootctl to be used as
alt loader in xorriso. This allows to boot the ISO
via EFI, e.g. kvm -bios /usr/share/qemu/ovmf-x86_64.bin -cdrom file.iso
Please note, hybrid boot is done via grub's hybrid MBR and
as systemd-boot does not provide one, hybrid boot is out
of scope yet. This Fixes #2281