The support for delta_root allows to build a delta container
image from a given base container. Due to the refactoring of
the kiwi code base using context managers no explicit deletion
of instances happens anymore. This uncovered a weakness of
the delta root code at the level of the overlay mount. At
the time of the umount there are still active temporary
mount handlers which keeps the mountpoint busy. In order to
fix this properly also the PackageManager factory is now
a context manager and the Repository factory received a
cleanup method which is called when the PackageManager goes
out of scope. This refactoring also fixes the busy state
when building deltas
Change the SystemPrepare class to context manager.
All code using SystemPrepare was updated to the following
with statement:
with SystemPrepare(...) as system_prepare:
system_prepare.some_member()
This completes the refactoring from finalizers to
context managers and Fixes#2412
Change the Repository Factory to be a context manager.
All code using Repository was updated to the following
with statement:
with Repository(...).new as repo:
repo.some_member()
This is related to Issue #2412
Command.run() currently has a bit of a confusing behavior: if raise_on_error is
False and the executable is not found, then a weird CommandT is returned (return
code is -1 and stdout+stderr is None). This makes it possible to hanlde command
not found errors separately, but it makes that needlessly verbose. So instead,
let's just return None in *this* special case.
That in turn uncovered, that in most cases when we set `raise_on_error=True`, we
actually want an error if the command is not present but no error if the command
fails to execute (e.g. because it returns -1 if you run `$cmd --version`). Hence we
introduce the flag `raise_on_command_not_found`, which causes an exception to
be raised if the command is not found. This makes it independent of the
`raise_on_error` flag.
Additionally, we add a small optimization: if command starts with /, then we
assume it's a full path and we omit the call to which (and just check whether it
exists).
Co-authored-by: Marcus Schäfer <marcus.schaefer@gmail.com>
Change the ImageSystem class to context manager.
All code using ImageSystem was updated to the following
with statement:
with ImageSystem(...) as image_system:
image_system.some_member()
This is related to Issue #2412
Change the OCI Factory to be a context manager.
All code using OCI was updated to the following
with statement:
with OCI(...).new as oci:
oci.some_member()
This is related to Issue #2412
The grub terminal setup is divided into the setting for the output
and the input console. For both settings different parameters exists.
So far kiwi did not differentiate between the two parts of the
console setup and that could lead to a wrong setting if only one
value is provided in kiwi's console= attribute which lead to the
grub setting, GRUB_TERMINAL=value. If value is set to e.g gfxterm
grub takes this for both input and output and it's obviously
wrong for the input. To make this less error prune the kiwi code
changes with this commit to set GRUB_TERMINAL_INPUT and
GRUB_TERMINAL_OUTPUT rather than GRUB_TERMINAL and also runs sanity
checks on the provided values if they are applicable. The information
for setting up the console in the schema stays untouched though.
That's because it's used for all bootloaders and also because grub
supports multiple values for the console in/out setting in one
GRUB_TERMINAL variable even though kiwi does no longer use it.
To make this clear for the users also the documentation for the
console attribute setup has been updated. If we want to wish two
distinct attributes for input and output console settings a schema
change and also differentiation between bootloaders is needed and
that I only see for the kiwi-10 branch if at all. This Fixes#2419
setup_selinux_file_contexts is now called after the config.sh
script. This makes sure that eventual policy related changes
done in the optional config.sh are covered by a late setfiles
call. In addition setup_selinux_file_contexts is called again
at the end of any chroot based script hook. So we assume that
any optional script target can change the system in a way that
a new setfiles call might be required. It can happen that
setfiles is called more often than required but as we cannot
know what custom scripts does, it's better to call it more
often compared to not often enough. This Fixes bsc#1210604
As part of the profile environment only the kiwi_install_volid
variable existed with the default value 'INSTALL'. This information
is correct when building an oem image with installiso set to
true. The resulting .install.iso image has the configured volid
or the mentioned default 'INSTALL'. However, when building a live
ISO image the default volid value is set to 'CDROM' but the profile
environment contains kiwi_install_volid which is misleading and
in case no volid is provided in the configuration file, the
default value would also be a wrong information. This commit cleans
up the mess and provides kiwi_install_volid for install ISO media
and kiwi_live_volid for Live ISO media with their respective
default values
Add new attribute delta_root="true|false" which in combination with
derived_from="OCI-base-image" allows to create a delta root tree
only containing the differences between the OCI-base-image and the
actions taken by the kiwi prepare step. Based on the delta root tree
the subsequent image creation process starts. Such an incomplete
root tree is only useful under certain circumstances which is also
the reason why the feature is only available to the oci and docker
image types.
So far kiwi was looking up kernels only on /boot. Including
other bootloaders it's no longer required that the kernel
packages of the distributions provides the kernel in /boot
Thus kiwi's lookup needs to be extended to other places
which is done by this commit.
The class allows to check for data produced on stdout
and stderr. However, programs reporting data on stderr
usually fails with an exit code != 0. If the command
is not called with raise_on_error=False it will never
be possible to catch information from stderr. As we
don't know if programs returns a failed exit code
even on their e.g --usage message we should always
pass the no raise option to make this more useful
In older versions of setfiles we need a two pass setup
First set the policy, second apply the security context.
This commit checks in the usage message of setfiles which
invocation syntax is required
This change was inspired by a change done on Fedora's livecd-tools
from here: livecd-tools/livecd-tools#236. The patch corrects issues
with the setfiles SELinux relabel command. The issues become apparent
when the host and guest policies differ. Thus it becomes required
to explicitly set the policy to decouple from eventual unwanted
host settings.
Allow to specify the group id in the groups list a user
should belong to. The group id can be placed as part of
the group name separated by a colon like in the following
example:
<users>
<user groups="kiwi,admin:42,users" password="..." name="kiwi"/>
</users>
Please note kiwi checks if the provided group already
exists and only creates a group if it is not already present in
the system. As default groups are usually provided by the OS
itself including its preferred group id, you will intentionally
not be able to overwrite group id for existing groups.
This Fixes#2064
When using the apt packagemanager kiwi required the use of
debootstrap to create the initial rootfs. This works as long
as there is always a main distribution repository available
which follows the structure of the official debian mirrors.
However if such a main distribution is not present or an
alternative layout like e.g OBS repos is used, debootstrap
will refuse to work. To allow for an alternative and without
the dependency to debootstrap kiwi supports using a prebuilt
bootstrap package providing the mini rootfs to serve as
the bootstrap result. As all other package managers properly
supports installation into an empty new root, this feature
was only added when using the apt packagemanager
The modifications in this commit allows the unit tests
to run on both, pytest 6.x (nose test layout) and the new
pytest 7.x (xunit test layout). This Fixes#2072 in a
much nicer way. Thanks much to @smarlowucf
This reverts commit 0dc2e803e0.
The pytest interface from version v6 to v7 has received
changes which requires the tests to be adapted to work for
either the old or the new interface. As there are still many
distributions which uses v6 as the standard we decided to
revert back the adaptions done to support v7 and create
a version requirement to v6 in .virtualenv.dev-requirements.txt
This Fixes#2072
Some unit tests fails if they run in an obs environment.
This is because the implementation checks the runtime
envoironment and behaves differently if the system is
an obs worker. The unit tests has to explicitly set this
condition right for the test
In case debootstrap fails there is more detailed information
in a logfile written by debootstrap itself. This commit changes
the exception information to contain this log information if
present. Related to Issue #1800
The optional pre_disk_sync.sh script is executed for the
disk image type oem only and runs right before the synchronisation
of the root tree into the disk image loop file. The script hook
can be used to change content of the root tree as a last action
before the sync to the disk image is performed. This is useful
for example to delete components from the system which were
needed before or cannot be modified afterwards when syncing
into a read-only filesystem.
The pytest interface setup() method call has changed
in a way that an additional parameter is passed to
the method which leads to a python error at invocation
time if the setup method does not define it.
When running kiwi from a filesystem tree that has custom labels applied
(such as when using kiwi from within a container on an SELinux-enabled
host), the filesystem labeling doesn't correctly apply on some files
and folders with a warning about the location being customized by
the administrator. This causes all kinds of strange results with
the built images and makes them unbootable.
To resolve this, tell setfiles to forcibly set files and folders
with the default context from the installed policy.
According to machine-id(5), an empty file does not signal that this is the
first boot of the system. Instead, the file needs to be missing or contain
the string "uninitialized". A missing file does not work if the filesystem
is initially mounted read-only, so allow "uninitialized" as well, instead
of truncating it.
Improve the documentation of the method, e.g. dracut is not involved.
Packages marked for uninstall via <package name="delete|uninstall"/>
failed to become removed for several reasons. The way this was done
in kiwi did not work because dpkg needs to be called differently
and with some nasty pre-processing in order to allow for force
deletion. In force mode we also allow to remove packages marked as
essential. In gracefull uninstall mode this commit makes sure the
environment is prepared and does not fail for false-positive
reasons.
Added helper functions and env preparation code
to allow calling podman from within a chroot. This
allows to run podman from e.g config.sh and also
inside of OBS workers
If an image is build without a kernel kiwi fails due to
some code paths expecting the presence of kernel modules
and or kernel binaries. This commit fixes this and allows
creating an image without installing a kernel.
In CentOS Stream 8 and Red Hat Enterprise Linux 8, there are
Application Streams that are offered in the form of modules
(using Fedora Modularity technology). To build images that use
this content KIWI needs to support to enable/disable various
modules. This commit allows to configure collection modules
in a new element as shown below
<packages type="bootstrap">
<collectionModule name="module" stream="stream" enable="true|false"/>
</packages>
This Fixes Issue #1999
For resolver operations through libsolv the 'kiwi image info'
module exists. So far it could not read the repos from
metalink repo definitions. This Fixes#1890
Allow to specify a bundle_format per <type> which is used
at the time of the result bundle creation to create image
output names matching the provided pattern.
This Fixes#1943
For initial provisioning of LUKS encrypted disk images an
empty passphrase key is handy to avoid interaction in the
deployment process. However, the dracut kiwi modules were
lacking the information that the luks keyfile could be an
empty passphrase key which must not be opened with the
potential risk to get prompted for input. This commit
introduces a new profile environment variable evaluated
by the dracut kiwi lib code to open the LUKS pool and
allows to distinguish the situation on key files with
or without a passphrase
In addition to the serialized Result instance kiwi.result
file this commit also creates a portable version of this
information in kiwi.result.json. Only the information that
can be expressed as json document is part of the portable
version. This is related to Issue #1918
kiwi is called with --debug in obs which triggers the scripts
to be called through screen. However the obs caller is not
associated with a terminal thus it fails. This commit creates
an exception for debug mode when running in obs