Delete duplicate information. Stick with the information
provided on the main page and drop the same information
from the overview page. Also fix a typo in the table
of supported distributions
The suse_version macro changes for code 16.1 to 1610.
Matches based on <= 1600 are going to fail. This commit
adapts the places where the spec uses the macro in this
way. This Fixes jira#PCT-899
When building live ISO images the selinux context was not created
for eventually newly created files during the live ISO creation
process. This Fixes OSInside/kiwi-boxed-plugin#99
Add check_checkmedia_used_with_msdos_table runtime check
to check if the used partition table type is compatible
with the selected checkmedia/tagmedia tool. So far only
plain MBR tables are supported by checkmedia.
This Fixes #2722
With the move to open-vmdk the only ovftype supported is
vmware. Should there be support for other OVA platforms
in the open-vmdk project we are going to add them on
demand. This Fixes #2627
Add a Trusted Execution Environment in form of an image as
a read-only system that is also dm-verity baked. The image
build provides PCR measured UKI image (kernel+initrd+bootloader).
The PCR values can be checked against the attestation document
and can also serve as AWS KMS key to enforce boot restrictions.
The image includes an example workflow in form of an enclave
image also built via kiwi using the native eif_build tool from
AWS. The enclave runs a little server/client example application
which creates the attestation document and sends the enclave
PCR measurements as response back to the Trusted Execution
instance. The image serves as example into the AWS Nitro TPM
Attestation and AWS Nitro Enclaves services to establish a
confidential compute workflow.
Update the --add-repo argument for image info to work
in the same way as it can be specified in the system prepare/build
commands. This now also allows for using metalink repos from
the commandline as follows:
```
kiwi-ng image info \
    --description build-tests/x86/rawhide/test-image-erofs/ \
    --resolve-package-list \
    --ignore-repos \
    --add-repo 'https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64,,,,,,,,,,metalink'
```
This Fixes #2908
retry `postinst configure` with second parameter '0'
As described in #2956 some newer postinst scripts like the one of
libselinux1 fail when called without the second parameter. On the other
hand it turned out that older versions like libgcrypt20 in Debian 12
fail installation if they get a second parameter because of a faulty
implementation.
With this patch kiwi calls it the old way without a second parameter and
retries with 0 as old version if it fails on the first attempt.
* Update unit tests
---------
Co-authored-by: Marcus Schäfer <marcus.schaefer@gmail.com>
The PARTUUID value for the root partition is expected
to be present in the profile for any build time.
However, due to a bug certain layouts e.g. LUKS or
RAID did try to retrieve the partition UUID from
the wrong device. This commit fixes it.
This Fixes #2949
Fixes: #2956
This patch avoids problems when building images for current Debian Sid
which currently is raising the following error:
```
[ 59s] [ ERROR ]: 08:20:03 | KiwiDebianBootstrapError: KiwiCommandError: chroot: stderr: /kiwi_debpost.rhgtuuvo/libselinux1.deb/postinst: 4: 2: parameter not set
```
Some arguments are not supported/implemented with these
repository classes. Make sure to sort them out and log
a warning that their use has no effect.
This Fixes #2953
Using --add-repo/--set-repo options on the commandline
allows to skip the repo alias setting by passing in an empty
value. That empty value however caused the alias attribute
in a repository section to be set to an empty string which
is not allowed by the schema. Instead an empty alias should
lead to no alias attribute set at all. This commit fixes it
zypper no longer provides /etc/zypp/zypp.conf. Instead the
concept of /etc/zypp/zypp.conf.d/*.conf was introduced. This
broke all integration tests which modified the former zypp.conf.
I dropped all these modifications from the integration tests
as they seem to be obsolete anyway.
When calling dracut --printconfig it creates a temporary directory
and some dracut template in it below /var/tmp. On readonly systems
this location is not writable. As such make sure that the location
is a writable tmpfs during call time
In case CommandCapabilities is called from a command
that does not exist and raise_on_error is requested
make sure to provide a better error message pointing
out that the command does not exist instead of the
misleading "Could not parse ... output" error message
In https://github.com/OSInside/kiwi/pull/2921 , based on the
commit message and the fact that the code uses an `if`, it's
pretty clear the use of `dracut --printconfig` is meant to be
optional. But setting the misleadingly-named `raise_on_error`
to `True` means it isn't. `raise_on_error` makes
`has_option_in_help` raise an exception if it *fails* - doesn't
find the specified flag - not if it *errors*. Since it does not
handle the exception, this code crashes if dracut does not have
the argument:
https://koji.fedoraproject.org/koji/taskinfo?taskID=141808928
DEBUG util.py:459: [ ERROR ]: 06:03:28 | KiwiCommandCapabilitiesError: Could not parse dracut output
I've sent https://github.com/OSInside/kiwi/pull/2943 to make the
message less of a lie, and this makes us stop crashing if the
arg isn't available.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
If I'm following this code correctly, we're not raising here
because we "could not parse" the output. We're raising because
we parsed it and it did not have the flag we were looking for.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Make sure the check only issues a warning message if the
call for the extended attributes really states that the
target doesn't support extended attributes. In any other
case do not warn as it causes misleading error information
which is not an error we care for in this scope
The provided information is SUSE Linux Enterprise
specific and is documented via the SUSE specific
documentation process and workflow. To avoid conflicting
information this chapter gets dropped from the upstream
docs
Build the API documentation via pdoc and reference it from
the main documentation. This has the advantage that new code
will be automatically included into the pdoc generated result.
Another advantage is that the search field on the main page
is not primarily hitting search results from the big API
documentation and that the search field on the API page
only searches within the API documentation.
The firstboot wizard in YaST which allowed to run AutoYaST
from a specific trigger setup no longer exists and now
executes the yast-firstboot service. However, firstboot.xml
is something completely different than AutoYaST.xml which
obsoletes the documentation we wrote in kiwi about it and
also confuses our users. I was not able to find a proper
utility which allows an easy setup of firstboot.xml in
the same way as it existed for "yast autoyast". As SUSE
also obsoleted and dropped YaST from their products the
only stable move is to drop this chapter from the documentation.
The chapter described the setup of a menu entry for grub
to loop boot a kiwi live ISO. The information was outdated
and no longer applied to the current state of the art.
This commit updates the documentation to be correct again.
Running on pytest < 7 causes an AttributeError:
module 'pytest' has no attribute 'Config'. Quoting
the type hint argument to be a string and accessing
the elements of pytestconfig via getattr() and a
default value works around the issue for older pytest
versions
Added new <environment> section to the existing <bootloadersettings>
section which allows to specify environment variables for setting
up an environment blob for the selected loader. With this commit
we add support for grub by using grub2-editenv. Other loaders
do not yet have an implementation or do not support environment
blobs. Settings will be ignored for unsupported loaders.
This Fixes #2922
Co-authored-by: Rhys Oxenham <rhys.oxenham@suse.com>
DNF5 has replaced DNF4 and MicroDNF since Fedora Linux 41, and this
replacement will take effect with CentOS Stream/RHEL 11 onward.
Furthermore, openSUSE Tumbleweed is switching to DNF5 for its support
of DNF, so switch things so that DNF5 is available for openSUSE.
The early boot script and also the ISO template should only
set this option if the conditions to set it are met. Conditions
for this option are if btrfs is in use and a default subvolume
and/or a snapper based snapshot is requested by the image
description. This Fixes #2919
Do not use a custom _dev name and stick with the UUID representation
of the disk image in RAM after deployment. Former versions of udev
did not create a by-uuid device representation which now seems to
have changed. This then leads to the device name RamDisk_rootfs
not being created and the respective .device unit times out.
In addition the timer unit for the standard device representation
changed to infinity. This fixes bsc#1254116
This commit adds support for providing custom CA certificates
during the build process. It allows a user to specify one or
more CA file(s) via the new <certificates> section and/or
via the command line. The certificate files will be imported
directly after the image bootstrap has finished (where the
required CA update tools are available), but before any
further packages are retrieved, solving for situations where
the chroot environment needs certificates, e.g. when there's
a proxy server in the build environment.
Co-authored-by: Marcus Schaefer <marcus.schaefer@gmail.com>
This commit introduces the SnapshotManager factory to abstract Snapper
specific logic into its own class.
It also updates unit tests to reach full coverage. It essentially
adds a new snapper unit tests suite and it refactors the volume manager
tests suite.
Signed-off-by: David Cassany <dcassany@suse.com>
This commit makes use of snapper helpers to install a new
system where first root is already a snapshot. Requires snapper
higher or equal to v0.12.1.
It also keeps old logic for backward compatibility with OSes including
older versions of snapper. The execution path is split based on the
snapper version included within the image being built.
Signed-off-by: David Cassany <dcassany@suse.com>
Chroot manager class can be used to setup
a chroot environment including an arbitrary
list of bind mounts. The provided paths to bind
are mounted in the chroot to the same actual root
path they are bound from.
This class is useful to setup a chroot environment
based on the root-tree created on prepare step.
Signed-off-by: David Cassany <dcassany@suse.com>
Make sure legacy image builds which use kiwi to create
an initrd keep dracut such that the initrd format detection
continues to work with the new dracut --printconfig option
With dracut-ng the output file format is a configuration
option. The detection mechanics must be extended by also
looking at the combined configuration settings which can
be obtained via the new --printconfig dracut option.
This commit adds the additional check if the used dracut
command supports that option. This Fixes #2918
efipart_id, rootpart_id, bootpart_id in <type> and
part_id in <partition>. Allow to specify a custom partition
number instead of the default numbering schema 1-N
Allow to specify a custom partition ID in the Disk
class interface and API. As of today the new parameter
partition_id in the ptable_entry_type record is not
in use by the current kiwi image description schema.
This change will be a followup to the API change and
needs further conversation upstream first. The code
changes here are based on the work from:
Co-authored-by: Caleb Wolfe <cwolfe651@gmail.com>
Co-authored-by: Caleb Wolfe (Amazon) <xcawolfe@amazon.com>
Assisted-by: Claude Opus 4.5 <noreply@anthropic.com>
This is related to #2917
Allow to specify a custom partition ID in the Partitioner
class interface and API. The code changes here are based
on the work from:
Co-authored-by: Caleb Wolfe <cwolfe651@gmail.com>
Co-authored-by: Caleb Wolfe (Amazon) <xcawolfe@amazon.com>
Assisted-by: Claude Opus 4.5 <noreply@anthropic.com>
This is related to #2917
The new root directory (/) for an image build is created
by taking the current system umask into account. However,
if that umask setting is not appropriate for the needs
of the image root directory some hard to debug after
effects can appear on the later run of the image binary.
As such this commit changes the permissions for the root
directory explicitly to the expected value.
This Fixes #2920
If root is not a snapshot and the root volume is
not (/) we forgot to self bind mount the root volume.
This must happen in the volume manager because if
done later it would shadow any other mountpoint
Update and extend integration tests with disk.sh examples.
Add a call to check that it knows about (/) and provide
proper output such that it can be checked by reading
the build logs
Add optional root_is_mountpoint parameter to the _call_script
method. When set the provided root path is turned into a bind
mount such that it appears as / being a mountpoint in the
chrooted call. Apply the argument to the call_disk_script
method such that it becomes effective for the disk.sh
script hook.
Some OS don't support the way systemd is dealing with keymaps (e.g.
Debian, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790955).
If we try to set the keymap using `systemd-firstboot --keymap`, this
will fail, and the error message from `systemd-firstboot` is misleading:
it states that the keymap is not installed.
I couldn't find out how to reliably detect if systemd's keymap
management is supported, so instead, we provide a hint in the error
message if `systemd-firstboot --keymap` fails that the reason could be
that it's unsupported.
Fixes #2904
More generic keymap/systemd error message + dedent
Adds test of warning if keymap setting unsupported
Fix linter complaints about formatting
Run keymap check under chroot
We're interested in the capabilities of the target system, since we also
run `systemd-firstboot --keymap` in there.
Fixup for setup_test after chroot'ing localectl
Remove localectl call
It talks to systemd.
Fix tests for keymap
Simple disk build enabling secure execution and attestation
for testing in the IBM Cloud and the SUSE s390 Infra.
Please note: UV attestation only works on z16, as long as
the SUSE infra is z15 based you won't be able to test
attestation
The console attribute in the bootloader section was used to
target both, output and input console setup using a space separator.
However, there can be multiple consoles specified for output
and input consoles and that turns the idea to handle both in
one attribute into a mess. This commit drops the console attribute
and offers two new attributes output_console and input_console which
can define multiple consoles each using space as a separator.
For example:
```
<bootloader ... output_console="console serial" input_console="console"/>
```
This change comes with a schema version bump to v8.4
An automatic XSL transformation template for the old console
attribute into the new output_console and input_console
attributes is also part of this commit.
This Fixes #2886
So far setting the luks= attribute on a live image build had
no impact to the generated ISO image. This commit adds the
encryption capability also for live ISO images. The read-only
part of the rootfs gets encrypted using the provided luks
passphrase. An eventual persistent storage area gets encrypted
at boot time if the rd.live.encrypt kernel cmdline parameter
is passed. Encryption/decryption requires to interactively
set/provide passphrase information at boot time. Please note
due to the read-only restrictions of an ISO image there is no
way to apply the standard re-encryption process as it is
usually performed by kiwi encrypted systems. As such the
specified luks passphrase in the kiwi image descriptions
becomes sensitive information that needs to be protected
The package requirement for binutils was set to TW (>=1650)
only but is also required for SLES16/Leap16 which is 1600
This commit fixes the condition to match with all required
distributions and fixes bsc#1253637
Using --add-repo/--set-repo options on the commandline
allows to skip the repotype setting by passing in an empty
value. That empty value however caused the type attribute
in a repository section to be set to an empty string which
is not allowed by the schema. Instead an empty type should
lead to no type attribute set at all. This commit fixes it
To run pvattest perform an attestation request binary as
well as the corresponding attestation key and the secure
execution header is required. This data should be created
as part of the image build. In this commit we are adding
support for creating the attestation data when building
a secure execution enabled image
The current kiwi-resize code was restricted to the root
partition for historical reasons. As in a partition table
only the last partition can resize, this should be the only
limitation for the resize code to perform its job. In
connection with the rd.kiwi.install.retain_last feature
it is also very likely that the last partition is not
the root partition but it should be properly restored by
the resize code after deployment
Instructs an OEM installation to retain the contents of the
last partition on the target disk. This setting is only useful
if the last partition does not belong to the main OS e.g. an
extra data partition added via the spare_part attribute in
the type setup of the image description. The implementation
also checks if the start address of the last partition on the
target disk matches with the start address of the image to be
deployed. Only if they match the data on the last partition
can be retained.
In a kiwi repart process the <oem-systemsize> element allows to
control the size of the partition to hold the rootfs. This commit
allows to dynamically overwrite the static value, or set it via
a kernel cmdline parameter
Pip as root has issues installing modules already present on the
system. Thus let's perform actions that are not required to run
as root to be done by the standard user.
As discussed in the community meeting stale issues and PRs
will be warned and stale labeled after 60 days. In the
community meeting we will go over all stale PRs and close
them on agreement. We will also look on stale issues and
decide if closing them is useful or not. There will never
be an auto-close.
Using cp -a might lookup in proc/self/.. under certain conditions.
Make sure to mount proc for config/function that might trigger
this condition. This Fixes #2876
Update check_dracut_module_versions_compatible_to_kiwi to match
with new dracut module dirs which have changed due to recommended
dracut module ordering for out-of-tree modules.
In dracut release v108 or later the recommended ordering
for out of tree modules is 50-59 range. The following is a section from dracut documentation:
> Not using the 50-59 range for out of tree dracut modules will likely
> lead to unintended errors in the initramfs generation process as your
> dracut module will either run too early or too late in the generation process.
> You have been warned.
When specifying a filesystem attribute for a live image build,
the rootfs gets built directly into this filesystem instead of
being a squashfs wrapped ext4 which is the default layout for
compatibility reasons. In this direct filesystem mode the
exclude list was not passed along to the filesystem creation
and causes unwanted metadata to be part of the final image.
This Fixes #2873
There was a method named initialize defined and implemented
differently in the dracut modules kiwi-lib and kiwi-repart.
kiwi-lib is expected to be shared code across all kiwi dracut
modules. However if one module redefines a method of the
same name which is used in another module and expected to
work differently there, this is evil. This commit cleans
up the name conflict and names the kiwi library init function
as lib_initialize. All dracut code that is expected to make
use of this method has been adopted too.
In case the kiwi-repart module is explicitly requested in a
dracut.conf file and the image is also configured to build an
install ISO image this leads the install ISO to contain the
kiwi-repart module as well which is unwanted. This commit
explicitly omits the kiwi-repart when creating the initrd
for the install image
Add set_device_lock method which uses udevadm lock preferable
but also supports an flock fallback in case there is no lock
command provided via systemd/udev
The shell code test ... || warn A; warn B will always
print the warning for B despite the test result. This led
to the warning message "Settings from the kiwi description will be ignored"
to be printed always. This commit fixes it with a clean if/then
condition
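
The precedence problem described in this commit message, as an added example that is not kiwi's own code. The function names `warn`, `check_buggy`, `check_fixed` and `count_warnings` are hypothetical; only the second warning text is taken from the message above.

```shell
#!/bin/sh
# Added illustration, not code from kiwi. All function names are hypothetical.

warn() {
    # Emit one warning line on stdout so callers can capture and count it
    printf 'WARN: %s\n' "$*"
}

# Buggy form: the ';' terminates the '||' list, so the second warn is a
# separate, unconditional command and runs whatever the test returned.
check_buggy() {
    test -e "$1" || warn "$1 not found"; warn "Settings from the kiwi description will be ignored"
}

# Fixed form: an explicit if/then puts both warnings under the condition.
check_fixed() {
    if ! test -e "$1"; then
        warn "$1 not found"
        warn "Settings from the kiwi description will be ignored"
    fi
}

count_warnings() {
    # $1: check function to call, $2: path to test
    # Prints the number of warning lines the check produced.
    # grep -c exits non-zero on a count of 0, hence the '|| true'.
    "$1" "$2" | grep -c '^WARN:' || true
}

# Demo on a file that exists: the buggy form still warns once.
demo_file=$(mktemp)
echo "buggy, file present: $(count_warnings check_buggy "$demo_file") warning(s)"
echo "fixed, file present: $(count_warnings check_fixed "$demo_file") warning(s)"
rm -f "$demo_file"
```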
`_create_solvables` assumes metadata files are gzip-compressed,
but modern Fedora ones are not, they are zstd-compressed.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
If we return from the repart stage it's important to wait
for the root device to appear. This is because the device
setup from udev might still be held back due to a former
lock on the device. This means if we return fast after
locking for example when check_repart_possible() quickly
finds out that it's not possible, then udev has not yet
got the time to create the device nodes.
This Fixes #2863
The redirect type "< <(...)" is not POSIX compliant and leads
to a syntax error in dracut which calls bash as "sh" leading
it to be restricted to POSIX only
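
A POSIX-only way to read command output in a loop without losing variables, as an added example that is not taken from the kiwi dracut modules. `list_partitions` and its sample data are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not code from kiwi. Names and data are constructed.
#
# The bash-only form, kept as a comment so this file parses under sh:
#   while read -r name size; do ...; done < <(list_partitions)

list_partitions() {
    # Constructed sample data standing in for the output of a real tool
    printf '%s\n' 'sda1 512' 'sda2 2048' 'sda3 4096'
}

# Pipe variant: in dash and bash the loop body runs in a subshell, so the
# assignments to 'best' are gone once the loop ends. This is the usual
# reason scripts reach for '< <(...)' in the first place.
largest_partition_pipe() {
    best=""; best_size=0
    list_partitions | while read -r name size; do
        if [ "$size" -gt "$best_size" ]; then
            best=$name; best_size=$size
        fi
    done
    printf '%s\n' "$best"
}

# POSIX variant: a here-document fed by command substitution keeps the
# loop in the current shell, so 'best' survives the loop.
largest_partition_heredoc() {
    best=""; best_size=0
    while read -r name size; do
        if [ "$size" -gt "$best_size" ]; then
            best=$name; best_size=$size
        fi
    done <<EOF
$(list_partitions)
EOF
    printf '%s\n' "$best"
}

echo "pipe variant:    '$(largest_partition_pipe)'"
echo "heredoc variant: '$(largest_partition_heredoc)'"
```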
Several commands during repart, resize and other actions
require a proper lock to be set for udev such that other
events know about the locked state of a device and do
not mess with it until the command for which the lock
persists has completed. This commit applies proper udev
locks to all commands that require it. In addition
incorrect code that was expected to prevent such race
conditions got dropped from the implementation.
This is related to bsc#1242987
The kiwi-repart implementation requires a metadata file
named config.partids which holds information about
partition ids and more stored at the time the image was
built. Depending on the complexity of the image and the
resize request some of the information can be rebuilt
in case the metadata file is missing. This commit adds
the rebuild of the minimum required information to run
a standard resize and therefore allows the kiwi-repart
dracut module to work also without config.partids to be
present in the system
The partition id metadata file is used in the kiwi-repart
module. If a user wants to use the kiwi repart module
permanently, this metadata file needs to stay in the system.
Therefore it should not be automatically deleted by the
cleanup. A disk.sh hook script can be used to force the
deletion of the file though. This is related to #2851
A recent commit changed the way these are looked up and
accidentally broke image building on riscv64, with
KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found
now being raised for kiwi recipes that worked just fine
before that moment.
Fixes: 197572378c
Thanks: David Abdurachmanov <davidlt@rivosinc.com>
Thanks: Marcus Schäfer <marcus.schaefer@gmail.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Add script code to shellcheck and fix all reported issues.
Get rid of suseXX and baseXX methods as much as possible.
Add set -ex for all script code. Do not allow any script
code to fail.
So far the check for unallocated space was only working for GPT
and there it was also not really stable. The check was based on
verifying if the backup GPT table is really at the end of the
disk. Depending on which tool was used to dump the image on the
target this "mistake" often got corrected by the tools that
dumped the image. In this case the check no longer worked.
This commit improves the check by another test which looks
for the real free bytes on disk compared to the current
partition geometry.
When calling the helper/build_status.sh script to get an
overview about the results of the integration tests, there
is a stupid new behavior from the osc tool that it assumes
a package name according to the name of the directory you
are in probably connected to the fact that the data in this
directory is a git checkout or some other strange assumption.
This commit moves to a neutral directory where none of the
osc internal assumptions applies and it just does what it
should do... showing results of the given project.
For reproducible builds the calculation of the filesystem UUID
should be persistent with each rebuild of the image. To achieve
this the UUID is calculated using the SOURCE_DATE_EPOCH from
the environment plus a char-number representation of the filesystem
label name as random seed. In kiwi every filesystem is created
with a label, thus only in case there is no SOURCE_DATE_EPOCH
available we continue to create the UUID as random data.
This Fixes #2761
Allow to specify a filesystem label as part of a <partition>
definition. So far the label was set by the name of the
partition. With the new label attribute, a filesystem label
different from the partition name can be set. This commit
also updates/fixes the documentation in this regard.
Allow to specify which type of persistent device name should
be used to build up the list of installation disk devices.
For example rd.kiwi.install.devicepersistency=by-path would
use the by-path representations for the available disk
devices. The default (by-id) stays untouched. In case an
invalid or not present device representation is selected, kiwi
falls back to the non persistent unix node names.
Log the value of SDE so it is available to review,
even if the build system does not tell about it.
Update the tests to cover the new code-path.
Co-Authored-By: Marcus Schäfer <marcus.schaefer@gmail.com>
This helps a bit with issue #2358
Add reproducible flag for UKI too
Update tests accordingly
Co-Authored-By: Marcus Schäfer <marcus.schaefer@gmail.com>
Add missing search path for shim binary on arm based SUSE
systems. Also update the tumbleweed/test-image-live-disk
integration test for arm to build with secure boot enabled
to actually test a secure boot enabled ISO build.
This Fixes #2842
The function get_partition_node_name takes the disk device
and the partition index as arguments to match against the
respective device node for this partition index. The partition
index is the position of the partition in the partition table
according to their start offset. For the code to function
properly it is required that the list of partitions provided
by lsblk is ordered according to the start address of the
partitions in the table. The way lsblk was called did not
enforce this ordering. This commit enforces the order to
be done against the start offset and fixes bsc#1245190
If root is a snapper snapshot we have to tell the
chroot a proper root mount point which can be achieved
by a bind mount pointing to itself. This Fixes
bsc#1244668
Allow to lookup and include EFI binaries/modules for
multiple architectures. For testing the integration
test in rawhide/test-image-live-disk has been adapted
accordingly to install 32bit and 64bit EFI binaries.
This Fixes #2822
Add driver configuration support for dracut initrd
Add support for specifying kernel drivers to be included or omitted
in the dracut initrd configuration. This extends the existing dracut
configuration capabilities like in the following example
```
<initrd action="add">
    <dracut driver="erofs"/>
</initrd>
```
In case a spare_part setup is combined with the root_clone feature,
the size calculation for the rootfs did not take the cloning into
account and led to the wrong value. In addition when requesting
the spare part to be last and no size information was given, the
partition was not created at all. This commit fixes both defects
and Fixes #2831
In a btrfs based design, allow to put /boot as subvolume.
This required a small fix in the mount order in a way that
boot/efi gets mounted after the subvolume mounts are done.
The respective integration test has been updated to test
this functionality. This Fixes #2824
If the targettype is set to GPT in combination with plain
zipl as loader, the code to validate the targettype against
the targetgeometry was not effective and zipl failed.
This Fixes #2821
Use proper systemd mount units to setup the custom overlay.
The handling of fstab entries by systemd is limited and
should be better handled by self managed mount units
Make sure the final image rootfs does not contain unneeded
metadata files used during build time. The respective cleanup
call is performed after the root sync and after all initrd/boot
processing has been done. This is because up to that point it's
still possible that the information is required. This means
when building images with a read-only rootfs, it might not be
possible that the metadata can be deleted due to a chicken&egg
situation. Furthermore the cleanup is applied to the disk
builder only as other builders do not really suffer from
this data and for the container builder the metadata can
also be used for the stackbuild feature when building images
derived from containers. This Fixes #2668
Update the sdboot_uki_verity_erofs profile of the
test-image-overlayroot integration test with a custom
fstab example to overlay only parts of the system
for writing. This Fixes #2815
If overlayroot_write_partition="false" is set, no system
indicator was stored. This caused the bootloader setup to
be skipped completely which is not required for e.g.
systemd-boot.
When booting an overlayroot image with rd.root.overlay.readonly
set, the system will boot with only the read-only root mounted.
There was a bug in the dracut code which prevented this mount
from succeeding when the read-only rootfs is different from
squashfs. This commit changes the mount to be a simple bind
mount, independent of the origin filesystem. This works because
the read-only mount is performed in the dracut overlay code
anyway. This is related to Issue #2815
Since we moved to poetry and no code is using setuptools anymore,
this requirement can be dropped. The commit also updates the
plugin documentation which was still based on setup.py
Like the upstream module also support the root=live:http://...
remote boot options. The kiwi-live dracut module is scheduled
to become obsolete, but it's still in use and should support
remote boot not only for AoE. As we got more issue reports than
working AoE remote boot success, this commit also updates the
documentation and switches to the capabilities of this PR.
In addition to systemd_boot also add support for UKI creation
when grub is used. This includes the creation of a UKI image
via dracut in the same way as it's done for systemd_boot.
In addition an earlyboot grub script chainloads the UKI and
bypasses any written grub configuration. In theory this should
also allow to use the shim loader for chainloading an UKI.
However I haven't done testing in this direction and I also
expect security issues with this approach because loading
any non signed data by shim is not expected to work. A new
profile named grub_uki_verity_erofs has been added to the
integration test that experiments with UKIs
Extend scope and content of the <initrd> section to be allowed
as part of the <type> section. This allows to specify custom
call options and modules for the dracut tool. In particular
this commit implements support for passing the uefi option
to dracut to enable building an UKI EFI binary as follows:
```
<initrd action="setup">
    <dracut uefi="true"/>
</initrd>
```
This Fixes #2809 and Fixes #2408
To make sure only loader entries from /boot/efi/loader/entries
kiwi deleted eventually existing entry files from /boot/loader.
However that is a problem for read-only systems and should actually
also not be performed by kiwi. This Fixes #2805
Make sure to perform setfiles only on a writable target. In case
of a read-only root it is expected that the security context set
by kiwi in an earlier stage is complete. As there is no way to
modify data when root is read-only, there is also no way to change
the security context of any file such that we skip setfiles
in this case. Should there be a read-only system that has writable
partitions such as /boot and their content changes while the rest
of the root system is read-only it is the responsibility of
the author of the image description to call setfiles only on
the affected and still writable files via a custom disk.sh
script. Along with the fix the respective integration test was
modified to enable selinux such that this change is actually
integration tested. This Fixes #2805
Add runtime check to make sure the selected target directory
for the image and/or the image rootfs lives on a filesystem
that provides all required features like extended permissions,
ACLs or xattrs.
When requesting a new random key prior to reencryption, make
sure that this new key is referenced in the current in
memory initrd crypttab such that all subsequent
tasks e.g. luks resize have permissions to complete while
inside of this initrd instance
Add another build using grub instead of systemd-boot and use
btrfs as write partition instead of xfs. Please note this test
requires a boot partition because grub cannot read from erofs
and unlike systemd-boot grub does not read all boot data from
the ESP.
If a volume capable filesystem like btrfs is requested, there
must also be a volume definition available to report that
the volume management is actively used. Just the request of
the filesystem can also mean it's being used without volumes
like it could be the case for an overlayroot setup that
requests btrfs as write partition.
So far no luck with the systemd verity generator. This
commit adds the parsing of /etc/veritytab in the existing
kiwi-verity dracut module and uses it in the overlayroot
integration test.
Switch to erofs for overlay testing. Additionally split the build
into two profiles. The first one just builds a simple overlayroot
oem disk based on erofs. The second one adds a veritysetup layer
and configures the systemd-veritysetup-generator for use in dracut.
This Fixes #2799
Add new overlayroot_readonly_filesystem attribute which allows
to select for either squashfs or erofs as the read-only filesystem
in an OEM overlay disk setup.
When building an image with overlayroot set to true and
activated verity data, the root= parameter must be
set to root=overlay:MAPPER=verityroot instead of the standard
overlay:PARTUUID mapping.
The check_efi_mode_for_disk_overlay_correctly_setup exists because
shim-install does not work on read-only devices. However, shim-install
is a SUSE only tool that runs a SUSE specific secure boot setup.
For other secure boot processes this runtime check is not useful.
As runtime checks aim to be generally useful, this one gets
dropped.
If the root_clone attribute is specified without providing a
fixed size for the system, kiwi estimates the size needed for
the root part and assigns the rest to the clone. This leads to
different partition sizes for the root clones. As per definition
of a clone the expectation is that the size is the same, this
commit changes the behavior such that the calculated size for
the system is applied to the origin root and all its clones.
As a consequence this can leave unpartitioned space free in
the image. This Fixes #2463
Make sure to use the correct passphrase for the master
key such that it can be decrypted with the same credentials
as before. The credentials reset is a subsequent task
after reencryption.
Fixed get_build_type_bootloader_bls behavior in case the bls
attribute is not set. In this case get_bls() returns a None value
which was returned. However in this case the attribute value
should not be taken into account and the method defined default
value for bls should be returned. This Fixes #2542
Using `kiwi-ng` version 10.2.18 (EL9)
Currently with:
```
sudo kiwi-ng system build \
--description kiwi/build-tests/x86/fedora/test-image-docker \
--set-repo http://ftp.fau.de/fedora/linux/development/rawhide/Everything/x86_64/os/ \
--target-dir /tmp/myimage1
```
This fails with:
```
[ INFO ]: 09:46:38 | Setting up user root
[ INFO ]: 09:46:38 | --> Modifying user: root
[ INFO ]: 09:46:38 | --> Primary group for user root: root
[ ERROR ]: 09:46:38 | KiwiCommandError: chroot: stderr: /sbin/chroot: failed to run command ‘usermod’: No such file or directory
```
Install the package `shadow-utils` to provide `usermod`.
Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.
Fixes: https://github.com/OSInside/kiwi/issues/2790
These are the Linux distributions that are developed and actively
tested for with the latest kiwi releases.
This should offer greater clarity about what we're able to support
as an upstream project.
The ImageSystem.mount() method implemented its own handling
for mounting the volumes of a volume manager based system.
First and foremost this duplicates code that already exists
in the respective VolumeManager implementation and second
the code behaved wrong in case of btrfs when there is no
default subvolume configured
If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.
When building an image with overlayroot set to true and
activated luks encryption, the root= parameter must be
set to root=overlay:MAPPER=luks instead of the standard
overlay:PARTUUID mapping. This Fixes #2776
Use .config instead of .conf for the temporary package
manager config files. Reason for this change is a bug in
dracut which reads and executes all /*.conf files from
the system. This Fixes #2780
On selinux enabled image builds we call setfiles initially
after the root tree is complete and after each script invocation
that might change the system. However the security context
also applies to mount points e.g. volumes which only exist
at the time when the root tree gets synced to the actual image
binary. Thus this commit also calls setfiles on the mounted
root tree after data sync. This Fixes rh#2333743
Rephrase chapter pointing to a documentation site at VMware.
They are constantly changing their documentation URLs that
I'm tired of fixing this. This Fixes #2782
Depending on the type setup for a luks encrypted image, there
might be one or two key slots available. When kiwi is requested
to perform the reencryption process at least one key-slot and
the proper keyfile/passphrase must be provided. This commit
stores the information about the key-slot number for which
a decryption information exists in the initrd. In addition to
the code change also the corresponding integration test image
was updated.
Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.
Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777
When building result files that use container types like oci or docker,
kiwi creates them as archive tarballs with an extension prefix to
indicate the special nature of the archive. However, the bundler
code does not retain the prefix, which results in the wrong file
extension for these archives.
This change adds exceptions for these types and refactors the
exception handling to unify it with the Vagrant image filename
handling, which operates similarly.
Fixes: https://github.com/OSInside/kiwi/issues/2628
A bootloader setup is needed to create config.bootoptions
Even though a ramdisk deployment does not require a bootloader
setup we need it because part of the setup is the root device
reference which is still needed to pivot root into the
system
Split the build into two profiles ISO and PXE to differentiate
the build results into a small Agama for remote installations
and a standard Agama for iso based installations
So far it was only possible to specify the size of the ramdisk
via the kernel commandline option: ramdisk_size. In a remote
deployment it was therefore required to carry this size as a
mandatory information to the deployment server. With this commit
we allow to specify the size for the ramdisk to be configured as
part of the image configuration which makes this information
also available inside of the initrd. If provided the ramdisk_size
kernel commandline option still takes precedence over the
<oem-ramdisk-size> setting to avoid any behavior change and to
still allow dynamic overrides of the ramdisk size.
In case rd.kiwi.ramdisk is used as part of a remote deployment
setup, it's not needed to load the system kernel and initrd
because it's not used as kexec is not called with the system
deployed into memory. For ramdisk deployments the system is
booted using the currently active kernel and initrd and as
such we can avoid loading an extra kernel and initrd for
booting the system via kexec.
Due to the special bootstrap process, the packages unpacked
during bootstrap are not properly listed in the apt index.
Therefore the bootstrap packages are added to the install
phase which causes an install of these packages again to
fix the apt index and provide a consistent system from
an apt perspective. This Fixes #2768
When kiwi runs the reencryption it also restores an eventual
existing keyfile. However if the option rd.kiwi.oem.luks.reencrypt_randompass
is specified no former keyfile should be restored. The purpose
of reencrypt_randompass is to make sure only this in memory
passphrase can access the luks pool such that tooling at boot
time gets the opportunity to work with the luks pool for e.g.
setting up a TPM key or set a passphrase only known to the user.
For reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass
make sure that the temporary random pass keyfile has 0400 root
owned access permissions set
Improve the log message that tells about reading the
kiwi config file to actually show the file path that
is read in. This is especially an issue if more than
one kiwi file is read in during the build process.
It should be permitted to set the "C.UTF-8" locale for minimal images
that are not preloaded with locales. The "C.UTF-8" locale has been
supported in Linux distributions for many years.
Allow to specify the sourcetype (metalink|baseurl|mirrorlist)
also on the commandline via --set-repo/--add-repo options. So
far this was only possible as part of the kiwi description file
Enhance poll_show_progress() method to allow polling on
stderr data too. The new parameter with_stderr is used
together with the dnf5 package manager. dnf5 has changed
in a way that a lot of useful information during the
install of packages is printed to stderr. From my perspective
a clear regression to former behavior but we can fix this
in kiwi to poll on both channels. This Fixes #2748
Even though we will add support for the typer Cli with kiwi-11
I want our integration test images to be able to build with the
open PR #2751. Debian 12 is the only target in the support matrix
which uses a too old version of typer. Therefore to be able to
test this target I built a newer version of typer in an update
repo for Debian 12 and added it to the integration test
description
This was just a "can this work" test but has no real
relevance for users since nobody would use dnf to build
a suse image, there is also no help when it does not
work. So let's drop this test build
Update and extend all integration tests such that they also
build outside of the Open Build Service. Along with the changes
on the descriptions a simple build-tests.sh script was added
to drive the build process. The build is based on the kiwi
boxbuild plugin in container mode to build the tests
from a given build-tests directory. A new chapter to document
how to Build the Build Tests is also provided and referenced
on the github main page.
For OEM LUKS2 encrypted disk images in combination
with rd.kiwi.oem.luks.reencrypt. Reset insecure build time
passphrase with a random onetime passphrase
On ppc the CHRP loader name can vary between distributions.
This commit adds a search method to lookup different ELF
loader names. In addition an integration test image for
Fedora was added. This Fixes #2741
In the effort of adapting to the latest snapper in Issue #2697
we overlooked the after effect of a different variable name
in the profile environment with regards to $kiwi_btrfs_root_is_snapshot
and $kiwi_btrfs_root_is_snapper_snapshot. Image builds that
reference the former variable name would be broken by the change.
This commit makes sure no regression is introduced by providing
both variants. This Fixes bsc#1237772
The list of modules used to create a grub platform image for
ppc was the same list as used for the x86 bios platform.
This commit fixes this and also cleans up the inconsistency
and misleading names used for creating platform specific
output. This Fixes #2738
Newer versions of poetry set the timestamp for all source
files to epoch 0. Such sources are not accepted by e.g
Debian FTP servers and in general I don't like when tools
change their behavior just like that. This commit forces
an older version of poetry for the purpose of creating the
sdist tarball which then gets published on pypi. The
argumentation for reproducible builds by forcing source
files to a certain timestamp doesn't fly for me. I'm open
for any better solution though. This Fixes #2730
Allow to configure the timeout value for dialogs displayed
by the kiwi dracut code. By default the timeout is set to
60 seconds. With the special value "off" the dialog will
never timeout. This Fixes #2718
Add a test case with absolute path in the target_dir
to make sure we never unpack the archive to the host
system. The actual issue was resolved together with
the implementation in #1953 and commit
78238a993c
This Fixes #2701
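The containment property that this test case guards, as an added example that is not kiwi's own code: an absolute `target_dir` must still resolve below the image root, never onto the build host. The names `naive_target`, `resolve_target_dir` and `TargetDirError` are hypothetical, and the directory tree in `demo()` is constructed for illustration.

```python
import os
import tempfile


class TargetDirError(ValueError):
    """Raised when a target_dir would resolve outside of the image root."""


def naive_target(root_dir: str, target_dir: str) -> str:
    # Pitfall: os.path.join() discards root_dir as soon as target_dir
    # is absolute, so the result points at the host filesystem.
    return os.path.join(root_dir, target_dir)


def resolve_target_dir(root_dir: str, target_dir: str) -> str:
    """Return the unpack location below root_dir or raise TargetDirError."""
    root = os.path.realpath(root_dir)
    # An absolute target_dir is interpreted relative to the image root.
    relative = target_dir.lstrip(os.sep)
    # realpath() collapses ".." components and follows symlinks that
    # already exist in the tree, so both escape routes become visible.
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise TargetDirError(
            f"target_dir {target_dir!r} resolves outside of {root}"
        )
    return candidate


def demo() -> dict:
    """Run constructed target_dir values against a throwaway root tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        # A symlink inside the root tree that points out of it
        os.symlink(outside, os.path.join(root, "escape"))
        real_root = os.path.realpath(root)
        for target_dir in ("/etc", "usr/share/data", "../../etc", "escape/data"):
            try:
                resolved = resolve_target_dir(root, target_dir)
                results[target_dir] = os.path.relpath(resolved, real_root)
            except TargetDirError:
                results[target_dir] = "rejected"
    return results


if __name__ == "__main__":
    print("naive join:", naive_target("/tmp/image-root", "/etc"))
    for target_dir, outcome in demo().items():
        print(f"{target_dir!r:20} -> {outcome}")
```

Rejecting every symlink that leaves the root is deliberately conservative: absolute symlinks that are valid inside a chroot are refused as well.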
When building an image for profile: SOME and providing
an overlay directory named SOME/... kiwi will sync the
contents of this overlay directory to the root tree.
However it took the toplevel name SOME/ into account
which is unwanted because only the sub data structure
should be synced into the new root tree. This
Fixes #2690
On multipath systems we need to find underlying child device
instead of using parent device.
This prevents listing all parent devices for a multipath device
In reference to commit 760a65558f
the support for iso:// URI types was dropped some time ago.
However, the documentation was not properly updated. This
commit fixes it
The grub helper methods to find grub tools return a
None value if the tool cannot be found. This None value
could be used later in a Command call where it will be
used in a join() command to log the resulting commandline.
This join() call then fails and raises an unhandled error
causing a stack trace in the application. This commit
fixes it
Installing the same image to different storage disks on the
same machine creates device conflicts with unexpected side
effects. This commit adds a validation based on the PTUUID
of the disk image to check if another device on the system
has the same ID and if yes, does not allow to install the
image again including a message which device takes the same
identifier. This references bsc#1228741
Added a new troubleshooting chapter as subsection to
the Build Host Constraints named Package Manager Behavior.
It serves the purpose to describe options for the customer
to change the default package manager behavior which
we from the kiwi side do not influence intentionally.
This is a followup change to bsc#1235448
If there is a file .kiwi.package_manager.env in the root of
the image tree it will be read and put into the caller environment for
the selected package and repository manager. There are features
in e.g zypper which can only be used via env variables.
This Fixes bsc#1235448
Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot.
This happens in preparation for the changes suggested in #2697
where we want to get rid of snapper specific btrfs code which
will be available in snapper natively soon. To make sure a btrfs
layout specific to snapper (and SUSE), the implicitly used attribute
named btrfs_root_is_snapshot now becomes explicit and its new
name will indicate that snapper sits behind it. Along with the
rename a XSLT stylesheet to automatically convert the old name
into the new name for schema v8.3 will be performed.
Added rd.kiwi.oem.luks.reencrypt boot option consumed by the
kiwi-repart dracut module. For OEM LUKS2 encrypted disk images.
If set, reencrypts the disk prior to an eventual resize and therefore
creates a new key pool and master key. The reencryption is advisable
if the image binary is not protected. With access to the image
binary it's possible to extract the luks header which then allows to
decrypt the data unless it was reencrypted. The reencryption process
only runs if the checksum of the luks header still matches the one
from the original disk image. Be aware that the reencryption will
ask for the passphrase if the image has been built with an initial
luks passphrase.
The test-image-MicroOS integration test builds an IBM-Cloud-Standard
profile as encrypted variant with a random key that is not protected
by an encrypted boot image. This doesn't make sense. Thus the
encryption setup for the IBM cloud standard build got removed.
Use the IBM-Cloud-Secure-Execution profile to test encrypted
secure linux builds
In contrast to the documentation, kiwi sets default values
for any gpg setting if not explicitly specified differently.
We want to avoid to inherit a behavior from how the distribution
packages the package manager. This commit fixes the documentation
to be in line with the implementation
Decommission the Checksum.md5() method and move all places
in code to sha256(). The md5 digest is considered insecure
and has also been removed from hashlib as a supported digest.
This Fixes #2696
Instead of providing a static list of filenames, provide a list
of package names. It is expected that the pilot of flake-pilot
resolves this list against the local package database to build
up the filelist for provisioning
This should make the xorriso-based ISO build path respect the
'efiparttable' and 'gpt_hybrid_mbr' settings when building a
UEFI-compatible image, making it write a GPT disk label by default
instead of an MBR (msdos) one. If it's building an image that is not
UEFI-compatible it will always write an MBR label, regardless of
this setting.
If 'gpt_hybrid_mbr' is set, xorriso will write an Ubuntu-style
MBR/GPT hybrid partition table, where the MBR partition table
includes a partition with type 00 and the bootable flag, as well
as the partition with type ee required by the UEFI spec. This
mildly violates the UEFI spec but may make the image bootable on
native BIOS or CSM firmwares which refuse to boot from a disk with
no partition marked 'bootable' in the MBR. If 'gpt_hybrid_mbr' is
not set, xorriso will write a strictly UEFI-spec compliant label,
with just the 'protective MBR' required by the UEFI spec (no
bootable partition) and the correct GPT partition table. Note
this is somewhat different from what gpt_hybrid_mbr does for
disk images.
Also, we now pass -compliance no_emul_toc when building ISOs, as
recommended by upstream in
https://lists.gnu.org/archive/html/bug-xorriso/2024-11/msg00012.html
This tool is generally always going to be building ISOs intended
for write-once use, not multi-session use (and which are rarely,
these days, written to physical discs at all anyway).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The attribute provide_system_files creates a meta file in the
root tree named 'systemfiles'. The contents of this file were
produced by just a dump of the package database so far. For
a more generic use of this data some adaptions were needed.
First we allow to skip packages matching a pattern from being
part of the system files. Next we do not put ghost and doc
files into account. And last we handle library files in a different
file named 'systemfiles.libs' where we do not add symlink targets
if the target path is also part of the package. The consumer
of this information is flake-pilot which syncs that library system
files from the host via --copy-links. This allows a more generic
use with regards to versioned libraries e.g. libc
This has created havoc in the Fedora build environments by
fully unmounting /dev/pts and breaking the builders for
subsequent tasks.
This is a partial revert of commit daf1323c5d.
The code in this method does not work correctly if the
firmware is set to 'bios'. In bios only mode the method
returned a false value which is incorrect as it should
return a true value in this case. Without this patch
ISO images will fail to boot because no loader gets
configured.
During runtime several kernel filesystems are bind mounted into
the image root system such that programs expecting it can work.
/dev/pts was not needed so far but seems to be a good addition
to the list to make tools like sudo work properly when called
e.g. from a config.sh script. This Fixes #2686
Added the attributes provide_system_files and require_system_files
to control the provider and requester of system files in
container image builds. systemfiles is a metadata file which
contains all files from the package database at call time.
It is used in flake-pilot to provision the systemfiles data
from the host into the container instance. One possible use
case for this data is a flake registration which uses a
base container that is derived from a runtime container but
all data from the runtime should be provisioned from the
host. Using this feature tightly couples the flake to the
host OS distribution and version.
Increase lifetime of the compressor instances
to the lifetime of RootImportOCI. They create temporary
files which are referenced later and need to live longer
than the block they got created in
Add support for multi inheritance to the derived_from attribute
In the order of a comma separated list of docker source URI's
a base tree is created. This was possible only with one container
so far and Fixes #2680 as well as jira#OBS-354
Allow to pass luks="random". In random mode use the
generated keyfile as the only key to decrypt. This is
only secure if the generated initrd also gets protected
e.g. through encryption like it is done with the secure
linux execution on zSystems
IBM SEL (Secure Execution for Linux) is supported for s390
KVM guests. SEL images used to start a confidential computing
protected guest contain an encrypted boot image which encapsulates
the kernel, the initrd and the bootparams. The encrypted image is
provided by the KVM/hypervisor to the Embedded zFirmware of the
system (the ultravisor device). The decryption keys are hardware
based and each system has an individual keypool unique to that
system. The root filesystem is LUKS encrypted with a random key
produced by kiwi at build time and kept inside of the initrd which
exists only inside of the encrypted boot image and the encrypted
rootfs to allow kernel updates. The commit to support secure
execution also comes with an integration test that provides
profiled image builds to target SUSE's LinuxONE as well
as IBM Cloud systems.
According to the spec, this should be constrained to 128 characters
but also allow quite a few other special characters (as well as spaces).
We didn't allow spaces in application ID, but allowed too much for Publisher.
Now we set up both correctly.
Some kiwi env vars are initialized with an empty value
and not overwritten if another value is provided. For
the selected variables an empty value setting is not
allowed because the schema also enforces the value to
be set at least once. In addition a helpful option
named --print-kiwi-env was added to the 'image info'
command which allows to print the environment variables
and their values.
When building in the Open Build Service (OBS) there is no way
to create outgoing connections from the build workers. To allow
the <containers> section to fetch containers from the SUSE
registry we need to apply an OCI URI translation into a local
path. The actual OCI container image is expected to be provided
by the obs backend on the worker. Along with this commit also an
integration test named test-image-disk-containers is provided.
This Fixes jira#OBS-351
The SUSE documentation is produced through a conversion
of the ReST source into docbook. The name kiwi is reserved
in the index and needs to be referenced as kiwi-ng when
used as command.
tox was used as sort of a make target to run unit tests
and more in a python virtualenv. However, since we switched
everything to poetry it's no longer needed to let tox create
the python virtual environments. This commit moves the tox
targets into the Makefile and adapts the github workflow
files accordingly. In addition the scripts container based
tests were re-activated and fixed such that they succeed
again.
Move the actions done by the tox target into the
build target and call them there in a clean and easy
to spot sequence. There is no need to call tox to
prepare for the package submission, instead the
checks and poetry runs to prepare for the package
target should be called directly as part of the
build target. In the future we might get rid of
tox completely.
zipl gets confused with an active sysfs mount inside
the root tree at call time of zipl. This commit
umounts the /sys bind mount in the image tree prior
calling zipl
The pyproject.toml listed pytest-container as dependency
but it is used only to run the container based integration
tests for the shell helper methods. For building the package
this dependency should not be pulled in
Python 3.13 is shipping in Fedora Linux for Fedora Linux 41, so we
should ensure kiwi is tested against it. The testing setup is
based on the latest development version of 3.13 as it is not
yet released.
erofs-utils for SUSE only exists in Tumbleweed. The
former condition would also add the requirement for ALP
and SLFO which is wrong. This commit fixes it
Allow to specify references to OCI containers in the
image description like in the following example:
```
<containers source="registry.suse.com" backend="podman">
    <container name="some" tag="some" path="/some/path"/>
</containers>
```
During the kiwi process the containers are fetched into a
temporary location and a systemd service is configured to
one time load the containers into the local registry at
first boot of the system. This Fixes #2663
- it does not need to be an abstract base class
- use f-strings where applicable instead of format()
- change return type of _custom_args_for_format from list to tuple
Fixed _supports_bios_modules() to take an eventually
provided eficsm setup into account. The grub config still
searches for i386 grub modules even if eficsm="false"
is set.
Run scripts as commands with their native shebang and not
through bash. Not all debian package scripts use bash, some
of them use sh which can be a link to dash or other
interpreters. This Fixes #2660
The bootstrap procedure based on apt only runs a manual
collection of package scripts. This commit refactors the
code that unpacks the bootstrap packages to a python
implementation and adds a method to run the bootstrap
scripts from all packages resolved by apt.
When bundling result files that use a vagrant type,
kiwi creates them with the extension .vagrant.virtualbox.box
or .vagrant.libvirt.box. The bundler code renames them using
only the .box suffix which is too short as it is missing
the subformat information. This commit fixes it and keeps
this information in the result bundle file name.
This Fixes #2656
This fixes a collection of bugs when producing erofs images.
On one hand, this ensures that an exclude of `/sys` doesn't accidentally
match `/lib/libsystemd.so`, only `/sys/whatever`.
On the other hand, this ensures that `/dev/*` does match `/dev/vda` and
not just `/dev///////////`.
This fixes libsystemd.so getting dropped in Kiwi-built FEX images.
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
All other call sites honour the custom exclude file, it's just this one
that needs to be fixed. This unblocks use of Kiwi for generating FEX
rootfs.
Closes: #2652
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
So far comments and processing instructions (PI) were
ignored when applying the XSL stylesheets. This commit
updates all stylesheets to take them into account
The SELinux policy of Fedora Rawhide when running completely in
an initrd is not suitable to let the system boot up. Thus the
current solution is to boot in permissive mode. A better solution
for the future would probably be a selinux policy for enclaves
Add a provides tag (read by the open buildservice) for the new
enclave builder. Also add a recommends to eif_builder in
the systemdeps-core meta package
The log information of the command execution was not printed
directly before the actual command invocation. There are other
actions after the log information (e.g. Path.which) which themselves
produce log information prior to the real subprocess execution.
This is very misleading when reading the log file and fixed
in this commit.
When apt resolves packages on a multiarch repo it can happen
that dependencies for packages from other architectures are
pulled into the solver process but are not provided by any
repository. To overcome this behavior the repository can
be setup to serve packages only for a specified architecture
or list of architectures. This is related to
OSInside/kiwi-descriptions#102
Add new EnclaveBuilder class which allows to build initrd-only
image types. The first enclave implementation covers aws-nitro
images produced via the eif_build tooling.
For setting up the brd rd_size option kiwi creates
99-brd.conf used at load time of the kernel brd driver.
The location for the conf file is set to /etc/modprobe.d/
However, in newer versions the location has changed to
/usr/lib/modprobe.d/ and /etc/modprobe.d is no longer
expected to exist. This commit makes sure /etc/modprobe.d
is created if not present.
On s390, parted is used to detect the partition table type.
In contrast to blkid the name for DOS tables is reported
as 'msdos' and not 'dos' which impacts several conditions
in the kiwi initrd code which checks for 'dos'. This commit
fixes the get_partition_table_type() method to return a
consistent table name for DOS tables. This Fixes bsc#1228729
This reverts commit 15b4501884.
The change provided here entirely broke kiwi in OBS. With this
patch applied every image build in OBS fails with the following
message: 'line 1: /usr/sbin/kiwi: No such file or directory'
When bundling result files that use an archive type like
tbz or docker, kiwi creates them with the extension tar.xz/tar.gz
The bundler code only uses the extension from the last tuple
in a "." split which is wrong for "tar." filenames. This commit
adds an exception to the prefix rule for these output filenames
and Fixes #2628
The isomd5sum tool suite is used and available on all supported
distributions except SUSE distributions, and is necessary to produce
conformant ISOs for most Linux distributions.
This change adds support for isomd5sum tool suite for kiwi, though
it does not extend the kiwi-live dracut module to use it. The upstream
dracut dmsquash-live module must be used instead.
Co-authored-by: Dan Čermák <dcermak@suse.com>
The existence of this file breaks installers on live media that
sync the full filesystem to disk and are not aware of this configuration
before generating the target system initramfs.
There are descriptions out in the wild that use "non-numeric" versions
in their descriptions, particularly without separators for splitting.
This change switches all of this to strings rather than assuming
numbers and gracefully handles the single word case.
When using --logfile, the log generated there matches the
stdout log (which without --debug, does not include any debug info).
This is in contrast to the automatically generated one in the
output directory, which always does and also not following the
way how it is documented. This Fixes #2503
The arch flag in a namedCollection was not taken into account.
This commit fixes this and also makes sure the result information
is sorted and unique like we have it for the package lists.
This Fixes #2600
When using the plain zipl bootloader kiwi created a /etc/zipl.conf
file. However, this file was only useful during image build as it
points to a loop target device and geometry but does not represent
a proper config file to be used in the running system. In addition
the different distributors provide their own version and layout
of the zipl.conf to be used inside of the system and with their
respective tools. Thus this commit changes the way how kiwi operates
in a way that the zipl.conf used in the initial image only exists
during the image build process. An eventual present /etc/zipl.conf
will not be touched by kiwi. This Fixes #2597
The former method provided a static value but there are huge
differences for the minimum size requirement of a filesystem.
For example extX is fine with 30MB whereas XFS requires 300MB.
This commit adds a more dynamic default value based on the
used filesystem.
So far 30MB was set as default volume size which is by far
too small for a number of filesystems, e.g btrfs and also XFS.
This commit increases the default volume size such that all
modern filesystems build if the default volume size is used.
Apart from testing raid this integration test also tests
a certain LVM volume setup. The test has been updated
to use the btrfs filesystem because it has the most strict
size requirements.
Make sure to run some mandatory package pre/post scripts
such that settings like /etc/passwd, a root user, etc.
exist. This action can also be done in post_bootstrap.sh
but I think it's better to do this in the core code
The kiwi repart dracut module reads a profile file and if it
does not exist it dies in the initrd. However, that profile
file is not mandatory for the main resize functionality. Thus
this commit turns this into a warning message. In addition
the module-setup for 90kiwi-repart makes sure to include
the required and optional profile files.
This Fixes bsc#1228118
kiwi's initrd modules read a .profile file which gets included
into the initrd produced at build time. To allow rebuild of a
host-only initrd from the booted system this information should
be present such that it is possible to re-use kiwi initrd code.
Usually custom files are managed by placing them as overlay
files or archives. However, overlay files must be structured
inside of a root/ subdirectory and archive files are binary
data. It is therefore not straight forward to just reference
one or more files as source files to the image description
to be placed into the image. This commit adds a new <file>
element which allows to do this. This Fixes #1953
The get_format() method allows to check which compression format
a given input stream has. This is done by calling the supported
compression tools in a row and let them check if they can deal
with the provided data or not. As a result error messages are
logged for streams that some tool doesn't understand. However,
those error messages are no errors and only the result of the
checking. This information in the kiwi log file is confusing
and several users already complained when they see information
like:
EXEC: Failed with stderr: /usr/bin/xz: ...: File format not recognized
This commit changes how the compression tooling is called in a
way that no exception is raised (which leads to the above error message)
but the result returncode is used to decide on the success or
error of the respective compression tooling.
Add new <type ... application_id="..."/> attribute to be set in
the ISO header main block. The application ID was used as identifier
in the legacy initrd code from former kiwi versions. Because of
this there is still the compat layer which sets an App ID as MBR
identifier string unless the new application_id overwrites it.
This Fixes #1810
Update the type of the Secure profile of the live image integration
test as well as the type of the simple-disk test to make use of the
eficsm="false" attribute to switch off CSM mode and test an EFI only
layout.
This integration test builds a self-install ISO image which
drops the SUSE Agama installer into a ramdisk for performing
an interactive installation procedure to test Agama
Allow to set/overwrite type section attributes via the cmdline.
Allow to set/add the release-version element via the cmdline.
This Fixes #2478 and Fixes #2588
Detaching a loop device via 'losetup -d' is an async operation.
Once the command returns the loop can still be associated with
the block special. Therefore this commit waits until the block
device got released or a timeout is hit. This Fixes #2580
On Tumbleweed several changes caused tools like strings
or the codepage for mtools to be missing in a standard
installation. For building disk images especially EFI
capable ones with vendor information kiwi needs the above
tool. This commit adds the packages providing them on
Tumbleweed to the meta systemdeps for disk images.
This Fixes #2585
Per review of the SUSE packaging team we should split out
the bash completion into its own sub-package to give users
better control over the completion feature.
On SUSE distributions, currently the expectation is that packages
built against the Python interpreter should have fully qualified
names in the form of pythonXY-<modulename>. Additionally, all other
Linux distributions prefer something similar in the form of
pythonX.Y-<modulename>.
This ensures we have those names so that distribution dependency
generation works as expected.
The optional <volume ... arch=""/> attribute allows to create
the volume only if it matches the specified host architecture.
Multiple architecture names can be specified as comma separated
list.
Forces the disk resize process on an OEM disk image.
If set, no sanity check for unpartitioned/free space
is performed and also an eventually configured
<oem-resize-once> configuration from the image description
will not be taken into account. This Fixes bsc#1224389
The call to 'losetup -d' is in fact an async operation. Once
the command returns the loop can still be associated with the
former file because it gets lazy unbound and releases later.
Prior re-use of the same loop device it is therefore required
to wait until the kernel event queue is processed.
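Added example, not kiwi's own code, for the two commit messages on this page about the asynchronous 'losetup -d': poll until the loop device is unbound or a timeout is hit before the same device is reused. It assumes the sysfs attribute loop/backing_file exists only while the device is bound; the function names and the sysfs_root parameter are hypothetical.

```python
import os
import tempfile
import threading
import time


def loop_is_bound(loop_name: str, sysfs_root: str = '/sys/block') -> bool:
    """
    True while the kernel still has a backing file attached to the loop.

    Assumption of this example: the 'loop/backing_file' sysfs attribute
    is present only while the loop device is bound.
    """
    return os.path.exists(
        os.path.join(sysfs_root, loop_name, 'loop', 'backing_file')
    )


def wait_for_loop_release(
    loop_name: str, timeout: float = 5.0, interval: float = 0.1,
    sysfs_root: str = '/sys/block'
) -> bool:
    """
    Poll until the loop device is unbound or the timeout is hit.

    Returns True if the device was released in time, False otherwise.
    Meant to run after 'losetup -d' returned and before the same loop
    device is attached to another file.
    """
    deadline = time.monotonic() + timeout
    while loop_is_bound(loop_name, sysfs_root):
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True


def demo():
    """
    Run both outcomes against a constructed sysfs tree in a temp dir:
    a device that stays bound, and one that is released lazily.
    """
    with tempfile.TemporaryDirectory() as root:
        attr_dir = os.path.join(root, 'loop0', 'loop')
        os.makedirs(attr_dir)
        backing = os.path.join(attr_dir, 'backing_file')
        open(backing, 'w').close()

        # Nothing releases the device here, so the wait times out
        stuck = wait_for_loop_release(
            'loop0', timeout=0.2, interval=0.05, sysfs_root=root
        )

        # Simulate the lazy unbind: the attribute vanishes a bit later
        timer = threading.Timer(0.2, os.remove, args=(backing,))
        timer.start()
        released = wait_for_loop_release(
            'loop0', timeout=3.0, interval=0.05, sysfs_root=root
        )
        timer.join()
        return stuck, released


if __name__ == '__main__':
    print(demo())
```

A caller that gets False back should stop with an error instead of attaching a new file to a device that may still point at the old one.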
When specifying a repository element with imageinclude="true",
kiwi permanently adds the repo file inside of the image.
The distribution standard path is used to store the repo
file in this case. With dnf a package manager exists that is
primarily used on Fedora and RHEL systems. Thus the standard
path for the repo files is set to "/etc/yum.repos.d".
However, dnf can also be used for other rpm based distributions
e.g SUSE. On such a system the default path does not exist
or is different because another package manager is the
default. This commit makes sure that the expected path is
created prior adding any repo files.
When kiwi calls the bootloader config and installation modules
several files get created as unlabeled_t because the labeling
happened earlier. This commit ensures that setfiles gets called
after BootLoaderConfig and/or BootLoaderInstall has done its
job. This Fixes #2568
If there are script evaluations that do not specify
an interpreter, kiwi uses bash for it. The same applies
for sub-process invocations using shell pipelines. Thus
the bash shell is a required tool for kiwi under certain
circumstances. Further details in Issue #2567
The strings command is used to lookup the in-efi binary encoded
vendor path. However, if the strings or bash command is not available
on the build host, the command silently failed and moved into the
standard (non vendored) EFI boot path. This can lead to a broken
boot for those distros and image targets which require a vendor
directory and should lead to an error message instead of a
successful image build. This Fixes #2565
It's allowed to have multiple preferences sections. If those
sections provide the same value multiple times, e.g keytable,
the last one in the row will win. The setup of the variables
in .profile environment file for the preferences elements is
not following this rule and used the first section not the
last. This commit fixes the profile variables to match the
actual setup and Fixes #2560
By default kiwi stops plymouth if present and active in the
initrd. Setting rd.kiwi.allow_plymouth will keep plymouth
active in the initrd including all effects that might have
to the available consoles. This is related to bsc#1214824
isconsole was provided with the dropped kiwi-tools package.
It was a simple C application that checked the capabilities
of the current console. In the context of fbiterm it was just
used to provide proper error messages which fbiterm on its
own did not show. As also fbiterm is on its way to become
obsolete and isconsole is already no longer present, it's ok
to just drop that extra check and therefore keep the fbiterm
mode functional if one manages to include fbiterm and its
fonts into the initrd
The standard bootloader interface class provided a method
named write_meta_data which is expected to be implemented
in the specialized bootloader implementation. For BLS
bootloaders this method was missing in the BLS base class.
write_meta_data can provide additional cmdline options
for booting. If not covered some boot options might be
missing. This patch fixes it
The BootLoaderConfigGrub2 class has methods to fix the grub-mkconfig
generated files. It does that by mounting the system and changing the
respective files after the mkconfig call. However, after the change
the class instance stays open in combination with BootLoaderInstallGrub2
instance which itself under certain circumstances also mounts the
system to call grub-install. At the time grub-install is called it
cannot be guaranteed that all changes have been written unless an
explicit umount in the BootLoaderConfigGrub2 class instance happened.
This commit addresses the potential race condition.
This ensures that stuff is applied reliably and all sources and patches
are included as expected.
Then the added kiwi-revert-bls-default-for-suse.patch is applied
conditionally for SUSE distributions.
The "defaults" in `use_default_location` here are the dnf4
defaults, not the dnf5 defaults, so let's update them. Also, for
dnf5, we need to set `system_cachedir` instead of `cachedir` -
see https://dnf5.readthedocs.io/en/latest/misc/caching.7.html ,
`system_cachedir` is the cache location used when running as
root, `cachedir` is the cache location used when running as a
regular user.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The sdist tarball produced by poetry build does not include
all files and skipped symlinks in test/data. This caused the
unit test run to fail if called from within that sources
Since commit 8aa517eb7 it is necessary to call
_mount_device_and_volumes() prior making any modifications
to boot files. In addition handle potential errors
from the grub.cfg modification better.
Allow to specify the stopsignal via the containerconfig
element as the following example shows
    <type image="docker">
        <containerconfig ...>
            <stopsignal>SIGINT</stopsignal>
        </containerconfig>
    </type>
This Fixes #2543
The change to introduce the bls parameter broke backward compatibility
with all existing kiwi descriptions for distributions that default to BLS.
This fixes that by allowing the unset state to be equivalent to enabling it.
Fixes: 8a8190098c
When building an encrypted image, the bundler never compressed
the result. This overwrite from the runtime configuration and
the default compression setting actually only makes sense when
the image is randomized because only then a compression is
for sure useless. This Fixes #2540
lsblk without the sorting option can provide the list
of devices in different order. This patch makes sure
lsblk sorts the output by the device name.
This Fixes bsc#1223374
Make sure the value passed for luks_randomize in the description
becomes effective. It was not possible to switch off luks_randomize
because any "not" value was turned into a true value. The actual
default should therefore only apply in case luks_randomize is
not specified at all which means only a None value will turn
into a true value for this setting.
dnf5 does not implement `dnf autoremove <package>` as a synonym
for `--setopt=clean_requirements_on_remove=true remove <package>`
as dnf4 did. So, we should do it this way instead.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The efifatimagesize attribute type value is set to "oem" but the documentation says
that it is intended to be also used for creating ISO images. This causes a schema error
when this attribute is set on a profile with type "iso" and blocks changing the EFI
boot image size which is a problem if the image is bigger than 20M. This commit
allows to specify the attribute also for the "iso" type
When using a custom bundle_format the kiwi result bundler renames
the output files to match the bundle_format. However, if there are
output files that references other output files, for example the
vmware binary (.vmdk) in the guest config file (.vmx) then this
renaming breaks those result files. This patch adds a reference
file check for all non binary output files if they contain a
reference to another output file and updates the data accordingly.
This Fixes bsc#1221790
Unfortunately the packaging of kiwi on Debian follows different
naming conventions for dracut module packages which causes
the runtime check to fail. This commit allows to check for
multiple package names and adds the variants used on Debian.
This Fixes #2524
For setting up the read-only property an extra mount of the
btrfs sub-volumes was issued. However, all volumes are mounted
at that time. Thus it's not required to mount them again, resulting
in a busy state because of the auto-snapshot mounts which do
not get umounted and keep a busy state until the lazy umount
kicks in. This Fixes #2529
kiwi files using a schema version < 7.4 are no longer supported
by kiwi >= v10.x.x. Thus this commit provides the required
XSL stylesheets to upgrade older schemas to v74 such that they
can be consumed by the latest kiwi version. The needed xsltproc
instruction is placed on the main page of the documentation.
Make sure to wait for the event queue to become empty after
the creation of the write partition. When kiwi calls the
code to create the write partition this emits new udev events.
It's important to wait for the event queue to become empty
to avoid a potential regression on the use of the device nodes.
In the processing of the events it can happen that a device
gets removed and re-added. If we don't wait for udev
to process the entire queue it can happen that the
wrong block device is used. This wrong selection is only
possible because the way how hybrid ISOs are designed exposes
both, the disk and the partition for the root device with
the same label. This Fixes bsc#1213595
In the setup case that btrfs is used for the system and
the root partition is on a custom named volume (not /),
this information was not passed to the zipl bootloader
instance and this caused the mounting of the overall
root system to fail. This commit fixes it
So far the <ignore> stanza was only effective when placed
as part of the type="image" packages section. This commit
allows to place it also to the type="bootstrap" packages.
This Fixes #2499
The bundle format is usually specified as part of the image
description in the bundle_format attribute. This commit also
allows to specify/overwrite the bundle format in the kiwi
result bundle command via the new --bundle-format option.
This Fixes #2509
Using an arbitrary list of rpm packages as repository is a zypper
only feature, barely tested and from our pov not really needed
as a simple createrepo call turns any custom list of packages
into a clean rpm-md repo including metadata. This commit drops
rpm-dir from the list of allowed repository types and auto
converts those image descriptions which make use of it. Please
note this does not prevent users from using flat package
directories with zypper, because the type argument in the
repository section is an optional attribute. In case there is
no type specification zypper auto-detects and handles the data
as it handles it. This Fixes #1926
Check if there is already an entry file name produced by the
distribution logic/policy. If we can find an already present
entry name, prefer this name over the kiwi naming policy
The support for delta_root allows to build a delta container
image from a given base container. Due to the refactoring of
the kiwi code base using context managers no explicit deletion
of instances happens anymore. This uncovered a weakness of
the delta root code at the level of the overlay mount. At
the time of the umount there are still active temporary
mount handlers which keep the mountpoint busy. In order to
fix this properly also the PackageManager factory is now
a context manager and the Repository factory received a
cleanup method which is called when the PackageManager goes
out of scope. This refactoring also fixes the busy state
when building deltas
To ensure our trick to switch between docopt and docopt-ng works,
we need to have a higher minimum version for docopt-ng where
compatibility with the original docopt was restored.
Publishing to pypi is done via pypa/gh-action-pypi-publish
and the respective auth token. Calling poetry publish does
not work because this is not authorized
kiwi called systemd-cryptsetup directly which does not take
the settings available in /etc/crypttab into account. This
commit changes the activation procedure in a way that the
generator created unit file systemd-cryptsetup@... is used
This Fixes bsc#1219009
Change the DiskFormat Factory to be a context manager.
All code using DiskFormat was updated to the following
with statement:
    with DiskFormat(...).new as disk_format:
        disk_format.some_member()
This is related to Issue #2412
If no console setting is done in the image description for grub
the default output console is set to: gfxterm and the default
input console is set to: console. This Fixes bsc#1219074
An instance of CommandCapabilities allows to check for specific
options of a command. If the parsing of options has failed a
warning message is created by default. Under certain circumstances
like the check for the --help option of setfiles, such a warning
message can be misleading information in the build log file.
Therefore the new silent flag allows to suppress the warning
message and the flag is used for the capabilities of the
setfiles utility. This Fixes #2350
Change the SystemPrepare class to context manager.
All code using SystemPrepare was updated to the following
with statement:
    with SystemPrepare(...) as system_prepare:
        system_prepare.some_member()
This completes the refactoring from finalizers to
context managers and Fixes #2412
Actually the real issue to this defect seems to live in the
anymarkup source code. It seems that the import of xmltodict
at the beginning of the core module is optional, but later on
when handling XML xmltodict seems to be mandatory, see here:
https://github.com/bkabrda/anymarkup-core/blob/08896a8215819edcc413e3f25885180469a4c2ed/anymarkup_core/__init__.py#L210-L229. Because this
issue can result in an "ImportError: Can't parse xml: xmltodict not installed"
turning kiwi into a bad exit condition I propose to add
this python requirement to the kiwi spec as a workaround and
try fixing the anymarkup packaging and module setup upstream
in addition. To my knowledge all relevant distributions
provide xmltodict
Change the Repository Factory to be a context manager.
All code using Repository was updated to the following
with statement:
    with Repository(...).new as repo:
        repo.some_member()
This is related to Issue #2412
Using rd.kiwi.term will export the TERM variable into the initrd
environment. In case the default value for the terminal emulation
is not appropriate rd.kiwi.term can be used to overwrite the default.
The environment is also passed to the systemd unit which calls
dialog based programs in kiwi dracut code, such that the TERM
setting will be effective there too. For example:
    rd.kiwi.term=vt100
This is related to bsc#1218095
Change the VolumeManager Factory to be a context manager.
All code using VolumeManager was updated to the following
with statement:
    with VolumeManager(...).new as volume_manager:
        volume_manager.some_member()
This is related to Issue #2412
If specified oem-shutdown caused a reboot -f -p which is
a powerdown but not a graceful shutdown. This commit fixes
this by using systemctl halt for a clean shutdown.
This Fixes #2474
There is code that sends a SIGTERM to the process in case
there is no error code information. I believe in this case
sending SIGTERM will not kill the process (defunct) and I
also don't see in what good condition we would be entering
this state.
Command.run() currently has a bit of a confusing behavior: if raise_on_error is
False and the executable is not found, then a weird CommandT is returned (return
code is -1 and stdout+stderr is None). This makes it possible to handle command
not found errors separately, but it makes that needlessly verbose. So instead,
let's just return None in *this* special case.
That in turn uncovered, that in most cases when we set `raise_on_error=True`, we
actually want an error if the command is not present but no error if the command
fails to execute (e.g. because it returns -1 if you run `$cmd --version`). Hence we
introduce the flag `raise_on_command_not_found`, which causes an exception to
be raised if the command is not found. This makes it independent of the
`raise_on_error` flag.
Additionally, we add a small optimization: if command starts with /, then we
assume it's a full path and we omit the call to which (and just check whether it
exists).
Co-authored-by: Marcus Schäfer <marcus.schaefer@gmail.com>
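Added sketch of the flag semantics described in the commit message above, so that a missing tool is reported separately from a failing one and an absolute path skips the PATH lookup. This is not kiwi's Command class; run, resolve, probe_version, CommandResult, CommandNotFound and CommandFailed are hypothetical names, and the default flag values are a choice of this example.

```python
import os
import shutil
import subprocess
import sys
from typing import NamedTuple, Optional, Sequence


class CommandResult(NamedTuple):
    output: str
    error: str
    returncode: int


class CommandNotFound(Exception):
    """The executable does not exist or is not executable."""


class CommandFailed(Exception):
    """The executable ran and returned a non-zero exit code."""


def resolve(executable: str) -> Optional[str]:
    """Return the path to run, or None if the executable is missing."""
    if executable.startswith('/'):
        # Absolute path: no PATH search, only check that it can be run
        if os.path.isfile(executable) and os.access(executable, os.X_OK):
            return executable
        return None
    return shutil.which(executable)


def run(
    command: Sequence[str],
    raise_on_error: bool = True,
    raise_on_command_not_found: bool = False
) -> Optional[CommandResult]:
    """
    Run a command without a shell.

    A missing executable raises CommandNotFound if either flag is set
    and returns None otherwise. A non-zero exit code raises
    CommandFailed only if raise_on_error is set.
    """
    path = resolve(command[0])
    if path is None:
        if raise_on_error or raise_on_command_not_found:
            raise CommandNotFound(f'{command[0]}: command not found')
        return None
    proc = subprocess.run(
        [path, *command[1:]], capture_output=True, text=True, check=False
    )
    if proc.returncode != 0 and raise_on_error:
        raise CommandFailed(
            f'{path}: exit code {proc.returncode}: {proc.stderr.strip()}'
        )
    return CommandResult(proc.stdout, proc.stderr, proc.returncode)


def probe_version(tool: str) -> str:
    """
    Typical caller for the new flag: the tool must exist, but the exit
    code of '--version' is not trusted to be zero.
    """
    result = run(
        [tool, '--version'],
        raise_on_error=False, raise_on_command_not_found=True
    )
    return (result.output or result.error).strip()


if __name__ == '__main__':
    # The running interpreter serves as a tool that is known to exist
    print(probe_version(sys.executable))
    print(run(['/nonexistent/example-tool'], raise_on_error=False))
```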
Change the ImageSystem class to context manager.
All code using ImageSystem was updated to the following
with statement:
    with ImageSystem(...) as image_system:
        image_system.some_member()
This is related to Issue #2412
If we cherry-pick from main to master the compliance check
will notice that a commit already exists. This is not an error
and we can allow to continue the picking via --allow-empty
This commit includes partprobe, in addition to parted, on
s390 based systems. Otherwise partx is used and apparently
it does not properly support s390.
Fixes bsc#1219798
Signed-off-by: David Cassany <david@localhost.localdomain>
With Sphinx >= 6.0.0, jQuery is no longer included but the rtd theme's search
functionality needs it. The theme was changed to load sphinxcontrib-jquery
automatically with https://github.com/readthedocs/sphinx_rtd_theme/pull/1399,
but kiwi broke this fix by loading the theme in the wrong way.
Now that the theme is loaded properly, the search functionality also works
with newer versions of sphinx again and the version pinning can be lifted.
This Fixes: #2462
Allow specifying the filesystem for live image, also direct squashfs
By setting <type image="iso" filesystem="FSTYPE" .../> it's now possible
to specify the filesystem used for live images. By using "squashfs", the
rootfs container is skipped entirely.
If there is the file /.profile.extra available in the
initrd, kiwi will import this additional environment file
after the import of the standard /.profile file.
This is related to bsc#1218095
Change the OCI Factory to be a context manager.
All code using OCI was updated to the following
with statement:
    with OCI(...).new as oci:
        oci.some_member()
This is related to Issue #2412
When setting up the UUID for a btrfs filesystem via btrfstune
it could happen that the call becomes interactive asking
a question and give a recommendation. All this is unwanted
and can be forced via the -f switch. This Fixes #2456
In case no bootloader implementation by kiwi should be
used, users can specify the bootloader="custom" attribute.
Instead of skipping the bootloader stage in the builders
it is better to consistently create an instance of bootloader
but raise if a method of the bootloader interface is called
for which the custom bootloader has no implementation. This
commit adds the consistency bits.
Due to the refactor of BootLoaderConfig into context managers
we had two instances of BootLoaderConfig. However, the first
instance holds data the second instance needs which caused an
issue. This commit makes sure there is one BootLoaderInstance
within the lifetime of required services
The kiwi.pdf file as provided in the kiwi-man-pages package
was never really used by our users but comes with a huge
dependency chain to LaTeX. We provide the documentation
online as well as converted to DocBook from where all other
formats could be derived. Thus there is no need for us to
produce an extra PDF document which is imho never consulted.
In addition to this change also the contributing chapter has
been reworked. Due to recent changes and drop of obsolete
components from kiwi as well as the effort to move the development
setup to poetry, there is only one non python tool needed
for the development of kiwi. The check for this tool has been
moved into the Makefile and all other checks formerly done
in the helper/install_devel_packages script were deleted.
For building custom initrd images kiwi provided some
optional helper tools. All these C written tools are
old and outdated and either not useful anymore or
replaced by other tools that are part of the distribution
matrix we support. Thus with the move to the next
major release those can go away. This also includes the
package kiwi-tools which was used to provide them
Change the RaidDevice, LuksDevice and IntegrityDevice classes
to context manager:
    with RaidDevice(...) as raid:
        raid.some_member()
    with LuksDevice(...) as luks:
        luks.some_member()
    with IntegrityDevice(...) as integrity:
        integrity.some_member()
In the context of the disk builder an ExitStack is used to
handle the new context manager based classes
This is related to Issue #2412
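Added example, not kiwi's disk builder, of why an ExitStack fits optional storage layers: each layer that is actually used is entered on the stack and all of them are closed in reverse order, also when a later layer fails. StorageLayer and build_disk are hypothetical stand-ins for the device classes named above, and the layer order is a choice of this example.

```python
from contextlib import ExitStack
from typing import List, Tuple


class StorageLayer:
    """Stand-in for a device class used as a context manager."""

    def __init__(
        self, name: str, events: List[str], fail_on_create: bool = False
    ) -> None:
        self.name = name
        self.events = events
        self.fail_on_create = fail_on_create

    def __enter__(self) -> 'StorageLayer':
        self.events.append(f'enter {self.name}')
        return self

    def create(self) -> None:
        if self.fail_on_create:
            raise RuntimeError(f'{self.name}: setup failed')
        self.events.append(f'create {self.name}')

    def __exit__(self, exc_type, exc_value, traceback) -> bool:
        # Cleanup runs on success and on error; the error is not swallowed
        self.events.append(f'exit {self.name}')
        return False


def build_disk(
    events: List[str], raid: bool = False, luks: bool = False,
    failing_layer: str = ''
) -> None:
    """
    Stack only the layers that are requested. Nested with statements
    cannot express this because the set of layers is decided at runtime.
    """
    with ExitStack() as stack:
        for name, wanted in (('raid', raid), ('luks', luks)):
            if not wanted:
                continue
            layer = stack.enter_context(
                StorageLayer(name, events, name == failing_layer)
            )
            layer.create()
        events.append('write image')
    # Leaving the block released every entered layer, last one first


def successful_build() -> List[str]:
    events: List[str] = []
    build_disk(events, raid=True, luks=True)
    return events


def failed_build() -> Tuple[List[str], bool]:
    events: List[str] = []
    try:
        build_disk(events, raid=True, luks=True, failing_layer='luks')
    except RuntimeError:
        return events, True
    return events, False


if __name__ == '__main__':
    print(successful_build())
    print(failed_build())
```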
For ova support kiwi still uses the proprietary ovftool
from VMware. The error message if the tool could not be
found was broken and the link to the VMware page was also
outdated.
The integration test build also encrypts /boot which requires
grub to open the LUKS pool using cryptomount. grub does not support
the argonID salted password hashes. Thus the integration test
description configures pbkdf2 instead
Change the Disk class to be a context manager.
All code using Disk was updated to the following
with statement:
    with Disk(...) as disk:
        disk.some_member()
This is related to Issue #2412
When constructing a BootLoaderConfig instance only pass
arguments appropriate to the selected bootloader. It does
not hurt but it is bad style and unnecessary data and
code points if e.g grub relevant information is passed
when we actually setup systemd-boot
SYSLINUX has been abandoned for several years now, and it does not
even work with modern versions of the filesystems supported in kiwi.
This commit drops it and Fixes #2433
Change the BootLoaderConfig class to be a context manager.
All code using BootLoaderConfig was updated to the following
with statement:
    with BootLoaderConfig.new(...) as bootloader_config:
        bootloader_config.some_member()
This is related to Issue #2412
In preparation to further context manager related changes
in VolumeManager, LuksDevice, RaidDevice and more the
disk builder code which uses these classes needs to be
refactored beforehand to allow switching to context
manager based cascading of the storage device classes.
This commit does the refactoring and is related to
Issue #2412
Sometime between GRUB 2.04 and GRUB 2.06, it became no longer
necessary to use "linuxefi"+"initrdefi" for UEFI boot. The
standard "linux"+"initrd" stanzas work for both legacy BIOS boot
and modern UEFI boot.
Some distributions no longer support "linuxefi"+"initrdefi" at all
anymore, so let's just use "linux"+"initrd" for everything now.
Use proper Union declaration for system variable and add
consistency layer into Filesystem/VolumeManager classes to
meet the type declaration as well as to simplify further
refactoring on these classes
systemd-boot tools like kernel-install expect a certain
entry naming policy. This commit adapts kiwi to adapt to
this policy. The name for the default entry is constructed
out of the ID information from /etc/os-release followed
by the name of the kernel as it is represented by the
directory name in /lib/modules/... This Fixes #2417
Change the FileSystem class to be a context manager. All code using
FileSystem was updated to the following with statement:
    with FileSystem.new(...) as filesystem:
        filesystem.some_member()
This is related to Issue #2412
The archlinux integration test used a custom iso boot
template which still contained the terminal_setup variable.
This commit fixed the template to use the new terminal_input
and terminal_output variables
Change the LoopDevice class to be a context manager.
All code using LoopDevice was updated to the following
with statement:
    with LoopDevice(...) as loop_provider:
        loop_provider.some_member()
This is related to Issue #2412
With the switch to schema v8.x we allow for non compatible
changes in regards to the v7.x stream. Thus this commit also
deletes the support for clicfs from the schema
clicfs was a fuse userspace implementation of an overlay
filesystem. Since overlayfs became the default overlay filesystem
there is no reason for kiwi to keep the clicfs support
We were relying on the repos being parsed from the kiwi description but this can
cause problems and gives us less flexibility when it comes to fixing repository
setup issues.
This fixes https://github.com/OSInside/kiwi/issues/2335
name: 'Mark stale issues and PRs with the stale label'
on:
  schedule:
    - cron: '30 1 * * *'
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. stale label was set.'
          stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed as part of the community meeting.'