SUSE-RU-2025:20512-1: moderate: Recommended update for python-kiwi
SLE-UPDATES
null at suse.de
Mon Aug 4 08:33:20 UTC 2025
# Recommended update for python-kiwi
Announcement ID: SUSE-RU-2025:20512-1
Release Date: 2025-07-29T08:22:51Z
Rating: moderate
References:
* bsc#1242987
* bsc#1244668
* bsc#1245190
Affected Products:
* SUSE Linux Micro 6.0
* SUSE Linux Micro Extras 6.0
An update that has three fixes can now be installed.
## Description:
This update for python-kiwi fixes the following issues:
Bump version: 10.2.28 → 10.2.29:
* Fix return from repart stage
If we return from the repart stage it's important to wait for the root device to
appear. This is because the device setup from udev might still be held back due
to a former lock on the device. This means if we return fast after locking for
example when check_repart_possible() quickly finds out that it's not possible,
then udev has not yet got the time to create the device nodes. This Fixes #2863
* Bump version: 10.2.27 → 10.2.28
* Fix dracut code to be POSIX compliant
The redirect type "< <(...)" is not POSIX compliant and leads to a syntax error
in dracut which calls bash as "sh" leading it to be restricted to POSIX only
* Extend test-image-lvm integration test
For testing a bit more complex resize procedure, update the lvm integration test
to run more resize actions with required device locking
* Apply proper udev locking
Several commands during repart, resize and other actions require a proper lock
to be set for udev such that other events know about the locked state of a
device and do not mess with it until the command for which the lock persists has
completed. This commit applies proper udev locks to all commands that require
it. In addition incorrect code that was expected to prevent such race conditions
got dropped from the implementation. This is related to bsc#1242987
* relocate GPT at the end of disk using sfdisk
Using sfdisk for relocation and verification makes this part more consistent. We
also want to move away from gdisk. This is related to #2851
* Do not strictly require config.partids in repart
The kiwi-repart implementation requires a metadata file named config.partids
which holds information about partition ids and more stored at the time the
image was built. Depending on the complexity of the image and the resize request
some of the information can be rebuilt in case the metadata file is missing.
This commit adds the rebuild of the minimum required information to run a
standard resize and therefore allows the kiwi-repart dracut module to work also
without config.partids to be present in the system
* Do not drop /config.partids
The partition id metadata file is used in the kiwi-repart module. If a user
wants to use the kiwi repart module permanently, this metadata file needs to
stay in the system. Therefore it should not be automatically deleted by the
cleanup. A disk.sh hook script can be used to force the deletion of the file
though. This is related to #2851
* Fix centos/test-image-live-disk-v10
There is no package named iprutils
* Fix centos/test-image-live-disk-v10
Update package names
* Added centos/test-image-live-disk-v10 build test
* Fix tumbleweed/test-image-gce integration test
Drop obsolete growpart
* Followup fix to support older apt versions for bootstrap
There are apt versions that do not create missing state files. Make sure the
intermediate bootstrap state file is created in any case. This Fixes #2857
* Fixed integration test builds
Next round of fixes for integration tests. Missing or wrong service activations
* Fix arm/tumbleweed/test-image-rpi
Fix snapper setup for this integration test
* Fixed test-image-live-disk
Added missing openssh-server package
* Fixed test-image-azure
Add missing python-azure-agent-config-default package
* Fixed debian integration test builds
secure shell service is named ssh and not sshd there
* Fixed integration test builds
Second round of fixes for integration tests. Again errors now became visible due
to the refactoring of the script code
* Fixed integration test builds
Errors from scripts were no longer ignored due to the last cleanup of the
integration test script code. This commit fixes the now exposed build errors
* Fix check_target_dir_on_unsupported_filesystem
Find the first existing path in the target path and check the filesystem
capabilities for this path. This Fixes #2858
* Cleanup integration tests config.sh script code
Add script code to shellcheck and fix all reported issues. Get rid of suseXX and
baseXX methods as much as possible. Add set -ex for all script code. Do not
allow any script code to fail.
* defaults: Add patterns for shim/grub2 on riscv64
A recent commit changed the way these are looked up and accidentally broke image
building on riscv64, with
KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found
now being raised for kiwi recipes that worked just fine before that moment.
* Add SLFO test-image-disk-simple integration test
Add simple disk test and allow for testing the new transparent container idea
for the aws toolchain. Also add SLFO builds to the helper script
* Fixed check for unallocated space on disk
So far the check for unallocated space was only working for GPT and there it was
also not really stable. The check was based on verifying if the backup GPT table
is really at the end of the disk. Depending on which tool was used to dump the
image on the target this "mistake" often got corrected by the tools that dumped
the image. In this case the check no longer worked. This commit improves the
check by another test which looks for the real free bytes on disk compared to
the current partition geometry.
* Move to neutral directory for calling osc
When calling the helper/build_status.sh script to get an overview about the
results of the integration tests, there is a stupid new behavior from the osc
tool that it assumes a package name according to the name of the directory you
are in probably connected to the fact that the data in this directory is a git
checkout or some other strange assumption. This commit moves to a neutral
directory where none of the osc internal assumptions applies and it just does
what it should do... showing results of the given project.
* Bump version: 10.2.26 → 10.2.27
* Fix regression in get_partition_node_name
backwards compat for lsblk before 2.38 if START column not supported, fall back
to default sort
* Add global option --setenv
Allow to set environment variables in the caller environment via the
commandline, e.g. --setenv SOURCE_DATE_EPOCH=42
* Seed filesystem UUIDs with SOURCE_DATE_EPOCH
For reproducible builds the calculation of the filesystem UUID should be
persistent with each rebuild of the image. To achieve this the UUID is
calculated using the SOURCE_DATE_EPOCH from the environment plus a char-number
representation of the filesystem label name as random seed. In kiwi every
filesystem is created with a label, thus only in case there is no
SOURCE_DATE_EPOCH available we continue to create the UUID as random data. This
Fixes #2761
* Add label attribute for <partition> section
Allow to specify a filesystem label as part of a <partition> definition. So far
the label was set by the name of the partition. With the new label attribute, a
filesystem label different from the partition name can be set. This commit also
updates/fixes the documentation in this regard.
* Improve log message in SystemIdentifier
Add some scope information such that we know where this log information
originates from.
* Add rd.kiwi.install.devicepersistency
Allow to specify which type of persistent device name should be used to build up
the list of installation disk devices. For example
rd.kiwi.install.devicepersistency=by-path would use the by-path representations
for the available disk devices. The default (by-id) stays untouched. In case an
invalid or not present device representation is selected, kiwi falls back to the
non persistent unix node names.
* Update test-image-disk
Add NetworkManager for better remote debugging capabilities
* Make mbr-id deterministic
Log the value of SDE so it is available to review, even if the build system does
not tell about it.
Update the tests to cover the new code-path.
* Ensure dracut initrd is reproducible
This helps a bit with issue #2358
Add reproducible flag for UKI too
Update tests accordingly
* Bump version: 10.2.25 → 10.2.26
* Add kernel parameter support for dm-verity options
Implement rd.kiwi.verity_options= parameter to allow runtime customization of
veritysetup options
* Fix shim lookup for arm on SUSE
Add missing search path for shim binary on arm based SUSE systems. Also update
the tumbleweed/test-image-live-disk integration test for arm to build with
secure boot enabled to actually test a secure boot enabled ISO build. This Fixes
#2842
* Add container_import template test
* Fixed get_partition_node_name
The function get_partition_node_name takes the disk device and the partition
index as arguments to match against the respective device node for this
partition index. The partition index is the position of the partition in the
partition table according to their start offset. For the code to function
properly it is required that the list of partitions provided by lsblk is ordered
according to the start address of the partitions in the table. The way lsblk was
called did not enforce this ordering. This commit enforces the order to be done
against the start offset and fixes bsc#1245190
* Add support for container-snap as a container-image engine
With this commit, we can now pre-load images using container-snap directly
during the kiwi image build
* Update test-image-MicroOS for local build
Fix bootstrap setup such that micro-os patterns can resolve
* Fix logging of stderr data in command calls
The stderr data was presented as one blob without line breaks. Hard to read and
smells like a bug. This commit fixes the output to become readable
* Update test-image-MicroOS/disk.sh
Add a findmnt for / to check if there is a proper root device reference
* Fix mount system for root_is_snapper_snapshot
If root is a snapper snapshot we have to tell the chroot a proper root mount
point which can be achieved by a bind mount pointing to itself. This Fixes
bsc#1244668
* There is no shim for aarch64 on SUSE
Fix integration test for standard EFI (no secure boot) setup on arm
* Add driver configuration support for dracut initrd
Add support for specifying kernel drivers to be included or omitted in the
dracut initrd configuration. This extends the existing dracut configuration
capabilities like in the following example
<initrd action="add"> <dracut driver="erofs"/> </initrd>
* Fixed rootfs size calculation with spare part
In case a spare_part setup is combined with the root_clone feature, the size
calculation for the rootfs did not take the cloning into account and led to the
wrong value. In addition when requesting the spare part to be last and no size
information was given, the partition was not created at all. This commit fixes
both defects and Fixes #2831
* Add dependency for isomd5sum for iso images and set in kiwi-settings
This ensures that isomd5sum is pulled into the environment for ISO image builds,
and the updated settings make it so that kiwi boxes will use it.
* Allow /boot to be a btrfs subvolume
In a btrfs based design, allow to put /boot as subvolume. This required a small
fix in the mount order in a way that boot/efi gets mounted after the subvolume
mounts are done. The respective integration test has been updated to test this
functionality. This Fixes #2824
* Use f-strings where feasible
This is a slightly shorter and easier to read syntax
* Allow multiple EFI arch binaries/modules
Allow to lookup and include EFI binaries/modules for multiple architectures.
For testing the integration test in rawhide/test-image-live-disk has been
adapted accordingly to install 32bit and 64bit EFI binaries. This Fixes #2822
* Log warning message for disabled runtime checks
Complete type hints for RuntimeConfig class and log a warning message for each
disabled runtime check
* Fix static type argument int vs. str
* Move it inside the context that actually uses it
also rename it to "supported" as that seems to more closely match what it resembles
* Add overlayfs as supporting xattr/ACLs as well
* Fix disk_type validation for zipl loader
If the targettype is set to GPT in combination with plain zipl as loader, the
code to validate the targettype against the targetgeometry was not effective and
zipl failed. This Fixes #2821
* Fixup overlay unit enablement
* Fixup overlay mount dependencies
* Update test-image-overlayroot integration test
Use proper systemd mount units to setup the custom overlay. The handling of
fstab entries by systemd is limited and should be better handled by self managed
mount units
* Use proper mount units for overlay setup
Instead of manual mounting create a proper systemd mount unit. This allows to
manage mount dependencies and the order of nested mounts in a clean way
* Cleanup build metadata
Make sure the final image rootfs does not contain unneeded metadata files used
during build time. The respective cleanup call is performed after the root sync
and after all initrd/boot processing has been done. This is because up to that
point it's still possible that the information is required. This means when
building images with a read-only rootfs, it might not be possible that the
metadata can be deleted due to a chicken&egg situation. Furthermore the cleanup
is applied to the disk builder only as other builders do not really suffer from
this data and for the container builder the metadata can also be used for the
stackbuild feature when building images derived from containers. This Fixes
#2668
* Update overlay integration test for partial write
Update the sdboot_uki_verity_erofs profile of the test-image-overlayroot
integration test with a custom fstab example to overlay only parts of the system
for writing. This Fixes #2815
* bootloader setup without overlay write partition
If overlayroot_write_partition="false" is set, no system indicator was stored.
This causes the bootloader setup to be skipped completely which is not required
for e.g. systemd-boot.
* Make sure to create overlay directories
Create overlay directories even if rd.root.overlay.readonly is set. This allows
individual fstab overlay mounts to be performed
* Fixed rd.root.overlay.readonly overlay mode
When booting an overlayroot image with rd.root.overlay.readonly set, the system
will boot with only the read-only root mounted. There was a bug in the dracut
code which prevented this mount from succeeding when the read-only rootfs is
different from squashfs. This commit changes the mount to be a simple bind
mount, independent of the origin filesystem. This works because the read-only
mount is performed in the dracut overlay code anyway. This is related to Issue
#2815
* The way we build debs requires setuptools
debbuild doesn't work when setuptools is not there
* Drop use of setuptools
Since we moved to poetry and no code is using setuptools anymore, this requirement
can be dropped. The commit also updates the plugin documentation which was still
based on setup.py
* Update live boot remote boot features
Like the upstream module also support the root=live:http://... remote boot
options. The kiwi-live dracut module is scheduled to become obsolete, but it's
still in use and should support remote boot not only for AoE. As we got more
issue reports than working AoE remote boot success, this commit also updates the
documentation and switches to the capabilities of this PR.
* Add UKI support for the grub bootloader
In addition to systemd_boot also add support for UKI creation when grub is used.
This includes the creation of a UKI image via dracut in the same way as it's
done for systemd_boot. In addition an earlyboot grub script chainloads the UKI
and bypasses any written grub configuration. In theory this should also allow to
use the shim loader for chainloading an UKI. However I haven't done testing in
this direction and I also expect security issues with this approach because
loading any non signed data by shim is not expected to work. A new profile named
grub_uki_verity_erofs has been added to the integration test that experiments
with UKIs
* Add support for <initrd> section as part of <type>
Extend scope and content of the <initrd> section to be allowed as part of the
<type> section. This allows to specify custom call options and modules for the
dracut tool. In particular this commit implements support for passing the uefi
option to dracut to enable building an UKI EFI binary as follows:
<initrd action="setup"> <dracut uefi="true"/> </initrd>
This Fixes #2809 and Fixes #2408
* Fix systemd-boot loader setup
To make sure only loader entries from /boot/efi/loader/entries kiwi deleted
eventually existing entry files from /boot/loader. However that is a problem for
read-only systems and should actually also not be performed by kiwi. This Fixes
#2805
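The "Seed filesystem UUIDs with SOURCE_DATE_EPOCH" entry above describes deriving the UUID from the epoch plus a char-number representation of the filesystem label, so that independent rebuilds of an image can be compared bit for bit. The following is an added example of that idea, not kiwi's own code: the function names and the exact seed encoding (decimal code points appended to the epoch) are assumptions.

```python
import os
import random
import uuid


def label_seed(label: str) -> str:
    """Char-number representation of a label (assumed: code points, concatenated)."""
    return "".join(str(ord(char)) for char in label)


def filesystem_uuid(label: str, environ=None) -> str:
    """Return the UUID for the filesystem that carries `label`.

    With SOURCE_DATE_EPOCH set the result is reproducible across rebuilds;
    without it the UUID is random data, as the changelog entry describes.
    """
    environ = os.environ if environ is None else environ
    epoch = environ.get("SOURCE_DATE_EPOCH", "").strip()
    if not epoch:
        return str(uuid.uuid4())
    if not (epoch.isascii() and epoch.isdigit()):
        # A malformed epoch should stop the build rather than silently
        # produce a random, non-reproducible UUID.
        raise ValueError(f"SOURCE_DATE_EPOCH is not an integer: {epoch!r}")
    # Use a private generator: seeding the module-level one would make every
    # other random value drawn in the same process predictable as well.
    rng = random.Random(int(epoch + label_seed(label)))
    # version=4 stamps the RFC 4122 version and variant bits onto the value.
    return str(uuid.UUID(int=rng.getrandbits(128), version=4))


if __name__ == "__main__":
    env = {"SOURCE_DATE_EPOCH": "42"}  # constructed sample environment
    for name in ("ROOT", "BOOT"):
        print(name, filesystem_uuid(name, env), filesystem_uuid(name, env))
    print("unseeded", filesystem_uuid("ROOT", {}))
```

A seeded UUID is predictable by design, so it identifies a filesystem but must never be treated as a secret or as a source of randomness for anything else.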
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-400=1
* SUSE Linux Micro Extras 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-400=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* dracut-kiwi-oem-dump-10.2.29-1.1
* dracut-kiwi-lib-10.2.29-1.1
* dracut-kiwi-oem-repart-10.2.29-1.1
* SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
* kiwi-systemdeps-iso-media-10.2.29-1.1
* kiwi-systemdeps-bootloaders-10.2.29-1.1
* python3-kiwi-10.2.29-1.1
* kiwi-systemdeps-core-10.2.29-1.1
* kiwi-systemdeps-disk-images-10.2.29-1.1
* kiwi-systemdeps-filesystems-10.2.29-1.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1242987
* https://bugzilla.suse.com/show_bug.cgi?id=1244668
* https://bugzilla.suse.com/show_bug.cgi?id=1245190