SUSE-RU-2025:20172-1: important: Recommended update for python-kiwi

SLE-UPDATES null at suse.de
Wed Jun 4 08:25:58 UTC 2025



# Recommended update for python-kiwi

Announcement ID: SUSE-RU-2025:20172-1  
Release Date: 2025-04-01T10:26:32Z  
Rating: important  
References:

  * bsc#1214824
  * bsc#1221469
  * bsc#1221790
  * bsc#1223374
  * bsc#1224389
  * bsc#1228118
  * bsc#1228729
  * bsc#1228741
  * bsc#1229257
  * bsc#1235448
  * bsc#1237772

  
Affected Products:

  * SUSE Linux Micro 6.0
  * SUSE Linux Micro Extras 6.0

  
  
An update that has 11 fixes can now be installed.

## Description:

This update for python-kiwi fixes the following issues:

  * Bump version: 10.2.11 to 10.2.12
  * Fix profile env variable name regression In the effort of adapting to the
    latest snapper in Issue #2697 we overlooked the after effect of a different
    variable name in the profile environment with regards to
    $kiwi_btrfs_root_is_snapshot and $kiwi_btrfs_root_is_snapper_snapshot. Image
    builds that reference the former variable name would be broken by the
    change. This commit makes sure no regression is introduced by providing both
    variants (bsc#1237772).
  * Fix grub mkimage call for the ppc platform The list of modules used to
    create a grub platform image for ppc was the same list as used for the x86
    bios platform. This commit fixes this and also cleans up the inconsistency
    and misleading names used for creating platform specific output.
  * Bump version: 10.2.10 to 10.2.11
  * Update box plugin documentation Add chapter about new container build
    feature. The box plugin can now also run the build in containers
  * The ubuntu 20.04 github runner is closing down Make sure to move to another
    runner for workloads which still use ubuntu 20.04
  * Bump version: 10.2.9 to 10.2.10
  * Poetry build sdist timestamps set to epoch 0 Newer versions of poetry set
    the timestamp for all source files to epoch 0. Such sources are not accepted
    by e.g. Debian FTP servers and in general I don't like when tools change
    their behavior just like that. This commit forces an older version of poetry
    for the purpose of creating the sdist tarball which then gets published on
    pypi. The argumentation for reproducible builds by forcing source files to a
    certain timestamp doesn't fly for me. I'm open for any better solution
    though.
  * Bump version: 10.2.8 to 10.2.9
  * Classify missing chkstat as debug message chkstat is a distribution specific
    tool. If it is present we use it, if not we don't but it's not worth a
    warning.
  * Allow to run setfiles multi threaded Use option -T0 for newer setfiles
    version.
  * Add rd.kiwi.dialog.timeout option Allow to configure the timeout value for
    dialogs displayed by the kiwi dracut code. By default the timeout is set to
    60 seconds. With the special value "off" the dialog will never timeout.
  * Make sure copy actions do not drop context Use shutil.copy2 to copy files
    preserving their attributes in the grub BootLoader space.
  * Improve unit test for archive target_dir Add a test case with absolute path
    in the target_dir to make sure we never unpack the archive to the host
    system.
  * Fixed profiled overlay imports When building an image for profile: SOME and
    providing an overlay directory named SOME/... kiwi will sync the contents of
    this overlay directory to the root tree. However it took the toplevel name
    SOME/ into account which is unwanted because only the sub data structure
    should be synced into the new root tree. This
  * Bump version: 10.2.7 to 10.2.8
  * Use multipath child instead of parent device On multipath systems we need to
    find underlying child device instead of using parent device. This prevents
    listing all parent devices for a multipath device
  * Increase size for agama integration test build Agama needs more space to
    build now
  * Fixed agama integration test rubygem-byebug and rubygem-agama-yast seem to
    no longer exist
  * Update TW integration tests Package nscd was dropped from TW
  * Fix documentation regarding URI styles In reference to commit
    760a65558f9e2e91d3eaa3a2f9503ff596984b48 the support for iso:// URI types
    was dropped some time ago. However, the documentation was not properly
    updated. This commit fixes it
  * Fix return value of grub helper methods The grub helper methods to find grub
    tools return a None value if the tool cannot be found. This None value
    could be used later in a Command call where it will be used in a join()
    command to log the resulting commandline. This join() call then fails and
    raises an unhandled error causing a stack trace in the application. This
    commit fixes it
  * Added disk validation for duplicate installs Installing the same image to
    different storage disks on the same machine creates device conflicts with
    unexpected side effects. This commit adds a validation based on the PTUUID
    of the disk image to check if another device on the system has the same ID
    and if yes, does not allow to install the image again including a message
    which device takes the same identifier. This references bsc#1228741
  * Fixed documentation for signing key attribute The source locator name for
    local files was incorrect
  * Bump version: 10.2.6 to 10.2.7
  * Update documentation Added a new troubleshooting chapter as subsection to
    the Build Host Constraints named Package Manager Behavior. It serves the
    purpose to describe options for the customer to change the default package
    manager behavior which we from the kiwi side do not influence intentionally.
    This is a followup change to bsc#1235448
  * Drop still present tox artifacts There were still some left over tox files
    and the documentation contribution chapter was also wrong at several places
  * Add support for reading optional pkgmgr env file If there is a file
    .kiwi.package_manager.env in the root of the image tree it will be read and
    put into the caller environment for the selected package and repository
    manager. There are features in e.g zypper which can only be used via env
    variables (bsc#1235448).
  * Auto convert unit test XML data to schema v8.3
  * Rename btrfs_root_is_snapshot Rename btrfs_root_is_snapshot to
    btrfs_root_is_snapper_snapshot. This happens in preparation for the changes
    suggested in #2697 where we want to get rid of snapper specific btrfs code
    which will be available in snapper natively soon. To make sure a btrfs
    layout specific to snapper (and SUSE), the implicitly used attribute named
    btrfs_root_is_snapshot now becomes explicit and its new name will indicate
    that snapper sits behind it. Along with the rename a XSLT stylesheet to
    automatically convert the old name into the new name for schema v8.3 will be
    performed.
  * Bump version: 10.2.5 to 10.2.6
  * Fixed donate button target
  * Added LUKS reencryption support Added rd.kiwi.oem.luks.reencrypt boot option
    consumed by the kiwi-repart dracut module. For OEM LUKS2 encrypted disk
    images. If set, reencrypts the disk prior an eventual resize and therefore
    creates a new key pool and master key. The reencryption is advisable if the
    image binary is not protected. With access to the image binary it's possible
    to extract the luks header which then allows to decrypt the data unless it
    was reencrypted. The reencryption process only runs if the checksum of the
    luks header still matches the one from the original disk image. Be aware
    that the reencryption will ask for the passphrase if the image has been
    built with an initial luks passphrase.
  * Fixed arm/tumbleweed/test-image-rpi No ruby required for this integration
    test build
  * Plain zipl loader needs boot partition If the rootfs is something zipl
    cannot read, we need an extra boot partition using a supported filesystem
  * Fixed IBM-Cloud-Standard profile The test-image-MicroOS integration test
    builds an IBM-Cloud-Standard profile as encrypted variant with a random key
    that is not protected by an encrypted boot image. This doesn't make sense.
    Thus the encryption setup for the IBM cloud standard build got removed. Use
    the IBM-Cloud-Secure-Execution profile to test encrypted secure linux builds
  * Fixed test-image-qcow-openstack rsh package was dropped from TW
  * Fix genprotimg for s390 builds A recent change on genprotimg now forbids to
    use --cert in combination with --no-verify, even though this was allowed
    before.
  * Fix documentation for repo, package gpg settings In contrast to the
    documentation, kiwi sets default values for any gpg setting if not
    explicitly specified differently. We want to avoid to inherit a behavior
    from how the distribution packages the package manager. This commit fixes
    the documentation to be in line with the implementation
  * Drop insecure and unsupported md5 digest Decommission the Checksum.md5()
    method and move all places in code to sha256(). The md5 digest is considered
    insecure and has also been removed from hashlib as a supported digest.
  * Fix config functions action The action failed on the setup of the runtime
    because the upgrade of pip failed.
  * Bump version: 10.2.4 to 10.2.5
  * Changed systemfiles provider Instead of providing a static list of
    filenames, provide a list of package names. It is expected that the pilot of
    flake-pilot resolves this list against the local package database to build
    up the filelist for provisioning
  * Bump version: 10.2.3 to 10.2.4
  * Update system files setup for containers The attribute provide_system_files
    creates a meta file in the root tree named 'systemfiles'. The contents of
    this file were produced by just a dump of the package database so far. For a
    more generic use of this data some adaptions were needed. First we allow to
    skip packages matching a pattern from being part of the system files. Next
    we do not put ghost and doc files into account. And last we handle library
    files in a different file named 'systemfiles.libs' where we do not add
    symlink targets if the target path is also part of the package. The consumer
    of this information is flake-pilot which syncs that library system files
    from the host via --copy-links. This allows a more generic use with regards
    to versioned libraries e.g. libc
  * Drop /dev/pts from bind mount locations This has created havoc in the Fedora
    build environments by fully unmounting /dev/pts and breaking the builders
    for subsequent tasks. This is a partial revert of commit
    daf1323c5ded7e4e7783205f5e30457b40eb322f.
  * Don't take ghost files into account When creating the system files
    information do not take ghost files and artifact files into account
  * Bump version: 10.2.2 to 10.2.3
  * Update STYLEROOT to SUSE 2022
  * Fix broken links in the documentation
  * Fix legacy_bios_mode detection The code in this method does not work
    correctly if the firmware is set to 'bios'. In bios only mode the method
    returned a false value which is incorrect as it should return a true value
    in this case. Without this patch ISO images will fail to boot because no
    loader gets configured.
  * Added /dev/pts to bind mount locations During runtime several kernel
    filesystems are bind mounted into the image root system such that programs
    expecting it can work. /dev/pts was not needed so far but seems to be a good
    addition to the list to make tools like sudo to work properly when called
    e.g. from a config.sh script.
  * xorriso: respect efiparttable and gpt_hybrid_mbr This should make the
    xorriso-based ISO build path respect the 'efiparttable' and 'gpt_hybrid_mbr'
    settings when building a UEFI-compatible image, making it write a GPT disk
    label by default instead of an MBR (msdos) one. If it's building an image
    that is not UEFI-compatible it will always write an MBR label, regardless of
    this setting. If 'gpt_hybrid_mbr' is set, xorriso will write an Ubuntu-style
    MBR/GPT hybrid partition table, where the MBR partition table includes a
    partition with type 00 and the bootable flag, as well as the partition with
    type ee required by the UEFI spec. This mildly violates the UEFI spec but
    may make the image bootable on native BIOS or CSM firmwares which refuse to
    boot from a disk with no partition marked 'bootable' in the MBR. If
    'gpt_hybrid_mbr' is not set, xorriso will write a strictly UEFI-spec
    compliant label, with just the 'protective MBR' required by the UEFI spec
    (no bootable partition) and the correct GPT partition table. Note this is
    somewhat different from what gpt_hybrid_mbr does for disk images. Also, we
    now pass -compliance no_emul_toc when building ISOs, as recommended by
    upstream in https://lists.gnu.org/archive/html/bug-xorriso/2024-11/msg00012.html
    This tool is generally always going to be
    building ISOs intended for write-once use, not multi-session use (and which
    are rarely, these days, written to physical discs at all anyway).
  * Added provide/require system files for containers Added the attributes
    provide_system_files and require_system_files to control the provider and
    requester of system files in container image builds. systemfiles is a
    metadata file which contains all files from the package database at call
    time. It is used in flake-pilot to provision the systemfiles data from the
    host into the container instance. One possible use case for this data is a
    flake registration which uses a base container that is derived from a
    runtime container but all data from the runtime should be provisioned from
    the host. Using this feature tightly couples the flake to the host OS
    distribution and version.
  * Bump version: 10.2.1 to 10.2.2
  * Fix scope issue Increase lifetime of the compressor instances to the
    lifetime of RootImportOCI. They create temporary files which are referenced
    later and need to live longer than the block they got created in
  * Bump version: 10.2.0 to 10.2.1
  * Fixed use of fscreateoptions for iso type The information for
    fscreateoptions was not passed along to the tooling if a custom filesystem
    attribute was specified.
  * Allow to derive from multiple containers Add support for multi inheritance
    to the derived_from attribute. In the order of a comma separated list of
    docker source URI's a base tree is created. This was possible only with one
    container so far and Fixes #2680 as well as jira#OBS-354
  * Bump version: 10.1.18 to 10.2.0
  * Add selinux test build to TW Also update derived docker integration test to
    latest Leap
  * kiwi/schema: Fix allowed value type for ISO publisher and application ID
    According to the spec, this should be constrained to 128 characters but also
    allow quite a few other special characters (as well as spaces). We didn't
    allow spaces in application ID, but allowed too much for Publisher. Now we
    set up both correctly.
  * Fix setup of kiwi environment variables Some kiwi env vars are initialized
    with an empty value and not overwritten if another value is provided. For
    the selected variables an empty value setting is not allowed because the
    schema also enforces the value to be set at least once. In addition a
    helpful option named --print-kiwi-env was added to the 'image info' command
    which allows to print the environment variables and their values.
  * Add random key support for LUKS encryption Allow to pass luks="random". In
    random mode use the generated keyfile as the only key to decrypt. This is
    only secure if the generated initrd also gets protected e.g. through
    encryption like it is done with the secure linux execution on zSystems
  * Added development group in pyproject setup generateDS and other tools are
    needed and were forgotten to be added when we deleted the tox dependency
  * Added containers integration with OBS When building in the Open Build
    Service (OBS) there is no way to create outgoing connections from the build
    workers. To allow the containers section to fetch containers from the SUSE
    registry we need to apply an OCI URI translation into a local path. The
    actual OCI container image is expected to be provided by the obs backend on
    the worker. Along with this commit also an integration test named
    test-image-disk-containers is provided (jira#OBS-351).
  * Fix rendering of SUSE docs The SUSE documentation is produced through a
    conversion of the ReST source into docbook. The name kiwi is reserved in the
    index and needs to be referenced as kiwi-ng when used as command.
  * Remove tox dependency tox was used as sort of a make target to run unit
    tests and more in a python virtualenv. However, since we switched everything
    to poetry it's no longer needed to let tox create the python virtual
    environments. This commit moves the tox targets into the Makefile and adapts
    the github workflow files accordingly. In addition the scripts container
    based tests were re-activated and fixed such that they succeed again.
  * Fix make build target Move the actions done by the tox target into the build
    target and call them there in a clean and easy to spot sequence. There is no
    need to call tox to prepare for the package submission, instead the checks
    and poetry runs to prepare for the package target should be called directly
    as part of the build target. In the future we might get rid of tox
    completely.
  * Bump version: 10.1.17 to 10.1.18
  * Fixed zipl caller environment zipl gets confused with an active sysfs mount
    inside the root tree at call time of zipl. This commit umounts the /sys bind
    mount in the image tree prior calling zipl
  * Fix s390 test-image-disk build Add missing kernel links used by suse tools
  * Bump version: 10.1.16 to 10.1.17
  * Fix coloring of build_status.sh flags Depending on the place of the status
    flag the color setup might fail. This commit fixes it
  * Add pytest-container as optional dependency The pyproject.toml listed
    pytest-container as dependency but it is used only to run the container
    based integration tests for the shell helper methods. For building the
    package this dependency should not be pulled in
  * Fix networking in erofs integration test The network setup was
    systemd-networkd based but the provided network config was not for systemd
  * Bump version: 10.1.15 to 10.1.16
  * Fix erofs requires in spec erofs-utils for SUSE only exists in Tumbleweed.
    The former condition would also add the requirement for ALP and SLFO which is
    wrong. This commit fixes it
  * Add vagrantconfig rule for vagrant format If the format="vagrant" attribute
    is set, a vagrantconfig section becomes mandatory. This commit enforces this
    rule on the schema.
  * Bump version: 10.1.14 to 10.1.15
  * Fixed sphinx_rtd_theme setup Delete obsolete display_version attribute
  * Evaluate eficsm everywhere Fixed _supports_bios_modules() to take an
    eventually provided eficsm setup into account. The grub config still
    searches for i386 grub modules even if eficsm="false" is set.
  * Fixed debian bootstrap script calls Run scripts as commands with their
    native shebang and not through bash. Not all debian package scripts use
    bash, some of them use sh which can be a link to dash or other
    interpreters.
  * Update TW integration tests The package x86info was dropped from TW
  * Turn DiskFormat into an ordinary class
    * it does not need to be an abstract base class
    * use f-strings where applicable instead of format()
    * change return type of _custom_args_for_format from list to tuple
  * Add new containers section Allow to specify references to OCI containers in
    the image description During the kiwi process the containers are fetched
    into a temporary location and a systemd service is configured to one time
    load the containers into the local registry at first boot of the system.
  * Bump version: 10.1.13 to 10.1.14
  * Revert "Install usrmerge for Debian integration test" This reverts commit
    95ac861741f14c4f35611c16328384c18e53dcfb. Solution needs to be provided in
    code
  * Install usrmerge for Debian integration test
  * Support older apt versions for bootstrap
  * Run package scripts in apt bootstrap phase The bootstrap procedure based on
    apt only runs a manual collection of package scripts. This commit refactors
    the code that unpacks the bootstrap packages to a python implementation and
    adds a method to run the bootstrap scripts from all packages resolved by
    apt.
  * Bump version: 10.1.12 to 10.1.13
  * Fix bundle extension for vagrant type When bundling result files that use a
    vagrant type, kiwi creates them with the extension .vagrant.virtualbox.box
    or .vagrant.libvirt.box. The bundler code renames them using only the .box
    suffix which is too short as it is missing the subformat information. This
    commit fixes it and keeps this information in the result bundle file name.
  * Use simple quotas (squota) for volumes
  * Add quota attribute to volume section Allow to set quota per volume for the
    btrfs filesystem
  * Fix globbing with exclude with regex This fixes a collection of bugs when
    producing erofs images. On one hand, this ensures that an exclude of `/sys`
    doesn't accidentally match `/lib/libsystemd.so`, only `/sys/whatever`. On
    the other hand, this ensures that `/dev/*` does match `/dev/vda` and not
    just `/dev///////////`. This fixes libsystemd.so getting dropped in
    Kiwi-built FEX images.
  * Honour custom exclude for filesystem builds All other call sites honour the
    custom exclude file, it's just this one that needs to be fixed. This
    unblocks use of Kiwi for generating FEX rootfs.
  * test: storage: update clone_device tests with new block size
  * storage: clone_device: increase dd block size Increasing the block size used
    for dd reduces the time needed to clone a device.
  * Bump version: 10.1.11 to 10.1.12
  * Add missing erofscompression validation In the filesystem builder I forgot
    to evaluate the erofscompression attribute.
  * Include PI and comments in XSL stylesheets So far comments and processing
    instructions (PI) were ignored when applying the XSL stylesheets. This
    commit updates all stylesheets to take them into account
  * Bump version: 10.1.10 to 10.1.11
  * doc: Add login information test build test images
  * Bump version: 10.1.9 to 10.1.10
  * bootloader: Fix up ppc64 bootinfo again To make the code look pretty extra
    newline is inserted at the start of bootinfo file. This appears to break
    boot on Power9 PowerVM LPARs.
  * Add support for erofs erofs is an alternative readonly filesystem that can
    be used as alternative to squashfs.
  * Fixed enclave integration test The SELinux policy of Fedora Rawhide when
    running completely in an initrd is not suitable to let the system boot up.
    Thus the current solution is to boot in permissive mode. A better solution
    for the future would probably be a selinux policy for enclaves
  * limit eif_build requires to fedora greater than or equal to 42
  * Bump version: 10.1.8 to 10.1.9
  * Added sshd to nitro-enclave integration test
  * Fixed container sync options Do not exclude/filter any security/xattr
    capabilities.
  * Update container integration test Add getcap to check on filesystem
    capabilities
  * Add new build type provides for enclave Add a provides tag (read by the open
    buildservice) for the new enclave builder. Also add a recommends to
    eif_builder in the systemdeps-core meta package
  * Update enclave documentation Fixup repo setup in the build documentation
  * Bump version: 10.1.7 to 10.1.8
  * Fixed enclave documentation
  * Update test-image-nitro-enclave package list Fixup package list to match
    Fedora rawhide
  * Move test-image-nitro-enclave to rawhide
  * Fix ppc64 chrp bootinfo generation
  * Fixed documentation header Fixed double H1 headers from the boxbuild tweaks
    chapter.
  * Bump version: 10.1.6 to 10.1.7
  * Move EXEC log message to the right place The log information of the command
    execution was not printed directly before the actual command invocation.
    There are other actions after the log information (e.g Path.which) which
    itself produce log information prior the real subprocess execution. This is
    very misleading when reading the log file and fixed in this commit.
  * Add support for architectures in deb source file When apt resolves packages
    on a multiarch repo it can happen that dependencies for packages from other
    architectures are pulled into the solver process but are not provided by any
    repository. To overcome this behavior the repository can be setup to serve
    packages only for a specified architecture or list of architectures. This is
    related to OSInside/kiwi-descriptions#102
  * Bump version: 10.1.5 to 10.1.6
  * add allowExtraConfig and exportFlags to ovftool options Add allowExtraConfig
    and exportFlags to ovftool options
  * Bump version: 10.1.4 to 10.1.5
  * create EFI/BOOT only if UEFI boot is intended
  * Fix boot support for ISO media on ppc64 add CHRP boot support for ppc64 and
    add xorriso option to avoid file name reduction to MS-DOS compatible 8.3
    format
  * Fix initrd permissions kiwi stored the initrd for ISO images as 600 which
    might be too restrictive. This commit makes sure the initrd is stored as 644
    and Fixes bsc#1229257
  * Fixed ramdisk size setup For setting up the brd rd_size option kiwi creates
    99-brd.conf used at load time of the kernel brd driver. The location for the
    conf file is set to /etc/modprobe.d/ However, in newer versions the location
    has changed to /usr/lib/modprobe.d/ and /etc/modprobe.d is no longer
    expected to exist. This commit makes sure /etc/modprobe.d is created if not
    present.
  * Bump version: 10.1.3 to 10.1.4
  * Add note about guestOS values for vmware ovftools.
  * Add note about guestOS values for vmware platform.
  * Fixed resize of dos table type on s390 On s390, parted is used to detect the
    partition table type. In contrast to blkid the name for DOS tables is
    reported as 'msdos' and not 'dos' which impacts several conditions in the
    kiwi initrd code which checks for 'dos'. This commit fixes the
    get_partition_table_type() method to return a consistent table name for DOS
    tables (bsc#1228729)
  * Revert "remove dependency on /usr/bin/python" This reverts commit
    15b450188483b567ca10bb459bf50ed90e905bb7. The change provided here entirely
    broke kiwi in OBS. With this patch applied every image build in OBS fails
    with the following message: 'line 1: /usr/sbin/kiwi: No such file or
    directory'
  * Bump version: 10.1.2 to 10.1.3
  * Fix bundle extension for archive types When bundling result files that use
    an archive type like tbz or docker, kiwi creates them with the extension
    tar.xz/tar.gz The bundler code only uses the extension from the last tuple
    in a "." split which is wrong for "tar." filenames. This commit adds an
    exception to the prefix rule for these output filenames and Fixes
  * Fix ImageSystem mount procedure The mount() method did not take custom
    partitions into account. This commit fixes it.
  * remove dependency on /usr/bin/python
  * Add support for isomd5sum for tagging iso files The isomd5sum tool suite is
    used and available on all supported distributions except SUSE distributions,
    and is necessary to produce conformant ISOs for most Linux distributions.
    This change adds support for isomd5sum tool suite for kiwi, though it does
    not extend the kiwi-live dracut module to use it. The upstream dracut
    dmsquash-live module must be used instead.
  * kiwi/builder/live: Log the correct value for Application ID Since it is now
    possible to set a custom application ID, we want to see this when it is
    being used for the image.
  * kiwi/builder/live: Clean up leftover dracut configuration file The existence
    of this file breaks installers on live media that sync the full filesystem
    to disk and are not aware of this configuration before generating the target
    system initramfs.
  * Allow string versions and test "word" versions There are descriptions out in
    the wild that use "non-numeric" versions in their descriptions, particularly
    without separators for splitting. This change switches all of this to
    strings rather than assuming numbers and gracefully handles the single word
    case.
  * Add documentation for boxbuild tweaks
  * Fixed wrong log level on --logfile When using --logfile, the log generated
    there matches the stdout log (which without --debug, does not include any
    debug info). This is in contrast to the automatically generated one in the
    output directory, which always does and also not following the way how it is
    documented.
  * Fixed arch flag for namedCollection The arch flag in a namedCollection was
    not taken into account. This commit fixes this and also makes sure the
    result information is sorted and unique like we have it for the package
    lists.
  * Fix handling of zipl.conf in plain zipl bootloader When using the plain zipl
    bootloader kiwi created a /etc/zipl.conf file. However, this file was only
    useful during image build as it points to a loop target device and geometry
    but does not represent a proper config file to be used in the running
    system. In addition the different distributors provide their own version
    and layout of the zipl.conf to be used inside of the system and with their
    respective tools. Thus this commit changes the way how kiwi operates in a
    way that the zipl.conf used in the initial image only exists during the
    image build process. An eventual present /etc/zipl.conf will not be touched
    by kiwi.
  * Bump version: 10.1.1 to 10.1.2
  * Improve error reporting for remote deployment Add new method called
    show_log_and_quit which displays the written error log file as a file box to
    the user
  * Update test-image-orthos integration test Update the test such that you can
    also build it locally. Change the remote installation target to be a ramdisk
    for easy testing of remote deployments
  * Setup default minimum volume size per filesystem The former method provided
    a static value but there are huge differences for the minimum size
    requirement of a filesystem. For example extX is fine with 30MB whereas XFS
    requires 300MB. This commit adds a more dynamic default value based on the
    used filesystem.
  * Increase default volume size So far 30MB was set as default volume size
    which is by far too small for a number of filesystems, e.g btrfs and also
    XFS. This commit increases the default volume size such that all modern
    filesystems build if the default volume size is used.
  * Update test-image-raid Apart from testing raid this integration test also
    tests a certain LVM volume setup. The test has been updated to use the btrfs
    filesystem because it has the most strict size requirements.
  * Use shutil.which for Path.which Both methods were only used in one place
    each and it makes much more sense to use the pathlib builtin methods instead
  * Replace Path.create implementation with pathlib builtin
  * Bump version: 10.1.0 to 10.1.1
  * Mandatory package scripts for Debian bootstrap Make sure to run some
    mandatory package pre/post scripts such that settings like /etc/passwd, a
    root user, etc.. exists. This action can also be done in post_bootstrap.sh
    but I think it's better to do this in the core code
  * Bump version: 10.0.28 to 10.1.0
  * kiwi no longer uses debootstrap For building Debian based images we used
    debootstrap to bootstrap an empty root until apt-get could be used to
    complete the job. This has now changed such that apt-get is also used for
    bootstrapping a new system. The concept and also potential alternatives to
    the way kiwi bootstraps Debian based systems can be found here:

    * https://osinside.github.io/kiwi/working_with_images/build_without_debianbootstrap.html

    Due to the drop of debootstrap it might happen that package lists of
    existing image descriptions need to be extended with packages that were
    formerly pulled in by debootstrap but did not get properly pulled in with
    the new apt based bootstrap. As reference please check out the integration
    tests from here:

    * https://github.com/OSInside/kiwi/tree/main/build-tests/x86/ubuntu
    * https://github.com/OSInside/kiwi/tree/main/build-tests/x86/debian
  * Bump version: 10.0.27 to 10.0.28
  * Update documentation
  * kiwi no longer uses debootstrap
  * Fix test_process_result_bundle_as_rpm
  * Fix Debian/Ubuntu integration tests Remove package hacks for debootstrap,
    explicitly add required packages and/or configurations.
  * Drop types-pkg_resources Got removed from PyPI
  * Fix test_process_result_bundle_as_rpm os.path.basename was called on a
    MagicMock object which sometimes confused pytest
  * CI: Add testing against Python 3.13 Python 3.13 is shipping in Fedora Linux
    for Fedora Linux 41, so we should ensure kiwi is tested against it. The
    testing setup is based on the latest development version of 3.13 as it is
    not yet released.
  * Fix kiwi-repart restrictions The kiwi repart dracut module reads a profile
    file and if it does not exist it dies in the initrd. However, that profile
    file is not mandatory for the main resize functionality. Thus this commit
    turns this into a warning message. In addition the module-setup for
    90kiwi-repart makes sure to include the required and optional profile files
    (bsc#1228118).
  * Do not exclude the .profile env file by default kiwi's initrd modules read a
    .profile file which gets included into the initrd produced at build time. To
    allow rebuild of a host-only initrd from the booted system this information
    should be present such that it is possible to re-use kiwi initrd code.
  * Get rid of debootstrap Replace debootstrap with an apt-get based
    pre-download of packages followed by a dpkg-deb extraction.
  * Bump version: 10.0.26 to 10.0.27
  * Fix dracut-interactive with systemd 256 With systemd 256, /usr (and thus
    also /bin/) is read-only in the initrd. Move dracut-interactive and its
    .service into /run instead.
  * Bump version: 10.0.25 to 10.0.26
  * Revise scripts_testing.rst
  * Revise schema_extensions.rst
  * Pass kernel cmdline to agama In the agama integration test make sure to pass
    along the kernel boot parameters to allow controlling the behavior of agama
    better
  * Add file directive to incorporate custom files Usually custom files are
    managed by placing them as overlay files or archives. However, overlay files
    must be structured inside of a root/ subdirectory and archive files are
    binary data. It is therefore not straight forward to just reference one or
    more files as source files to the image description to be placed into the
    image.
  * Bump version: 10.0.24 to 10.0.25
  * Fix mocking of test_process_result_bundle_as_rpm
  * Fixed logging behavior of Compress::get_format The get_format() method
    allows to check which compression format a given input stream has. This is
    done by calling the supported compression tools in a row and let them check
    if they can deal with the provided data or not. As a result error messages
    are logged for streams that some tool doesn't understand. However, those
    error messages are no errors and only the result of the checking. This
    information in the kiwi log file is confusing and several users already
    complained when they see information like: EXEC: Failed with stderr:
    /usr/bin/xz: ...: File format not recognized This commit changes how the
    compression tooling is called in a way that no exception is raised (which
    leads to the above error message) but the result returncode is used to
    decide on the success or error of the respective compression tooling.
  * Allow to set custom ISO Application ID The application ID was used as
    identifier in the legacy initrd code from former kiwi versions. Because of
    this there is still the compat layer which sets an App ID as MBR identifier
    string unless the new application_id overwrites it.
  * Bump version: 10.0.23 to 10.0.24
  * Added integration test for SUSE agama installer This integration test builds
    a self-install ISO image which drops the SUSE Agama installer into a ramdisk
    for performing an interactive installation procedure to test Agama
  * Add --set-type-attr and --set-release-version Allow to set/overwrite type
    section attributes via the cmdline. Allow to set/add the release-version
    element via the cmdline.
  * Update integration test for eficsm Update the type of the Secure profile of
    the live image integration test as well as the type of the simple-disk test
    to make use of the eficsm="false" attribute to switch off CSM mode and test
    an EFI only layout.
  * Add new eficsm type attribute Allow to produce EFI/UEFI images without
    hybrid CSM capabilities.
  * kiwi_plugin_architecture.rst
  * Revise kiwi_from_python.rst
  * Wait for loop device detach to complete Detaching a loop device via 'losetup
    -d' is an async operation. Once the command returns the loop can still be
    associated with the block special. Therefore this commit waits until the
    block device got released or a timeout is hit.
  * Update requires for kiwi-systemdeps-disk-images On Tumbleweed several
    changes caused tools like strings or the codepage for mtools to be missing
    in a standard installation. For building disk images especially EFI capable
    ones with vendor information kiwi needs the above tool. This commit adds the
    packages providing them on Tumbleweed to the meta systemdeps for disk
    images.
  * Supplements are not understood by Debian/Ubuntu
  * Add new builder for enclaves Add new EnclaveBuilder class which allows to
    build initrd-only image types. The first enclave implementation covers
    aws-nitro images produced via the eif_build tooling.
  * Split out bash completion into a sub-package Per review of the SUSE
    packaging team we should split out the bash completion into its own
    sub-package to give users better control over the completion feature.
  * Bump version: 10.0.22 to 10.0.23
  * package: Add fully qualified provides for python3-kiwi in spec On SUSE
    distributions, currently the expectation is that packages built against the
    Python interpreter should have fully qualified names in the form of
    pythonXY-<modulename>. Additionally, all other Linux distributions prefer
    something similar in the form of pythonX.Y-<modulename>. This ensures we
    have those names so that distribution dependency generation works as
    expected.
  * Add support for arch selector on volumes Multiple architecture names can be
    specified as comma separated list.
  * Add rd.kiwi.oem.force_resize boot option Forces the disk resize process on
    an OEM disk image. If set, no sanity check for unpartitioned/free space is
    performed and also an eventually configured <oem-resize-once> configuration
    from the image description will not be taken into account (bsc#1224389).
  * Fixed leap integration tests For whatever reason procps is no longer pulled
    in by the core dependencies. Thus we have to explicitly request it
  * Fix potential race condition in loop detach The call to 'losetup -d' is in
    fact an async operation. Once the command returns the loop can still be
    associated with the former file because it gets lazy unbound and releases
    later. Prior to re-use of the same loop device it is therefore required to wait
    until the kernel event queue is processed.
  * Fixed repository include to image with dnf When specifying a repository
    element with imageinclude="true", kiwi permanently adds the repo file inside
    of the image. The distribution standard path is used to store the repo file
    in this case. With dnf a package manager exists that is primarily used on
    Fedora and RHEL systems. Thus the standard path for the repo files is set to
    "/etc/yum.repos.d". However, dnf can also be used for other rpm based
    distributions e.g SUSE. On such a system the default path does not exist or
    is different because another package manager is the default. This commit
    makes sure that the expected path is created prior to adding any repo files.
  * Bump version: 10.0.21 to 10.0.22
  * Fixed selinux labels for boot files When kiwi calls the bootloader config
    and installation modules several files get created as unlabeled_t because
    the labeling happened earlier. This commit ensures that setfiles gets called
    after BootLoaderConfig and/or BootLoaderInstall has done its job.
  * Add bash to package requirements If there are script evaluations that do
    not specify an interpreter, kiwi uses bash for it. The same applies for
    sub-process invocations using shell pipelines. Thus the bash shell is a
    required tool for kiwi under certain circumstances.
  * test-image-live: add shadow package
  * Fix displaying the image verification failure dialog Kiwi must wait for the
    previous dialog to finish before showing another one as it's the same
    systemd service behind it.
  * Allow to customize the path of the isoscan cowfile Added
    rd.live.cowfile.path option to specify the cowfile at any path below the
    isoscan-loop-mount.
  * Better error handling on grub vendor dir lookup The strings command is used
    to lookup the in-efi binary encoded vendor path. However, if the strings or
    bash command is not available on the build host, the command silently failed
    and moved into the standard (non vendored) EFI boot path. This can lead to a
    broken boot for those distros and image targets which require a vendor
    directory and should lead to an error message instead of a successful image
    build.
  * Fixed profile variable settings for preferences It's allowed to have
    multiple preferences sections. If those sections provide the same value
    multiple times, e.g keytable, the last one in the row will win. The setup of
    the variables in .profile environment file for the preferences elements is
    not following this rule and used the first section not the last. This commit
    fixes the profile variables to match the actual setup
  * Revise users.rst
  * Revise systemdeps.rst
  * Revise shell_scripts.rst
  * Add initrd boot option rd.kiwi.allow_plymouth By default kiwi stops plymouth
    if present and active in the initrd. Setting rd.kiwi.allow_plymouth will
    keep plymouth active in the initrd including all effects that might have to
    the available consoles. This is related to bsc#1214824
  * Drop use of obsolete tool isconsole isconsole was provided with the dropped
    kiwi-tools package. It was a simple C application that checked the
    capabilities of the current console. In the context of fbiterm it was just
    used to provide proper error messages which fbiterm on its own did not show.
    As also fbiterm is on its way to become obsolete and isconsole is already no
    longer present, it's ok to just drop that extra check and therefore keep the
    fbiterm mode functional if one manages to include fbiterm and its fonts into
    the initrd
  * Bump version: 10.0.20 to 10.0.21
  * Add missing write_meta_data method to BLS base The standard bootloader
    interface class provided a method named write_meta_data which is expected to
    be implemented in the specialized bootloader implementation. For BLS
    bootloaders this method was missing in the BLS base class. write_meta_data
    can provide additional cmdline options for booting. If not covered some boot
    options might be missing. This patch fixes it
  * Fix TW integration test to build outside OBS
  * Make sure BootLoaderConfig fixes are effective The BootLoaderConfigGrub2
    class has methods to fix the grub-mkconfig generated files. It does that by
    mounting the system and changing the respective files after the mkconfig
    call. However, after the change the class instance stays open in combination
    with BootLoaderInstallGrub2 instance which itself under certain
    circumstances also mounts the system to call grub-install. At the time
    grub-install is called it cannot be guaranteed that all changes have been
    written unless an explicit umount in the BootLoaderConfigGrub2 class
    instance happened. This commit addresses the potential race condition.
  * Bump version: 10.0.19 to 10.0.20
  * Update rawhide integration test Use new arch attribute for testing in the
    repository element of the rawhide/test-image-live-disk integration test.
  * Add support for arch attr in repository element Allow to provide different
    repository sections per architecture
  * Add --list-profiles to image info Allow to list available profiles from the
    processed image description
  * Bump version: 10.0.18 to 10.0.19
  * package: Always include patches and number all sources and patches This
    ensures that stuff is applied reliably and all sources and patches are
    included as expected.
  * Bump version: 10.0.17 to 10.0.18
  * package: adjust openSUSE patch
  * Bump version: 10.0.16 to 10.0.17
  * Fixed box plugin documentation The provided example was no longer correct
    according to changes on the image description referenced in the example
  * Add procps to Tumbleweed integration tests
  * Fix sdist upstream tarball contents The .virtualenv.dev-requirements.txt
    file is referenced by tox.ini but not put into the sdist tarball and
    therefore missing in the pypi upstream data.
  * Drop use of obsolete pkg_resources As documented in
    https://setuptools.pypa.io/en/latest/pkg_resources.html the use of
    pkg_resources is obsolete and will cause issues. So happened on Debian
    unstable.
  * RepositoryDnf5: correct defaults, set system_cachedir The "defaults" in
    `use_default_location` here are the dnf4 defaults, not the dnf5 defaults, so
    let's update them. Also, for dnf5, we need to set `system_cachedir` instead
    of `cachedir` - see
    https://dnf5.readthedocs.io/en/latest/misc/caching.7.html ,
    `system_cachedir` is the cache location used when running as root,
    `cachedir` is the cache location used when running as a regular user.
  * Bump version: 10.0.15 to 10.0.16
  * poetry build doesn't like symlinks The sdist tarball produced by poetry
    build does not include all files and skipped symlinks in test/data. This
    caused the unit test run to fail if called from within that sources
  * Fix spec file Require docopt-ng for Fedora 41+
  * Bump version: 10.0.14 to 10.0.15
  * Review runtime_configuration.rst
  * Review repository_setup.rst
  * Add support for stopsignal in containerconfig Allow to specify the
    stopsignal via the containerconfig element
  * Fix set_disk_password to be effective Since commit 8aa517eb7 it is necessary
    to call _mount_device_and_volumes() prior to making any modifications to boot
    files. In addition handle potential errors from the grub.cfg modification
    better.
  * Update Makefile Make sure custom patches are part of the package sources
  * Bump version: 10.0.13 to 10.0.14
  * doc: Document the bls option for the grub bootloader
  * Temporarily revert grub-bls default to false for SUSE distributions For the
    time being, SUSE distributions cannot handle KIWI's default to use BLS with
    GRUB2. Until they catch up, revert this for them only.
  * kiwi/bootloader: restore backward compatibility for grub2 with bls The
    change to introduce the bls parameter broke backward compatibility with all
    existing kiwi descriptions for distributions that default to BLS. This fixes
    that by allowing the unset state to be equivalent to enabling it.
  * Bump version: 10.0.12 to 10.0.13
  * Overwrite compression setting only if randomized When building an encrypted
    image, the bundler never compressed the result. This overwrite from the
    runtime configuration and the default compression setting actually only
    makes sense when the image is randomized because only then a compression is
    for sure useless.
  * Make sure lsblk output is sorted by dev name lsblk without the sorting
    option can provide the list of devices in different order. This patch makes
    sure lsblk sorts the output by the device name (bsc#1223374).
  * Stop leaking plugins/{priorities,versionlock}.conf file with dnf4/5. This
    fixes the fedora issue https://bugzilla.redhat.com/show_bug.cgi?id=2270364
  * Fix luks_randomize setting Make sure the value passed for luks_randomize in
    the description becomes effective. It was not possible to switch off
    luks_randomize because any "not" value was turned into a true value. The
    actual default should therefore only apply in case luks_randomize is not
    specified at all which means only a None value will turn into a true value
    for this setting.
  * Fix package removal with dnf5
  * Add 'bls' parameter for the bootloader
  * Fix efifatimagesize attribute type The efifatimagesize attribute type value
    is set to "oem" but the documentation says that it is intended to be also
    used for creating ISO images. This causes a schema error when this attribute
    is set on a profile with type "iso" and blocks changing the EFI boot image
    size which is a problem if the image is bigger than 20M. This commit allows
    to specify the attribute also for the "iso" type

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-267=1

  * SUSE Linux Micro Extras 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-267=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * dracut-kiwi-oem-dump-10.2.12-1.1
    * dracut-kiwi-oem-repart-10.2.12-1.1
    * dracut-kiwi-lib-10.2.12-1.1
  * SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
    * python3-kiwi-10.2.12-1.1
    * kiwi-systemdeps-iso-media-10.2.12-1.1
    * kiwi-systemdeps-bootloaders-10.2.12-1.1
    * kiwi-systemdeps-filesystems-10.2.12-1.1
    * kiwi-systemdeps-disk-images-10.2.12-1.1
    * kiwi-systemdeps-core-10.2.12-1.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1214824
  * https://bugzilla.suse.com/show_bug.cgi?id=1221469
  * https://bugzilla.suse.com/show_bug.cgi?id=1221790
  * https://bugzilla.suse.com/show_bug.cgi?id=1223374
  * https://bugzilla.suse.com/show_bug.cgi?id=1224389
  * https://bugzilla.suse.com/show_bug.cgi?id=1228118
  * https://bugzilla.suse.com/show_bug.cgi?id=1228729
  * https://bugzilla.suse.com/show_bug.cgi?id=1228741
  * https://bugzilla.suse.com/show_bug.cgi?id=1229257
  * https://bugzilla.suse.com/show_bug.cgi?id=1235448
  * https://bugzilla.suse.com/show_bug.cgi?id=1237772
