SUSE-RU-2025:20428-1: moderate: Recommended update for python-kiwi
SLE-UPDATES
null at suse.de
Thu Jun 26 16:34:22 UTC 2025
# Recommended update for python-kiwi
Announcement ID: SUSE-RU-2025:20428-1
Release Date: 2025-06-20T14:06:08Z
Rating: moderate
References:
Affected Products:
* SUSE Linux Micro 6.0
* SUSE Linux Micro Extras 6.0
An update that can now be installed.
## Description:
This update for python-kiwi fixes the following issues:
* Apply security context on writable root only
* Docs: fix typo in users.rst
* Docs: minor punctuation and grammar fixes
* Give test-image-overlayroot enough space
* Allow ext2/ext3 as valid build target: stat reports the value 'ext2/ext3', which is a valid target
* Added check_target_dir_on_unsupported_filesystem
* Fix rd.kiwi.oem.luks.reencrypt_randompass workflow
* Add support for new tarball-based WSL format
* Update SL-Micro build test
* Require read-only-root-fs for SL-Micro test build: changes from the SL-Micro team require adaptations to the integration test description
* Delete fstab.script from SL-Micro test build: this was only needed when /var was an extra partition, but it has been a volume with copy-on-write disabled for some time
* Add systemd-resolved to TW integration tests: for some reason it is no longer part of the systemd standard installation
* Add dkms to test-image-embedded integration test
* Fixed access issue to etc/kernel for sdboot
* Update test-image-overlayroot
* Fixed get_volume_management
* Update test-image-overlayroot: move to systemd-boot as bootloader, activate secure boot and drop the extra boot partition. Use XFS for the write space
* Allow initrd updates on read-only devices: move initrd to the ESP for boot loaders that read data from there
* Fix ordering issue for device assignment: wrong assignment of a boot partition in overlayroot setup without boot partition
* Add kiwi-settings package for TW: de-blacklist erofs to allow building integration tests with this filesystem
* Switch to dracut-kiwi-verity
* Update test-image-overlayroot integration test
* Add documentation for new attribute: add details on how to use the new overlayroot_readonly_filesystem attribute
* Add support for selecting the overlay read-only fs
* Fixed root setup for verity overlay disk
* Make sure the verity record has a superblock
* Drop distro specific runtime check
* Fix root clone size setup
* Fix reencryption master key passphrase
* Fixed targettype setup in zipl.conf: the special targettype set to GPT still indicates SCSI for the zipl.conf but tells kiwi to create a GPT disk layout
* Fixed s390 integration test: targettype attribute was in the wrong section
* Add support for GPT targettype on s390: allow building s390 images using GPT instead of the old DOS partition table. zipl has added support to read from GPT.
* Add --no-compress option to bundler: allow skipping the compression for bundle files marked to become compressed.
* Rawhide (F43) has removed basesystem package
* rawhide install shadow-utils for usermod
* Fixed default bls value setup
* Fix setup of use_disk_password for random secret: when using luks="random" in combination with use_disk_password="true" the resulting cryptomount call in grub is wrong. This commit fixes it
* Drop copying GRUB2 modules to /boot with Secure Boot UEFI images: copying the modules creates a situation where future updates applied to a running system can cause GRUB to crash due to mixed modules and GRUB EFI binaries. It is not needed anyway, since GRUB EFI binaries for Secure Boot have all modules compiled into the binaries.
* Make sure editbootinstall runs offline: editbootinstall expects the system to be unmounted
* Make sure post sync actions are in scope
* Follow-up fix for overlayroot builds for EFI path: only perform the boot overlay if there is an extra boot partition
* Only remove entries from exclude list if present
* Fix overlayroot builds for EFI path: make sure to keep boot/efi mountpoint directories in the read-only area, as they can't be created later
* doc: overview: Add list of supported Linux distributions: these are the Linux distributions that are developed and actively tested for with the latest kiwi releases. This should offer greater clarity about what we're able to support as an upstream project.
* Fixed mount of image system for volume managers: the ImageSystem.mount() method implemented its own handling for mounting the volumes of a volume manager based system. First and foremost this duplicates code that already exists in the respective VolumeManager implementation, and second the code behaved incorrectly in case of btrfs when there is no default subvolume configured
* Handle grub fix functions less strictly: if called on full read-only systems, log the information that the files can't be modified but do not fail. On such systems the expectation is that no fix code must be applied, and as such the fix function can be considered an optional step.
* Fixed root setup for encrypted overlay disk
* Change suffix for package manager config files
* Set security context after root sync: on selinux enabled image builds we call setfiles initially after the root tree is complete and after each script invocation that might change the system. However, the security context also applies to mount points, e.g. volumes, which only exist at the time when the root tree gets synced to the actual image binary. Thus this commit also calls setfiles on the mounted root tree after data sync.
* Fix broken doc link: rephrase chapter pointing to a documentation site at VMware. They are constantly changing their documentation URLs, and I'm tired of fixing this.
* Fix key slot selection for luks reencrypt: depending on the type setup for a luks encrypted image, there might be one or two key slots available. When kiwi is requested to perform the reencryption process, at least one key slot and the proper keyfile/passphrase must be provided. This commit stores the information about the key slot number for which decryption information exists in the initrd. In addition to the code change, the corresponding integration test image was also updated.
* Fixed test-image-gce integration test: python3-gcemetadata was renamed to python-gcemetadata
* Fixed integration test builds for TW: request dracut explicitly when needed
* Add support for filtering out files from the ESP image for GRUB: prior to this change, KIWI blindly synced the ESP directory into the embedded ESP image. Depending on the distribution and packages included for the created image, this can have undesirable side-effects. For image builds that need some more fine-grained control over the creation of the embedded ESP image (particularly for ISO images), this change introduces the ability to inject an exclusion list similar to what is used to filter out files for the root filesystem.
* Fix bundle extension for container types: when building result files that use container types like oci or docker, kiwi creates them as archive tarballs with an extension prefix to indicate the special nature of the archive. However, the bundler code does not retain the prefix, which results in the wrong file extension for these archives. This change adds exceptions for these types and refactors the exception handling to unify it with the Vagrant image filename handling, which operates similarly.
* Update LOADER_TYPE setup for grub: if the bootloader attribute bls is set to true, make sure the LOADER_TYPE changes to grub2-bls.
* Fix Agama PXE build: a bootloader setup is needed to create config.bootoptions. Even though a ramdisk deployment does not require a bootloader setup, we need it because part of the setup is the root device reference, which is still needed to pivot root into the system
* Fix firmware setting for Agama PXE image
* Added obs BUILD_FLAVOR for agama: required for multibuild (multiple profiles) build
* Update Agama integration test: split the build into two profiles, ISO and PXE, to differentiate the build results into a small Agama for remote installations and a standard Agama for iso based installations
* Prevent loading unused data in oem deployment: in case rd.kiwi.ramdisk is used as part of a remote deployment setup, it's not needed to load the system kernel and initrd, because they are not used, as kexec is not called with the system deployed into memory. For ramdisk deployments the system is booted using the currently active kernel and initrd, and as such we can avoid loading an extra kernel and initrd for booting the system via kexec.
* Update Agama integration test
* Added <oem-ramdisk-size> element: so far it was only possible to specify the size of the ramdisk via the kernel commandline option ramdisk_size. In a remote deployment it was therefore required to carry this size as mandatory information to the deployment server. With this commit we allow the size of the ramdisk to be configured as part of the image configuration, which makes this information also available inside of the initrd. If provided, the ramdisk_size kernel commandline option still takes precedence over the <oem-ramdisk-size> setting, to avoid any behavior change and to still allow dynamic overrides of the ramdisk size.
* Reinstall bootstrap packs in image phase for apt: due to the special bootstrap process, the packages unpacked during bootstrap are not properly listed in the apt index. Therefore the bootstrap packages are added to the install phase, which causes an install of these packages again to fix the apt index and provide a consistent system from an apt perspective.
* Fixed restore of keyfile after reencryption: when kiwi runs the reencryption it also restores an eventually existing keyfile. However, if the option rd.kiwi.oem.luks.reencrypt_randompass is specified, no former keyfile should be restored. The purpose of reencrypt_randompass is to make sure only this in-memory passphrase can access the luks pool, such that tooling at boot time gets the opportunity to work with the luks pool, e.g. for setting up a TPM key or setting a passphrase only known to the user.
* Update dracut kiwi-lib module setup: make sure all tools used in code are requested for inclusion
* Keep /usr/bin/sha256sum: dropping md5sum was okay, but now we need the current tool to verify the checksum
* Restrict keyfile permissions: for reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass, make sure that the temporary random pass keyfile has 0400 root-owned access permissions set
* package: Add kiwi-image:oci Provides to -systemdeps-containers: this allows the Open Build Service to correctly resolve dependencies when building OCI images.
* Better logging of which kiwi file is read: improve the log message that tells about reading the kiwi config file to actually show the file path that is read in. This is especially an issue if more than one kiwi file is read in during the build process.
* Also keep the ts binary; it might be needed to provide timestamped logfiles
* Update documentation: add information about new apk (Alpine) support
* Add support for Alpine: add apk repository and package manager support and provide an integration test build for the Alpine distribution
* Fix F824 flake check for global assignments
* Use metalink repos for local test builds
* schema: Allow C as a valid locale: it should be permitted to set the "C.UTF-8" locale for minimal images that are not preloaded with locales. The "C.UTF-8" locale has been supported in Linux distributions for many years.
* Support sourcetype setting on the commandline: allow specifying the sourcetype (metalink|baseurl|mirrorlist) also on the commandline via the --set-repo/--add-repo options. So far this was only possible as part of the kiwi description file
* Fix gh-pages deployment: poetry install was not called, thus sphinx was not present
* Drop use of travis-sphinx: according to the documentation of peaceiris/actions-gh-pages the sphinx-build output can be directly consumed to publish to github pages
* Allow stderr data in CommandProcess: enhance the poll_show_progress() method to allow polling on stderr data too. The new parameter with_stderr is used together with the dnf5 package manager. dnf5 has changed in a way that a lot of useful information during the install of packages is printed to stderr. From my perspective a clear regression to former behavior, but we can fix this in kiwi to poll on both channels.
* Support arch attribute for <users> section: allow setting up users per arch.
* Add Debian_12_update repo for testing with typer
* Fixed python3_sitelib for debbuild in OBS
* Fixed test-image-agama: service setup-systemd-proxy-env.path no longer exists
* Explicitly request shadow-utils: make sure shadow-utils gets installed for rawhide integration tests
* Drop test-image-suse-on-dnf test: this was just a "can this work" test but has no real relevance for users, since nobody would use dnf to build a suse image; there is also no help when it does not work. So let's drop this test build
* distutils sysconfig is deprecated
* Make integration tests build outside of OBS: update and extend all integration tests such that they also build outside of the Open Build Service. Along with the changes on the descriptions a simple build-tests.sh script was added to drive the build process. The build is based on the kiwi boxbuild plugin in container mode to build the tests from a given build-tests directory. A new chapter documenting how to build the build tests is also provided and referenced on the github main page.
* Add rd.kiwi.oem.luks.reencrypt_randompass: for OEM LUKS2 encrypted disk images in combination with rd.kiwi.oem.luks.reencrypt, reset the insecure build-time passphrase with a random one-time passphrase
* Lookup CHRP loader instead of using a static name
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-362=1
* SUSE Linux Micro Extras 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-362=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* dracut-kiwi-oem-repart-10.2.22-1.1
* dracut-kiwi-lib-10.2.22-1.1
* dracut-kiwi-oem-dump-10.2.22-1.1
* SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
* python3-kiwi-10.2.22-1.1
* kiwi-systemdeps-iso-media-10.2.22-1.1
* kiwi-systemdeps-bootloaders-10.2.22-1.1
* kiwi-systemdeps-core-10.2.22-1.1
* kiwi-systemdeps-filesystems-10.2.22-1.1
* kiwi-systemdeps-disk-images-10.2.22-1.1