SUSE-RU-2025:20443-1: moderate: Recommended update for python-kiwi
SLE-UPDATES
null at suse.de
Mon Jun 30 16:34:49 UTC 2025
# Recommended update for python-kiwi
Announcement ID: SUSE-RU-2025:20443-1
Release Date: 2025-06-20T14:28:38Z
Rating: moderate
References:
Affected Products:
* SUSE Linux Micro 6.1
* SUSE Linux Micro Extras 6.1
An update that can now be installed.
## Description:
This update for python-kiwi fixes the following issues:
Bump version: 10.2.21 → 10.2.22:
* Apply security context on writable root only
Make sure to perform setfiles only on a writable target. In case of a read-only
root it is expected that the security context set by kiwi in an earlier stage is
complete. As there is no way to modify data when root is read-only, there is
also no way to change the security context of any file such that we skip
setfiles in this case. Should there be a read-only system that has writable
partitions such as /boot and their content changes while the rest of the root
system is read-only, it is the responsibility of the author of the image
description to call setfiles only on the affected and still writable files via a
custom disk.sh script. Along with the fix the respective integration test was
modified to enable selinux such that this change is actually integration tested.
This Fixes #2805
* Docs: fix typo in users.rst
* Docs: minor punctuation and grammar fixes
* Give test-image-overlayroot enough space
* Allow ext2/ext3 as valid build target
stat reports the value 'ext2/ext3' which is a valid target
* Added check_target_dir_on_unsupported_filesystem
Add runtime check to make sure the selected target directory for the image
and/or the image rootfs lives on a filesystem that provides all required
features like extended permissions, ACLs or xattrs.
* Fix rd.kiwi.oem.luks.reencrypt_randompass workflow
When requesting a new random key prior to reencryption, make sure that this new key
is referenced in the current in-memory initrd crypttab such that all subsequent
tasks, e.g. luks resize, have permissions to complete while inside of this initrd
instance.
* Add support for new tarball-based WSL format
With the new image="wsl" type one can build a WSL container image that uses the
new tarball format. This Fixes #2678
* Update SL-Micro build test
For details see: https://build.opensuse.org/request/show/1272418
* Required read-only-root-fs for SL-Micro test build
Changes from the SL-Micro team require adaptations to the integration test
description.
* Delete fstab.script from SL-Micro test build
This was only needed when /var was an extra partition, but it's a volume with
copy-on-write disabled for some time
* Add systemd-resolved to TW integration tests
For some reason it's no longer part of the systemd standard installation.
Bump version: 10.2.20 → 10.2.21:
* Add dkms to test-image-embedded integration test
* Fixed access issue to etc/kernel for sdboot
In case of an overlayroot setup we have to make sure that etc/kernel is
writable. This is done by a bind mount of the ESP
* Update test-image-overlayroot
Add another build using grub instead of systemd-boot and use btrfs as write
partition instead of xfs. Please note this test requires a boot partition
because grub cannot read from erofs and unlike systemd-boot grub does not read
all boot data from the ESP.
* Fixed get_volume_management
If a volume capable filesystem like btrfs is requested, there must also be a
volume definition available to report that the volume management is actively
used. Just the request of the filesystem can also mean it's being used without
volumes like it could be the case for an overlayroot setup that requests btrfs
as write partition.
* Update test-image-overlayroot
Move to systemd-boot as bootloader, activate secure boot and drop the extra boot
partition. Use XFS for the write space
* Allow initrd updates on read-only devices
Move initrd to ESP for boot loaders that read data from there.
* Fix ordering issue for device assignment
Wrong assignment of a boot partition in overlayroot setup without boot partition.
* Add kiwi-settings package for TW
De-blacklist erofs to allow building integration tests with this filesystem.
* Switch to dracut-kiwi-verity
So far no luck with the systemd verity generator. This commit adds the parsing
of /etc/veritytab in the existing kiwi-verity dracut module and uses it in the
overlayroot integration test.
* Update test-image-overlayroot integration test
Switch to erofs for overlay testing. Additionally split the build into two
profiles. The first one just builds a simple overlayroot oem disk based on
erofs. The second one adds a veritysetup layer and configures the
systemd-veritysetup-generator for use in dracut. This Fixes #2799
* Add documentation for new attribute
Add details on how to use the new overlayroot_readonly_filesystem attribute.
* Add support for selecting the overlay read-only fs
Add the new overlayroot_readonly_filesystem attribute, which allows selecting
either squashfs or erofs as the read-only filesystem in an OEM overlay disk
setup.
* Fixed root setup for verity overlay disk
When building an image with overlayroot set to true and activated verity data,
the root= parameter must be set to root=overlay:MAPPER=verityroot instead of the
standard overlay:PARTUUID mapping.
* Make sure the verity record has a superblock
* Drop distro specific runtime check
The check_efi_mode_for_disk_overlay_correctly_setup exists because shim-install
does not work on read-only devices. However, shim-install is a SUSE only tool
that runs a SUSE specific secure boot setup. For other secure boot processes
this runtime check is not useful. As runtime checks aim to be generally useful,
this one gets dropped.
* Fix root clone size setup
If the root_clone attribute is specified without providing a fixed size for the
system, kiwi estimates the size needed for the root part and assigns the rest to
the clone. This leads to different partition sizes for the root clones. As per
definition of a clone the expectation is that the size is the same, this commit
changes the behavior such that the calculated size for the system is applied to
the origin root and all its clones. As a consequence this can leave
unpartitioned space free in the image. This Fixes #2463
Bump version: 10.2.19 → 10.2.20:
* Fix reencryption master key passphrase
Make sure to use the correct passphrase for the master key such that it can be
decrypted with the same credentials as before. The credentials reset is a
subsequent task after reencryption.
Bump version: 10.2.18 → 10.2.19:
* Fixed targettype setup in zipl.conf
The special targettype set to GPT still indicates SCSI for the zipl.conf but
tells kiwi to create a GPT disk layout
* Fixed s390 integration test
The targettype attribute was in the wrong section.
* Add support for GPT targettype on s390
Allow to build s390 images using GPT instead of the old DOS partition table.
zipl has added support to read from GPT. This Fixes #2694
* Add --no-compress option to bundler
Allow to skip the compression for bundle files marked to become compressed. This
Fixes #2736
* Rawhide (F43) has removed basesystem package
The basesystem package was retired with rawhide (F43).
https://src.fedoraproject.org/rpms/filesystem/pull-request/20
* Rawhide: install shadow-utils for usermod
Using `kiwi-ng` version 10.2.18 (EL9)
Currently with:
```
sudo kiwi-ng system build \
  --description kiwi/build-tests/x86/fedora/test-image-docker \
  --set-repo http://ftp.fau.de/fedora/linux/development/rawhide/Everything/x86_64/os/ \
  --target-dir /tmp/myimage1
```
This fails with:
```
[ INFO ]: 09:46:38 | Setting up user root
[ INFO ]: 09:46:38 | --> Modifying user: root
[ INFO ]: 09:46:38 | --> Primary group for user root: root
[ ERROR ]: 09:46:38 | KiwiCommandError: chroot: stderr: /sbin/chroot: failed to run command ‘usermod’: No such file or directory
```
Install the package `shadow-utils` to provide `usermod`.
* Fixed default bls value setup
Fixed get_build_type_bootloader_bls behavior in case the bls attribute is not
set. In this case get_bls() returns a None value which was returned. However in
this case the attribute value should not be taken into account and the method
defined default value for bls should be returned. This Fixes #2542
Bump version: 10.2.17 → 10.2.18:
* Fix setup of use_disk_password for random secret
When using luks="random" in combination with use_disk_password="true" the
resulting cryptomount call in grub is wrong. This commit fixes it
* Drop copying GRUB2 modules to /boot with Secure Boot UEFI images
Copying the modules creates a situation where future updates applied to a
running system can cause GRUB to crash due to mixed modules and GRUB EFI
binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have all modules
compiled into the binaries.
Fixes: https://github.com/OSInside/kiwi/issues/2790
* Make sure editbootinstall runs offline
editbootinstall expects the system to be unmounted.
* Make sure post sync actions are in scope
* Follow up fix for overlayroot builds for EFI path
Only perform the boot overlay if there is an extra boot partition
* Only remove entries from exclude list if present
* Fix overlayroot builds for EFI path
Make sure to keep the boot/efi mountpoint directories in the read-only area as they
can't be created later.
* doc: overview: Add list of supported Linux distributions
These are the Linux distributions that are developed and actively tested for
with the latest kiwi releases.
This should offer greater clarity about what we're able to support as an
upstream project.
* Fixed mount of image system for volume managers
The ImageSystem.mount() method implemented its own handling for mounting the
volumes of a volume manager based system. First and foremost this duplicates
code that already exists in the respective VolumeManager implementation and
second, the code behaved incorrectly in case of btrfs when there is no default
subvolume configured.
* Handle grub fix functions less strict
If called on full read-only systems, log the information that the files can't be
modified but do not fail. On such systems the expectation is that no fix code
must be applied and as such the fix function can be considered an optional step.
* Fixed root setup for encrypted overlay disk
When building an image with overlayroot set to true and activated luks
encryption, the root= parameter must be set to root=overlay:MAPPER=luks instead
of the standard overlay:PARTUUID mapping. This Fixes #2776
* Change suffix for package manager config files
Use .config instead of .conf for the temporary package manager config files.
Reason for this change is a bug in dracut which reads and executes all /*.conf
files from the system. This Fixes #2780
* Set security context after root sync
On selinux enabled image builds we call setfiles initially after the root tree
is complete and after each script invocation that might change the system.
However the security context also applies to mount points, e.g. volumes, which only
exist at the time when the root tree gets synced to the actual image binary.
Thus this commit also calls setfiles on the mounted root tree after data sync.
This Fixes rh#2333743
* Fix broken doc link
Rephrase chapter pointing to a documentation site at VMware. They are constantly
changing their documentation URLs, to the point that I'm tired of fixing this.
This Fixes #2782
Bump version: 10.2.16 → 10.2.17:
* Fix key slot selection for luks reencrypt
Depending on the type setup for a luks encrypted image, there might be one or
two key slots available. When kiwi is requested to perform the reencryption
process at least one key-slot and the proper keyfile/passphrase must be
provided. This commit stores the information about the key-slot number for which
a decryption information exists in the initrd. In addition to the code change
also the corresponding integration test image was updated.
* Fixed test-image-gce integration test
python3-gcemetadata was renamed to python-gcemetadata
* Fixed integration test builds for TW
Request dracut explicitly when needed
* Add support for filtering out files from the ESP image for GRUB
Prior to this change, KIWI blindly synced the ESP directory into the embedded
ESP image. Depending on the distribution and packages included for the created
image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the creation of
the embedded ESP image (particularly for ISO images), this change introduces the
ability to inject an exclusion list similar to what is used to filter out files
for the root filesystem.
Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777
* Fix bundle extension for container types
When building result files that use container types like oci or docker, kiwi
creates them as archive tarballs with an extension prefix to indicate the
special nature of the archive. However, the bundler code does not retain the
prefix, which results in the wrong file extension for these archives.
This change adds exceptions for these types and refactors the exception handling
to unify it with the Vagrant image filename handling, which operates similarly.
Fixes: https://github.com/OSInside/kiwi/issues/2628
* Update LOADER_TYPE setup for grub
If the bootloader attribute: bls is set to true, make sure the LOADER_TYPE
changes to grub2-bls. This is related to Issue #2773
* Fix Agama PXE build
A bootloader setup is needed to create config.bootoptions. Even though a ramdisk
deployment does not require a bootloader setup, we need it because part of the
setup is the root device reference, which is still needed to pivot root into the
system.
* Fix firmware setting for Agama PXE image
* Added obs BUILD_FLAVOR for agama
Required for multibuild (multiple profiles) build
* Update Agama integration test
Split the build into two profiles ISO and PXE to differentiate the build results
into a small Agama for remote installations and a standard Agama for iso based
installations
* Prevent loading unused data in oem deployment
In case rd.kiwi.ramdisk is used as part of a remote deployment setup, it's not
needed to load the system kernel and initrd because it's not used as kexec is
not called with the system deployed into memory. For ramdisk deployments the
system is booted using the currently active kernel and initrd and as such we can
avoid loading an extra kernel and initrd for booting the system via kexec.
* Update Agama integration test
Make use of <oem-ramdisk-size> in the Agama integration test
* Added <oem-ramdisk-size> element
So far it was only possible to specify the size of the ramdisk via the kernel
commandline option: ramdisk_size. In a remote deployment it was therefore
required to carry this size as a mandatory information to the deployment server.
With this commit we allow to specify the size for the ramdisk to be configured
as part of the image configuration which makes this information also available
inside of the initrd. If provided the ramdisk_size kernel commandline option
still takes precedence over the <oem-ramdisk-size> setting to avoid any behavior
change and to still allow dynamic overrides of the ramdisk size.
* Reinstall bootstrap packs in image phase for apt
Due to the special bootstrap process, the packages unpacked during bootstrap are
not properly listed in the apt index. Therefore the bootstrap packages are added
to the install phase, which causes an install of these packages again to fix the
apt index and provide a consistent system from an apt perspective. This Fixes
#2768
* Fixed restore of keyfile after reencryption
When kiwi runs the reencryption it also restores an eventual existing keyfile.
However if the option rd.kiwi.oem.luks.reencrypt_randompass is specified no
former keyfile should be restored. The purpose of reencrypt_randompass is to
make sure only this in memory passphrase can access the luks pool such that
tooling at boot time gets the opportunity to work with the luks pool for e.g.
setting up a TPM key or set a passphrase only known to the user.
* Update dracut kiwi-lib module setup
Make sure all tools used in code are requested for inclusion
* Keep /usr/bin/sha256sum
Dropping md5sum was okay, but now we need the current tool to verify the
checksum.
* Restrict keyfile permissions
For reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass make
sure that the temporary random pass keyfile has 0400 root owned access
permissions set
* package: Add kiwi-image:oci Provides to -systemdeps-containers
This allows the Open Build Service to correctly resolve dependencies when
building OCI images.
* Better logging which kiwi file is read
Improve the log message that tells about reading the kiwi config file to
actually show the file path that is read in. This is especially an issue if more
than one kiwi file is read in during the build process.
* Also keep the ts binary; it might be needed to provide timestamped logfiles
* Update documentation
Add information about new apk (Alpine) support
* Add support for Alpine
Add apk repository and package manager support and provide an integration test
build for the Alpine distribution
* Fix F824 flake check for global assignments
* Use metalink repos for local test builds
* schema: Allow C as a valid locale
It should be permitted to set the "C.UTF-8" locale for minimal images that are
not preloaded with locales. The "C.UTF-8" locale has been supported in Linux
distributions for many years.
Bump version: 10.2.15 → 10.2.16:
* Support sourcetype setting on the commandline
Allow to specify the sourcetype (metalink|baseurl|mirrorlist) also on the
commandline via the --set-repo/--add-repo options. So far this was only possible
as part of the kiwi description file.
Bump version: 10.2.14 → 10.2.15:
* Fix gh-pages deployment
poetry install was not called, thus sphinx was not present
Bump version: 10.2.13 → 10.2.14:
* Drop use of travis-sphinx
According to the documentation of peaceiris/actions-gh-pages the sphinx-build
output can be directly consumed to publish to github pages
* Allow stderr data in CommandProcess
Enhance poll_show_progress() method to allow polling on stderr data too. The new
parameter with_stderr is used together with the dnf5 package manager. dnf5 has
changed in a way that a lot of useful information during the install of packages
is printed to stderr. From my perspective a clear regression to former behavior
but we can fix this in kiwi to poll on both channels. This Fixes #2748
* Support arch attribute for <users> section
Allow to setup users per arch. This Fixes #2737
* Add Debian_12_update repo for testing with typer
Even though we will add support for the typer CLI with kiwi-11, I want our
integration test images to be able to build with the open PR #2751. Debian 12 is
the only target in the support matrix which uses a too old version of typer.
Therefore, to be able to test this target, I built a newer version of typer in an
update repo for Debian 12 and added it to the integration test description.
* Fixed python3_sitelib for debbuild in OBS
* Fixed test-image-agama
Service setup-systemd-proxy-env.path no longer exists
* Explicitly request shadow-utils
Make sure shadow-utils gets installed for rawhide integration tests
* Drop test-image-suse-on-dnf test
This was just a "can this work" test but has no real relevance for users since
nobody would use dnf to build a suse image, there is also no help when it does
not work. So let's drop this test build
* distutils sysconfig is deprecated
Move to sysconfig module
* Make integration tests to build outside of OBS
Update and extend all integration tests such that they also build outside of the
Open Build Service. Along with the changes on the descriptions a simple
build-tests.sh script was added to drive the build process. The build is based on
the kiwi boxbuild plugin in container mode to build the tests from a given
build-tests directory. A new chapter to document how to Build the Build Tests is
also provided and referenced on the github main page.
* Add rd.kiwi.oem.luks.reencrypt_randompass
For OEM LUKS2 encrypted disk images in combination with
rd.kiwi.oem.luks.reencrypt, reset the insecure build-time passphrase with a random
one-time passphrase.
Bump version: 10.2.12 → 10.2.13:
* Lookup CHRP loader instead of using a static name
On ppc the CHRP loader name can vary between distributions. This commit adds a
search method to look up different ELF loader names. In addition an integration
test image for Fedora was added. This Fixes #2741
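The following is an added example, not kiwi's own code, of the kind of runtime check described in the "Added check_target_dir_on_unsupported_filesystem" and "Allow ext2/ext3 as valid build target" entries above: it classifies the filesystem type name that `stat -f` prints (treating 'ext2/ext3' as valid) and confirms the verdict with a live xattr probe, since a target directory without xattr support cannot carry the SELinux labels that setfiles applies. The set of supported type names, the function names and the `user.kiwi_probe` attribute name are assumptions of this example.

```python
import errno
import os
import subprocess
import tempfile
from typing import Optional

# Filesystem type names as printed by `stat -f -c %T`. This set is an
# assumption made for the example, not kiwi's own list: these types are
# taken to provide xattrs, ACLs and full POSIX permissions. Note that stat
# reports ext2, ext3 and ext4 under the single name 'ext2/ext3'.
SUPPORTED_FS_TYPES = {'ext2/ext3', 'xfs', 'btrfs', 'f2fs', 'tmpfs'}


def fs_type_supported(fs_type: str) -> bool:
    """Classify a `stat -f -c %T` type name as fit for an image rootfs."""
    return fs_type.strip().lower() in SUPPORTED_FS_TYPES


def fs_type_name(path: str) -> str:
    """Ask stat(1) which filesystem type backs `path` (Linux coreutils)."""
    return subprocess.check_output(
        ['stat', '-f', '-c', '%T', path], text=True
    ).strip()


def probe_xattr_support(path: Optional[str] = None) -> Optional[bool]:
    """Set and read back a user xattr on a scratch file inside `path`.

    Returns True when xattrs work, False when the filesystem refuses them
    (ENOTSUP) and None when the platform has no xattr API at all. Without
    xattrs a SELinux security context cannot be stored, so setfiles on the
    built tree would silently achieve nothing.
    """
    if not hasattr(os, 'setxattr'):
        return None
    path = path or tempfile.gettempdir()
    with tempfile.NamedTemporaryFile(dir=path) as scratch:
        try:
            os.setxattr(scratch.name, 'user.kiwi_probe', b'1')
            return os.getxattr(scratch.name, 'user.kiwi_probe') == b'1'
        except OSError as err:
            if err.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENODATA):
                return False
            raise


def check_target_dir(path: Optional[str] = None) -> dict:
    """Runtime check: is `path` on a filesystem fit for building an image?

    Combines the type-name classification with the live xattr probe so an
    unknown or misclassified type (e.g. an overlay mount) still gets a real
    answer; 'ok' is True only when both signals agree.
    """
    path = path or tempfile.gettempdir()
    fs_type = fs_type_name(path)
    by_name = fs_type_supported(fs_type)
    by_probe = probe_xattr_support(path)
    return {'path': path, 'fs_type': fs_type, 'supported_by_name': by_name,
            'xattr_probe': by_probe, 'ok': by_name and by_probe is True}


if __name__ == '__main__':
    print(check_target_dir())
```

Run it with the intended --target-dir as argument to check_target_dir() before starting a build; a False 'xattr_probe' on an otherwise plausible type name is the case the runtime check exists to catch.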
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.1
zypper in -t patch SUSE-SLE-Micro-6.1-152=1
* SUSE Linux Micro Extras 6.1
zypper in -t patch SUSE-SLE-Micro-6.1-152=1
## Package List:
* SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
* dracut-kiwi-lib-10.2.22-slfo.1.1_1.1
* dracut-kiwi-oem-dump-10.2.22-slfo.1.1_1.1
* dracut-kiwi-oem-repart-10.2.22-slfo.1.1_1.1
* SUSE Linux Micro Extras 6.1 (aarch64 ppc64le s390x x86_64)
* python3-kiwi-10.2.22-slfo.1.1_1.1
* kiwi-systemdeps-core-10.2.22-slfo.1.1_1.1
* SUSE Linux Micro Extras 6.1 (noarch)
* python311-xmltodict-0.13.0-slfo.1.1_1.2
* python311-docopt-0.6.2-slfo.1.1_1.2