<div class="container">
<h1>Recommended update for python-kiwi</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:20172-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-04-01T10:26:32Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1214824">bsc#1214824</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221469">bsc#1221469</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221790">bsc#1221790</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1223374">bsc#1223374</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224389">bsc#1224389</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228118">bsc#1228118</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228729">bsc#1228729</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228741">bsc#1228741</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229257">bsc#1229257</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1235448">bsc#1235448</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1237772">bsc#1237772</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
<li class="list-group-item">SUSE Linux Micro Extras 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has 11 fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-kiwi fixes the following issues:</p>
<ul>
<li>Bump version: 10.2.11 to 10.2.12</li>
<li>Fix profile env variable name regression
In the effort of adapting to the latest snapper in Issue #2697
we overlooked the after effect of a different variable name
in the profile environment with regards to $kiwi_btrfs_root_is_snapshot
and $kiwi_btrfs_root_is_snapper_snapshot. Image builds that
references the former variable name would be broken by the change.
This commit makes sure no regression is introduced by providing
both variants (bsc#1237772).</li>
<li>Fix grub mkimage call for the ppc platform
The list of modules used to create a grub platform image for
ppc was the same list as used for the x86 bios platform.
This commit fixes this and also cleans up the inconsistency
and misleading names used for creating platform specific
output.</li>
<li>Bump version: 10.2.10 to 10.2.11</li>
<li>Update box plugin documentation
Add chapter about new container build feature. The
box plugin can now also run the build in containers</li>
<li>The ubuntu 20.04 github runner is closing down
Make sure to move to another runner for workloads which
still uses ubuntu 20.04</li>
<li>Bump version: 10.2.9 to 10.2.10</li>
<li>Poetry build sdist timestamps set to epoch 0
Newer versions of poetry set the timestamp for all source
files to epoch 0. Such sources are not accepted by e.g
Debian FTP servers and in general I don't like when tools
changes their behavior just like that. This commit forces
an older version of poetry for the purpose of creating the
sdist tarball which then gets published on pypi. The
argumentation for reproducible builds by forcing source
files to a certain timestamp doesn't fly for me. I'm open
for any better solution though.</li>
<li>Bump version: 10.2.8 to 10.2.9</li>
<li>Classify missing chkstat as debug message
chkstat is a distribution specific tool. If it is
present we use it, if not we don't but it's not worth
a warning.</li>
<li>Allow to run setfiles multi threaded
Use option -T0 for newer setfiles version.</li>
<li>Add rd.kiwi.dialog.timeout option
Allow to configure the timeout value for dialogs displayed
by the kiwi dracut code. By default the timeout is set to
60 seconds. With the special value "off" the dialog will
never timeout.</li>
<li>Make sure copy actions does not drop context
Use shutil.copy2 to copy files preserving their
attributes in the grub BootLoader space.</li>
<li>Improve unit test for archive target_dir
Add a test case with absolute path in the target_dir
to make sure we never unpack the archive to the host
system.</li>
<li>Fixed profiled overlay imports
When building an image for profile: SOME and providing
an overlay directory named SOME/... kiwi will sync the
contents of this overlay directory to the root tree.
However it took the toplevel name SOME/ into account
which is unwanted because only the sub data structure
should be synced into the new root tree. This</li>
<li>Bump version: 10.2.7 to 10.2.8</li>
<li>Use multipath child instead of parent device
On multipath systems we need to find underlying child device
instead of using parent device.
This prevents listing all parent devices for a multipath device</li>
<li>Increase size for agama integration test build
Agama needs more space to build now</li>
<li>Fixed agama integration test
rubygem-byebug and rubygem-agama-yast seems to
no longer exist</li>
<li>Update TW integration tests
Package nscd was dropped from TW</li>
<li>Fix documentation regarding URI styles
In reference to commit 760a65558f9e2e91d3eaa3a2f9503ff596984b48
the support for iso:// URI types was dropped some time ago.
However, the documentation was not properly updated. This
commit fixes it</li>
<li>Fix return value of grub helper methods
The grub helper methods to find grub tools returns a
None value if the tool cannot be found. This None value
could be used later in a Command call where it will be
used in a join() command to log the resulting commandline.
This join() call then fails and raises an unhandled error
causing a stack trace in the application. This commit
fixes it</li>
<li>Added disk validation for duplicate installs
Installing the same image to different storage disks on the
same machine creates device conflicts with unexpected side
effects. This commit adds a validation based on the PTUUID
of the disk image to check if another device on the system
has the same ID and if yes, does not allow to install the
image again including a message which device takes the same
identifier. This references bsc#1228741</li>
<li>Fixed documentation for signing key attribute
The source locator name for local files was incorrect</li>
<li>Bump version: 10.2.6 to 10.2.7</li>
<li>Update documentation
Added a new troubleshooting chapter as subsection to
the Build Host Constraints named Package Manager Behavior.
It serves the purpose to describe options for the customer
to change the default package manager behavior which
we from the kiwi side do not influence intentionally.
This is a followup change to bsc#1235448</li>
<li>Drop still present tox artifacts
There were still some left over tox files and the
documentation contribution chapter was also wrong at
several places</li>
<li>Add support for reading optional pkgmgr env file
If there is a file .kiwi.package_manager.env in the root of
the image tree it will be read and put into the caller environment for
the selected package and repository manager. There are features
in e.g zypper which can only be used via env variables (bsc#1235448).</li>
<li>Auto convert unit test XML data to schema v8.3</li>
<li>Rename btrfs_root_is_snapshot
Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot.
This happens in preparation for the changes suggested in #2697
where we want to get rid of snapper specific btrfs code which
will be available in snapper natively soon. To make sure a btrfs
layout specific to snapper(and SUSE), the implicitly used attribute
named btrfs_root_is_snapshot now becomes explicit and its new
name will indicate that snapper sits behind it. Along with the
rename a XSLT stylesheet to automatically convert the old name
into the new name for schema v8.3 will be performed.</li>
<li>Bump version: 10.2.5 to 10.2.6</li>
<li>Fixed donate button target</li>
<li>Added LUKS reencryption support
Added rd.kiwi.oem.luks.reencrypt boot option consumed by the
kiwi-repart dracut module. For OEM LUKS2 encrypted disk images.
If set, reencrypts the disk prior an eventual resize and therefore
creates a new key pool and master key. The reencryption is advisable
if the image binary is not protected. With access to the image
binary it's possible to extract the luks header which then allows to
decrypt the data unless it was reencrypted. The reencryption process
only runs if the checksum of the luks header still matches the one
from the original disk image. Be aware that the reencryption will
ask for the passphrase if the image has been built with an initial
luks passphrase.</li>
<li>Fixed arm/tumbleweed/test-image-rpi
No ruby required for this integration test build</li>
<li>Plain zipl loader needs boot partition
If the rootfs is something zipl cannot read, we need an
extra boot partition using a supported filesystem</li>
<li>Fixed IBM-Cloud-Standard profile
The test-image-MicroOS integration test builds an IBM-Cloud-Standard
profile as encrypted variant with a random key that is not protected
by an encrypted boot image. This doesn't make sense. Thus the
encryption setup for the IBM cloud standard build got removed.
Use the IBM-Cloud-Secure-Execution profile to test encrypted
secure linux builds</li>
<li>Fixed test-image-qcow-openstack
rsh package was dropped from TW</li>
<li>Fix genprotimg for s390 builds
A recent change on genprotimg now forbids to use --cert in
combination with --no-verify, even though this was allowed
before.</li>
<li>Fix documentation for repo, package gpg settings
In contrast to the documentation, kiwi sets default values
for any gpg setting if not explicitly specified differently.
We want to avoid to inherit a behavior from how the distribution
packages the package manager. This commit fixes the documentation
to be in line with the implementation</li>
<li>Drop insecure and unsupported md5 digest
Decommission the Checksum.md5() method and move all places
in code to sha256(). The md5 digest is considered insecure
and has also been removed from hashlib as a supported digest.</li>
<li>Fix config functions action
The action failed on the setup of the runtime because the upgrade
of pip failed.</li>
<li>Bump version: 10.2.4 to 10.2.5</li>
<li>Changed systemfiles provider
Instead of providing a static list of filenames, provide a list
of package names. It is expected that the pilot of flake-pilot
resolves this list against the local package database to build
up the filelist for provisioning</li>
<li>Bump version: 10.2.3 to 10.2.4</li>
<li>Update system files setup for containers
The attribute provide_system_files creates a meta file in the
root tree named 'systemfiles'. The contents of this file were
produced by just a dump of the package database so far. For
a more generic use of this data some adaptions were needed.
First we allow to skip packages matching a pattern from being
part of the system files. Next we do not put ghost and doc
files into account. And last we handle library files in a different
file named 'systemfiles.libs' where we do not add symlink targets
if the target path is also part of the package. The consumer
of this information is flake-pilot which syncs that library system
files from the host via --copy-links. This allows a more generic
use with regards to versioned libraries e.g. libc</li>
<li>Drop /dev/pts from bind mount locations
This has created havoc in the Fedora build environments by
fully unmounting /dev/pts and breaking the builders for
subsquent tasks.
This is a partial revert of commit daf1323c5ded7e4e7783205f5e30457b40eb322f.</li>
<li>Don't take ghost files into account
When creating the system files information do not
take ghost files and artifact files into account</li>
<li>Bump version: 10.2.2 to 10.2.3</li>
<li>Update STYLEROOT to SUSE 2022</li>
<li>Fix broken links in the documentation</li>
<li>Fix legacy_bios_mode detection
The code in this method does not work correctly if the
firmware is set to 'bios'. In bios only mode the method
returned a false value which is incorrect as it should
return a true value in this case. Without this patch
ISO images will fail to boot because no loader gets
configured.</li>
<li>Added /dev/pts to bind mount locations
During runtime several kernel filesystems are bind mounted into
the image root system such that programs expecting it can work.
/dev/pts was not needed so far but seems to be a good addition
to the list to make tools like sudo to work properly when called
e.g. from a config.sh script.</li>
<li>xorriso: respect efiparttable and gpt_hybrid_mbr
This should make the xorriso-based ISO build path respect the
'efiparttable' and 'gpt_hybrid_mbr' settings when building a
UEFI-compatible image, making it write a GPT disk label by default
instead of an MBR (msdos) one. If it's building an image that is not
UEFI-compatible it will always write an MBR label, regardless of
this setting.
If 'gpt_hybrid_mbr' is set, xorriso will write an Ubuntu-style
MBR/GPT hybrid partition table, where the MBR partition table
includes a partition with type 00 and the bootable flag, as well
as the partition with type ee required by the UEFI spec. This
mildly violates the UEFI spec but may make the image bootable on
native BIOS or CSM firmwares which refuse to boot from a disk with
no partition marked 'bootable' in the MBR. If 'gpt_hybrid_mbr' is
not set, xorriso will write a strictly UEFI-spec compliant label,
with just the 'protective MBR' required by the UEFI spec (no
bootable partition) and the correct GPT partition table. Note
this is somewhat different from what gpt_hybrid_mbr does for
disk images.
Also, we now pass -compliance no_emul_toc when building ISOs, as
recommended by upstream in
https://lists.gnu.org/archive/html/bug-xorriso/2024-11/msg00012.html
This tool is generally always going to be building ISOs intended
for write-once use, not multi-session use (and which are rarely,
these days, written to physical discs at all anyway).</li>
<li>Added provide/require system files for containers
Added the attributes provide_system_files and require_system_files
to control the provider and requester of system files in
container image builds. systemfiles is a metadata file which
contains all files from the package database at call time.
It is used in flake-pilot to provision the systemfiles data
from the host into the container instance. One possible use
case for this data is a flake registration which uses a
base container that is derived from a runtime container but
all data from the runtime should be provisioned from the
host. Using this feature tightly couples the flake to the
host OS distribution and version.</li>
<li>Bump version: 10.2.1 to 10.2.2</li>
<li>Fix scope issue
Increase livetime of the the compressor instances
to the livetime of RootImportOCI. They create temporary
files which are referenced later and need to live longer
than the block they got created in</li>
<li>Bump version: 10.2.0 to 10.2.1</li>
<li>Fixed use of fscreateoptions for iso type
The information for fscreateoptions was not passed along to the
tooling if a custom filesystem attribute was specified.</li>
<li>Allow to derive from multiple containers
Add support for multi inheritance to the derived_from attribute
In the order of a comma seperated list of docker source URI's
a base tree is created. This was possible only with one container
so far and Fixes #2680 as well as jira#OBS-354</li>
<li>Bump version: 10.1.18 to 10.2.0</li>
<li>Add selinux test build to TW
Also update derived docker integration test to latest Leap</li>
<li>kiwi/schema: Fix allowed value type for ISO publisher and application ID
According to the spec, this should be constrained to 128 characters
but also allow quite a few other special characters (as well as spaces).
We didn't allow spaces in application ID, but allowed too much for Publisher.
Now we set up both correctly.</li>
<li>Fix setup of kiwi environment variables
Some kiwi env vars are initialized with an empty value
and not overwritten if another value is provided. For
the selected variables an empty value setting is not
allowed because the schema also enforces the value to
be set at least once. In addition a helpful option
named --print-kiwi-env was added to the 'image info'
command which allows to print the environment variables
and their values.</li>
<li>Add random key support for LUKS encryption
Allow to pass luks="random". In random mode use the
generated keyfile as the only key to decrypt. This is
only secure if the generated initrd also gets protected
e.g. through encryption like it is done with the secure
linux execution on zSystems</li>
<li>Added development group in pyproject setup
generateDS and other tools are needed and were forgotten
to be added when we deleted the tox dependency</li>
<li>Added containers integration with OBS
When building in the Open Build Service (OBS) there is no way
to create outgoing connections from the build workers. To allow
the containers section to fetch containers from the SUSE
registry we need to apply an OCI URI translation into a local
path. The actual OCI container image is expected to be provided
by the obs backend on the worker. Along with this commit also an
integration test named test-image-disk-containers is provided (jira#OBS-351).</li>
<li>Fix rendering of SUSE docs
The SUSE documentation is produced through a conversion
of the ReST source into docbook. The name kiwi is reserved
in the index and needs to be referenced as kiwi-ng when
used as command.</li>
<li>Remove tox dependency
tox was used as sort of a make target to run unit tests
and more in a python virtualenv. However, since we switched
everything to poetry it's no longer needed to let tox create
the python virtual environments. This commit moves the tox
targets into the Makefile and adapts the github workflow
files accordingly. In addition the scripts container based
tests were re-activated and fixed such that they succeed
again.</li>
<li>Fix make build target
Move the actions done by the tox target into the
build target and call them there in a clean and easy
to spot sequence. There is no need to call tox to
prepare for the package submission, instead the
checks and poetry runs to prepare for the package
target should be called directly as part of the
build target. In the future we might get rid of
tox completely.</li>
<li>Bump version: 10.1.17 to 10.1.18</li>
<li>Fixed zipl caller environment
zipl gets confused with an active sysfs mount inside
the root tree at call time of zipl. This commit
umounts the /sys bind mount in the image tree prior
calling zipl</li>
<li>Fix s390 test-image-disk build
Add missing kernel links used by suse tools</li>
<li>Bump version: 10.1.16 to 10.1.17</li>
<li>Fix coloring of build_status.sh flags
Depending on the place of the status flag the color
setup might fail. This commit fixes it</li>
<li>Add pytest-container as optional dependency
The pyproject.toml listed pytest-container as dependency
but it is used only to run the container based integration
tests for the shell helper methods. For building the package
this dependency should not be pulled in</li>
<li>Fix networking in erofs integration test
The network setup was systemd-networkd based but
the provided network config was not for systemd</li>
<li>Bump version: 10.1.15 to 10.1.16</li>
<li>Fix erofs requires in spec
erofs-utils for SUSE only exists in Tumbleweed. The
former conditon would also add the requirement for ALP
and SLFO which is wrong. This commit fixes it</li>
<li>Add vagrantconfig rule for vagrant format
If the format="vagrant" attribute is set, a vagrantconfig
section becomes mandatory. This commit enforces this rule
on the schema.</li>
<li>Bump version: 10.1.14 to 10.1.15</li>
<li>Fixed sphinx_rtd_theme setup
Delete obsolete display_version attribute</li>
<li>Evaluate eficsm everywhere
Fixed _supports_bios_modules() to take an eventually
provided eficsm setup into account. The grub config still
searches for i386 grub modules even if eficsm="false"
is set.</li>
<li>Fixed debian bootstrap script calls
Run scripts as commands with their native shebang and not
through bash. Not all debian package scripts uses bash, some
of them uses sh which can be a link to dash or other
interpreters.</li>
<li>Update TW integration tests
The package x86info was dropped from TW</li>
<li>Turn DiskFormat into an ordinary class</li>
<li>it does not need to be an abstract base class</li>
<li>use f-strings where applicable instead of format()</li>
<li>change return type of _custom_args_for_format from list to tuple</li>
<li>Add new containers section
Allow to specify references to OCI containers in the
image description
During the kiwi process the containers are fetched into a
temporary location and a systemd service is configured to
one time load the containers into the local registry at
first boot of the system.</li>
<li>Bump version: 10.1.13 to 10.1.14</li>
<li>Revert "Install usrmerge for Debian integration test"
This reverts commit 95ac861741f14c4f35611c16328384c18e53dcfb.
Solution needs to be provided in code</li>
<li>Install usrmerge for Debian integration test</li>
<li>Support older apt versions for bootstrap</li>
<li>Run package scripts in apt bootstrap phase
The bootstrap procedure based on apt only runs a manual
collection of package scripts. This commit refactors the
code that unpacks the bootstrap packages to a python
implementation and adds a method to run the bootstrap
scripts from all packages resolved by apt.</li>
<li>Bump version: 10.1.12 to 10.1.13</li>
<li>Fix bundle extension for vagrant type
When bundling result files that uses a vagrant type,
kiwi creates them with the extension .vagrant.virtualbox.box
or .vagrant.libvirt.box. The bundler code renames them using
only the .box suffix which is too short as it is missing
the subformat information. This commit fixes it and keeps
this information in the result bundle file name.</li>
<li>Use simple quotas (squota) for volumes</li>
<li>Add quota attribute to volume section
Allow to set quota per volume for the btrfs filesystem</li>
<li>Fix globbing with exclude with regex
This fixes a collection of bugs when producing erofs images.
On one hand, this ensures that an exclude of <code>/sys</code> doesn't accidentally
match <code>/lib/libsystemd.so</code>, only <code>/sys/whatever</code>.
On the other hand, this ensures that <code>/dev/*</code> does match <code>/dev/vda</code> and
not just <code>/dev///////////</code>.
This fixes libsystemd.so getting dropped in Kiwi-built FEX images.</li>
<li>Honour custom exclude for filesystem builds
All other call sites honour the custom exclude file, it's just this one
that needs to be fixed. This unblocks use of Kiwi for generating FEX
rootfs.</li>
<li>test: storage: update clone_device tests with new block size</li>
<li>storage: clone_device: increase dd block size
Increasing the block size used for dd reduces the time needed to clone a
device.</li>
<li>Bump version: 10.1.11 to 10.1.12</li>
<li>Add missing erofscompression validation
In the filesystem builder I forgot to evaluate the
erofscompression attribute.</li>
<li>Include PI and comments in XSL stylesheets
So far comments and processing instructions (PI) were
ignored when applying the XSL stylesheets. This commit
updates all stylesheets to take them into account</li>
<li>Bump version: 10.1.10 to 10.1.11</li>
<li>doc: Add login information test build test images</li>
<li>Bump version: 10.1.9 to 10.1.10</li>
<li>bootloader: Fix up ppc64 bootinfo again
To make the code look pretty extra newline is inserted at the start of
bootinfo file. This appears to break boot on Power9 PowerVM LPARs.</li>
<li>Add support for erofs
erofs is an alternative readonly filesystem that can be
used as alternative to squashfs.</li>
<li>Fixed enclave integration test
The SELinux policy of Fedora Rawhide when running completely in
an initrd is not suitable to let the system boot up. Thus the
current solution is to boot in permissive mode. A better solution
for the future would probably be a selinux policy for enclaves</li>
<li>limit eif_build requires to fedora greater than or equal to 42</li>
<li>Bump version: 10.1.8 to 10.1.9</li>
<li>Added sshd to nitro-enclave integration test</li>
<li>Fixed container sync options
Do not exclude/filter any security/xattr capabilities.</li>
<li>Update container integration test
Add getcap to check on filesystem capabilities</li>
<li>Add new build type provides for enclave
Add a provides tag (read by the open buildservice) for the new
enclave builder. Also add a recommends to eif_builder in
the systemdeps-core meta package</li>
<li>Update enclave documentation
Fixup repo setup in the build documentation</li>
<li>Bump version: 10.1.7 to 10.1.8</li>
<li>Fixed enclave documentation</li>
<li>Update test-image-nitro-enclave package list
Fixup package list to match Fedora rawhide</li>
<li>Move test-image-nitro-enclave to rawhide</li>
<li>Fix ppc64 chrp bootinfo generation</li>
<li>Fixed documentation header
Fixed double H1 headers from the boxbuild tweaks chapter.</li>
<li>Bump version: 10.1.6 to 10.1.7</li>
<li>Move EXEC log message to the right place
The log information of the command execution was not printed
directly before the actual command invocation. There are other
actions after the log information (e.g Path.which) which itself
produce log information prior the real subprocess execution.
This is very misleading when reading the log file and fixed
in this commit.</li>
<li>Add support for architectures in deb source file
When apt resolves packages on a multiarch repo it can happen
that dependencies for packages from other architectures are
pulled into the solver process but are not provided by any
repository. To overcome this behavior the repository can
be setup to serve packages only for a specified architecture
or list of architectures. This is related to
OSInside/kiwi-descriptions#102</li>
<li>Bump version: 10.1.5 to 10.1.6</li>
<li>add allowExtraConfig and exportFlags to ovftool options
Add allowExtraConfig and exportFlags to ovftool options</li>
<li>Bump version: 10.1.4 to 10.1.5</li>
<li>create EFI/BOOT only if UEFI boot is intended</li>
<li>Fix boot support for ISO media on ppc64
add CHRP boot support for ppc64 and add xorriso option to avoid
file name reduction to MS-DOS compatible 8.3 format</li>
<li>Fix initrd permissions
kiwi stored the initrd for ISO images as 600 which might
be too restrictive. This commit makes sure the initrd is
stored as 644 and Fixes bsc#1229257</li>
<li>Fixed ramdisk size setup
For setting up the brd rd_size option kiwi creates
99-brd.conf used at load time of the kernel brd driver.
The location for the conf file is set to /etc/modprobe.d/
However, in newer versions the location has changed to
/usr/lib/modprobe.d/ and /etc/modprobe.d is no longer
expected to exist. This commit makes sure /etc/modprobe.d
is created if not present.</li>
<li>Bump version: 10.1.3 to 10.1.4</li>
<li>Add note about guestOS values for vmware ovftools.</li>
<li>Add note about guestOS values for vmware platform.</li>
<li>Fixed resize of dos table type on s390
On s390, parted is used to detect the partition table type.
In contrast to blkid the name for DOS tables is reported
as 'msdos' and not 'dos' which impacts several conditions
in the kiwi initrd code which checks for 'dos'. This commit
fixes the get_partition_table_type() method to return a
consistent table name for DOS tables (bsc#1228729)</li>
<li>Revert "remove dependency on /usr/bin/python"
This reverts commit 15b450188483b567ca10bb459bf50ed90e905bb7.
The change provided here entirely broke kiwi in OBS. With this
patch applied every image build in OBS fails with the following
message: 'line 1: /usr/sbin/kiwi: No such file or directory'</li>
<li>Bump version: 10.1.2 to 10.1.3</li>
<li>Fix bundle extension for archive types
When bundling result files that uses an archive type like
tbz or docker, kiwi creates them with the extension tar.xz/tar.gz
The bundler code only uses the extension from the last tuple
in a "." split which is wrong for "tar." filenames. This commit
adds an exception to the prefix rule for this output filenames
and Fixes</li>
<li>Fix ImageSystem mount procedure
The mount() method did not take custom partitions into account.
This commit fixes it.</li>
<li>remove dependency on /usr/bin/python</li>
<li>Add support for isomd5sum for tagging iso files
The isomd5sum tool suite is used and available on all supported
distributions except SUSE distributions, and is necessary to produce
conformant ISOs for most Linux distributions.
This change adds support for isomd5sum tool suite for kiwi, though
it does not extend the kiwi-live dracut module to use it. The upstream
dracut dmsquash-live module must be used instead.</li>
<li>kiwi/builder/live: Log the correct value for Application ID
Since it is now possible to set a custom application ID, we want
to see this when it is being used for the image.</li>
<li>kiwi/builder/live: Clean up leftover dracut configuration file
The existence of this file breaks installers on live media that
sync the full filesystem to disk and are not aware of this configuration
before generating the target system initramfs.</li>
<li>Allow string versions and test "word" versions
There are descriptions out in the wild that use "non-numeric" versions
in their descriptions, particularly without separators for splitting.
This change switches all of this to strings rather than assuming
numbers and gracefully handles the single word case.</li>
<li>Add documentation for boxbuild tweaks</li>
<li>Fixed wrong log level on --logfile
When using --logfile, the log generated there matches the
stdout log (which without --debug, does not include any debug info).
This is in contrast to the automatically generated one in the
output directory, which always does and also not following the
way how it is documented.</li>
<li>Fixed arch flag for namedCollection
The arch flag in a namedCollection was not taken into account.
This commit fixes this and also makes sure the result information
is sorted and unique like we have it for the package lists.</li>
<li>Fix handling of zipl.conf in plain zipl bootloader
When using the plain zipl bootloader kiwi created a /etc/zipl.conf
file. However, this file was only useful during image build as it
points to a loop target device and geometry but does not represent
a proper config file to be used in the running system. In addition
the different distributors provides their own version and layout
of the zipl.conf to be used inside of the system and with their
respective tools. Thus this commit changes the way how kiwi operates
in a way that the zipl.conf used in the initial image only exists
during the image build process. An eventual present /etc/zipl.conf
will not be touched by kiwi.</li>
<li>Bump version: 10.1.1 to 10.1.2</li>
<li>Improve error reporting for remote deployment
Add new method called show_log_and_quit which displays
the written error log file as a file box to the user</li>
<li>Update test-image-orthos integration test
Update the test such that you can also build it locally.
Change the remote installation target to be a ramdisk
for easy testing of remote deployments</li>
<li>Setup default minimum volume size per filesystem
The former method provided a static value but there are huge
differences for the minimum size requirement of a filesystem.
For example extX is fine with 30MB whereas XFS requires 300MB.
This commit adds a more dynamic default value based on the
used filesystem.</li>
<li>Increase default volume size
So far 30MB was set as default volume size which is by far
too small for a number of filesystems, e.g btrfs and also XFS.
This commit increases the default volume size such that all
modern filesystems builds if the default volume size is used.</li>
<li>Update test-image-raid
Apart from testing raid this integration test also tests
a certain LVM volume setup. The test has been updated
to use the btrfs filesystem because it has the most strict
size requirements.</li>
<li>Use shutil.which for Path.which
Both methods were only used in one place each and it makes much more sense to
use the pathlib builtin methods instead</li>
<li>Replace Path.create implementation with pathlib builtin</li>
<li>Bump version: 10.1.0 to 10.1.1</li>
<li>Mandatory package scripts for Debian bootstrap
Make sure to run some mandatory package pre/post scripts
such that settings like /etc/passwd, a root user, etc..
exists. This action can also be done in post_bootstrap.sh
but I think it's better to do this in the core code</li>
<li>Bump version: 10.0.28 to 10.1.0</li>
<li>kiwi no longer uses debootstrap
For building Debian based images we used debootstrap to
bootstrap an empty root until apt-get could be used to
complete the job. This has now changed such hat apt-get
is also used for bootstrapping a new system. The concept
and also potential alternatives to the way kiwi bootstraps
Debian based systems can be found here:</li>
<li>https://osinside.github.io/kiwi/working_with_images/build_without_debianbootstrap.html
Due to the drop of debootstrap it might happen that
package lists of existing image descriptions needs to be
extended with packages that were formerly pulled in by
debootstrap but did not get properly pulled in with the
new apt based bootstrap. As reference please check out the
integration tests from here:</li>
<li>https://github.com/OSInside/kiwi/tree/main/build-tests/x86/ubuntu</li>
<li>https://github.com/OSInside/kiwi/tree/main/build-tests/x86/debian</li>
<li>Bump version: 10.0.27 to 10.0.28</li>
<li>Update documentation</li>
<li>kiwi no longer uses debootstrap</li>
<li>Fix test_process_result_bundle_as_rpm</li>
<li>Fix Debian/Ubuntu integration tests
Remove package hacks for debootstrap, explicitly add
required packages and or configurations.</li>
<li>Drop types-pkg_resources
Got removed from PyPI</li>
<li>Fix test_process_result_bundle_as_rpm
os.path.basename was called on a MagicMock object which
sometimes confused pytest</li>
<li>CI: Add testing against Python 3.13
Python 3.13 is shipping in Fedora Linux for Fedora Linux 41, so we
should ensure kiwi is tested against it. The testing setup is
based on the latest development version of 3.13 as it is not
yet released.</li>
<li>Fix kiwi-repart restrictions
The kiwi repart dracut module reads a profile file and if it
does not exists it dies in the initrd. However, that profile
file is not mandatory for the main resize functionality. Thus
this commit turns this into a warning message. In addition
the module-setup for 90kiwi-repart makes sure to include
the required and optional profile files (bsc#1228118).</li>
<li>Do not exclude the .profile env file by default
kiwi's initrd modules read a .profile file which gets included
into the initrd produced at build time. To allow rebuild of a
host-only initrd from the booted system this information should
be present such that it is possible to re-use kiwi initrd code.</li>
<li>Get rid of debootstrap
Replace debootstrap with an apt-get based pre-download of
packages followed by a dpkg-deb extraction.</li>
<li>Bump version: 10.0.26 to 10.0.27</li>
<li>Fix dracut-interactive with systemd 256
With systemd 256, /usr (and thus also /bin/) is read-only in the initrd.
Move dracut-interactive and its .service into /run instead.</li>
<li>Bump version: 10.0.25 to 10.0.26</li>
<li>Revise scripts_testing.rst</li>
<li>Revise schema_extensions.rst</li>
<li>Pass kernel cmdline to agama
In the agama integration test make sure to pass along
the kernel boot parameters to allow controlling the
behavior of agama better</li>
<li>Add file directive to incorporate custom files
Usually custom files are managed by placing them as overlay
files or archives. However, overlay files must be structured
inside of a root/ subdirectory and archive files are binary
data. It is therefore not straight forward to just reference
one or more files as source files to the image description
to be placed into the image.</li>
<li>Bump version: 10.0.24 to 10.0.25</li>
<li>Fix mocking of test_process_result_bundle_as_rpm</li>
<li>Fixed logging behavior of Compress::get_format
The get_format() method allows to check which compression format
a given input stream has. This is done by calling the supported
compression tools in a row and let them check if they can deal
with the provided data or not. As a result error messages are
logged for streams that some tool doesn't understand. However,
those error messages are no errors and only the result of the
checking. This information in the kiwi log file is confusing
and several users already complained when they see information
like:
EXEC: Failed with stderr: /usr/bin/xz: ...: File format not recognized
This commit changes how the compression tooling is called in a
way that no exception is raised (which leads to the above error message)
but the result returncode is used to decide on the success or
error of the respective compression tooling.</li>
<li>Allow to set custom ISO Application ID
The application ID was used as identifier
in the legacy initrd code from former kiwi versions. Because of
this there is still the compat layer which sets an App ID as MBR
identifier string unless the new application_id overwrites it.</li>
<li>Bump version: 10.0.23 to 10.0.24</li>
<li>Added integration test for SUSE agama installer
This integration test builds a self-install ISO image which
drops the SUSE Agama installer into a ramdisk for performing
an interactive installation procedure to test Agama</li>
<li>Add --set-type-attr and --set-release-version
Allow to set/overwrite type section attributes via the cmdline.
Allow to set/add the release-version element via the cmdline.</li>
<li>Update integration test for eficsm
Update the type of the Secure profile of the live image integration
test as well as the type of the simple-disk test to make use of the
eficsm="false" attribute to switch off CSM mode and test an EFI only
layout.</li>
<li>Add new eficsm type attribute
Allow to produce EFI/UEFI images without hybrid CSM capabilities.</li>
<li>kiwi_plugin_architecture.rst</li>
<li>Revise kiwi_from_python.rst</li>
<li>Wait for loop device detach to complete
Detaching a loop device via 'losetup -d' is an async operation.
Once the command returns the loop can still be associated with
the block special. Therefore this commit waits until the block
device got released or a timeout is hit.</li>
<li>Update requires for kiwi-systemdeps-disk-images
On Tumbleweed several changes caused tools like strings
or the codepage for mtools to be missing in a standard
installation. For building disk images especially EFI
capable ones with vendor information kiwi needs the above
tool. This commit adds the packages providing them on
Tumbleweed to the meta systemdeps for disk images.</li>
<li>Supplements are not understood by Debian/Ubuntu</li>
<li>Add new builder for enclaves
Add new EnclaveBuilder class which allows to build initrd-only
image types. The first enclave implementation covers aws-nitro
images produced via the eif_build tooling.</li>
<li>Split out bash completion into a sub-package
Per review of the SUSE packaging team we should split out
the bash completion into its own sub-package to give users
better control over the completion feature.</li>
<li>Bump version: 10.0.22 to 10.0.23</li>
<li>package: Add fully qualified provides for python3-kiwi in spec
On SUSE distributions, currently the expectation is that packages
built against the Python interpreter should have fully qualified
names in the form of pythonXY-<modulename>. Additionally, all other
Linux distributions prefer something similar in the form of
pythonX.Y-<modulename>.
This ensures we have those names so that distribution dependency
generation works as expected.</li>
<li>Add support for arch selector on volumes
Multiple architecture names can be specified as comma separated list.</li>
<li>Add rd.kiwi.oem.force_resize boot option
Forces the disk resize process on an OEM disk image.
If set, no sanity check for unpartitioned/free space
is performed and also an eventually configured
<oem-resize-once> configuration from the image description
will not be taken into account (bsc#1224389).</li>
<li>Fixed leap integration tests
For whatever reason procps is not longer pulled in by the
core dependencies. Thus we have to explicitly request it</li>
<li>Fix potential race condition in loop detach
The call to 'losetup -d' is in fact an async operation. Once
the command returns the loop can still be associated with the
former file because it gets lazy unbound and releases later.
Prior re-use of the same loop device it is therefore required
to wait until the kernel event queue is processed.</li>
<li>Fixed repository include to image with dnf
When specifying a repository element with imageinclude="true",
kiwi permanently adds the repo file inside of the image.
The distribution standard path is used to store the repo
file in this case. With dnf a package manager exists that is
primarily used on Fedora and RHEL systems. Thus the standard
path for the repo files is set to "/etc/yum.repos.d".
However, dnf can also be used for other rpm based distributions
e.g SUSE. On such a system the default path does not exist
or is different because another package manager is the
default. This commit makes sure that the expected path is
created prior adding any repo files.</li>
<li>Bump version: 10.0.21 to 10.0.22</li>
<li>Fixed selinux labels for boot files
When kiwi calls the bootloader config and installation modules
several files gets created as unlabeled_t because the labeling
happened earlier. This commit ensures that setfiles gets called
after BootLoaderConfig and/or BootLoaderInstall has done its job.</li>
<li>Add bash to package requirements
If there are script evaluations that does not specify
an interpreter, kiwi uses bash for it. The same applies
for sub-process invocations using shell pipelines. Thus
the bash shell is a required tool for kiwi under certain
circumstances.</li>
<li>test-image-live: add shadow package</li>
<li>Fix displaying the image verification failure dialog
Kiwi must wait for the previous dialog to finish before showing another
one as it's the same systemd service behind it.</li>
<li>Allow to customize the path of the isoscan cowfile
Added rd.live.cowfile.path option to specify the cowfile at
any path below the isoscan-loop-mount.</li>
<li>Better error handling on grub vendor dir lookup
The strings command is used to lookup the in-efi binary encoded
vendor path. However, if the strings or bash command is not availabe
on the build host, the command silently failed and moved into the
standard (non vendored) EFI boot path. This can lead to a broken
boot for those distros and image targets which requires a vendor
directory and should lead to an error message instead of a
successful image build.</li>
<li>Fixed profile variable settings for preferences
It's allowed to have multiple preferences sections. If those
sections provides the same value multiple times, e.g keytable,
the last one in the row will win. The setup of the variables
in .profile environment file for the preferences elements is
not following this rule and used the first section not the
last. This commit fixes the profile variables to match the
actual setup</li>
<li>Revise users.rst</li>
<li>REvise systemdeps.rst</li>
<li>Revise shell_scripts.rst</li>
<li>Add initrd boot option rd.kiwi.allow_plymouth
By default kiwi stops plymouth if present and active in the
initrd. Setting rd.kiwi.allow_plymouth will keep plymouth
active in the initrd including all effects that might have
to the available consoles. This is related to bsc#1214824</li>
<li>Drop use of obsolete tool isconsole
isconsole was provided with the dropped kiwi-tools package.
It was a simple C application that checked the capabilities
of the current console. In the context of fbiterm it was just
used to provide proper error messages which fbiterm on its
own did not show. As also fbiterm is on its way to become
obsolete and isconsole is already no longer present, it's ok
to just drop that extra check and therefore keep the fbiterm
mode functional if one manages to include fbiterm and its
fonts into the initrd</li>
<li>Bump version: 10.0.20 to 10.0.21</li>
<li>Add missing write_meta_data method to BLS base
The standard bootloader interface class provided a method
named write_meta_data which is expected to be implemented
in the specialized bootloader implementation. For BLS
bootloaders this method was missing in the BLS base class.
write_meta_data can provide additional cmdline options
for booting. If not covered some boot options might be
missing. This patch fixes it</li>
<li>Fix TW integration test to build outside OBS</li>
<li>Make sure BootLoaderConfig fixes are effective
The BootLoaderConfigGrub2 class has methods to fix the grub-mkconfig
generated files. It does that by mounting the system and changing the
respective files after the mkconfig call. However, after the change
the class instance stays open in combination with BootLoaderInstallGrub2
instance which itself under certain circumstances also mounts the
system to call grub-install. At the time grub-install is called it
cannot be guaranteed that all changes has been written unless an
explicit umount in the BootLoaderConfigGrub2 class instance happened.
This commit address the potential race condition.</li>
<li>Bump version: 10.0.19 to 10.0.20</li>
<li>Update rawhide integration test
Use new arch attribute for testing in the repository
element of the rawhide/test-image-live-disk integration
test.</li>
<li>Add support for arch attr in repository element
Allow to provide different repository sections per architecture</li>
<li>Add --list-profiles to image info
Allow to list available profiles from the processed image
description</li>
<li>Bump version: 10.0.18 to 10.0.19</li>
<li>package: Always include patches and number all sources and patches
This ensures that stuff is applied reliably and all sources and patches
are included as expected.</li>
<li>Bump version: 10.0.17 to 10.0.18</li>
<li>package: adjust openSUSE patch</li>
<li>Bump version: 10.0.16 to 10.0.17</li>
<li>Fixed box plugin documentation
The provided example was no longer correct according to
changes on the image description referenced in the example</li>
<li>Add procps to Tumbleweed integration tests</li>
<li>Add procps to Tumbleweed integration tests</li>
<li>Fix sdist upstream tarball contents
The .virtualenv.dev-requirements.txt file is referenced by tox.ini
but not put into the sdist tarball and therefore missing in the
pypi upstream data.</li>
<li>Drop use of obsolete pkg_resources
As documented in https://setuptools.pypa.io/en/latest/pkg_resources.html
the use of pkg_resources is obsolete and will cause issues.
So happened on Debian unstable.</li>
<li>RepositoryDnf5: correct defaults, set system_cachedir
The "defaults" in <code>use_default_location</code> here are the dnf4
defaults, not the dnf5 defaults, so let's update them. Also, for
dnf5, we need to set <code>system_cachedir</code> instead of <code>cachedir</code> -
see https://dnf5.readthedocs.io/en/latest/misc/caching.7.html ,
<code>system_cachedir</code> is the cache location used when running as
root, <code>cachedir</code> is the cache location used when running as a
regular user.</li>
<li>Bump version: 10.0.15 to 10.0.16</li>
<li>poetry build doesn't like symlinks
The sdist tarball produced by poetry build does not include
all files and skipped symlinks in test/data. This caused the
unit test run to fail if called from within that sources</li>
<li>Fix spec file
Require docopt-ng for Fedora 41+</li>
<li>Bump version: 10.0.14 to 10.0.15</li>
<li>REview runtime_configuration.rst</li>
<li>Review repository_setup.rst</li>
<li>Add support for stopsignal in containerconfig
Allow to specify the stopsignal via the containerconfig
element</li>
<li>Fix set_disk_password to be effective
Since commit 8aa517eb7 it is necessary to call
_mount_device_and_volumes() prior making any modifications
to boot files. In addition handle potential errors
from the grub.cfg modification better.</li>
<li>Update Makefile
Make sure custom patches are part of the package sources</li>
<li>Bump version: 10.0.13 to 10.0.14</li>
<li>doc: Document the bls option for the grub bootloader</li>
<li>Temporarily revert grub-bls default to false for SUSE distributions
For the time being, SUSE distributions cannot handle KIWI's default
to use BLS with GRUB2. Until they catch up, revert this for them only.</li>
<li>kiwi/bootloader: restore backward compatibility for grub2 with bls
The change to introduce the bls parameter broke backward compatibility
with all existing kiwi descriptions for distributions that default to BLS.
This fixes that by allowing the unset state to be equivalent to enabling it.</li>
<li>Bump version: 10.0.12 to 10.0.13</li>
<li>Overwrite compression setting only if randomized
When building an encrypted image, the bundler never compressed
the result. This overwrite from the runtime configuration and
the default compression setting actually only makes sense when
the image is randomized because only then a compression is
for sure useless.</li>
<li>Make sure lsblk output is sorted by dev name
lsblk without the sorting option can provide the list
of devices in different order. This patch makes sure
lsblk sorts the output by the device name (bsc#1223374).</li>
<li>Stop leaking plugins/{priorities,versionlock}.conf file with dnf4/5.
This fixes the fedora issue
https://bugzilla.redhat.com/show_bug.cgi?id=2270364</li>
<li>Fix luks_randomize setting
Make sure the value passed for luks_randomize in the description
becomes effective. It was not possible to switch off luks_randomize
because any "not" value was turned into a true value. The actual
default should therefore only apply in case luks_randomize is
not specified at all which means only a None value will turn
into a true value for this setting.</li>
<li>Fix package removal with dnf5</li>
<li>Add 'bls' parameter for the bootloader</li>
<li>Fix efifatimagesize attribute type
The efifatimagesize attribute type value is set to "oem" but the documentation says
that it is intended to be also used for creating ISO images. This causes a schema error
when this attribute is set on a profile with type "iso" and blocks changing the EFI
boot image size which is a problem if the image is bigger than 20M. This commit
allows to specify the attribute also for the "iso" type</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-267=1</code>
</li>
<li class="list-group-item">
SUSE Linux Micro Extras 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-267=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>dracut-kiwi-oem-dump-10.2.12-1.1</li>
<li>dracut-kiwi-lib-10.2.12-1.1</li>
<li>dracut-kiwi-oem-repart-10.2.12-1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
<ul>
<li>kiwi-systemdeps-core-10.2.12-1.1</li>
<li>python3-kiwi-10.2.12-1.1</li>
<li>kiwi-systemdeps-iso-media-10.2.12-1.1</li>
<li>kiwi-systemdeps-bootloaders-10.2.12-1.1</li>
<li>kiwi-systemdeps-filesystems-10.2.12-1.1</li>
<li>kiwi-systemdeps-disk-images-10.2.12-1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1214824">https://bugzilla.suse.com/show_bug.cgi?id=1214824</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221469">https://bugzilla.suse.com/show_bug.cgi?id=1221469</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221790">https://bugzilla.suse.com/show_bug.cgi?id=1221790</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1223374">https://bugzilla.suse.com/show_bug.cgi?id=1223374</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224389">https://bugzilla.suse.com/show_bug.cgi?id=1224389</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228118">https://bugzilla.suse.com/show_bug.cgi?id=1228118</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228729">https://bugzilla.suse.com/show_bug.cgi?id=1228729</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228741">https://bugzilla.suse.com/show_bug.cgi?id=1228741</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229257">https://bugzilla.suse.com/show_bug.cgi?id=1229257</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1235448">https://bugzilla.suse.com/show_bug.cgi?id=1235448</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1237772">https://bugzilla.suse.com/show_bug.cgi?id=1237772</a>
</li>
</ul>
</div>