<div class="container">
<h1>Recommended update for python-kiwi</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:20428-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-06-20T14:06:08Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
<li class="list-group-item">SUSE Linux Micro Extras 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-kiwi fixes the following issues:</p>
<ul>
<li>Apply security context on writable root only</li>
<li>Docs: fix typo in users.rst</li>
<li>Docs: minor punctuation and grammar fixes</li>
<li>Give test-image-overlayroot enough space</li>
<li>Allow ext2/ext3 as valid build target
stat reports the value 'ext2/ext3' which is a valid target</li>
<li>Added check_target_dir_on_unsupported_filesystem</li>
<li>Fix rd.kiwi.oem.luks.reencrypt_randompass workflow</li>
<li>Add support for new tarball-based WSL format</li>
<li>Update SL-Micro build test</li>
<li>Required read-only-root-fs for SL-Micro test build
Changes from the SL-Micro team require adaptations to the
integration test description</li>
<li>Delete fstab.script from SL-Micro test build
This was only needed when /var was an extra partition, but
it's a volume with copy-on-write disabled for some time</li>
<li>Add systemd-resolved to TW integration tests
For some reason it's no longer part of the systemd standard
installation</li>
<li>Add dkms to test-image-embedded integration test</li>
<li>Fixed access issue to etc/kernel for sdboot</li>
<li>Update test-image-overlayroot</li>
<li>Fixed get_volume_management</li>
<li>Update test-image-overlayroot
Move to systemd-boot as bootloader, activate secure boot
and drop the extra boot partition. Use XFS for the write
space</li>
<li>Allow initrd updates on read-only devices
Move initrd to ESP for boot loaders that read data
from there</li>
<li>Fix ordering issue for device assignment
wrong assignment of a boot partition in overlayroot setup
without boot partition</li>
<li>Add kiwi-settings package for TW
de-blacklist erofs to allow building integration tests
with this filesystem</li>
<li>Switch to dracut-kiwi-verity</li>
<li>Update test-image-overlayroot integration test</li>
<li>Add documentation for new attribute
Add details how to use the new overlayroot_readonly_filesystem attribute</li>
<li>Add support for selecting the overlay read-only fs</li>
<li>Fixed root setup for verity overlay disk</li>
<li>Make sure the verity record has a superblock</li>
<li>Drop distro specific runtime check</li>
<li>Fix root clone size setup</li>
<li>Fix reencryption master key passphrase</li>
<li>Fixed targettype setup in zipl.conf
The special targettype set to GPT still indicates SCSI for
the zipl.conf but tells kiwi to create a GPT disk layout</li>
<li>Fixed s390 integration test
targettype attribute in wrong section</li>
<li>Add support for GPT targettype on s390
Allow to build s390 images using GPT instead of the old DOS
partition table. zipl has added support to read from GPT.</li>
<li>Add --no-compress option to bundler
Allow to skip the compression for bundle files marked
to become compressed.</li>
<li>Rawhide (F43) has removed basesystem package</li>
<li>rawhide install shadow-utils for usermod</li>
<li>Fixed default bls value setup</li>
<li>Fix setup of use_disk_password for random secret
When using luks="random" in combination with use_disk_password="true"
the resulting cryptomount call in grub is wrong. This commit fixes it</li>
<li>Drop copying GRUB2 modules to /boot with Secure Boot UEFI images
Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.</li>
<li>Make sure editbootinstall runs offline
editbootinstall expects the system to be umounted</li>
<li>Make sure post sync actions are in scope</li>
<li>Follow up fix for overlayroot builds for EFI path
Only perform the boot overlay if there is an extra boot partition</li>
<li>Only remove entries from exclude list if present</li>
<li>Fix overlayroot builds for EFI path
make sure to keep boot/efi mountpoint directories
in the read-only area as they can't be created later</li>
<li>doc: overview: Add list of supported Linux distributions
These are the Linux distributions that are developed and actively
tested for with the latest kiwi releases.
This should offer greater clarity about what we're able to support
as an upstream project.</li>
<li>Fixed mount of image system for volume managers
The ImageSystem.mount() method implemented its own handling
for mounting the volumes of a volume manager based system.
First and foremost this duplicates code that already exists
in the respective VolumeManager implementation and second
the code behaved wrong in case of btrfs when there is no
default subvolume configured</li>
<li>Handle grub fix functions less strict
If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.</li>
<li>Fixed root setup for encrypted overlay disk</li>
<li>Change suffix for package manager config files</li>
<li>Set security context after root sync
On selinux enabled image builds we call setfiles initially
after the root tree is complete and after each script invocation
that might change the system. However the security context
also applies to mount points, e.g. volumes, which only exist
at the time when the root tree gets synced to the actual image
binary. Thus this commit also calls setfiles on the mounted
root tree after data sync.</li>
<li>Fix broken doc link
Rephrase chapter pointing to a documentation site at VMware.
They are constantly changing their documentation URLs, and
I'm tired of fixing this.</li>
<li>Fix key slot selection for luks reencrypt
Depending on the type setup for a luks encrypted image, there
might be one or two key slots available. When kiwi is requested
to perform the reencryption process at least one key-slot and
the proper keyfile/passphrase must be provided. This commit
stores the information about the key-slot number for which
a decryption information exists in the initrd. In addition to
the code change also the corresponding integration test image
was updated.</li>
<li>Fixed test-image-gce integration test
python3-gcemetadata was renamed to python-gcemetadata</li>
<li>Fixed integration test builds for TW
Request dracut explicitly when needed</li>
<li>Add support for filtering out files from the ESP image for GRUB
Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.</li>
<li>Fix bundle extension for container types
When building result files that use container types like oci or docker,
kiwi creates them as archive tarballs with an extension prefix to
indicate the special nature of the archive. However, the bundler
code does not retain the prefix, which results in the wrong file
extension for these archives.
This change adds exceptions for these types and refactors the
exception handling to unify it with the Vagrant image filename
handling, which operates similarly.</li>
<li>Update LOADER_TYPE setup for grub
If the bootloader attribute: bls is set to true, make sure
the LOADER_TYPE changes to grub2-bls.</li>
<li>Fix Agama PXE build
A bootloader setup is needed to create config.bootoptions
Even though a ramdisk deployment does not require a bootloader
setup we need it because part of the setup is the root device
reference which is still needed to pivot root into the
system</li>
<li>Fix firmware setting for Agama PXE image</li>
<li>Added obs BUILD_FLAVOR for agama
Required for multibuild (multiple profiles) build</li>
<li>Update Agama integration test
Split the build into two profiles ISO and PXE to differentiate
the build results into a small Agama for remote installations
and a standard Agama for iso based installations</li>
<li>Prevent loading unused data in oem deployment
In case rd.kiwi.ramdisk is used as part of a remote deployment
setup, it's not needed to load the system kernel and initrd
because it's not used as kexec is not called with the system
deployed into memory. For ramdisk deployments the system is
booted using the currently active kernel and initrd and as
such we can avoid loading an extra kernel and initrd for
booting the system via kexec.</li>
<li>Update Agama integration test</li>
<li>Added &lt;oem-ramdisk-size&gt; element
So far it was only possible to specify the size of the ramdisk
via the kernel commandline option: ramdisk_size. In a remote
deployment it was therefore required to carry this size as a
mandatory information to the deployment server. With this commit
we allow to specify the size for the ramdisk to be configured as
part of the image configuration which makes this information
also available inside of the initrd. If provided the ramdisk_size
kernel commandline option still takes precedence over the
&lt;oem-ramdisk-size&gt; setting to avoid any behavior change and to
still allow dynamic overrides of the ramdisk size.</li>
<li>reinstall bootstrap packs in image phase for apt
Due to the special bootstrap process, the packages unpacked
during bootstrap are not properly listed in the apt index.
Therefore the bootstrap packages are added to the install
phase which causes an install of these packages again to
fix the apt index and provide a consistent system from
an apt perspective.</li>
<li>Fixed restore of keyfile after reencryption
When kiwi runs the reencryption it also restores any
existing keyfile. However if the option rd.kiwi.oem.luks.reencrypt_randompass
is specified no former keyfile should be restored. The purpose
of reencrypt_randompass is to make sure only this in memory
passphrase can access the luks pool such that tooling at boot
time gets the opportunity to work with the luks pool for e.g.
setting up a TPM key or setting a passphrase only known to the user.</li>
<li>Update dracut kiwi-lib module setup
Make sure all tools used in code are requested for inclusion</li>
<li>keep /usr/bin/sha256sum
dropping md5sum was okay, but now we need
the current tool to verify the checksum</li>
<li>Restrict keyfile permissions
For reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass
make sure that the temporary random pass keyfile has 0400 root
owned access permissions set</li>
<li>package: Add kiwi-image:oci Provides to -systemdeps-containers
This allows the Open Build Service to correctly resolve dependencies
when building OCI images.</li>
<li>Better logging which kiwi file is read
Improve the log message that tells about reading the
kiwi config file to actually show the file path that
is read in. This is especially an issue if more than
one kiwi file is read in during the build process.</li>
<li>also keep the ts binary, might be needed to provide timestamped logfiles</li>
<li>Update documentation
Add information about new apk (Alpine) support</li>
<li>Add support for Alpine
Add apk repository and package manager support and provide
an integration test build for the Alpine distribution</li>
<li>Fix F824 flake check for global assignments</li>
<li>Use metalink repos for local test builds</li>
<li>schema: Allow C as a valid locale
It should be permitted to set the "C.UTF-8" locale for minimal images
that are not preloaded with locales. The "C.UTF-8" locale has been
supported in Linux distributions for many years.</li>
<li>Support sourcetype setting on the commandline
Allow to specify the sourcetype (metalink|baseurl|mirrorlist)
also on the commandline via --set-repo/--add-repo options. So
far this was only possible as part of the kiwi description file</li>
<li>Fix gh-pages deployment
poetry install was not called, thus sphinx was not present</li>
<li>Drop use of travis-sphinx
According to the documentation of peaceiris/actions-gh-pages
the sphinx-build output can be directly consumed to publish
to github pages</li>
<li>Allow stderr data in CommandProcess
Enhance poll_show_progress() method to allow polling on
stderr data too. The new parameter with_stderr is used
together with the dnf5 package manager. dnf5 has changed
in a way that a lot of useful information during the
install of packages is printed to stderr. From my perspective
a clear regression to former behavior but we can fix this
in kiwi to poll on both channels.</li>
<li>Support arch attribute for &lt;users&gt; section
Allow to setup users per arch.</li>
<li>Add Debian_12_update repo for testing with typer</li>
<li>Fixed python3_sitelib for debbuild in OBS</li>
<li>Fixed test-image-agama
Service setup-systemd-proxy-env.path no longer exists</li>
<li>Explicitly request shadow-utils
Make sure shadow-utils gets installed for rawhide
integration tests</li>
<li>Drop test-image-suse-on-dnf test
This was just a "can this work" test but has no real
relevance for users since nobody would use dnf to build
a suse image, there is also no help when it does not
work. So let's drop this test build</li>
<li>distutils sysconfig is deprecated</li>
<li>Make integration tests build outside of OBS
Update and extend all integration tests such that they also
build outside of the Open Build Service. Along with the changes
on the descriptions a simple build-tests.sh script was added
to drive the build process. The build is based on the kiwi
boxbuild plugin in container mode to build the tests
from a given build-tests directory. A new chapter to document
how to Build the Build Tests is also provided and referenced
on the github main page.</li>
<li>Add rd.kiwi.oem.luks.reencrypt_randompass
For OEM LUKS2 encrypted disk images in combination
with rd.kiwi.oem.luks.reencrypt. Reset insecure build time
passphrase with a random onetime passphrase</li>
<li>Lookup CHRP loader instead of using a static name</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-362=1</code>
</li>
<li class="list-group-item">
SUSE Linux Micro Extras 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-362=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>dracut-kiwi-oem-repart-10.2.22-1.1</li>
<li>dracut-kiwi-lib-10.2.22-1.1</li>
<li>dracut-kiwi-oem-dump-10.2.22-1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
<ul>
<li>python3-kiwi-10.2.22-1.1</li>
<li>kiwi-systemdeps-iso-media-10.2.22-1.1</li>
<li>kiwi-systemdeps-bootloaders-10.2.22-1.1</li>
<li>kiwi-systemdeps-core-10.2.22-1.1</li>
<li>kiwi-systemdeps-filesystems-10.2.22-1.1</li>
<li>kiwi-systemdeps-disk-images-10.2.22-1.1</li>
</ul>
</li>
</ul>
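<p>After applying the patch, a defender typically wants to confirm that every package named in the Package List above is at or above the fixed version, 10.2.22-1.1. The script below is an added example and is not part of the SUSE advisory or of the kiwi project: it reads a <code>name version-release</code> listing (as produced by <code>rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'</code>) and reports packages from the advisory that are still behind. The sample listing embedded in it is constructed, and <code>sort -V</code> is used as an approximation of RPM's version comparison, which is sufficient for the dotted numeric versions involved here.</p>

```bash
#!/bin/sh
# Added example (not from the SUSE advisory or the kiwi project): check
# installed kiwi-related package versions against the advisory's fixed
# version. The package names and fixed version are taken from the
# advisory's Package List section; the sample listing is constructed.

FIXED_VERSION="10.2.22-1.1"

# Packages updated by SUSE-RU-2025:20428-1, per the Package List.
FIXED_PACKAGES="dracut-kiwi-oem-repart dracut-kiwi-lib dracut-kiwi-oem-dump \
python3-kiwi kiwi-systemdeps-iso-media kiwi-systemdeps-bootloaders \
kiwi-systemdeps-core kiwi-systemdeps-filesystems kiwi-systemdeps-disk-images"

# version_lt A B: succeed if version string A sorts strictly before B.
# sort -V (GNU coreutils) approximates rpmvercmp well enough for
# versions of the form X.Y.Z-R.S used by these packages.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_kiwi_versions: reads "name version-release" lines on stdin and
# prints one "name installed-version" line for every advisory package
# whose installed version is below FIXED_VERSION. Other packages are
# ignored; packages that are absent are not reported (not installed
# means not affected).
check_kiwi_versions() {
    while read -r name ver; do
        [ -z "$name" ] && continue
        for pkg in $FIXED_PACKAGES; do
            if [ "$name" = "$pkg" ] && version_lt "$ver" "$FIXED_VERSION"; then
                printf '%s %s\n' "$name" "$ver"
            fi
        done
    done
}

# Constructed sample: two packages behind the fix, one already at the
# fixed level, and one package the advisory does not cover.
SAMPLE_LISTING='python3-kiwi 10.2.21-1.1
kiwi-systemdeps-core 10.2.22-1.1
dracut-kiwi-lib 10.1.30-1.1
zypper 1.14.78-1.1'

# outdated: run the check over the constructed sample. On a real host,
# replace the sample with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_kiwi_versions
outdated() {
    printf '%s\n' "$SAMPLE_LISTING" | check_kiwi_versions
}

outdated
```

<p>An empty result from <code>check_kiwi_versions</code> on a real host means every installed package from the advisory is at least 10.2.22-1.1; for an exact comparison on edge cases (epochs, tilde or caret versions) use <code>rpmdev-vercmp</code> or <code>zypper versioncmp</code> instead of <code>sort -V</code>.</p>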
</div>