<div class="container">
<h1>Recommended update for python-kiwi</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:20443-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-06-20T14:28:38Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.1</li>
<li class="list-group-item">SUSE Linux Micro Extras 6.1</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-kiwi fixes the following issues:</p>
<p>Bump version: 10.2.21 → 10.2.22:</p>
<ul>
<li>Apply security context on writable root only</li>
</ul>
<p>Make sure to perform setfiles only on a writable target. In case
of a read-only root it is expected that the security context set
by kiwi in an earlier stage is complete. As there is no way to
modify data when root is read-only, there is also no way to change
the security context of any file, so setfiles is skipped
in this case. Should there be a read-only system that has writable
partitions such as /boot whose content changes while the rest
of the root system is read-only, it is the responsibility of
the author of the image description to call setfiles only on
the affected and still writable files via a custom disk.sh
script. Along with the fix the respective integration test was
modified to enable selinux such that this change is actually
integration tested. This Fixes #2805</p>
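<p>The rule above (relabel only what lives on a read-write mount, skip a read-only root entirely) can be expressed as a small decision step that a custom disk.sh could drive. The following is an added example and not kiwi's own code: it parses a mounts(5)-style table, finds the mount that holds each requested path, and only builds a setfiles command for the writable subset. The mount table, the <code>file_contexts</code> path and the <code>-F</code> relabel flag are assumptions of the example.</p>

```python
"""Decide where a post-sync setfiles relabel may run.

Added example, not kiwi's code. Paths on a read-only mount (the erofs
root below) are dropped because nothing on them can change; paths on a
writable partition such as /boot are kept. The mount table is constructed.
"""
import posixpath
from typing import Dict, List, Tuple

# Constructed /proc/self/mounts-style table: source target fstype options ...
SAMPLE_MOUNTS = """\
/dev/mapper/root / erofs ro,relatime 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077 0 0
overlay /var overlay rw,relatime,lowerdir=/lower,upperdir=/upper 0 0
"""


def parse_mounts(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map mount point -> (fstype, writable) from mounts(5)-style lines."""
    table: Dict[str, Tuple[str, bool]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        target, fstype, options = parts[1], parts[2], parts[3].split(",")
        table[target] = (fstype, "rw" in options)
    return table


def mount_point_of(path: str, mounts: Dict[str, Tuple[str, bool]]) -> str:
    """Longest mount point that is a prefix of path, i.e. the mount holding it."""
    path = posixpath.normpath(path)
    best = "/"
    for target in mounts:
        t = posixpath.normpath(target)
        if path == t or path.startswith(t.rstrip("/") + "/"):
            if len(t) > len(best):
                best = t
    return best


def writable_targets(paths: List[str], mounts_text: str) -> List[str]:
    """Return only those paths whose containing mount is read-write."""
    mounts = parse_mounts(mounts_text)
    kept = []
    for p in paths:
        if mounts.get(mount_point_of(p, mounts), (None, False))[1]:
            kept.append(p)
    return kept


def setfiles_command(file_contexts: str, paths: List[str],
                     mounts_text: str) -> List[str]:
    """argv for relabelling the writable subset; an empty list means skip."""
    targets = writable_targets(paths, mounts_text)
    if not targets:
        return []
    # -F forces relabelling even where a context is already set (assumption:
    # the caller wants the file_contexts spec to win on the writable parts).
    return ["setfiles", "-F", file_contexts] + targets


if __name__ == "__main__":
    print(setfiles_command("/etc/selinux/targeted/contexts/files/file_contexts",
                           ["/", "/boot", "/boot/efi", "/usr/lib"], SAMPLE_MOUNTS))
```

<p>With the constructed table the root and /usr/lib are skipped while /boot and /boot/efi are relabelled, which is exactly the split the changelog entry asks image authors to make themselves.</p>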
<ul>
<li>
<p>Docs: fix typo in users.rst</p>
</li>
<li>
<p>Docs: minor punctuation and grammar fixes</p>
</li>
<li>
<p>Give test-image-overlayroot enough space</p>
</li>
<li>
<p>Allow ext2/ext3 as valid build target</p>
</li>
</ul>
<p>stat reports the value 'ext2/ext3', which is a valid target</p>
<ul>
<li>Added check_target_dir_on_unsupported_filesystem</li>
</ul>
<p>Add runtime check to make sure the selected target directory
for the image and/or the image rootfs lives on a filesystem
that provides all required features like extended permissions,
ACLs or xattrs.</p>
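<p>The two entries above fit together: the filesystem name that <code>stat -f -c %T</code> prints (the string 'ext2/ext3' covers ext2, ext3 and ext4) is only a hint, and the reliable signal is whether an extended attribute can actually be written in the target directory. The following is an added example, not kiwi's own <code>check_target_dir_on_unsupported_filesystem</code>: it classifies the reported name against an assumed allow/deny list and then probes xattr support on a scratch file. The setxattr call is injectable so the unsupported path can be exercised without a real FAT or NFS target.</p>

```python
"""Runtime check that an image target directory lives on a capable filesystem.

Added example, not kiwi's code. Two signals: the stat -f %T name (assumed
lists below) and a live user.* xattr probe in the directory.
"""
import errno
import os
import subprocess
import tempfile
from typing import Callable, Optional, Tuple

ENOTSUP = errno.ENOTSUP
SCRATCH_DIR = tempfile.gettempdir()

# stat -f %T spellings assumed to carry xattrs/ACLs for a rootfs sync.
SUPPORTED_FS_NAMES = {"ext2/ext3", "xfs", "btrfs", "f2fs"}
# Spellings that cannot hold Linux permissions or xattrs at all.
UNSUPPORTED_FS_NAMES = {"msdos", "vfat", "exfat", "fuseblk", "nfs", "cifs", "9p"}


def fs_type_name(path: str) -> str:
    """Filesystem type name of path as printed by coreutils stat."""
    out = subprocess.run(["stat", "-f", "-c", "%T", path],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def classify_fs_name(name: str) -> str:
    """'supported', 'unsupported' or 'unknown' for a stat -f %T name."""
    if name in SUPPORTED_FS_NAMES:
        return "supported"
    if name in UNSUPPORTED_FS_NAMES:
        return "unsupported"
    return "unknown"


def probe_xattr(directory: str,
                setter: Optional[Callable[[str, str, bytes], None]] = None
                ) -> Tuple[bool, str]:
    """Try to set a user.* xattr on a scratch file in directory: (ok, reason)."""
    if setter is None:
        setter = os.setxattr          # Linux-only API
    fd, scratch = tempfile.mkstemp(prefix=".kiwi-xattr-probe-", dir=directory)
    os.close(fd)
    try:
        setter(scratch, "user.kiwi.probe", b"1")
        return True, "xattr write succeeded"
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM):
            return False, f"xattr unsupported on {directory}: {exc.strerror}"
        raise                         # anything else is a real error, not a verdict
    finally:
        os.unlink(scratch)


def check_target_dir(directory: str) -> Tuple[bool, str]:
    """Build-time gate combining both signals: (ok, message)."""
    verdict = classify_fs_name(fs_type_name(directory))
    if verdict == "unsupported":
        return False, "target directory is on an unsupported filesystem"
    ok, reason = probe_xattr(directory)
    if not ok:
        return False, reason
    return True, f"filesystem {verdict}, xattr probe ok"


if __name__ == "__main__":
    print(check_target_dir(SCRATCH_DIR))
```

<p>An 'unknown' name does not fail the check on its own; only the probe does, which avoids rejecting a capable filesystem merely because its name is not on the list.</p>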
<ul>
<li>Fix rd.kiwi.oem.luks.reencrypt_randompass workflow</li>
</ul>
<p>When requesting a new random key prior to reencryption, make
sure that this new key is referenced in the current in-memory
initrd crypttab so that all subsequent tasks, e.g. luks resize,
have permission to complete while inside of this initrd
instance</p>
<ul>
<li>Add support for new tarball-based WSL format</li>
</ul>
<p>With the new image="wsl" type one can build a WSL container
image that uses the new tarball format. This Fixes #2678</p>
<ul>
<li>Update SL-Micro build test</li>
</ul>
<p>For details see: https://build.opensuse.org/request/show/1272418</p>
<ul>
<li>Required read-only-root-fs for SL-Micro test build</li>
</ul>
<p>Changes from the SL-Micro team require adaptations to the
integration test description</p>
<ul>
<li>Delete fstab.script from SL-Micro test build</li>
</ul>
<p>This was only needed when /var was an extra partition, but
it's a volume with copy-on-write disabled for some time</p>
<ul>
<li>Add systemd-resolved to TW integration tests</li>
</ul>
<p>For some reason it's no longer part of the systemd standard
installation</p>
<p>Bump version: 10.2.20 → 10.2.21:</p>
<ul>
<li>
<p>Add dkms to test-image-embedded integration test</p>
</li>
<li>
<p>Fixed access issue to etc/kernel for sdboot</p>
</li>
</ul>
<p>In case of an overlayroot setup we have to make sure
that etc/kernel is writable. This is done by a bind
mount of the ESP</p>
<ul>
<li>Update test-image-overlayroot</li>
</ul>
<p>Add another build using grub instead of systemd-boot and use
btrfs as write partition instead of xfs. Please note this test
requires a boot partition because grub cannot read from erofs
and unlike systemd-boot grub does not read all boot data from
the ESP.</p>
<ul>
<li>Fixed get_volume_management</li>
</ul>
<p>If a volume capable filesystem like btrfs is requested, there
must also be a volume definition available to report that
the volume management is actively used. Just the request of
the filesystem can also mean it's being used without volumes
like it could be the case for an overlayroot setup that
requests btrfs as write partition.</p>
<ul>
<li>Update test-image-overlayroot</li>
</ul>
<p>Move to systemd-boot as bootloader, activate secure boot
and drop the extra boot partition. Use XFS for the write
space</p>
<ul>
<li>Allow initrd updates on read-only devices</li>
</ul>
<p>Move initrd to ESP for boot loaders that read data
from there</p>
<ul>
<li>Fix ordering issue for device assignment</li>
</ul>
<p>Wrong assignment of a boot partition in overlayroot setup
without boot partition</p>
<ul>
<li>Add kiwi-settings package for TW</li>
</ul>
<p>De-blacklist erofs to allow building integration tests
with this filesystem</p>
<ul>
<li>Switch to dracut-kiwi-verity</li>
</ul>
<p>So far no luck with the systemd verity generator. This
commit adds the parsing of /etc/veritytab in the existing
kiwi-verity dracut module and uses it in the overlayroot
integration test.</p>
<ul>
<li>Update test-image-overlayroot integration test</li>
</ul>
<p>Switch to erofs for overlay testing. Additionally split the build
into two profiles. The first one just builds a simple overlayroot
oem disk based on erofs. The second one adds a veritysetup layer
and configures the systemd-veritysetup-generator for use in dracut.
This Fixes #2799</p>
<ul>
<li>Add documentation for new attribute</li>
</ul>
<p>Add details how to use the new overlayroot_readonly_filesystem attribute</p>
<ul>
<li>Add support for selecting the overlay read-only fs</li>
</ul>
<p>Add new overlayroot_readonly_filesystem attribute which allows
to select for either squashfs or erofs as the read-only filesystem
in an OEM overlay disk setup.</p>
<ul>
<li>Fixed root setup for verity overlay disk</li>
</ul>
<p>When building an image with overlayroot set to true and
activated verity data, the root= parameter must be
set to root=overlay:MAPPER=verityroot instead of the standard
overlay:PARTUUID mapping.</p>
<ul>
<li>
<p>Make sure the verity record has a superblock</p>
</li>
<li>
<p>Drop distro specific runtime check</p>
</li>
</ul>
<p>The check_efi_mode_for_disk_overlay_correctly_setup exists because
shim-install does not work on read-only devices. However, shim-install
is a SUSE only tool that runs a SUSE specific secure boot setup.
For other secure boot processes this runtime check is not useful.
As runtime checks aim to be generally useful, this one gets
dropped.</p>
<ul>
<li>Fix root clone size setup</li>
</ul>
<p>If the root_clone attribute is specified without providing a
fixed size for the system, kiwi estimates the size needed for
the root part and assigns the rest to the clone. This leads to
different partition sizes for the root clones. As per definition
of a clone the expectation is that the size is the same, this
commit changes the behavior such that the calculated size for
the system is applied to the origin root and all its clones.
As a consequence this can leave unpartitioned space free in
the image. This Fixes #2463</p>
<p>Bump version: 10.2.19 → 10.2.20:</p>
<ul>
<li>Fix reencryption master key passphrase</li>
</ul>
<p>Make sure to use the correct passphrase for the master
key such that it can be decrypted with the same credentials
as before. The credentials reset is a subsequent task
after reencryption.</p>
<p>Bump version: 10.2.18 → 10.2.19:</p>
<ul>
<li>Fixed targettype setup in zipl.conf</li>
</ul>
<p>The special targettype set to GPT still indicates SCSI for
the zipl.conf but tells kiwi to create a GPT disk layout</p>
<ul>
<li>Fixed s390 integration test</li>
</ul>
<p>targettype attribute was in the wrong section</p>
<ul>
<li>Add support for GPT targettype on s390</li>
</ul>
<p>Allow building s390 images using GPT instead of the old DOS
partition table. zipl has added support to read from GPT.
This Fixes #2694</p>
<ul>
<li>Add --no-compress option to bundler</li>
</ul>
<p>Allow skipping the compression for bundle files marked
to become compressed. This Fixes #2736</p>
<ul>
<li>Rawhide (F43) has removed basesystem package</li>
</ul>
<p>The basesystem package was retired with rawhide (F43).</p>
<p>https://src.fedoraproject.org/rpms/filesystem/pull-request/20</p>
<ul>
<li>rawhide install shadow-utils for usermod</li>
</ul>
<p>Using <code>kiwi-ng</code> version 10.2.18 (EL9)</p>
<p>Currently with:</p>
<pre><code>sudo kiwi-ng system build \
    --description kiwi/build-tests/x86/fedora/test-image-docker \
    --set-repo http://ftp.fau.de/fedora/linux/development/rawhide/Everything/x86_64/os/ \
    --target-dir /tmp/myimage1</code></pre>
<p>This fails with:</p>
<pre><code>[ INFO ]: 09:46:38 | Setting up user root
[ INFO ]: 09:46:38 | --> Modifying user: root
[ INFO ]: 09:46:38 | --> Primary group for user root: root
[ ERROR ]: 09:46:38 | KiwiCommandError: chroot: stderr: /sbin/chroot: failed to run command ‘usermod’: No such file or directory</code></pre>
<p>Install the package <code>shadow-utils</code> to provide <code>usermod</code>.</p>
<ul>
<li>Fixed default bls value setup</li>
</ul>
<p>Fixed get_build_type_bootloader_bls behavior in case the bls
attribute is not set. In this case get_bls() returns a None value
which was returned. However in this case the attribute value
should not be taken into account and the method defined default
value for bls should be returned. This Fixes #2542</p>
<p>Bump version: 10.2.17 → 10.2.18:</p>
<ul>
<li>Fix setup of use_disk_password for random secret</li>
</ul>
<p>When using luks="random" in combination with use_disk_password="true"
the resulting cryptomount call in grub is wrong. This commit fixes it</p>
<ul>
<li>Drop copying GRUB2 modules to /boot with Secure Boot UEFI images</li>
</ul>
<p>Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.</p>
<p>It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.</p>
<p>Fixes: https://github.com/OSInside/kiwi/issues/2790</p>
<ul>
<li>Make sure editbootinstall runs offline</li>
</ul>
<p>editbootinstall expects the system to be unmounted</p>
<ul>
<li>
<p>Make sure post sync actions are in scope</p>
</li>
<li>
<p>Follow up fix for overlayroot builds for EFI path</p>
</li>
</ul>
<p>Only perform the boot overlay if there is an extra boot partition</p>
<ul>
<li>
<p>Only remove entries from exclude list if present</p>
</li>
<li>
<p>Fix overlayroot builds for EFI path</p>
</li>
</ul>
<p>Make sure to keep boot/efi mountpoint directories
in the read-only area as they can't be created later</p>
<ul>
<li>doc: overview: Add list of supported Linux distributions</li>
</ul>
<p>These are the Linux distributions that are developed and actively
tested for with the latest kiwi releases.</p>
<p>This should offer greater clarity about what we're able to support
as an upstream project.</p>
<ul>
<li>Fixed mount of image system for volume managers</li>
</ul>
<p>The ImageSystem.mount() method implemented its own handling
for mounting the volumes of a volume manager based system.
First and foremost this duplicates code that already exists
in the respective VolumeManager implementation and second
the code behaved wrong in case of btrfs when there is no
default subvolume configured.</p>
<ul>
<li>Handle grub fix functions less strict</li>
</ul>
<p>If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.</p>
<ul>
<li>Fixed root setup for encrypted overlay disk</li>
</ul>
<p>When building an image with overlayroot set to true and
activated luks encryption, the root= parameter must be
set to root=overlay:MAPPER=luks instead of the standard
overlay:PARTUUID mapping. This Fixes #2776</p>
<ul>
<li>Change suffix for package manager config files</li>
</ul>
<p>Use .config instead of .conf for the temporary package
manager config files. Reason for this change is a bug in
dracut which reads and executes all /*.conf files from
the system. This Fixes #2780</p>
<ul>
<li>Set security context after root sync</li>
</ul>
<p>On selinux enabled image builds we call setfiles initially
after the root tree is complete and after each script invocation
that might change the system. However the security context
also applies to mount points, e.g. volumes, which only exist
at the time when the root tree gets synced to the actual image
binary. Thus this commit also calls setfiles on the mounted
root tree after data sync. This Fixes rh#2333743</p>
<ul>
<li>Fix broken doc link</li>
</ul>
<p>Rephrase chapter pointing to a documentation site at VMware.
They change their documentation URLs so constantly that
I'm tired of fixing this. This Fixes #2782</p>
<p>Bump version: 10.2.16 → 10.2.17:</p>
<ul>
<li>Fix key slot selection for luks reencrypt</li>
</ul>
<p>Depending on the type setup for a luks encrypted image, there
might be one or two key slots available. When kiwi is requested
to perform the reencryption process at least one key-slot and
the proper keyfile/passphrase must be provided. This commit
stores the information about the key-slot number for which
a decryption information exists in the initrd. In addition to
the code change also the corresponding integration test image
was updated.</p>
<ul>
<li>Fixed test-image-gce integration test</li>
</ul>
<p>python3-gcemetadata was renamed to python-gcemetadata</p>
<ul>
<li>Fixed integration test builds for TW</li>
</ul>
<p>Request dracut explicitly when needed</p>
<ul>
<li>Add support for filtering out files from the ESP image for GRUB</li>
</ul>
<p>Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.</p>
<p>For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.</p>
<p>Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777</p>
<ul>
<li>Fix bundle extension for container types</li>
</ul>
<p>When building result files that use container types like oci or docker,
kiwi creates them as archive tarballs with an extension prefix to
indicate the special nature of the archive. However, the bundler
code does not retain the prefix, which results in the wrong file
extension for these archives.</p>
<p>This change adds exceptions for these types and refactors the
exception handling to unify it with the Vagrant image filename
handling, which operates similarly.</p>
<p>Fixes: https://github.com/OSInside/kiwi/issues/2628</p>
<ul>
<li>Update LOADER_TYPE setup for grub</li>
</ul>
<p>If the bootloader attribute: bls is set to true, make sure
the LOADER_TYPE changes to grub2-bls. This is related to
Issue #2773</p>
<ul>
<li>Fix Agama PXE build</li>
</ul>
<p>A bootloader setup is needed to create config.bootoptions.
Even though a ramdisk deployment does not require a bootloader
setup we need it because part of the setup is the root device
reference which is still needed to pivot root into the
system</p>
<ul>
<li>
<p>Fix firmware setting for Agama PXE image</p>
</li>
<li>
<p>Added obs BUILD_FLAVOR for agama</p>
</li>
</ul>
<p>Required for multibuild (multiple profiles) build</p>
<ul>
<li>Update Agama integration test</li>
</ul>
<p>Split the build into two profiles ISO and PXE to differentiate
the build results into a small Agama for remote installations
and a standard Agama for iso based installations</p>
<ul>
<li>Prevent loading unused data in oem deployment</li>
</ul>
<p>In case rd.kiwi.ramdisk is used as part of a remote deployment
setup, it's not needed to load the system kernel and initrd
because it's not used as kexec is not called with the system
deployed into memory. For ramdisk deployments the system is
booted using the currently active kernel and initrd and as
such we can avoid loading an extra kernel and initrd for
booting the system via kexec.</p>
<ul>
<li>Update Agama integration test</li>
</ul>
<p>Make use of &lt;oem-ramdisk-size&gt; in the Agama integration test</p>
<ul>
<li>Added &lt;oem-ramdisk-size&gt; element</li>
</ul>
<p>So far it was only possible to specify the size of the ramdisk
via the kernel commandline option: ramdisk_size. In a remote
deployment it was therefore required to carry this size as a
mandatory information to the deployment server. With this commit
we allow to specify the size for the ramdisk to be configured as
part of the image configuration which makes this information
also available inside of the initrd. If provided the ramdisk_size
kernel commandline option still takes precedence over the
&lt;oem-ramdisk-size&gt; setting to avoid any behavior change and to
still allow dynamic overrides of the ramdisk size.</p>
<ul>
<li>reinstall bootstrap packs in image phase for apt</li>
</ul>
<p>Due to the special bootstrap process, the packages unpacked
during bootstrap are not properly listed in the apt index.
Therefore the bootstrap packages are added to the install
phase, which causes an install of these packages again to
fix the apt index and provide a consistent system from
an apt perspective. This Fixes #2768</p>
<ul>
<li>Fixed restore of keyfile after reencryption</li>
</ul>
<p>When kiwi runs the reencryption it also restores an eventual
existing keyfile. However if the option rd.kiwi.oem.luks.reencrypt_randompass
is specified no former keyfile should be restored. The purpose
of reencrypt_randompass is to make sure only this in memory
passphrase can access the luks pool such that tooling at boot
time gets the opportunity to work with the luks pool for e.g.
setting up a TPM key or set a passphrase only known to the user.</p>
<ul>
<li>Update dracut kiwi-lib module setup</li>
</ul>
<p>Make sure all tools used in code are requested for inclusion</p>
<ul>
<li>keep /usr/bin/sha256sum</li>
</ul>
<p>dropping md5sum was okay, but now we need
the current tool to verify the checksum</p>
<ul>
<li>Restrict keyfile permissions</li>
</ul>
<p>For reencrypt in combination with rd.kiwi.oem.luks.reencrypt_randompass
make sure that the temporary random pass keyfile has 0400 root
owned access permissions set</p>
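<p>Two of the reencrypt_randompass details in this changelog (the in-memory crypttab has to reference the new key, 10.2.22; the temporary keyfile must be 0400 and root owned, 10.2.17) are easy to get subtly wrong, so here is an added example that is not kiwi's dracut code. It creates the keyfile with <code>O_EXCL</code> and mode 0400 from the start, so there is no window in which the passphrase is group or world readable, and rewrites the keyfile column of a crypttab entry. The crypttab is assumed to use the standard crypttab(5) layout <code>name device keyfile options</code>; the sample entry and the mapper name <code>luks</code> are constructed for the example.</p>

```python
"""One-time random LUKS passphrase: keyfile hardening and crypttab reference.

Added example, not kiwi's code. The keyfile is created 0400 with O_EXCL
(never readable by others, not even briefly) and the crypttab entry for the
LUKS pool is pointed at it so later tasks in the same initrd can open it.
"""
import os
import secrets
import stat
import tempfile
from typing import List

# Constructed initrd crypttab in crypttab(5) layout: name device keyfile options
SAMPLE_CRYPTTAB = """\
# constructed initrd crypttab
luks UUID=1234abcd-0000-0000-0000-000000000000 /run/kiwi/old.key luks,discard
"""


def scratch_keyfile_path() -> str:
    """A fresh private directory for the keyfile (example helper)."""
    return os.path.join(tempfile.mkdtemp(prefix="kiwi-luks-"), "random.key")


def write_random_keyfile(path: str, nbytes: int = 32) -> bytes:
    """Create path atomically with mode 0400 and fill it with random bytes.

    O_EXCL refuses to reuse an existing (possibly attacker-placed) file and
    O_NOFOLLOW refuses a symlink at that path. The mode is applied at create
    time, so no chmod-after-write race exists.
    """
    passphrase = secrets.token_bytes(nbytes)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    old_umask = os.umask(0o077)          # belt and braces around the create
    try:
        fd = os.open(path, flags, 0o400)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as fh:
        fh.write(passphrase)
        fh.flush()
        os.fsync(fh.fileno())
    if os.geteuid() == 0:                # root owned when run from the initrd
        os.chown(path, 0, 0)
    return passphrase


def keyfile_is_private(path: str) -> bool:
    """True if path is a regular file with exactly mode 0400."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o400


def point_crypttab_at(crypttab: str, name: str, keyfile: str) -> str:
    """Return crypttab text with the keyfile column of entry `name` replaced."""
    out: List[str] = []
    found = False
    for line in crypttab.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != name:
            out.append(line)
            continue
        while len(fields) < 3:           # entry had only name and device
            fields.append("none")
        fields[2] = keyfile
        out.append(" ".join(fields))
        found = True
    if not found:
        raise KeyError(f"no crypttab entry named {name!r}")
    return "\n".join(out) + "\n"


def crypttab_keyfile(crypttab: str, name: str) -> str:
    """Keyfile column of entry `name`, or 'none' when unset."""
    for line in crypttab.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] == name:
            return fields[2] if len(fields) > 2 else "none"
    raise KeyError(name)


if __name__ == "__main__":
    key = scratch_keyfile_path()
    write_random_keyfile(key)
    print(keyfile_is_private(key), point_crypttab_at(SAMPLE_CRYPTTAB, "luks", key))
```

<p>The passphrase lives only in the returned bytes and in the 0400 file under a fresh directory; a second call on the same path raises <code>FileExistsError</code> instead of silently overwriting, which is the behaviour you want for a one-time secret.</p>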
<ul>
<li>package: Add kiwi-image:oci Provides to -systemdeps-containers</li>
</ul>
<p>This allows the Open Build Service to correctly resolve dependencies
when building OCI images.</p>
<ul>
<li>Better logging which kiwi file is read</li>
</ul>
<p>Improve the log message that tells about reading the
kiwi config file to actually show the file path that
is read in. This is especially an issue if more than
one kiwi file is read in during the build process.</p>
<ul>
<li>
<p>Also keep the ts binary, might be needed to provide timestamped logfiles</p>
</li>
<li>
<p>Update documentation</p>
</li>
</ul>
<p>Add information about new apk (Alpine) support</p>
<ul>
<li>Add support for Alpine</li>
</ul>
<p>Add apk repository and package manager support and provide
an integration test build for the Alpine distribution</p>
<ul>
<li>
<p>Fix F824 flake check for global assignments</p>
</li>
<li>
<p>Use metalink repos for local test builds</p>
</li>
<li>
<p>schema: Allow C as a valid locale</p>
</li>
</ul>
<p>It should be permitted to set the "C.UTF-8" locale for minimal images
that are not preloaded with locales. The "C.UTF-8" locale has been
supported in Linux distributions for many years.</p>
<p>Bump version: 10.2.15 → 10.2.16:</p>
<ul>
<li>Support sourcetype setting on the commandline</li>
</ul>
<p>Allow specifying the sourcetype (metalink|baseurl|mirrorlist)
also on the commandline via --set-repo/--add-repo options. So
far this was only possible as part of the kiwi description file</p>
<p>Bump version: 10.2.14 → 10.2.15:</p>
<ul>
<li>Fix gh-pages deployment</li>
</ul>
<p>poetry install was not called, thus sphinx was not present</p>
<p>Bump version: 10.2.13 → 10.2.14:</p>
<ul>
<li>Drop use of travis-sphinx</li>
</ul>
<p>According to the documentation of peaceiris/actions-gh-pages
the sphinx-build output can be directly consumed to publish
to github pages</p>
<ul>
<li>Allow stderr data in CommandProcess</li>
</ul>
<p>Enhance poll_show_progress() method to allow polling on
stderr data too. The new parameter with_stderr is used
together with the dnf5 package manager. dnf5 has changed
in a way that a lot of useful information during the
install of packages is printed to stderr. From my perspective
a clear regression to former behavior but we can fix this
in kiwi to poll on both channels. This Fixes #2748</p>
<ul>
<li>Support arch attribute for &lt;users&gt; section</li>
</ul>
<p>Allow to setup users per arch. This Fixes #2737</p>
<ul>
<li>Add Debian_12_update repo for testing with typer</li>
</ul>
<p>Even though we will add support for the typer Cli with kiwi-11
I want our integration test images to be able to build with the
open PR #2751. Debian 12 is the only target in the support matrix
which uses a too old version of typer. Therefore to be able to
test this target I built a newer version of typer in an update
repo for Debian 12 and added it to the integration test
description</p>
<ul>
<li>
<p>Fixed python3_sitelib for debbuild in OBS</p>
</li>
<li>
<p>Fixed test-image-agama</p>
</li>
</ul>
<p>Service setup-systemd-proxy-env.path no longer exists</p>
<ul>
<li>Explicitly request shadow-utils</li>
</ul>
<p>Make sure shadow-utils gets installed for rawhide
integration tests</p>
<ul>
<li>Drop test-image-suse-on-dnf test</li>
</ul>
<p>This was just a "can this work" test but has no real
relevance for users since nobody would use dnf to build
a suse image, there is also no help when it does not
work. So let's drop this test build</p>
<ul>
<li>distutils sysconfig is deprecated</li>
</ul>
<p>Move to sysconfig module</p>
<ul>
<li>Make integration tests to build outside of OBS</li>
</ul>
<p>Update and extend all integration tests such that they also
build outside of the Open Build Service. Along with the changes
on the descriptions a simple build-tests.sh script was added
to drive the build process. The build is based on the kiwi
boxbuild plugin in container mode to build the tests
from a given build-tests directory. A new chapter to document
how to Build the Build Tests is also provided and referenced
on the github main page.</p>
<ul>
<li>Add rd.kiwi.oem.luks.reencrypt_randompass</li>
</ul>
<p>For OEM LUKS2 encrypted disk images in combination
with rd.kiwi.oem.luks.reencrypt. Reset the insecure build-time
passphrase with a random one-time passphrase</p>
<p>Bump version: 10.2.12 → 10.2.13:</p>
<ul>
<li>Lookup CHRP loader instead of using a static name</li>
</ul>
<p>On ppc the CHRP loader name can vary between distributions.
This commit adds a search method to lookup different ELF
loader names. In addition an integration test image for
Fedora was added. This Fixes #2741</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-152=1</code>
</li>
<li class="list-group-item">
SUSE Linux Micro Extras 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-152=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dracut-kiwi-lib-10.2.22-slfo.1.1_1.1</li>
<li>dracut-kiwi-oem-dump-10.2.22-slfo.1.1_1.1</li>
<li>dracut-kiwi-oem-repart-10.2.22-slfo.1.1_1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro Extras 6.1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python3-kiwi-10.2.22-slfo.1.1_1.1</li>
<li>kiwi-systemdeps-core-10.2.22-slfo.1.1_1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro Extras 6.1 (noarch)
<ul>
<li>python311-xmltodict-0.13.0-slfo.1.1_1.2</li>
<li>python311-docopt-0.6.2-slfo.1.1_1.2</li>
</ul>
</li>
</ul>
</div>