<div class="container">
<h1>Recommended update for python-kiwi</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:20534-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-07-29T08:38:24Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242987">bsc#1242987</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244668">bsc#1244668</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1245190">bsc#1245190</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.1</li>
<li class="list-group-item">SUSE Linux Micro Extras 6.1</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has three fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-kiwi fixes the following issues:</p>
<p>Bump version: 10.2.28 → 10.2.29:</p>
<ul>
<li>Fix return from repart stage</li>
</ul>
<p>If we return from the repart stage it's important to wait
for the root device to appear. This is because the device
setup from udev might still be held back due to a former
lock on the device. This means if we return fast after
locking for example when check_repart_possible() quickly
finds out that it's not possible, then udev has not yet
got the time to create the device nodes.
This Fixes #2863</p>
<ul>
<li>Fix dracut code to be POSIX compliant</li>
</ul>
<p>The redirect type "&lt; &lt;(...)" is not POSIX compliant and leads
to a syntax error in dracut, which calls bash as "sh", leading
it to be restricted to POSIX only</p>
<ul>
<li>Extend test-image-lvm integration test</li>
</ul>
<p>For testing a bit more complex resize procedure, update
the lvm integration test to run more resize actions
with required device locking</p>
<ul>
<li>Apply proper udev locking</li>
</ul>
<p>Several commands during repart, resize and other actions
require a proper lock to be set for udev such that other
events know about the locked state of a device and do
not mess with it until the command for which the lock
persists has completed. This commit applies proper udev
locks to all commands that require it. In addition,
incorrect code that was expected to prevent such race
conditions got dropped from the implementation.
This is related to bsc#1242987</p>
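<p>An added illustration (not kiwi's own code) of holding a udev lock around a repart or resize command. It assumes the systemd-udev convention that an exclusive BSD flock(2) on the whole-disk node makes udev defer its event processing for that device until the lock is released, and it uses a temporary regular file as a constructed stand-in for the device node so it runs without a real disk; all function names are assumptions.</p>

```python
import fcntl
import os
import subprocess
import tempfile
from contextlib import contextmanager
from typing import Iterator, List


@contextmanager
def udev_device_lock(device: str) -> Iterator[int]:
    """Hold the lock udev honours on a whole-disk node for the with-block.
    Assumption (systemd-udev block device locking convention): an exclusive
    BSD flock(2) on e.g. /dev/sda makes udev defer event processing for that
    device, so it cannot re-read a half-written partition table."""
    fd = os.open(device, os.O_RDONLY | os.O_CLOEXEC)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)  # blocks until earlier holders finish
        yield fd
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def run_locked(device: str, argv: List[str]) -> subprocess.CompletedProcess:
    """Run a partitioning/resize command while udev is held off the device."""
    with udev_device_lock(device):
        return subprocess.run(argv, check=True, capture_output=True, text=True)


def is_locked(device: str) -> bool:
    """Non-blocking probe: True if another open file description holds the lock."""
    fd = os.open(device, os.O_RDONLY | os.O_CLOEXEC)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        return True
    else:
        fcntl.flock(fd, fcntl.LOCK_UN)
        return False
    finally:
        os.close(fd)


def stand_in_device() -> str:
    """A temporary regular file standing in for a block device node
    (constructed for the demo), so nothing touches a real disk."""
    fd, path = tempfile.mkstemp(prefix="fake-disk-")
    os.close(fd)
    return path


def lock_probe_sequence(device: str) -> List[bool]:
    """is_locked() before, while and after holding the lock."""
    before = is_locked(device)
    with udev_device_lock(device):
        during = is_locked(device)
    after = is_locked(device)
    return [before, during, after]
```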
<ul>
<li>relocate GPT at the end of disk using sfdisk</li>
</ul>
<p>Using sfdisk for relocation and verification makes this
part more consistent. We also want to move away from gdisk.
This is related to #2851</p>
<ul>
<li>Do not strictly require config.partids in repart</li>
</ul>
<p>The kiwi-repart implementation requires a metadata file
named config.partids which holds information about
partition ids and more stored at the time the image was
built. Depending on the complexity of the image and the
resize request some of the information can be rebuilt
in case the metadata file is missing. This commit adds
the rebuild of the minimum required information to run
a standard resize and therefore allows the kiwi-repart
dracut module to work also without config.partids being
present in the system</p>
<ul>
<li>Do not drop /config.partids</li>
</ul>
<p>The partition id metadata file is used in the kiwi-repart
module. If a user wants to use the kiwi repart module
permanently, this metadata file needs to stay in the system.
Therefore it should not be automatically deleted by the
cleanup. A disk.sh hook script can be used to force the
deletion of the file though. This is related to #2851</p>
<ul>
<li>Fix centos/test-image-live-disk-v10</li>
</ul>
<p>There is no package named iprutils</p>
<ul>
<li>Fix centos/test-image-live-disk-v10</li>
</ul>
<p>Update package names</p>
<ul>
<li>
<p>Added centos/test-image-live-disk-v10 build test</p>
</li>
<li>
<p>Fix tumbleweed/test-image-gce integration test</p>
</li>
</ul>
<p>Drop obsolete growpart</p>
<ul>
<li>Followup fix to support older apt versions for bootstrap</li>
</ul>
<p>There are apt versions that do not create missing state files.
Make sure the intermediate bootstrap state file is created in
any case. This Fixes #2857</p>
<ul>
<li>Fixed integration test builds</li>
</ul>
<p>Next round of fixes for integration tests. Missing
or wrong service activations</p>
<ul>
<li>Fix arm/tumbleweed/test-image-rpi</li>
</ul>
<p>Fix snapper setup for this integration test</p>
<ul>
<li>Fixed test-image-live-disk</li>
</ul>
<p>Added missing openssh-server package</p>
<ul>
<li>Fixed test-image-azure</li>
</ul>
<p>Add missing python-azure-agent-config-default package</p>
<ul>
<li>Fixed debian integration test builds</li>
</ul>
<p>secure shell service is named ssh and not sshd there</p>
<ul>
<li>Fixed integration test builds</li>
</ul>
<p>Second round of fixes for integration tests. Again errors
now became visible due to the refactoring of the script code</p>
<ul>
<li>Fixed integration test builds</li>
</ul>
<p>Errors from scripts were no longer ignored due to the last
cleanup of the integration test script code. This commit
fixes the now exposed build errors</p>
<ul>
<li>Fix check_target_dir_on_unsupported_filesystem</li>
</ul>
<p>Find the first existing path in the target path and
check the filesystem capabilities for this path.
This Fixes #2858</p>
<ul>
<li>Cleanup integration tests config.sh script code</li>
</ul>
<p>Add script code to shellcheck and fix all reported issues.
Get rid of suseXX and baseXX methods as much as possible.
Add set -ex for all script code. Do not allow any script
code to fail.</p>
<ul>
<li>defaults: Add patterns for shim/grub2 on riscv64</li>
</ul>
<p>A recent commit changed the way these are looked up and
accidentally broke image building on riscv64, with</p>
<p>KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found</p>
<p>now being raised for kiwi recipes that worked just fine
before that moment.</p>
<ul>
<li>Add SLFO test-image-disk-simple integration test</li>
</ul>
<p>Add simple disk test and allow for testing the new
transparent container idea for the aws toolchain. Also
add SLFO builds to the helper script</p>
<ul>
<li>Fixed check for unallocated space on disk</li>
</ul>
<p>So far the check for unallocated space was only working for GPT
and there it was also not really stable. The check was based on
verifying if the backup GPT table is really at the end of the
disk. Depending on which tool was used to dump the image on the
target this "mistake" often got corrected by the tools that
dumped the image. In this case the check no longer worked.
This commit improves the check by another test which looks
for the real free bytes on disk compared to the current
partition geometry.</p>
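<p>An added example (not kiwi's implementation) of the geometry-based free space check described above: it parses a constructed <code>sfdisk --dump</code>-style layout and compares the end of the last partition with the usable end of the disk, so the check still works when the tool that wrote the image already moved the backup GPT to the end of the disk. The sample dump, the helper names and the 1 MiB threshold are assumptions.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Partition:
    node: str
    start: int  # first sector
    size: int   # length in sectors


@dataclass
class DiskLayout:
    sector_size: int
    last_lba: Optional[int]      # last usable sector (present in GPT dumps)
    partitions: List[Partition]


# Constructed sample in the style of `sfdisk --dump`: a 10 GiB image written
# onto a 20 GiB target whose backup GPT was already moved to the real end.
SAMPLE_DUMP = """\
label: gpt
unit: sectors
first-lba: 34
last-lba: 41943006
sector-size: 512

/dev/sda1 : start=        2048, size=     1048576, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/sda2 : start=     1050624, size=    19918848, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
"""

_PART_RE = re.compile(r"^(\S+)\s*:\s*start=\s*(\d+),\s*size=\s*(\d+)")


def parse_sfdisk_dump(text: str) -> DiskLayout:
    """Minimal parser for the header keys and partition lines used here."""
    sector_size, last_lba, parts = 512, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sector-size:"):
            sector_size = int(line.split(":", 1)[1])
        elif line.startswith("last-lba:"):
            last_lba = int(line.split(":", 1)[1])
        else:
            match = _PART_RE.match(line)
            if match:
                parts.append(Partition(match.group(1), int(match.group(2)), int(match.group(3))))
    return DiskLayout(sector_size, last_lba, parts)


def unallocated_bytes(layout: DiskLayout, disk_size_bytes: int) -> int:
    """Free bytes between the last partition and the usable end of the disk,
    derived from partition geometry rather than from where the backup GPT sits."""
    if layout.last_lba is not None:
        usable_end = layout.last_lba + 1                    # GPT: backup table excluded
    else:
        usable_end = disk_size_bytes // layout.sector_size  # MBR: whole disk usable
    last_end = max((p.start + p.size for p in layout.partitions), default=0)
    return max(usable_end - last_end, 0) * layout.sector_size


def needs_repart(layout: DiskLayout, disk_size_bytes: int, min_free: int = 1 << 20) -> bool:
    """True when the unallocated space is worth a resize (threshold assumed: 1 MiB)."""
    return unallocated_bytes(layout, disk_size_bytes) >= min_free
```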
<ul>
<li>Move to neutral directory for calling osc</li>
</ul>
<p>When calling the helper/build_status.sh script to get an
overview about the results of the integration tests, there
is a stupid new behavior from the osc tool that it assumes
a package name according to the name of the directory you
are in, probably connected to the fact that the data in this
directory is a git checkout or some other strange assumption.
This commit moves to a neutral directory where none of the
osc internal assumptions apply and it just does what it
should do... showing results of the given project.</p>
<ul>
<li>Fix regression in get_partition_node_name</li>
</ul>
<p>Backwards compat for lsblk before 2.38: if the START column
is not supported, fall back to the default sort</p>
<ul>
<li>Add global option --setenv</li>
</ul>
<p>Allow to set environment variables in the caller environment
via the commandline, e.g. <code>--setenv SOURCE_DATE_EPOCH=42</code></p>
<ul>
<li>Seed filesystem UUIDs with SOURCE_DATE_EPOCH</li>
</ul>
<p>For reproducible builds the calculation of the filesystem UUID
should be persistent with each rebuild of the image. To achieve
this the UUID is calculated using the SOURCE_DATE_EPOCH from
the environment plus a char-number representation of the filesystem
label name as random seed. In kiwi every filesystem is created
with a label, thus only in case there is no SOURCE_DATE_EPOCH
available we continue to create the UUID as random data.
This Fixes #2761</p>
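<p>An added example (not kiwi's code) of seeding the filesystem UUID from SOURCE_DATE_EPOCH plus the label as described above. The exact char-number encoding of the label, the use of Python's seeded random module as the generator and the function names are assumptions; without a usable SOURCE_DATE_EPOCH it falls back to a random UUID.</p>

```python
import os
import random
import uuid
from typing import Optional


def label_seed(label: str) -> int:
    """Char-number representation of a filesystem label (assumed encoding):
    the decimal code point of every character, concatenated ("AB" -> 6566).
    An empty label contributes 0."""
    return int("".join(str(ord(char)) for char in label)) if label else 0


def filesystem_uuid(label: str, source_date_epoch: Optional[str] = None) -> uuid.UUID:
    """Deterministic UUID when SOURCE_DATE_EPOCH is usable, random otherwise.

    source_date_epoch=None reads the variable from the environment; pass an
    explicit value (or "") to make the result independent of the caller's env.
    """
    if source_date_epoch is None:
        source_date_epoch = os.environ.get("SOURCE_DATE_EPOCH")
    try:
        epoch_seconds = int(source_date_epoch) if source_date_epoch else None
    except ValueError:
        epoch_seconds = None        # malformed value: treat as not available
    if epoch_seconds is None:
        return uuid.uuid4()         # no reproducibility requested: random data
    # Seed a PRNG with epoch + label so each (build timestamp, filesystem) pair
    # yields the same UUID on every rebuild, while the version/variant bits
    # stay valid so the result still looks like a normal version-4 UUID.
    rng = random.Random(epoch_seconds + label_seed(label))
    return uuid.UUID(int=rng.getrandbits(128), version=4)
```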
<ul>
<li>Add label attribute for &lt;partition&gt; section</li>
</ul>
<p>Allow to specify a filesystem label as part of a &lt;partition&gt;
definition. So far the label was set by the name of the
partition. With the new label attribute, a filesystem label
different from the partition name can be set. This commit
also updates/fixes the documentation in this regard.</p>
<ul>
<li>Improve log message in SystemIdentifier</li>
</ul>
<p>Add some scope information such that we know where
this log information originates.</p>
<ul>
<li>Add rd.kiwi.install.devicepersistency</li>
</ul>
<p>Allow to specify which type of persistent device name should
be used to build up the list of installation disk devices.
For example rd.kiwi.install.devicepersistency=by-path would
use the by-path representations for the available disk
devices. The default (by-id) stays untouched. In case an
invalid or not present device representation is selected, kiwi
falls back to the non persistent unix node names.</p>
<ul>
<li>Update test-image-disk</li>
</ul>
<p>Add NetworkManager for better remote debugging capabilities</p>
<ul>
<li>Make mbr-id deterministic</li>
</ul>
<p>Log the value of SDE so it is available to review,
even if the build system does not tell about it.</p>
<p>Update the tests to cover the new code-path.</p>
<ul>
<li>Ensure dracut initrd is reproducible</li>
</ul>
<p>This helps a bit with issue #2358</p>
<p>Add reproducible flag for UKI too</p>
<p>Update tests accordingly</p>
<ul>
<li>Add kernel parameter support for dm-verity options</li>
</ul>
<p>Implement rd.kiwi.verity_options= parameter to allow runtime customization of veritysetup options</p>
<ul>
<li>Fix shim lookup for arm on SUSE</li>
</ul>
<p>Add missing search path for shim binary on arm based SUSE
systems. Also update the tumbleweed/test-image-live-disk
integration test for arm to build with secure boot enabled
to actually test a secure boot enabled ISO build.
This Fixes #2842</p>
<ul>
<li>
<p>Add container_import template test</p>
</li>
<li>
<p>Fixed get_partition_node_name</p>
</li>
</ul>
<p>The function get_partition_node_name takes the disk device
and the partition index as arguments to match against the
respective device node for this partition index. The partition
index is the position of the partition in the partition table
according to their start offset. For the code to function
properly it is required that the list of partitions provided
by lsblk is ordered according to the start address of the
partitions in the table. The way lsblk was called did not
enforce this ordering. This commit enforces the order to
be done against the start offset and fixes bsc#1245190</p>
<ul>
<li>Add support for container-snap as a container-image engine</li>
</ul>
<p>With this commit, we can now pre-load images using container-snap directly
during the kiwi image build</p>
<ul>
<li>Update test-image-MicroOS for local build</li>
</ul>
<p>Fix bootstrap setup such that micro-os patterns can resolve</p>
<ul>
<li>Fix logging of stderr data in command calls</li>
</ul>
<p>The stderr data was presented as one blob without line
breaks. Hard to read and smells like a bug. This commit
fixes the output to become readable</p>
<ul>
<li>Update test-image-MicroOS/disk.sh</li>
</ul>
<p>Add a findmnt for / to check if there is a proper root
device reference</p>
<ul>
<li>Fix mount system for root_is_snapper_snapshot</li>
</ul>
<p>If root is a snapper snapshot we have to tell the
chroot a proper root mount point which can be achieved
by a bind mount pointing to itself. This Fixes
bsc#1244668</p>
<ul>
<li>There is no shim for aarch64 on SUSE</li>
</ul>
<p>Fix integration test for standard EFI (no secure boot)
setup on arm</p>
<ul>
<li>Add driver configuration support for dracut initrd</li>
</ul>
<p>Add support for specifying kernel drivers to be included or omitted
in the dracut initrd configuration. This extends the existing dracut
configuration capabilities like in the following example</p>
<p><code>&lt;initrd action="add"&gt;<br/>
&lt;dracut driver="erofs"/&gt;<br/>
&lt;/initrd&gt;</code></p>
<ul>
<li>Fixed rootfs size calculation with spare part</li>
</ul>
<p>In case a spare_part setup is combined with the root_clone feature,
the size calculation for the rootfs did not take the cloning into
account and led to the wrong value. In addition, when requesting
the spare part to be last and no size information was given, the
partition was not created at all. This commit fixes both defects
and Fixes #2831</p>
<ul>
<li>Add dependency for isomd5sum for iso images and set in kiwi-settings</li>
</ul>
<p>This ensures that isomd5sum is pulled into the environment for ISO image
builds, and the updated settings make it so that kiwi boxes will use it.</p>
<ul>
<li>Allow /boot to be a btrfs subvolume</li>
</ul>
<p>In a btrfs based design, allow to put /boot as subvolume.
This required a small fix in the mount order in a way that
boot/efi gets mounted after the subvolume mounts are done.
The respective integration test has been updated to test
this functionality. This Fixes #2824</p>
<ul>
<li>Use f-strings where feasible</li>
</ul>
<p>This is a slightly shorter and easier to read syntax</p>
<ul>
<li>Allow multiple EFI arch binaries/modules</li>
</ul>
<p>Allow to look up and include EFI binaries/modules for
multiple architectures. For testing, the integration
test in rawhide/test-image-live-disk has been adapted
accordingly to install 32bit and 64bit EFI binaries.
This Fixes #2822</p>
<ul>
<li>Log warning message for disabled runtime checks</li>
</ul>
<p>Complete type hints for RuntimeConfig class and log
a warning message for each disabled runtime check</p>
<ul>
<li>
<p>Fix static type argument int vs. str</p>
</li>
<li>
<p>Move it inside the context that actually uses it</p>
</li>
</ul>
<p>Also rename it to "supported" as that seems to more closely match
what it resembles</p>
<ul>
<li>
<p>Add overlayfs as supporting xattr/ACLs as well</p>
</li>
<li>
<p>Fix disk_type validation for zipl loader</p>
</li>
</ul>
<p>If the targettype is set to GPT in combination with plain
zipl as loader, the code to validate the targettype against
the targetgeometry was not effective and zipl failed.
This Fixes #2821</p>
<ul>
<li>
<p>Fixup overlay unit enablement</p>
</li>
<li>
<p>Fixup overlay mount dependencies</p>
</li>
<li>
<p>Update test-image-overlayroot integration test</p>
</li>
</ul>
<p>Use proper systemd mount units to setup the custom overlay.
The handling of fstab entries by systemd is limited and
should be better handled by self managed mount units</p>
<ul>
<li>Use proper mount units for overlay setup</li>
</ul>
<p>Instead of manual mounting create a proper systemd mount
unit. This allows to manage mount dependencies and the order
of nested mounts in a clean way</p>
<ul>
<li>Cleanup build metadata</li>
</ul>
<p>Make sure the final image rootfs does not contain unneeded
metadata files used during build time. The respective cleanup
call is performed after the root sync and after all initrd/boot
processing has been done. This is because up to that point it's
still possible that the information is required. This means
when building images with a read-only rootfs, it might not be
possible that the metadata can be deleted due to a chicken&amp;egg
situation. Furthermore the cleanup is applied to the disk
builder only as other builders do not really suffer from
this data and for the container builder the metadata can
also be used for the stackbuild feature when building images
derived from containers. This Fixes #2668</p>
<ul>
<li>Update overlay integration test for partial write</li>
</ul>
<p>Update the sdboot_uki_verity_erofs profile of the
test-image-overlayroot integration test with a custom
fstab example to overlay only parts of the system
for writing. This Fixes #2815</p>
<ul>
<li>bootloader setup without overlay write partition</li>
</ul>
<p>If overlayroot_write_partition="false" is set, no system
indicator was stored. This caused the bootloader setup to
be skipped completely, which is not required for e.g.
systemd-boot.</p>
<ul>
<li>Make sure to create overlay directories</li>
</ul>
<p>Create overlay directories even if rd.root.overlay.readonly
is set. This allows individual fstab overlay mounts to be
performed</p>
<ul>
<li>Fixed rd.root.overlay.readonly overlay mode</li>
</ul>
<p>When booting an overlayroot image with rd.root.overlay.readonly
set, the system will boot with only the read-only root mounted.
There was a bug in the dracut code which prevented this mount
from succeeding when the read-only rootfs is different from
squashfs. This commit changes the mount to be a simple bind
mount, independent of the origin filesystem. This works because
the read-only mount is performed in the dracut overlay code
anyway. This is related to Issue #2815</p>
<ul>
<li>The way we build debs requires setuptools</li>
</ul>
<p>debbuild doesn't work when setuptools is not there</p>
<ul>
<li>Drop use of setuptools</li>
</ul>
<p>Since we moved to poetry and no code using setuptools anymore,
this requirement can be dropped. The commit also updates the
plugin documentation which was still based on setup.py</p>
<ul>
<li>Update live boot remote boot features</li>
</ul>
<p>Like the upstream module also support the root=live:http://...
remote boot options. The kiwi-live dracut module is scheduled
to become obsolete, but it's still in use and should support
remote boot not only for AoE. As we got more issue reports than
working AoE remote boot success, this commit also updates the
documentation and switches to the capabilities of this PR.</p>
<ul>
<li>Add UKI support for the grub bootloader</li>
</ul>
<p>In addition to systemd_boot also add support for UKI creation
when grub is used. This includes the creation of a UKI image
via dracut in the same way as it's done for systemd_boot.
In addition an earlyboot grub script chainloads the UKI and
bypasses any written grub configuration. In theory this should
also allow to use the shim loader for chainloading a UKI.
However I haven't done testing in this direction and I also
expect security issues with this approach because loading
any non signed data by shim is not expected to work. A new
profile named grub_uki_verity_erofs has been added to the
integration test that experiments with UKIs</p>
<ul>
<li>Add support for &lt;initrd&gt; section as part of &lt;type&gt;</li>
</ul>
<p>Extend scope and content of the &lt;initrd&gt; section to be allowed
as part of the &lt;type&gt; section. This allows to specify custom
call options and modules for the dracut tool. In particular
this commit implements support for passing the uefi option
to dracut to enable building a UKI EFI binary as follows:</p>
<p><code>&lt;initrd action="setup"&gt;<br/>
&lt;dracut uefi="true"/&gt;<br/>
&lt;/initrd&gt;</code></p>
<p>This Fixes #2809 and Fixes #2408</p>
<ul>
<li>Fix systemd-boot loader setup</li>
</ul>
<p>To make sure only loader entries from /boot/efi/loader/entries
are used, kiwi deleted any existing entry files from /boot/loader.
However that is a problem for read-only systems and should actually
also not be performed by kiwi. This Fixes #2805</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-194=1</code>
</li>
<li class="list-group-item">
SUSE Linux Micro Extras 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-194=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dracut-kiwi-oem-repart-10.2.29-slfo.1.1_1.1</li>
<li>dracut-kiwi-oem-dump-10.2.29-slfo.1.1_1.1</li>
<li>dracut-kiwi-lib-10.2.29-slfo.1.1_1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro Extras 6.1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python3-kiwi-10.2.29-slfo.1.1_1.1</li>
<li>kiwi-systemdeps-core-10.2.29-slfo.1.1_1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242987">https://bugzilla.suse.com/show_bug.cgi?id=1242987</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244668">https://bugzilla.suse.com/show_bug.cgi?id=1244668</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1245190">https://bugzilla.suse.com/show_bug.cgi?id=1245190</a>
</li>
</ul>
</div>