<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-virtualization.git/recipes-support, branch master-next</title>
<subtitle>Mirror of git.yoctoproject.org/meta-virtualization</subtitle>
<id>https://git.enea.com/cgit/linux/meta-virtualization.git/atom?h=master-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-virtualization.git/atom?h=master-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/'/>
<updated>2026-04-28T11:27:58+00:00</updated>
<entry>
<title>ca-certificates: remove conditional SRC_URI entries</title>
<updated>2026-04-28T11:27:58+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-04-28T02:03:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=5424160c491edbda215095da99d81a941bcfc5c5'/>
<id>urn:sha1:5424160c491edbda215095da99d81a941bcfc5c5</id>
<content type='text'>
The entire file is conditional, we don't need protections on the
SRC_URI entries.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>ca-certificates: Ensure changes only apply with the selected DISTRO_FEATURES</title>
<updated>2026-04-28T11:27:58+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2026-04-24T08:38:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=e94ddc214b795688fe70535aec900ff37a24b40d'/>
<id>urn:sha1:e94ddc214b795688fe70535aec900ff37a24b40d</id>
<content type='text'>
This fixes yocto-check-layer failures:

 ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -&gt; c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
      List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
      Variable SRC_URI value changed:
      @@ -1 +1,2 @@
      -${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch            file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch            file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
      +${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch            file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch            file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch             ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization',     'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0      https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0',     '', d)}
      +DISTRO_FEATURES{virtualization} = Unset

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>ca-certificates: guard bbappend with virtualization DISTRO_FEATURES</title>
<updated>2026-04-14T11:26:00+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-04-14T11:22:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=47e3829101321fa694627c1b3cf19a28092d1b73'/>
<id>urn:sha1:47e3829101321fa694627c1b3cf19a28092d1b73</id>
<content type='text'>
The unconditional bbappend to ca-certificates breaks yocto-check-layer
compatibility when the layer is included without 'virtualization' in
DISTRO_FEATURES. Guard both the SRC_URI additions and the do_install
append with a bb.utils.contains check, matching the pattern used by
other bbappends in the layer (busybox, qemu, etc.).

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>vcontainer: fix registry login and TLS certificate chain</title>
<updated>2026-04-13T01:08:31+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-04-12T23:53:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=4e6c583591c1da7e898254dd33eca5cc04c739a9'/>
<id>urn:sha1:4e6c583591c1da7e898254dd33eca5cc04c739a9</id>
<content type='text'>
vcontainer-common.sh:
- Fix docker/podman login hanging silently in daemon mode. The login
  command requires interactive stdin for the password prompt, which
  the non-interactive daemon-send channel cannot provide. Use
  daemon-interactive mode (same as vshell/exec -it) which provides
  TTY passthrough via the virtio-serial + socat + expect channel.

ca-certificates bbappend:
- Add Let's Encrypt E8 (ECDSA) and R11 (RSA) intermediate certificates
  via a ca-certificates bbappend. Certs are fetched at build time from
  letsencrypt.org and installed into the standard CA certificate path.
  update-ca-certificates incorporates them into the system CA bundle.
- Some registries (e.g., registry.yocto.io) don't send the full
  certificate chain, causing TLS verification to fail with Go programs
  (Docker, skopeo, podman) even though the root CAs are present.

vdkr-rootfs-image.bb:
- Add ca-certificates to IMAGE_INSTALL

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>dnsmasq: add dnsmasq.d entries for lxc and libvirt</title>
<updated>2017-12-28T16:12:26+00:00</updated>
<author>
<name>Mark Asselstine</name>
<email>mark.asselstine@windriver.com</email>
</author>
<published>2017-12-22T20:57:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=00a801aee140c91ae968ffad271fc85702ff80ff'/>
<id>urn:sha1:00a801aee140c91ae968ffad271fc85702ff80ff</id>
<content type='text'>
A while ago changes were merged to meta-openembedded to make
/etc/dnsmasq.d (and specifically the files it contains) referenced
when the main instance of dnsmasq is run (see dnsmasq.service and
commit ba665493a0dd [dnsmasq: allow for dnsmasq instances to reuse
default dnsmasq.conf]).

We, however, continued to modify the global configuration
(/etc/dnsmasq.conf) to keep the main instance of dnsmasq from
attaching to virbr0 and lxcbr0, by using 'bind-dynamic'. This approach
is problematic, since it is common that other instances of dnsmasq
will make use of the global configuration file and may have
incompatible options. We see this for example when attempting to start
lxc-net which will attempt to use 'bind-interface' which is
incompatible with 'bind-dynamic' that we were adding to the global
configuration.

Here we remove our change to the global configuration (leaving it
mostly empty as it should be) and instead have lxc and libvirt
packages instruct the global instance not to bind to virbr0 and lxcbr0
by adding configuration files to /etc/dnsmasq.d (setting
except-interface).

The added benefit to this approach is that if lxc or libvirt are not
part of an image the global configuration will not be modified in such
a way as to expect that they are present.

Signed-off-by: Mark Asselstine &lt;mark.asselstine@windriver.com&gt;
Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@windriver.com&gt;
</content>
</entry>
<entry>
<title>dnsmasq: allow for multiple instances (per libvirt)</title>
<updated>2015-09-10T18:42:43+00:00</updated>
<author>
<name>Mark Asselstine</name>
<email>mark.asselstine@windriver.com</email>
</author>
<published>2015-09-10T17:59:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=c3c4d977cbb51363f9030c2e39d56a772b29f73b'/>
<id>urn:sha1:c3c4d977cbb51363f9030c2e39d56a772b29f73b</id>
<content type='text'>
We have had a persistent issue of contention with multiple instances
of dnsmasq. When libvirtd is started it will attempt and fail to
create virbr0 that includes a dnsmasq binding (dnsmasq complains that
the port is already in use). The root cause being that the base
dnsmasq configuration uses the 'default' binding, meaning it will be
greedy and bind to all available interfaces, along with any new
interfaces that appear. This prevents any new instances of dnsmasq to
fail. By changing the base dnsmasq configuration to use 'bind-dynamic'
we will be able to create new interfaces and if we want to attach a
new dnsmasq instance for the new interface we can, without contention.

Overall this change should not change the default behavior (other than
fixing the contention) as the 'bind-dynamic' mode will allow the base
config to attach to new interfaces which are not bound to new
dnsmasq instances.

Removing dnsmasq_exclude_virbr.conf which was a previous (partial)
attempt that was made to resolve this issue.

Signed-off-by: Mark Asselstine &lt;mark.asselstine@windriver.com&gt;
Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@windriver.com&gt;
</content>
</entry>
</feed>
