Ptest support was disabled in commit 816d4c6e0e7c due to breakage in
source handling that prevented proper installation of test files.
Fix the ptest installation by:
- Copying test binaries from the build directory, preserving subdirectory
structure (e.g., oss-fuzz/) for optional test components
- Installing *.at test definitions and *.py test scripts from the source tree
- Fixing PYTHONPATH in atlocal to use runtime paths instead of build paths
- Symlinking schema files already provided by the main package to avoid
file duplication
Re-enable ptest now that installation works correctly.
Test results on genericx86-64:
PASS: checkpatch - catastrophic backtracking
PASS: checkpatch - Unicode code
PASS: appctl-bashcomp - complex completion check 4
PASS: appctl-bashcomp - complex completion check 2
PASS: checkpatch - check misuse APIs
PASS: checkpatch - whitespace around cast
PASS: checkpatch - comments
PASS: checkpatch - check egrep / fgrep
PASS: checkpatch - file contents checks - bare return
PASS: checkpatch - subject
PASS: appctl-bashcomp - negative test
...
...
...
PASS: drop-stats - bridge sampling
PASS: drop-stats - sampling action
PASS: ovsdb-idl - Check Python IDL reconnects to leader - Python3 (leader only)
PASS: monitor-cond-change with many sessions pending
2658 tests were successful.
89 tests were skipped.
Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping ovs to version v3.7.1-18-g04b05b31a, which comprises the following commits:
04b05b31a ofproto-dpif: Fix bundle floodable flag when disabling STP/RSTP.
ea4ac2dd5 ovsdb-cs: Fix resource leak in ovsdb_cs_parse_schema().
e2a95595a configure: Allow disabling POSIX async I/O and disable in FreeBSD CI.
8dbcfcc4c cirrus: Remove Cirrus CI for running FreeBSD test builds.
73057faec github: Migrate FreeBSD CI from Cirrus CI to GitHub Actions.
47446a693 ofproto-dpif: Remove unused rule->recirc_id.
502e13a8b ofproto-dpif: Rename recirc_free_ofproto to better match the code.
9b63c2ead ofproto-dpif: Avoid race between recirc id free and the leak check.
bc4498ced docs: Remove a few remaining references to the OOT module.
b7d221174 vswitch.xml: Remove the claim that OVS processes are single-threaded.
1f28a59dc vswitch.xml: Remove the claim that L3 GRE is not supported.
04ad744ff dpif-netdev: Fix mega flow ufid collisions for different wild cards.
332081017 ofproto-dpif-xlate: Classify ct_clear as non-reversible for clone().
45443e077 docs: Fix OpenFlow port range.
1a77b18d0 github: Re-enable system tests for DPDK and AF_XDP.
b53965f1a netdev-dpdk: Fix memory leak when configuring rx-steering.
1c9b2cefd stream-ssl: Disable TLS session tickets.
78aa10ca3 Prepare for 3.7.2.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping to version 1.35.5, which comprises the following commits:
6636cbce3bb Release commit for Kubernetes v1.35.5
b9ffe7c06a9 kubeadm: use dedicated ClusterRole for apiserver kubelet client
7909267f8b4 kubeadm: skip LocalAPIEndpoint defaulting on worker join
f79279632e9 kubeadm: use the localAPIEndpoint for all API calls in 'init'
faa81128567 kube-proxy: don't do full periodic syncs on large cluster mode
943d9419438 Delete remote endpoint if it has same ip as local endpoint in the system.
d550d458d34 Delete remote endpoint if it has same ip as local endpoint in the system.
6d314b2fd9a Add a (*Client) addEndpoint method
feb7fa11123 Evaluate etcd cluster health using quorum
1a7f0b3dec6 Escape path inside the container
6953afbad16 scheduler: address recreated pod review feedback
bf14155eb41 scheduler: skip requeueing recreated pods on scheduling failure
55f12e8477a scheduler: fix inFlightPods leak when pod is recreated during scheduling failure
31d47ca373f Update CHANGELOG/CHANGELOG-1.35.md for v1.35.4
7b8c6cf0edd Release commit for Kubernetes v1.35.4
1687aa8c94e Update github.com/moby/spdystream from v0.5.0 to v0.5.1
e87f6b927bf update go.opentelemetry.io/otel to v1.41.0
97ccbdf2ee8 Bump images and versions to go 1.25.9 and distroless iptables
69dd59d5b4f podStartSLOduration excludes init container runtime and image pulling time, includes only stateless and immediately schedulable pods
46ba1c3c279 Deflake TestPodSubresourceAuth by waiting for effective permissions before testing
1d5e94efa21 podresources: filter out inactive pods in Get()
91a1e8b2db6 e2e: node: podresources: fix expectations for Get() and terminated pods
9d8bbea593e Fix device plugin admission failure after container restart
d8a562b6476 Fix backport differences for 1.35 (remove WithOrigin and MarkAlpha)
b6ee759d8ea Add slice and map union member support with tests
3d39627cd98 Use IsZero instead of IsNil for union ratcheting check
7b708cc7c64 Add DRA test for device attribute with no value set
863ed56ac0e Add nil OldValue test coverage for union doc_tests
9a39e5c49fa Fix union validation ratcheting when oldObj is nil
b0ec348c24d KEP-961: demote maxUnavailable feature in statefulset to off by default
570f471d7cb kubelet: fix sidecar restart after kubelet restart
4c0429295c7 Update CHANGELOG/CHANGELOG-1.35.md for v1.35.3
6c1cd99aef0 Release commit for Kubernetes v1.35.3
93de120edff pkg/proxy/nftables: fix kube-proxy crash with newer nftables versions
6b5673451a8 Update knftables to v0.0.21
38378d5df7c Bugfix: calculate request latency properly in audit log filter
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping skopeo to version v1.22.2, which comprises the following commits:
267465e1 [release-1.22] Bump Skopeo to 1.22.2
fefb9971 Merge pull request #2847 from wking/proxy-validate-manifest-too
f195baca proxy: Verify *either* toplevel or target
81e67ab5 proxy: Move policycontext into global state
8fd0e2e6 Merge pull request #2845 from lsm5/backport-packit-post-modifications
3bb7f313 Packit: fix downstream post-modifications action
e7d174ba Merge pull request #2842 from TomSweeneyRedHat/dev/tsweeney/skopeo-1.22.1
ecdbb551 [release-1.22] Bump Skopeo to v1.22.1
b0b024aa [release-1.20] CVE-2026-34986 gojose v4.1.4
0bf3b382 [release-1.22] Bump google.golang.org/grpc to v1.79.3
e5890ebb [release-1.22] Bump c/common to v0.67.1, c/image v5.39.2
fd3ba47e Merge pull request #2800 from TomSweeneyRedHat/dev/tsweeney/skopeo-v1.22.0-1
Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping buildah to version v1.43.1-4-g1d61d5217, which comprises the following commits:
0203efa67 tests: remove dependencies on online apt repositories
c2e1324b1 Cite go module change
310b1c8f5 [release-1.43] Bump Buildah to v1.43.1
fb349f2d6 [release-1.43] Bump c/common v0.67.1, c/image v5.39.2
ccba7c460 update module github.com/go-jose/go-jose/v4 to v4.1.4 [security]
0d8e18550 ignore ErrLayerUnknown in cache lookup
8499b1a41 fix setting of gid
3780f1490 fix call to chown
0158b5b31 [release-1.43] Bump Buildah to v1.43.0
f40d38a2f [release-1.43] fix source test
07b8495c8 [release-1.43] Bump common 0.67.0, image 5.39.1, storage 1.62.0
7178b10ac [release-1.43] Bump dest branch in cirrus to 1.43
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
During the last upgrade, the source was upgraded to v2.2.1,
but the PV was not. So make it accurate.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
When docker-compose was updated, the hash was set properly but the
PV was not. We are actually building docker compose 5.1.x, so we
adjust the PV to be accurate.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Building kvm-image-minimal fails without the 'kvm' DISTRO_FEATURE,
requiring users to manually add it to local.conf. Every other
virtualization platform (Xen, Docker, Podman, k3s, containerd) already
has a composable configuration fragment in conf/distro/include/ that
can be included with a single require line.
Add kvm-host.conf following the same pattern as xen-host.conf: a pure
delta fragment that appends the kvm DISTRO_FEATURE. Composable with
any container profile and the base meta-virt-host.conf.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Xen's hypervisor Makefile overrides CFLAGS entirely with its own flags
(nostdinc, fno-builtin, etc.), so OE's DEBUG_PREFIX_MAP flags added via
CFLAGS never reach the hypervisor compilation. The existing prefix map
entries in xen.inc appeared to work only because sstate was caching
pre-built packages — a fresh rebuild exposes the embedded TMPDIR paths
in the EFI binary and debug symbols.
Inject the prefix maps through EXTRA_CFLAGS_XEN_CORE, which is Xen's
own mechanism for accepting additional compiler flags and is already
passed through to oe_runmake. This fixes the EFI binary paths.
The xen-syms debug binary retains one source path in .debug_str from
the linker/assembly stage, which does not honor the C compiler's
-fdebug-prefix-map. Since xen-syms is only shipped in the -dbg package
(not a deployment target), skip buildpaths for xen-dbg. This is an
optional QA test — not in CHECKLAYER_REQUIRED_TESTS — so it has no
impact on yocto-check-layer compatibility.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
By default Popen expects all the streams to be bytes-like objects but,
in the Popen.communicate() function call, the "input" argument is a
string, making the call fail with the error:
qemu hook error: a bytes-like object is required, not 'str'
Fix the error by setting text mode to True in the subprocess creation.
Also fix the "SyntaxWarning: invalid escape sequence '\w'" in the regex
used to match script names.
Signed-off-by: Massimiliano Minella <massimiliano.minella@se.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The multi-layer 'directories', 'files', and 'host' branches in IMAGE_CMD:oci
copy delta content into the OCI bundle rootfs with 'cp -a'. 'cp -a' implies
'--preserve=all', which calls lchown() on the destination to copy ownership
from the source. When a directories/files layer copies a symbolic link whose
target does not exist at build time (for example, the '/dev/stdout' and
'/dev/stderr' log forwarding symlinks used by the official nginx Docker
image), lchown() can return EINVAL under pseudo and 'cp' aborts with:
cp: failed to preserve ownership for .../var/log/nginx/access.log: Invalid argument
failing the whole do_image_oci task.
The single-layer rootfs copy already handles this correctly:
cp -r -a --no-preserve=ownership ${IMAGE_ROOTFS}/* $image_bundle_name/rootfs
and the multi-layer 'packages' branch uses 'rsync -a --no-owner --no-group'
for the same reason. Bring the three remaining cp -a sites in line by adding
'--no-preserve=ownership'. Ownership inside an OCI image is set by umoci
based on the image config and source ownership has no meaning for symlinks
to runtime device nodes anyway, so dropping preservation is the correct
behaviour.
Reproduce: declare a directories: layer that copies a path containing a
symlink to '/dev/stdout' or '/dev/stderr' (e.g. a postprocess that creates
/var/log/nginx/{access,error}.log -> /dev/{stdout,stderr} to mirror the
upstream nginx Docker image).
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Podlet generates Podman Quadlet files from a Podman command, compose file, or existing object.
Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The initial vcontainer distro had no BBMASK at all, making it
effectively poky with fewer DISTRO_FEATURES. Every multiconfig parsed
the entire recipe universe even though container image builds only
need a small subset. With 4+ multiconfigs, the parse overhead is
significant.
Add vcontainer-bbmask.inc as a lighter alternative to vruntime's
aggressive BBMASK. It masks the same categories irrelevant to any
container/VM build (graphics, multimedia, desktop, virtualization
platforms, orchestration tools, meta-python, meta-filesystems,
meta-webserver) but keeps the OCI tooling that vruntime blocks:
umoci, container-registry, image recipes, sloci, oci-image-tools.
Masking entire layers (meta-python, meta-filesystems, meta-webserver)
produces BBFILE_PATTERN warnings because the layers are registered in
bblayers.conf (shared with the main build) but have zero recipes after
masking. BitBake provides BBFILE_PATTERN_IGNORE_EMPTY_<collection>
to suppress this, but checks it on self.data (the base datastore),
not per-multiconfig datastores. Setting it in the distro config has
no effect. Move the suppression to meta-virt-host.conf which is
included by the main build's local.conf and therefore visible to
the base datastore.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The registry push script (container-registry-index.bb) treated all OCI
directories as single-arch, calling 'skopeo copy oci:<dir>' which fails
with "more than one image in oci, choose an image" when the directory
contains a multi-arch image index. The original push implementation
predated multi-arch OCI support and only handled the single-manifest
case.
Detect multi-arch OCI Image Index directories (both flat and nested
layouts) in the direct-path push mode and use 'skopeo copy --all' to
push the entire manifest list to the registry in one operation. This
preserves the multi-platform structure so that clients pulling from the
registry automatically get the correct architecture.
Also strip the '-multiarch' suffix from directory names when deriving
the registry image name, so container-base-multiarch-multiarch-oci
pushes as 'container-base' rather than 'container-base-multiarch'.
Add build-profiles.md documentation for the vcontainer distro, container
multiconfigs, and multi-arch container build workflow.
Add test_vcontainer_distro.py with 54 tests across three tiers:
- Tier 1: Static file assertions (vruntime-base.inc, vcontainer.conf,
multiconfigs, bbclass defaults, recipe structure)
- Tier 2: Cross-file consistency (shared base, distro-MC alignment,
bbclass-to-multiconfig file matching)
- Tier 3: Build output verification (OCI index structure, platform
entries, blob integrity, manifest validation)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The multi-arch OCI functions (is_oci_image_index, get_oci_platforms,
select_platform_manifest) only checked index.json directly for platform
information. With the skopeo-compatible nested OCI layout — where
index.json references a single image index blob that in turn contains
the per-platform manifests — the functions failed to detect multi-arch
images because index.json no longer contains platform entries.
Add _resolve_oci_platform_file() helper that handles both layouts:
- Flat: platform info directly in index.json (legacy/simple case)
- Nested: index.json → image index blob → platform manifests
All three multi-arch functions now use this single helper, eliminating
the layout resolution logic that would otherwise be duplicated in each.
Also fixes two issues in the vimport case block:
- 'local' keyword used outside a function (bash error on line 1879).
The vimport handler is in a case statement in the main script body,
not inside a function, so 'local' is invalid. The original multi-arch
code was written assuming it would be inside a function.
- OCI_SELECTED_PLATFORM was blank in output because select_platform_manifest
sets it inside a $() subshell, where variable assignments are lost.
Use normalize_arch_to_oci directly for the display message instead.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Three issues prevented oci-multiarch.bbclass from producing usable
multi-architecture container images:
1. MC defaults pointed to vruntime-* multiconfigs, whose BBMASK blocks
OCI tooling. Changed to container-* multiconfigs which use the new
vcontainer distro without BBMASK.
2. mcdepends targeted do_image_oci, but the OCI output is only deployed
to deploy/images/ by the later do_image_complete task. The bbclass
then failed to find the OCI directory at the expected deploy path.
The original implementation assumed do_image_oci was the final step,
but OE-core's image pipeline has a separate deploy phase.
3. The OCI Image Index was written directly into index.json with
multiple manifest entries. This is valid per the OCI spec but skopeo
requires index.json to reference a single entry when there are
multiple images. The fix writes the multi-platform image index as a
blob in blobs/sha256/ and has index.json reference it with a single
entry of mediaType application/vnd.oci.image.index.v1+json. This
nested layout is what tools like buildah and crane produce for
multi-arch images, and is required for 'skopeo copy --all' to work.
Also adds container-base-multiarch.bb recipe that wires up container-base
for aarch64 + x86_64 builds via the oci-multiarch class.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
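
The flat and nested OCI layouts described in this commit and in the _resolve_oci_platform_file() commit above, as an added Python example that is not the project's code (the project's helpers are shell functions). All function names and the two placeholder manifests are assumptions constructed for illustration; the blob digest and size check goes beyond what the commit messages describe.

```python
import hashlib
import json
import os
import re
import tempfile

INDEX_MT = "application/vnd.oci.image.index.v1+json"
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"
HEX64 = re.compile(r"[0-9a-f]{64}")


def write_blob(oci_dir, data, media_type):
    """Store data under blobs/sha256/<digest> and return its descriptor."""
    digest = hashlib.sha256(data).hexdigest()
    blob_dir = os.path.join(oci_dir, "blobs", "sha256")
    os.makedirs(blob_dir, exist_ok=True)
    with open(os.path.join(blob_dir, digest), "wb") as f:
        f.write(data)
    return {"mediaType": media_type, "digest": "sha256:" + digest, "size": len(data)}


def read_blob(oci_dir, desc):
    """Load the blob a descriptor points at, verifying digest and size."""
    algo, _, hexd = desc["digest"].partition(":")
    # The digest comes from index.json and is used in a path: accept only 64 hex chars.
    if algo != "sha256" or not HEX64.fullmatch(hexd):
        raise ValueError("unsupported or malformed digest: %r" % desc["digest"])
    with open(os.path.join(oci_dir, "blobs", "sha256", hexd), "rb") as f:
        data = f.read()
    if len(data) != desc["size"] or hashlib.sha256(data).hexdigest() != hexd:
        raise ValueError("blob does not match its descriptor: " + hexd)
    return data


def write_index_json(oci_dir, manifests):
    with open(os.path.join(oci_dir, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": manifests}, f)


def write_nested_layout(oci_dir, platform_descs):
    """Nested layout: the image index is a blob, index.json has one entry for it."""
    inner = {"schemaVersion": 2, "mediaType": INDEX_MT, "manifests": platform_descs}
    desc = write_blob(oci_dir, json.dumps(inner).encode(), INDEX_MT)
    write_index_json(oci_dir, [desc])
    return desc


def platform_descriptors(oci_dir):
    """Per-platform descriptors for either layout; [] when no platform info exists."""
    with open(os.path.join(oci_dir, "index.json")) as f:
        top = json.load(f).get("manifests", [])
    flat = [m for m in top if "platform" in m]
    if flat:                                   # flat: platforms directly in index.json
        return flat
    if len(top) == 1 and top[0].get("mediaType") == INDEX_MT:
        inner = json.loads(read_blob(oci_dir, top[0]))   # nested: follow the index blob
        return [m for m in inner.get("manifests", []) if "platform" in m]
    return []


def select_manifest(oci_dir, arch, os_name="linux"):
    """Digest of the manifest for arch/os, or None if that platform is absent."""
    for m in platform_descriptors(oci_dir):
        p = m["platform"]
        if p.get("architecture") == arch and p.get("os") == os_name:
            return m["digest"]
    return None


def build_sample(oci_dir, nested):
    """Constructed two-platform image; the manifests are minimal placeholders."""
    descs = []
    for arch in ("amd64", "arm64"):
        body = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_MT,
                           "annotations": {"example.arch": arch}}).encode()
        d = write_blob(oci_dir, body, MANIFEST_MT)
        d["platform"] = {"architecture": arch, "os": "linux"}
        descs.append(d)
    if nested:
        write_nested_layout(oci_dir, descs)
    else:
        write_index_json(oci_dir, descs)
    return descs


if __name__ == "__main__":
    for nested in (False, True):
        with tempfile.TemporaryDirectory() as d:
            build_sample(d, nested)
            archs = [m["platform"]["architecture"] for m in platform_descriptors(d)]
            print("nested" if nested else "flat", archs, select_manifest(d, "arm64"))
```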
The oci-multiarch.bbclass was dead code because vruntime's BBMASK blocks
the OCI tooling (umoci, skopeo) needed to build container images. We
could not simply use the vruntime multiconfigs for OCI image builds
because the aggressive recipe masking that keeps vruntime rootfs minimal
also removes the packages needed for container image creation.
Rather than maintaining two independent distro configs with duplicated
DISTRO_FEATURES, extract the common configuration into a shared base
fragment and create a new distro that omits the BBMASK.
Changes:
- Extract vruntime-base.inc from vruntime.conf with shared settings:
stripped DISTRO_FEATURES, opted-out features, native class overrides
- Simplify vruntime.conf to require vruntime-base.inc, keeping only
VM-specific settings (BBMASK, busybox init, ptest disable)
- Add vcontainer.conf: requires the same shared base but without BBMASK,
giving OCI tooling full access to the package set
- Add container-aarch64 and container-x86-64 multiconfigs using the
vcontainer distro with separate TMPDIRs
- Add container multiconfigs to BBMULTICONFIG in meta-virt-host.conf
- Remove unused container.conf placeholder from 2022
IMAGE_FSTYPES is intentionally NOT set in vcontainer.conf because the
'oci' type requires image-oci.bbclass which only container image recipes
inherit. Setting it distro-wide breaks non-container images parsed under
this distro (e.g., core-image-multilib-example from meta-skeleton).
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Add a VDKR_CONFIG / VPDMN_CONFIG env var and a matching --config <path>
CLI flag that passes an existing docker config.json / podman auth.json
into the QEMU-hosted container runtime so pulls from private registries
work without having to retype --registry-user / --registry-pass on every
command.
Security posture (defence in depth):
- Host-side pre-flight validation in vrunner.sh (validate_auth_config):
reject symlinks, non-regular files, missing / unreadable files, files
smaller than 2 bytes (minimum "{}") or larger than 1 MiB, and any
permissions other than 0400 / 0600 / 0200. WARN if not owned by the
invoking user.
- Stage the file into a dedicated per-invocation directory under
$TEMP_DIR at mode 0400 inside a 0700 parent; auto-cleanup rides the
existing EXIT/INT/TERM trap.
- Expose the staged file over a *separate* read-only virtio-9p tag
("${TOOL_NAME}_auth") so credentials cannot leak into the general
/mnt/share input/output directory or into storage.tar outputs.
- Only a boolean flag ("${CMDLINE_PREFIX}_auth=1") is appended to the
kernel cmdline - never the path, the env var name, or the contents.
- Guest mounts /mnt/auth ro,nosuid,nodev,noexec, copies to the runtime's
canonical path, then unmounts immediately so neither the runtime nor
user workloads keep a reference to the host staging directory.
vrunner.sh:
- Initialise AUTH_CONFIG from $VDKR_CONFIG / $VPDMN_CONFIG
- Parse --config <path> (overrides the env vars)
- Add validate_auth_config() and setup_auth_share() with the rules above
- Call setup_auth_share in both the daemon start path and the
non-daemon / batch-import path
vcontainer-init-common.sh:
- Default RUNTIME_AUTH="0" and parse ${VCONTAINER_RUNTIME_PREFIX}_auth=*
from the kernel cmdline
- Define mount_auth_share() / unmount_auth_share() using the per-runtime
"${VCONTAINER_RUNTIME_NAME}_auth" 9p tag, mounted at /mnt/auth with
ro,nosuid,nodev,noexec
vdkr-init.sh:
- install_auth_config() copies /mnt/auth/config.json to
/root/.docker/config.json (mode 0600; parent dir 0700)
- Called after install_registry_ca in main flow so --config takes
precedence over --registry-user / --registry-pass; logs a NOTE when
both mechanisms are supplied
- Unmounts /mnt/auth after copy
vpdmn-init.sh:
- install_auth_config() copies to /run/containers/0/auth.json (the
rootful podman canonical path) and exports REGISTRY_AUTH_FILE so the
creds are picked up regardless of podman's search order
- Mode 0600 on the file, 0700 on the containing directory
- Unmounts /mnt/auth after copy
vcontainer-common.sh:
- Honour $VDKR_CONFIG / $VPDMN_CONFIG, parse --config, and forward
AUTH_CONFIG to vrunner.sh via --config in build_runner_args
- Document the flag and env vars in show_usage
README.md:
- New "Passing an existing docker/podman auth file (--config)" section
with examples for both runtimes, a table of target paths, and the
full security model
AI-Generated: Claude Cowork Opus 4.7
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
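
The pre-flight rules and staging step listed in this commit message, as an added Python example that is not the project's code (the project's validate_auth_config() and setup_auth_share() are shell functions in vrunner.sh). The function names, the staged file name and the "auth." directory prefix are assumptions; checking the opened descriptor with O_NOFOLLOW instead of the path goes beyond the commit message and assumes Linux errno values.

```python
import errno
import os
import stat
import tempfile

MIN_SIZE = 2                   # "{}" is the smallest acceptable file
MAX_SIZE = 1024 * 1024         # 1 MiB
ALLOWED_MODES = {0o400, 0o600, 0o200}


class AuthConfigError(Exception):
    """Raised when the auth file fails one of the reject rules."""


def open_auth_config(path):
    """Open without following a final symlink; O_NONBLOCK keeps a FIFO from blocking."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        return os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise AuthConfigError("refusing symlink: " + path) from exc
        if exc.errno == errno.ENOENT:
            raise AuthConfigError("missing: " + path) from exc
        raise AuthConfigError("unreadable: %s (%s)" % (path, exc.strerror)) from exc


def check_auth_fd(fd):
    """Apply type, mode and size rules to the opened file; return ownership warnings."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        raise AuthConfigError("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode not in ALLOWED_MODES:
        raise AuthConfigError("mode %04o is not one of 0400/0600/0200" % mode)
    if not MIN_SIZE <= st.st_size <= MAX_SIZE:
        raise AuthConfigError("size %d outside %d..%d bytes" % (st.st_size, MIN_SIZE, MAX_SIZE))
    warnings = []
    if st.st_uid != os.getuid():
        warnings.append("WARN: file is not owned by the invoking user")
    return warnings


def stage_auth_config(src, temp_dir, name="config.json"):
    """Validate src, then copy it to <temp_dir>/auth.XXXX/<name> (dir 0700, file 0400)."""
    fd = open_auth_config(src)
    try:
        warnings = check_auth_fd(fd)
    except AuthConfigError:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        data = f.read(MAX_SIZE + 1)            # same descriptor that was checked
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        raise AuthConfigError("file size changed while reading")
    stage_dir = tempfile.mkdtemp(prefix="auth.", dir=temp_dir)   # mkdtemp creates 0700
    dst = os.path.join(stage_dir, name)
    out = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_CLOEXEC, 0o400)
    with os.fdopen(out, "wb") as f:
        os.fchmod(f.fileno(), 0o400)           # exact mode regardless of umask
        f.write(data)
    return dst, warnings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "config.json")
        with open(good, "w") as f:
            f.write('{"auths": {}}')           # constructed sample, no real credentials
        os.chmod(good, 0o600)
        print("staged:", stage_auth_config(good, tmp))
        os.chmod(good, 0o644)                  # world-readable: must be rejected
        try:
            stage_auth_config(good, tmp)
        except AuthConfigError as exc:
            print("rejected:", exc)
```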
Add a new pytest module (tests/test_vcontainer_auth_config.py) covering
the registry-auth-config feature introduced in the previous commit.
Split into two tiers:
TestAuthConfigStaticPlumbing (40 static/shell-level assertions):
- vrunner.sh: AUTH_CONFIG picks up VDKR_CONFIG/VPDMN_CONFIG; --config
parsing; validate_auth_config and setup_auth_share definitions; every
validator reject rule (symlink / non-regular / unreadable / missing /
<2B / >1MiB / mode whitelist 400|600|200 / non-owner WARN); 0700
staging dir and 0400 staged file; readonly=on on the 9p share;
dedicated ${TOOL_NAME}_auth tag. Critically also asserts that
AUTH_CONFIG, VDKR_CONFIG and VPDMN_CONFIG never appear in
KERNEL_APPEND - only the ${CMDLINE_PREFIX}_auth=1 flag does.
- vcontainer-common.sh: env-var init, --config parsing, AUTH_CONFIG
forwarding via --config to vrunner, and show_usage documentation.
- vcontainer-init-common.sh: RUNTIME_AUTH default, cmdline parsing,
mount_auth_share/unmount_auth_share presence, dedicated per-runtime
${VCONTAINER_RUNTIME_NAME}_auth tag, and the ro,nosuid,nodev,noexec
mount options.
- vdkr-init.sh: install_auth_config present, writes to
/root/.docker/config.json with 0600 and 0700 parent, mount + unmount
pairing, precedence NOTE logged, and ordering after
install_registry_ca so --config wins over --registry-user/-pass.
- vpdmn-init.sh: writes to /run/containers/0/auth.json with matching
modes, exports REGISTRY_AUTH_FILE, mount/unmount pairing, and
ordering after verify_podman.
- README.md: --config section exists and documents both env vars and
both runtime target paths.
TestAuthConfigValidator (13 functional cases):
- Extracts validate_auth_config() from vrunner.sh with a brace-matching
parser, sources it in a bash subshell with a stubbed log() helper,
and drives it with real files: accepts modes 0600 / 0400, accepts
the 2-byte minimum "{}", rejects missing / symlink / directory /
empty / 1-byte / >1 MiB / 0644 (world-readable) / 0640 / 0700
(owner-exec) / 0000 (unreadable, skipped when running as root).
Path resolution is resilient: VCONTAINER_FILES_DIR env override first,
otherwise repo-relative to the test file, falling back to the
/opt/bruce/poky path used elsewhere in the suite. No tests need QEMU,
a registry, or network. All 53 tests complete in ~0.1s.
Add tests/__pycache__ to .gitignore.
AI-Generated: Claude Cowork Opus 4.7
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Backported from [1], verified with the test script from [2].
[1] https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311
[2] https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-28684
Signed-off-by: Bin Cao <bin.cao.cn@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
vstorage list/df/clean scanned DEFAULT_STATE_DIR (~/.vpdmn/) for arch
subdirectories, ignoring --state-dir. On CI where tests use
--state-dir ~/.vpdmn-test/x86_64, the default directory doesn't exist
so vstorage list reports "(no storage directories found)" and
test_vstorage_shows_memres_status fails.
Derive VSTORAGE_ROOT from the parent of STATE_DIR when --state-dir is
set, so all vstorage subcommands scan the correct storage root.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
BUILDTAGS_EXTRA was gated on VIRTUAL-RUNTIME_container_networking == "cni",
which excluded the cni build tag in vruntime builds where that variable is
intentionally blank (vpdmn-rootfs-image installs cni packages directly).
This caused podman to be compiled with netavark-only support, failing at
runtime with "cni support is not enabled in this build" when containers.conf
sets network_backend = "cni".
Include the cni build tag unless the distro explicitly selects netavark.
This respects the podman profile's upstream preference for netavark-only
while ensuring all other configurations (containerd, default, docker, k3s,
vruntime) retain CNI support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The existing environment-setup-* script uses BASH_SOURCE to derive
VCONTAINER_DIR, which is empty when parsed by yocto-autobuilder-helper's
enable_tools_tarball() since it doesn't evaluate shell expressions.
Generate a separate environment-setup-ci with flat export lines using
baked-in absolute paths from ${SDKPATH}/${SDKPATHNATIVE}. The AB parser
picks these up directly. SDK relocation rewrites the paths at install
time. The interactive bash script is unchanged.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add --scan-licenses to oe-go-mod-fetcher.py which scans Go module zips
for license files and generates go-mod-licenses.inc with LICENSE and
LIC_FILES_CHKSUM entries matching OE-core's go-mod-update-modules format.
License detection uses OE-core's glob patterns and MD5 + crunched MD5
matching against known SPDX licenses. The hash database resolves from:
1. --common-license-dir (explicit path)
2. Auto-detected poky tree common-licenses
3. Bundled scripts/data/license-hashes.csv (offline fallback)
New files:
- scripts/generate-license-hashes.py: regenerate bundled CSV
- scripts/data/license-hashes.csv: pre-computed hash DB (704 entries)
bbclass changes:
- go-mod-discovery: pass --scan-licenses during do_generate_modules
- GO_MOD_DISCOVERY_SKIP_LICENSES variable to bypass scanning
- do_update_license_hashes task to refresh bundled CSV
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the go-mod-update-modules generated cosign-licenses.inc with
go-mod-licenses.inc produced by oe-go-mod-fetcher --scan-licenses.
The new file is generated during discover_and_generate alongside the
other .inc files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Convert from go-mod + go-mod-update-modules to go-mod-vcs hybrid
fetch mode, consistent with other Go recipes in the layer (k3s,
nerdctl, docker-compose, etc.).
- Replace cosign-go-mods.inc (gomod:// only) with generated
go-mod-hybrid-{gomod,git,cache}.inc and go-mod-{git,cache}.inc
- Keep cosign-licenses.inc for dependency license tracking (our
go-mod-vcs tooling does not yet generate license metadata)
- Add GO_MOD_VCS_EXCLUDE for buf.build (no git repo) and
software.sslmate.com/src/go-pkcs12 (unreachable commit)
- Set GO_MOD_DISCOVERY_SRCDIR to match go.bbclass source layout
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
When the fetcher encounters unverifiable commits or modules with no
repository metadata, the error messages now show two equivalent options:
Option 1: For bitbake users (most common) — add GO_MOD_VCS_EXCLUDE
and a gomod:// SRC_URI entry to the recipe, fetching the module via
the Go module proxy instead of git.
Option 2: For direct oe-go-mod-fetcher.py invocation — pass
--inject-commit / --set-repo on the command line with a complete
example showing all required arguments.
Both options produce the same result. The previous messages only
suggested --inject-commit and --set-repo without context on where
or how to use them.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Add cosign [1] recipe for sigstore's [2] container signing, verification
and storage tool [3]. Includes auto-generated Go module dependencies and
license tracking via go-mod-update-modules.
[1] https://github.com/sigstore/cosign/releases/tag/v3.0.6
[2] https://www.sigstore.dev/
[3] https://docs.sigstore.dev/cosign/signing/overview/
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
On sstate-accelerated builds, the kernel binary (bzImage/Image) was
missing from MC_DEPLOY because do_compile depended on the image
recipes' do_image_complete, which runs before do_build. The kernel
deploy dependency (virtual/kernel:do_deploy) is attached to do_build
in image.bbclass, so depending on do_image_complete cut the chain
short and virtual/kernel:do_deploy was never guaranteed to have run.
Fix by depending on do_build instead of do_image_complete. The image
artifacts (cpio.gz, squashfs) are already in DEPLOY_DIR_IMAGE after
do_image_complete, so they remain available. do_build additionally
ensures virtual/kernel:do_deploy has completed, placing the kernel
in MC_DEPLOY for our do_compile to copy.
This avoids adding an explicit virtual/kernel:do_deploy dependency
which would couple this recipe to the kernel and prevent use cases
where the kernel is provided externally.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
vdkr.run() merges stderr into stdout (see conftest.py), so the
error message ends up in result.stdout even though the script
writes it to stderr (>&2).
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The PACKAGECONFIG[systemd] variable is assigned twice, with the second assignment overriding the first.
This patch removes the unused assignment to avoid confusion.
The duplication was introduced in an August 25, 2022 patch:
05f316f7 lxc: update to 5.x and meson
Verified that the build did not change after this deletion by checking the log files before and after
and finding the same message:
export systemd_system_unitdir="/usr/lib/systemd/system"
export systemd_unitdir="/usr/lib/systemd"
export systemd_user_unitdir="/usr/lib/systemd/user"
Signed-off-by: Kris Gavvala <kris.gavvala@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
libvirt has removed support for avahi in version 5.5.0 in 2019:
* Remove Avahi mDNS support
This feature was never used outside of virt-manager, which has itself
stopped using it a while ago.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Louis Rannou <louis.rannou@semalibre.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
The update cycle used the git tags to update the PV version,
but when you build podman, the version pulled into the
executables is from: version/rawversion/version.go
Which currently reports: 5.8.3-dev
Bumping the PV to match.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
The entire file is conditional, we don't need protections on the
SRC_URI entries.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
DISTRO_FEATURES_DEFAULT has been obsoleted [1][2].
Follow the pattern in meta-yocto [3] and remove it.
Fixes:
ERROR: Nothing PROVIDES 'nativesdk-libseccomp' ...
[1] https://git.openembedded.org/openembedded-core/commit/meta/conf?id=0548ea447445834647be7ef35ed0ae8d1d3387b3
[2] https://git.openembedded.org/openembedded-core/commit/meta/conf?id=159148f4de2595556fef6e8678578df83383857b
[3] https://git.yoctoproject.org/meta-yocto/commit/?id=96085aaec5bfb33c4e4322465eaf0af370db6fc0
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
This fixes yocto-check-layer failures:
ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -> c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
Variable SRC_URI value changed:
@@ -1 +1,2 @@
-${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
+${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', '', d)}
+DISTRO_FEATURES{virtualization} = Unset
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
OE-Core needs to make some improvements to the way DISTRO_FEATURES is being built
but this will break the way meta-virtualization is handling native propagation.
Use DISTRO_FEATURES_FILTER_NATIVE which is designed for this.
That then means updating the bbappend just to look at DISTRO_FEATURES and to
look for both possible values.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
Podman is hosted under github as podman and not libpod. Accessing
github.com/containers/libpod automatically forwards to
github.com/containers/podman.
This commit does not really fix a problem but reflects more the current
repository name.
Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
Bumping libpod to version v5.8.2-5-g88c5aaeec6, which comprises the following commits:
78da75528f Install WiX v5.0.2 to build the Windows installer
7a47175665 Bump Podman to v5.8.3-dev
5b263b5f5b Bump to v5.8.2
884cd28228 Release notes for v5.8.2
6cffe93d88 hyperV: fix powershell path escape
f13de01b6d cirrus: bump linux machine aarch64 test timeout
d1cf366b0f Remove iptables references in upgrade tests
add385e31c bindings: artifact extract reject invalid names
a49ad4be81 use chrootarchive over plain archive package
92cd24903f fix symlink handling in checkpoint restore
0fa3043415 add missing O_CLOEXEC to open calls
9c262736e4 Fix Quadlet `Lookup()` stripping unmatched quotes
75820ddac5 Add e2e test for shell driver DriverOpts cross-contamination fix
e9fe245626 Fix shell driver DriverOpts cross-contamination in secret creation
7250b06e25 libpod: fix data race on deferredErr in attachExecHTTP
51b5c59310 Consolidate build secret tests and assert no podman-build-secret leak
15a2a7d605 Remote build: `nTar` secrets with relative paths and ignore bypass
e5fe3fdf69 api: fix missing return after error in SystemCheck handler
c91cd99291 test: relax rootless runc pid namespace assertion
26047f43b5 New images 2026-03-19
d49a9208bd cirrus: ensure NOTIFY_SOCKET is properly unset for all tests
1a9ae9dcba update fedoral base image to 43 and related tests
759df25a88 new image sfx for debian 14
28a39dd1ba libpod: Don't dereference ctrSpec.Linux if it is nil
7f37fbd6af quadlet: allow empty Entrypoint to clear image default
24fd9eb605 [v5.8] Bump Buildah to 1.43.1, c/common v0.67.1, c/image v5.39.2
42ac589e4d bump go-jose/go-jose to v4.1.4
fcc6ae217c [v5.8] Fix `unless-stopped` containers not restarting after ...
6a9ea849a0 Bump Podman to v5.8.2-dev
c6077f6457 Bump to v5.8.1
dfe5dae2d6 Release notes for v5.8.1
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
Change VdkrRunner.run() and VpdmnRunner.run() to use Popen with
start_new_session=True, stdin=DEVNULL, and file-based stdout instead
of subprocess.run(capture_output=True). This prevents daemon background
processes from inheriting pipe FDs, which causes communicate() to hang
in CI/test harness environments (e.g., buildbot).
The fix applies to all commands, not just memres start, because any
vdkr command can auto-start the daemon (auto-daemon is enabled by
default).
Also fix test_volume_mount_requires_memres to check both stdout and
stderr for the error message, since stderr is now merged into stdout
by the Popen approach.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
The memres start operation spawns long-running background processes
(host-side idle watchdog and Xen domain monitor) that persist beyond
the vrunner.sh script. These processes inherited file descriptors
0/1/2 from the parent shell without redirection.
When invoked through a harness capturing output via pipes—such as
pytest's subprocess.run(..., capture_output=True)—the inherited pipe
write-ends kept the caller's read/communicate() operations blocked
until memres stop executed, potentially for up to 30 minutes
(IDLE_TIMEOUT default).
The fix fully detaches stdio from three background spawners:
- vrunner.sh: Watchdog subshell now redirects stdin from /dev/null,
stdout/stderr to /dev/null, and uses disown
- vrunner-backend-qemu.sh: Adds stdin redirection from /dev/null
to existing log file redirections
- vrunner-backend-xen.sh: Applies same detachment plus disown for
daemon mode; redirects stdin for ephemeral-mode console reader
From: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
memres start spawns background processes (QEMU VM, idle watchdog)
that persist after the vrunner script exits. When invoked via
subprocess.run(capture_output=True), these background processes
inherit the pipe file descriptors, preventing communicate() from
returning until all pipe holders exit — which can be 30+ minutes
(the idle timeout).
Fix by using Popen with:
- stdin=subprocess.DEVNULL (no inherited stdin pipe)
- file-based stdout (no pipe FDs to inherit)
- start_new_session=True (new process group, so wait() only
waits for the parent script, not the background children)
This matches the behavior when running from a shell, where the
daemon processes are fully detached from the caller's FD table.
Applied to both VdkrRunner and VpdmnRunner memres_start methods.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
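The hang described in the three commit messages above, next to the Popen-based fix, as an added example (not code from the meta-virtualization tree). The launcher command, the function names and the 2-second hold are constructed stand-ins for vrunner.sh and its idle watchdog.

```python
import subprocess
import tempfile
import time

# Constructed stand-in for a launcher script: prints one line, leaves a
# background process running with inherited stdout/stderr, then exits at once.
LAUNCHER = "echo started; sleep {hold} & exit 0"


def run_with_pipes(hold=2):
    """capture_output=True: the background child inherits the pipe write-ends,
    so communicate() sees EOF only when that child exits."""
    t0 = time.monotonic()
    res = subprocess.run(["sh", "-c", LAUNCHER.format(hold=hold)],
                         capture_output=True, text=True)
    return res.stdout, time.monotonic() - t0


def run_detached(hold=2, timeout=30):
    """No stdin, file-backed stdout/stderr, new session: nothing the caller
    reads from can be held open, and wait() returns when the launcher exits."""
    t0 = time.monotonic()
    with tempfile.TemporaryFile(mode="w+") as out:
        proc = subprocess.Popen(["sh", "-c", LAUNCHER.format(hold=hold)],
                                stdin=subprocess.DEVNULL,
                                stdout=out, stderr=subprocess.STDOUT,
                                start_new_session=True)
        proc.wait(timeout=timeout)
        # The background child still holds the file, but the caller does not
        # need EOF to read what the launcher already wrote.
        out.seek(0)
        return out.read(), time.monotonic() - t0


if __name__ == "__main__":
    for name, fn in (("pipes", run_with_pipes), ("detached", run_detached)):
        text, elapsed = fn()
        print(f"{name:9s} output={text!r} returned after {elapsed:.2f}s")
```
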
|
Test classes that depend on vmemres (daemon mode) were not marked,
causing them to run even when filtered with '-m "not memres"'. This
caused timeout failures on CI/buildbot environments where KVM may
not be available and daemon startup exceeds the test timeout.
Mark the following classes with @pytest.mark.memres in both
test_vdkr.py and test_vpdmn.py:
- TestMemresBasic
- TestPortForwarding (vdkr only)
- TestContainerLifecycle
- TestVolumeMounts
- TestSystem
- TestVstorage
- TestRun
- TestAutoStartDaemon (vdkr only)
- TestDynamicPortForwarding (vdkr only)
- TestPortForwardRegistry (vdkr only)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
CVE_PRODUCT has been set to docker:registry to align with the NVD CPE
product namespace for the distribution/registry codebase.
Only a single CPE entry exists in the NVD for this product:
cpe:2.3:a:docker:registry
This ensures CVEs tracked for docker registry are matched for this recipe.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
Since libvirt was upgraded to v12.1.0, the new systemd service file
virt-secret-init-encryption.service has been introduced, and it requires
systemd to add openssl to PACKAGECONFIG, because the systemd-creds encrypt
command is executed in the service file, which depends on openssl
being enabled.
Meanwhile this service was added into the dependency chain of the main service
libvirtd.service, and will be enabled by default by the libvirtd service without
any build dependency detection, according to the original upstream commit
https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89
In the systemd oe-core recipe, the openssl PACKAGECONFIG is disabled by default.
Finally, the service file virt-secret-init-encryption.service and libvirtd will
fail with the following error:
> # systemctl status libvirtd -l
* libvirtd.service - libvirt legacy monolithic daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: * libvirtd.socket
* libvirtd-ro.socket
* libvirtd-admin.socket
Docs: man:libvirtd(8)
https://libvirt.org/
systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'
> # journalctl -xe
A start job for unit virt-secret-init-encryption.service has begun execution.
systemd-creds[1251]: Support for encrypted credentials not available.
systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE
The above error info "Support for encrypted credentials not available." comes
from the systemd-creds command provided by systemd without the HAVE_OPENSSL
option, in the source file src/shared/creds-utils.c
Here we enable openssl for systemd when 'virtualization' is in the distro features.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
The workaround is not needed anymore as the systemd supporting.
The libvirtd.service Type has been changed from notify to notify-reload,
so the final Type will be 'forking-reload', which is invalid for systemd.
Here we delete it to avoid the following output information:
>/lib/systemd/system/libvirtd.service:29: Failed to parse Type=forking-reload, ignoring: Invalid argument
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
CVE_PRODUCT has been set to criu:checkpoint/restore_in_userspace to align
with the product naming used in the NVD CPE database for criu.
The slash-containing product token is intentional as NVD references this
project under checkpoint/restore_in_userspace.
Only a single CPE entry exists in the NVD for this product:
cpe:2.3:a:criu:checkpoint/restore_in_userspace
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
`CVE_PRODUCT` has been set to `linuxfoundation:container_network_interface linuxfoundation:cni_network_plugins`
to align with the product naming defined in the NVD CPE database for `cni`.
The NVD CPE database contains product variants for this project under:
`cpe:2.3:a:linuxfoundation:container_network_interface`
`cpe:2.3:a:linuxfoundation:cni_network_plugins`
The NVD references for these CPEs confirm that they correspond to the
source code used in our recipe.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
Since upstream commit dbc920030 ("test: add new test program for
connection checks"), netavark test suite no longer uses ncat (from
nmap). The tests now use a built-in Rust-based connection tester
(netavark-connection-tester) instead. This change was included starting
from v1.16.0, so the nmap dependency is no longer needed.
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
From the upstream description:
The `cdi` command-line tool is a utility for inspecting and interacting with the CDI (Container Device Interface) cache.
It allows developers and system administrators to:
- List CDI Spec files: View all available CDI specification files in the configured directories
- List vendors: Display registered device vendors in the CDI cache
- List device classes: Show available device classes from CDI Specs
- List devices: Enumerate all CDI devices available in the system
- Validate specs: Verify CDI specification files against the JSON schema
- Inject devices: Inject CDI device configurations into OCI runtime specifications
- Monitor cache: Watch for changes in the CDI cache and Spec directories
- Resolve devices: Resolve fully-qualified device names to their configurations
The CLI tool is particularly useful for debugging CDI configurations, validating spec files, and testing device assignments before deploying them in production environments.
Signed-off-by: Koen Kooi <koen.kooi@oss.qualcomm.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|