Commit message | Author | Age | Files | Lines
* tests: fix FD inheritance in test harness for all vdkr/vpdmn commands | Bruce Ashfield | 2026-04-22 | 3 | -17/+38

    Change VdkrRunner.run() and VpdmnRunner.run() to use Popen with start_new_session=True, stdin=DEVNULL, and file-based stdout instead of subprocess.run(capture_output=True). This prevents daemon background processes from inheriting pipe FDs, which causes communicate() to hang in CI/test harness environments (e.g., buildbot).

    The fix applies to all commands, not just memres start, because any vdkr command can auto-start the daemon (auto-daemon is enabled by default).

    Also fix test_volume_mount_requires_memres to check both stdout and stderr for the error message, since stderr is now merged into stdout by the Popen approach.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vcontainer: detach background-process stdio from memres start caller | Bruce Ashfield | 2026-04-22 | 3 | -7/+35

    The memres start operation spawns long-running background processes (host-side idle watchdog and Xen domain monitor) that persist beyond the vrunner.sh script. These processes inherited file descriptors 0/1/2 from the parent shell without redirection. When invoked through a harness capturing output via pipes—such as pytest's subprocess.run(..., capture_output=True)—the inherited pipe write-ends kept the caller's read/communicate() operations blocked until memres stop executed, potentially for up to 30 minutes (IDLE_TIMEOUT default).

    The fix fully detaches stdio from three background spawners:
    - vrunner.sh: Watchdog subshell now redirects stdin from /dev/null, stdout/stderr to /dev/null, and uses disown
    - vrunner-backend-qemu.sh: Adds stdin redirection from /dev/null to existing log file redirections
    - vrunner-backend-xen.sh: Applies same detachment plus disown for daemon mode; redirects stdin for ephemeral-mode console reader

    From: Tim Orling <tim.orling@konsulko.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests: fix memres start hanging in subprocess.run | Bruce Ashfield | 2026-04-22 | 1 | -2/+58

    memres start spawns background processes (QEMU VM, idle watchdog) that persist after the vrunner script exits. When invoked via subprocess.run(capture_output=True), these background processes inherit the pipe file descriptors, preventing communicate() from returning until all pipe holders exit — which can be 30+ minutes (the idle timeout).

    Fix by using Popen with:
    - stdin=subprocess.DEVNULL (no inherited stdin pipe)
    - file-based stdout (no pipe FDs to inherit)
    - start_new_session=True (new process group, so wait() only waits for the parent script, not the background children)

    This matches the behavior when running from a shell, where the daemon processes are fully detached from the caller's FD table.

    Applied to both VdkrRunner and VpdmnRunner memres_start methods.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
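The pipe-inheritance hang described in this commit and in the later "fix FD inheritance in test harness" change can be reproduced in a few lines. The block below is an added example, not code from the meta-virtualization repository: a constructed sh one-liner stands in for vrunner.sh leaving a background process behind, and the two functions contrast the subprocess.run(capture_output=True) pattern with the Popen pattern the commits adopt.

```python
"""Why a daemon that inherits pipe FDs stalls communicate(), and the Popen
pattern that avoids it. Constructed example; no real vdkr/vrunner involved."""
import subprocess
import tempfile
from typing import Tuple

# Constructed stand-in for "vdkr memres start": prints one line, forks a
# background child that keeps the inherited stdout/stderr open for a while,
# and exits immediately, just as vrunner.sh leaves its watchdog behind.
FAKE_MEMRES_START = "echo started; sleep 3 & exit 0"


def run_captured(timeout: float) -> str:
    """Pre-fix pattern: subprocess.run(capture_output=True).

    communicate() waits for EOF on the stdout/stderr pipes. The direct child
    exits at once, but the background 'sleep' still holds the pipe write ends,
    so no EOF arrives and the call only returns via the timeout.
    Returns "completed" or "hung".
    """
    try:
        subprocess.run(["sh", "-c", FAKE_MEMRES_START],
                       capture_output=True, timeout=timeout)
        return "completed"
    except subprocess.TimeoutExpired:
        return "hung"


def run_detached(timeout: float) -> Tuple[int, str]:
    """Post-fix pattern: no pipes, no inherited stdin, own session.

    wait() only reaps the direct child, and since stdout is a regular file
    there is no EOF to wait for; the background process may live on.
    Returns (exit status of the direct child, output read back from the file).
    """
    with tempfile.TemporaryFile(mode="w+") as log:
        proc = subprocess.Popen(
            ["sh", "-c", FAKE_MEMRES_START],
            stdin=subprocess.DEVNULL,   # daemon cannot inherit a stdin pipe
            stdout=log,                 # a file, not a pipe: nothing to drain
            stderr=subprocess.STDOUT,   # merged: callers must check one stream
            start_new_session=True,     # detached from the harness's session
        )
        rc = proc.wait(timeout=timeout)
        log.seek(0)
        return rc, log.read()


if __name__ == "__main__":
    print("capture_output pattern:", run_captured(timeout=1.0))
    print("detached Popen pattern:", run_detached(timeout=5.0))
```

Because stderr is merged into the log file in the detached form, any check for an error message has to look at that single stream, which is exactly the test_volume_mount_requires_memres adjustment the later commit makes.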
* tests: add @pytest.mark.memres to daemon-dependent tests | Bruce Ashfield | 2026-04-22 | 2 | -0/+16

    Test classes that depend on vmemres (daemon mode) were not marked, causing them to run even when filtered with '-m "not memres"'. This caused timeout failures on CI/buildbot environments where KVM may not be available and daemon startup exceeds the test timeout.

    Mark the following classes with @pytest.mark.memres in both test_vdkr.py and test_vpdmn.py:
    - TestMemresBasic
    - TestPortForwarding (vdkr only)
    - TestContainerLifecycle
    - TestVolumeMounts
    - TestSystem
    - TestVstorage
    - TestRun
    - TestAutoStartDaemon (vdkr only)
    - TestDynamicPortForwarding (vdkr only)
    - TestPortForwardRegistry (vdkr only)

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* go-distribution: Add CVE_PRODUCT to align with NVD CPE | Himanshu Jadon | 2026-04-21 | 1 | -0/+2

    CVE_PRODUCT has been set to docker:registry to align with the NVD CPE product namespace for the distribution/registry codebase.

    Only a single CPE entry exists in the NVD for this product:
    cpe:2.3:a:docker:registry

    This ensures CVEs tracked for docker registry are matched for this recipe.

    Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* systemd: add openssl PACKAGECONFIG for virtualization distro feature | Zhixiong Chi | 2026-04-21 | 2 | -0/+3

    Since libvirt was upgraded to v12.1.0, the new systemd service file virt-secret-init-encryption.service has been introduced, and it requires systemd to add openssl to PACKAGECONFIG, because the systemd-creds encrypt command will be executed in the service file, which depends on openssl being enabled. Meanwhile this service was added into the dependency chain of the main service libvirtd.service, and will be enabled by default by the libvirtd service without any build dependency detection, according to the original upstream commit https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89

    In the systemd oe-core recipe, the openssl PACKAGECONFIG is disabled by default. Finally the service file virt-secret-init-encryption.service and libvirtd will fail with the following error:

    > # systemctl status libvirtd -l
    * libvirtd.service - libvirt legacy monolithic daemon
         Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
         Active: inactive (dead)
    TriggeredBy: * libvirtd.socket
                 * libvirtd-ro.socket
                 * libvirtd-admin.socket
           Docs: man:libvirtd(8)
                 https://libvirt.org/
    systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
    systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'

    > # journalctl -xe
    A start job for unit virt-secret-init-encryption.service has begun execution.
    systemd-creds[1251]: Support for encrypted credentials not available.
    systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE

    The above error info "Support for encrypted credentials not available." comes from the systemd-creds command provided by systemd built without the HAVE_OPENSSL option, at the source code src/shared/creds-utils.c

    Here we enable openssl for systemd when 'virtualization' is in the distro features.

    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt: Drop the deprecated workaround | Zhixiong Chi | 2026-04-21 | 1 | -7/+0

    The workaround is not needed anymore, as systemd supports it. The libvirtd.service Type has been changed from notify to notify-reload, so the final Type will be 'forking-reload', which is invalid for systemd. Here we delete it to avoid the following output:

    >/lib/systemd/system/libvirtd.service:29: Failed to parse Type=forking-reload, ignoring: Invalid argument

    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* criu: Add CVE_PRODUCT to align with NVD CPE | Himanshu Jadon | 2026-04-21 | 1 | -0/+2

    CVE_PRODUCT has been set to criu:checkpoint/restore_in_userspace to align with the product naming used in the NVD CPE database for criu. The slash-containing product token is intentional as NVD references this project under checkpoint/restore_in_userspace.

    Only a single CPE entry exists in the NVD for this product:
    cpe:2.3:a:criu:checkpoint/restore_in_userspace

    Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cni: Add CVE_PRODUCT to align with NVD CPE | Himanshu Jadon | 2026-04-21 | 1 | -0/+3

    `CVE_PRODUCT` has been set to `linuxfoundation:container_network_interface linuxfoundation:cni_network_plugins` to align with the product naming defined in the NVD CPE database for `cni`.

    The NVD CPE database contains product variants for this project under:
    `cpe:2.3:a:linuxfoundation:container_network_interface`
    `cpe:2.3:a:linuxfoundation:cni_network_plugins`

    The NVD references for these CPEs confirm that they correspond to the source code used in our recipe.

    Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* netavark: remove nmap from ptest RDEPENDS | Zhang Peng | 2026-04-21 | 1 | -1/+0

    Since upstream commit dbc920030 ("test: add new test program for connection checks"), the netavark test suite no longer uses ncat (from nmap). The tests now use a built-in Rust-based connection tester (netavark-connection-tester) instead. This change was included starting from v1.16.0, so the nmap dependency is no longer needed.

    Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cdi: add container-device-interface commandline utility | Koen Kooi | 2026-04-21 | 6 | -0/+194

    From the upstream description:

    The `cdi` command-line tool is a utility for inspecting and interacting with the CDI (Container Device Interface) cache. It allows developers and system administrators to:
    - List CDI Spec files: View all available CDI specification files in the configured directories
    - List vendors: Display registered device vendors in the CDI cache
    - List device classes: Show available device classes from CDI Specs
    - List devices: Enumerate all CDI devices available in the system
    - Validate specs: Verify CDI specification files against the JSON schema
    - Inject devices: Inject CDI device configurations into OCI runtime specifications
    - Monitor cache: Watch for changes in the CDI cache and Spec directories
    - Resolve devices: Resolve fully-qualified device names to their configurations

    The CLI tool is particularly useful for debugging CDI configurations, validating spec files, and testing device assignments before deploying them in production environments.

    Signed-off-by: Koen Kooi <koen.kooi@oss.qualcomm.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt-dbus: update to v1.4.1-tip | Bruce Ashfield | 2026-04-21 | 1 | -3/+3

    We drop the inline error suppression, since upstream has it in commit c0fffce

    New upstream version installs /usr/lib/sysusers.d/libvirt-dbus.conf for systemd-sysusers user/group creation. Add the directory to FILES to fix installed-vs-shipped QA error.

    Bumping libvirt-dbus to version v1.4.1-46-gd1c49c2, which comprises the following commits:

    d1c49c2 domain: Fix incorrect free of GString variable
    c0fffce build: Do not use -Winline
    f1d2f64 ci: refresh with latest 'lcitool manifest'
    2105c17 Introduce sysusers config file to create libvirtdbus user
    0643cd8 ci: refresh with latest 'lcitool manifest'
    ded4bc8 ci: refresh with latest 'lcitool manifest'
    8f06b76 ci: switch to remote git refs for dependent projects
    2fa70fd ci: refresh with lcitool manifest
    ea96102 spec: use systemd macros to handle services
    d0a5650 spec: use systemd macro to specify path of user unit directory
    c281c50 ci: lcitool: Maintain project package deps lists here
    193248a rpm: convert license to SPDX format
    c8bb8ac meson: bump required libvirt version to 3.1.0
    08f7541 events: Remove extra white spaces at the end of line
    d37813b Remove GetBlockInfo method from Domain Interface
    4a971c4 ci: add Fedora 37 target
    58a9f53 ci: upgrade opensuse leap from 153 to 154
    24e43b4 ci: refresh with latest lcitool manifest
    697ef0b ci: drop unsupported targets
    ef9430e HACKING: Use gitlab as main repository
    4fbd82e ci: refresh with latest lcitool manifest
    8333b9f spec: add systemd-rpm-macros as build dependency
    35173fa ci: add Fedora 36
    3b070a5 ci: refresh generated files
    111fe77 ci: drop unsupported Fedora 34
    95ac644 README: update libvirt dbus bindings link
    23267d4 ci: Add more target platforms
    d62b5b1 ci: Build RPMs on CentOS Stream 8
    5232cb9 ci: Refresh generated files
    6eb24e9 ci: Drop unsupported targets
    d130ab0 ci: Move Coverity job from CentOS 8 to AlmaLinux 8
    2757a47 ci: Add AlmaLinux 8
    053d238 ci: Drop Travis CI support
    3077aa8 Add .gitattributes file
    502c8b5 rpm: Drop conditional needed on RHEL 7
    b685a89 Fix meson run_command with check param
    87b16e9 Implement GetBlockInfo, SetBlockThreshold methods and BlockThreshold signal for Domain Interface
    3d64429 Switch to new GitHub repo-lockdown configuration
    f4d3863 ci: remove obsolete refresh script and documentation
    2b0a513 ci: re-generate containers/gitlab config from manifest
    fa892e3 ci: define a CI manifest file
    b1bd1d2 gitlab: skip tests on ubuntu 18.04
    c7df361 gitlab: remove centos-7 build target
    204d341 meson: Fix systemd services install when --prefix was specified
    6ef9bb9 ci: refresh centos-stream container
    ce6cf93 gitlab: use custom docker:dind image
    0c355bb Release of libvirt-dbus 1.4.1

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* ca-certificates: guard bbappend with virtualization DISTRO_FEATURES | Bruce Ashfield | 2026-04-14 | 1 | -5/+7

    The unconditional bbappend to ca-certificates breaks yocto-check-layer compatibility when the layer is included without 'virtualization' in DISTRO_FEATURES. Guard both the SRC_URI additions and the do_install append with a bb.utils.contains check, matching the pattern used by other bbappends in the layer (busybox, qemu, etc.).

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vcontainer-initramfs-create: fix kernel path for multiconfig builds | Bruce Ashfield | 2026-04-14 | 1 | -8/+12

    The kernel was copied from DEPLOY_DIR_IMAGE which resolves to the main build config's deploy directory — not the multiconfig's. On autobuilder setups with sstate, this caused the kernel to be missing from the vdkr blob directory because:

    1. The mcdepends (mc:<mc>::virtual/kernel:do_deploy) depended on the main config's kernel, which may be a different architecture
    2. DEPLOY_DIR_IMAGE pointed to the main deploy dir, not the multiconfig's tmp-vruntime-<arch>/deploy/images/<machine>/

    Fix by using MC_DEPLOY (the multiconfig's deploy directory) for the kernel path, consistent with how initramfs and rootfs are already copied. Remove the cross-multiconfig mcdepends since the kernel is built as a transitive dependency of the rootfs image within the same multiconfig.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cockpit-machines: remove autotools inheritance | Tanguy Raufflet | 2026-04-13 | 1 | -4/+14

    The commit [1] from openembedded-core removes the possibility to use the autotools bbclass when the configure script is missing. Because the cockpit-machines release tarball always ships pre-built assets in dist/, there is no need to use autotools to build the package.

    This commit fixes the following build error:
    ERROR: cockpit-machines-346-r0 do_configure: no configure script found at ./configure

    [1]: autotools: require that a configure script exists
         SHA: 6d327a39befae44a88a812bdf4acde800dcee57b

    Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt-dbus: disable -Werror=inline to fix build error | Tanguy Raufflet | 2026-04-13 | 1 | -0/+2

    The meson.build from libvirt-dbus enables the flag -Winline. Combined with -Werror from Yocto, this causes a build failure because GCC refuses to inline g_autoptr_cleanup_generic_gfree() from the glib header glib-autocleanups.h, as it considers the call unlikely and estimates code size would grow.

    Because the function g_autoptr_cleanup_generic_gfree is defined as static inline with good reason, this patch disables -Werror=inline for libvirt-dbus to allow the build to succeed.

    Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vcontainer: fix registry login and TLS certificate chain | Bruce Ashfield | 2026-04-13 | 4 | -3/+94

    vcontainer-common.sh:
    - Fix docker/podman login hanging silently in daemon mode. The login command requires interactive stdin for the password prompt, which the non-interactive daemon-send channel cannot provide. Use daemon-interactive mode (same as vshell/exec -it) which provides TTY passthrough via the virtio-serial + socat + expect channel.

    ca-certificates bbappend:
    - Add Let's Encrypt E8 (ECDSA) and R11 (RSA) intermediate certificates via a ca-certificates bbappend. Certs are fetched at build time from letsencrypt.org and installed into the standard CA certificate path. update-ca-certificates incorporates them into the system CA bundle.
    - Some registries (e.g., registry.yocto.io) don't send the full certificate chain, causing TLS verification to fail with Go programs (Docker, skopeo, podman) even though the root CAs are present.

    vdkr-rootfs-image.bb:
    - Add ca-certificates to IMAGE_INSTALL

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vcontainer-tarball: fix PACKAGE_ARCH for SPDX do_create_spdx | Tim Orling | 2026-04-12 | 1 | -1/+10

    PACKAGE_ARCH must be "${SDK_ARCH}-${SDKPKGSUFFIX}" (e.g. x86_64-nativesdk) to match the pattern explicitly listed in SSTATE_ARCHS in meta/classes-global/sstate.bbclass.

    do_create_recipe_spdx writes the static SPDX document under DEPLOY_DIR_SPDX/${SSTATE_PKGARCH}/static/ where SSTATE_PKGARCH = PACKAGE_ARCH. do_create_spdx then calls find_jsonld() which searches only the arch directories listed in SPDX_MULTILIB_SSTATE_ARCHS (derived from SSTATE_ARCHS via all_multilib_tune_values).

    The previous value "${SDK_ARCH}_${SDK_OS}" evaluates to "x86_64_linux" which is NOT listed in SSTATE_ARCHS, so the static document was written to a directory never searched, causing the fatal:

    ERROR: Could not find a static SPDX document named static-vcontainer-tarball

    The correct value "${SDK_ARCH}-${SDKPKGSUFFIX}" evaluates to "x86_64-nativesdk" which IS listed in SSTATE_ARCHS as the literal "${SDK_ARCH}-${SDKPKGSUFFIX}" entry, and matches the pattern used by buildtools-tarball.bb (the reference for host-only SDK tarballs with TARGET_ARCH = "none" / TARGET_OS = "none").

    Signed-off-by: Tim Orling <tim.orling@konsulko.com>
* alpine-xen-guest-bundle: fix boot with init=/bin/sh | Bruce Ashfield | 2026-04-11 | 1 | -1/+4

    Alpine minirootfs is container-oriented and doesn't include openrc. The default /sbin/init is a symlink to /sbin/openrc which doesn't exist, causing a boot loop with:

    can't run '/sbin/openrc': No such file or directory

    Add init=/bin/sh to the guest kernel cmdline so the guest boots to a shell prompt instead of failing to find the init system.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* wic: move files to files/wic | Ricardo Salveti | 2026-04-09 | 5 | -0/+0

    Move local wic files to the new expected location files/wic, needed after the wic migration to a standalone project outside oe-core.

    Signed-off-by: Ricardo Salveti <ricardo.salveti@oss.qualcomm.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* yq: fix do_compile failure caused by CGO_ENABLED="0" | Li Zhou | 2026-04-09 | 1 | -0/+4

    The new version of yq needs CGO_ENABLED="0" set when compiling, and this causes a do_compile failure for 32-bit targets as below:

    -buildmode=pie requires external (cgo) linking, but cgo is not enabled

    The go tool's internal linker doesn't support PIE for 32-bit Linux targets, so -buildmode=pie requires external (cgo) linking on ARM and x86. To fix this conflict with CGO_ENABLED="0", remove "-buildmode=pie" from GOBUILDFLAGS.

    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* incus: restrict to x86-64 and aarch64 | Bruce Ashfield | 2026-04-09 | 1 | -0/+2

    Incus is only tested and supported on x86-64 and aarch64.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* incus: add PACKAGECONFIG for VM support | Bruce Ashfield | 2026-04-09 | 1 | -0/+3

    Enable incus VM management with PACKAGECONFIG[vm], which pulls in qemu, virtiofsd, and ovmf as runtime dependencies.

    Usage:
        PACKAGECONFIG:append:pn-incus = " vm"

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* incus: add runtime test suite | Bruce Ashfield | 2026-04-09 | 2 | -0/+158

    pexpect-based tests covering:
    - Daemon startup via systemd
    - incus-admin group creation
    - incus admin init --minimal
    - Alpine container launch, exec, stop, delete

    Run:
        pytest tests/test_incus_runtime.py -v --machine qemux86-64

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* incus: add container host profile | Bruce Ashfield | 2026-04-09 | 4 | -0/+118

    Add CONTAINER_PROFILE=incus support so incus can be selected as the container engine for container-image-host:

        require conf/distro/include/container-host-incus.conf
        MACHINE = "qemux86-64"
        bitbake container-image-host

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* incus: add recipe for system container and VM manager | Bruce Ashfield | 2026-04-09 | 8 | -0/+2909

    Incus is the community fork of LXD, providing a unified experience for running and managing system containers and virtual machines. Built on LXC 6.0 with cowsql for distributed cluster state.

    Uses go-mod-discovery with hybrid fetch mode for Go module dependencies.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cowsql: add recipe for distributed SQLite database | Bruce Ashfield | 2026-04-08 | 1 | -0/+27

    Distributed SQLite implementation using the Raft protocol, required by Incus for cluster database storage.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* raft: add recipe for cowsql consensus protocol library | Bruce Ashfield | 2026-04-08 | 1 | -0/+31

    C implementation of the Raft consensus protocol, required by cowsql for distributed SQLite used by Incus.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests: update k3s multi-node to use kernel cmdline role setup | Bruce Ashfield | 2026-04-07 | 1 | -53/+31

    Update the multi-node test fixture to use kernel cmdline parameters (k3s.role, k3s.node-ip, k3s.node-name) instead of manual IP configuration and k3s restart. The k3s-role-setup.service handles networking and role switching automatically on boot.

    - Pass kernel_append to K3sRunner for k3s.role and k3s.node-ip
    - Remove manual ip-addr-add and k3s stop/restart from fixture
    - Use k3s-get-token helper to extract join token on server
    - Agent starts k3s agent manually with extracted token (token not known at boot time)
    - Remove _QEMU_ARCH_CONFIG dict (moved to run-qemu-vm.sh script)

    All 10 tests pass: 5 single-node + 5 multi-node.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests, k3s: update test suite and README for multi-node | Bruce Ashfield | 2026-04-07 | 2 | -333/+153

    test_k3s_runtime.py:
    - Use run-qemu-vm.sh script for multi-node QEMU launches instead of inline command building (shared infrastructure with manual testing)
    - Resolve script path to absolute for pexpect compatibility
    - Accept >= 1 Ready node in single-node test (persistent rootfs state)

    README.md:
    - Complete rewrite with current build profile workflow
    - Document single-node quick start and multi-node cluster setup
    - Document kernel cmdline parameters for role-based boot
    - Document k3s-get-token helper, packages, and useful commands
    - Add automated testing instructions

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* scripts: add QEMU VM launcher and k3s multi-node helper | Bruce Ashfield | 2026-04-07 | 2 | -0/+357

    run-qemu-vm.sh:
    - Architecture-aware QEMU launcher (x86-64, arm64)
    - Finds native QEMU binary and libraries from build sysroots
    - Supports KVM auto-detection, socket networking, custom rootfs
    - Reusable by both humans and the pytest test suite

    run-k3s-multinode.sh:
    - Launches server or agent VMs for k3s multi-node testing
    - Passes k3s.role, k3s.server, k3s.token, k3s.node-ip, k3s.node-name via kernel cmdline for automatic guest-side configuration
    - Creates rootfs copy for agent VM (can't share ext4 read-write)
    - Prints usage instructions when run without arguments

    Usage:
        Terminal 1: ./scripts/run-k3s-multinode.sh server
        Server VM:  k3s-get-token
        Terminal 2: ./scripts/run-k3s-multinode.sh agent --token <TOKEN>
        Server VM:  kubectl get nodes

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* k3s: add multi-node cluster support with role-based boot | Bruce Ashfield | 2026-04-07 | 8 | -3/+206

    Add infrastructure for booting the same container-image-host image as either a k3s server or agent, controlled via kernel cmdline parameters (k3s.role=server|agent).

    k3s-role-setup.service / k3s-role-setup.sh:
    - Reads k3s.role, k3s.server, k3s.token, k3s.node-name, k3s.node-ip, k3s.iface from kernel cmdline
    - Configures cluster network interface IP via networkd drop-in
    - For agent role: masks k3s.service, writes agent environment file, starts k3s-agent.service
    - For server role: masks k3s-agent.service (default)

    10-k3s-cluster.network:
    - Claims the cluster interface (eth1) via virt_networking bbclass
    - Disables DHCP to prevent systemd-networkd from interfering
    - Static IP added at boot by role-setup via drop-in

    k3s-get-token.sh:
    - Helper script to display the server join token
    - Waits for token file if k3s is still starting

    k3s-agent.service:
    - Add EnvironmentFile for /etc/default/k3s-agent (K3S_URL, K3S_TOKEN)
    - Add After=k3s-role-setup.service and network-online.target

    k3s.service:
    - Add After=k3s-role-setup.service

    packagegroup-kubernetes.bb:
    - k3s-host packagegroup now includes k3s-agent (both roles available)
    - Both k3s-host and k3s-node include k3s-net-conf

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* docker: fix contrip -> contrib typo | Bruce Ashfield | 2026-04-07 | 1 | -1/+1

    It has been like this for many years now, so clearly not causing an issue, but we might as well fix it.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests: fix k3s multi-node test suite | Bruce Ashfield | 2026-04-06 | 1 | -8/+62

    Fix several issues discovered during multi-node testing:

    - Find native QEMU binary from build sysroots-components instead of relying on PATH (qemu-system-native is not in OE build env PATH)
    - Set LD_LIBRARY_PATH for native QEMU shared library dependencies (libSDL2, etc. from native sysroots)
    - Add if=virtio to drive parameter so root device appears as /dev/vda
    - Add CNI bin dirs to PATH when starting k3s manually (systemd service has the PATH fix but manual launch does not)
    - Wipe server TLS/cred/db state and kubeconfig before restarting with cluster IPs to avoid stale certificate errors (cert only valid for DHCP IP, not 192.168.50.1)
    - Add --tls-san for cluster IP to server start
    - Wipe agent k3s state to avoid "not authorized" from stale tokens
    - Remove server-only config.yaml on agent (disable-cloud-controller flag crashes the agent)
    - Set unique --node-name on agent to prevent hostname collision when both VMs boot from the same image

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* k3s: embed manifests and traefik charts, add server config | Bruce Ashfield | 2026-04-06 | 2 | -4/+44

    Embed system manifests and Helm charts into the k3s binary so that k3s's deploy.Stage() can extract and process them at runtime with template variable substitution (e.g., %{SYSTEM_DEFAULT_REGISTRY}%). Previously, raw manifest files were installed directly to the server manifests directory, but template variables were not substituted, causing InvalidImageName errors for system pods. Now manifests are copied to pkg/deploy/embed/ before Go compilation, matching upstream's scripts/build workflow.

    Traefik ingress controller support is added as a PACKAGECONFIG option (enabled by default). When enabled, the traefik and traefik-crd Helm chart tarballs are downloaded during do_fetch and embedded into the binary at pkg/static/embed/charts/. When disabled, traefik is added to the disable list in config.yaml.

    A default /etc/rancher/k3s/config.yaml is installed that disables the cloud-controller-manager (not needed for standalone/QEMU environments) and conditionally disables traefik. The --disable-cloud-controller flag is removed from k3s.service since it is now in the config file.

    To disable traefik:
        PACKAGECONFIG:remove:pn-k3s = "traefik"

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests: add k3s runtime test suite | Bruce Ashfield | 2026-04-06 | 1 | -0/+731

    Add test_k3s_runtime.py with 10 tests for k3s single-node and multi-node verification:

    Single-node (5 tests):
    - Boot, verify k3s binary and service unit
    - Start k3s server, wait for node Ready
    - Verify 1 node in Ready state
    - Deploy a busybox pod, verify Running
    - Delete pod, verify cleanup

    Multi-node (5 tests):
    - Boot 2 VMs via QEMU socket networking
    - Verify inter-VM ping on socket network
    - Start k3s server on VM1, join agent on VM2
    - Verify 2 nodes Ready
    - Deploy 2-replica deployment, verify scheduling

    Uses architecture-aware QEMU configuration (x86-64 and arm64 supported). Multi-node tests launch QEMU directly (not runqemu) to support two concurrent VMs. kubectl commands use KUBECONFIG instead of embedded 'k3s kubectl' which is not available in the Yocto build.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* k3s: fix CNI networking, service PATH, and manifests directory | Bruce Ashfield | 2026-04-06 | 4 | -3/+39

    Several issues prevented k3s from starting and running pods in the Yocto image:

    k3s.service / k3s-agent.service:
    - Add /opt/cni/bin and /usr/libexec/cni to PATH so k3s can find CNI plugin binaries (host-local, flannel, bridge, etc.)
    - Create /run/flannel/subnet.env at startup if not present — k3s's embedded flannel controller expects this file for CNI configuration
    - Add --disable-cloud-controller to server — the cloud controller manager is for cloud provider integration (AWS/GCP) and causes a timeout loop in standalone/QEMU environments

    k3s_git.bb:
    - Create /var/lib/rancher/k3s/server/manifests/ directory — k3s expects this at startup for auto-deploying system components
    - Switch CNI config from cni-containerd-net.conf (containerd bridge with 10.88.0.0/16 subnet) to cni-flannel.conflist which matches k3s's flannel networking (10.42.0.0/16 via flannel plugin)

    cni-flannel.conflist:
    - New flannel CNI config that delegates to the flannel plugin with hairpin mode, forceAddress, and portmap capabilities

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* k3s-host: set virtual-runc as container runtime | Bruce Ashfield | 2026-04-06 | 1 | -1/+1

    The k3s-host container profile had VIRTUAL-RUNTIME_container_runtime set to empty, which meant no OCI runtime (runc or crun) was installed. containerd's RDEPENDS uses this variable to pull in the runtime, so k3s pods failed with "runc: executable file not found in $PATH".

    Set to virtual-runc which is what k3s expects. The k3s-node profile inherits from k3s-host so it gets the fix too.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vruntime, vrunner, conftest: fix multiconfig and batch import issues | Bruce Ashfield | 2026-04-06 | 5 | -16/+66

    vruntime.conf:
    - Reset all VIRTUAL-RUNTIME_container_* variables to prevent CONTAINER_PROFILE selections from leaking into vruntime multiconfigs (e.g., podman profile pulling netavark into vruntime builds)
    - Disable ptest for glib-2.0 — its -ptest RDEPENDS chain (python3-dbusmock -> python3-pygobject -> cairo -> fontconfig) pulls the entire graphics stack which is masked in vruntime
    - OE-core commit 159148f4de2 replaced DISTRO_FEATURES_BACKFILL_CONSIDERED with DISTRO_FEATURES_OPTED_OUT. The old variable no longer has any effect, which meant ptest, gobject-introspection-data, wayland, and other features were no longer being blocked in vruntime builds. This caused glib-2.0's ptest RDEPENDS to pull in the cairo → fontconfig → freetype graphics stack, which is masked by the vruntime BBMASK.
    - Set PREFERRED_PROVIDER_virtual/runc with strong assignment to ensure the unified runc recipe is used

    vrunner.sh:
    - Fix batch import exit code handling: wrap import chain in subshell and make the images listing best-effort. The previous '&& podman images' caused false failures when podman images couldn't initialize its network backend. Using 'exit' was also wrong as the command runs inside PID 1 init's eval — exit kills init causing kernel panic.

    vpdmn-rootfs-image.bb:
    - Switch from netavark to CNI networking — netavark's dependency chain (nmap -> libpcap -> bluez5 -> python3-pygobject -> cairo) cannot be built under the vruntime BBMASK environment
    - Add nsswitch.conf override (files-only backend) to prevent libnss_systemd segfaults — the vruntime VM uses busybox init with no systemd running, but libnss_systemd.so is pulled in as a dependency and segfaults on NSS resolution

    vdkr-rootfs-image.bb:
    - Document skopeo requirement for batch import

    conftest.py:
    - Add --k3s-timeout option and k3s/multinode markers for upcoming K3s test suite

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* conf/distro: add build profile configuration fragments (Bruce Ashfield, 2026-04-05, 10 files changed, -0/+418)

  Add includable configuration fragments that replace manual DISTRO_FEATURES, CONTAINER_PROFILE, and related settings in local.conf.

  Fragments are organized as a base + composable deltas:
  - meta-virt-host.conf: base for all virtualization work (virtualization, systemd, seccomp, vmsep, vcontainer, BBMULTICONFIG)
  - container-host-{docker,podman,containerd,k3s,k3s-node}.conf: container engine profiles setting CONTAINER_PROFILE and profile-specific DISTRO_FEATURES
  - xen-host.conf: Xen hypervisor support (xen, vxn distro features, xen-image-minimal packages)
  - meta-virt-dev.conf: QEMU development settings (IMAGE_FSTYPES, QB_MEM, debug image features)
  - container-registry.conf: local dev registry defaults (insecure localhost:5000)

  Profiles are pure deltas and do not auto-include the base to avoid BitBake duplicate inclusion warnings. Users include meta-virt-host.conf first, then add profile fragments. The BUILD_PROFILE variable enables single-line profile switching.

  Usage in local.conf:

    require conf/distro/include/meta-virt-host.conf
    BUILD_PROFILE ?= "podman"
    require conf/distro/include/container-host-${BUILD_PROFILE}.conf

  Tested with podman, docker, and xen builds.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* containerd: Add CVE_PRODUCT to align with NVD CPE (Himanshu Jadon, 2026-03-30, 1 file changed, -0/+3)

  `CVE_PRODUCT` has been set to `linuxfoundation:containerd` to align with the product naming defined in the NVD CPE database for `containerd`.

  Only a single CPE entry exists in the NVD for this product:
  `cpe:2.3:a:linuxfoundation:containerd`

  The NVD references for this CPE confirm that it corresponds to the source code used in our recipe.

  Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt: disable netcf backend by default (Markus Volk, 2026-03-30, 1 file changed, -1/+1)

  I see a failure in netcf:

  | ./bootstrap: .gnulib/gnulib-tool --import --no-changelog --aux-dir build-aux --doc-base doc --lib libgnu --m4-base gnulib/m4/ --source-base gnulib/lib/ --tests-base gnulib/tests --local-dir gl --lgpl=2 --with-tests --makefile-name=gnulib.mk --libtool --import ...
  | python3: can't open file '/home/flk/bitbake-builds/poky/build/tmp/work/corei7-64-oe-linux/netcf/0.2.8+git/sources/netcf-0.2.8+git/.gnulib/.gnulib-tool.py': [Errno 2] No such file or directory
  | ./bootstrap: gnulib-tool failed

  Since the code hasn't been updated in over seven years, and after reading this discussion, perhaps the best solution would be to disable netcf support by default?

  https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/755CCFUFUW6OTN7CAHB77H7YXQNE5WGG/

  Signed-off-by: Markus Volk <f_l_k@t-online.de>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* ceph, libvirt, openvswitch: marked some CVEs as patched (Youenn Le Jeune, 2026-03-30, 3 files changed, -0/+12)

  For ceph, libvirt and openvswitch, 9 CVEs were marked as "unpatched" whereas they have been patched long ago compared to the versions of the recipes, because the NVD database does not contain patched versions for those CVEs.

  Reviewed-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
  Reviewed-by: Erwann Roussy <erwann.roussy@savoirfairelinux.com>
  Signed-off-by: Youenn Le Jeune <youenn.lejeune@savoirfairelinux.com>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* runc: fix RUNC_VERSION to match release-1.5 branch (Bruce Ashfield, 2026-03-27, 1 file changed, -1/+1)

  RUNC_VERSION was still set to 1.3.0 from a previous update but the recipe is now tracking the release-1.5 branch at v1.5.0-rc.1+4. Update to match the actual upstream version.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* yq: update to 4.52.5, convert to go-mod-vcs (Bruce Ashfield, 2026-03-26, 6 files changed, -83/+250)

  Update yq from 4.45.1 to 4.52.5 and convert from manual vendoring (20+ individual git SRC_URI entries) to the go-mod-vcs discovery system using pure hybrid mode (all gomod://). This makes future updates trivial via:

    bitbake yq -c discover_and_generate

  Shortlog of notable changes since 4.45.1:
  - Add support for YAML 1.1 octal numbers
  - Add --header-preprocess flag
  - Add bitwise operators (band, bor, bxor, bnot, bsl, bsr)
  - Add shuffle operator for arrays
  - Add rotate operator for arrays
  - Add limit operator
  - Add from_props/to_props for Java properties format
  - Add from_csv/to_csv improvements
  - Add --csv-separator flag
  - Improve JSON output formatting
  - Improve error messages for invalid expressions
  - Fix various edge cases in YAML/JSON/XML/TOML conversions
  - Fix memory leaks in large document processing
  - Performance improvements for large files
  - Updated Go module dependencies

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* go-mod-vcs.bbclass: handle pure hybrid mode gracefully (Bruce Ashfield, 2026-03-26, 1 file changed, -1/+7)

  When a recipe uses only gomod:// fetches with no VCS (git://) modules, GO_MODULE_CACHE_DATA is an empty list. Previously do_create_module_cache would run with nothing to process and do_sync_go_files would fatal with "No modules found in cache".

  Detect the empty module list and return early with an informational message in both tasks, allowing pure hybrid recipes (like yq) to build without workarounds.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* lxcfs: update to 6.0.6 (Bruce Ashfield, 2026-03-26, 1 file changed, -2/+1)

  Update LXCFS from 5.0.4 to 6.0.6 (LTS branch). Existing patches apply with offset.

  Key changes across the 5.0 to 6.0 series:

  6.0.x LTS (2024-2029):
  - Switch to fuse3 as default (fuse2 still supported)
  - Reworked cgroup2 support with improved delegation
  - Improved /proc/cpuinfo virtualization for cgroup2
  - Improved /proc/meminfo virtualization accuracy
  - Improved /proc/stat CPU time virtualization
  - Improved /proc/loadavg virtualization
  - Improved /proc/uptime per-container tracking
  - Improved /sys/devices/system/cpu virtualization
  - Better handling of cgroup v1/v2 hybrid setups
  - meson build system improvements
  - Various memory leak and race condition fixes
  - Multiple security hardening improvements

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* podman-compose: update to 1.5.0 (Bruce Ashfield, 2026-03-26, 1 file changed, -3/+3)

  Shortlog of changes since 1.4.0:
  - Implement 'up --no-recreate'
  - Add support to set --route of podman network create
  - Implement environment variable interpolation to YAML dictionary keys
  - Properly surface errors from 'push' command
  - Hide stack trace shown on YAML parse error by default
  - Migrate to PEP 621 project metadata
  - Migrate to SPDX identifier for the license

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* seabios: update to 1.17.0 (Bruce Ashfield, 2026-03-26, 2 files changed, -5/+5)

  Update SeaBIOS from 1.16.0 to 1.17.0. Refresh python3.patch for shifted context.

  Shortlog of changes since 1.16.0:
  - ahci: Fix hangs due to controller reset
  - ahci: add controller reset
  - ahci: Power ON + ICC_ACTIVE into port setup code
  - Add LBA 64bit support for reads beyond 2TB
  - detect physical address space size
  - move 64bit pci window to end of address space
  - limit address space used for pci devices
  - pciinit: don't misalign large BARs
  - update pci_pad_mem64 handling
  - fix smbios blob length overflow
  - check for e820 conflict
  - usb-hid: Support multiple USB HID devices via linked list
  - boot: Force display of boot menu when boot-menu-wait is negative
  - esp-scsi: indicate acceptance of MESSAGE IN phase data
  - esp-scsi: terminate DMA transfer when ESP data transfer completes
  - vbe: implement function 09h (get/set palette data)
  - vbe: Add VBE 2.0+ OemData field
  - vgabios: Fix generating modes list for static_functionality
  - Various stdvga/vgasrc naming and interface cleanups
  - kconfig: fix check-lxdialog.sh to work with gcc 14+

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* go recipes: update to latest upstream releases (Bruce Ashfield, 2026-03-26, 11 files changed, -39/+48)

  Update all active Go library recipes to their latest releases:
  - go-md2man: 1.0.10 → 2.0.7 (update GO_IMPORT for v2 module path)
  - go-cli: 1.1.0 → 2.27.7 (moved to github.com/urfave/cli/v2)
  - go-connections: 0.2.1 → 0.6.0
  - go-dbus: 4.0.0 → 5.2.2 (update GO_IMPORT for v5 module path)
  - go-distribution: 2.6.0 → 3.0.0 (repo moved to distribution/distribution)
  - go-fsnotify: 1.5.1 → 1.9.0
  - go-logrus: 0.11.0 → 1.9.4
  - go-mux: unversioned → 1.8.1
  - go-patricia: 2.2.6 → 2.3.3
  - go-systemd: 4 → 22.7.0 (update GO_IMPORT for v22 module path)
  - grpc-go: 1.59.0 → 1.79.3

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>