| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building kvm-image-minimal fails without the 'kvm' DISTRO_FEATURE,
requiring users to manually add it to local.conf. Every other
virtualization platform (Xen, Docker, Podman, k3s, containerd) already
has a composable configuration fragment in conf/distro/include/ that
can be included with a single require line.
Add kvm-host.conf following the same pattern as xen-host.conf: a pure
delta fragment that appends the kvm DISTRO_FEATURE. Composable with
any container profile and the base meta-virt-host.conf.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Xen's hypervisor Makefile overrides CFLAGS entirely with its own flags
(nostdinc, fno-builtin, etc.), so OE's DEBUG_PREFIX_MAP flags added via
CFLAGS never reach the hypervisor compilation. The existing prefix map
entries in xen.inc appeared to work only because sstate was caching
pre-built packages — a fresh rebuild exposes the embedded TMPDIR paths
in the EFI binary and debug symbols.
Inject the prefix maps through EXTRA_CFLAGS_XEN_CORE, which is Xen's
own mechanism for accepting additional compiler flags and is already
passed through to oe_runmake. This fixes the EFI binary paths.
The xen-syms debug binary retains one source path in .debug_str from
the linker/assembly stage, which does not honor the C compiler's
-fdebug-prefix-map. Since xen-syms is only shipped in the -dbg package
(not a deployment target), skip buildpaths for xen-dbg. This is an
optional QA test — not in CHECKLAYER_REQUIRED_TESTS — so it has no
impact on yocto-check-layer compatibility.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default Popen expects all the streams to be bytes-like objects but,
in the Popen.communicate() function call, the "input" argument is a
string, making the call fail with the error:
qemu hook error: a bytes-like object is required, not 'str'
Fix the error by setting text mode to True in the subprocess creation.
Also fix the "SyntaxWarning: invalid escape sequence '\w'" in the regex
used to match script names.
Signed-off-by: Massimiliano Minella <massimiliano.minella@se.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The multi-layer 'directories', 'files', and 'host' branches in IMAGE_CMD:oci
copy delta content into the OCI bundle rootfs with 'cp -a'. 'cp -a' implies
'--preserve=all', which calls lchown() on the destination to copy ownership
from the source. When a directories/files layer copies a symbolic link whose
target does not exist at build time (for example, the '/dev/stdout' and
'/dev/stderr' log forwarding symlinks used by the official nginx Docker
image), lchown() can return EINVAL under pseudo and 'cp' aborts with:
cp: failed to preserve ownership for .../var/log/nginx/access.log: Invalid argument
failing the whole do_image_oci task.
The single-layer rootfs copy already handles this correctly:
cp -r -a --no-preserve=ownership ${IMAGE_ROOTFS}/* $image_bundle_name/rootfs
and the multi-layer 'packages' branch uses 'rsync -a --no-owner --no-group'
for the same reason. Bring the three remaining cp -a sites in line by adding
'--no-preserve=ownership'. Ownership inside an OCI image is set by umoci
based on the image config and source ownership has no meaning for symlinks
to runtime device nodes anyway, so dropping preservation is the correct
behaviour.
Reproduce: declare a directories: layer that copies a path containing a
symlink to '/dev/stdout' or '/dev/stderr' (e.g. a postprocess that creates
/var/log/nginx/{access,error}.log -> /dev/{stdout,stderr} to mirror the
upstream nginx Docker image).
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
| |
Podlet generates Podman Quadlet files from a Podman command, compose file, or existing object.
Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initial vcontainer distro had no BBMASK at all, making it
effectively poky with fewer DISTRO_FEATURES. Every multiconfig parsed
the entire recipe universe even though container image builds only
need a small subset. With 4+ multiconfigs, the parse overhead is
significant.
Add vcontainer-bbmask.inc as a lighter alternative to vruntime's
aggressive BBMASK. It masks the same categories irrelevant to any
container/VM build (graphics, multimedia, desktop, virtualization
platforms, orchestration tools, meta-python, meta-filesystems,
meta-webserver) but keeps the OCI tooling that vruntime blocks:
umoci, container-registry, image recipes, sloci, oci-image-tools.
Masking entire layers (meta-python, meta-filesystems, meta-webserver)
produces BBFILE_PATTERN warnings because the layers are registered in
bblayers.conf (shared with the main build) but have zero recipes after
masking. BitBake provides BBFILE_PATTERN_IGNORE_EMPTY_<collection>
to suppress this, but checks it on self.data (the base datastore),
not per-multiconfig datastores. Setting it in the distro config has
no effect. Move the suppression to meta-virt-host.conf which is
included by the main build's local.conf and therefore visible to
the base datastore.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The registry push script (container-registry-index.bb) treated all OCI
directories as single-arch, calling 'skopeo copy oci:<dir>' which fails
with "more than one image in oci, choose an image" when the directory
contains a multi-arch image index. The original push implementation
predated multi-arch OCI support and only handled the single-manifest
case.
Detect multi-arch OCI Image Index directories (both flat and nested
layouts) in the direct-path push mode and use 'skopeo copy --all' to
push the entire manifest list to the registry in one operation. This
preserves the multi-platform structure so that clients pulling from the
registry automatically get the correct architecture.
Also strip the '-multiarch' suffix from directory names when deriving
the registry image name, so container-base-multiarch-multiarch-oci
pushes as 'container-base' rather than 'container-base-multiarch'.
Add build-profiles.md documentation for the vcontainer distro, container
multiconfigs, and multi-arch container build workflow.
Add test_vcontainer_distro.py with 54 tests across three tiers:
- Tier 1: Static file assertions (vruntime-base.inc, vcontainer.conf,
multiconfigs, bbclass defaults, recipe structure)
- Tier 2: Cross-file consistency (shared base, distro-MC alignment,
bbclass-to-multiconfig file matching)
- Tier 3: Build output verification (OCI index structure, platform
entries, blob integrity, manifest validation)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The multi-arch OCI functions (is_oci_image_index, get_oci_platforms,
select_platform_manifest) only checked index.json directly for platform
information. With the skopeo-compatible nested OCI layout — where
index.json references a single image index blob that in turn contains
the per-platform manifests — the functions failed to detect multi-arch
images because index.json no longer contains platform entries.
Add _resolve_oci_platform_file() helper that handles both layouts:
- Flat: platform info directly in index.json (legacy/simple case)
- Nested: index.json → image index blob → platform manifests
All three multi-arch functions now use this single helper, eliminating
the layout resolution logic that would otherwise be duplicated in each.
Also fixes two issues in the vimport case block:
- 'local' keyword used outside a function (bash error on line 1879).
The vimport handler is in a case statement in the main script body,
not inside a function, so 'local' is invalid. The original multi-arch
code was written assuming it would be inside a function.
- OCI_SELECTED_PLATFORM was blank in output because select_platform_manifest
sets it inside a $() subshell, where variable assignments are lost.
Use normalize_arch_to_oci directly for the display message instead.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three issues prevented oci-multiarch.bbclass from producing usable
multi-architecture container images:
1. MC defaults pointed to vruntime-* multiconfigs, whose BBMASK blocks
OCI tooling. Changed to container-* multiconfigs which use the new
vcontainer distro without BBMASK.
2. mcdepends targeted do_image_oci, but the OCI output is only deployed
to deploy/images/ by the later do_image_complete task. The bbclass
then failed to find the OCI directory at the expected deploy path.
The original implementation assumed do_image_oci was the final step,
but OE-core's image pipeline has a separate deploy phase.
3. The OCI Image Index was written directly into index.json with
multiple manifest entries. This is valid per the OCI spec but skopeo
requires index.json to reference a single entry when there are
multiple images. The fix writes the multi-platform image index as a
blob in blobs/sha256/ and has index.json reference it with a single
entry of mediaType application/vnd.oci.image.index.v1+json. This
nested layout is what tools like buildah and crane produce for
multi-arch images, and is required for 'skopeo copy --all' to work.
Also adds container-base-multiarch.bb recipe that wires up container-base
for aarch64 + x86_64 builds via the oci-multiarch class.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The oci-multiarch.bbclass was dead code because vruntime's BBMASK blocks
the OCI tooling (umoci, skopeo) needed to build container images. We
could not simply use the vruntime multiconfigs for OCI image builds
because the aggressive recipe masking that keeps vruntime rootfs minimal
also removes the packages needed for container image creation.
Rather than maintaining two independent distro configs with duplicated
DISTRO_FEATURES, extract the common configuration into a shared base
fragment and create a new distro that omits the BBMASK.
Changes:
- Extract vruntime-base.inc from vruntime.conf with shared settings:
stripped DISTRO_FEATURES, opted-out features, native class overrides
- Simplify vruntime.conf to require vruntime-base.inc, keeping only
VM-specific settings (BBMASK, busybox init, ptest disable)
- Add vcontainer.conf: requires the same shared base but without BBMASK,
giving OCI tooling full access to the package set
- Add container-aarch64 and container-x86-64 multiconfigs using the
vcontainer distro with separate TMPDIRs
- Add container multiconfigs to BBMULTICONFIG in meta-virt-host.conf
- Remove unused container.conf placeholder from 2022
IMAGE_FSTYPES is intentionally NOT set in vcontainer.conf because the
'oci' type requires image-oci.bbclass which only container image recipes
inherit. Setting it distro-wide breaks non-container images parsed under
this distro (e.g., core-image-multilib-example from meta-skeleton).
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a VDKR_CONFIG / VPDMN_CONFIG env var and a matching --config <path>
CLI flag that passes an existing docker config.json / podman auth.json
into the QEMU-hosted container runtime so pulls from private registries
work without having to retype --registry-user / --registry-pass on every
command.
Security posture (defence in depth):
- Host-side pre-flight validation in vrunner.sh (validate_auth_config):
reject symlinks, non-regular files, missing / unreadable files, files
smaller than 2 bytes (minimum "{}") or larger than 1 MiB, and any
permissions other than 0400 / 0600 / 0200. WARN if not owned by the
invoking user.
- Stage the file into a dedicated per-invocation directory under
$TEMP_DIR at mode 0400 inside a 0700 parent; auto-cleanup rides the
existing EXIT/INT/TERM trap.
- Expose the staged file over a *separate* read-only virtio-9p tag
("${TOOL_NAME}_auth") so credentials cannot leak into the general
/mnt/share input/output directory or into storage.tar outputs.
- Only a boolean flag ("${CMDLINE_PREFIX}_auth=1") is appended to the
kernel cmdline - never the path, the env var name, or the contents.
- Guest mounts /mnt/auth ro,nosuid,nodev,noexec, copies to the runtime's
canonical path, then unmounts immediately so neither the runtime nor
user workloads keep a reference to the host staging directory.
vrunner.sh:
- Initialise AUTH_CONFIG from $VDKR_CONFIG / $VPDMN_CONFIG
- Parse --config <path> (overrides the env vars)
- Add validate_auth_config() and setup_auth_share() with the rules above
- Call setup_auth_share in both the daemon start path and the
non-daemon / batch-import path
vcontainer-init-common.sh:
- Default RUNTIME_AUTH="0" and parse ${VCONTAINER_RUNTIME_PREFIX}_auth=*
from the kernel cmdline
- Define mount_auth_share() / unmount_auth_share() using the per-runtime
"${VCONTAINER_RUNTIME_NAME}_auth" 9p tag, mounted at /mnt/auth with
ro,nosuid,nodev,noexec
vdkr-init.sh:
- install_auth_config() copies /mnt/auth/config.json to
/root/.docker/config.json (mode 0600; parent dir 0700)
- Called after install_registry_ca in main flow so --config takes
precedence over --registry-user / --registry-pass; logs a NOTE when
both mechanisms are supplied
- Unmounts /mnt/auth after copy
vpdmn-init.sh:
- install_auth_config() copies to /run/containers/0/auth.json (the
rootful podman canonical path) and exports REGISTRY_AUTH_FILE so the
creds are picked up regardless of podman's search order
- Mode 0600 on the file, 0700 on the containing directory
- Unmounts /mnt/auth after copy
vcontainer-common.sh:
- Honour $VDKR_CONFIG / $VPDMN_CONFIG, parse --config, and forward
AUTH_CONFIG to vrunner.sh via --config in build_runner_args
- Document the flag and env vars in show_usage
README.md:
- New "Passing an existing docker/podman auth file (--config)" section
with examples for both runtimes, a table of target paths, and the
full security model
AI-Generated: Claude Cowork Opus 4.7
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new pytest module (tests/test_vcontainer_auth_config.py) covering
the registry-auth-config feature introduced in the previous commit.
Split into two tiers:
TestAuthConfigStaticPlumbing (40 static/shell-level assertions):
- vrunner.sh: AUTH_CONFIG picks up VDKR_CONFIG/VPDMN_CONFIG; --config
parsing; validate_auth_config and setup_auth_share definitions; every
validator reject rule (symlink / non-regular / unreadable / missing /
<2B / >1MiB / mode whitelist 400|600|200 / non-owner WARN); 0700
staging dir and 0400 staged file; readonly=on on the 9p share;
dedicated ${TOOL_NAME}_auth tag. Critically also asserts that
AUTH_CONFIG, VDKR_CONFIG and VPDMN_CONFIG never appear in
KERNEL_APPEND - only the ${CMDLINE_PREFIX}_auth=1 flag does.
- vcontainer-common.sh: env-var init, --config parsing, AUTH_CONFIG
forwarding via --config to vrunner, and show_usage documentation.
- vcontainer-init-common.sh: RUNTIME_AUTH default, cmdline parsing,
mount_auth_share/unmount_auth_share presence, dedicated per-runtime
${VCONTAINER_RUNTIME_NAME}_auth tag, and the ro,nosuid,nodev,noexec
mount options.
- vdkr-init.sh: install_auth_config present, writes to
/root/.docker/config.json with 0600 and 0700 parent, mount + unmount
pairing, precedence NOTE logged, and ordering after
install_registry_ca so --config wins over --registry-user/-pass.
- vpdmn-init.sh: writes to /run/containers/0/auth.json with matching
modes, exports REGISTRY_AUTH_FILE, mount/unmount pairing, and
ordering after verify_podman.
- README.md: --config section exists and documents both env vars and
both runtime target paths.
TestAuthConfigValidator (13 functional cases):
- Extracts validate_auth_config() from vrunner.sh with a brace-matching
parser, sources it in a bash subshell with a stubbed log() helper,
and drives it with real files: accepts modes 0600 / 0400, accepts
the 2-byte minimum "{}", rejects missing / symlink / directory /
empty / 1-byte / >1 MiB / 0644 (world-readable) / 0640 / 0700
(owner-exec) / 0000 (unreadable, skipped when running as root).
Path resolution is resilient: VCONTAINER_FILES_DIR env override first,
otherwise repo-relative to the test file, falling back to the
/opt/bruce/poky path used elsewhere in the suite. No tests need QEMU,
a registry, or network. All 53 tests complete in ~0.1s.
Add tests/__pycache__ to .gitignore.
AI-Generated: Claude Cowork Opus 4.7
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Backported from [1], verified with the test script from [2].
[1] https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311
[2] https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-28684
Signed-off-by: Bin Cao <bin.cao.cn@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
vstorage list/df/clean scanned DEFAULT_STATE_DIR (~/.vpdmn/) for arch
subdirectories, ignoring --state-dir. On CI where tests use
--state-dir ~/.vpdmn-test/x86_64, the default directory doesn't exist
so vstorage list reports "(no storage directories found)" and
test_vstorage_shows_memres_status fails.
Derive VSTORAGE_ROOT from the parent of STATE_DIR when --state-dir is
set, so all vstorage subcommands scan the correct storage root.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUILDTAGS_EXTRA was gated on VIRTUAL-RUNTIME_container_networking == "cni",
which excluded the cni build tag in vruntime builds where that variable is
intentionally blank (vpdmn-rootfs-image installs cni packages directly).
This caused podman to be compiled with netavark-only support, failing at
runtime with "cni support is not enabled in this build" when containers.conf
sets network_backend = "cni".
Include the cni build tag unless the distro explicitly selects netavark.
This respects the podman profile's upstream preference for netavark-only
while ensuring all other configurations (containerd, default, docker, k3s,
vruntime) retain CNI support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The existing environment-setup-* script uses BASH_SOURCE to derive
VCONTAINER_DIR, which is empty when parsed by yocto-autobuilder-helper's
enable_tools_tarball() since it doesn't evaluate shell expressions.
Generate a separate environment-setup-ci with flat export lines using
baked-in absolute paths from ${SDKPATH}/${SDKPATHNATIVE}. The AB parser
picks these up directly. SDK relocation rewrites the paths at install
time. The interactive bash script is unchanged.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add --scan-licenses to oe-go-mod-fetcher.py which scans Go module zips
for license files and generates go-mod-licenses.inc with LICENSE and
LIC_FILES_CHKSUM entries matching OE-core's go-mod-update-modules format.
License detection uses OE-core's glob patterns and MD5 + crunched MD5
matching against known SPDX licenses. The hash database resolves from:
1. --common-license-dir (explicit path)
2. Auto-detected poky tree common-licenses
3. Bundled scripts/data/license-hashes.csv (offline fallback)
New files:
- scripts/generate-license-hashes.py: regenerate bundled CSV
- scripts/data/license-hashes.csv: pre-computed hash DB (704 entries)
bbclass changes:
- go-mod-discovery: pass --scan-licenses during do_generate_modules
- GO_MOD_DISCOVERY_SKIP_LICENSES variable to bypass scanning
- do_update_license_hashes task to refresh bundled CSV
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
| |
|
|
|
|
|
|
|
| |
Replace the go-mod-update-modules generated cosign-licenses.inc with
go-mod-licenses.inc produced by oe-go-mod-fetcher --scan-licenses.
The new file is generated during discover_and_generate alongside the
other .inc files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Convert from go-mod + go-mod-update-modules to go-mod-vcs hybrid
fetch mode, consistent with other Go recipes in the layer (k3s,
nerdctl, docker-compose, etc.).
- Replace cosign-go-mods.inc (gomod:// only) with generated
go-mod-hybrid-{gomod,git,cache}.inc and go-mod-{git,cache}.inc
- Keep cosign-licenses.inc for dependency license tracking (our
go-mod-vcs tooling does not yet generate license metadata)
- Add GO_MOD_VCS_EXCLUDE for buf.build (no git repo) and
software.sslmate.com/src/go-pkcs12 (unreachable commit)
- Set GO_MOD_DISCOVERY_SRCDIR to match go.bbclass source layout
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the fetcher encounters unverifiable commits or modules with no
repository metadata, the error messages now show two equivalent options:
Option 1: For bitbake users (most common) — add GO_MOD_VCS_EXCLUDE
and a gomod:// SRC_URI entry to the recipe, fetching the module via
the Go module proxy instead of git.
Option 2: For direct oe-go-mod-fetcher.py invocation — pass
--inject-commit / --set-repo on the command line with a complete
example showing all required arguments.
Both options produce the same result. The previous messages only
suggested --inject-commit and --set-repo without context on where
or how to use them.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add cosign [1] recipe for sigstore's [2] container signing, verification
and storage tool [3]. Includes auto-generated Go module dependencies and
license tracking via go-mod-update-modules.
[1] https://github.com/sigstore/cosign/releases/tag/v3.0.6
[2] https://www.sigstore.dev/
[3] https://docs.sigstore.dev/cosign/signing/overview/
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On sstate-accelerated builds, the kernel binary (bzImage/Image) was
missing from MC_DEPLOY because do_compile depended on the image
recipes' do_image_complete, which runs before do_build. The kernel
deploy dependency (virtual/kernel:do_deploy) is attached to do_build
in image.bbclass, so depending on do_image_complete cut the chain
short and virtual/kernel:do_deploy was never guaranteed to have run.
Fix by depending on do_build instead of do_image_complete. The image
artifacts (cpio.gz, squashfs) are already in DEPLOY_DIR_IMAGE after
do_image_complete, so they remain available. do_build additionally
ensures virtual/kernel:do_deploy has completed, placing the kernel
in MC_DEPLOY for our do_compile to copy.
This avoids adding an explicit virtual/kernel:do_deploy dependency
which would couple this recipe to the kernel and prevent use cases
where the kernel is provided externally.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
vdkr.run() merges stderr into stdout (see conftest.py), so the
error message ends up in result.stdout even though the script
writes it to stderr (>&2).
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PACKAGECONFIG[systemd] variable is assigned twice, with the second assignment overriding the first.
This patch removes the unused assignment to avoid confusion.
The duplication was introduced in an August 25, 2022 patch:
05f316f7 lxc: update to 5.x and meson
Verfied that the build did not change after this deletion by checking the log files before and after
and finding the same message:
export systemd_system_unitdir="/usr/lib/systemd/system"
export systemd_unitdir="/usr/lib/systemd"
export systemd_user_unitdir="/usr/lib/systemd/user"
Signed-off-by: Kris Gavvala <kris.gavvala@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
libvirt has removed support for avahi in version 5.5.0 in 2019:
* Remove Avahi mDNS support
This feature was never used outside of virt-manager, which has itself
stopped using it a while ago.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Louis Rannou <louis.rannou@semalibre.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The update cycle used the git tags to update the PV version,
but when you build podman, the version pulled into the
executables is from: version/rawversion/version.go
Which currently reports: 5.8.3-dev
Bumping the PV to match.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
| |
The entire file is conditional, we don't need protections on the
SRC_URI entries.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DISTRO_FEATURES_DEFAULT has been obsoleted [1][2].
Follow the pattern in meta-yocto [3] and remove it.
Fixes:
ERROR: Nothing PROVIDES 'nativesdk-libseccomp' ...
[1] https://git.openembedded.org/openembedded-core/commit/meta/conf?id=0548ea447445834647be7ef35ed0ae8d1d3387b3
[2] https://git.openembedded.org/openembedded-core/commit/meta/conf?id=159148f4de2595556fef6e8678578df83383857b
[3] https://git.yoctoproject.org/meta-yocto/commit/?id=96085aaec5bfb33c4e4322465eaf0af370db6fc0
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes yocto-check-layer failures:
ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -> c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
Variable SRC_URI value changed:
@@ -1 +1,2 @@
-${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
+${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', '', d)}
+DISTRO_FEATURES{virtualization} = Unset
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
OE-Core needs to make some improvements to the way DISTRO_FEATURES is being built
but this will break the way meta-virtualization is handling native propagation.
Use DISTRO_FEATURES_FILTER_NATIVE which is designed for this.
That then means updating the bbappend just to look at DISTRO_FEATURES and to
look for both possible values.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Podman is hosted under github as podman and not libpod. Accessing
github.com/containers/libpod automatically forwards to
github.com/containers/podman.
This commit does not really fix a problem but reflects more the current
repository name.
Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumping libpod to version v5.8.2-5-g88c5aaeec6, which comprises the following commits:
78da75528f Install WiX v5.0.2 to build the Windows installer
7a47175665 Bump Podman to v5.8.3-dev
5b263b5f5b Bump to v5.8.2
884cd28228 Release notes for v5.8.2
6cffe93d88 hyperV: fix powershell path escape
f13de01b6d cirrus: bump linux machine aarch64 test timeout
d1cf366b0f Remove iptables references in upgrade tests
add385e31c bindings: artifact extract reject invalid names
a49ad4be81 use chrootarchive over plain archive package
92cd24903f fix symlink handling in checkpoint restore
0fa3043415 add missing O_CLOEXEC to open calls
9c262736e4 Fix Quadlet `Lookup()` stripping unmatched quotes
75820ddac5 Add e2e test for shell driver DriverOpts cross-contamination fix
e9fe245626 Fix shell driver DriverOpts cross-contamination in secret creation
7250b06e25 libpod: fix data race on deferredErr in attachExecHTTP
51b5c59310 Consolidate build secret tests and assert no podman-build-secret leak
15a2a7d605 Remote build: `nTar` secrets with relative paths and ignore bypass
e5fe3fdf69 api: fix missing return after error in SystemCheck handler
c91cd99291 test: relax rootless runc pid namespace assertion
26047f43b5 New images 2026-03-19
d49a9208bd cirrus: ensure NOTIFY_SOCKET is properly unset for all tests
1a9ae9dcba update fedoral base image to 43 and related tests
759df25a88 new image sfx for debian 14
28a39dd1ba libpod: Don't dereference ctrSpec.Linux if it is nil
7f37fbd6af quadlet: allow empty Entrypoint to clear image default
24fd9eb605 [v5.8] Bump Buildah to 1.43.1, c/common v0.67.1, c/image v5.39.2
42ac589e4d bump go-jose/go-jose to v4.1.4
fcc6ae217c [v5.8] Fix `unless-stopped` containers not restarting after ...
6a9ea849a0 Bump Podman to v5.8.2-dev
c6077f6457 Bump to v5.8.1
dfe5dae2d6 Release notes for v5.8.1
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change VdkrRunner.run() and VpdmnRunner.run() to use Popen with
start_new_session=True, stdin=DEVNULL, and file-based stdout instead
of subprocess.run(capture_output=True). This prevents daemon background
processes from inheriting pipe FDs, which causes communicate() to hang
in CI/test harness environments (e.g., buildbot).
The fix applies to all commands, not just memres start, because any
vdkr command can auto-start the daemon (auto-daemon is enabled by
default).
Also fix test_volume_mount_requires_memres to check both stdout and
stderr for the error message, since stderr is now merged into stdout
by the Popen approach.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The memres start operation spawns long-running background processes
(host-side idle watchdog and Xen domain monitor) that persist beyond
the vrunner.sh script. These processes inherited file descriptors
0/1/2 from the parent shell without redirection.
When invoked through a harness capturing output via pipes—such as
pytest's subprocess.run(..., capture_output=True)—the inherited pipe
write-ends kept the caller's read/communicate() operations blocked
until memres stop executed, potentially for up to 30 minutes
(IDLE_TIMEOUT default).
The fix fully detaches stdio from three background spawners:
- vrunner.sh: Watchdog subshell now redirects stdin from /dev/null,
stdout/stderr to /dev/null, and uses disown
- vrunner-backend-qemu.sh: Adds stdin redirection from /dev/null
to existing log file redirections
- vrunner-backend-xen.sh: Applies same detachment plus disown for
daemon mode; redirects stdin for ephemeral-mode console reader
From: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
memres start spawns background processes (QEMU VM, idle watchdog)
that persist after the vrunner script exits. When invoked via
subprocess.run(capture_output=True), these background processes
inherit the pipe file descriptors, preventing communicate() from
returning until all pipe holders exit — which can be 30+ minutes
(the idle timeout).
Fix by using Popen with:
- stdin=subprocess.DEVNULL (no inherited stdin pipe)
- file-based stdout (no pipe FDs to inherit)
- start_new_session=True (new process group, so wait() only
waits for the parent script, not the background children)
This matches the behavior when running from a shell, where the
daemon processes are fully detached from the caller's FD table.
Applied to both VdkrRunner and VpdmnRunner memres_start methods.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test classes that depend on vmemres (daemon mode) were not marked,
causing them to run even when filtered with '-m "not memres"'. This
caused timeout failures on CI/buildbot environments where KVM may
not be available and daemon startup exceeds the test timeout.
Mark the following classes with @pytest.mark.memres in both
test_vdkr.py and test_vpdmn.py:
- TestMemresBasic
- TestPortForwarding (vdkr only)
- TestContainerLifecycle
- TestVolumeMounts
- TestSystem
- TestVstorage
- TestRun
- TestAutoStartDaemon (vdkr only)
- TestDynamicPortForwarding (vdkr only)
- TestPortForwardRegistry (vdkr only)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CVE_PRODUCT has been set to docker:registry to align with the NVD CPE
product namespace for the distribution/registry codebase.
Only a single CPE entry exists in the NVD for this product:
cpe:2.3:a:docker:registry
This ensures CVEs tracked for docker registry are matched for this recipe.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since libvirt was upgraded to v12.1.0, the new systemd service file
virt-secret-init-encryption.service has been introduced, and it requires
systemd to add openssl to PACKAGECONFIG. Because systemd-creds encrypt
command will be executed in the service file, which depends on openssl
is enabled.
Meanwhile this service was added into the dependency chain of the main service
libvirtd.service, and will be enabled by default by libvirtd service without
any build dependency detection according to the original upstream commit
https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89
In systemd oe-core recipe, the openssl PACKAGECONFIG is disabled at default.
Finally the service file virt-secret-init-encryption.service and libvirtd will
be failed as the following error:
> # systemctl status libvirtd -l
* libvirtd.service - libvirt legacy monolithic daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: * libvirtd.socket
* libvirtd-ro.socket
* libvirtd-admin.socket
Docs: man:libvirtd(8)
https://libvirt.org/
systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'
> # journalctl -xe
A start job for unit virt-secret-init-encryption.service has begun execution.
systemd-creds[1251]: Support for encrypted credentials not available.
systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE
The above error info "Support for encrypted credentials not available." comes
from systemd-creds command provided by systemd without HAVE_OPENSSL option at
the source code src/shared/creds-utils.c
Here we enable openssl for systemd when 'virtualization' is in distro feature.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The workaround is not needed anymore as the systemd supporting.
The libvirtd.service Type has been changed from notify to notify-reload,
so the final Type will be 'forking-reload', that's invalid for systemd.
Here we delete it to avoid the following output information:
>/lib/systemd/system/libvirtd.service:29: Failed to parse Type=forking-reload, ignoring: Invalid argument
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE_PRODUCT has been set to criu:checkpoint/restore_in_userspace to align
with the product naming used in the NVD CPE database for criu.
The slash-containing product token is intentional as NVD references this
project under checkpoint/restore_in_userspace.
Only a single CPE entry exists in the NVD for this product:
cpe:2.3:a:criu:checkpoint/restore_in_userspace
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`CVE_PRODUCT` has been set to `linuxfoundation:container_network_interface linuxfoundation:cni_network_plugins`
to align with the product naming defined in the NVD CPE database for `cni`.
The NVD CPE database contains product variants for this project under:
`cpe:2.3:a:linuxfoundation:container_network_interface`
`cpe:2.3:a:linuxfoundation:cni_network_plugins`
The NVD references for these CPEs confirm that they correspond to the
source code used in our recipe.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since upstream commit dbc920030 ("test: add new test program for
connection checks"), netavark test suite no longer uses ncat (from
nmap). The tests now use a built-in Rust-based connection tester
(netavark-connection-tester) instead. This change was included starting
from v1.16.0, so the nmap dependency is no longer needed.
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From the upstream description:
The `cdi` command-line tool is a utility for inspecting and interacting with the CDI (Container Device Interface) cache.
It allows developers and system administrators to:
- List CDI Spec files: View all available CDI specification files in the configured directories
- List vendors: Display registered device vendors in the CDI cache
- List device classes: Show available device classes from CDI Specs
- List devices: Enumerate all CDI devices available in the system
- Validate specs: Verify CDI specification files against the JSON schema
- Inject devices: Inject CDI device configurations into OCI runtime specifications
- Monitor cache: Watch for changes in the CDI cache and Spec directories
- Resolve devices: Resolve fully-qualified device names to their configurations
The CLI tool is particularly useful for debugging CDI configurations, validating spec files, and testing device assignments before deploying them in production environments.
Signed-off-by: Koen Kooi <koen.kooi@oss.qualcomm.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We drop the inline error supression, since upstream has it in
commit c0fffce
New upstream version installs /usr/lib/sysusers.d/libvirt-dbus.conf
for systemd-sysusers user/group creation. Add the directory to FILES
to fix installed-vs-shipped QA error.
Bumping libvirt-dbus to version v1.4.1-46-gd1c49c2, which comprises the following commits:
d1c49c2 domain: Fix incorrect free of GString variable
c0fffce build: Do not use -Winline
f1d2f64 ci: refresh with latest 'lcitool manifest'
2105c17 Introduce sysusers config file to create libvirtdbus user
0643cd8 ci: refresh with latest 'lcitool manifest'
ded4bc8 ci: refresh with latest 'lcitool manifest'
8f06b76 ci: switch to remote git refs for dependent projects
2fa70fd ci: refresh with lcitool manifest
ea96102 spec: use systemd macros to handle services
d0a5650 spec: use systemd macro to specify path of user unit directory
c281c50 ci: lcitool: Maintain project package deps lists here
193248a rpm: convert license to SPDX format
c8bb8ac meson: bump required libvirt version to 3.1.0
08f7541 events: Remove extra white spaces at the end of line
d37813b Remove GetBlockInfo method from Domain Interface
4a971c4 ci: add Fedora 37 target
58a9f53 ci: upgrade opensuse leap from 153 to 154
24e43b4 ci: refresh with latest lcitool manifest
697ef0b ci: drop unsupported targets
ef9430e HACKING: Use gitlab as main repository
4fbd82e ci: refresh with latest lcitool manifest
8333b9f spec: add systemd-rpm-macros as build dependency
35173fa ci: add Fedora 36
3b070a5 ci: refresh generated files
111fe77 ci: drop unsupported Fedora 34
95ac644 README: update libvirt dbus bindings link
23267d4 ci: Add more target platforms
d62b5b1 ci: Build RPMs on CentOS Stream 8
5232cb9 ci: Refresh generated files
6eb24e9 ci: Drop unsupported targets
d130ab0 ci: Move Coverity job from CentOS 8 to AlmaLinux 8
2757a47 ci: Add AlmaLinux 8
053d238 ci: Drop Travis CI support
3077aa8 Add .gitattributes file
502c8b5 rpm: Drop conditional needed on RHEL 7
b685a89 Fix meson run_command with check param
87b16e9 Implement GetBlockInfo, SetBlockThreshold methods and BlockThreshold signal for Domain Interface
3d64429 Switch to new GitHub repo-lockdown configuration
f4d3863 ci: remove obsolete refresh script and documentation
2b0a513 ci: re-generate containers/gitlab config from manifest
fa892e3 ci: define a CI manifest file
b1bd1d2 gitlab: skip tests on ubuntu 18.04
c7df361 gitlab: remove centos-7 build target
204d341 meson: Fix systemd services install when --prefix was specified
6ef9bb9 ci: refresh centos-stream container
ce6cf93 gitlab: use custom docker:dind image
0c355bb Release of libvirt-dbus 1.4.1
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
The unconditional bbappend to ca-certificates breaks yocto-check-layer
compatibility when the layer is included without 'virtualization' in
DISTRO_FEATURES. Guard both the SRC_URI additions and the do_install
append with a bb.utils.contains check, matching the pattern used by
other bbappends in the layer (busybox, qemu, etc.).
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kernel was copied from DEPLOY_DIR_IMAGE which resolves to the main
build config's deploy directory — not the multiconfig's. On autobuilder
setups with sstate, this caused the kernel to be missing from the vdkr
blob directory because:
1. The mcdepends (mc:<mc>::virtual/kernel:do_deploy) depended on the
main config's kernel, which may be a different architecture
2. DEPLOY_DIR_IMAGE pointed to the main deploy dir, not the
multiconfig's tmp-vruntime-<arch>/deploy/images/<machine>/
Fix by using MC_DEPLOY (the multiconfig's deploy directory) for the
kernel path, consistent with how initramfs and rootfs are already
copied. Remove the cross-multiconfig mcdepends since the kernel is
built as a transitive dependency of the rootfs image within the same
multiconfig.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit [1] from openembedded-core, removes the possibility to use
autotools bbclass when the configure script is missing. Because the
cockpit-machines release tarball always ships pre-built assets in dist/,
there is no need to use autotools to build the package.
This commit fixes the following build error:
ERROR: cockpit-machines-346-r0 do_configure: no configure script
found at ./configure
[1]: autotools: require that a configure script exists
SHA: 6d327a39befae44a88a812bdf4acde800dcee57b
Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The meson.build from libvirt-dbus enables the flag -Winline. Combined
with -Werror from Yocto, this causes a build failure because GCC refuses
to inline g_autoptr_cleanup_generic_gfree() from the glib header
glib-autocleanups.h, as it considers the call unlikely and estimates
code size would grow.
Because the function g_autoptr_cleanup_generic_gfree is defined as
static inline with good reason, this patch disables -Werror=inline for
libvirt-dbus to allow the build to succeed.
Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vcontainer-common.sh:
- Fix docker/podman login hanging silently in daemon mode. The login
command requires interactive stdin for the password prompt, which
the non-interactive daemon-send channel cannot provide. Use
daemon-interactive mode (same as vshell/exec -it) which provides
TTY passthrough via the virtio-serial + socat + expect channel.
ca-certificates bbappend:
- Add Let's Encrypt E8 (ECDSA) and R11 (RSA) intermediate certificates
via a ca-certificates bbappend. Certs are fetched at build time from
letsencrypt.org and installed into the standard CA certificate path.
update-ca-certificates incorporates them into the system CA bundle.
- Some registries (e.g., registry.yocto.io) don't send the full
certificate chain, causing TLS verification to fail with Go programs
(Docker, skopeo, podman) even though the root CAs are present.
vdkr-rootfs-image.bb:
- Add ca-certificates to IMAGE_INSTALL
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PACKAGE_ARCH must be "${SDK_ARCH}-${SDKPKGSUFFIX}" (e.g. x86_64-nativesdk)
to match the pattern explicitly listed in SSTATE_ARCHS in
meta/classes-global/sstate.bbclass.
do_create_recipe_spdx writes the static SPDX document under
DEPLOY_DIR_SPDX/${SSTATE_PKGARCH}/static/
where SSTATE_PKGARCH = PACKAGE_ARCH. do_create_spdx then calls
find_jsonld() which searches only the arch directories listed in
SPDX_MULTILIB_SSTATE_ARCHS (derived from SSTATE_ARCHS via
all_multilib_tune_values).
The previous value "${SDK_ARCH}_${SDK_OS}" evaluates to "x86_64_linux"
which is NOT listed in SSTATE_ARCHS, so the static document was written
to a directory never searched, causing the fatal:
ERROR: Could not find a static SPDX document named static-vcontainer-tarball
The correct value "${SDK_ARCH}-${SDKPKGSUFFIX}" evaluates to
"x86_64-nativesdk" which IS listed in SSTATE_ARCHS as the literal
"${SDK_ARCH}-${SDKPKGSUFFIX}" entry, and matches the pattern used by
buildtools-tarball.bb (the reference for host-only SDK tarballs with
TARGET_ARCH = "none" / TARGET_OS = "none").
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
|
