path: root/recipes-support
Commit message | Author | Age | Files | Lines
* ca-certificates: remove conditional SRC_URI entries | Bruce Ashfield | 2026-04-28 | 1 | -4/+3

  The entire file is conditional, we don't need protections on the SRC_URI entries.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* ca-certificates: Ensure changes only apply with the selected DISTRO_FEATURES | Richard Purdie | 2026-04-28 | 2 | -38/+39

  This fixes yocto-check-layer failures:

  ca-certificates:do_recipe_qa: 4d7b7adb7436eeb5714c354f3c590e7e69294ea044452343d24e64c92d5c040f -> c1676ce811efe714731b666ccd683586477f7a1b52ad7597148bd9d709291220
  List of dependencies for variable SRC_URI changed from 'frozenset({'PV', 'SRC_URI[sha256sum]', 'BPN'})' to 'frozenset({'SRC_URI[le-r11.sha256sum]', 'BPN', 'SRC_URI[le-e8.sha256sum]', 'PV', 'SRC_URI[sha256sum]'})'
  Variable SRC_URI value changed:
  @@ -1 +1,2 @@
  -${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
  +${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0', '', d)}
  +DISTRO_FEATURES{virtualization} = Unset

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* ca-certificates: guard bbappend with virtualization DISTRO_FEATURES | Bruce Ashfield | 2026-04-14 | 1 | -5/+7

  The unconditional bbappend to ca-certificates breaks yocto-check-layer compatibility when the layer is included without 'virtualization' in DISTRO_FEATURES.

  Guard both the SRC_URI additions and the do_install append with a bb.utils.contains check, matching the pattern used by other bbappends in the layer (busybox, qemu, etc.).

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vcontainer: fix registry login and TLS certificate chain | Bruce Ashfield | 2026-04-13 | 1 | -0/+36

  vcontainer-common.sh:
  - Fix docker/podman login hanging silently in daemon mode. The login command requires interactive stdin for the password prompt, which the non-interactive daemon-send channel cannot provide. Use daemon-interactive mode (same as vshell/exec -it) which provides TTY passthrough via the virtio-serial + socat + expect channel.

  ca-certificates bbappend:
  - Add Let's Encrypt E8 (ECDSA) and R11 (RSA) intermediate certificates via a ca-certificates bbappend. Certs are fetched at build time from letsencrypt.org and installed into the standard CA certificate path. update-ca-certificates incorporates them into the system CA bundle.
  - Some registries (e.g., registry.yocto.io) don't send the full certificate chain, causing TLS verification to fail with Go programs (Docker, skopeo, podman) even though the root CAs are present.

  vdkr-rootfs-image.bb:
  - Add ca-certificates to IMAGE_INSTALL

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
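
The TLS failure this commit message describes, reproduced offline with Go's `crypto/x509` as an added example (it is not code from the layer, nor from Docker, skopeo or podman). It shows that a leaf served without its intermediate fails against a root-only trust store and verifies once the intermediate is in the store; the three certificates, their names and `registry.example` are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed test certificate signed by parent (self-signed if parent is nil).
func issue(cn string, serial int64, use x509.KeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: use, IsCA: use == x509.KeyUsageCertSign, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // root: signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainResults verifies a leaf served without its intermediate against two trust stores.
func chainResults() (rootOnly, withIntermediate bool) {
	root, rootKey := issue("Constructed Root", 1, x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue("Constructed Intermediate", 2, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("registry.example", 3, x509.KeyUsageDigitalSignature, inter, interKey)
	store := x509.NewCertPool()
	store.AddCert(root) // trust store holds the root CA only
	_, errRoot := leaf.Verify(x509.VerifyOptions{Roots: store})
	store.AddCert(inter) // intermediate added to the trust store, as the bbappend does
	_, errBoth := leaf.Verify(x509.VerifyOptions{Roots: store})
	return errRoot == nil, errBoth == nil
}

func main() { fmt.Println(chainResults()) }
```
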
* dnsmasq: add dnsmasq.d entries for lxc and libvirt | Mark Asselstine | 2017-12-28 | 1 | -5/+0

  A while ago changes were merged to meta-openembedded to make /etc/dnsmasq.d (and specifically the files it contains) referenced when the main instance of dnsmasq is run (see dnsmasq.service and commit ba665493a0dd [dnsmasq: allow for dnsmasq instances to reuse default dnsmasq.conf]).

  We, however, continued to modify the global configuration (/etc/dnsmasq.conf) to keep the main instance of dnsmasq from attaching to virbr0 and lxcbr0, by using 'bind-dynamic'. This approach is problematic, since it is common that other instances of dnsmasq will make use of the global configuration file and may have incompatible options. We see this for example when attempting to start lxc-net which will attempt to use 'bind-interface' which is incompatible with 'bind-dynamic' that we were adding to the global configuration.

  Here we remove our change to the global configuration (leaving it mostly empty as it should be) and instead have lxc and libvirt packages instruct the global instance not to bind to virbr0 and lxcbr0 by adding configuration files to /etc/dnsmasq.d (setting except-interface).

  The added benefit to this approach is that if lxc or libvirt are not part of an image the global configuration will not be modified in such a way as to expect that they are present.

  Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
* dnsmasq: allow for multiple instances (per libvirt) | Mark Asselstine | 2015-09-10 | 1 | -0/+5

  We have had a persistent issue of contention with multiple instances of dnsmasq. When libvirtd is started it will attempt and fail to create virbr0 that includes a dnsmasq binding (dnsmasq complains that the port is already in use). The root cause being that the base dnsmasq configuration uses the 'default' binding, meaning it will be greedy and bind to all available interfaces, along with any new interfaces that appear. This prevents any new instances of dnsmasq to fail.

  By changing the base dnsmasq configuration to use 'bind-dynamic' we will be able to create new interfaces and if we want to attach a new dnsmasq instance for the new interface we can, without contention.

  Overall this change should not change the default behavior (other than fixing the contention) as the 'bind-dynamic' mode will allow the base config to attach to new interfaces which are not bound to new dnsmasq instances.

  Removing dnsmasq_exclude_virbr.conf which was a previous (partial) attempt that was made to resolve this issue.

  Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
  Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>