diff --git a/.github/policies/resourceManagement.yml b/.github/policies/resourceManagement.yml
index ad8ef417626..d104f8e857c 100644
--- a/.github/policies/resourceManagement.yml
+++ b/.github/policies/resourceManagement.yml
@@ -13,34 +13,37 @@ configuration:
- payloadType: Pull_Request
then:
- if:
- - includesModifiedFiles:
- files:
- - SPECS/
- - SPECS-EXTENDED/
- - SPECS-SIGNED/
+ - filesMatchPattern:
+ pattern: "^(SPECS|SPECS-EXTENDED|SPECS-SIGNED)/"
+ matchAny: true
then:
- addLabel:
label: Packaging
- if:
- - includesModifiedFiles:
- files:
- - toolkit/docs/
+ - filesMatchPattern:
+ pattern: "^SPECS-EXTENDED/"
+ matchAny: true
+ then:
+ - addLabel:
+ label: specs-extended
+ - if:
+ - filesMatchPattern:
+ pattern: "^toolkit/docs/"
+ matchAny: true
then:
- addLabel:
label: documentation
- if:
- - includesModifiedFiles:
- files:
- - toolkit/tools/
- - toolkit/scripts/
+ - filesMatchPattern:
+ pattern: "^toolkit/(tools|scripts)/"
+ matchAny: true
then:
- addLabel:
label: Tools
- if:
- - includesModifiedFiles:
- files:
- - toolkit/imageconfigs/
- - toolkit/tools/imagegen/configuration
+ - filesMatchPattern:
+ pattern: "^toolkit/(imageconfigs|tools/imagegen/configuration)/"
+ matchAny: true
then:
- addLabel:
label: Schema
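Review bot: The five `filesMatchPattern` entries beginning at L14 carry no comment saying that `pattern` is a regular expression applied to the repository-relative path, so a reader used to the old `includesModifiedFiles` lists may take `^toolkit/(tools|scripts)/` for a glob and drop the `^` or the trailing `/` when editing it. Add above the first entry `# pattern is a regex on the repo-relative path; keep the leading ^ and trailing / so only files directly under these top-level directories match`. Files under `SPECS-EXTENDED/` now receive both `Packaging` and `specs-extended`, which looks intended but is worth stating in that comment too. The enclosing `then:` list for the `Pull_Request` payload starts before this hunk.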
@@ -69,16 +72,40 @@ configuration:
then:
- if:
- targetsBranch:
- branch: 1.0-dev
+ branch: main
then:
- addLabel:
- label: 1.0-dev
+ label: main
- if:
- targetsBranch:
- branch: main
+ branch: 2.0
then:
- addLabel:
- label: main
+ label: 2.0
+ - if:
+ - targetsBranch:
+ branch: 3.0-dev
+ then:
+ - addLabel:
+ label: 3.0-dev
+ - if:
+ - targetsBranch:
+ branch: 3.0
+ then:
+ - addLabel:
+ label: 3.0
+ - if:
+ - targetsBranch:
+ branch: fasttrack/2.0
+ then:
+ - addLabel:
+ label: fasttrack/2.0
+ - if:
+ - targetsBranch:
+ branch: fasttrack/3.0
+ then:
+ - addLabel:
+ label: fasttrack/3.0
description:
onFailure:
onSuccess:
diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
index a18ed1824bd..e2d4aafa507 100644
--- a/.github/workflows/check-manifests.yml
+++ b/.github/workflows/check-manifests.yml
@@ -21,7 +21,9 @@ jobs:
# This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
- name: Define missing rpm macros
run: |
- [[ -n $(rpm --eval '%bcond test 1') ]] && echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros
+ if [[ -n $(rpm --eval '%bcond test 1') ]]; then
+ echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros
+ fi
- name: Check x86_64 manifests
run: |
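Review bot: The macro file is created with `>` at L114, which clobbers any `~/.rpmmacros` the runner image already ships, and the command substitution inside `[[ -n $(...) ]]` at L113 is unquoted; both are harmless today but brittle, and the same shape is repeated in check-package-cgmanifest.yml (L127–L129). Prefer `if [[ -n "$(rpm --eval '%bcond test 1')" ]]; then` and `echo '...' >> ~/.rpmmacros`. Note also that the probe treats rpm echoing back the unexpanded macro as the "missing" signal, so if `rpm` itself is absent the output is empty and no macro is defined without any error here; a short comment stating that assumption next to the existing one would help the next person who upgrades the runner image.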
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
index 59b72371c38..98e7cf1fdf5 100644
--- a/.github/workflows/check-package-cgmanifest.yml
+++ b/.github/workflows/check-package-cgmanifest.yml
@@ -22,7 +22,9 @@ jobs:
# This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
- name: Define missing rpm macros
run: |
- [[ -n $(rpm --eval '%bcond test 1') ]] && echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros
+ if [[ -n $(rpm --eval '%bcond test 1') ]]; then
+ echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros
+ fi
- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
diff --git a/.pipelines/containerSourceData/cuda/core.pkg b/.pipelines/containerSourceData/cuda/core.pkg
index 639a3992784..a51dbe11356 100644
--- a/.pipelines/containerSourceData/cuda/core.pkg
+++ b/.pipelines/containerSourceData/cuda/core.pkg
@@ -1,3 +1,4 @@
util-linux
ca-certificates
-kernel
\ No newline at end of file
+kernel
+kernel-drivers-gpu
\ No newline at end of file
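Review bot: The new last entry `kernel-drivers-gpu` at L142 is still written without a terminating newline (the `\ No newline at end of file` marker survives the change). Line-oriented consumers such as a `while read` loop silently drop an unterminated final line, which would make the new package the one that goes missing; end the file with a newline so the list is read completely. This applies only if the consumer of `.pkg` files is line-based — I cannot see it from this diff.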
diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml
index 314773cada9..5d7b1fb4e13 100644
--- a/.pipelines/prchecks/PackageBuildPRCheck.yml
+++ b/.pipelines/prchecks/PackageBuildPRCheck.yml
@@ -80,9 +80,11 @@ extends:
# GCC fails to build as a regular package.
ignoredSpecs: ["gcc"]
- - script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
+ - script: |
+ echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
+ echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
name: "ToolchainArtifactName"
- displayName: "Set variable for published artifact name"
+ displayName: "Set variables for published toolchain tarball"
# 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
# then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
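Review bot: The tarball name `toolchain_built_rpms_all.tar.gz` is now a bare string literal inside the `echo` at L154, duplicating whatever name the toolchain build step (outside this hunk) actually writes; if that name changes, the downstream `patterns: "**/$(toolchainTarballName)"` lookups will stop matching with no error at this point. Hoist it into the job's `variables:` block, e.g. `toolchainTarballName: "toolchain_built_rpms_all.tar.gz"`, and reference `$(toolchainTarballName)` in the echo, mirroring how `outputRPMsTarballName` is handled later in this file (L167, L196).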
@@ -104,24 +106,38 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
+ inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+ outputRPMsTarballName: "rpms.tar.gz"
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
+ toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
+ - task: DownloadPipelineArtifact@2
+ displayName: "Download toolchain"
+ inputs:
+ artifact: $(toolchainArtifactName)
+ patterns: "**/$(toolchainTarballName)"
+ targetPath: $(inputArtifactsLocation)
+
- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
- customToolchainArtifactName: $(toolchainArtifactName)
+ customToolchainTarballName: $(toolchainTarballName)
+ inputArtifactsFolder: $(inputArtifactsLocation)
isCheckBuild: true
isQuickRebuildPackages: true
isUseCCache: true
maxCPU: "${{ configuration.maxCPUs }}"
outputArtifactsFolder: $(ob_outputDirectory)
+ outputRPMsTarballName: $(outputRPMsTarballName)
pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
selfRepoName: self
testSuiteName: "[${{ configuration.name }}] Package test"
- - script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
+ - script: |
+ echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
+ echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
name: "RPMsArtifactName"
displayName: "Set variable for published artifact name"
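Review bot: The script at L194–L196 now sets two output variables, but its `displayName` at L198 still reads "Set variable for published artifact name"; the equivalent toolchain step was updated to `displayName: "Set variables for published toolchain tarball"` (L157), so this one should become `displayName: "Set variables for published RPMs tarball"` for consistency. Separately, the `DownloadPipelineArtifact@2` step added at L171–L176 is repeated verbatim at L210–L215 and L234–L239 with only the variable names changing, which is a candidate for a small shared template. All three download into the shared `$(Agent.TempDirectory)`, and the consumer templates resolve the tarball with `find … -print -quit`, so if two artifacts ever contain a file of the same name the first hit wins silently — presumably not the case today, but worth a comment on the `targetPath` line.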
@@ -142,15 +158,25 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
+ inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
+ toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
+ - task: DownloadPipelineArtifact@2
+ displayName: "Download toolchain"
+ inputs:
+ artifact: $(toolchainArtifactName)
+ patterns: "**/$(toolchainTarballName)"
+ targetPath: $(inputArtifactsLocation)
+
- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
- customToolchainArtifactName: $(toolchainArtifactName)
+ customToolchainTarballName: $(toolchainTarballName)
+ inputArtifactsFolder: $(inputArtifactsLocation)
isAllowToolchainRebuilds: true
isCheckBuild: true
isQuickRebuildPackages: true
@@ -179,8 +205,18 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
+ inputArtifactsLocation: $(Agent.TempDirectory)
rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
+ rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
steps:
+ - task: DownloadPipelineArtifact@2
+ displayName: "Download RPMs tarball"
+ inputs:
+ artifact: $(rpmsArtifactName)
+ patterns: "**/$(rpmsTarballName)"
+ targetPath: $(inputArtifactsLocation)
+
- template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
parameters:
- inputArtifactName: $(rpmsArtifactName)
+ inputArtifactsFolder: $(inputArtifactsLocation)
+ inputRPMsTarballName: $(rpmsTarballName)
diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml
index 4ce30b7e65f..abb9ac1d9ca 100644
--- a/.pipelines/templates/PackageBuild.yml
+++ b/.pipelines/templates/PackageBuild.yml
@@ -14,13 +14,9 @@ parameters:
type: number
default: 12
- - name: customToolchainArtifactName
- type: string
- default: ""
-
- name: customToolchainTarballName
type: string
- default: "toolchain_built_rpms_all.tar.gz"
+ default: ""
- name: extraPackageRepos
type: string
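Review bot: Removing the `customToolchainArtifactName` parameter (L253–L256) is a breaking change to this template's interface; any caller outside this diff that still passes it will fail at template expansion with an unexpected-parameter error rather than at runtime, so it is worth a repository-wide search before merging. The meaning of `customToolchainTarballName` also flips here — its default goes from the real tarball name to `""` (L259–L260), and an empty value now disables toolchain population further down — but nothing in the parameter block says so. Add above it `# Empty (default) skips toolchain population; otherwise the tarball is located under inputArtifactsFolder.`.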
@@ -30,12 +26,16 @@ parameters:
type: boolean
default: true
- - name: inputCacheArtifacts
+ - name: inputArtifactsFolder
+ type: string
+ default: "$(Agent.TempDirectory)"
+
+ - name: inputCacheRPMsTarballs
type: object
default: []
# Sample:
- # - name: build-artifacts
- # rpmsTarball: cache.tar.gz
+ # - cache.tar.gz
+ # - cache2.tar.gz
- name: isAllowToolchainRebuilds
type: string
@@ -160,15 +160,9 @@ steps:
artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
displayName: "Authenticate to custom pip artifact feeds"
- - ${{ if parameters.customToolchainArtifactName }}:
- - task: DownloadPipelineArtifact@2
- displayName: "Download toolchain"
- inputs:
- artifact: "${{ parameters.customToolchainArtifactName }}"
- patterns: "**/${{ parameters.customToolchainTarballName }}"
-
+ - ${{ if parameters.customToolchainTarballName }}:
- script: |
- toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
+ toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
if [[ ! -f "$toolchain_archive" ]]; then
echo "ERROR: toolchain archive not found!" >&2
exit 1
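Review bot: The guard `${{ if parameters.customToolchainTarballName }}` at L291 is evaluated at template-expansion time, while the callers in PackageBuildPRCheck.yml pass the runtime macro `$(toolchainTarballName)`; at expansion the parameter value is the literal text `$(toolchainTarballName)`, which is non-empty, so the step is always emitted for those callers and the `find` plus `[[ ! -f … ]]` check at L294–L297 is the real gate. The same holds for the bash test at L320–L321, which compares the macro-expanded value, not the parameter. This is not a regression from the previous `customToolchainArtifactName` guard, but a comment would prevent someone relying on the `if` to skip the download, e.g. `# Compile-time check: only short-circuits when a caller omits the parameter; runtime macros always pass.`. The script body continues past the end of this hunk.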
@@ -178,17 +172,11 @@ steps:
sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
displayName: "Populate toolchain"
- - ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
- - task: DownloadPipelineArtifact@2
- displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
- inputs:
- artifact: "${{ inputCacheArtifact.name }}"
- patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"
-
+ - ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
- script: |
- rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
+ rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
if [[ ! -f "$rpms_archive" ]]; then
- echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
+ echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
exit 1
fi
@@ -200,7 +188,7 @@ steps:
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
- if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
+ if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
fi
diff --git a/.pipelines/templatesWithCheckout/SodiffCheck.yml b/.pipelines/templatesWithCheckout/SodiffCheck.yml
index c4103caa78c..004fbaaa1e9 100644
--- a/.pipelines/templatesWithCheckout/SodiffCheck.yml
+++ b/.pipelines/templatesWithCheckout/SodiffCheck.yml
@@ -6,8 +6,9 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"
- - name: inputArtifactName
+ - name: inputArtifactsFolder
type: string
+ default: "$(Agent.TempDirectory)"
- name: inputRPMsTarballName
type: string
@@ -26,19 +27,11 @@ parameters:
default: "$(Agent.TempDirectory)/SourcesWorkspace"
steps:
- - task: DownloadPipelineArtifact@2
- displayName: "Download sources for signing"
- inputs:
- artifact: ${{ parameters.inputArtifactName }}
- patterns: |
- **/${{ parameters.inputRPMsTarballName }}
- targetPath: "$(Agent.TempDirectory)"
-
- script: |
set -e
mkdir -p "${{ parameters.sourcesWorkspace }}"
- find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
+ find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
displayName: "Extract sources tarball"
- script: |
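Review bot: `set -e` at L349 does not cover a `find` failure inside the pipeline at L352, and when no file matches, `xargs -n 1` still runs `tar -C … -xkf` with no archive argument, so the step fails with a confusing tar usage error instead of stating that the RPMs tarball was not found under `inputArtifactsFolder`. Use `set -eo pipefail` and add an explicit existence check before the pipeline, mirroring PackageBuild.yml: `[[ -n "$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print -quit)" ]] || { echo "ERROR: RPMs tarball '${{ parameters.inputRPMsTarballName }}' not found!" >&2; exit 1; }`. Do not reach for `xargs -r` alone, as that would let the step succeed with nothing extracted.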
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
index bf93a05d117..a9942f9ccd1 100644
--- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
+++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
@@ -9,7 +9,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic
| Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq |
| Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
| Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
-| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
zstd |
+| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
containerd2
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
zstd |
| Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
| Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
| NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container
mlnx-tools
mlx-bootctl
nvidia-container-toolkit
ofed-scripts
perftest |
diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
index 51aec95013e..80f62df89c0 100644
--- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json
+++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
@@ -2223,6 +2223,7 @@
"cloud-hypervisor-cvm",
"cmake-fedora",
"containerd",
+ "containerd2",
"coredns",
"dcos-cli",
"debugedit",
diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
index b0111d170d2..993e94dfb6f 100644
--- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
+++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
@@ -7,7 +7,7 @@
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-64k-signed-%{buildarch}
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -105,6 +105,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
%exclude /module_info.ld
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5
- Original version for Azure Linux
- Starting with release 5 to align with kernel release.
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index 14c6ac12d4a..51bf71bb822 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -10,7 +10,7 @@
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-signed-%{buildarch}
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -145,6 +145,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
%exclude /module_info.ld
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Mon Nov 25 2024 Chris Co - 6.6.57.1-5
- Bump release to match kernel
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
index 08983f26a80..bcf7c0c4cb1 100644
--- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
+++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -6,7 +6,7 @@
Summary: Signed Unified Kernel Image for %{buildarch} systems
Name: kernel-uki-signed-%{buildarch}
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -68,6 +68,12 @@ popd
/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Mon Nov 25 2024 Chris Co - 6.6.57.1-5
- Bump release to match kernel
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
index 59a3ed26055..6178a71997b 100644
--- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
+++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -14,7 +14,7 @@ Version: 255
# determine the build information from local checkout
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
%endif
-Release: 18%{?dist}
+Release: 19%{?dist}
License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -53,6 +53,9 @@ Provides: version(systemd-boot)%{_isa} = %version
Obsoletes: systemd-udev < 252.2^
Conflicts: grub2-efi-binary
+Recommends: shim >= 15.8-3
+Conflicts: shim < 15.8-3
+
%description -n systemd-boot
systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
graphical menu to select the entry to boot and an editor for the kernel command
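Review bot: `Recommends: shim >= 15.8-3` at L944 is a weak dependency, so installs with weak deps disabled or image builds that enumerate packages explicitly will not pull in the shim carrying the new key; the `Conflicts` at L945 only prevents an older shim from coexisting, it does not ensure a shim is present at all. If a matching shim is mandatory for this signed sd-boot to boot, a hard `Requires: shim >= 15.8-3` is the safer pin; either way add a comment above the pair such as `# shim >= 15.8-3 ships the Azure Linux secure boot key this image is signed with; keep both pins in sync when rotating keys`. The changelog entry in the next hunk (L955) also has a typo, `confilcts` for `conflicts`.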
@@ -90,6 +93,10 @@ popd
/boot/efi/EFI/BOOT/grubx64.efi
%changelog
+* Thu Dec 12 2024 Daniel McIlvaney - 255-19
+- Version bump to force signing with new Azure Linux secure boot key
+- Add confilcts/recommends on shim to ensure the keys match
+
* Fri Sep 13 2024 Thien Trung Vuong - 255-18
- Update sd-boot install location
diff --git a/SPECS/azurelinux-release/azurelinux-release.spec b/SPECS/azurelinux-release/azurelinux-release.spec
index af9f904d209..116861abf90 100644
--- a/SPECS/azurelinux-release/azurelinux-release.spec
+++ b/SPECS/azurelinux-release/azurelinux-release.spec
@@ -5,7 +5,7 @@
Summary: Azure Linux release files
Name: azurelinux-release
Version: %{dist_version}.0
-Release: 22%{?dist}
+Release: 23%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/
%{_sysctldir}/*.conf
%changelog
+* Sat Dec 21 2024 Jon Slobodzian - 3.0-23
+- Bump release for January 2025 Update
+
* Fri Nov 22 2024 CBL-Mariner Servicing Account - 3.0-22
- Bump release for December 2024 Update
diff --git a/SPECS/azurelinux-repos/azurelinux-amd-preview.repo b/SPECS/azurelinux-repos/azurelinux-amd-preview.repo
new file mode 100644
index 00000000000..0434974db96
--- /dev/null
+++ b/SPECS/azurelinux-repos/azurelinux-amd-preview.repo
@@ -0,0 +1,19 @@
+[azurelinux-official-amd-preview]
+name=Azure Linux Official AMD Preview $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/preview/amd/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
+
+[azurelinux-official-amd-preview-source]
+name=Azure Linux Official AMD Preview $releasever Source
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/preview/amd/srpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=0
+skip_if_unavailable=True
+sslverify=1
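Review bot: The preview binary repo at L986–L994 is shipped with `enabled=1`, so as soon as the `amd-preview` subpackage is installed every `tdnf upgrade` will consider preview builds as upgrade candidates for packages that also exist in the production repo; whether that is intended depends on how the other `-preview` repo files in this directory are configured, which this diff does not show — please confirm they match. The gpg settings (`gpgcheck=1`, `repo_gpgcheck=1`, `sslverify=1`) are consistent with the key shipped by `%{name}-shared`, which the subpackage requires, so verification is in place. A one-line comment at the top of the file stating that the preview channel is opt-in via the subpackage would make the `enabled=1` choice deliberate rather than accidental.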
diff --git a/SPECS/azurelinux-repos/azurelinux-amd.repo b/SPECS/azurelinux-repos/azurelinux-amd.repo
new file mode 100644
index 00000000000..afcfbfe8537
--- /dev/null
+++ b/SPECS/azurelinux-repos/azurelinux-amd.repo
@@ -0,0 +1,19 @@
+[azurelinux-official-amd]
+name=Azure Linux Official AMD $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/amd/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
+
+[azurelinux-official-amd-source]
+name=Azure Linux Official AMD $releasever Source
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/amd/srpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=0
+skip_if_unavailable=True
+sslverify=1
diff --git a/SPECS/azurelinux-repos/azurelinux-repos.signatures.json b/SPECS/azurelinux-repos/azurelinux-repos.signatures.json
index 0dbba725064..a2771db1bd0 100644
--- a/SPECS/azurelinux-repos/azurelinux-repos.signatures.json
+++ b/SPECS/azurelinux-repos/azurelinux-repos.signatures.json
@@ -1,6 +1,8 @@
{
"Signatures": {
"MICROSOFT-RPM-GPG-KEY": "1092f37ec429e58bf9c7f898df17c3c32eb2ce3c4c037afb8ffe2d2b42e16e89",
+ "azurelinux-amd.repo": "cbe8cefea3cf99c1450d0b329c57bdb647ae15c10468c243573e33b9c4891120",
+ "azurelinux-amd-preview.repo": "723c3505d064c3b9ef436d700f748de7deca0de845d07d3fdeeafaf45949c070",
"azurelinux-debuginfo-preview.repo": "af36f823d923dd8b1a27efa7199552339f9e1315813078a4591ef855654b3017",
"azurelinux-debuginfo.repo": "ac8c1c699122e46e7501f04f1f0240e1eec322e5bb6102f6db5d1ce7215d7f5b",
"azurelinux-extended-debuginfo-preview.repo": "d29514a9962b0975cd4b32132f5cb5290930f6d0d582b46ef5d2cde6840dc9e0",
@@ -14,4 +16,4 @@
"azurelinux-official-base.repo": "b3351f3121c0600a0445a322bea8d500edaaa3d021b7cef96c1c9539d0eccab8",
"azurelinux-official-preview.repo": "a03ea4539f17fac3fdfe73fb295663778733ba84ed37bb3908784604e52b0da6"
}
-}
\ No newline at end of file
+}
diff --git a/SPECS/azurelinux-repos/azurelinux-repos.spec b/SPECS/azurelinux-repos/azurelinux-repos.spec
index 7afc1ba4195..d1680ca2bfb 100644
--- a/SPECS/azurelinux-repos/azurelinux-repos.spec
+++ b/SPECS/azurelinux-repos/azurelinux-repos.spec
@@ -1,7 +1,7 @@
Summary: AzureLinux repo files, gpg keys
Name: azurelinux-repos
Version: %{azl}.0
-Release: 3%{?dist}
+Release: 4%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -20,14 +20,39 @@ Source10: azurelinux-official-base.repo
Source11: azurelinux-official-preview.repo
Source12: azurelinux-extended-debuginfo.repo
Source13: azurelinux-extended-debuginfo-preview.repo
+Source14: azurelinux-amd.repo
+Source15: azurelinux-amd-preview.repo
Requires: %{name}-shared = %{version}-%{release}
+# Capture the built architecture before setting noarch in order to install the
+# appropriate repos for x86_64 later in this spec
+%ifarch x86_64
+%define buildx86 1
+%endif
BuildArch: noarch
%description
Azure Linux repo files and gpg keys
+%if %{defined buildx86}
+%package amd
+Summary: Azure Linux AMD GPU repo file.
+Group: System Environment/Base
+Requires: %{name}-shared = %{version}-%{release}
+
+%description amd
+%{summary}
+
+%package amd-preview
+Summary: Azure Linux AMD GPU preview repo file.
+Group: System Environment/Base
+Requires: %{name}-shared = %{version}-%{release}
+
+%description amd-preview
+%{summary}
+%endif
+
%package debug
Summary: Azure Linux Debuginfo repo file.
Group: System Environment/Base
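Review bot: `%ifarch x86_64` at L1072 is evaluated against the build host, while `BuildArch: noarch` (L1075) makes the resulting packages architecture-independent by name; a noarch `azurelinux-repos` built on aarch64 will lack the `amd` and `amd-preview` subpackages even though it carries the same NEVRA as one built on x86_64, and which one lands in a repository depends on the build farm rather than on the spec. Since the `.repo` files use `$basearch` in `baseurl` and set `skip_if_unavailable=True`, shipping the subpackages unconditionally is likely harmless on other architectures; if the gating is required, say why in the comment at L1070–L1071 (for example that the AMD GPU repo path only exists for x86_64) so the next maintainer does not "fix" it. The same `%if %{defined buildx86}` guard repeats in the `%install` and `%files` hunks below (L1103–L1106, L1111–L1119).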
@@ -142,6 +167,10 @@ install -m 644 %{SOURCE10} $REPO_DIRECTORY
install -m 644 %{SOURCE11} $REPO_DIRECTORY
install -m 644 %{SOURCE12} $REPO_DIRECTORY
install -m 644 %{SOURCE13} $REPO_DIRECTORY
+%if %{defined buildx86}
+install -m 644 %{SOURCE14} $REPO_DIRECTORY
+install -m 644 %{SOURCE15} $REPO_DIRECTORY
+%endif
export RPM_GPG_DIRECTORY="%{buildroot}%{_sysconfdir}/pki/rpm-gpg"
@@ -159,6 +188,16 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-official-base.repo
+%if %{defined buildx86}
+%files amd
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-amd.repo
+
+%files amd-preview
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-amd-preview.repo
+%endif
+
%files debug
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-debuginfo.repo
@@ -208,6 +247,9 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90
%{_sysconfdir}/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
%changelog
+* Fri Dec 20 2024 Gary Swalling - 3.0-4
+- Add amd .repo files.
+
* Thu May 30 2024 Andrew Phelps - 3.0-3
- Remove MICROSOFT-METADATA-GPG-KEY
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
index 8348c78a905..1a2a357595b 100644
--- a/SPECS/ca-certificates/ca-certificates.signatures.json
+++ b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -11,6 +11,7 @@
"README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
"bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
"certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
+ "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
"certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
"certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
"pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
index 8b16547d594..9a58bad8480 100644
--- a/SPECS/ca-certificates/ca-certificates.spec
+++ b/SPECS/ca-certificates/ca-certificates.spec
@@ -6,6 +6,8 @@
%define p11_format_base_bundle ca-bundle.trust.base.p11-kit
+%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit
+
%define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
# List of packages triggering legacy certs generation if 'ca-certificates-legacy'
@@ -45,7 +47,7 @@ Name: ca-certificates
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
Epoch: 1
Version: %{azl}.0.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -69,6 +71,8 @@ Source21: certdata.base.txt
Source22: bundle2pem.sh
# The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
Source23: certdata.microsoft.txt
+# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program.
+Source24: certdata.distrusted.txt
BuildRequires: /bin/ln
BuildRequires: asciidoc
@@ -146,6 +150,7 @@ cp -p %{SOURCE20} .
%convert_certdata %{SOURCE21}
%convert_certdata %{SOURCE23}
+%convert_certdata %{SOURCE24}
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
@@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
# Microsoft certs
%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}
+# Distrusted certs
+%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}
+
# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
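Review bot: `%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}` places the distrusted bundle in the same `ca-trust-source` directory as the trusted bundles, so whether these entries are blocked rather than trusted depends entirely on `certdata2pem.py` translating `CKT_NSS_NOT_TRUSTED` into `x-distrusted: true` in the generated p11-kit objects; that mapping is not visible here and should be confirmed, e.g. with a `%check` that greps the generated bundle for `x-distrusted`. As far as I know the plain PEM bundle that `update-ca-trust` extracts cannot express a distrusted end-entity certificate, so OpenSSL consumers reading `tls-ca-bundle.pem` are unaffected by this list and only p11-kit-aware consumers honour it; a comment such as `# Distrust entries are honoured by p11-kit consumers only; plain PEM extracts cannot carry them` next to this line would set expectations. The comment in the `Release` hunk above says the `prebuilt-ca-certificates*` packages must be bumped in lockstep with this spec; that change is not visible in this chunk.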
@@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
%files
+%defattr(-,root,root)
# Microsoft certs bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
%files base
+%defattr(-,root,root)
%{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
%files shared
+%defattr(-,root,root)
%license LICENSE
# symlinks for old locations
@@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
+# Distrusted CAs
+%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle}
+
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
@@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%files tools
+%defattr(-,root,root)
# update/extract tool
%{_bindir}/update-ca-trust
%{_mandir}/man8/update-ca-trust.8.gz
%files legacy
+%defattr(-,root,root)
%{_bindir}/bundle2pem.sh
%changelog
+* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+- Explicitly set default file ownership to root:root.
+
* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7
- Updating Microsoft trusted root CAs.
diff --git a/SPECS/ca-certificates/certdata.distrusted.txt b/SPECS/ca-certificates/certdata.distrusted.txt
new file mode 100644
index 00000000000..913d0e76496
--- /dev/null
+++ b/SPECS/ca-certificates/certdata.distrusted.txt
@@ -0,0 +1,302 @@
+# Release: December 2024
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# certdata.txt
+#
+# This file contains the object definitions for the certs and other
+# information "built into" NSS.
+#
+# Object definitions:
+#
+# Certificates
+#
+# -- Attribute -- -- type -- -- value --
+# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+# CKA_TOKEN CK_BBOOL CK_TRUE
+# CKA_PRIVATE CK_BBOOL CK_FALSE
+# CKA_MODIFIABLE CK_BBOOL CK_FALSE
+# CKA_LABEL UTF8 (varies)
+# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+# CKA_SUBJECT DER+base64 (varies)
+# CKA_ID byte array (varies)
+# CKA_ISSUER DER+base64 (varies)
+# CKA_SERIAL_NUMBER DER+base64 (varies)
+# CKA_VALUE DER+base64 (varies)
+# CKA_NSS_EMAIL ASCII7 (unused here)
+# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)
+# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)
+#
+# Trust
+#
+# -- Attribute -- -- type -- -- value --
+# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST
+# CKA_TOKEN CK_BBOOL CK_TRUE
+# CKA_PRIVATE CK_BBOOL CK_FALSE
+# CKA_MODIFIABLE CK_BBOOL CK_FALSE
+# CKA_LABEL UTF8 (varies)
+# CKA_ISSUER DER+base64 (varies)
+# CKA_SERIAL_NUMBER DER+base64 (varies)
+# CKA_CERT_HASH binary+base64 (varies)
+# CKA_EXPIRES CK_DATE (not used here)
+# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies)
+# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies)
+# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies)
+# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies)
+# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies)
+# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies)
+# CKA_TRUST_CRL_SIGN CK_TRUST (varies)
+# CKA_TRUST_SERVER_AUTH CK_TRUST (varies)
+# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies)
+# CKA_TRUST_CODE_SIGNING CK_TRUST (varies)
+# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies)
+# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies)
+# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies)
+# CKA_TRUST_IPSEC_USER CK_TRUST (varies)
+# CKA_TRUST_TIME_STAMPING CK_TRUST (varies)
+# CKA_TRUST_STEP_UP_APPROVED CK_BBOOL (varies)
+# (other trust attributes can be defined)
+#
+
+#
+# The object to tell NSS that this is a root list and we don't
+# have to go looking for others.
+#
+BEGINDATA
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Microsoft Builtin Distrusted Certificates"
+
+#
+# Certificate "google.com"
+#
+# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR
+# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52
+# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization
+# Not Valid Before: Thu Nov 28 21:19:48 2024
+# Not Valid After : Fri Nov 28 21:19:48 2025
+# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37
+# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "google.com"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\202\001\065\061\035\060\033\006\003\125\004\017\014\024\120
+\162\151\166\141\164\145\040\117\162\147\141\156\151\172\141\164
+\151\157\156\061\023\060\021\006\013\053\006\001\004\001\202\067
+\074\002\001\003\023\002\102\122\061\027\060\025\006\003\125\004
+\005\023\016\064\063\063\071\064\064\061\071\060\060\060\061\070
+\070\061\013\060\011\006\003\125\004\006\023\002\102\122\061\070
+\060\066\006\003\125\004\012\014\057\107\117\117\107\114\105\040
+\120\101\131\040\102\122\101\123\111\114\040\111\116\123\124\111
+\124\125\111\103\101\117\040\104\105\040\120\101\107\101\115\105
+\116\124\117\040\114\124\104\101\061\013\060\011\006\003\125\004
+\010\014\002\123\120\061\022\060\020\006\003\125\004\007\014\011
+\123\141\157\040\120\141\165\154\157\061\063\060\061\006\003\125
+\004\141\014\052\117\106\102\102\122\055\145\146\060\144\071\065
+\067\066\055\146\064\066\143\055\064\143\071\065\055\142\066\071
+\060\055\145\070\070\062\145\060\142\064\071\142\143\060\061\064
+\060\062\006\012\011\222\046\211\223\362\054\144\001\001\014\044
+\142\062\067\142\142\061\071\064\055\060\062\065\070\055\064\067
+\141\143\055\141\143\142\141\055\143\066\146\060\066\146\063\071
+\067\070\067\143\061\023\060\021\006\003\125\004\003\014\012\147
+\157\157\147\154\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122
+\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
+\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054
+\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151
+\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162
+\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050
+\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163
+\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123
+\123\114\040\105\126\040\107\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163
+\127\122
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\010\001\060\202\005\351\240\003\002\001\002\002\020\050
+\205\064\107\071\032\162\036\166\224\205\111\116\163\127\122\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
+\205\061\013\060\011\006\003\125\004\006\023\002\102\122\061\023
+\060\021\006\003\125\004\012\023\012\111\103\120\055\102\162\141
+\163\151\154\061\065\060\063\006\003\125\004\013\023\054\101\165
+\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146\151
+\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141\163
+\151\154\145\151\162\141\040\166\061\060\061\052\060\050\006\003
+\125\004\003\023\041\101\103\040\103\145\162\164\151\163\151\147
+\156\040\111\103\120\055\102\162\141\163\151\154\040\123\123\114
+\040\105\126\040\107\064\060\036\027\015\062\064\061\061\062\070
+\062\061\061\071\064\070\132\027\015\062\065\061\061\062\070\062
+\061\061\071\064\070\132\060\202\001\065\061\035\060\033\006\003
+\125\004\017\014\024\120\162\151\166\141\164\145\040\117\162\147
+\141\156\151\172\141\164\151\157\156\061\023\060\021\006\013\053
+\006\001\004\001\202\067\074\002\001\003\023\002\102\122\061\027
+\060\025\006\003\125\004\005\023\016\064\063\063\071\064\064\061
+\071\060\060\060\061\070\070\061\013\060\011\006\003\125\004\006
+\023\002\102\122\061\070\060\066\006\003\125\004\012\014\057\107
+\117\117\107\114\105\040\120\101\131\040\102\122\101\123\111\114
+\040\111\116\123\124\111\124\125\111\103\101\117\040\104\105\040
+\120\101\107\101\115\105\116\124\117\040\114\124\104\101\061\013
+\060\011\006\003\125\004\010\014\002\123\120\061\022\060\020\006
+\003\125\004\007\014\011\123\141\157\040\120\141\165\154\157\061
+\063\060\061\006\003\125\004\141\014\052\117\106\102\102\122\055
+\145\146\060\144\071\065\067\066\055\146\064\066\143\055\064\143
+\071\065\055\142\066\071\060\055\145\070\070\062\145\060\142\064
+\071\142\143\060\061\064\060\062\006\012\011\222\046\211\223\362
+\054\144\001\001\014\044\142\062\067\142\142\061\071\064\055\060
+\062\065\070\055\064\067\141\143\055\141\143\142\141\055\143\066
+\146\060\066\146\063\071\067\070\067\143\061\023\060\021\006\003
+\125\004\003\014\012\147\157\157\147\154\145\056\143\157\155\060
+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
+\245\071\062\166\146\112\020\362\222\260\147\320\324\326\000\245
+\162\170\155\042\014\366\350\006\234\273\346\243\106\262\207\204
+\365\316\016\143\113\113\351\240\024\326\123\263\340\043\116\355
+\201\352\030\177\366\120\142\300\126\373\004\303\011\033\263\025
+\110\177\001\170\272\370\214\026\336\360\057\320\301\103\271\005
+\336\135\034\023\341\103\247\050\130\355\027\324\072\376\174\222
+\360\006\062\201\354\321\230\061\114\025\072\162\013\314\154\030
+\230\241\170\130\202\215\017\366\016\110\003\325\202\331\300\376
+\236\320\033\267\330\334\217\332\331\107\030\277\212\346\126\160
+\310\326\015\051\365\172\366\252\230\347\322\005\307\135\351\037
+\312\236\236\377\176\217\070\203\262\003\026\025\272\170\136\271
+\044\126\313\012\217\257\006\311\057\321\275\055\302\201\124\130
+\042\132\315\142\113\221\247\012\167\301\152\276\254\274\344\163
+\206\013\020\217\110\141\263\046\133\164\110\004\207\122\145\373
+\151\241\005\022\012\373\335\137\226\323\165\051\047\256\316\236
+\250\021\054\170\147\214\275\125\374\300\152\224\353\165\217\131
+\002\003\001\000\001\243\202\002\270\060\202\002\264\060\030\006
+\003\125\035\021\001\001\377\004\016\060\014\202\012\147\157\157
+\147\154\145\056\143\157\155\060\011\006\003\125\035\023\004\002
+\060\000\060\037\006\003\125\035\043\004\030\060\026\200\024\027
+\111\323\106\270\151\244\056\077\011\203\116\024\215\111\076\220
+\325\014\050\060\201\232\006\003\125\035\040\004\201\222\060\201
+\217\060\201\202\006\006\140\114\001\002\001\152\060\170\060\166
+\006\010\053\006\001\005\005\007\002\001\026\152\150\164\164\160
+\072\057\057\151\143\160\055\142\162\141\163\151\154\056\143\145
+\162\164\151\163\151\147\156\056\143\157\155\056\142\162\057\162
+\145\160\157\163\151\164\157\162\151\157\057\144\160\143\057\141
+\143\137\143\145\162\164\151\163\151\147\156\137\151\143\160\137
+\142\162\137\163\163\154\057\104\120\103\137\101\103\137\103\145
+\162\164\151\163\151\147\156\137\111\143\160\137\102\162\137\123
+\163\154\056\160\144\146\060\010\006\006\147\201\014\001\002\002
+\060\201\312\006\003\125\035\037\004\201\302\060\201\277\060\136
+\240\134\240\132\206\130\150\164\164\160\072\057\057\151\143\160
+\055\142\162\141\163\151\154\056\143\145\162\164\151\163\151\147
+\156\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164
+\157\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151
+\163\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064
+\057\114\141\164\145\163\164\103\122\114\056\143\162\154\060\135
+\240\133\240\131\206\127\150\164\164\160\072\057\057\151\143\160
+\055\142\162\141\163\151\154\056\157\165\164\162\141\154\143\162
+\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164\157
+\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151\163
+\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064\057
+\114\141\164\145\163\164\103\122\114\056\143\162\154\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\003\250\060\035\006
+\003\125\035\045\004\026\060\024\006\010\053\006\001\005\005\007
+\003\001\006\010\053\006\001\005\005\007\003\002\060\023\006\012
+\053\006\001\004\001\326\171\002\004\003\001\001\377\004\002\005
+\000\060\201\275\006\010\053\006\001\005\005\007\001\001\004\201
+\260\060\201\255\060\151\006\010\053\006\001\005\005\007\060\002
+\206\135\150\164\164\160\072\057\057\151\143\160\055\142\162\141
+\163\151\154\056\143\145\162\164\151\163\151\147\156\056\143\157
+\155\056\142\162\057\162\145\160\157\163\151\164\157\162\151\157
+\057\143\145\162\164\151\146\151\143\141\144\157\163\057\101\103
+\137\103\145\162\164\151\163\151\147\156\137\111\143\160\137\102
+\162\137\123\163\154\137\105\126\137\107\064\056\160\067\143\060
+\100\006\010\053\006\001\005\005\007\060\001\206\064\150\164\164
+\160\072\057\057\157\143\163\160\055\141\143\055\143\145\162\164
+\151\163\151\147\156\055\151\143\160\055\142\162\055\163\163\154
+\056\143\145\162\164\151\163\151\147\156\056\143\157\155\056\142
+\162\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
+\003\202\002\001\000\004\277\164\275\336\224\331\155\317\017\142
+\333\066\327\114\036\123\143\176\215\160\003\240\323\006\373\365
+\167\164\071\324\202\171\354\345\013\353\226\072\237\323\247\366
+\271\247\132\155\174\371\260\177\135\207\024\165\006\057\263\077
+\160\345\152\161\147\363\344\255\257\115\172\163\033\154\164\354
+\344\304\061\003\030\275\234\022\233\223\053\021\073\364\221\165
+\160\055\102\341\220\147\212\270\007\064\347\165\346\020\170\137
+\001\301\316\344\226\363\337\263\307\302\004\333\110\224\200\320
+\352\261\025\020\211\034\317\151\256\172\161\207\032\063\050\117
+\300\232\310\161\146\345\321\007\267\323\320\035\127\002\273\173
+\131\016\216\076\155\115\044\146\112\245\154\360\264\244\356\312
+\050\213\212\270\111\211\206\146\233\013\160\027\260\075\217\022
+\360\241\202\146\334\052\053\314\363\150\240\055\363\122\341\116
+\162\052\075\357\317\137\311\045\005\262\133\046\055\247\332\062
+\377\250\105\167\142\023\333\014\142\240\133\271\346\160\313\001
+\007\332\010\105\114\354\326\061\110\110\164\106\220\340\302\270
+\231\034\204\021\027\341\336\266\037\320\275\366\247\206\333\336
+\120\347\244\215\210\141\141\106\146\070\300\253\260\320\220\326
+\245\307\041\351\224\320\063\071\110\345\052\042\254\163\164\205
+\242\067\151\350\036\302\102\130\346\211\372\151\262\305\002\213
+\203\200\230\261\344\051\153\361\103\323\353\062\365\150\122\052
+\167\301\250\367\375\266\337\130\107\336\106\302\044\261\136\025
+\024\073\255\246\116\242\351\241\011\113\326\051\105\332\143\216
+\041\201\017\276\036\222\150\134\235\033\130\215\031\016\025\322
+\310\337\152\331\232\214\341\060\243\114\175\074\303\132\250\053
+\333\021\267\140\135\231\223\003\335\056\241\062\176\313\134\305
+\114\114\100\377\066\116\252\160\037\027\322\121\305\277\344\105
+\111\036\012\031\346\335\247\203\043\132\351\355\150\076\022\153
+\155\110\337\121\224\002\112\337\374\023\040\307\113\024\077\154
+\364\153\003\136\374\242\242\164\321\300\100\324\211\367\307\146
+\005\331\230\314\124\045\273\245\306\024\036\224\214\100\075\215
+\104\265\367\204\063\367\037\075\221\056\263\325\023\135\313\040
+\173\136\210\017\230
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+
+# Trust for "google.com"
+# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR
+# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52
+# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization
+# Not Valid Before: Thu Nov 28 21:19:48 2024
+# Not Valid After : Fri Nov 28 21:19:48 2025
+# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37
+# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "google.com"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\034\150\346\227\253\120\221\376\166\026\325\057\240\066\002\134
+\107\103\273\163
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\016\067\034\146\242\243\030\173\162\334\023\136\201\340\143\150
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122
+\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
+\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054
+\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151
+\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162
+\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050
+\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163
+\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123
+\123\114\040\105\126\040\107\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163
+\127\122
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
\ No newline at end of file
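Review bot: The certificate object for `google.com` carries `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE` (the line just above the trust object) although this is a Microsoft-listed, explicitly distrusted end-entity certificate and not a root admitted under Mozilla's CA policy; it should be `CK_FALSE` so that tooling propagating the flag does not label a blocked leaf as a policy root. The `CKT_NSS_NOT_TRUSTED` values in the trust object are what make this a distrust entry, yet the header, copied verbatim from Mozilla's `certdata.txt`, says nothing about that; a line such as `# Every trust object in this file carries CKT_NSS_NOT_TRUSTED: entries are blocked, never trusted.` under the `Release:` line would make the file's purpose explicit to whoever regenerates it. The file also ends without a trailing newline.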
diff --git a/SPECS/ca-certificates/certdata2pem.py b/SPECS/ca-certificates/certdata2pem.py
old mode 100644
new mode 100755
diff --git a/SPECS/containerd2/containerd.service b/SPECS/containerd2/containerd.service
new file mode 100644
index 00000000000..06b501178b9
--- /dev/null
+++ b/SPECS/containerd2/containerd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target
+
+[Service]
+ExecStartPre=/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+Restart=always
+Delegate=yes
+KillMode=process
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target
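Review bot: The unit has no `Type=notify`, so systemd considers containerd active as soon as the process is forked and anything ordered `After=containerd.service` can race the daemon's readiness; upstream's unit uses `Type=notify` with `Restart=always` and `RestartSec=5`. `ExecStartPre=/sbin/modprobe overlay` lacks the `-` prefix, so if the module is unavailable or `modprobe` is not at `/sbin` the whole service fails to start instead of continuing; upstream writes `ExecStartPre=-/sbin/modprobe overlay`. Consider also carrying upstream's `LimitNPROC=infinity`, `LimitCORE=infinity` and `TasksMax=infinity` so the runtime is not capped by the default per-service limits.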
diff --git a/SPECS/containerd2/containerd.toml b/SPECS/containerd2/containerd.toml
new file mode 100644
index 00000000000..422716a3c33
--- /dev/null
+++ b/SPECS/containerd2/containerd.toml
@@ -0,0 +1,9 @@
+version = 2
+[plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ runtime_type = "io.containerd.runc.v2"
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+ SystemdCgroup = true
\ No newline at end of file
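Review bot: `version = 2` selects the containerd 1.x configuration schema, while containerd 2.0 introduced config version 3 with renamed plugin IDs (the CRI runtime settings no longer live under `io.containerd.grpc.v1.cri`); if I recall correctly a version-2 file is still accepted through the built-in migration path but logs a deprecation warning at every start. Since this file is new and ships with a 2.0.0 package, writing it directly as a version 3 config avoids depending on that compatibility shim. The file also lacks a trailing newline.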
diff --git a/SPECS/containerd2/containerd2.signatures.json b/SPECS/containerd2/containerd2.signatures.json
new file mode 100644
index 00000000000..d49f7f913eb
--- /dev/null
+++ b/SPECS/containerd2/containerd2.signatures.json
@@ -0,0 +1,7 @@
+{
+ "Signatures": {
+ "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8",
+ "containerd.toml": "5b3821236f09b4c858e0e098bbe1400f4dbbb47d360e39d21c61858b088c2896",
+ "containerd-2.0.0.tar.gz": "346d644e1b96e1f4a39bfe9d1eb0eb01ca676f806c12d95e5dbe35325bbc1780"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec
new file mode 100644
index 00000000000..79013cc94f4
--- /dev/null
+++ b/SPECS/containerd2/containerd2.spec
@@ -0,0 +1,85 @@
+%global debug_package %{nil}
+%define upstream_name containerd
+%define commit_hash 207ad711eabd375a01713109a8a197d197ff6542
+
+Summary: Industry-standard container runtime
+Name: %{upstream_name}2
+Version: 2.0.0
+Release: 1%{?dist}
+License: ASL 2.0
+Group: Tools/Container
+URL: https://www.containerd.io
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+
+Source0: https://github.com/containerd/containerd/archive/v%{version}.tar.gz#/%{upstream_name}-%{version}.tar.gz
+Source1: containerd.service
+Source2: containerd.toml
+
+%{?systemd_requires}
+
+BuildRequires: golang
+BuildRequires: go-md2man
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
+
+Requires: runc >= 1.2.2
+
+%description
+containerd is an industry-standard container runtime with an emphasis on
+simplicity, robustness and portability. It is available as a daemon for Linux
+and Windows, which can manage the complete container lifecycle of its host
+system: image transfer and storage, container execution and supervision,
+low-level storage and network attachments, etc.
+
+containerd is designed to be embedded into a larger system, rather than being
+used directly by developers or end-users.
+
+%prep
+%autosetup -p1 -n %{upstream_name}-%{version}
+
+%build
+export BUILDTAGS="-mod=vendor"
+make VERSION="%{version}" REVISION="%{commit_hash}" binaries man
+
+%check
+export BUILDTAGS="-mod=vendor"
+make VERSION="%{version}" REVISION="%{commit_hash}" test
+
+%install
+make VERSION="%{version}" REVISION="%{commit_hash}" DESTDIR="%{buildroot}" PREFIX="/usr" install install-man
+
+mkdir -p %{buildroot}/%{_unitdir}
+install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/containerd.service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/containerd/config.toml
+install -vdm 755 %{buildroot}/opt/containerd/{bin,lib}
+
+%post
+%systemd_post containerd.service
+
+if [ $1 -eq 1 ]; then # Package install
+ systemctl enable containerd.service > /dev/null 2>&1 || :
+ systemctl start containerd.service > /dev/null 2>&1 || :
+fi
+
+%preun
+%systemd_preun containerd.service
+
+%postun
+%systemd_postun_with_restart containerd.service
+
+%files
+%license LICENSE NOTICE
+%{_bindir}/*
+%{_mandir}/*
+%config(noreplace) %{_unitdir}/containerd.service
+%config(noreplace) %{_sysconfdir}/containerd/config.toml
+%dir /opt/containerd
+%dir /opt/containerd/bin
+%dir /opt/containerd/lib
+
+%changelog
+* Wed Dec 11 2024 Nan Liu - 2.0.0-1
+- Created a standalone package for containerd 2.0.0
+- Initial CBL-Mariner import from Azure
+- Initial version and License verified
\ No newline at end of file
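Review bot: The `%post` block runs `systemctl enable` and `systemctl start` on first install, which bypasses the preset policy that `%systemd_post containerd.service` already applies and starts a root daemon as a side effect of `rpm -i`; the `|| :` hides any failure (for instance in an image-build chroot), so a broken unit goes unnoticed. Dropping the `if [ $1 -eq 1 ]` block and leaving enablement to a preset or the image configuration keeps the behaviour declarative. Separately, `export BUILDTAGS="-mod=vendor"` in `%build` and `%check` looks misdirected: upstream's Makefile feeds `BUILDTAGS` to `go build -tags`, not to the module flags, so vendoring would normally be selected via `GOFLAGS=-mod=vendor` — confirm against the vendored Makefile. `%config(noreplace) %{_unitdir}/containerd.service` also marks a file under `/usr/lib` as configuration; overrides belong in `/etc/systemd/system`, so the unit should be listed without `%config`.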
diff --git a/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
new file mode 100644
index 00000000000..082bb7968b7
--- /dev/null
+++ b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
@@ -0,0 +1,38 @@
+From 6fe401628d5671cf2f7683e4e0a04b9dcefb0180 Mon Sep 17 00:00:00 2001
+From: George Mileka
+Date: Mon, 25 Nov 2024 16:27:41 -0800
+Subject: [PATCH] Handle SELinux configuration for overlayfs folders.
+
+When SELinux is enabled, the root folder '/' is expected to be marked
+'root_t' - otherwise, SELinux will deny access calls.
+
+When an overlay is created for the root folder, it is created using
+the lower and upper folders. The upper folder is created on tmpfs,
+and subsequently getted the 'tmpfs_t' assigned by inheritence.
+When the root overlay is created, it inherits the 'tmpfs_t'.
+
+Now, we have a conflict between what SELinux expects ('root_t') and
+what we ended-up with ('tmpfs_t') leading to denials and failing to
+complete the boot successfully.
+
+This patch injects a script ('azl-configure-sellinux.sh') that will
+run after Dracut's SELinux module runs, and assigns the right SELinux
+types (i.e. 'root_t') to the overlay folders. That way, when pivoting
+takes place, the visible root folder has the right SELinux labeling.
+---
+ modules.d/90overlayfs/module-setup.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules.d/90overlayfs/module-setup.sh b/modules.d/90overlayfs/module-setup.sh
+index dae20093..919df4f5 100755
+--- a/modules.d/90overlayfs/module-setup.sh
++++ b/modules.d/90overlayfs/module-setup.sh
+@@ -17,4 +17,5 @@ install() {
+ inst_hook pre-mount 01 "$moddir/prepare-overlayfs.sh"
+ inst_hook mount 01 "$moddir/mount-overlayfs.sh" # overlay on top of block device
+ inst_hook pre-pivot 10 "$moddir/mount-overlayfs.sh" # overlay on top of network device (e.g. nfs)
++ inst_hook pre-pivot 70 "$moddir/azl-configure-selinux.sh"
+ }
+--
+2.34.1
+
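Review bot: The commit message names the injected script `azl-configure-sellinux.sh` while the hunk hooks `azl-configure-selinux.sh`; the message should be corrected so the patch header matches the file actually registered (it also has the typos "getted" and "inheritence"). The hook is registered at `pre-pivot 70`, after the existing `pre-pivot 10` overlay mount, which is the right ordering, but the patch only registers the hook and relies on `dracut.spec` installing the script into `modules.d/90overlayfs/`; a one-line comment above the new `inst_hook` line, such as `# azl-configure-selinux.sh is provided by the Azure Linux dracut.spec, not by upstream`, would help future rebases.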
diff --git a/SPECS/dracut/90overlayfs/azl-configure-selinux.sh b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh
new file mode 100644
index 00000000000..3670b00ed69
--- /dev/null
+++ b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+# If SELinux is disabled exit now
+getarg "selinux=0" > /dev/null && return 0
+
+SELINUX="enforcing"
+# shellcheck disable=SC1090
+[ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+[ "$SELINUX" == "disabled" ] && return 0
+
+getargbool 0 rd.live.overlay.overlayfs && overlayfs="yes"
+
+if [ -n "$overlayfs" ]; then
+
+ # Get the current root folder context
+ rootDirContext=$($NEWROOT/usr/sbin/matchpathcon -f $NEWROOT/etc/selinux/targeted/contexts/files/file_contexts -m dir /)
+
+ # Parse the context to extract the root folder '/' context type.
+ # The line should be on the form: "/ system_u:object_r:root_t:s0"
+
+ # Split folder and context
+ IFS='\t' read -r _ selinuxContext <<< "$rootDirContext"
+ echo "root folder context: ($selinuxContext)"
+
+ # Split context and extract its type
+ IFS=':' read -r _ _ contextType _ <<< "$selinuxContext"
+ echo "root folder label : ($contextType)"
+
+ # Set the type on the target folders
+ [ -e /sysroot ] && chcon -t $contextType /sysroot
+ [ -e /run/overlayfs ] && chcon -t $contextType /run/overlayfs
+ [ -e /run/ovlwork ] && chcon -t $contextType /run/ovlwork
+fi
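Review bot: `IFS='\t'` on the first `read` sets IFS to the two literal characters `\` and `t`, not a tab, so the matchpathcon output is split at the first `t` in the line rather than at the separator, and `contextType` comes out right only by accident of where that `t` falls (the echoed "root folder context" already shows the mangled value, and a different SELinux user such as `sysadm_u` would shift the fields and yield `s0`). In bash this needs `IFS=$'\t' read -r _ selinuxContext <<< "$rootDirContext"`; since the `<<<` here-strings and `==` inside `[ ]` already make the file bash-only, the `#!/bin/sh` shebang is misleading and should be `#!/bin/bash`. The policy path hard-codes `targeted` even though `SELINUXTYPE` was just sourced from `$NEWROOT/etc/selinux/config`; `$NEWROOT/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files/file_contexts` follows the configured policy instead. If matchpathcon fails, `contextType` is empty and the three `chcon -t $contextType` calls run with an empty type, so a `[ -n "$contextType" ] || return 0` guard before them avoids relabeling with a bogus argument.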
diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json
index adc514e9058..65ce41c8701 100644
--- a/SPECS/dracut/dracut.signatures.json
+++ b/SPECS/dracut/dracut.signatures.json
@@ -6,6 +6,7 @@
"00-vrf.conf": "e2885a4b090d8ca3771e60ce6dcd8b849e28ce5002a5c7b71ff796a92deb2810",
"00-xen.conf": "8b7a89b7716cb40a9c0d681caed6994d81ff4dfad4fe50cea15cd47b885dc5a6",
"50-noxattr.conf": "61d95f05890ac6ee3355d0a386dd5645d82b7a4202d90305d997fd18c6d139dd",
+ "azl-configure-selinux.sh": "5f526509910fccdc2dffad4ef5070740847195510e3faefff39b831c9d28a439",
"azl-liveos-artifacts-download.service": "888be8c82297cccd510d7f963611c2360ae67559826b2b474da6d9935237de64",
"azl-liveos-artifacts-download.sh": "f21dc68de8c81d8a8128e7a9d7be45d25978f0b5e47a4cf1a2d97b1e171ec045",
"dracut-102.tar.gz": "601b175cbf4d2ee902bb7bda3af8826ae2ca060c1af880f6da5a833413f4ec70",
diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec
index ade311b548c..f6a3b8568bd 100644
--- a/SPECS/dracut/dracut.spec
+++ b/SPECS/dracut/dracut.spec
@@ -4,7 +4,7 @@
Summary: dracut to create initramfs
Name: dracut
Version: 102
-Release: 7%{?dist}
+Release: 8%{?dist}
# The entire source code is GPLv2+
# except install/* which is LGPLv2+
License: GPLv2+ AND LGPLv2+
@@ -30,6 +30,7 @@ Source11: 50-noxattr.conf
# code reviews given that they are new to Dracut.
Source12: 90livenet/azl-liveos-artifacts-download.service
Source13: 90livenet/azl-liveos-artifacts-download.sh
+Source14: 90overlayfs/azl-configure-selinux.sh
# allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by
# the Azure Linux team to allow skipping the user confirmation prompt during
@@ -53,6 +54,7 @@ Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch
Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch
Patch: 0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch
Patch: 0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch
+Patch: 0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
BuildRequires: bash
BuildRequires: kmod-devel
@@ -205,6 +207,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-noxattr.
install -m 0644 %{SOURCE12} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.service
install -m 0755 %{SOURCE13} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.sh
+install -m 0755 %{SOURCE14} %{buildroot}%{dracutlibdir}/modules.d/90overlayfs/azl-configure-selinux.sh
+
mkdir -p %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
install -p -m 0755 %{SOURCE4} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
install -p -m 0755 %{SOURCE5} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
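Review bot: `install -m 0755 %{SOURCE14} …/modules.d/90overlayfs/azl-configure-selinux.sh` has no `-D` and no preceding `mkdir -p` for `90overlayfs/`, so it relies on the upstream `make install` having created that module directory — the same assumption the Source12/Source13 lines make for `90livenet/`, but unlike the `20overlayfs/` block two lines below, which creates its directory first. The neighbouring Source4/Source5 lines use `install -p`, so `install -p -m 0755 %{SOURCE14} …` would keep this line consistent and preserve the source timestamp. Whether the script is wired into the module's `module-setup.sh` (presumably by the new Patch 0016) and covered by `%files` is outside this hunk.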
@@ -310,6 +314,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name}
%dir %{_sharedstatedir}/%{name}/overlay
%changelog
+* Mon Dec 09 2024 George Mileka - 102-8
+- Augment overlayfs with selinux handling.
+
* Thu Oct 31 2024 George Mileka - 102-7
- Augment livenet module with a download daemon.
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
index 94177c846f3..4e8e16fa9d3 100644
--- a/SPECS/gh/gh.spec
+++ b/SPECS/gh/gh.spec
@@ -15,7 +15,6 @@ Source1: %{name}-%{version}-vendor.tar.gz
Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch
Patch1: CVE-2024-54132.patch
-
BuildRequires: golang < 1.23
BuildRequires: git
Requires: git
diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64
index f16e6660f02..f9ea766b12b 100644
--- a/SPECS/kernel-64k/config_aarch64
+++ b/SPECS/kernel-64k/config_aarch64
@@ -275,7 +275,8 @@ CONFIG_KEXEC_CORE=y
CONFIG_HAVE_IMA_KEXEC=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
+CONFIG_KEXEC_IMAGE_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
# end of Kexec and crash features
# end of General setup
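Review bot: `CONFIG_KEXEC_SIG=y` together with `CONFIG_KEXEC_IMAGE_VERIFY_SIG=y` makes the kernel verify a PE signature on the Image when one is present, but an unsigned image is still accepted by kexec_file_load unless `CONFIG_KEXEC_SIG_FORCE=y` is set or the kernel is locked down in integrity mode, and neither appears in this hunk. If the 6.6.57.1-6 changelog entry ("Enable kexec signature verification") means enforcement, either add `CONFIG_KEXEC_SIG_FORCE=y` here or document that enforcement is expected to come from lockdown. The `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` change in the second hunk is the matching dependency for Image verification, so the pair is consistent. Note that `SPECS/kernel/config_aarch64` keeps its previous hash in kernel.signatures.json in this diff, so the non-64k aarch64 kernel at the same 6.6.57.1 version does not get this change unless it was made elsewhere.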
@@ -10782,7 +10783,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
# CONFIG_FIPS_SIGNATURE_SELFTEST is not set
#
diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json
index d47af0ffb56..a935b60e887 100644
--- a/SPECS/kernel-64k/kernel-64k.signatures.json
+++ b/SPECS/kernel-64k/kernel-64k.signatures.json
@@ -1,7 +1,7 @@
{
"Signatures": {
"azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
- "config_aarch64": "81527e718a88af9535ed5184f8c4d70eeece5374b197c9bade7cb6c818759cf8",
+ "config_aarch64": "2e511edb6a5a6236c6f7307f070df422bd6032b1e572f8f44ef4134ecea7d5b7",
"cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
"cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec
index 199000195e7..ff0277bfec8 100644
--- a/SPECS/kernel-64k/kernel-64k.spec
+++ b/SPECS/kernel-64k/kernel-64k.spec
@@ -25,7 +25,7 @@
Summary: Linux Kernel
Name: kernel-64k
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -370,6 +370,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Enable kexec signature verification
+
* Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5
- Initial CBL-Mariner import from Photon (license: Apache2).
- Starting with release 5 to align with kernel release.
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 330136d2c8f..96cebd1e25c 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -14,7 +14,7 @@
Summary: Linux API header files
Name: kernel-headers
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -75,6 +75,12 @@ done
%endif
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Mon Nov 25 2024 Chris Co - 6.6.57.1-5
- Bump release to match kernel
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 0eecab7d127..b225406e6b8 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -380,7 +380,7 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y
CONFIG_PARAVIRT_CLOCK=y
# CONFIG_JAILHOUSE_GUEST is not set
# CONFIG_ACRN_GUEST is not set
-# CONFIG_INTEL_TDX_GUEST is not set
+CONFIG_INTEL_TDX_GUEST=y
# CONFIG_MK8 is not set
# CONFIG_MPSC is not set
# CONFIG_MCORE2 is not set
@@ -6157,6 +6157,7 @@ CONFIG_VMGENID=y
# CONFIG_NITRO_ENCLAVES is not set
# CONFIG_EFI_SECRET is not set
CONFIG_SEV_GUEST=y
+CONFIG_TDX_GUEST_DRIVER=m
CONFIG_VIRTIO_ANCHOR=y
CONFIG_VIRTIO=y
CONFIG_VIRTIO_PCI_LIB=y
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
index 5a0322b8ec6..3c928626a97 100644
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@@ -13,7 +13,7 @@
Summary: Unified Kernel Image
Name: kernel-uki
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -70,6 +70,12 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Bump release to match kernel
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Mon Nov 25 2024 Chris Co - 6.6.57.1-5
- Bump release to match kernel
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 5b05220a50a..eda9fcf8ddd 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,7 +1,7 @@
{
"Signatures": {
"azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
- "config": "53cf68442824f43df68ee1105d1fe428474da2cc723610114d0409ad15a424d1",
+ "config": "651f9cab61a3eb370f7e6451d2115cce2c5f137f5d7e5f28234b5d07bf841d0f",
"config_aarch64": "bfb4b4344045354a2ba518d11ae81fe5e3d45e9b11253ca2e199792543a9d624",
"cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
"cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index 02f40d57d19..6533a6d2545 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -30,7 +30,7 @@
Summary: Linux Kernel
Name: kernel
Version: 6.6.57.1
-Release: 5%{?dist}
+Release: 7%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -424,6 +424,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
+* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7
+- Enable CONFIG_INTEL_TDX_GUEST and CONFIG_TDX_GUEST_DRIVER
+
+* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6
+- Bump release to match kernel-64k
+
* Mon Nov 25 2024 Chris Co - 6.6.57.1-5
- Enable ICE ethernet driver
diff --git a/SPECS/libseccomp/libseccomp.signatures.json b/SPECS/libseccomp/libseccomp.signatures.json
index 810e1646b60..e07a10271da 100644
--- a/SPECS/libseccomp/libseccomp.signatures.json
+++ b/SPECS/libseccomp/libseccomp.signatures.json
@@ -1,5 +1,5 @@
{
"Signatures": {
- "libseccomp-2.5.4.tar.gz": "d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb"
+ "libseccomp-2.5.5.tar.gz": "248a2c8a4d9b9858aa6baf52712c34afefcf9c9e94b76dce02c1c9aa25fb3375"
}
}
diff --git a/SPECS/libseccomp/libseccomp.spec b/SPECS/libseccomp/libseccomp.spec
index 61b68835420..3916f24b162 100644
--- a/SPECS/libseccomp/libseccomp.spec
+++ b/SPECS/libseccomp/libseccomp.spec
@@ -1,6 +1,6 @@
Summary: Enhanced seccomp library
Name: libseccomp
-Version: 2.5.4
+Version: 2.5.5
Release: 1%{?dist}
License: LGPLv2
Vendor: Microsoft Corporation
@@ -62,6 +62,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_mandir}/man3/*
%changelog
+* Tue Nov 05 2024 Nan Liu - 2.5.5-1
+- Upgrade to 2.5.5 as other older version is no longer supported upstream
+
* Fri Oct 27 2023 CBL-Mariner Servicing Account - 2.5.4-1
- Auto-upgrade to 2.5.4 - Azure Linux 3.0 - package upgrades
diff --git a/SPECS/pam/CVE-2024-10041.patch b/SPECS/pam/CVE-2024-10041.patch
new file mode 100644
index 00000000000..27fc26ee959
--- /dev/null
+++ b/SPECS/pam/CVE-2024-10041.patch
@@ -0,0 +1,89 @@
+From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Mon, 1 Jan 2024 12:00:00 +0000
+Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow
+ password file entries
+
+Initially, when pam_unix.so verified the password, it used to try to
+obtain the shadow password file entry for the given user by invoking
+getspnam(3), and only when that didn't work and the effective uid
+was nonzero, pam_unix.so used to invoke the helper as a fallback.
+
+When SELinux support was introduced by commit
+67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
+also for the case when SELinux was enabled.
+
+Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
+fallback conditions for the case when pam_modutil_getspnam() failed
+with EACCES.
+
+Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
+invoked as a fallback when pam_modutil_getspnam() fails for any reason.
+
+The ultimate solution for the case when pam_unix.so does not have
+permissions to obtain the shadow password file entry is to stop trying
+to use pam_modutil_getspnam() and to invoke the helper instead.
+Here are two recent examples.
+
+https://github.com/linux-pam/linux-pam/pull/484 describes a system
+configuration where libnss_systemd is enabled along with libnss_files
+in the shadow entry of nsswitch.conf, so when libnss_files is unable
+to obtain the shadow password file entry for the root user, e.g. when
+SELinux is enabled, NSS falls back to libnss_systemd which returns
+a synthesized shadow password file entry for the root user, which
+in turn locks the root user out.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
+essentially the same problem in a similar system configuration.
+
+This commit is the final step in the direction of addressing the issue:
+for password verification pam_unix.so now invokes the helper instead of
+making the pam_modutil_getspnam() call.
+
+* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
+Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
+the shadow password file entry.
+
+Complements: https://github.com/linux-pam/linux-pam/pull/386
+Resolves: https://github.com/linux-pam/linux-pam/pull/484
+Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
+---
+ modules/pam_unix/passverify.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 2474fa7aa4..c48e3c5a79 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -238,20 +238,21 @@ PAMH_ARG_DECL(int get_account_info,
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+ } else if (is_pwd_shadowed(*pwd)) {
++#ifdef HELPER_COMPILE
+ /*
+- * ...and shadow password file entry for this user,
++ * shadow password file entry for this user,
+ * if shadowing is enabled
+ */
+- *spwdent = pam_modutil_getspnam(pamh, name);
+- if (*spwdent == NULL) {
+-#ifndef HELPER_COMPILE
+- /* still a chance the user can authenticate */
+- return PAM_UNIX_RUN_HELPER;
+-#endif
+- return PAM_AUTHINFO_UNAVAIL;
+- }
+- if ((*spwdent)->sp_pwdp == NULL)
++ *spwdent = getspnam(name);
++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
++#else
++ /*
++ * The helper has to be invoked to deal with
++ * the shadow password file entry.
++ */
++ return PAM_UNIX_RUN_HELPER;
++#endif
+ }
+ } else {
+ return PAM_USER_UNKNOWN;
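Review bot: After this patch the `!HELPER_COMPILE` path of `get_account_info` returns `PAM_UNIX_RUN_HELPER` for every shadowed user, so pam_unix password verification now depends entirely on `unix_chkpwd` being installed with whatever privilege it needs to read the shadow file; the pam.spec `%files`/attribute lines for the helper are not in this diff, so please confirm they match the upstream install (the 1.5.3 base only used the helper as a fallback). The `HELPER_COMPILE` branch switches from `pam_modutil_getspnam()` to plain `getspnam(3)` inside the helper, which is the intended upstream change and appears to carry over cleanly to 1.5.3. `get_account_info` begins and ends outside the quoted hunk.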
diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec
index 231a01044b7..2342234b901 100644
--- a/SPECS/pam/pam.spec
+++ b/SPECS/pam/pam.spec
@@ -1,7 +1,7 @@
Summary: Linux Pluggable Authentication Modules
Name: pam
Version: 1.5.3
-Release: 3%{?dist}
+Release: 4%{?dist}
License: BSD and GPLv2+
URL: https://github.com/linux-pam/linux-pam
Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz
@@ -17,6 +17,7 @@ Recommends: cracklib-dicts
Patch0: CVE-2024-22365.patch
Patch1: CVE-2024-10963.patch
+Patch2: CVE-2024-10041.patch
%description
The Linux PAM package contains Pluggable Authentication Modules used to
@@ -105,6 +106,9 @@ EOF
%{_libdir}/pkgconfig/pamc.pc
%changelog
+* Wed Dec 18 2024 Adit Jha - 1.5.3-4
+- Patching CVE-2024-10041.
+
* Fri Dec 06 2024 Adit Jha - 1.5.3-3
- Patching CVE-2024-10963.
diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
index 4b0f03161d2..a891db4c20c 100644
--- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
+++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
@@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
Epoch: 1
Version: %{azl}.0.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -46,6 +46,9 @@ find %{buildroot} -name README -delete
%{_sysconfdir}/pki/java/cacerts
%changelog
+* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+
* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7
- Making 'Release' match with 'ca-certificates'
diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
index 0c9326f5c12..f1b153e627c 100644
--- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
+++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
Epoch: 1
Version: %{azl}.0.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -49,6 +49,9 @@ find %{buildroot} -name README -delete
%{_sysconfdir}/pki/java/cacerts
%changelog
+* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+
* Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7
- Making 'Release' match with 'ca-certificates'
diff --git a/SPECS/runc/runc.signatures.json b/SPECS/runc/runc.signatures.json
index 4cdcc7d971a..18a8b03544d 100644
--- a/SPECS/runc/runc.signatures.json
+++ b/SPECS/runc/runc.signatures.json
@@ -1,5 +1,5 @@
{
"Signatures": {
- "runc-1.1.12.tar.gz": "be31b07d6a54a8f234016501c300ad04b6c428c56588e7eca8c3b663308db208"
+ "runc-1.2.2.tar.gz": "0eabc936d481d123be92c429588f9d1de7cafd36b37a8a5085b1412e758796a1"
}
}
diff --git a/SPECS/runc/runc.spec b/SPECS/runc/runc.spec
index 332add7b584..8523a32c790 100644
--- a/SPECS/runc/runc.spec
+++ b/SPECS/runc/runc.spec
@@ -1,9 +1,9 @@
-%define commit_hash 51d5e94601ceffbbd85688df1c928ecccbfa4685
+%define commit_hash 7cb363254b69e10320360b63fb73e0ffb5da7bf2
Summary: CLI tool for spawning and running containers per OCI spec.
Name: runc
# update "commit_hash" above when upgrading version
-Version: 1.1.12
-Release: 2%{?dist}
+Version: 1.2.2
+Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -12,7 +12,7 @@ URL: https://github.com/opencontainers/runc
Source0: https://github.com/opencontainers/runc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
BuildRequires: git
BuildRequires: go-md2man
-BuildRequires: golang < 1.23
+BuildRequires: golang
BuildRequires: libseccomp-devel
BuildRequires: make
Requires: glibc
@@ -43,6 +43,10 @@ make install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
%{_mandir}/*
%changelog
+* Mon Nov 25 2024 Nan Liu - 1.2.2-1
+- Bump version to 1.2.2
+- Remove the golang version constraint
+
* Tue Oct 15 2024 Muhammad Falak - 1.1.12-2
- Pin golang version to <= 1.22
diff --git a/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch
new file mode 100644
index 00000000000..3d7d3cc9a92
--- /dev/null
+++ b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch
@@ -0,0 +1,223 @@
+From 43b44054474cf139ee11afa386f0d4e5b2204a07 Mon Sep 17 00:00:00 2001
+From: George Mileka
+Date: Fri, 6 Dec 2024 14:21:18 -0800
+Subject: [PATCH] Enable LiveOS ISO Flow
+
+In the LiveOS ISO flow, when selinux is enabled, initrd loads the
+default selinux policy from the rootfs, then transitions to the
+the rootfs where the final OS processes are started.
+
+The problem is that selinux denies many of these processes access
+to a number of resources (mostly file descriptors, but here is also
+access to the boot media, and other resources).
+
+This patch allows these failing processes access to the resources
+they need.
+---
+ policy/modules/admin/usermanage.te | 2 ++
+ policy/modules/apps/loadkeys.te | 2 ++
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.te | 1 +
+ policy/modules/system/authlogin.te | 1 +
+ policy/modules/system/getty.te | 2 ++
+ policy/modules/system/init.te | 7 +++++++
+ policy/modules/system/locallogin.te | 1 +
+ policy/modules/system/selinuxutil.te | 2 ++
+ policy/modules/system/udev.te | 2 ++
+ 11 files changed, 57 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 57a9848bc..ef24fb85b 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -317,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
+ allow passwd_t self:sem create_sem_perms;
+ allow passwd_t self:msgq create_msgq_perms;
+ allow passwd_t self:msg { send receive };
++allow passwd_t kernel_t:fd use;
+
+ allow passwd_t crack_db_t:dir list_dir_perms;
+ read_lnk_files_pattern(passwd_t, crack_db_t, crack_db_t)
+@@ -492,6 +493,7 @@ allow useradd_t self:unix_dgram_socket create_socket_perms;
+ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
++allow useradd_t kernel_t:fd use;
+
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
+index 2263e9dba..61d098341 100644
+--- a/policy/modules/apps/loadkeys.te
++++ b/policy/modules/apps/loadkeys.te
+@@ -21,6 +21,8 @@ allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_c
+ allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+ allow loadkeys_t self:unix_stream_socket { connect create };
+
++kernel_getattr_unlabeled_dirs(loadkeys_t)
++kernel_use_fds(loadkeys_t)
+ kernel_read_system_state(loadkeys_t)
+
+ init_use_fds(loadkeys_t)
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 35e14a021..13026d7a0 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -2206,6 +2206,24 @@ interface(`dev_setattr_input_dev',`
+ allow $1 event_device_t:chr_file setattr;
+ ')
+
++########################################
++##
++## Get the attributes of the event devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_input_dev',`
++ gen_require(`
++ type event_device_t;
++ ')
++
++ allow $1 event_device_t:chr_file read_chr_file_perms;
++')
++
+ ########################################
+ ##
+ ## Read input event devices (/dev/input).
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1d696a07c..90583facf 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -330,6 +330,25 @@ interface(`kernel_stream_connect',`
+ allow $1 kernel_t:unix_stream_socket connectto;
+ ')
+
++########################################
++##
++## Connect to kernel using a unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_read_write',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { rw_socket_perms };
++')
++
+ ########################################
+ ##
+ ## Getattr on kernel unix datagram sockets.
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index ea08036b6..59c1afeaf 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -238,6 +238,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ #
+
+ allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
++allow kernel_t self:capability2 checkpoint_restore;
+ allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+ allow kernel_t self:shm create_shm_perms;
+ allow kernel_t self:sem create_sem_perms;
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 9dfef7a0c..791be68c2 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -116,6 +116,7 @@ allow chkpwd_t self:process { getattr signal };
+ dontaudit chkpwd_t self:process getcap;
+
+ allow chkpwd_t shadow_t:file read_file_perms;
++allow chkpwd_t kernel_t:fd use;
+ files_list_etc(chkpwd_t)
+
+ kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index a900226bf..360f7c67f 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -37,6 +37,8 @@ dontaudit getty_t self:capability sys_tty_config;
+ allow getty_t self:capability2 checkpoint_restore;
+ allow getty_t self:process { getpgid getsession setpgid signal_perms };
+ allow getty_t self:fifo_file rw_fifo_file_perms;
++allow getty_t kernel_t:fd use;
++allow getty_t tmpfs_t:dir search;
+
+ read_files_pattern(getty_t, getty_conf_t, getty_conf_t)
+ read_lnk_files_pattern(getty_t, getty_conf_t, getty_conf_t)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 9ec685c74..a1d90762b 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1542,12 +1542,19 @@ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
+
++########################################
++#
++# Rules applied to all system processes
++#
++kernel_use_fds(systemprocess)
++
+ ########################################
+ #
+ # Rules applied to all daemons
+ #
+
+ domain_dontaudit_use_interactive_fds(daemon)
++kernel_use_fds(daemon)
+
+ # daemons started from init will
+ # inherit fds from init for the console
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 8330be8a9..9f2f160a4 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -47,6 +47,7 @@ allow local_login_t self:sem create_sem_perms;
+ allow local_login_t self:msgq create_msgq_perms;
+ allow local_login_t self:msg { send receive };
+ allow local_login_t self:key { search write link };
++allow local_login_t kernel_t:fd use;
+
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 8e521e583..c7fb76550 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -119,6 +119,8 @@ type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
+ type setfiles_exec_t alias restorecon_exec_t;
+ init_system_domain(setfiles_t, setfiles_exec_t)
+ domain_obj_id_change_exemption(setfiles_t)
++dev_read_input_dev(setfiles_t)
++kernel_stream_read_write(setfiles_t)
+
+ ########################################
+ #
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 8af0d90e0..a7bb89658 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -57,6 +57,8 @@ allow udev_t self:rawip_socket create_socket_perms;
+ # rdma_rename
+ allow udev_t self:netlink_rdma_socket create_socket_perms;
+
++fs_getattr_iso9660_files(udev_t)
++
+ ifdef(`init_systemd',`
+ # systemd-vconsole-setup will be called by udev during virtual terminal initialization
+ allow udev_t self:capability sys_tty_config;
+--
+2.34.1
+
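Review bot: The raw `allow <domain> kernel_t:fd use;` rules added in usermanage.te, authlogin.te, getty.te and locallogin.te (and `allow getty_t tmpfs_t:dir search;`) reference types owned by other modules directly, while the same patch uses the `kernel_use_fds()` interface in loadkeys.te and init.te; given the 2.20240226-7 changelog note that most modules are now built outside the base module, these should be `kernel_use_fds(passwd_t)`, `kernel_use_fds(useradd_t)`, `kernel_use_fds(chkpwd_t)`, `kernel_use_fds(getty_t)`, `kernel_use_fds(local_login_t)` and `fs_search_tmpfs(getty_t)`, which also carry the required `gen_require` declarations. The summaries of the two new interfaces are copy-pasted from their neighbours and describe the wrong access: `dev_read_input_dev` should read `## Read the event devices.` and `kernel_stream_read_write` should read `## Read and write the kernel unix domain stream socket.`. `allow kernel_t self:capability2 checkpoint_restore;` widens the boot domain with no explanation; a one-line `# needed by <process> during the LiveOS initrd-to-rootfs transition` (with the actual process named) would keep the change auditable. `kernel_use_fds(systemprocess)` and `kernel_use_fds(daemon)` grant inheritance of kernel_t descriptors to every system process and daemon rather than only the LiveOS ones, which is low risk since `fd use` does not bypass the object's own checks, but the scope should be stated in the commit message.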
diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec
index 8389a1a3166..7fd00e11c04 100644
--- a/SPECS/selinux-policy/selinux-policy.spec
+++ b/SPECS/selinux-policy/selinux-policy.spec
@@ -9,7 +9,7 @@
Summary: SELinux policy
Name: selinux-policy
Version: %{refpolicy_major}.%{refpolicy_minor}
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -56,6 +56,7 @@ Patch34: 0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch
Patch35: 0035-rpm-Run-systemd-sysctl-from-post.patch
Patch36: 0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch
Patch37: 0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch
+Patch38: 0038-enable-liveos-iso-flow.patch
BuildRequires: bzip2
BuildRequires: checkpolicy >= %{CHECKPOLICYVER}
BuildRequires: m4
@@ -327,11 +328,14 @@ exit 0
selinuxenabled && semodule -nB
exit 0
%changelog
+* Wed Nov 20 2024 George Mileka - 2.20240226-9
+- Enable SELinux for LiveOS ISO.
+
* Wed Sep 11 2024 Chris PeBenito - 2.20240226-8
- Add additional required permissions for cloud-utils-growpart.
- Cherry-pick upstream fix for typo in docker module.
-* Mon Aug 13 2024 Chris PeBenito - 2.20240226-7
+* Tue Aug 13 2024 Chris PeBenito - 2.20240226-7
- Change policy composition so the base module only consits of policy modules
that must be in the base. This will allow dowstream users to disable or
override the individual policy modules.
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 291aa6bbbb4..bf0b98fa483 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version: 255
# determine the build information from local checkout
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
%endif
-Release: 18%{?dist}
+Release: 19%{?dist}
# FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
%global stable 1
@@ -1216,6 +1216,9 @@ rm -f %{name}.lang
# %autochangelog. So we need to continue manually maintaining the
# changelog here.
%changelog
+* Thu Dec 12 2024 Daniel McIlvaney - 255-19
+- Version bump to force signing with new Azure Linux secure boot key
+
* Fri Sep 13 2024 Thien Trung Vuong - 255-18
- Install systemd-boot binary to ESP
diff --git a/cgmanifest.json b/cgmanifest.json
index 32f1154f835..e724680b882 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -2022,6 +2022,16 @@
}
}
},
+ {
+ "component": {
+ "type": "other",
+ "other": {
+ "name": "containerd2",
+ "version": "2.0.0",
+ "downloadUrl": "https://github.com/containerd/containerd/archive/v2.0.0.tar.gz"
+ }
+ }
+ },
{
"component": {
"type": "other",
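Review bot: The new `containerd2` entry (version 2.0.0) has no matching SPECS/containerd2 spec or signatures.json change in this part of the diff, whereas the libseccomp and runc entries in the next two hunks track spec bumps visible above; please confirm the corresponding spec and its pinned tarball hash land in the same change so cgmanifest.json and the build inputs do not drift.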
@@ -10841,8 +10851,8 @@
"type": "other",
"other": {
"name": "libseccomp",
- "version": "2.5.4",
- "downloadUrl": "https://github.com/seccomp/libseccomp/releases/download/v2.5.4/libseccomp-2.5.4.tar.gz"
+ "version": "2.5.5",
+ "downloadUrl": "https://github.com/seccomp/libseccomp/releases/download/v2.5.5/libseccomp-2.5.5.tar.gz"
}
}
},
@@ -27064,8 +27074,8 @@
"type": "other",
"other": {
"name": "runc",
- "version": "1.1.12",
- "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.1.12.tar.gz"
+ "version": "1.2.2",
+ "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.2.2.tar.gz"
}
}
},
diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md
index 35069f0195c..64e6eca98f4 100644
--- a/toolkit/docs/building/building.md
+++ b/toolkit/docs/building/building.md
@@ -589,6 +589,14 @@ also augment the URL list.
> Use the daily build sources for the given date. `lkg` will use the last known good build.
+##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`n`** *(default)*
+
+> Delete the already downloaded toolchain RPMs and freshly download from LKG repo
+
+##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`y`**
+
+> Don't delete the already download tolchain RPMs to save time. Use only if are sure about this behaviour.
+
#### `DISABLE_UPSTREAM_REPOS=...`
##### `DISABLE_UPSTREAM_REPOS=`**`n`** *(default)*
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index ace4de02d41..68985884f26 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.57.1-5.azl3.noarch.rpm
+kernel-headers-6.6.57.1-7.azl3.noarch.rpm
glibc-2.38-8.azl3.aarch64.rpm
glibc-devel-2.38-8.azl3.aarch64.rpm
glibc-i18n-2.38-8.azl3.aarch64.rpm
@@ -227,17 +227,17 @@ pinentry-1.2.1-1.azl3.aarch64.rpm
gnupg2-2.4.4-2.azl3.aarch64.rpm
gnupg2-lang-2.4.4-2.azl3.aarch64.rpm
gpgme-1.23.2-2.azl3.aarch64.rpm
-azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
-azurelinux-repos-3.0-3.azl3.noarch.rpm
+azurelinux-repos-shared-3.0-4.azl3.noarch.rpm
+azurelinux-repos-3.0-4.azl3.noarch.rpm
libffi-3.4.4-1.azl3.aarch64.rpm
libffi-devel-3.4.4-1.azl3.aarch64.rpm
libtasn1-4.19.0-1.azl3.aarch64.rpm
p11-kit-0.25.0-1.azl3.aarch64.rpm
p11-kit-trust-0.25.0-1.azl3.aarch64.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
dwz-0.14-2.azl3.aarch64.rpm
unzip-6.0-21.azl3.aarch64.rpm
python3-3.12.3-5.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 3a74fd00e84..d7bf3caeb7a 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.57.1-5.azl3.noarch.rpm
+kernel-headers-6.6.57.1-7.azl3.noarch.rpm
glibc-2.38-8.azl3.x86_64.rpm
glibc-devel-2.38-8.azl3.x86_64.rpm
glibc-i18n-2.38-8.azl3.x86_64.rpm
@@ -227,17 +227,17 @@ pinentry-1.2.1-1.azl3.x86_64.rpm
gnupg2-2.4.4-2.azl3.x86_64.rpm
gnupg2-lang-2.4.4-2.azl3.x86_64.rpm
gpgme-1.23.2-2.azl3.x86_64.rpm
-azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
-azurelinux-repos-3.0-3.azl3.noarch.rpm
+azurelinux-repos-shared-3.0-4.azl3.noarch.rpm
+azurelinux-repos-3.0-4.azl3.noarch.rpm
libffi-3.4.4-1.azl3.x86_64.rpm
libffi-devel-3.4.4-1.azl3.x86_64.rpm
libtasn1-4.19.0-1.azl3.x86_64.rpm
p11-kit-0.25.0-1.azl3.x86_64.rpm
p11-kit-trust-0.25.0-1.azl3.x86_64.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
dwz-0.14-2.azl3.x86_64.rpm
unzip-6.0-21.azl3.x86_64.rpm
python3-3.12.3-5.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 7b9eb17092d..c8a14aeaf25 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -10,19 +10,19 @@ audit-libs-3.1.2-1.azl3.aarch64.rpm
autoconf-2.72-2.azl3.noarch.rpm
automake-1.16.5-2.azl3.noarch.rpm
azurelinux-check-macros-3.0-7.azl3.noarch.rpm
-azurelinux-repos-3.0-3.azl3.noarch.rpm
-azurelinux-repos-debug-3.0-3.azl3.noarch.rpm
-azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-debug-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-debug-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-non-oss-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-non-oss-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
+azurelinux-repos-3.0-4.azl3.noarch.rpm
+azurelinux-repos-debug-3.0-4.azl3.noarch.rpm
+azurelinux-repos-debug-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-debug-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-debug-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-non-oss-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-non-oss-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-oss-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-oss-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-shared-3.0-4.azl3.noarch.rpm
azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
bash-5.2.15-3.azl3.aarch64.rpm
bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
@@ -37,11 +37,11 @@ bzip2-1.0.8-1.azl3.aarch64.rpm
bzip2-debuginfo-1.0.8-1.azl3.aarch64.rpm
bzip2-devel-1.0.8-1.azl3.aarch64.rpm
bzip2-libs-1.0.8-1.azl3.aarch64.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
ccache-4.8.3-3.azl3.aarch64.rpm
ccache-debuginfo-4.8.3-3.azl3.aarch64.rpm
check-0.15.2-1.azl3.aarch64.rpm
@@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
itstool-2.0.7-1.azl3.noarch.rpm
kbd-2.2.0-2.azl3.aarch64.rpm
kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.57.1-5.azl3.noarch.rpm
+kernel-headers-6.6.57.1-7.azl3.noarch.rpm
kmod-30-1.azl3.aarch64.rpm
kmod-debuginfo-30-1.azl3.aarch64.rpm
kmod-devel-30-1.azl3.aarch64.rpm
@@ -296,10 +296,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
p11-kit-devel-0.25.0-1.azl3.aarch64.rpm
p11-kit-server-0.25.0-1.azl3.aarch64.rpm
p11-kit-trust-0.25.0-1.azl3.aarch64.rpm
-pam-1.5.3-3.azl3.aarch64.rpm
-pam-debuginfo-1.5.3-3.azl3.aarch64.rpm
-pam-devel-1.5.3-3.azl3.aarch64.rpm
-pam-lang-1.5.3-3.azl3.aarch64.rpm
+pam-1.5.3-4.azl3.aarch64.rpm
+pam-debuginfo-1.5.3-4.azl3.aarch64.rpm
+pam-devel-1.5.3-4.azl3.aarch64.rpm
+pam-lang-1.5.3-4.azl3.aarch64.rpm
patch-2.7.6-9.azl3.aarch64.rpm
patch-debuginfo-2.7.6-9.azl3.aarch64.rpm
pcre2-10.42-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 8bf1cde27dc..06043454bd9 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -10,19 +10,21 @@ audit-libs-3.1.2-1.azl3.x86_64.rpm
autoconf-2.72-2.azl3.noarch.rpm
automake-1.16.5-2.azl3.noarch.rpm
azurelinux-check-macros-3.0-7.azl3.noarch.rpm
-azurelinux-repos-3.0-3.azl3.noarch.rpm
-azurelinux-repos-debug-3.0-3.azl3.noarch.rpm
-azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-debug-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-debug-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-extended-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-non-oss-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-non-oss-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm
-azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-preview-3.0-3.azl3.noarch.rpm
-azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
+azurelinux-repos-3.0-4.azl3.noarch.rpm
+azurelinux-repos-amd-3.0-4.azl3.noarch.rpm
+azurelinux-repos-amd-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-debug-3.0-4.azl3.noarch.rpm
+azurelinux-repos-debug-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-debug-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-debug-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-extended-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-non-oss-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-non-oss-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-oss-3.0-4.azl3.noarch.rpm
+azurelinux-repos-ms-oss-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-preview-3.0-4.azl3.noarch.rpm
+azurelinux-repos-shared-3.0-4.azl3.noarch.rpm
azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
bash-5.2.15-3.azl3.x86_64.rpm
bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
@@ -38,11 +40,11 @@ bzip2-1.0.8-1.azl3.x86_64.rpm
bzip2-debuginfo-1.0.8-1.azl3.x86_64.rpm
bzip2-devel-1.0.8-1.azl3.x86_64.rpm
bzip2-libs-1.0.8-1.azl3.x86_64.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
ccache-4.8.3-3.azl3.x86_64.rpm
ccache-debuginfo-4.8.3-3.azl3.x86_64.rpm
check-0.15.2-1.azl3.x86_64.rpm
@@ -161,8 +163,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
itstool-2.0.7-1.azl3.noarch.rpm
kbd-2.2.0-2.azl3.x86_64.rpm
kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.57.1-5.azl3.noarch.rpm
-kernel-headers-6.6.57.1-5.azl3.noarch.rpm
+kernel-cross-headers-6.6.57.1-7.azl3.noarch.rpm
+kernel-headers-6.6.57.1-7.azl3.noarch.rpm
kmod-30-1.azl3.x86_64.rpm
kmod-debuginfo-30-1.azl3.x86_64.rpm
kmod-devel-30-1.azl3.x86_64.rpm
@@ -302,10 +304,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
p11-kit-devel-0.25.0-1.azl3.x86_64.rpm
p11-kit-server-0.25.0-1.azl3.x86_64.rpm
p11-kit-trust-0.25.0-1.azl3.x86_64.rpm
-pam-1.5.3-3.azl3.x86_64.rpm
-pam-debuginfo-1.5.3-3.azl3.x86_64.rpm
-pam-devel-1.5.3-3.azl3.x86_64.rpm
-pam-lang-1.5.3-3.azl3.x86_64.rpm
+pam-1.5.3-4.azl3.x86_64.rpm
+pam-debuginfo-1.5.3-4.azl3.x86_64.rpm
+pam-devel-1.5.3-4.azl3.x86_64.rpm
+pam-lang-1.5.3-4.azl3.x86_64.rpm
patch-2.7.6-9.azl3.x86_64.rpm
patch-debuginfo-2.7.6-9.azl3.x86_64.rpm
pcre2-10.42-3.azl3.x86_64.rpm
diff --git a/toolkit/scripts/containerized-build/create_container_build.sh b/toolkit/scripts/containerized-build/create_container_build.sh
index 70c360c5f94..7eb72dd2c30 100755
--- a/toolkit/scripts/containerized-build/create_container_build.sh
+++ b/toolkit/scripts/containerized-build/create_container_build.sh
@@ -84,6 +84,7 @@ script_dir=$(realpath $(dirname "${BASH_SOURCE[0]}"))
topdir=/usr/src/azl
enable_local_repo=false
keep_container="--rm"
+packages_to_install="azurelinux-release vim git jq"
while (( "$#")); do
case "$1" in
@@ -92,7 +93,7 @@ while (( "$#")); do
-p ) repo_path="$(realpath $2)"; shift 2 ;;
-mo ) extra_mounts="$2"; shift 2 ;;
-b ) build_mount_dir="$(realpath $2)"; shift 2;;
- -ep ) extra_packages="$2"; shift 2;;
+ -ep ) packages_to_install="${packages_to_install} $2"; shift 2;;
-r ) enable_local_repo=true; shift ;;
-k ) keep_container=""; shift ;;
-q ) STD_OUT_REDIRECT=/dev/null; shift ;;
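Review bot: The `-ep` value appended to `packages_to_install` on the new line is never validated, and the later hunk in this file forwards it as a build arg that the Dockerfile hunk writes unquoted into a `tdnf install ...` line in `/root/.bashrc`, so any shell metacharacters in the argument become commands run at every interactive shell start in the container. A charset check at the parse site would close that for both consumers: `-ep ) [[ "$2" =~ ^[[:alnum:]._+[:space:]-]+$ ]] || { echo "ERROR: invalid package list '$2'" >&2; exit 1; }` followed by the existing `packages_to_install="${packages_to_install} $2"; shift 2;;` (widen the character class to whatever the project accepts as package names). The option loop continues outside this hunk.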
@@ -268,7 +269,7 @@ docker build -q \
--build-arg enable_local_repo="$enable_local_repo" \
--build-arg azl_repo="$repo_path" \
--build-arg mode="$mode" \
- --build-arg extra_packages="$extra_packages" \
+ --build-arg packages_to_install="$packages_to_install" \
.
echo "docker_image_tag is ${docker_image_tag}"
diff --git a/toolkit/scripts/containerized-build/resources/azl.Dockerfile b/toolkit/scripts/containerized-build/resources/azl.Dockerfile
index 1eda1907483..3b1ecbefdc3 100644
--- a/toolkit/scripts/containerized-build/resources/azl.Dockerfile
+++ b/toolkit/scripts/containerized-build/resources/azl.Dockerfile
@@ -4,7 +4,7 @@ ARG version
ARG enable_local_repo
ARG azl_repo
ARG mode
-ARG extra_packages
+ARG packages_to_install
LABEL containerized-rpmbuild=$azl_repo/build
COPY resources/local_repo /etc/yum.repos.d/local_repo.disabled_repo
@@ -23,5 +23,5 @@ RUN if [[ "${mode}" == "build" ]]; then echo "cd /usr/src/azl || { echo \"ERROR:
RUN if [[ "${mode}" == "test" ]]; then echo "cd /mnt || { echo \"ERROR: Could not change directory to /mnt \"; exit 1; }" >> /root/.bashrc; fi
# Install packages from bashrc so we can use the previously setup tdnf defaults.
-RUN echo "echo installing packages azurelinux-release vim git ${extra_packages}" >> /root/.bashrc && \
- echo "tdnf install --releasever=${version} -qy azurelinux-release vim git ${extra_packages}" >> /root/.bashrc
+RUN echo "echo installing packages ${packages_to_install}" >> /root/.bashrc && \
+ echo "tdnf install --releasever=${version} -qy ${packages_to_install}" >> /root/.bashrc
diff --git a/toolkit/scripts/containerized-build/resources/setup_functions.sh b/toolkit/scripts/containerized-build/resources/setup_functions.sh
index 21d5f5ce8a5..4ea299465e9 100644
--- a/toolkit/scripts/containerized-build/resources/setup_functions.sh
+++ b/toolkit/scripts/containerized-build/resources/setup_functions.sh
@@ -158,6 +158,20 @@ install_dependencies() {
# Get the list of dependencies from the spec file.
mapfile -t dep_list < <(rpmspec -q --buildrequires $spec_file)
+ # Replace the dependencies with the package providing them.
+ for i in "${!dep_list[@]}"
+ do
+ # if the dependency is a file, find the package that provides it
+ if [[ ${dep_list[$i]} == /* ]]; then
+ package=$(tdnf repoquery --file "${dep_list[$i]}" --json | jq -r 'map(.Name) | unique | .[]')
+ if [ -z "$package" ]; then
+ echo "Could not find package providing '${dep_list[$i]}'." >/dev/stderr
+ return 1
+ else
+ dep_list[$i]=$package
+ fi
+ fi
+ done
# Install all the dependencies.
tdnf install -y "${dep_list[@]}" || exit_code=$?
done
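Review bot: The `jq -r 'map(.Name) | unique | .[]'` result is assigned to a single array element on the `dep_list[$i]=$package` line, so when more than one package provides the file (the `unique` filter suggests that case is expected) the element holds a newline-joined string and the later `tdnf install -y "${dep_list[@]}"` receives it as one malformed argument. Reading the providers into an array makes the count explicit, lets the empty case and the multiple-provider case be reported separately, and keeps the chosen package deterministic. Note also that `$(...)` only reports jq's status, so a failed `tdnf repoquery` (network, repo metadata) surfaces as "Could not find package" rather than as a query failure; `set -o pipefail` or checking `${PIPESTATUS[0]}` would distinguish them. `install_dependencies` begins and ends outside this hunk.
```shell
# … unchanged: mapfile -t dep_list < <(rpmspec -q --buildrequires $spec_file) …
for i in "${!dep_list[@]}"
do
    # if the dependency is a file, find the package(s) that provide it
    if [[ ${dep_list[$i]} == /* ]]; then
        mapfile -t providers < <(tdnf repoquery --file "${dep_list[$i]}" --json | jq -r 'map(.Name) | unique | .[]')
        if (( ${#providers[@]} == 0 )); then
            echo "Could not find package providing '${dep_list[$i]}'." >&2
            return 1
        elif (( ${#providers[@]} > 1 )); then
            echo "Multiple packages provide '${dep_list[$i]}' (${providers[*]}); using '${providers[0]}'." >&2
        fi
        dep_list[$i]=${providers[0]}
    fi
done
# … unchanged: tdnf install -y "${dep_list[@]}" || exit_code=$? …
```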
diff --git a/toolkit/scripts/daily_build.mk b/toolkit/scripts/daily_build.mk
index d990a6ca09c..418d2d6b22f 100644
--- a/toolkit/scripts/daily_build.mk
+++ b/toolkit/scripts/daily_build.mk
@@ -24,6 +24,8 @@ DAILY_BUILD_ID ?=
DAILY_BUILD_ID_UPDATE_MANIFESTS ?= y
##help:var:DAILY_BUILD_REPO={path to daily.repo}=Path to the daily build repo file to use.
DAILY_BUILD_REPO ?=
+##help:var:DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP={y,n}=Skip Deleting all downloaded toolchain RPMs when using a daily build.
+DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP ?= n
daily_lkg_workdir = $(BUILD_DIR)/daily_build_id
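Review bot: The variable introduced here is `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP`, but the toolchain.mk hunk in this commit tests `$(SKIP_TOOLCHAIN_AUTO_CLEANUP)`; unless daily_build.mk maps one to the other outside this hunk, setting the documented flag has no effect and the toolchain.mk guard reads an empty value. Either rename the consumer to the documented name or add the mapping next to this default, e.g. `SKIP_TOOLCHAIN_AUTO_CLEANUP ?= $(DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP)`. The help text would also read better as `Skip deleting all downloaded toolchain RPMs when using a daily build.`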
diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk
index d714e29124a..aaed4f211f5 100644
--- a/toolkit/scripts/pkggen.mk
+++ b/toolkit/scripts/pkggen.mk
@@ -202,7 +202,23 @@ ifeq ($(PRECACHE),y)
$(cached_file): $(STATUS_FLAGS_DIR)/precache.flag
endif
-$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS) $(depend_REPO_SNAPSHOT_TIME) $(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag
+ifneq ($(strip $(PACKAGE_CACHE_SUMMARY)$(REPO_SNAPSHOT_TIME)),)
+# We MUST clear the RPM package cache ONLY in the following scenarios:
+# - the package cache summary file is used and has changed or
+# - the repo snapshot time is used and has changed.
+#
+# These scenario are meant to build with a specific set of RPMs, so we must
+# avoid contamination from previous builds.
+#
+# For other scenarios the cache is allowed to contain a mixture of packages and
+# we allow the tooling to figure out the appropriate ones to use during the build.
+#
+# IMPORTANT: update the '$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag' target
+# in tandem with updates to this one.
+$(cached_file): $(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag
+endif
+
+$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS) $(depend_PACKAGE_CACHE_SUMMARY) $(depend_REPO_SNAPSHOT_TIME)
mkdir -p $(remote_rpms_cache_dir) && \
$(go-graphpkgfetcher) \
--input=$(graph_file) \
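Review bot: The `ifneq ($(strip $(PACKAGE_CACHE_SUMMARY)$(REPO_SNAPSHOT_TIME)),)` guard is evaluated when this makefile is parsed, so if either variable is assigned in a file included after pkggen.mk the cleanup prerequisite is silently dropped and the cache is not sanitized for a pinned build; it is worth confirming where both variables are defined relative to this include, or moving the condition into the recipe. The new comment has a small typo: `# These scenarios are meant to build with a specific set of RPMs, so we must`. The recipe continues outside this hunk.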
@@ -265,10 +281,8 @@ clean-compress-rpms:
clean-compress-srpms:
rm -rf $(srpms_archive)
-# We need to clear the rpm package cache if we have a snapshot time. The filenames will all be
-# the same, but the actual .rpm files may be fundamentally different.
-$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag: $(depend_REPO_SNAPSHOT_TIME)
- @echo "REPO_SNAPSHOT_TIME has changed, sanitizing rpm cache"
+$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag: $(depend_PACKAGE_CACHE_SUMMARY) $(depend_REPO_SNAPSHOT_TIME)
+ @echo "Either 'PACKAGE_CACHE_SUMMARY' or 'REPO_SNAPSHOT_TIME' has changed, sanitizing rpm cache"
@if [ -d "$(remote_rpms_cache_dir)" ]; then \
find "$(remote_rpms_cache_dir)" -type f -name '*.rpm' -delete; \
fi
diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk
index 18f551e088c..2d1aec34e16 100644
--- a/toolkit/scripts/toolchain.mk
+++ b/toolkit/scripts/toolchain.mk
@@ -94,8 +94,10 @@ clean-toolchain-rpms:
# We leave the directory structure in place since docker based builds using re-usable chroots will have mounted the
# toolchain subdirectories into the chroots. Removing the directories would break the mounts.
$(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag: $(STATUS_FLAGS_DIR)/daily_build_id.flag $(depend_VALIDATE_TOOLCHAIN_GPG)
+ifeq ($(SKIP_TOOLCHAIN_AUTO_CLEANUP),n)
@echo "Daily build ID or validation mode changed, sanitizing toolchain"
find $(TOOLCHAIN_RPMS_DIR) -type f -name '*.rpm' -exec rm -f {} +
+endif
touch $@
copy-toolchain-rpms:
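Review bot: `ifeq ($(SKIP_TOOLCHAIN_AUTO_CLEANUP),n)` fails open: any value other than exactly `n`, including the variable being unset or misspelled, skips the sanitization that the flag's prerequisites (`daily_build_id.flag` and `$(depend_VALIDATE_TOOLCHAIN_GPG)`) exist to trigger, so stale or not-yet-validated toolchain RPMs stay in `$(TOOLCHAIN_RPMS_DIR)` while `touch $@` marks the cleanup as done. Inverting the test so that only an explicit opt-out skips the deletion keeps the safe default: `ifneq ($(SKIP_TOOLCHAIN_AUTO_CLEANUP),y)`. An `else` branch with `@echo "Toolchain auto-cleanup skipped (SKIP_TOOLCHAIN_AUTO_CLEANUP=$(SKIP_TOOLCHAIN_AUTO_CLEANUP))"` would make the skip visible in build logs.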
diff --git a/toolkit/scripts/utils.mk b/toolkit/scripts/utils.mk
index 4cc53c4f874..197d0a76a43 100644
--- a/toolkit/scripts/utils.mk
+++ b/toolkit/scripts/utils.mk
@@ -55,10 +55,10 @@ endef
######## VARIABLE DEPENDENCY TRACKING ########
# List of variables to watch for changes.
-watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG REPO_SNAPSHOT_TIME
+watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG REPO_SNAPSHOT_TIME PACKAGE_CACHE_SUMMARY
# Current list: $(depend_PACKAGE_BUILD_LIST) $(depend_PACKAGE_REBUILD_LIST) $(depend_PACKAGE_IGNORE_LIST) $(depend_REPO_LIST) $(depend_CONFIG_FILE) $(depend_STOP_ON_PKG_FAIL)
# $(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) $(depend_SRPM_PACK_LIST) $(depend_SPECS_DIR) $(depend_EXTRA_BUILD_LAYERS) $(depend_MAX_CASCADING_REBUILDS) $(depend_RUN_CHECK) $(depend_TEST_RUN_LIST)
-# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) $(depend_REPO_SNAPSHOT_TIME)
+# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) $(depend_REPO_SNAPSHOT_TIME) $(depend_PACKAGE_CACHE_SUMMARY)
.PHONY: variable_depends_on_phony clean-variable_depends_on_phony setfacl_always_run_phony
clean: clean-variable_depends_on_phony
diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod
index 5f53072b218..f5860e9fe65 100644
--- a/toolkit/tools/go.mod
+++ b/toolkit/tools/go.mod
@@ -22,7 +22,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/stretchr/testify v1.9.0
github.com/ulikunitz/xz v0.5.10
- golang.org/x/sys v0.21.0
+ golang.org/x/sys v0.28.0
gonum.org/v1/gonum v0.15.0
gopkg.in/alecthomas/kingpin.v2 v2.2.6
gopkg.in/ini.v1 v1.67.0
@@ -48,8 +48,8 @@ require (
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rivo/uniseg v0.1.0 // indirect
github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect
- golang.org/x/crypto v0.24.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
- golang.org/x/net v0.26.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/net v0.33.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
)
diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum
index 88fbb4c6f23..da0e2a5c9cd 100644
--- a/toolkit/tools/go.sum
+++ b/toolkit/tools/go.sum
@@ -90,12 +90,12 @@ github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w=
github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -103,12 +103,12 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gonum.org/v1/gonum v0.15.0 h1:2lYxjRbTYyxkJxlhC+LvJIx3SsANPdRybu1tGj9/OrQ=
gonum.org/v1/gonum v0.15.0/go.mod h1:xzZVBJBtS+Mz4q0Yl2LJTk+OxOg4jiXZ7qBoM0uISGo=
diff --git a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go
index 4a6a0cbd654..5bc360b7b36 100644
--- a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go
+++ b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go
@@ -15,6 +15,7 @@ import (
"github.com/microsoft/azurelinux/toolkit/tools/imagegen/installutils"
"github.com/microsoft/azurelinux/toolkit/tools/internal/exe"
"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+ "github.com/microsoft/azurelinux/toolkit/tools/internal/pkgjson"
"github.com/microsoft/azurelinux/toolkit/tools/internal/timestamp"
"github.com/microsoft/azurelinux/toolkit/tools/pkg/profile"
@@ -114,6 +115,7 @@ func validatePackages(config configuration.Config) (err error) {
const (
validateError = "failed to validate package lists in config"
+ kernelPkgName = "kernel"
dracutFipsPkgName = "dracut-fips"
fipsKernelCmdLine = "fips=1"
userAddPkgName = "shadow-utils"
@@ -134,16 +136,24 @@ func validatePackages(config configuration.Config) (err error) {
}
for _, pkg := range packageList {
- if pkg == "kernel" {
+ // The installer tools have an undocumented feature which can support both "pkg-name" and "pkg-name=version" formats.
+ // This is in use, so we need to handle pinned versions in this check. Technically, 'tdnf' also supports "pkg-name-version" format,
+ // but it is not easily distinguishable from "long-package-name" format so it will not be supported here.
+ pkgVer, err := pkgjson.PackageStringToPackageVer(pkg)
+ if err != nil {
+ return fmt.Errorf("%s: %w", validateError, err)
+ }
+
+ if pkgVer.Name == kernelPkgName {
return fmt.Errorf("%s: kernel should not be included in a package list, add via config file's [KernelOptions] entry", validateError)
}
- if pkg == dracutFipsPkgName {
+ if pkgVer.Name == dracutFipsPkgName {
foundDracutFipsPackage = true
}
- if pkg == selinuxPkgName {
+ if pkgVer.Name == selinuxPkgName {
foundSELinuxPackage = true
}
- if pkg == userAddPkgName {
+ if pkgVer.Name == userAddPkgName {
foundUserAddPackage = true
}
}
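Review bot: `pkgVer, err := pkgjson.PackageStringToPackageVer(pkg)` declares a new `err` inside the loop body that shadows the named return `err` of `validatePackages` (visible in the hunk header); the immediate `return` keeps behavior correct today, but `go vet`'s shadow check flags it and a later edit that falls through the `if` would silently discard the parse error. A distinct name avoids the trap: `pkgVer, parseErr := pkgjson.PackageStringToPackageVer(pkg)` and `if parseErr != nil { return fmt.Errorf("%s: %w", validateError, parseErr) }`. The enclosing function starts outside this hunk.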
diff --git a/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go b/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go
index 4bec21327c6..1d30b7b2df8 100644
--- a/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go
+++ b/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go
@@ -6,6 +6,7 @@ package main
import (
"fmt"
"os"
+ "path"
"path/filepath"
"strings"
"testing"
@@ -73,188 +74,159 @@ func TestShouldFailEmptySystemConfig(t *testing.T) {
assert.Equal(t, "invalid [SystemConfigs]:\nmissing [Name] field", err.Error())
}
-func TestShouldFailDeeplyNestedParsingError(t *testing.T) {
+func TestSELinuxRequiresSELinuxPackageInline(t *testing.T) {
const (
- configDirectory string = "../../imageconfigs/"
- targetPackage = "core-efi.json"
+ configDirectory = "./testdata/"
+ targetConfig = "test-config.json"
+ selinuxPkgName = "selinux-policy"
)
- configFiles, err := os.ReadDir(configDirectory)
- assert.NoError(t, err)
-
- // Pick the first config file and mess something up which is deeply
- // nested inside the json
- for _, file := range configFiles {
- if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
- configPath := filepath.Join(configDirectory, file.Name())
-
- fmt.Println("Corrupting ", configPath)
-
- config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
- assert.NoError(t, err)
-
- config.Disks[0].PartitionTableType = configuration.PartitionTableType("not_a_real_partition_type")
- err = ValidateConfiguration(config)
- assert.Error(t, err)
- assert.Equal(t, "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)", err.Error())
+ configPath := filepath.Join(configDirectory, targetConfig)
- return
- }
- }
- assert.Failf(t, "Could not find config", "Could not find image config file '%s' to test", filepath.Join(configDirectory, targetPackage))
-}
-
-func TestShouldFailMissingFipsPackageWithFipsCmdLine(t *testing.T) {
- const (
- configDirectory string = "../../imageconfigs/"
- targetPackage = "core-fips.json"
- fipsPackageListFile = "fips-packages.json"
- )
- configFiles, err := os.ReadDir(configDirectory)
+ config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
assert.NoError(t, err)
- // Pick the core-fips config file, but remove the fips package list
- for _, file := range configFiles {
- if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
- configPath := filepath.Join(configDirectory, file.Name())
-
- fmt.Println("Corrupting ", configPath)
+ config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing"
- config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
- assert.NoError(t, err)
-
- newPackageList := []string{}
- for _, pl := range config.SystemConfigs[0].PackageLists {
- if !strings.Contains(pl, fipsPackageListFile) {
- newPackageList = append(newPackageList, pl)
- }
- }
-
- config.SystemConfigs[0].PackageLists = newPackageList
+ err = ValidateConfiguration(config)
+ assert.Error(t, err)
+ assert.Equal(t, "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists", err.Error())
- err = ValidateConfiguration(config)
- assert.Error(t, err)
- assert.Equal(t, "failed to validate package lists in config: 'fips=1' provided on kernel cmdline, but 'dracut-fips' package is not included in the package lists", err.Error())
+ //Add required SELinux package in the inline package definition
+ newPackagesField := []string{selinuxPkgName}
+ config.SystemConfigs[0].Packages = newPackagesField
- return
- }
- }
- assert.Fail(t, "Could not find "+targetPackage+" to test")
+ err = ValidateConfiguration(config)
+ assert.NoError(t, err)
}
-func TestShouldFailMissingSELinuxPackageWithSELinux(t *testing.T) {
- const (
- configDirectory = "../../imageconfigs/"
- targetPackage = "core-efi.json"
- targetPackageList = "selinux.json"
- )
- configFiles, err := os.ReadDir(configDirectory)
+func TestValidationAgainstTestConfig(t *testing.T) {
+ confiDirAbsPath, err := filepath.Abs("./testdata/")
assert.NoError(t, err)
- // Pick the core-efi config file, then enable SELinux
- for _, file := range configFiles {
- if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
- configPath := filepath.Join(configDirectory, file.Name())
-
- fmt.Println("Corrupting ", configPath)
-
- config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
- for i, list := range config.SystemConfigs[0].PackageLists {
- // Delete the packagelist from the config
- if strings.Contains(list, targetPackageList) {
- config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...)
+ tests := []struct {
+ name string
+ extraListPath string
+ configModifier func(*configuration.Config)
+ expectedError1 string
+ expectedError2 string
+ }{
+ {
+ name: "Deeply nested parsing error",
+ extraListPath: "",
+ configModifier: func(config *configuration.Config) {
+ config.Disks[0].PartitionTableType = configuration.PartitionTableType("not_a_real_partition_type")
+ },
+ expectedError1: "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)",
+ // No action is taken to fix the error, so it will still be present
+ expectedError2: "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)",
+ },
+ {
+ name: "fips with dracut-fips",
+ extraListPath: "./testdata/fips-list.json",
+ configModifier: func(config *configuration.Config) {
+ config.SystemConfigs[0].KernelCommandLine.EnableFIPS = true
+ },
+ expectedError1: "failed to validate package lists in config: 'fips=1' provided on kernel cmdline, but 'dracut-fips' package is not included in the package lists",
+ expectedError2: "",
+ },
+ {
+ name: "selinux with selinux-policy",
+ extraListPath: "./testdata/selinux-policy-list.json",
+ configModifier: func(config *configuration.Config) {
+ config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing"
+ },
+ expectedError1: "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists",
+ expectedError2: "",
+ },
+ {
+ name: "user with shadowutils",
+ extraListPath: "./testdata/shadowutils-list.json",
+ configModifier: func(config *configuration.Config) {
+ config.SystemConfigs[0].Users = []configuration.User{
+ {
+ Name: "testuser",
+ },
}
- }
- assert.NoError(t, err)
-
- config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing"
-
- err = ValidateConfiguration(config)
- assert.Error(t, err)
- assert.Equal(t, "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists", err.Error())
-
- return
- }
+ },
+ expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups",
+ expectedError2: "",
+ },
+ {
+ name: "Shadowutils pinned version",
+ extraListPath: "./testdata/pinned-shadowutils-list.json",
+ configModifier: func(config *configuration.Config) {
+ config.SystemConfigs[0].Users = []configuration.User{
+ {
+ Name: "testuser",
+ },
+ }
+ },
+ expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups",
+ expectedError2: "",
+ },
+
+ {
+ name: "Shadowutils pinned version with whitespace",
+ extraListPath: "./testdata/pinned-shadowutils-ws-list.json",
+ configModifier: func(config *configuration.Config) {
+ config.SystemConfigs[0].Users = []configuration.User{
+ {
+ Name: "testuser",
+ },
+ }
+ },
+ expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups",
+ expectedError2: "",
+ },
+ {
+ name: "missing package list",
+ extraListPath: "./testdata/not-a-real-list.json",
+ configModifier: func(config *configuration.Config) {},
+ expectedError1: "",
+ expectedError2: "failed to validate package lists in config: open " + path.Join(confiDirAbsPath, "not-a-real-list.json") + ": no such file or directory",
+ },
+ {
+ name: "bad package name",
+ extraListPath: "./testdata/bogus-list.json",
+ configModifier: func(config *configuration.Config) {},
+ expectedError1: "",
+ expectedError2: `failed to validate package lists in config: packages list entry "bad package = bad < version" does not match the '[name][optional_condition][optional_version]' format`,
+ },
}
- assert.Fail(t, "Could not find "+targetPackage+" to test")
-}
-func TestShouldSucceedSELinuxPackageDefinedInline(t *testing.T) {
- const (
- configDirectory = "../../imageconfigs/"
- targetPackage = "core-efi.json"
- targetPackageList = "selinux.json"
- selinuxPkgName = "selinux-policy"
- )
- configFiles, err := os.ReadDir(configDirectory)
- assert.NoError(t, err)
-
- // Pick the core-efi config file, then enable SELinux
- for _, file := range configFiles {
- if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
- configPath := filepath.Join(configDirectory, file.Name())
-
- fmt.Println("Corrupting ", configPath)
-
- config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
- for i, list := range config.SystemConfigs[0].PackageLists {
- // Delete the packagelist from the config
- if strings.Contains(list, targetPackageList) {
- config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...)
- }
- }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ configPath := filepath.Join("./testdata/", "test-config.json")
+ config, err := configuration.LoadWithAbsolutePaths(configPath, "./testdata/")
assert.NoError(t, err)
- //Add required SELinux package in the inline package definition
- newPackagesField := []string{selinuxPkgName}
- config.SystemConfigs[0].Packages = newPackagesField
-
- config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing"
+ // Break the config
+ tt.configModifier(&config)
+ // Ensure the validation detects the expected failure
err = ValidateConfiguration(config)
- assert.NoError(t, err)
- return
- }
- }
- assert.Fail(t, "Could not find "+targetPackage+" to test")
-}
-
-func TestShouldFailMissingShadowUtilsPackageWithUsers(t *testing.T) {
- const (
- configDirectory = "../../imageconfigs/"
- targetPackage = "core-efi.json"
- targetPackageList = "core-packages-image.json"
- )
- configFiles, err := os.ReadDir(configDirectory)
- assert.NoError(t, err)
-
- // Pick the core-efi config file, then add a user, then remove shadow-utils from the package list (via dropping core... its a bit hacky)
- for _, file := range configFiles {
- if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
- configPath := filepath.Join(configDirectory, file.Name())
-
- fmt.Println("Corrupting ", configPath)
-
- config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
- for i, list := range config.SystemConfigs[0].PackageLists {
- // Delete the packagelist from the config
- if strings.Contains(list, targetPackageList) {
- config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...)
- }
+ if tt.expectedError1 != "" {
+ assert.Error(t, err)
+ assert.Equal(t, tt.expectedError1, err.Error())
+ } else {
+ assert.NoError(t, err)
}
- assert.NoError(t, err)
- config.SystemConfigs[0].Users = []configuration.User{
- {
- Name: "testuser",
- },
+ // Fix the config by adding the package list if provided
+ if tt.extraListPath != "" {
+ replacementPackageListAbsPath, err := filepath.Abs(tt.extraListPath)
+ assert.NoError(t, err)
+ config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists, replacementPackageListAbsPath)
}
+ // Validate again
err = ValidateConfiguration(config)
- assert.Error(t, err)
- assert.Equal(t, "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups", err.Error())
-
- return
- }
+ if tt.expectedError2 != "" {
+ assert.Error(t, err)
+ assert.Equal(t, tt.expectedError2, err.Error())
+ } else {
+ assert.NoError(t, err)
+ }
+ })
}
- assert.Fail(t, "Could not find "+targetPackage+" to test")
}
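Review bot: `path.Join(confiDirAbsPath, "not-a-real-list.json")` builds an OS filesystem path with the slash-only `path` package; since the value is compared against an error produced by `os.Open`, `filepath.Join` is the matching call (and the new `path` import can then go), and the variable is presumably meant to be `configDirAbsPath`. In the subtest body, `assert.Equal(t, tt.expectedError1, err.Error())` right after `assert.Error(t, err)` panics on a nil error instead of failing cleanly, because `assert.Error` does not stop the test; `assert.EqualError(t, err, tt.expectedError1)` (and the same for `expectedError2`) does both checks without the nil dereference. The `fmt`, `os` and `strings` imports kept by the earlier hunk are no longer referenced by the rewritten tests, so they must still be used elsewhere in the file for it to compile; worth a quick check.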
diff --git a/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json b/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json
new file mode 100644
index 00000000000..bd8b2e53e0a
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "bad package = bad < version"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json b/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json
new file mode 100644
index 00000000000..b3d776e8d3a
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "words"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/fips-list.json b/toolkit/tools/imageconfigvalidator/testdata/fips-list.json
new file mode 100644
index 00000000000..eea216be224
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/fips-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "dracut-fips"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json
new file mode 100644
index 00000000000..07519542cf9
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "shadow-utils=some-version"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json
new file mode 100644
index 00000000000..a2e589ce3b7
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "shadow-utils = some-version"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json b/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json
new file mode 100644
index 00000000000..34ff7c3874b
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "selinux-policy"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json b/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json
new file mode 100644
index 00000000000..9ea75c300bc
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json
@@ -0,0 +1,5 @@
+{
+ "packages": [
+ "shadow-utils"
+ ]
+}
diff --git a/toolkit/tools/imageconfigvalidator/testdata/test-config.json b/toolkit/tools/imageconfigvalidator/testdata/test-config.json
new file mode 100644
index 00000000000..cb814a36854
--- /dev/null
+++ b/toolkit/tools/imageconfigvalidator/testdata/test-config.json
@@ -0,0 +1,59 @@
+{
+
+ "_comment": "Based on core-efi.json",
+
+ "Disks": [
+ {
+ "PartitionTableType": "gpt",
+ "MaxSize": 4096,
+ "Artifacts": [
+ {
+ "Name": "test",
+ "Type": "vhdx"
+ }
+ ],
+ "Partitions": [
+ {
+ "ID": "boot",
+ "Flags": [
+ "esp",
+ "boot"
+ ],
+ "Start": 1,
+ "End": 9,
+ "FsType": "fat32"
+ },
+ {
+ "ID": "rootfs",
+ "Start": 9,
+ "End": 0,
+ "FsType": "ext4"
+ }
+ ]
+ }
+ ],
+ "SystemConfigs": [
+ {
+ "Name": "Standard",
+ "BootType": "efi",
+ "PartitionSettings": [
+ {
+ "ID": "boot",
+ "MountPoint": "/boot/efi",
+ "MountOptions" : "umask=0077"
+ },
+ {
+ "ID": "rootfs",
+ "MountPoint": "/"
+ }
+ ],
+ "PackageLists": [
+ "dummy-list.json"
+ ],
+ "KernelOptions": {
+ "default": "kernel"
+ },
+ "Hostname": "azurelinux"
+ }
+ ]
+}
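Review bot: `"MountOptions" : "umask=0077"` in the boot partition settings has a space before the colon, unlike every other key in this fixture and the other testdata files; `"MountOptions": "umask=0077"` keeps the style uniform. Since this file is loaded as a config under test, consistent formatting also makes later diffs of the fixture easier to read when cases are added.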
diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go
index 72f0c8e02af..7d834888f79 100644
--- a/toolkit/tools/imagegen/diskutils/diskutils.go
+++ b/toolkit/tools/imagegen/diskutils/diskutils.go
@@ -32,7 +32,9 @@ var (
DefaultMkfsOptions = map[string][]string{
"ext2": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr"},
"ext3": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal"},
- "ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize"},
+ // grub2 doesn't recognize ext4 with metadata_csum_seed enabled
+ // ^metadata_csum_seed disables filesystem to store the metadata checksum seed in the superblock, hence disables changing uuid of mounted filesystem
+ "ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize,^metadata_csum_seed"},
}
partedVersionRegex = regexp.MustCompile(`^parted \(GNU parted\) (\d+)\.(\d+)`)
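Review bot: The second comment line above the new ext4 entry is hard to parse ("disables filesystem to store the metadata checksum seed in the superblock, hence disables changing uuid of mounted filesystem"), and it is the only place the reason for `^metadata_csum_seed` is recorded. Suggest rewording it as `// ^metadata_csum_seed: do not store the checksum seed in the superblock (grub2 cannot read ext4 with that feature on); side effect is that the UUID of a mounted filesystem can no longer be changed.` It would also be worth a short note that `metadata_csum` itself stays enabled, so metadata integrity checking is unchanged and only the seed feature is dropped.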
diff --git a/toolkit/tools/imagegen/diskutils/encryption.go b/toolkit/tools/imagegen/diskutils/encryption.go
index 36098cf5172..aaaebd755da 100644
--- a/toolkit/tools/imagegen/diskutils/encryption.go
+++ b/toolkit/tools/imagegen/diskutils/encryption.go
@@ -173,8 +173,16 @@ func encryptRootPartition(partDevPath string, partition configuration.Partition,
return
}
+ mkfsOptions, ok := DefaultMkfsOptions[partition.FsType]
+ if !ok {
+ mkfsOptions = []string{}
+ }
+ mkfsArgs := []string{"-t", partition.FsType}
+ mkfsArgs = append(mkfsArgs, mkfsOptions...)
+ mkfsArgs = append(mkfsArgs, fullMappedPath)
+
// Create the file system
- _, stderr, err = shell.Execute("mkfs", "-t", partition.FsType, fullMappedPath)
+ _, stderr, err = shell.Execute("mkfs", mkfsArgs...)
if err != nil {
err = fmt.Errorf("failed to mkfs for partition (%v):\n%v\n%w", partDevPath, stderr, err)
}
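Review bot: The `ok` check and the `mkfsOptions = []string{}` fallback are unnecessary, because appending a nil slice from a missing map key is a no-op; the three lines reduce to `mkfsArgs := append([]string{"-t", partition.FsType}, DefaultMkfsOptions[partition.FsType]...)` followed by `mkfsArgs = append(mkfsArgs, fullMappedPath)`. A comment such as `// Apply the same per-fstype mkfs defaults as the unencrypted path so the encrypted root gets identical feature flags` would record why the options are now applied here, which I infer from the new code but the hunk does not state. encryptRootPartition starts outside the hunk.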