Hi,

Thanks for your reply. The customer is currently using Thud. You
confirm our current findings so thanks. We are looking into removing
lxc and will then see what else is needed to see if we can skip the
GPLv3 packages. We will look into the GPLv3 license again but with our
current understanding our customer cannot comply with GPLv3 so we have
to avoid it at all cost.

BR
Måns Zigher

Den fre 4 feb. 2022 kl 15:15 skrev Bruce Ashfield <bruce.ashfield@...>:

Hi,

Well, does GPLv3 not require that a customer should be able to build
the GPLv3 like bash and deploy it to the target? It is not directly
secure-boot but the customer has a boot up sequence that starts with
secure boot and then the rootfs needs to be signed. So it would not be
possible to open up the device to allow a customer to deploy his own
version of bash on the target. But I might have misunderstood GPLv3. I
am not an expert.

BR
Måns Zigher

Den fre 4 feb. 2022 kl 15:19 skrev Embedded Devel <yocto@...>:

On Friday 04 February 2022 15:53:42 PM (+07:00), Mans Zigher wrote:

Hi,

A client of mine wants to have docker on it's product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target.

Okay, wait, why does enabling secure-boot prevent including GPLv3 packages??
Ive never heard this before.

On Fri, Feb 4, 2022 at 3:53 AM Mans Zigher <mans.zigher@...> wrote:

Hi,

A client of mine wants to have docker on it's product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target. We have successfully managed to add
docker to the target but we noticed that several packages have also
been added that is GPLv3

bash, gmp, gzip, libidn, libunistring, nettle, rsync, tar, wget

Those shouldn't be coming directly from the docker dependencies, but of
course packages that it depends on, may pull other dependencies, etc.

What branch are you using ?

If you look at docker.inc in the layer, it has our known dependencies:

DEPENDS = " \
go-cli \
go-pty \
go-context \
go-mux \
go-patricia \
go-logrus \
go-fsnotify \
go-dbus \
go-capability \
go-systemd \
btrfs-tools \
sqlite3 \
go-distribution \
compose-file \
go-connections \
notary \
grpc-go \
libtool-native \
libtool \
"

DEPENDS:append:class-target = " lvm2"
RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
${@bb.utils.contains('DISTRO_FEATURES', 'aufs',
'aufs-util', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd',
'', 'cgroup-lite', d)} \
bridge-utils \
ca-certificates \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"

1. Does docker have a strict dependency to GPLv3 code?

There may be ways to avoid some GPLv3 dependencies, but it isn't
something that we've actively explored or tested. So it would be
an effort that needs experimentation.

2. For some reason that I don't understand, docker seems to pull in
LXC which in turn will pull in many of the packages. Is Docker using
LXC? I thought docker was replacing LXC doing the same thing as LXC.
3. Do you have any suggestions on how to have container support and
not pull in GPLv3 code? Is Docker moby an alternative?

It depends on how you are installing docker to your image. In the latest
branches, it doesn't have a dependency on lxc. There are some package
groups and kernel configurations that are shared, but you don't have to
install using those packagegroups if they are pulling in elements that
you don't want or need.

Bruce

BR
Måns Zigher

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

As per COPYING, this is BSD-2-Clause or GPLv2.

Signed-off-by: Ross Burton <ross.burton@...>
---
recipes-extended/libibverbs/libibverbs_1.2.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-extended/libibverbs/libibverbs_1.2.1.bb b/recipes-ex=
tended/libibverbs/libibverbs_1.2.1.bb
index 90c424e..f40eccf 100644
--- a/recipes-extended/libibverbs/libibverbs_1.2.1.bb
+++ b/recipes-extended/libibverbs/libibverbs_1.2.1.bb
@@ -3,7 +3,7 @@ DESCRIPTION =3D "Libibverbs is a library that allows user=
space processes to use In
HOMEPAGE =3D "http://www.openfabrics.org/downloads/verbs/"
SECTION =3D "libs/devel"
=20
-LICENSE =3D "BSD"
+LICENSE =3D "GPLv2 | BSD-2-Clause"
LIC_FILES_CHKSUM =3D "file://COPYING;md5=3D7c557f27dd795ba77cc419dddc656=
b51"
=20
# Official repo is at git://git.kernel.org/pub/scm/libs/infiniband/libib=
verbs.git
--=20
2.25.1

Hi,

A client of mine wants to have docker on it's product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target. We have successfully managed to add
docker to the target but we noticed that several packages have also
been added that is GPLv3

bash, gmp, gzip, libidn, libunistring, nettle, rsync, tar, wget

1. Does docker have a strict dependency to GPLv3 code?
2. For some reason that I don't understand, docker seems to pull in
LXC which in turn will pull in many of the packages. Is Docker using
LXC? I thought docker was replacing LXC doing the same thing as LXC.
3. Do you have any suggestions on how to have container support and
not pull in GPLv3 code? Is Docker moby an alternative?

BR
Måns Zigher

Thanks for the update, the series is now applied.

Bruce

In message: [meta-virtualization][meta-cloud-services][PATCH 6/8] python3-termcolor: inherit setuptools3 not distutils
on 19/01/2022 wangmy wrote:

From: Changqing Li <changqing.li@...>

Signed-off-by: Changqing Li <changqing.li@...>
---
.../libvirt/libvirt/CVE-2021-3975.patch | 43 +++++++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3975.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
new file mode 100644
index 0000000..72cee94
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
@@ -0,0 +1,43 @@
+From 30de45c73106cacfc0aacc8f11c88e1aa5372d77 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@...>
+Date: Sat, 29 Jan 2022 13:25:54 +0800
+Subject: [PATCH] qemu: Add missing lock in qemuProcessHandleMonitorEOF
+
+qemuMonitorUnregister will be called in multiple threads (e.g. threads
+in rpc worker pool and the vm event thread). In some cases, it isn't
+protected by the monitor lock, which may lead to call g_source_unref
+more than one time and a use-after-free problem eventually.
+
+Add the missing lock in qemuProcessHandleMonitorEOF (which is the only
+position missing lock of monitor I found).
+
+Suggested-by: Michal Privoznik <mprivozn@...>
+Signed-off-by: Peng Liang <liangpeng10@...>
+Signed-off-by: Michal Privoznik <mprivozn@...>
+Reviewed-by: Michal Privoznik <mprivozn@...>
+
+Upstream-Status: Backport [https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7]
+CVE: CVE-2021-3975
+
+Signed-off-by: Changqing Li <changqing.li@...>
+---
+ src/qemu/qemu_process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 8ea470f..64b8472 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -315,7 +315,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon,
+ /* We don't want this EOF handler to be called over and over while the
+ * thread is waiting for a job.
+ */
++ virObjectLock(mon);
+ qemuMonitorUnregister(mon);
++ virObjectUnlock(mon);
+
+ /* We don't want any cleanup from EOF handler (or any other
+ * thread) to enter qemu namespace. */
+--
+2.17.1
+
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index 091296e..8e95ad6 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2020-25637_4.patch \
file://CVE-2021-3631.patch \
file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
+ file://CVE-2021-3975.patch \
"

SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
--
2.17.1

commits short logs:
e4d2df62e (tag: v2.15.3) Set release date for 2.15.3.
b8baa1141 python: Add cooperative_yield() API method to Idl.
7834abc66 ofproto-dpif-xlate: Snoop ingress packets and update neigh cache if needed.
833c02daa tnl-neigh-cache: Do not refresh the entry while revalidating.
e2182eca8 tnl-neigh-cache: Include expected array sizes in prototypes.
566fe4372 tnl-neigh-cache: Read/write expires atomically.
d477f6000 compat: handle NF_REPEAT error on nf_conntrack_in.
0590e8838 flow: Consider dataofs when parsing TCP packets.
7266042d8 tests/flowgen: Fix packet data endianness.
d2e0632db ofproto: Fix resource usage explosion due to removal of large number of flows.
0a7e66e37 ofproto: Fix resource usage explosion while processing bundled FLOW_MOD.
68466efed tests/flowgen: Fix length field of 802.2 data link header.
2a2185f9e ovs-lib: Backup and remove existing DB when joining cluster.
fcbc29c6f docs/dpdk: Fix install doc.
a5d97d420 ovs-save: Save igmp flows in ofp_parse syntax.
1cbd1f0f5 faq: Update OVS/DPDK version table for OVS 2.13/2.14.
01bc910e5 ofproto-dpif-xlate: Fix check_pkt_larger incomplete translation.
08a270dda datapath-windows: Reset flow key after Ipv4 fragments are reassembled
eca2d50d4 datapath-windows:Reset PseudoChecksum value only for TX direction offload case
031cf67e0 netdev-offload-tc: Verify the flower rule installed.
952e85150 ci: Make linux-prepare trust system installs.
2cf63851a Prepare for 2.15.3.
63f9a7c5d (tag: v2.15.2) Set release date for 2.15.2.
b7d9c491e datapath-windows: add layers when adding the deferred actions
3f718857e ofproto-dpif-xlate: Fix zone set from non-frozen-metadata fields.
ea2ca0af1 dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments.
9f964354e tunnel-push-pop.at: Mask source port in tunnel header.
58397f222 dpdk-stub: Change the ERR log to DBG.
2a963fc31 python: idl: Avoid sending transactions when the DB is not synced up.
9efa2ea61 ipf: release unhandled packets from the batch
f8274b78c datapath-windows:adjust Offset when processing packet in POP_VLAN action
a2f860aa2 cirrus: Reduce memory requirements for FreeBSD VMs.
7788f1579 netdev-linux: Fix a null pointer dereference in netdev_linux_notify_sock().
dd32deba6 pcap-file: Fix memory leak in ovs_pcap_open().
9f2f66c8e odp-util: Fix a null pointer dereference in odp_flow_format().
02b0c265c odp-util: Fix a null pointer dereference in odp_nsh_key_from_attr__().
031eff456 netdev-dpdk: Fix RSS configuration for virtio.
09cd9570d ipf: Fix only nat the first fragment in the reass process.
ef8ca3e19 dpif-netdev: Fix crash when PACKET_OUT is metered.
d3ff41d60 tc: Set action flags for tunnel_key release.
079a4de72 netlink-socket: Replace error with txn->error when logging nacked transactions.
f8cc5aa35 dynamic-string: Fix a crash in ds_clone().
64d1bba91 dpif-netdev: fix memory leak in dpcls subtable set command
90b219275 dpif-netdev: Do not flush PMD offloads on reload.
b29b04f85 dpif-netdev: Fix offloads of modified flows.
1d0b89ea7 dpif-netdev: Fix flow modification after failure.
8d84a4b16 netdev-offload-dpdk: Fix IPv6 rewrite cast-align warning.
f3f7849cb daemon-unix: Fix leak of a fork error message.
8aa0f0374 ovsdb-cs: Perform forced reconnects without a backoff.
ee4e034dc datapath-windows:Correct checksum for DNAT action
72132a940 bond: Fix broken rebalancing after link state changes.
aa84cfe25 dpif-netlink: Fix report_loss() message.
aec05f7cd ovsdb-server: Fix memleak when failing to read storage.
05bdf11fc conntrack: Init hash basis first at creation.
94e3b9d9c netdev-linux: Ignore TSO packets when TSO is not enabled for userspace.
842bfb899 conntrack: Handle already natted packets.
ab873c1af conntrack: Document all-zero IP SNAT behavior and add a test case.
86d6a9ee1 python: Fix Idl.run change_seqno update.
1ba0c8365 bridge: Use correct (legacy) role names in database.
7e5293ea5 Prepare for 2.15.2.

The ptest results BEFORE uprev:
ERROR: 2231 tests were run,
27 failed unexpectedly.
62 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - recirculation after resubmit
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

The ptest results AFTER uprev:
ERROR: 2266 tests were run,
27 failed unexpectedly.
65 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop - packet_out debug_slow
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

Signed-off-by: He Zhe <zhe.he@...>
---
recipes-networking/openvswitch/openvswitch_git.bb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 0fb7c132..4d413170 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS:${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15.1+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS:append := "${THISDIR}/${PN}-git:"

-SRCREV = "f8274b78c3403591e84f3c2bbacf8c86920d68ba"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
--
2.17.1

Drop the following backported patch.
0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch

commits short logs:
e4d2df62e (tag: v2.15.3) Set release date for 2.15.3.
b8baa1141 python: Add cooperative_yield() API method to Idl.
7834abc66 ofproto-dpif-xlate: Snoop ingress packets and update neigh cache if needed.
833c02daa tnl-neigh-cache: Do not refresh the entry while revalidating.
e2182eca8 tnl-neigh-cache: Include expected array sizes in prototypes.
566fe4372 tnl-neigh-cache: Read/write expires atomically.
d477f6000 compat: handle NF_REPEAT error on nf_conntrack_in.
0590e8838 flow: Consider dataofs when parsing TCP packets.
7266042d8 tests/flowgen: Fix packet data endianness.
d2e0632db ofproto: Fix resource usage explosion due to removal of large number of flows.
0a7e66e37 ofproto: Fix resource usage explosion while processing bundled FLOW_MOD.
68466efed tests/flowgen: Fix length field of 802.2 data link header.
2a2185f9e ovs-lib: Backup and remove existing DB when joining cluster.
fcbc29c6f docs/dpdk: Fix install doc.
a5d97d420 ovs-save: Save igmp flows in ofp_parse syntax.
1cbd1f0f5 faq: Update OVS/DPDK version table for OVS 2.13/2.14.
01bc910e5 ofproto-dpif-xlate: Fix check_pkt_larger incomplete translation.
08a270dda datapath-windows: Reset flow key after Ipv4 fragments are reassembled
eca2d50d4 datapath-windows:Reset PseudoChecksum value only for TX direction offload case
031cf67e0 netdev-offload-tc: Verify the flower rule installed.
952e85150 ci: Make linux-prepare trust system installs.
2cf63851a Prepare for 2.15.3.
63f9a7c5d (tag: v2.15.2) Set release date for 2.15.2.
b7d9c491e datapath-windows: add layers when adding the deferred actions
3f718857e ofproto-dpif-xlate: Fix zone set from non-frozen-metadata fields.
ea2ca0af1 dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments.
9f964354e tunnel-push-pop.at: Mask source port in tunnel header.
58397f222 dpdk-stub: Change the ERR log to DBG.
2a963fc31 python: idl: Avoid sending transactions when the DB is not synced up.
9efa2ea61 ipf: release unhandled packets from the batch
f8274b78c datapath-windows:adjust Offset when processing packet in POP_VLAN action
a2f860aa2 cirrus: Reduce memory requirements for FreeBSD VMs.
7788f1579 netdev-linux: Fix a null pointer dereference in netdev_linux_notify_sock().
dd32deba6 pcap-file: Fix memory leak in ovs_pcap_open().
9f2f66c8e odp-util: Fix a null pointer dereference in odp_flow_format().
02b0c265c odp-util: Fix a null pointer dereference in odp_nsh_key_from_attr__().
031eff456 netdev-dpdk: Fix RSS configuration for virtio.
09cd9570d ipf: Fix only nat the first fragment in the reass process.
ef8ca3e19 dpif-netdev: Fix crash when PACKET_OUT is metered.
d3ff41d60 tc: Set action flags for tunnel_key release.
079a4de72 netlink-socket: Replace error with txn->error when logging nacked transactions.
f8cc5aa35 dynamic-string: Fix a crash in ds_clone().
64d1bba91 dpif-netdev: fix memory leak in dpcls subtable set command
90b219275 dpif-netdev: Do not flush PMD offloads on reload.
b29b04f85 dpif-netdev: Fix offloads of modified flows.
1d0b89ea7 dpif-netdev: Fix flow modification after failure.
8d84a4b16 netdev-offload-dpdk: Fix IPv6 rewrite cast-align warning.
f3f7849cb daemon-unix: Fix leak of a fork error message.
8aa0f0374 ovsdb-cs: Perform forced reconnects without a backoff.
ee4e034dc datapath-windows:Correct checksum for DNAT action
72132a940 bond: Fix broken rebalancing after link state changes.
aa84cfe25 dpif-netlink: Fix report_loss() message.
aec05f7cd ovsdb-server: Fix memleak when failing to read storage.
05bdf11fc conntrack: Init hash basis first at creation.
94e3b9d9c netdev-linux: Ignore TSO packets when TSO is not enabled for userspace.
842bfb899 conntrack: Handle already natted packets.
ab873c1af conntrack: Document all-zero IP SNAT behavior and add a test case.
86d6a9ee1 python: Fix Idl.run change_seqno update.
1ba0c8365 bridge: Use correct (legacy) role names in database.
7e5293ea5 Prepare for 2.15.2.
b855bbc32 (tag: v2.15.1) Set release date for 2.15.1.
007a4f48f dpif-netdev: Apply subtable-lookup-prio-set on any datapath.
c93358a56 netlink: removed incorrect optimization
31626579f ovs-actions.xml: Add missing bracket.
30596ec27 netdev-offload-tc: Use nl_msg_put_flag for OVS_TUNNEL_KEY_ATTR_CSUM.
728980291 conntrack: Increment coverage counter for all bad checksum cases.
881d71ea2 datapath-windows: Specify external include paths
934668c29 Remove Python 2 leftovers.
aaa596705 ipf: Fix a use-after-free error, and remove the 'do_not_steal' flag.
bc0aa785a ovsdb-idl: Fix the database update signaling if it has never been connected.
559426d2b ofproto: Fix potential NULL dereference in ofproto_ct_*_zone_timeout_policy().
f31070e27 ofproto: Fix potential NULL dereference in ofproto_get_datapath_cap().
8995d5311 dpif-netlink: Fix send of uninitialized memory in ct limit requests.
0c056891c ofproto-dpif: Fix use of uninitialized attributes of timeout policy.
121a67cad netdev-linux: Fix use of uninitialized LAG master name.
5f27ff1cf ofp_actions: Fix set_mpls_tc formatting.
e87adce83 dpif-netdev: Remove meter rate from the bucket size calculation.
a3ee3258e ovs-ofctl: Fix coredump when using "add-groups" command.
c5d2a6275 raft: Transfer leadership before creating snapshots.
553d52392 ovsdb-cs: Consider all tables when computing expected cond seqno.
8d0aebcc4 dpdk: Use DPDK 20.11.1 release.
21452722b github: Fix up malformed /etc/hosts.
90d1984b9 doc: automake: Add support for sphinx 4.0.
38a8bed70 cirrus: Look up existing versions of python dependencies.
255c38c74 ofp-group: Use big-enough buffer in ofputil_format_group().
f2c0744d2 ofproto/ofproto-dpif-sflow: Check sflow agent in case of race
ab157ef34 dpif: Fix use of uninitialized execute hash.
b1fded020 odp-util: Fix use of uninitialized erspan metadata.
f473ee568 dpif-netlink: Fix using uninitialized info.tc_modify_flow_deleted in out label.
2721606bd netdev-offload-tc: Probe for support for any of the ct_state flags.
091bc48d9 compat: Add ct_state flags definitions.
1307e90e3 Add test cases for ingress_policing parameters
d184c6ce6 netdev-linux: correct unit of burst parameter
cab998e50 ipsec: Fix IPv6 default route support for Libreswan.
b9ab7827e ovsdb-idl: Mark arc sources as updated when destination is deleted.
c82d2e3fb ovsdb-idl: Preserve references for deleted rows.
9a24ecbc2 ovsdb-idl.at: Make test outputs more predictable.
8d71feb1b ovs-ofctl: Fix segfault due to bad meter n_bands.
3a716b1d9 dpif-netdev: Refactor and fix the buckets calculation.
73ece9c87 dpif-netdev: Fix the meter buckets overflow.
d5dc16670 python: Send notifications after the transaction ends.
556e65e17 ovs-ctl: Allow recording hostname separately.
3982aee45 dpif-netdev: Fix crash when add dp flow without in_port field.
02096f1b3 Documentation: Fix DPDK qos example.
8f1dda316 raft: Report disconnected in cluster/status if candidate retries election.
79e9749da raft: Reintroduce jsonrpc inactivity probes.
2e84a4adb ovsdb-cs: Fix use-after-free for the request id.
d2c311dce connmgr: Check nullptr inside ofmonitor_report().
7307af690 ovsdb-client: Fix needs-conversion when SERVER is explicitly specified.
2a7a63571 windows, tests: Modify service test.
9b48549c6 netdev-linux: Fix indentation.
861a9f3b4 ofproto-dpif-upcall: Fix ukey leak on udpif destroy.
339044c3c ci: Use parallel build for distcheck.
38744b1bc ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
33abe6c05 Prepare for 2.15.1.

The ptest results BEFORE uprev:
ERROR: 2231 tests were run,
27 failed unexpectedly.
62 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - recirculation after resubmit
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

The ptest results AFTER uprev:
ERROR: 2266 tests were run,
27 failed unexpectedly.
65 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop - packet_out debug_slow
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

Signed-off-by: He Zhe <zhe.he@...>
---
recipes-networking/openvswitch/openvswitch_git.bb | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index d7f8e4b0..a66c9677 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS_${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS_append := "${THISDIR}/${PN}-git:"

-SRCREV = "8dc1733eaea866dce033b3c44853e1b09bf59fc7"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
@@ -28,7 +28,6 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
file://systemd-update-tool-paths.patch \
file://systemd-create-runtime-dirs.patch \
file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
- file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
"

LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
--
2.17.1

Just a heads up that a full round of updates are pending for a lot of
packages. I've been stuck working with the latest go, and the fact
that more projects have dropped their vendor'd dependencies. So if you
are considering updating one, it is worth asking here, or on IRC .. to
save us all wasted effort.

I'm almost through the plumbing and expect to start pushing tested
updates to master-next in the next week or so (well in time for
release).

Bruce

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

OVS is one of the upgrades that has traditionally caused us issues.

Can we capture the shortlogs of the commits that are part of the update ?

And a log of the basic tests ? (if you search the mailing list
archives, you'll see examples of the tests we've run in the past ..
and yes, the tests should be in a ptest/automated format, but I've
never quite had time to do that).

Bruce

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Drop the following backported patch.
0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch

Signed-off-by: He Zhe <zhe.he@...>
---
...use-after-free-while-decoding-RAW_EN.patch | 101 ------------------
.../openvswitch/openvswitch_git.bb | 7 +-
2 files changed, 3 insertions(+), 105 deletions(-)
delete mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch

diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
deleted file mode 100644
index c88c097d..00000000
--- a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
-From: Ilya Maximets <i.maximets@...>
-Date: Tue, 16 Feb 2021 23:27:30 +0100
-Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
-
-While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
-ofpbuf if there is no enough space left. However, function
-'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
-structure leading to write-after-free and incorrect decoding.
-
- ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
- 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
- WRITE of size 2 at 0x60600000011a thread T0
- #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
- #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
- #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
- #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
- #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
- #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
- #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
- #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
- #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
- #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
- #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
- #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
- #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
- #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
- #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
- #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
-
-Fix that by getting a new pointer before using.
-
-Credit to OSS-Fuzz.
-
-Fuzzer regression test will fail only with AddressSanitizer enabled.
-
-Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
-Fixes: f839892a206a ("OF support and translation of generic encap and decap")
-Acked-by: William Tu <u9012063@...>
-Signed-off-by: Ilya Maximets <i.maximets@...>
-
-Upstream-Status: Backport
-CVE: CVE-2021-36980
-Signed-off-by: Yanfei Xu <yanfei.xu@...>
----
- lib/ofp-actions.c | 2 ++
- tests/automake.mk | 3 ++-
- tests/fuzz-regression-list.at | 1 +
- tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
- 4 files changed, 5 insertions(+), 1 deletion(-)
- create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
-
-diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
-index e2e829772..0342a228b 100644
---- a/lib/ofp-actions.c
-+++ b/lib/ofp-actions.c
-@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
- {
- struct ofpact_encap *encap;
- const struct ofp_ed_prop_header *ofp_prop;
-+ const size_t encap_ofs = out->size;
- size_t props_len;
- uint16_t n_props = 0;
- int err;
-@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
- }
- n_props++;
- }
-+ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
- encap->n_props = n_props;
- out->header = &encap->ofpact;
- ofpact_finish_ENCAP(out, &encap);
-diff --git a/tests/automake.mk b/tests/automake.mk
-index 677b99a6b..fc80e027d 100644
---- a/tests/automake.mk
-+++ b/tests/automake.mk
-@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
- tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
- tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
- tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
-- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
-+ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
-+ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
- $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
- $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
- basename=`echo $$name | sed 's,^.*/,,'`; \
-diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
-index e3173fb88..2347c690e 100644
---- a/tests/fuzz-regression-list.at
-+++ b/tests/fuzz-regression-list.at
-@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
- TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
- TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
- TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
-+TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
-diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
-new file mode 100644
-index 000000000..e69de29bb
---
-2.27.0
-
diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index d7f8e4b0..a66c9677 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS_${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS_append := "${THISDIR}/${PN}-git:"

-SRCREV = "8dc1733eaea866dce033b3c44853e1b09bf59fc7"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
@@ -28,7 +28,6 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
file://systemd-update-tool-paths.patch \
file://systemd-create-runtime-dirs.patch \
file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
- file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
"

LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
--
2.17.1

Signed-off-by: He Zhe <zhe.he@...>
---
recipes-networking/openvswitch/openvswitch_git.bb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 0fb7c132..4d413170 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS:${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15.1+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS:append := "${THISDIR}/${PN}-git:"

-SRCREV = "f8274b78c3403591e84f3c2bbacf8c86920d68ba"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
--
2.17.1

On Thu, Jan 20, 2022 at 2:07 AM Robert Yang <liezhi.yang@...> wrote:

Hi Bruce,

On 1/19/22 9:34 PM, Bruce Ashfield wrote:

On Wed, Jan 19, 2022 at 7:00 AM Robert Yang <liezhi.yang@...> wrote:

Fixed when kernel-module-xt-nat is not installed:
$ docker run --rm -it -p 80:80 alpine

docker: Error response from daemon: driver failed programming external connectivity on endpoint elated_cori
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)).

There's already a pending patch for similar changes, I'm still
working through the unification of the meta-virt fragments and the
kernel-cache fragments, so I'm not doing any of the RRECOMMENDS
changes at the moment, until I have that unified.

Since we can recommend all we want, but it can't fix a bad
configuration, and that's the issue.

Yes, makes sense, do you have a clue on how to figure out all of them, please?

This is something that I'm working on in cooperation with the external
kernel-cache recipe/tool that I have in meta-virt.

Your change is correct, I'm just going to let it sit on my queue for a
bit, while I work through the rest of the changes with respect to
getting the right configuration across a range of kernels and having
the ability to check for the fragments (versus the final .config,
since we don't want to start checking for individual options after the
kernel configuration runs).

Bruce

// Robert

Bruce

Signed-off-by: Robert Yang <liezhi.yang@...>
---
recipes-containers/docker/docker.inc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index 40a3642c..e7bdc388 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -29,7 +29,13 @@ RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"

-RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool kernel-module-nf-nat kernel-module-nf-conntrack-netlink kernel-module-xt-addrtype kernel-module-xt-masquerade"
+RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool \
+ kernel-module-nf-nat \
+ kernel-module-nf-conntrack-netlink \
+ kernel-module-xt-addrtype \
+ kernel-module-xt-masquerade \
+ kernel-module-xt-nat \
+ "

PROVIDES += "virtual/docker"

--
2.17.1

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Hi Bruce,

On 1/19/22 9:34 PM, Bruce Ashfield wrote:

On Wed, Jan 19, 2022 at 7:00 AM Robert Yang <liezhi.yang@...> wrote:

Fixed when kernel-module-xt-nat is not installed:
$ docker run --rm -it -p 80:80 alpine

docker: Error response from daemon: driver failed programming external connectivity on endpoint elated_cori
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)).

There's already a pending patch for similar changes, I'm still
working through the unification of the meta-virt fragments and the
kernel-cache fragments, so I'm not doing any of the RRECOMMENDS
changes at the moment, until I have that unified.
Since we can recommend all we want, but it can't fix a bad
configuration, and that's the issue.

Yes, makes sense, do you have a clue on how to figure out all of them, please?

// Robert

Bruce

Signed-off-by: Robert Yang <liezhi.yang@...>
---
recipes-containers/docker/docker.inc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index 40a3642c..e7bdc388 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -29,7 +29,13 @@ RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"

-RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool kernel-module-nf-nat kernel-module-nf-conntrack-netlink kernel-module-xt-addrtype kernel-module-xt-masquerade"
+RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool \
+ kernel-module-nf-nat \
+ kernel-module-nf-conntrack-netlink \
+ kernel-module-xt-addrtype \
+ kernel-module-xt-masquerade \
+ kernel-module-xt-nat \
+ "

PROVIDES += "virtual/docker"

--
2.17.1

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Wed, Jan 19, 2022 at 8:32 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

On Wed, Jan 19, 2022 at 7:52 AM Peter Hoyes <Peter.Hoyes@...> wrote:

On 18/01/2022 13:52, Bruce Ashfield via lists.yoctoproject.org wrote:

On Tue, Jan 18, 2022 at 6:18 AM Ross Burton <ross@...> wrote:

On Mon, 17 Jan 2022 at 18:07, Bruce Ashfield <bruce.ashfield@...> wrote:

Your change + my update are now queued:

https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=ed4bd1de0d2e040c303a8497ac0cd961aa8b8a7b

If you have any cycles for test build, that would be great .. since
somehow my own build didn't notice the empty package, so I can't say I
fully trust it.

SETUPTOOLS_SETUP_PATH defaults to S, so you can remove the assignment entirely.

done. And pushed to master.

Bruce

Ross

Hi Bruce,

I am now seeing the following failure on our build when attempting to
use python3-dtc:

usr/lib/python3.10/site-packages/_libfdt.cpython-310-x86_64-linux-gnu.so:
undefined symbol: fdt_overlay_target_offset

I think this is because the updated SRCREV includes 45f3d1a which
requires libfdt to export the symbol above, but poky/dtc is still on an
older revision. Maybe its necessary to roll back the SRCREV patch until
poky updates?

Hmm. That's a last resort, thrashing around the SRCREVs is never a
good idea.

I'll temporarily carry a newer dtc in meta-virt to get things working.

I split the difference.

The PV was wrong on the updated package anyway, so I've pushed a
change that uses SRCPV to show that I'm running ahead of oe-core DTC,
and I've reverted the one commit that introduces the problematic
symbol.

This gets me what I need for lopper, and I can now build and construct
xen-image-mininal for qemuarm64

Bruce

Bruce

Cheers,

Peter

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Wed, Jan 19, 2022 at 7:39 AM Diego Sueiro <Diego.Sueiro@...> wrote:

Hello Bruce,

Thanks for getting this merged.

We consider these patches as bug fixing and in this case is it possible to have them backported (cherry picked) to honister branch?

Agreed. they are bug fixes, so I've done the cherry pick to honister.

Bruce

Cheers,

--
Diego Sueiro

-----Original Message-----
From: meta-virtualization@... <meta-
virtualization@...> On Behalf Of Bruce Ashfield via
lists.yoctoproject.org
Sent: 19 January 2022 03:44
To: Kamil Dzieżyk <Kamil.Dziezyk@...>
Cc: meta-virtualization@...;
christopher.w.clark@...; cardoe@...
Subject: Re: [meta-virtualization] [PATCH v3 1/2] xen-tools: Load xen related
kernel modules during system boot

merged.

Bruce

In message: [meta-virtualization] [PATCH v3 1/2] xen-tools: Load xen related
kernel modules during system boot on 13/01/2022 Kamil Dziezyk wrote:

This patch changes the location of xen.conf file, that contains list
of kernel modules to be loaded during system boot, to
"${nonarch_libdir}". This is done by removing '--with-systemd-modules-

load=' flag from EXTRA_OECONF variable.

Previous path based on "${systemd_unitdir}" was not considered by
default by systemd-modules-load.service.

Signed-off-by: Kamil Dziezyk <kamil.dziezyk@...>
---
recipes-extended/xen/xen-tools.inc | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/recipes-extended/xen/xen-tools.inc
b/recipes-extended/xen/xen-tools.inc
index ca924f4..6e25046 100644
--- a/recipes-extended/xen/xen-tools.inc
+++ b/recipes-extended/xen/xen-tools.inc
@@ -653,10 +653,10 @@ FILES:${PN}-xm = "\
"

FILES:${PN}-xencommons += "\
+ ${nonarch_libdir}/modules-load.d/xen.conf \
${sysconfdir}/default/xencommons \
${sysconfdir}/init.d/xencommons \
${sysconfdir}/xen/scripts/launch-xenstore \
- ${systemd_unitdir}/modules-load.d/xen.conf \
${systemd_unitdir}/system/proc-xen.mount \
${systemd_unitdir}/system/xen-qemu-dom0-disk-backend.service \
${systemd_unitdir}/system/xenconsoled.service \ @@ -744,7 +744,6
@@ SYSTEMD_SERVICE:${PN}-xendomains = "xendomains.service"

EXTRA_OECONF += " \
--with-systemd=${systemd_unitdir}/system \
- --with-systemd-modules-load=${systemd_unitdir}/modules-load.d \
--with-initddir=${INIT_D_DIR} \
--with-sysconfig-leaf-dir=default \
--with-system-qemu=${bindir}/qemu-system-i386 \
--
2.17.1

IMPORTANT NOTICE: The contents of this email and any attachments are

confidential and may also be privileged. If you are not the intended recipient,
please notify the sender immediately and do not disclose the contents to any
other person, use it for any purpose, or store or copy the information in any
medium. Thank you.

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Wed, Jan 19, 2022 at 7:00 AM Robert Yang <liezhi.yang@...> wrote:

Fixed when kernel-module-xt-nat is not installed:
$ docker run --rm -it -p 80:80 alpine

docker: Error response from daemon: driver failed programming external connectivity on endpoint elated_cori
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)).

There's already a pending patch for similar changes, I'm still
working through the unification of the meta-virt fragments and the
kernel-cache fragments, so I'm not doing any of the RRECOMMENDS
changes at the moment, until I have that unified.

Since we can recommend all we want, but it can't fix a bad
configuration, and that's the issue.

Bruce

Signed-off-by: Robert Yang <liezhi.yang@...>
---
recipes-containers/docker/docker.inc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index 40a3642c..e7bdc388 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -29,7 +29,13 @@ RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"

-RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool kernel-module-nf-nat kernel-module-nf-conntrack-netlink kernel-module-xt-addrtype kernel-module-xt-masquerade"
+RRECOMMENDS:${PN} = "kernel-module-dm-thin-pool \
+ kernel-module-nf-nat \
+ kernel-module-nf-conntrack-netlink \
+ kernel-module-xt-addrtype \
+ kernel-module-xt-masquerade \
+ kernel-module-xt-nat \
+ "

PROVIDES += "virtual/docker"

--
2.17.1

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Wed, Jan 19, 2022 at 7:52 AM Peter Hoyes <Peter.Hoyes@...> wrote:

On 18/01/2022 13:52, Bruce Ashfield via lists.yoctoproject.org wrote:

On Tue, Jan 18, 2022 at 6:18 AM Ross Burton <ross@...> wrote:

On Mon, 17 Jan 2022 at 18:07, Bruce Ashfield <bruce.ashfield@...> wrote:

Your change + my update are now queued:

https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=ed4bd1de0d2e040c303a8497ac0cd961aa8b8a7b

If you have any cycles for test build, that would be great .. since
somehow my own build didn't notice the empty package, so I can't say I
fully trust it.

SETUPTOOLS_SETUP_PATH defaults to S, so you can remove the assignment entirely.

done. And pushed to master.

Bruce

Ross

Hi Bruce,

I am now seeing the following failure on our build when attempting to
use python3-dtc:

usr/lib/python3.10/site-packages/_libfdt.cpython-310-x86_64-linux-gnu.so:
undefined symbol: fdt_overlay_target_offset

I think this is because the updated SRCREV includes 45f3d1a which
requires libfdt to export the symbol above, but poky/dtc is still on an
older revision. Maybe its necessary to roll back the SRCREV patch until
poky updates?

Hmm. That's a last resort, thrashing around the SRCREVs is never a
good idea.

I'll temporarily carry a newer dtc in meta-virt to get things working.

Bruce

Cheers,

Peter

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II