
Re: [PATCH honister] k3s: uprev from v1.21.5+k3s1 to v1.21.9+k3s1

Diego Sueiro
 

Hi Bruce,

---
recipes-containers/k3s/k3s_git.bb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/recipes-containers/k3s/k3s_git.bb
b/recipes-containers/k3s/k3s_git.bb
index bcfa959..77ad6d4 100644
--- a/recipes-containers/k3s/k3s_git.bb
+++ b/recipes-containers/k3s/k3s_git.bb
@@ -13,10 +13,9 @@ SRC_URI =
"git://github.com/rancher/k3s.git;branch=release-1.21;name=k3s;protoco
file://0001-Finding-host-local-in-usr-
libexec.patch;patchdir=src/import \
file://k3s-killall.sh \
"
-SRC_URI[k3s.md5sum] = "363d3a08dc0b72ba6e6577964f6e94a5"
-SRCREV_k3s = "aa5a0a8c783a8a4475b727a04d6594c0fea09253"
+SRCREV_k3s = "101917b0c493dd1effac1074feb1d5462b9a189b"

-PV = "v1.21.5+k3s1"
+PV = "v1.21.9+k3s1"

CNI_NETWORKING_FILES ?= "${WORKDIR}/cni-containerd-net.conf"

@@ -30,7 +29,7 @@ PACKAGECONFIG[upx] = ",,upx-native"
GO_IMPORT = "import"
GO_BUILD_LDFLAGS = "-X
github.com/rancher/k3s/pkg/version.Version=${PV} \
-X
github.com/rancher/k3s/pkg/version.GitCommit=${@d.getVar('SRCREV_k3s',
d, 1)[:8]} \
- -w -s \
+ -w -s -v \
"
BIN_PREFIX ?= "${exec_prefix}/local"

@@ -40,11 +39,12 @@ REQUIRED_DISTRO_FEATURES ?= "seccomp"
do_compile() {
export
GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_T
ARGET}/${prefix}/local/go"
export CGO_ENABLED="1"
- export GOFLAGS="-mod=vendor"
+ export GOFLAGS="-mod=vendor -modcacherw"

TAGS="static_build ctrd no_btrfs netcgo osusergo providerless"

cd ${S}/src/import
+ ${GO} mod vendor -v && ${GO} mod tidy -v
Unfortunately .. no, we can't take this change.

I'm working on a full update to k3s in master, and it is running into similar
challenges due to the removal of vendor upstream.
Can you please elaborate a bit better what the problem is and why this solution
is not appropriate for the honister branch?
I have no knowledge in Go both in aspects of the programming language as well
as building.

--
Diego Sueiro

The solution isn't simple, since it is something that has to be generic, as it
applies to many different recipes in meta-virtualization.

Bruce

${GO} build -tags "$TAGS" -ldflags "${GO_BUILD_LDFLAGS} -w
-s" -o ./dist/artifacts/k3s ./cmd/server/main.go

# Use UPX if it is enabled (and thus exists) to compress
binary
--
2.35.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
its end
- "Use the force Harry" - Gandalf, Star Trek II


Re: OCI images in yocto image

Bruce Ashfield
 

On Wed, Feb 9, 2022 at 1:29 PM Peter Bergin <peter@...> wrote:

Hi,

I'm exploring the world of containers combined with Yocto. I can build a
container image and bundle that one with my rootfs image. The container
image is stored in the rootfs as a tar-file of an OCI image spec with the
content blobs, index.json and oci-layout. As per the description in
classes/image-oci.bbclass the way to run the container is to unpack the
file and then create the OCI runtime bundle and start it with runc.

I have played around with docker and tried to import OCI image directly
in to docker store but have not succeeded. Anyone that knows if it is
possible? 'docker image import <oci-image>.tar' does not give any errors
and the image shows up in 'docker images' but does not import the
correct rootfs.
There's no viable way to do this on the build side, and then have it appear
in the image. I've experimented several times with this, and haven't found
a decent solution. Running docker on the build host is a non-starter, which
rules out many options.

There's more options if you use podman versus docker for the container
runtime, but I also haven't had time to finish anything there yet.

To get the OCI images into docker, I bounce them through a registry and
use docker pull. You can see the logs of that process in several of my
yocto summit presentations.


When creating the OCI image in image-oci.bbclass the process starts with
a bundle that is packaged as an image and compressed to a tar-file.
Given the above the whole process needs to be reverted on target to
start a container from that image. It should then be possible to just
install the bundle directly on target rootfs that directly can be
started with runc. Are there any drawbacks with this? I can see that a
tar-file is easier to distribute and install afterwards but my question
is related to directly integrating an OCI-image to a Yocto rootfs-image.
Nope, there's no drawbacks. The tar is just a convenience for moving
the bundles around. It isn't an official OCI image format, just the unbundled
directory format (it is just a bit odd compared to other image formats, which
tend to be single files, so I created the tar step to be similar to them).

You can definitely copy the OCI image directory onto the image, and have
it be immediately runnable via runc. There's no common/de facto service
to start the images on boot, but that's a fairly trivial thing to do with your
init system of choice. (having a service to start those images on boot
is on my TODO list, but I'm still tangled up with package uprev and golang,
so I haven't gotten to it yet).

Bruce


Best regards,

/Peter




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
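
Added example, not from the thread or from image-oci.bbclass: before an image tar built this way is unpacked and handed to runc on the target, the layout described above (oci-layout, index.json, blobs) can be checked by following each descriptor and comparing blob size and digest. The sample archive is constructed in the code and the function names are hypothetical; it assumes index.json points directly at image manifests.

```python
import hashlib
import io
import json
import tarfile

ALLOWED_ALGOS = {"sha256", "sha512"}  # digest algorithms registered by the OCI image spec


def _descriptor(media_type, data):
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def build_sample_oci_tar(tamper_layer=False):
    """Constructed sample: a minimal OCI image layout packed as a tar archive."""
    layer = b"constructed layer payload"
    config = json.dumps({"architecture": "arm64", "os": "linux"}).encode()
    layer_desc = _descriptor("application/vnd.oci.image.layer.v1.tar", layer)
    manifest = json.dumps({
        "schemaVersion": 2,
        "config": _descriptor("application/vnd.oci.image.config.v1+json", config),
        "layers": [layer_desc],
    }).encode()
    index = json.dumps({
        "schemaVersion": 2,
        "manifests": [_descriptor("application/vnd.oci.image.manifest.v1+json", manifest)],
    }).encode()
    files = {"oci-layout": b'{"imageLayoutVersion": "1.0.0"}', "index.json": index}
    for blob in (layer, config, manifest):
        files["blobs/sha256/" + hashlib.sha256(blob).hexdigest()] = blob
    if tamper_layer:
        # Same length, different content, stored under the original digest name.
        files["blobs/sha256/" + layer_desc["digest"].split(":")[1]] = layer[:-1] + b"X"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_oci_layout(tar_bytes):
    """Return a list of integrity problems; an empty list means every blob checked out."""
    errors = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        # Index regular files by normalized name; nothing is extracted to disk.
        members = {}
        for m in tar.getmembers():
            if m.isfile():
                members[m.name[2:] if m.name.startswith("./") else m.name] = m

        def read(name):
            m = members.get(name)
            return tar.extractfile(m).read() if m else None

        def check(desc):
            """Validate one descriptor against its blob; return the bytes only if valid."""
            algo, _, hexd = desc.get("digest", "").partition(":")
            if algo not in ALLOWED_ALGOS or not hexd.isalnum():
                errors.append(f"unsupported digest: {desc.get('digest')!r}")
                return None
            data = read(f"blobs/{algo}/{hexd}")
            if data is None:
                errors.append(f"missing blob: {algo}:{hexd}")
            elif len(data) != desc.get("size"):
                errors.append(f"size mismatch: {algo}:{hexd}")
            elif hashlib.new(algo, data).hexdigest() != hexd:
                errors.append(f"digest mismatch: {algo}:{hexd}")
            else:
                return data
            return None

        layout = read("oci-layout")
        if layout is None or "imageLayoutVersion" not in json.loads(layout):
            errors.append("oci-layout missing or lacks imageLayoutVersion")
        index = read("index.json")
        if index is None:
            errors.append("index.json missing")
            return errors
        for manifest_desc in json.loads(index).get("manifests", []):
            manifest_bytes = check(manifest_desc)
            if manifest_bytes is None:
                continue  # never parse a manifest that failed verification
            manifest = json.loads(manifest_bytes)
            for desc in [manifest["config"], *manifest.get("layers", [])]:
                check(desc)
    return errors


if __name__ == "__main__":
    print(verify_oci_layout(build_sample_oci_tar()))
    print(verify_oci_layout(build_sample_oci_tar(tamper_layer=True)))
```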


OCI images in yocto image

Peter Bergin
 

Hi,

I'm exploring the world of containers combined with Yocto. I can build a container image and bundle that one with my rootfs image. The container image is stored in the rootfs as a tar-file of an OCI image spec with the content blobs, index.json and oci-layout. As per the description in classes/image-oci.bbclass the way to run the container is to unpack the file and then create the OCI runtime bundle and start it with runc.

I have played around with docker and tried to import OCI image directly in to docker store but have not succeeded. Anyone that knows if it is possible? 'docker image import <oci-image>.tar' does not give any errors and the image shows up in 'docker images' but does not import the correct rootfs.

When creating the OCI image in image-oci.bbclass the process starts with a bundle that is packaged as an image and compressed to a tar-file. Given the above the whole process needs to be reverted on target to start a container from that image. It should then be possible to just install the bundle directly on target rootfs that directly can be started with runc. Are there any drawbacks with this? I can see that a tar-file is easier to distribute and install afterwards but my question is related to directly integrating an OCI-image to a Yocto rootfs-image.

Best regards,

/Peter


Re: [PATCH honister] k3s: uprev from v1.21.5+k3s1 to v1.21.9+k3s1

Bruce Ashfield
 

On Wed, Feb 9, 2022 at 10:32 AM Diego Sueiro <diego.sueiro@...> wrote:

Also fix build issues related to:
Log data follows:
| DEBUG: Executing shell function do_compile
| go: inconsistent vendoring in /[...]/build/tmp/work/aarch64-poky-linux/k3s/v1.21.9+k3s1-r0/k3s-v1.21.9+k3s1/src/import:
| github.com/containerd/cgroups@....1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
| github.com/containerd/containerd@....7: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
| github.com/containerd/cri@...: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
|...
| mvdan.cc/unparam: is replaced in go.mod, but not marked as replaced in vendor/modules.txt

Short log since v1.21.5+k3s1:
101917b0c4 (tag: v1.21.9-rc1+k3s1, tag: v1.21.9+k3s1) Update to v1.21.9 (#4994)
8069a88177 Merge pull request #4978 from manuelbuil/ip6tables-release121
dc970d27ca Merge pull request #4982 from rbrtbnfgl/ipv6-nat_release-1.21
447279299b go generate
00068c92ea Fix CRD version lookup
683efbb737 Update packaged components
f856aa94d6 Upgrade: metrics server version bump from v0.5.0 to v0.5.2
900e5ff519 [Release-1.21] Adds the ability to compress etcd snapshots (#4866) (#4959)
42d160da5b Move flannel logs to logrus
de12630ec0 Added debug log for IPv6 Masquerading rule
bb3fe9b185 Added flannel-ipv6-masq flag to enable IPv6 nat
bfafe909d1 Remove ip6table rules when cleaning up k3s
758331404e Added iptables masquerade rules for ipv6 on flannel
f540db4570 Update etcd to v3.4.18-k3s1
6644357d0e Skip CGroup v2 evac when agent is disabled
f11f0748e9 Enable logging on all subcommands (#4921) (#4932)
be3c430985 (tag: v1.21.8-rc2+k3s2, tag: v1.21.8+k3s2) Move ClusterResetRestore handling ControlConfig setup
c25ffa9ea3 (tag: v1.21.8-rc1+k3s2) Add basic etcd join test
a0521c29eb Fix handling of agent-token fallback to token
4b3f5be45d Fix use of agent creds for secrets-encrypt and config validate
512268458e Merge pull request #4842 from luthermonson/rm-vendor-121
03aa6d568f drop vendor dir
1942d18447 code to remove vendor dir
d47e38e05e Add etcd sonobuoy tests
9df916e86d Add variable to enforce max test concurrency
58501554f3 Fix previous channel detection
8b4553c921 More codespell ignores
625dd61a60 Close etcd clients to avoid leaking GRPC connections
14364119f6 Build script cleanups
b39c805d52 Bump k3s-root to v0.10.1
5641f9b328 Fix panic checking name of uninitialized etcd member
046961c4c6 Update bootstrap logic to output all changed files on disk (#4800) (#4808)
7e9ac115f4 [Release-1.21] Close agentReady channel only in k3s (#4794)
cbff7350ec (tag: v1.21.8-rc2+k3s1, tag: v1.21.8+k3s1) Merge pull request #4778 from manuelbuil/fix-rke2-ha-121
8d2170f5c4 Remove Disables, Skips and DisableKubeProxy from the comparing configs
78102dcc01 (tag: v1.21.8-rc1+k3s1) Update to v1.21.8 (#4760)
6bac01fc58 [Release-1.21] Fix cold boot and reconcilation on secondary servers (#4753)
5260e4a649 (tag: v1.21.7-rc2+k3s2) Merge pull request #4734 from briandowns/backport_issue-4644-release-1.21
0d065c8491 Fix snapshot restoration on fresh nodes (#4737)
98d6d38d61 Resolve Bootstrap Migration Edge Case (#4730)
53ef842a98 (tag: v1.21.7-rc1+k3s2) Resolve restore bootstrap (#4704) (#4716)
d2f0bbb381 Bump runc to v1.0.3
3024462196 Add validation to certificate rotation (#4697)
8e1b2340c9 Bump wharfie to v0.5.1 and use shared decompression code
f468e10fcf bump kine to v0.6.5
b526e98d1b Include node-external-ip in serving-kubelet.crt SANs (#4620)
1e67a2b004 Merge pull request #4679 from manuelbuil/ha-verify-1.21
8ea26cdad1 Check HA network parameters
1055837e4f Backport secrets-encrypte command (#4658)
7b62900836 [Release-1.21] Add cert rotation command (#4632)
378201a459 Merge pull request #4616 from manuelbuil/loggingFlannel1.21
1390792919 Improve flannel logging
a622dd57f3 [release-1.21] etcd snapshot functionality enhancements (#4606)
ac70570999 (tag: v1.21.7-rc2+k3s1, tag: v1.21.7+k3s1) go generate
3f40742363 Add package version to traefik helm chart
d09821c2ed (tag: v1.21.7-rc1+k3s1) [release-1.21] Bump golang and containerd versions (#4539)
7f737097bc [release-1.21] Bump Kubernetes to v1.21.7-k3s1 (#4531)
1847a711e7 Fix regression with cluster reset (#4524)
5b456972c3 Merge pull request #4519 from manuelbuil/backport_ipv6_rh_121
fd71ed9f4a Allow svclb pod to enable ipv6 forwarding
c096668cde Merge pull request #4515 from manuelbuil/fix_dualStack
43e15c4028 Backport updating cniplugins version and klipper-lb images
256f5d504a Merge pull request #4513 from manuelbuil/backport_dual-stack
88e77fdbfd Improved regex for double equals arguments (#4508)
e777b2c767 Dual-stack support LB controller
6854470a14 Merge pull request #4503 from manuelbuil/fix_dualStack_bug
7de34a0059 Fix bug in dual-stack
93cf545ab2 [Release-1.21] Removed warning about skipping flags (#4493)
119b1aeb25 [Release-1.21] etcd-snapshot loading config fails with "flag provided but not defined" (#4482)
334eae119a [release-1.21] Add etcd extra args support for K3s (#4471)
10c854c00e Increase agent's apiserver ready timeout (#4457)
c9d4543c99 go generate
7d5d1dbb80 Add dashboard annotations to Traefik helm chart
864e800896 [Release-1.21] All bootstrap backport (#4452)
df033fa248 (tag: v1.21.6-rc3+k3s1, tag: v1.21.6+k3s1) Fix log/reap reexec
254d2f696e (tag: v1.21.6-rc2+k3s1) Fix other uses of NewForConfigOrDie in contexts where we could return err
388963440d Watch the local Node object instead of get/sleep looping
afa1981f1d Block scheduler startup on untainted node when using embedded CCM
3fba7c1021 (tag: v1.21.6-rc1+k3s1) Update to v1.21.6 (#4350)
bb50c45a6f Revert "Backport bootstrap release 1.21 (#4313)"
d413f97146 Update peer address when running cluster-reset
f0ea0a0946 Backport bootstrap release 1.21 (#4313)
63bcc307fb Bump klipper-helm version
50fb1ce065 Added configuration input to etcd-snapshot (#4280) (#4282)
944ea312be Merge pull request #4267 from manuelbuil/1.21-flannel-update
11dce34b4e Update to the newest flannel
41b0997e31 Add dual-stack support
a18c2efb4c Refactor log and reaper exec to omit MAINPID
504e249a5e Add containerd ready channel to delay etcd node join
e814850eef Fix premature etcd shutdown when joining an existing cluster
7cbdea6bd2 go mod tidy
557d425010 Minor cleanup on cribbed function
4f28561e34 Wait for apiserver readyz instead of healthz
17f1aa36e2 Merge pull request #4251 from manuelbuil/1.21-race-fix
89f5721a3a Fix race condition in cloud provider
4aa9553978 [Release-1.21] - Add etcd s3 timeout (#4207) (#4228)
22f7f1c41a Make sure there are no duplicates in etcd member list (#4025) (#4213)
e7bf7b141f Display cluster tls error only in debug mode (#4201)
aa5a0a8c78 set transport to skip verify if se skip flag passed (#4102) (#4104)
3ee5098225 Add "etcd-" prefix to etcd-snapshot commands as aliases (#4161) (#4171)
724ef700ba (tag: v1.21.5-rc1+k3s2, tag: v1.21.5+k3s2) Bump containerd to v1.4.11+k3s1
69a9f46bce Don't evacuate the root cgroup when rootless
0af55a830a Skip tests that violate version skew policy
9e66f975d5 Fix PREVIOUS_CHANNEL lookup when current minor release is not stable
38ddda587a Properly handle operation as init process
c948305076 Merge pull request #4099 from manuelbuil/sysctl_ipv6_inheritance_1.21
15f3a2ebfb Enable the inheritance of settings for ipv6
273827d4ba Update build images to python3 for compat with recent gsutil change
8c2f7ac41c Remove experimental from cluster commands
acad8ef840 (tag: v1.21.5-rc1+k3s1, tag: v1.21.5+k3s1) [release-1.21] Update Kubernetes to v1.21.5 (#4032)

Signed-off-by: Diego Sueiro <diego.sueiro@...>
---
recipes-containers/k3s/k3s_git.bb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/recipes-containers/k3s/k3s_git.bb b/recipes-containers/k3s/k3s_git.bb
index bcfa959..77ad6d4 100644
--- a/recipes-containers/k3s/k3s_git.bb
+++ b/recipes-containers/k3s/k3s_git.bb
@@ -13,10 +13,9 @@ SRC_URI = "git://github.com/rancher/k3s.git;branch=release-1.21;name=k3s;protoco
file://0001-Finding-host-local-in-usr-libexec.patch;patchdir=src/import \
file://k3s-killall.sh \
"
-SRC_URI[k3s.md5sum] = "363d3a08dc0b72ba6e6577964f6e94a5"
-SRCREV_k3s = "aa5a0a8c783a8a4475b727a04d6594c0fea09253"
+SRCREV_k3s = "101917b0c493dd1effac1074feb1d5462b9a189b"

-PV = "v1.21.5+k3s1"
+PV = "v1.21.9+k3s1"

CNI_NETWORKING_FILES ?= "${WORKDIR}/cni-containerd-net.conf"

@@ -30,7 +29,7 @@ PACKAGECONFIG[upx] = ",,upx-native"
GO_IMPORT = "import"
GO_BUILD_LDFLAGS = "-X github.com/rancher/k3s/pkg/version.Version=${PV} \
-X github.com/rancher/k3s/pkg/version.GitCommit=${@d.getVar('SRCREV_k3s', d, 1)[:8]} \
- -w -s \
+ -w -s -v \
"
BIN_PREFIX ?= "${exec_prefix}/local"

@@ -40,11 +39,12 @@ REQUIRED_DISTRO_FEATURES ?= "seccomp"
do_compile() {
export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go"
export CGO_ENABLED="1"
- export GOFLAGS="-mod=vendor"
+ export GOFLAGS="-mod=vendor -modcacherw"

TAGS="static_build ctrd no_btrfs netcgo osusergo providerless"

cd ${S}/src/import
+ ${GO} mod vendor -v && ${GO} mod tidy -v
Unfortunately .. no, we can't take this change.

I'm working on a full update to k3s in master, and it is running into
similar challenges due to the removal of vendor upstream.

The solution isn't simple, since it is something that has to be
generic, as it applies to many different recipes in
meta-virtualization.

Bruce

${GO} build -tags "$TAGS" -ldflags "${GO_BUILD_LDFLAGS} -w -s" -o ./dist/artifacts/k3s ./cmd/server/main.go

# Use UPX if it is enabled (and thus exists) to compress binary
--
2.35.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


[PATCH honister] k3s: uprev from v1.21.5+k3s1 to v1.21.9+k3s1

Diego Sueiro
 

Also fix build issues related to:
Log data follows:
| DEBUG: Executing shell function do_compile
| go: inconsistent vendoring in /[...]/build/tmp/work/aarch64-poky-linux/k3s/v1.21.9+k3s1-r0/k3s-v1.21.9+k3s1/src/import:
| github.com/containerd/cgroups@....1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
| github.com/containerd/containerd@....7: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
| github.com/containerd/cri@...: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
|...
| mvdan.cc/unparam: is replaced in go.mod, but not marked as replaced in vendor/modules.txt

Short log since v1.21.5+k3s1:
101917b0c4 (tag: v1.21.9-rc1+k3s1, tag: v1.21.9+k3s1) Update to v1.21.9 (#4994)
8069a88177 Merge pull request #4978 from manuelbuil/ip6tables-release121
dc970d27ca Merge pull request #4982 from rbrtbnfgl/ipv6-nat_release-1.21
447279299b go generate
00068c92ea Fix CRD version lookup
683efbb737 Update packaged components
f856aa94d6 Upgrade: metrics server version bump from v0.5.0 to v0.5.2
900e5ff519 [Release-1.21] Adds the ability to compress etcd snapshots (#4866) (#4959)
42d160da5b Move flannel logs to logrus
de12630ec0 Added debug log for IPv6 Masquerading rule
bb3fe9b185 Added flannel-ipv6-masq flag to enable IPv6 nat
bfafe909d1 Remove ip6table rules when cleaning up k3s
758331404e Added iptables masquerade rules for ipv6 on flannel
f540db4570 Update etcd to v3.4.18-k3s1
6644357d0e Skip CGroup v2 evac when agent is disabled
f11f0748e9 Enable logging on all subcommands (#4921) (#4932)
be3c430985 (tag: v1.21.8-rc2+k3s2, tag: v1.21.8+k3s2) Move ClusterResetRestore handling ControlConfig setup
c25ffa9ea3 (tag: v1.21.8-rc1+k3s2) Add basic etcd join test
a0521c29eb Fix handling of agent-token fallback to token
4b3f5be45d Fix use of agent creds for secrets-encrypt and config validate
512268458e Merge pull request #4842 from luthermonson/rm-vendor-121
03aa6d568f drop vendor dir
1942d18447 code to remove vendor dir
d47e38e05e Add etcd sonobuoy tests
9df916e86d Add variable to enforce max test concurrency
58501554f3 Fix previous channel detection
8b4553c921 More codespell ignores
625dd61a60 Close etcd clients to avoid leaking GRPC connections
14364119f6 Build script cleanups
b39c805d52 Bump k3s-root to v0.10.1
5641f9b328 Fix panic checking name of uninitialized etcd member
046961c4c6 Update bootstrap logic to output all changed files on disk (#4800) (#4808)
7e9ac115f4 [Release-1.21] Close agentReady channel only in k3s (#4794)
cbff7350ec (tag: v1.21.8-rc2+k3s1, tag: v1.21.8+k3s1) Merge pull request #4778 from manuelbuil/fix-rke2-ha-121
8d2170f5c4 Remove Disables, Skips and DisableKubeProxy from the comparing configs
78102dcc01 (tag: v1.21.8-rc1+k3s1) Update to v1.21.8 (#4760)
6bac01fc58 [Release-1.21] Fix cold boot and reconcilation on secondary servers (#4753)
5260e4a649 (tag: v1.21.7-rc2+k3s2) Merge pull request #4734 from briandowns/backport_issue-4644-release-1.21
0d065c8491 Fix snapshot restoration on fresh nodes (#4737)
98d6d38d61 Resolve Bootstrap Migration Edge Case (#4730)
53ef842a98 (tag: v1.21.7-rc1+k3s2) Resolve restore bootstrap (#4704) (#4716)
d2f0bbb381 Bump runc to v1.0.3
3024462196 Add validation to certificate rotation (#4697)
8e1b2340c9 Bump wharfie to v0.5.1 and use shared decompression code
f468e10fcf bump kine to v0.6.5
b526e98d1b Include node-external-ip in serving-kubelet.crt SANs (#4620)
1e67a2b004 Merge pull request #4679 from manuelbuil/ha-verify-1.21
8ea26cdad1 Check HA network parameters
1055837e4f Backport secrets-encrypte command (#4658)
7b62900836 [Release-1.21] Add cert rotation command (#4632)
378201a459 Merge pull request #4616 from manuelbuil/loggingFlannel1.21
1390792919 Improve flannel logging
a622dd57f3 [release-1.21] etcd snapshot functionality enhancements (#4606)
ac70570999 (tag: v1.21.7-rc2+k3s1, tag: v1.21.7+k3s1) go generate
3f40742363 Add package version to traefik helm chart
d09821c2ed (tag: v1.21.7-rc1+k3s1) [release-1.21] Bump golang and containerd versions (#4539)
7f737097bc [release-1.21] Bump Kubernetes to v1.21.7-k3s1 (#4531)
1847a711e7 Fix regression with cluster reset (#4524)
5b456972c3 Merge pull request #4519 from manuelbuil/backport_ipv6_rh_121
fd71ed9f4a Allow svclb pod to enable ipv6 forwarding
c096668cde Merge pull request #4515 from manuelbuil/fix_dualStack
43e15c4028 Backport updating cniplugins version and klipper-lb images
256f5d504a Merge pull request #4513 from manuelbuil/backport_dual-stack
88e77fdbfd Improved regex for double equals arguments (#4508)
e777b2c767 Dual-stack support LB controller
6854470a14 Merge pull request #4503 from manuelbuil/fix_dualStack_bug
7de34a0059 Fix bug in dual-stack
93cf545ab2 [Release-1.21] Removed warning about skipping flags (#4493)
119b1aeb25 [Release-1.21] etcd-snapshot loading config fails with "flag provided but not defined" (#4482)
334eae119a [release-1.21] Add etcd extra args support for K3s (#4471)
10c854c00e Increase agent's apiserver ready timeout (#4457)
c9d4543c99 go generate
7d5d1dbb80 Add dashboard annotations to Traefik helm chart
864e800896 [Release-1.21] All bootstrap backport (#4452)
df033fa248 (tag: v1.21.6-rc3+k3s1, tag: v1.21.6+k3s1) Fix log/reap reexec
254d2f696e (tag: v1.21.6-rc2+k3s1) Fix other uses of NewForConfigOrDie in contexts where we could return err
388963440d Watch the local Node object instead of get/sleep looping
afa1981f1d Block scheduler startup on untainted node when using embedded CCM
3fba7c1021 (tag: v1.21.6-rc1+k3s1) Update to v1.21.6 (#4350)
bb50c45a6f Revert "Backport bootstrap release 1.21 (#4313)"
d413f97146 Update peer address when running cluster-reset
f0ea0a0946 Backport bootstrap release 1.21 (#4313)
63bcc307fb Bump klipper-helm version
50fb1ce065 Added configuration input to etcd-snapshot (#4280) (#4282)
944ea312be Merge pull request #4267 from manuelbuil/1.21-flannel-update
11dce34b4e Update to the newest flannel
41b0997e31 Add dual-stack support
a18c2efb4c Refactor log and reaper exec to omit MAINPID
504e249a5e Add containerd ready channel to delay etcd node join
e814850eef Fix premature etcd shutdown when joining an existing cluster
7cbdea6bd2 go mod tidy
557d425010 Minor cleanup on cribbed function
4f28561e34 Wait for apiserver readyz instead of healthz
17f1aa36e2 Merge pull request #4251 from manuelbuil/1.21-race-fix
89f5721a3a Fix race condition in cloud provider
4aa9553978 [Release-1.21] - Add etcd s3 timeout (#4207) (#4228)
22f7f1c41a Make sure there are no duplicates in etcd member list (#4025) (#4213)
e7bf7b141f Display cluster tls error only in debug mode (#4201)
aa5a0a8c78 set transport to skip verify if se skip flag passed (#4102) (#4104)
3ee5098225 Add "etcd-" prefix to etcd-snapshot commands as aliases (#4161) (#4171)
724ef700ba (tag: v1.21.5-rc1+k3s2, tag: v1.21.5+k3s2) Bump containerd to v1.4.11+k3s1
69a9f46bce Don't evacuate the root cgroup when rootless
0af55a830a Skip tests that violate version skew policy
9e66f975d5 Fix PREVIOUS_CHANNEL lookup when current minor release is not stable
38ddda587a Properly handle operation as init process
c948305076 Merge pull request #4099 from manuelbuil/sysctl_ipv6_inheritance_1.21
15f3a2ebfb Enable the inheritance of settings for ipv6
273827d4ba Update build images to python3 for compat with recent gsutil change
8c2f7ac41c Remove experimental from cluster commands
acad8ef840 (tag: v1.21.5-rc1+k3s1, tag: v1.21.5+k3s1) [release-1.21] Update Kubernetes to v1.21.5 (#4032)

Signed-off-by: Diego Sueiro <diego.sueiro@...>
---
recipes-containers/k3s/k3s_git.bb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/recipes-containers/k3s/k3s_git.bb b/recipes-containers/k3s/k3s_git.bb
index bcfa959..77ad6d4 100644
--- a/recipes-containers/k3s/k3s_git.bb
+++ b/recipes-containers/k3s/k3s_git.bb
@@ -13,10 +13,9 @@ SRC_URI = "git://github.com/rancher/k3s.git;branch=release-1.21;name=k3s;protoco
file://0001-Finding-host-local-in-usr-libexec.patch;patchdir=src/import \
file://k3s-killall.sh \
"
-SRC_URI[k3s.md5sum] = "363d3a08dc0b72ba6e6577964f6e94a5"
-SRCREV_k3s = "aa5a0a8c783a8a4475b727a04d6594c0fea09253"
+SRCREV_k3s = "101917b0c493dd1effac1074feb1d5462b9a189b"

-PV = "v1.21.5+k3s1"
+PV = "v1.21.9+k3s1"

CNI_NETWORKING_FILES ?= "${WORKDIR}/cni-containerd-net.conf"

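Review bot: The removal of SRC_URI[k3s.md5sum] in this hunk is not mentioned in the commit message, which only covers the uprev and the vendoring build failure. For a git:// source the revision is pinned by SRCREV_k3s, so dropping the stale checksum looks correct, but please say so in the log so the cleanup is not mistaken for a loss of source verification.
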
@@ -30,7 +29,7 @@ PACKAGECONFIG[upx] = ",,upx-native"
GO_IMPORT = "import"
GO_BUILD_LDFLAGS = "-X github.com/rancher/k3s/pkg/version.Version=${PV} \
-X github.com/rancher/k3s/pkg/version.GitCommit=${@d.getVar('SRCREV_k3s', d, 1)[:8]} \
- -w -s \
+ -w -s -v \
"
BIN_PREFIX ?= "${exec_prefix}/local"

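Review bot: The -v added to GO_BUILD_LDFLAGS turns on verbose linker output and is not explained in the commit message; it reads like a debugging leftover and should be dropped or justified. Separately, do_compile already passes "${GO_BUILD_LDFLAGS} -w -s", so -w -s ends up on the link line twice; one of the two could go while this line is being touched.
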
@@ -40,11 +39,12 @@ REQUIRED_DISTRO_FEATURES ?= "seccomp"
do_compile() {
export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go"
export CGO_ENABLED="1"
- export GOFLAGS="-mod=vendor"
+ export GOFLAGS="-mod=vendor -modcacherw"

TAGS="static_build ctrd no_btrfs netcgo osusergo providerless"

cd ${S}/src/import
+ ${GO} mod vendor -v && ${GO} mod tidy -v
${GO} build -tags "$TAGS" -ldflags "${GO_BUILD_LDFLAGS} -w -s" -o ./dist/artifacts/k3s ./cmd/server/main.go

# Use UPX if it is enabled (and thus exists) to compress binary
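
Review bot: Running "${GO} mod vendor -v && ${GO} mod tidy -v" inside do_compile regenerates the vendor tree at compile time, so the module sources are resolved by the Go tool during the build instead of by the fetcher, and nothing in the recipe pins them beyond upstream's go.mod and go.sum. With the vendor directory dropped upstream (see the short log), that means downloads during do_compile and build inputs that are harder to audit and reproduce. If regeneration stays, run mod tidy before mod vendor, since tidy can rewrite go.mod after vendor/modules.txt has been written, and state in the log why -modcacherw is needed.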
--
2.35.1


Re: Docker and GPLv3

Mans Zigher
 

Thank you all for your answers

BR

On Fri, 4 Feb 2022 at 16:29, Mikko Rapeli <mikko.rapeli@...> wrote:


Hi,

On Fri, Feb 04, 2022 at 04:03:52PM +0100, Joakim Roubert wrote:
On 2022-02-04 15:30, Mans Zigher wrote:

with our current understanding our customer cannot comply with GPLv3
so we have to avoid it at all cost.
I think this is a situation where

https://layers.openembedded.org/layerindex/branch/master/layer/meta-gplv2/

might come in handy, together with something like

PREFERRED_VERSION_bash ?= "3.2.%"

in the local.conf (or similar suitable configuration place).
While this would work, I can't recommend using meta-gplv2 as it contains unmaintained
SW versions.

Just configure the build to avoid GPLv3 via distro config, e.g.

INCOMPATIBLE_LICENSE_append += " GPLv3 GPLv3+ LGPLv3 LGPLv3+"

and configure SW components to build without GPLv3 dependencies.
lxc for example compiles just fine without rsync and bash.

Additionally a lot of GPLv3 recipes can be enabled to build but be forbidden
in images, e.g. in distro config:

WHITELIST_GPL-3.0 += "bash"
PACKAGE_EXCLUDE += "bash-ptest bash-dbg bash-staticdev bash-dev bash-doc bash-locale bashbug bash"

Some refactoring of SW architecture may be needed to remove any dependencies to GPLv3
licensed SW. For development and testing GPLv3 components can often be used.

Cheers,

-Mikko


Re: [hardknott][PATCH] libvirt: fix CVE-2021-3975

Bruce Ashfield
 

merged to hardknott.

Bruce

In message: [meta-virtualization] [hardknott][PATCH] libvirt: fix CVE-2021-3975
on 29/01/2022 Changqing Li wrote:

From: Changqing Li <changqing.li@...>

Signed-off-by: Changqing Li <changqing.li@...>
---
.../libvirt/libvirt/CVE-2021-3975.patch | 43 +++++++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3975.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
new file mode 100644
index 0000000..72cee94
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
@@ -0,0 +1,43 @@
+From 30de45c73106cacfc0aacc8f11c88e1aa5372d77 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@...>
+Date: Sat, 29 Jan 2022 13:25:54 +0800
+Subject: [PATCH] qemu: Add missing lock in qemuProcessHandleMonitorEOF
+
+qemuMonitorUnregister will be called in multiple threads (e.g. threads
+in rpc worker pool and the vm event thread). In some cases, it isn't
+protected by the monitor lock, which may lead to call g_source_unref
+more than one time and a use-after-free problem eventually.
+
+Add the missing lock in qemuProcessHandleMonitorEOF (which is the only
+position missing lock of monitor I found).
+
+Suggested-by: Michal Privoznik <mprivozn@...>
+Signed-off-by: Peng Liang <liangpeng10@...>
+Signed-off-by: Michal Privoznik <mprivozn@...>
+Reviewed-by: Michal Privoznik <mprivozn@...>
+
+Upstream-Status: Backport [https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7]
+CVE: CVE-2021-3975
+
+Signed-off-by: Changqing Li <changqing.li@...>
+---
+ src/qemu/qemu_process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 8ea470f..64b8472 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -315,7 +315,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon,
+ /* We don't want this EOF handler to be called over and over while the
+ * thread is waiting for a job.
+ */
++ virObjectLock(mon);
+ qemuMonitorUnregister(mon);
++ virObjectUnlock(mon);
+
+ /* We don't want any cleanup from EOF handler (or any other
+ * thread) to enter qemu namespace. */
+--
+2.17.1
+
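
Review bot: The header of the embedded CVE-2021-3975.patch carries "From: Changqing Li" and a 29 Jan 2022 date, while the Signed-off-by chain (starting with Peng Liang) and the Upstream-Status line show it is a backport of an upstream libvirt commit; keep the original author and date in the header and add only the backporter's Signed-off-by. Also, the upstream message says qemuProcessHandleMonitorEOF was the only unlocked caller found, and that was stated for the upstream tree, so it is worth confirming that the other qemuMonitorUnregister call sites in 6.3.0 hold the monitor lock as well.
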
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index 091296e..8e95ad6 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2020-25637_4.patch \
file://CVE-2021-3631.patch \
file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
+ file://CVE-2021-3975.patch \
"

SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
--
2.17.1



Re: [PATCH v2] openvswitch: uprev from v2.15.1 to v2.15.3

Bruce Ashfield
 

merged to master.

Bruce

In message: [meta-virtualization][PATCH v2] openvswitch: uprev from v2.15.1 to v2.15.3
on 28/01/2022 He Zhe wrote:

commits short logs:
e4d2df62e (tag: v2.15.3) Set release date for 2.15.3.
b8baa1141 python: Add cooperative_yield() API method to Idl.
7834abc66 ofproto-dpif-xlate: Snoop ingress packets and update neigh cache if needed.
833c02daa tnl-neigh-cache: Do not refresh the entry while revalidating.
e2182eca8 tnl-neigh-cache: Include expected array sizes in prototypes.
566fe4372 tnl-neigh-cache: Read/write expires atomically.
d477f6000 compat: handle NF_REPEAT error on nf_conntrack_in.
0590e8838 flow: Consider dataofs when parsing TCP packets.
7266042d8 tests/flowgen: Fix packet data endianness.
d2e0632db ofproto: Fix resource usage explosion due to removal of large number of flows.
0a7e66e37 ofproto: Fix resource usage explosion while processing bundled FLOW_MOD.
68466efed tests/flowgen: Fix length field of 802.2 data link header.
2a2185f9e ovs-lib: Backup and remove existing DB when joining cluster.
fcbc29c6f docs/dpdk: Fix install doc.
a5d97d420 ovs-save: Save igmp flows in ofp_parse syntax.
1cbd1f0f5 faq: Update OVS/DPDK version table for OVS 2.13/2.14.
01bc910e5 ofproto-dpif-xlate: Fix check_pkt_larger incomplete translation.
08a270dda datapath-windows: Reset flow key after Ipv4 fragments are reassembled
eca2d50d4 datapath-windows:Reset PseudoChecksum value only for TX direction offload case
031cf67e0 netdev-offload-tc: Verify the flower rule installed.
952e85150 ci: Make linux-prepare trust system installs.
2cf63851a Prepare for 2.15.3.
63f9a7c5d (tag: v2.15.2) Set release date for 2.15.2.
b7d9c491e datapath-windows: add layers when adding the deferred actions
3f718857e ofproto-dpif-xlate: Fix zone set from non-frozen-metadata fields.
ea2ca0af1 dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments.
9f964354e tunnel-push-pop.at: Mask source port in tunnel header.
58397f222 dpdk-stub: Change the ERR log to DBG.
2a963fc31 python: idl: Avoid sending transactions when the DB is not synced up.
9efa2ea61 ipf: release unhandled packets from the batch
f8274b78c datapath-windows:adjust Offset when processing packet in POP_VLAN action
a2f860aa2 cirrus: Reduce memory requirements for FreeBSD VMs.
7788f1579 netdev-linux: Fix a null pointer dereference in netdev_linux_notify_sock().
dd32deba6 pcap-file: Fix memory leak in ovs_pcap_open().
9f2f66c8e odp-util: Fix a null pointer dereference in odp_flow_format().
02b0c265c odp-util: Fix a null pointer dereference in odp_nsh_key_from_attr__().
031eff456 netdev-dpdk: Fix RSS configuration for virtio.
09cd9570d ipf: Fix only nat the first fragment in the reass process.
ef8ca3e19 dpif-netdev: Fix crash when PACKET_OUT is metered.
d3ff41d60 tc: Set action flags for tunnel_key release.
079a4de72 netlink-socket: Replace error with txn->error when logging nacked transactions.
f8cc5aa35 dynamic-string: Fix a crash in ds_clone().
64d1bba91 dpif-netdev: fix memory leak in dpcls subtable set command
90b219275 dpif-netdev: Do not flush PMD offloads on reload.
b29b04f85 dpif-netdev: Fix offloads of modified flows.
1d0b89ea7 dpif-netdev: Fix flow modification after failure.
8d84a4b16 netdev-offload-dpdk: Fix IPv6 rewrite cast-align warning.
f3f7849cb daemon-unix: Fix leak of a fork error message.
8aa0f0374 ovsdb-cs: Perform forced reconnects without a backoff.
ee4e034dc datapath-windows:Correct checksum for DNAT action
72132a940 bond: Fix broken rebalancing after link state changes.
aa84cfe25 dpif-netlink: Fix report_loss() message.
aec05f7cd ovsdb-server: Fix memleak when failing to read storage.
05bdf11fc conntrack: Init hash basis first at creation.
94e3b9d9c netdev-linux: Ignore TSO packets when TSO is not enabled for userspace.
842bfb899 conntrack: Handle already natted packets.
ab873c1af conntrack: Document all-zero IP SNAT behavior and add a test case.
86d6a9ee1 python: Fix Idl.run change_seqno update.
1ba0c8365 bridge: Use correct (legacy) role names in database.
7e5293ea5 Prepare for 2.15.2.

The ptest results BEFORE uprev:
ERROR: 2231 tests were run,
27 failed unexpectedly.
62 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - recirculation after resubmit
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

The ptest results AFTER uprev:
ERROR: 2266 tests were run,
27 failed unexpectedly.
65 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop - packet_out debug_slow
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

Signed-off-by: He Zhe <zhe.he@...>
---
recipes-networking/openvswitch/openvswitch_git.bb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 0fb7c132..4d413170 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS:${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15.1+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS:append := "${THISDIR}/${PN}-git:"

-SRCREV = "f8274b78c3403591e84f3c2bbacf8c86920d68ba"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
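Review bot: CVE_VERSION is hard-coded next to PV and had drifted: the removed line shows it at 2.13.0 while PV was already 2.15.1, so anything keyed on CVE_VERSION was evaluating the wrong release until this change. Consider deriving it from PV (without the +${SRCPV} suffix) or adding a comment that the two must be bumped together, so the next uprev cannot leave it stale. The commit message could also say that the failing set changed although the count stayed at 27: "ofproto-dpif - recirculation after resubmit" no longer fails and "tunnel_push_pop - packet_out debug_slow" is new.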
--
2.17.1


Re: [PATCH] libibverbs: update LICENSE

Bruce Ashfield
 

merged.

Bruce

In message: [meta-virtualization] [PATCH] libibverbs: update LICENSE
on 04/02/2022 Ross Burton wrote:

As per COPYING, this is BSD-2-Clause or GPLv2.

Signed-off-by: Ross Burton <ross.burton@...>
---
recipes-extended/libibverbs/libibverbs_1.2.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-extended/libibverbs/libibverbs_1.2.1.bb b/recipes-extended/libibverbs/libibverbs_1.2.1.bb
index 90c424e..f40eccf 100644
--- a/recipes-extended/libibverbs/libibverbs_1.2.1.bb
+++ b/recipes-extended/libibverbs/libibverbs_1.2.1.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Libibverbs is a library that allows userspace processes to use In
HOMEPAGE = "http://www.openfabrics.org/downloads/verbs/"
SECTION = "libs/devel"

-LICENSE = "BSD"
+LICENSE = "GPLv2 | BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=7c557f27dd795ba77cc419dddc656b51"

# Official repo is at git://git.kernel.org/pub/scm/libs/infiniband/libibverbs.git
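Review bot: on the new LICENSE line, "GPLv2" states version 2 only, and the commit message cites COPYING without saying whether the text grants "or any later version". Please confirm against COPYING and use "GPLv2+" if it does, since downstream license audits read this field literally. LIC_FILES_CHKSUM is unchanged, which is consistent with a metadata-only correction.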
--
2.25.1



Re: [hardknott][PATCH v2] openvswitch: uprev from v2.15.0 to v2.15.3

Bruce Ashfield
 

merged to hardknott.

Bruce

In message: [meta-virtualization][hardknott][PATCH v2] openvswitch: uprev from v2.15.0 to v2.15.3
on 28/01/2022 He Zhe wrote:

Drop the following backported patch.
0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch

commits short logs:
e4d2df62e (tag: v2.15.3) Set release date for 2.15.3.
b8baa1141 python: Add cooperative_yield() API method to Idl.
7834abc66 ofproto-dpif-xlate: Snoop ingress packets and update neigh cache if needed.
833c02daa tnl-neigh-cache: Do not refresh the entry while revalidating.
e2182eca8 tnl-neigh-cache: Include expected array sizes in prototypes.
566fe4372 tnl-neigh-cache: Read/write expires atomically.
d477f6000 compat: handle NF_REPEAT error on nf_conntrack_in.
0590e8838 flow: Consider dataofs when parsing TCP packets.
7266042d8 tests/flowgen: Fix packet data endianness.
d2e0632db ofproto: Fix resource usage explosion due to removal of large number of flows.
0a7e66e37 ofproto: Fix resource usage explosion while processing bundled FLOW_MOD.
68466efed tests/flowgen: Fix length field of 802.2 data link header.
2a2185f9e ovs-lib: Backup and remove existing DB when joining cluster.
fcbc29c6f docs/dpdk: Fix install doc.
a5d97d420 ovs-save: Save igmp flows in ofp_parse syntax.
1cbd1f0f5 faq: Update OVS/DPDK version table for OVS 2.13/2.14.
01bc910e5 ofproto-dpif-xlate: Fix check_pkt_larger incomplete translation.
08a270dda datapath-windows: Reset flow key after Ipv4 fragments are reassembled
eca2d50d4 datapath-windows:Reset PseudoChecksum value only for TX direction offload case
031cf67e0 netdev-offload-tc: Verify the flower rule installed.
952e85150 ci: Make linux-prepare trust system installs.
2cf63851a Prepare for 2.15.3.
63f9a7c5d (tag: v2.15.2) Set release date for 2.15.2.
b7d9c491e datapath-windows: add layers when adding the deferred actions
3f718857e ofproto-dpif-xlate: Fix zone set from non-frozen-metadata fields.
ea2ca0af1 dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments.
9f964354e tunnel-push-pop.at: Mask source port in tunnel header.
58397f222 dpdk-stub: Change the ERR log to DBG.
2a963fc31 python: idl: Avoid sending transactions when the DB is not synced up.
9efa2ea61 ipf: release unhandled packets from the batch
f8274b78c datapath-windows:adjust Offset when processing packet in POP_VLAN action
a2f860aa2 cirrus: Reduce memory requirements for FreeBSD VMs.
7788f1579 netdev-linux: Fix a null pointer dereference in netdev_linux_notify_sock().
dd32deba6 pcap-file: Fix memory leak in ovs_pcap_open().
9f2f66c8e odp-util: Fix a null pointer dereference in odp_flow_format().
02b0c265c odp-util: Fix a null pointer dereference in odp_nsh_key_from_attr__().
031eff456 netdev-dpdk: Fix RSS configuration for virtio.
09cd9570d ipf: Fix only nat the first fragment in the reass process.
ef8ca3e19 dpif-netdev: Fix crash when PACKET_OUT is metered.
d3ff41d60 tc: Set action flags for tunnel_key release.
079a4de72 netlink-socket: Replace error with txn->error when logging nacked transactions.
f8cc5aa35 dynamic-string: Fix a crash in ds_clone().
64d1bba91 dpif-netdev: fix memory leak in dpcls subtable set command
90b219275 dpif-netdev: Do not flush PMD offloads on reload.
b29b04f85 dpif-netdev: Fix offloads of modified flows.
1d0b89ea7 dpif-netdev: Fix flow modification after failure.
8d84a4b16 netdev-offload-dpdk: Fix IPv6 rewrite cast-align warning.
f3f7849cb daemon-unix: Fix leak of a fork error message.
8aa0f0374 ovsdb-cs: Perform forced reconnects without a backoff.
ee4e034dc datapath-windows:Correct checksum for DNAT action
72132a940 bond: Fix broken rebalancing after link state changes.
aa84cfe25 dpif-netlink: Fix report_loss() message.
aec05f7cd ovsdb-server: Fix memleak when failing to read storage.
05bdf11fc conntrack: Init hash basis first at creation.
94e3b9d9c netdev-linux: Ignore TSO packets when TSO is not enabled for userspace.
842bfb899 conntrack: Handle already natted packets.
ab873c1af conntrack: Document all-zero IP SNAT behavior and add a test case.
86d6a9ee1 python: Fix Idl.run change_seqno update.
1ba0c8365 bridge: Use correct (legacy) role names in database.
7e5293ea5 Prepare for 2.15.2.
b855bbc32 (tag: v2.15.1) Set release date for 2.15.1.
007a4f48f dpif-netdev: Apply subtable-lookup-prio-set on any datapath.
c93358a56 netlink: removed incorrect optimization
31626579f ovs-actions.xml: Add missing bracket.
30596ec27 netdev-offload-tc: Use nl_msg_put_flag for OVS_TUNNEL_KEY_ATTR_CSUM.
728980291 conntrack: Increment coverage counter for all bad checksum cases.
881d71ea2 datapath-windows: Specify external include paths
934668c29 Remove Python 2 leftovers.
aaa596705 ipf: Fix a use-after-free error, and remove the 'do_not_steal' flag.
bc0aa785a ovsdb-idl: Fix the database update signaling if it has never been connected.
559426d2b ofproto: Fix potential NULL dereference in ofproto_ct_*_zone_timeout_policy().
f31070e27 ofproto: Fix potential NULL dereference in ofproto_get_datapath_cap().
8995d5311 dpif-netlink: Fix send of uninitialized memory in ct limit requests.
0c056891c ofproto-dpif: Fix use of uninitialized attributes of timeout policy.
121a67cad netdev-linux: Fix use of uninitialized LAG master name.
5f27ff1cf ofp_actions: Fix set_mpls_tc formatting.
e87adce83 dpif-netdev: Remove meter rate from the bucket size calculation.
a3ee3258e ovs-ofctl: Fix coredump when using "add-groups" command.
c5d2a6275 raft: Transfer leadership before creating snapshots.
553d52392 ovsdb-cs: Consider all tables when computing expected cond seqno.
8d0aebcc4 dpdk: Use DPDK 20.11.1 release.
21452722b github: Fix up malformed /etc/hosts.
90d1984b9 doc: automake: Add support for sphinx 4.0.
38a8bed70 cirrus: Look up existing versions of python dependencies.
255c38c74 ofp-group: Use big-enough buffer in ofputil_format_group().
f2c0744d2 ofproto/ofproto-dpif-sflow: Check sflow agent in case of race
ab157ef34 dpif: Fix use of uninitialized execute hash.
b1fded020 odp-util: Fix use of uninitialized erspan metadata.
f473ee568 dpif-netlink: Fix using uninitialized info.tc_modify_flow_deleted in out label.
2721606bd netdev-offload-tc: Probe for support for any of the ct_state flags.
091bc48d9 compat: Add ct_state flags definitions.
1307e90e3 Add test cases for ingress_policing parameters
d184c6ce6 netdev-linux: correct unit of burst parameter
cab998e50 ipsec: Fix IPv6 default route support for Libreswan.
b9ab7827e ovsdb-idl: Mark arc sources as updated when destination is deleted.
c82d2e3fb ovsdb-idl: Preserve references for deleted rows.
9a24ecbc2 ovsdb-idl.at: Make test outputs more predictable.
8d71feb1b ovs-ofctl: Fix segfault due to bad meter n_bands.
3a716b1d9 dpif-netdev: Refactor and fix the buckets calculation.
73ece9c87 dpif-netdev: Fix the meter buckets overflow.
d5dc16670 python: Send notifications after the transaction ends.
556e65e17 ovs-ctl: Allow recording hostname separately.
3982aee45 dpif-netdev: Fix crash when add dp flow without in_port field.
02096f1b3 Documentation: Fix DPDK qos example.
8f1dda316 raft: Report disconnected in cluster/status if candidate retries election.
79e9749da raft: Reintroduce jsonrpc inactivity probes.
2e84a4adb ovsdb-cs: Fix use-after-free for the request id.
d2c311dce connmgr: Check nullptr inside ofmonitor_report().
7307af690 ovsdb-client: Fix needs-conversion when SERVER is explicitly specified.
2a7a63571 windows, tests: Modify service test.
9b48549c6 netdev-linux: Fix indentation.
861a9f3b4 ofproto-dpif-upcall: Fix ukey leak on udpif destroy.
339044c3c ci: Use parallel build for distcheck.
38744b1bc ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
33abe6c05 Prepare for 2.15.1.

The ptest results BEFORE uprev:
ERROR: 2231 tests were run,
27 failed unexpectedly.
62 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - recirculation after resubmit
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

The ptest results AFTER uprev:
ERROR: 2266 tests were run,
27 failed unexpectedly.
65 tests were skipped.

Failed tests:
checkpatch - sign-offs
checkpatch - parenthesized constructs
checkpatch - parenthesized constructs - for
checkpatch - comments
checkpatch - whitespace around operator
checkpatch - whitespace around cast
ovs-ofctl snoop
tunnel - table version
tunnel_push_pop - erspan
tunnel_push_pop - action
tunnel_push_pop - packet_out
tunnel_push_pop - packet_out debug_slow
tunnel_push_pop_ipv6 - ip6gre
tunnel_push_pop_ipv6 - ip6erspan
tunnel_push_pop_ipv6 - action
PMD - non pmd device
ofproto-dpif - sFlow packet sampling - IPv4 collector
ofproto-dpif - sFlow packet sampling - IPv6 collector
ofproto-dpif - sFlow packet sampling - LACP structures
ofproto-dpif - sFlow packet sampling - tunnel set
ofproto-dpif - sFlow packet sampling - tunnel push
ofproto-dpif - sFlow packet sampling - MPLS
bridge - multiple bridges share a controller
bridge - add port after stopping controller
mcast - check multicasts to trunk ports are not duplicated
ptap - triangle bridge setup with L2 and L3 GRE tunnels
ptap - L3 over patch port

Signed-off-by: He Zhe <zhe.he@...>
---
recipes-networking/openvswitch/openvswitch_git.bb | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index d7f8e4b0..a66c9677 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS_${PN}-ptest += "\
"

S = "${WORKDIR}/git"
-PV = "2.15+${SRCPV}"
-CVE_VERSION = "2.13.0"
+PV = "2.15.3+${SRCPV}"
+CVE_VERSION = "2.15.3"

FILESEXTRAPATHS_append := "${THISDIR}/${PN}-git:"

-SRCREV = "8dc1733eaea866dce033b3c44853e1b09bf59fc7"
+SRCREV = "e4d2df62e65a615e19f62e2fd294709be8d75cdc"
SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15 \
file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
file://run-ptest \
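Review bot: the unchanged SRC_URI context line still fetches from github.com with protocol=git, which is unauthenticated and unencrypted, while the master version of this recipe uses protocol=https on the same URL. SRCREV is being moved here anyway, so switching this branch to protocol=https in the same change or a follow-up would keep the fetch on an authenticated transport. CVE_VERSION was also stale at 2.13.0 before this change, so a comment tying it to PV would help the next uprev.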
@@ -28,7 +28,6 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
file://systemd-update-tool-paths.patch \
file://systemd-create-runtime-dirs.patch \
file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
- file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
"

LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
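Review bot: the SRC_URI entry for 0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch is removed, but the diffstat lists only openvswitch_git.bb, so the patch file itself appears to stay in the tree unused. Delete the file in the same commit, and state in the commit message that it is dropped because the fix is upstream in the new SRCREV (the shortlog lists 38744b1bc ofp-actions: Fix use-after-free while decoding RAW_ENCAP).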
--
2.17.1


Re: Docker and GPLv3

Mikko Rapeli <mikko.rapeli@...>
 

Hi,

On Fri, Feb 04, 2022 at 04:03:52PM +0100, Joakim Roubert wrote:
On 2022-02-04 15:30, Mans Zigher wrote:

with our current understanding our customer cannot comply with GPLv3
so we have to avoid it at all cost.
I think this is a situation where

https://layers.openembedded.org/layerindex/branch/master/layer/meta-gplv2/

might come in handy, together with something like

PREFERRED_VERSION_bash ?= "3.2.%"

in the local.conf (or similar suitable configuration place).
While this would work, I can't recommend using meta-gplv2 as it contains unmaintained
SW versions.

Just configure the build to avoid GPLv3 via distro config, e.g.

INCOMPATIBLE_LICENSE_append += " GPLv3 GPLv3+ LGPLv3 LGPLv3+"

and configure SW components to build without GPLv3 dependencies.
lxc, for example, compiles just fine without rsync and bash.

Additionally, a lot of GPLv3 recipes can be enabled to build but be forbidden
in images, e.g. in distro config:

WHITELIST_GPL-3.0 += "bash"
PACKAGE_EXCLUDE += "bash-ptest bash-dbg bash-staticdev bash-dev bash-doc bash-locale bashbug bash"

Some refactoring of SW architecture may be needed to remove any dependencies to GPLv3
licensed SW. For development and testing GPLv3 components can often be used.

Cheers,

-Mikko
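
A way to check what actually landed in an image against the configuration described above, as an added example that is not part of the original message: it reads a license.manifest-style listing and flags packages whose LICENSE expression cannot be satisfied without one of the four licence names from the INCOMPATIBLE_LICENSE line. The manifest layout, the sample entries and the function names are assumptions; "|" is read as a choice and "&" as all-apply, with "&" binding tighter.

```python
import re

# Licence names taken from the INCOMPATIBLE_LICENSE line in the message above.
BLOCKED = frozenset({"GPLv3", "GPLv3+", "LGPLv3", "LGPLv3+"})

# Constructed sample, in the "KEY: value" block layout assumed for license.manifest.
SAMPLE_MANIFEST = """\
PACKAGE NAME: bash
RECIPE NAME: bash
LICENSE: GPLv3+

PACKAGE NAME: libibverbs
RECIPE NAME: libibverbs
LICENSE: GPLv2 | BSD-2-Clause

PACKAGE NAME: example-dual
RECIPE NAME: example-dual
LICENSE: GPLv2+ | LGPLv3+

PACKAGE NAME: example-combo
RECIPE NAME: example-combo
LICENSE: MIT & GPLv3

PACKAGE NAME: example-broken
RECIPE NAME: example-broken
LICENSE: (MIT &
"""


def is_blocked(expr, blocked=BLOCKED):
    """Return True when every way of satisfying expr needs a blocked licence."""
    tokens = re.findall(r"[()&|]|[^\s()&|]+", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of licence expression")
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = alternatives()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok in ("&", "|", ")"):
            raise ValueError("operator where a licence name was expected")
        return tok in blocked

    def conjunction():
        # "A & B": both apply, so one blocked operand blocks the whole term.
        value = atom()
        while peek() == "&":
            take()
            value = atom() or value
        return value

    def alternatives():
        # "A | B": a choice, blocked only if no acceptable alternative is left.
        value = conjunction()
        while peek() == "|":
            take()
            value = conjunction() and value
        return value

    result = alternatives()
    if pos != len(tokens):
        raise ValueError("trailing tokens in licence expression")
    return result


def parse_manifest(text):
    """Split the manifest into one dict per blank-line-separated package block."""
    packages, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        packages.append(current)
    return packages


def audit(text, blocked=BLOCKED):
    """Return (package, licence) pairs that need review; unparsable entries fail closed."""
    findings = []
    for pkg in parse_manifest(text):
        licence = pkg.get("LICENSE", "")
        try:
            bad = is_blocked(licence, blocked)
        except ValueError:
            bad = True
        if bad:
            findings.append((pkg.get("PACKAGE NAME", "?"), licence))
    return findings


if __name__ == "__main__":
    for name, licence in audit(SAMPLE_MANIFEST):
        print(f"{name}: {licence}")
```
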


Re: Docker and GPLv3

Joakim Roubert
 

On 2022-02-04 15:30, Mans Zigher wrote:

with our current understanding our customer cannot comply with GPLv3
so we have to avoid it at all cost.
I think this is a situation where

https://layers.openembedded.org/layerindex/branch/master/layer/meta-gplv2/

might come in handy, together with something like

PREFERRED_VERSION_bash ?= "3.2.%"

in the local.conf (or similar suitable configuration place).

BR,

/Joakim


Re: Docker and GPLv3

Yocto
 

On Friday 04 February 2022 21:23:18 PM (+07:00), Måns wrote:

Hi,

Well, does GPLv3 not require that a customer should be able to build
the GPLv3 like bash and deploy it to the target? It is not directly
secure-boot but the customer has a boot up sequence that starts with
secure boot and then the rootfs needs to be signed. So it would not be
possible to open up the device to allow a customer to deploy his own
version of bash on the target. But I might have misunderstood GPLv3. I
am not an expert.

BR
Måns Zigher
ermmm no... my understanding is if a device is bootlocked.. grub or secure-boot, then the vendor only needs to provide a way a client having ownership of the device
can make, rebuild, duplicate, circumvent the secure-boot. ie... make it undoable/bypassable and as long as they allow users to install their own secure boot keys

now I'm not a LAWYER .... However.... if a client can regenerate keys/bootloader/image then I believe you're safe.


Den fre 4 feb. 2022 kl 15:19 skrev Embedded Devel <yocto@...>:



On Friday 04 February 2022 15:53:42 PM (+07:00), Mans Zigher wrote:

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target.
Okay, wait, why does enabling secure-boot prevent including GPLv3 packages??
I've never heard this before.


Re: Docker and GPLv3

Mans Zigher
 

Hi,

Thanks for your reply. The customer is currently using Thud. You
confirm our current findings so thanks. We are looking into removing
lxc and will then see what else is needed to see if we can skip the
GPLv3 packages. We will look into the GPLv3 license again but with our
current understanding our customer cannot comply with GPLv3 so we have
to avoid it at all cost.

BR
Måns Zigher

Den fre 4 feb. 2022 kl 15:15 skrev Bruce Ashfield <bruce.ashfield@...>:


On Fri, Feb 4, 2022 at 3:53 AM Mans Zigher <mans.zigher@...> wrote:

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target. We have successfully managed to add
docker to the target but we noticed that several packages have also
been added that are GPLv3

bash, gmp, gzip, libidn, libunistring, nettle, rsync, tar, wget
Those shouldn't be coming directly from the docker dependencies, but of
course packages that it depends on, may pull other dependencies, etc.

What branch are you using ?

If you look at docker.inc in the layer, it has our known dependencies:

DEPENDS = " \
go-cli \
go-pty \
go-context \
go-mux \
go-patricia \
go-logrus \
go-fsnotify \
go-dbus \
go-capability \
go-systemd \
btrfs-tools \
sqlite3 \
go-distribution \
compose-file \
go-connections \
notary \
grpc-go \
libtool-native \
libtool \
"

DEPENDS:append:class-target = " lvm2"
RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
${@bb.utils.contains('DISTRO_FEATURES', 'aufs',
'aufs-util', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd',
'', 'cgroup-lite', d)} \
bridge-utils \
ca-certificates \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"



1. Does docker have a strict dependency to GPLv3 code?
There may be ways to avoid some GPLv3 dependencies, but it isn't
something that we've actively explored or tested. So it would be
an effort that needs experimentation.

2. For some reason that I don't understand, docker seems to pull in
LXC which in turn will pull in many of the packages. Is Docker using
LXC? I thought docker was replacing LXC doing the same thing as LXC.
3. Do you have any suggestions on how to have container support and
not pull in GPLv3 code? Is Docker moby an alternative?
It depends on how you are installing docker to your image. In the latest
branches, it doesn't have a dependency on lxc. There are some package
groups and kernel configurations that are shared, but you don't have to
install using those packagegroups if they are pulling in elements that
you don't want or need.

Bruce


BR
Måns Zigher



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


Re: Docker and GPLv3

Mans Zigher
 

Hi,

Well, does GPLv3 not require that a customer should be able to build
the GPLv3 like bash and deploy it to the target? It is not directly
secure-boot but the customer has a boot up sequence that starts with
secure boot and then the rootfs needs to be signed. So it would not be
possible to open up the device to allow a customer to deploy his own
version of bash on the target. But I might have misunderstood GPLv3. I
am not an expert.

BR
Måns Zigher

Den fre 4 feb. 2022 kl 15:19 skrev Embedded Devel <yocto@...>:




On Friday 04 February 2022 15:53:42 PM (+07:00), Mans Zigher wrote:

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target.
Okay, wait, why does enabling secure-boot prevent including GPLv3 packages??
I've never heard this before.


Re: Docker and GPLv3

Yocto
 

On Friday 04 February 2022 15:53:42 PM (+07:00), Mans Zigher wrote:

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target.
Okay, wait, why does enabling secure-boot prevent including GPLv3 packages??
I've never heard this before.


Re: Docker and GPLv3

Bruce Ashfield
 

On Fri, Feb 4, 2022 at 3:53 AM Mans Zigher <mans.zigher@...> wrote:

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target. We have successfully managed to add
docker to the target but we noticed that several packages have also
been added that are GPLv3

bash, gmp, gzip, libidn, libunistring, nettle, rsync, tar, wget
Those shouldn't be coming directly from the docker dependencies, but of
course packages that it depends on, may pull other dependencies, etc.

What branch are you using ?

If you look at docker.inc in the layer, it has our known dependencies:

DEPENDS = " \
go-cli \
go-pty \
go-context \
go-mux \
go-patricia \
go-logrus \
go-fsnotify \
go-dbus \
go-capability \
go-systemd \
btrfs-tools \
sqlite3 \
go-distribution \
compose-file \
go-connections \
notary \
grpc-go \
libtool-native \
libtool \
"

DEPENDS:append:class-target = " lvm2"
RDEPENDS:${PN} = "util-linux util-linux-unshare iptables \
${@bb.utils.contains('DISTRO_FEATURES', 'aufs',
'aufs-util', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd',
'', 'cgroup-lite', d)} \
bridge-utils \
ca-certificates \
"
RDEPENDS:${PN} += "virtual-containerd virtual-runc"



1. Does docker have a strict dependency to GPLv3 code?
There may be ways to avoid some GPLv3 dependencies, but it isn't
something that we've actively explored or tested. So it would be
an effort that needs experimentation.

2. For some reason that I don't understand, docker seems to pull in
LXC which in turn will pull in many of the packages. Is Docker using
LXC? I thought docker was replacing LXC doing the same thing as LXC.
3. Do you have any suggestions on how to have container support and
not pull in GPLv3 code? Is Docker moby an alternative?
It depends on how you are installing docker to your image. In the latest
branches, it doesn't have a dependency on lxc. There are some package
groups and kernel configurations that are shared, but you don't have to
install using those packagegroups if they are pulling in elements that
you don't want or need.

Bruce


BR
Måns Zigher



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


[PATCH] libibverbs: update LICENSE

Ross Burton <ross@...>
 

As per COPYING, this is BSD-2-Clause or GPLv2.

Signed-off-by: Ross Burton <ross.burton@...>
---
recipes-extended/libibverbs/libibverbs_1.2.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-extended/libibverbs/libibverbs_1.2.1.bb b/recipes-ex=
tended/libibverbs/libibverbs_1.2.1.bb
index 90c424e..f40eccf 100644
--- a/recipes-extended/libibverbs/libibverbs_1.2.1.bb
+++ b/recipes-extended/libibverbs/libibverbs_1.2.1.bb
@@ -3,7 +3,7 @@ DESCRIPTION =3D "Libibverbs is a library that allows user=
space processes to use In
HOMEPAGE =3D "http://www.openfabrics.org/downloads/verbs/"
SECTION =3D "libs/devel"
=20
-LICENSE =3D "BSD"
+LICENSE =3D "GPLv2 | BSD-2-Clause"
LIC_FILES_CHKSUM =3D "file://COPYING;md5=3D7c557f27dd795ba77cc419dddc656=
b51"
=20
# Official repo is at git://git.kernel.org/pub/scm/libs/infiniband/libib=
verbs.git
--=20
2.25.1


Docker and GPLv3

Mans Zigher
 

Hi,

A client of mine wants to have docker on its product and they are
having secure boot enabled which prevents us from having any GPLv3
licensed code on the target. We have successfully managed to add
docker to the target but we noticed that several packages have also
been added that are GPLv3

bash, gmp, gzip, libidn, libunistring, nettle, rsync, tar, wget

1. Does docker have a strict dependency to GPLv3 code?
2. For some reason that I don't understand, docker seems to pull in
LXC which in turn will pull in many of the packages. Is Docker using
LXC? I thought docker was replacing LXC doing the same thing as LXC.
3. Do you have any suggestions on how to have container support and
not pull in GPLv3 code? Is Docker moby an alternative?

BR
Måns Zigher


Re: [meta-cloud-services][PATCH 6/8] python3-termcolor: inherit setuptools3 not distutils

Bruce Ashfield
 

Thanks for the update, the series is now applied.

Bruce

In message: [meta-virtualization][meta-cloud-services][PATCH 6/8] python3-termcolor: inherit setuptools3 not distutils
on 19/01/2022 wangmy wrote:

Signed-off-by: Wang Mingyu <wangmy@...>
---
.../recipes-devtools/python/python3-termcolor_1.1.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-openstack/recipes-devtools/python/python3-termcolor_1.1.0.bb b/meta-openstack/recipes-devtools/python/python3-termcolor_1.1.0.bb
index a8d50097..127287a7 100644
--- a/meta-openstack/recipes-devtools/python/python3-termcolor_1.1.0.bb
+++ b/meta-openstack/recipes-devtools/python/python3-termcolor_1.1.0.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=809e8749b63567978acfbd81d9f6a27d"
SRC_URI[md5sum] = "043e89644f8909d462fbbfa511c768df"
SRC_URI[sha256sum] = "1d6d69ce66211143803fbc56652b41d73b4a400a2891d7bf7a1cdf4c02de613b"

-inherit distutils3 pypi
+inherit setuptools3 pypi

DEPENDS += " \
python3-pip \
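Review bot: the switch to "inherit setuptools3 pypi" comes with no commit body, only a Signed-off-by, so there is no record of why distutils3 is being dropped or of what was built and tested. Add a sentence of rationale and confirm that the package's setup.py builds under setuptools3. Separately, the context line still carries SRC_URI[md5sum] next to SRC_URI[sha256sum]; the sha256 entry is sufficient and the md5 one can go in a follow-up.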
--
2.25.1

