We have been using the 1.3.x release series for a long time now which
has been great for stability but is slowly becoming harder and harder
to track and port bug and CVE fixes. This is a big jump to the latest
upstream release which gives us access to a myriad of fixes as well as
puts us in a better position to contribute to the upstream project
when issues are found.
Several patches have been dropped as they are either no longer valid
against this release or have equivalent updates already applied to the
upstream project. Some patches were consolidated which should ease
future uprevs of this recipe. The majority of the updates were related
to ptest patches, which is not a huge surprise given this code has no
upstream equivalent.
The overall runtime behavior remains much the same from v1.3.5 with
the only notable configuration change being for 'seccomp_sandbox'
which has been disabled here but should possibly be revisited in the
near future.
As usual the normal runtime usecases for qemu/kvm and lxc have been
run successfully along with ptest results which are by and large OK:
====================================
Testsuite summary for libvirt 4.3.0
====================================
# TOTAL: 119
# PASS: 115
# SKIP: 0
# XFAIL: 0
# FAIL: 4
# XPASS: 0
# ERROR: 0
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This brings us up to date with the latest upstream release. I suspect
there will be an upcoming release to add compatibility with DPDK
v18.05 (the DPDK release is due out any day now) but getting this
fairly large release bump out of the way first will facilitate any
upcoming uprev.
We are able to drop they python3 patches as they have been merged
upstream. Some scripts which needed to be updated to use python3
disappeared, new ones appeared so the 'use python3' patches are
updated accordingly. Beyond this the biggest change is related to the
systemd unit files, the ovsdb-server has been updated upstream to be
generated on the fly via the spec file, we mimic this in the
install_prepend. We also add the various configuration files which the
unit files source before launching the services.
As usual this was tested against out typical usecases including usage
in meta-overc. As well the ptests have been run and the results are no
better or worse.
Previous version:
ERROR: 2332 tests were run,
21 failed unexpectedly.
3 tests were skipped.
New version:
ERROR: 2527 tests were run,
29 failed unexpectedly.
3 tests were skipped.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The tests are already built when we do_compile so we only need to copy
them to the ptest path and create a wrapper script to run them. This
has the added benefit of reducing the size of the lxc package.
We have to manipulate the test sources some to remove gpg validation
and a few other minor changes, none of which actually change what is
being tested (notes are provided in the associated commit logs).
The following are the ptest results currently acheived:
### Starting LXC ptest ###
./tests/lxc-test-api-reboot FAIL
./tests/lxc-test-apparmor SKIPPED
./tests/lxc-test-attach PASS
./tests/lxc-test-automount PASS
./tests/lxc-test-autostart PASS
./tests/lxc-test-cgpath PASS
./tests/lxc-test-cloneconfig PASS
./tests/lxc-test-clonetest PASS
./tests/lxc-test-concurrent PASS
./tests/lxc-test-config-jump-table PASS
./tests/lxc-test-console PASS
./tests/lxc-test-console-log PASS
./tests/lxc-test-containertests PASS
./tests/lxc-test-createconfig PASS
./tests/lxc-test-createtest PASS
./tests/lxc-test-criu-check-feature PASS
./tests/lxc-test-destroytest PASS
./tests/lxc-test-device-add-remove PASS
./tests/lxc-test-get_item PASS
./tests/lxc-test-getkeys PASS
./tests/lxc-test-list PASS
./tests/lxc-test-locktests PASS
./tests/lxc-test-lxcpath PASS
./tests/lxc-test-may-control PASS
./tests/lxc-test-no-new-privs PASS
./tests/lxc-test-parse-config-file PASS
./tests/lxc-test-raw-clone PASS
./tests/lxc-test-reboot PASS
./tests/lxc-test-rootfs PASS
./tests/lxc-test-saveconfig PASS
./tests/lxc-test-share-ns PASS
./tests/lxc-test-shortlived PASS
./tests/lxc-test-shutdowntest SKIPPED
./tests/lxc-test-snapshot PASS
./tests/lxc-test-startone PASS
./tests/lxc-test-state-server SKIPPED
./tests/lxc-test-utils PASS
Results:
PASSED = 33
FAILED = 1
SKIPPED = 3
(for details check individual test log in ./logs directory)
### LXC ptest complete ###
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
We have a new dependency on 'mountpoint' which is now called in the
download template script. We also hit an upstream bug due to improper
use of 'mktemp', so we apply a patch to fix this and sent the fix
upstream as well.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Update to the latest lxc release. This requires some minor patch
updates (fuzz and offset, not content) along with dropping a no longer
needed fix for gcc7 (gcc 7.3 is everywhere and is patched).
The ptests were already busted before the uprev so I was not able to
run them but I will follow up with a fix for this. I did run against
our usual usecases 'lxc-create', 'lxc-console', 'lxc-ls',
'lxc-destroy', 'lxc-start', 'lxc-execute', 'lxc-attach'... and there
were no issues (outcomes matched v2.0.8).
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This removes the warning that docker can't find docker-init
in PATH.
This recipe is based on the recipe from meta-resin.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This is a minor bugfix release that was just release by the upstream
project about 2 weeks ago.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Currently on the master branch builds of kvmtool are failing due to
several missing headers. We need to only use the uapi headers and we
also need the kvmtool upstream commit 1cc05b24bfe0 [x86/kvm-cpu.c:
don't include <asm/msr-index.h>] to get the builds to work. So we
can't do this as a fix and uprev and must do both at once in this
single commit.
The upstream project does not have releases so using the latest commit
and setting the version to 4.14.0 to reflect the kernel version we
currently build and which tests were done with, when using Yocto
master.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Adding missing RDEPENDS on iptables, the lxc-net service will fail
without this. Use the new 'pkg_postinst_ontarget_' instead of failing
out to signal runtime postinst scripts, this conforms with the latest
expectation for bitbake. The interfaces file is specific to sysvinit
and unneeded for systemd so block the creation of these files only
when building for sysvinit.
Lastly add a default 'lxc-net' file. Since we have a separate
lxc-networking package we can complete it with this configuration
which is sourced by '/etc/default/lxc' (which is part of the core lxc
package). In doing this we are like Debian when the lxc-networking
package is not installed in the image, and like Ubuntu when it is.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Without this we get:
ERROR: Missing required tool: wget
When attempting to do something like:
lxc-create -n ubu -t download -- --no-validate -d ubuntu -r xenial
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This was renamed back in v1.1.0 but I suppose most folks have been
buiding for systemd or were not using this functionality and it went
unnoticed.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
For some packages we include a -setup package which can be installed
as part of an image to complete a more comprehensive setup of the main
package. This is common for example in meta-cloud-services since many
OpenStack packages have extensive setup.
The -setup package for lxc did at one point do comprehensive setup but
over time this has been moved to the -networking package. Now the
-setup package is only being used as a container for the systemd
service files or sysvinit scripts. This can better be accomplished by
setting appropriate runlevels for the initscripts or disabling or
masking the systemd services (via SYSTEMD_AUTO_ENABLE).
This also fixes some confusion or what might be considered a bug
around -setup and -networking packages as the -setup package was
mopping up the lxc-net.service file, instead of it being included in
the -networking package.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This requires libseccomp from meta-security so it is not enabled by default.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This requires libseccomp from meta-security so it is not enabled by default.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Upgrade and make the recipe more systemd "friendly". For the most part
nobody is going to use this with systemd but in case they do they will
get a masked and empty services file, as they do with Debian or
Ubuntu. Otherwise this is a minor update from v1.11.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Raymond Danks <ray.danks@se-eng.com> hasn't contributed any changes to
meta-virtualization since 2012 and is listed on Linkedin as no longer
with Sage Electronics since March 2013, having moved to a completely
different profession (firefighting). So it is almost certain the
listed E-mail address is invalid and has been for a long time.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Several required layer dependencies have been added to the layer
README but didn't have corresponding entries added to
LAYERDEPENDS. Ensure these match.
The 'selinux' layer dependency, is conditional on the 'xen'
DISTRO_FEATURE but I see no way to make a conditional LAYERDEPENDS so
this is left off for now.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
LXC is licensed under LGPLv2.1 not GPLv2. The COPYING file
referenced in the LXC recipe on all branches have the same content,
checksum and all define LICENSE="GPLv2" rather than "LGPLv2.1".
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
With Sun RPC Interfaces removed from libc we need to use an external
provider for rpc. Polling other distros there seems to be consensus to
use libtirpc so we follow this trend.
Unfortunately this should only require the DEPENDS addition to the
recipe but the upstream project has a few flaws in their Makefiles and
configure which we need to work around so we add 2 new patches to
address these to allow for the use of a sysroot and to use the
$XDR_CFLAGS in a few more places.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The netns project has been moved into the 'genuinetools' organisation and so
URLs have been updated. The copyright line in the license file has been updated
to reference "The Genuinetools Authors".
The patch name has been updated to make it more suitable for submission
upstream.
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The upstream Makefile now calls `$(GO)` instead of just `go` so this patch isn't
needed anymore.
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The vTPM stubdomain allows a virtual TPM to be created and used to
provide TPM functionality to Xen guest domains. The vTPM Manager
stubdomain seals the secrets of each vTPM to the physical TPM, thereby
extending the chain of trust to the virtual machines in Xen. More
information on Xen vTPMs found at
https://xenbits.xen.org/docs/unstable/man/xen-vtpm.7.html This xen-vtpm
recipe uses Xen/stubdom source tree to build the Xen vTPM and vTPM
Manager binaries and MiniOS source tree to build the Xen vTPM and vTPM
Manager stubdomains.
This recipe provides the ability to modify how the vTPM stubdomains are
created and the ability to independently patch the vTPM stubdomain
source code as necessary.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
TPM Emulator is a software-based TPM and MTM emulator. This TPM Emulator
recipe creates a static library that is cross-compiled against MiniOS,
Xen, LWIP, Newlib, PolarSSL, and the stubdom-specific GMP headers and
subsequently used during the cross-compilation and linking of the Xen
vTPM and vTPM Manager stubdomains.
The current Xen source code is hardcoded to fetch a specific version of
this package. The patch files originate from the Xen/stubdom source
tree. This recipe provides the flexibility to change version or modify
the patches.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
GMP is a fast precision arithmetic library targeted for cryptographic
applications. This GMP recipe creates a static library that is
cross-compiled against that is cross-compiled against MiniOS, Xen, LWIP,
Newlib, and PolarSSL headers and subsquently used during the
cross-compilation and linking of the TPM Emulator and the Xen vTPM and
vTPM Manager stubdomains.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
PolarSSL (now mbedTLS) is a lightweight SSL library optimized for
embedded systems. In the case of Xen stubdomains, we are using MiniOS.
This PolarSSL recipe creates a static library that is cross-compiled
against MiniOS, Xen, LWIP, and Newlib headers and subsequently used
during the cross-compilation and linking of the stubdom specific GMP,
TPM Emulator, and the Xen vTPM and vTPM Manager stubdomains. The
current Xen source code is hardcoded to fetch a specific version of this
package. The patch files originate from the Xen/stubdom source tree.
This recipe provides the flexibility to change version or modify the
patches.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Newlib provides a fast, C library optimized for embedded systems. In the
case of Xen stubdomains, we are using MiniOS. This Newlib recipe creates
static libraries that are cross-compiled against MiniOS, Xen, and LWIP
headers and subsequently used during the cross-compilation and linking
of PolarSSL, the stubdom specific GMP, TPM Emulator, and the Xen vTPM
and vTPM Manager stubdomains. The current Xen source code is hardcoded
to fetch a specific version of this package. The patch files originate
from the Xen/stubdom source tree. This recipe provides the flexibility
to change version or modify the patches.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Mini-OS is a tiny OS kernel distributed with the Xen Project Hypervisor
sources. It is mainly used as operating system for stub domains that are
used for Dom0 Disaggregation.
The Mini-OS source tree is updated and released in coordination with Xen
releases. The Mini-OS source tree and architecture-specific symbolic
links are required for building the dependencies used to build Xen
stubodmains. For convenience, the make links target was executed before
packaging. Otherwise, this is a source package. The current build
methods for Xen stubdomains require either a source archive which
contains the Mini-OS source code or execution of a make target that will
fetch the appropriate Mini-OS source tree from it's git repository. This
recipe removes the mysticism of relating to the version of Mini-OS being
used and it's origins and provides the flexibility to easily changes
versions or patch as necessary.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
lwIP is a small implementation of the TCP/IP stack designed for use in
embedded systems. This lwIP recipe does not configure nor does it build
the product. Instead, this recipe applies the patches normally found in
the Xen/stubdom source tree and creates a source package that can be
used for cross-compiling for MiniOS.
The current Xen source code is hardcoded to fetch a specific version of
this package. The patch files originate from the Xen/stubdom source
tree. This recipe provides the flexibility to change version or modify
the patches.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This commit introduces the stubdom.inc file that is required for each
recipe that is/will be built for Xen stubdomains. This file defines the
standard values to be used such as common dependencies, compiler and
linker flags, and unsets every flag and build tool that is exported into
the OE environment.
Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Only include our versions of recipes if virtualiztions is in
DISTRO_FEATURE
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This prevents the signature from being modified
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
go 1.9.x was triggering linkage errors on some build hosts due to
missing symbols.
| tmp/work/core2-64-poky-linux/runc-docker/1.0.0-rc5+gitAUTOINC+4fc53a81fb-r0/recipe-sysroot/usr/lib/../lib/libc.a(dl-reloc-static-pie.o): In function `elf_mac:
| /usr/src/debug/glibc/2.27-r0/git/sysdeps/x86_64/dl-machine.h:59: undefined reference to `_DYNAMIC'
| tmp/work/core2-64-poky-linux/runc-docker/1.0.0-rc5+gitAUTOINC+4fc53a81fb-r0/recipe-sysroot/usr/lib/../lib/libc.a(dl-reloc-static-pie.o): In function `elf_get:
| /usr/src/debug/glibc/2.27-r0/git/elf/get-dynamic-info.h:48: undefined reference to `_DYNAMIC'
By ensuring that our sysroot provided go binary and build flags make
it into the build enviroment we can build properly with 1.9 and 1.10
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
the yocto-check-layer failed with:
Dependency on variable DISTRO_FEATURES_LIBC was added
Variable do_install value changed:
@@ -32,3 +32,7 @@
done
echo "" >> ${D}${sysconfdir}/inittab
fi
+ if echo "${DISTRO_FEATURES}" | grep -q 'xen'; then
+ echo "" >> ${D}${sysconfdir}/inittab
+ echo "X0:12345:respawn:/sbin/getty 115200 hvc0" >> ${D}${sysconfdir}/inittab
+ fi
used idea from meta-selinux
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Refresh patches with devtool command to fix do_patch warning.
Drop CVE-2017-9263.patch since it had been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Refresh patches with devtool command to fix do_patch warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
With newer glibc(>= 2.26) and kernel(>=4.14), criu would fail to build:
In file included from
/buildarea/build/tmp/work/core2-64-poky-linux/criu/3.4+gitAUTOINC+a31c1854e1-r0/recipe-sysroot/usr/include/linux/aio_abi.h:31:0,
from criu/cr-check.c:24:
/buildarea/build/tmp/work/core2-64-poky-linux/criu/3.4+gitAUTOINC+a31c1854e1-r0/recipe-sysroot/usr/include/sys/mount.h:35:3:
error: expected identifier before numeric constant
MS_RDONLY = 1, /* Mount read-only. */
^
CC criu/parasite-syscall.o
CC criu/pipes.o
CC criu/pie-util.o
CC criu/pie-util-vdso.o
CC criu/plugin.o
/buildarea/build/tmp/work/core2-64-poky-linux/criu/3.4+gitAUTOINC+a31c1854e1-r0/git/scripts/nmk/scripts/build.mk:110:
recipe for target 'criu/cr-check.o' failed
make[2]: *** [criu/cr-check.o] Error 1
Backport a patch to fix it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The patches are refreshed with devtool command:
devtool modify irqbalance
devtool finish --force-patch-refresh irqbalance meta-virtualization
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Rather than invoking go directly to build docker-proxy, we can use
the libnetwork Make infrastructure. This picks up our exported go
enviroment variables, and other sysroot flags.
We also apply one patch to ensure that the cross-go toolchain is
used, and that the proper build flags are used.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
It will become a visible warning if LAYERSERIES_COMPAT is not set, so
we add it to our layers, and set it to rocko. Once sumo releases and
branched, we'll change the value.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The runc makefile now uses $(GO) universally, but sets the variable
as GO := go by default. This means that the host go will be used
instead of our recipe sysroot variant.
A simple export of the variable is not enough in all cases (due
to Make assignments), so both export it AND pass it directly to the
oe_make call.
This fixes docker-runc builds on ARM64.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
docker has moved to a non-forked version of containerd, so we set
our preference to opencontainers. The containerd-docker is too old
to properly work with modern docker builds, but we keep it around
for reference and compatibility.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Uprev containerd to v1.0.2 for compatibility with recent docker (18.04+)
builds.
With this uprev we also significantly restructure the build to use more
of the latest oe-core go build infrastructure, but non-standard parts of
the build remain.
We also allow containerd to be build with CGO enabled to avoid linkage
errors with the oe provided go build infrastructure.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This commit introduces a docker-ce reference recipe that is nearly
identical to the docker_git recipe.
The main difference between these two recipes is that one builds from
moby and this one from the docker-ce repository itself. The different
repositories mean that a different selection of commits are used and
that the build locations change slightly.
Although both docker_git and this recipe share nearly all their code,
they will vary more in the future, and prematurely factoring them
into a .inc file is not practical (until this proves useful).
Future work: remove the individual libnetwork and cli repository
fetches and build the components directly from the docker-ce repo.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Uprev the docker daemon, proxy and cli to 18.03.0.
The SRCREVs for these updates come from the versions logged in the
docker-ce 18.03.0 release. The docker-ce recipe has a pure docker-ce
single repository build, but here, we continue to assemble the individual
parts for maximum flexibility.
Along with the uprev, we add new dependencies required to build the new
version; libtool and pkcconfig (although unused by the recipe itself).
Finally we switch to a Makefile based build of the cli to allow the
commit and docker version to be properly captured in the docker executable.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Uprev both variants of runc to v1.0.0-rc5.
We drop patches that have made it into the upstream runc, and we also
refresh the context of of two others.
The docker and opencontainers variants are virtually identical, but
we keep the two variants for now to protect against any future forks
in the support.
The runc-docker SRCREV comes from the docker-ce 18.04 logged commit,
while runc-opencontainers is updated to the tip of the master branch.
Runtime tested with docker on x86-64.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
