An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2,
where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in
gaining access to unauthorized resources. This flaw allows an authenticated client to
modify the configuration and possibly conduct further attacks.
Upstream patches:
[master] c7e7009a69
[v15.2.2] f2cf2ce1bd
CVE: CVE-2020-10736
Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* Fix python3native inherit added in:
https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/commit/?id=a1e3f5c92cdee7c4259b7be643bd829ce7c1efa3
to actually work
* also remove the work arounds for /usr/bin/python being python3
on the target device
* I haven't tested this in runtime - I don't use it, it was just
showing that do_configure error in "bitbake world" builds, the
scripts might need some changes to be really compatible with
python3, but it was broken already, now it at least builds
* upgrade to new version with
3c05f06e6a
would be nice by someone who actually uses this
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The go-pty module has moved to https://github.com/creack/pty.
Signed-off-by: Prashant Chikhalkar <prashant.chikhalkar@windriver.com>
Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Runx needs a busybox static binary that contains symlinks to mount. However, in
zeus, busybox by default uses BUSYBOX_SPLIT_SUID = 1. With the variable set, the
busybox binary gets split into two, busybox.suid and busybox.nosuid. busybox.suid
contains links to mount while the runx recipe pulls in busybox.nosuid.
When vmsep is enabled, set BUSYBOX_SPLIT_SUID = 0 so that an unstripped busybox
binary is generated which contains all the required links including mount.
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The package name for xen-xl has changed, so we need to update the
runx rdepends .. or we are unbuildable.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The deploy for the uncompressed image was checking if a .gz file exists,
it should instead check for a straight xen file.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Upgrade websocket_client from 0.44.0 to 0.57.0.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
License changes from lxc3.2.1 to lxc4.0.1:
1. File COPYING is renamed to LICENSE.LGPL2.1
2. Add a new file LICENSE.GPL2
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
...
|ERROR: ceph-15.2.0-r0 do_package_qa: QA Issue: ceph: The compile
log indicates that host include and/or library paths were used.
| Please check the log 'tmp-glibc/work/corei7-64-wrs-linux/
ceph/15.2.0-r0/temp/log.do_compile' for more information. [compile-host-path]
|ERROR: ceph-15.2.0-r0 do_package_qa: QA Issue: ceph: The install
log indicates that host include and/or library paths were used.
| Please check the log 'tmp-glibc/work/corei7-64-wrs-linux/
ceph/15.2.0-r0/temp/log.do_install' for more information. [install-host-path]
...
During python setup, test whether the var LIBPL contains the recipe-sysroot prefix,
and add it back if lost.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
...
|ERROR: ceph-15.2.0-r0 do_package: QA Issue: ceph: Files/directories
were installed but not shipped in any package:
| /lib/systemd/system/ceph-immutable-object-cache@.service
| /lib/systemd/system/ceph-immutable-object-cache.target
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The recent uprev of lxc left some fuzz in the patches. devtool refresh
cleans this up, and no runtime issues have been detected.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Update to the just released 4.0.1, and drop some patches contained
in this release.
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Set GO_PARALLEL_BUILD to default to prevent the following error:
failed to create new OS thread (have 13 already; errno=11)
runtime: may need to increase max user processes (ulimit -u)
fatal error: newosproc
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
go-build recipe depends on runc source and during compilation tries to run the
command: go get github.com/opencontainers/runc.
This is incorrect as a source fetch shouldn't occur during compilation. Also,
even after a fetch occurs during compilation, the go build path GOPATH points
to the incorrect path hence the runc source is never found.
Fetch the opencontainers/runc source and create links in the correct GOPATH
before compilation for a successful build.
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
virt-login-shell asks for setuid permission as follows:
"virt-login-shell: must be run as setuid root"
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
While enabling multilib on qemumips64, lib32 assembler ends up
crashing on target sometimes due to branch out of range,
therefore using -O2 for now
[snip]
|../../libvirt-6.1.0/tests/qemuxml2argvtest.c: In function 'mymain':
|../../libvirt-6.1.0/tests/qemuxml2argvtest.c:608:1: note: variable
tracking size limit exceeded with '-fvar-tracking-assignments', retrying without
| 608 | mymain(void)
| | ^~~~~~
|/tmp/ccXJSwZR.s: Assembler messages:
|/tmp/ccXJSwZR.s:43943: Error: branch out of range
[snip]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Previously the following message was printed on the console every 5
minutes:
INIT: Id "X0" respawning too fast: disabled for 5 minutes
Install and use a getty-wrapper that will check for the hypervisor
(hvc0) device and, if it is not present, will call sleep.
Signed-off-by: Jaewon Lee <jaewon.lee@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Replace distro_features_check bbclass which is deprecated, with
features_check bbclass.
Signed-off-by: Daniel Dragomir <Daniel.Dragomir@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Remove the placeholder code for go console integration.
Pin the recipe to use the latest commit and copy additional scripts needed at runtime.
Include socat, daemonize and gobuild as required dependencies.
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
go-build_git recipe manages go build dependencies for runX.
This is used to support console access for runX.
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Include bash as RDEPENDS for qemu-support to prevent the following
do_package_qa error: do_package_qa: QA Issue: /usr/bin/qemu-mips contained in
package qemu-support requires /bin/bash, but no providers found in
RDEPENDS_qemu-support? [file-rdeps]
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Rename bbappend file so that bitbake finds the right recipe. Else during parse
time, a dangling bbappend warning is generated.
Signed-off-by: Sai Hari Chandana Kalluri <chandana.kalluri@xilinx.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping to 19.03.8 to pickup bugfixes and security changes. The
following commits comprise the change:
moby:
aa6a9891b0 vendor: add local copy of archive/tar
0d4f412ecd dockerfile: update vndr to 85886e1a
libnetwork:
c7bae399 Merge pull request #2525 from trapier/bump_19.03/cleanup-vfp-during-network-removal
8c407f52 Cleanup VFP during overlay network removal
bd5c6080 Merge pull request #2520 from SamWhited/19.03_backport_dns_update
74b17410 Bump the DNS library and revendor
cli:
eb310fca Merge pull request #2373 from tiborvass/19.03-bump-grpc-1.23.1
0e40b919 vendor: bump google.golang.org/grpc v1.23.1
a51e9e63 vendor: update grpc to v1.23.0
Testing has been performed across x86-64/arm64 via cli and through
higher level frameworks.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
While testing the cni uprev by building in a container with
network=none the following error was found:
go: github.com/Microsoft/go-winio@v0.4.11: Get
https://proxy.golang.org/github.com/%21microsoft/go-winio/@v/v0.4.11.mod:
dial tcp: lookup proxy.golang.org on 128.224.144.130:53:
dial udp 128.224.144.130:53: connect: network is unreachable
After some digging through the go documentation it was found that
'-mod=vendor' is required for 'go build' to use shipped vendor modules
when building modules. This can be confirmed by looking at the
'build_linux.sh' script which is found in the plugins repo.
By using '-mod=vendor' and also ensuring things are properly placed in
the GOPATH (ie $B) we can avoid having to create many of the links we
had been creating previously.
We also put all the build artifacts into $B to avoid mixing source and
build.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Both uprevs are listed as 'minor' in the upstream release
notes. Neither introduces an uprev in spec. This fixes issues we
observed while testing the forthcoming cri-o uprev.
NOTE: this commit should only be used with the follow-on commit [cni:
prevent go from downloading stuff in the background] otherwise you
will end up with files not owned by you which will prevent the recipe
being properly cleaned.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Uprev to the latest release of cri-o to pick up some fixes and
CVEs. Makefile updates along with updates to the go.bbclass allow us
to remove most of the do_compile() tweaks that were in place. To test
that these removals are sane builds were done for x86_64 and arm64 in
docker containers with network=none, no issues were found.
Quite a few runtime tests were done as well since we are stepping up 2
releases, and we also just uprev'd 'cni' and wanted to validate its
runtime as well.
Once the system is started and cri-o is given time to start you can
use the new 'crio-status info' command to retrieve the runtime status
of cri-o:
root@qemux86-64:~# crio-status info
cgroup driver: cgroupfs
storage driver:
storage root: /var/lib/containers/storage
default GID mappings (format <container>:<host>:<size>):
0:0:4294967295
default UID mappings (format <container>:<host>:<size>):
0:0:4294967295
Additionally 'crictl' was installed (the recipe will be submitted
shortly) and the cri-o Tutorial found here was run
(https://github.com/cri-o/cri-o/blob/master/tutorials/crictl.md)
In order to run the tutorial /etc/cni/net.d/99-loopback.conf and
/etc/containers/policy.json were taken from
./contrib/cni/99-loopback.conf and ./contrib/policy.json in the cri-o
src repo. The sandbox_config.json and container_redis.json were taken
from https://github.com/cri-o/cri-o/blob/master/test/testdata (note:
using core-image-minimal with systemd enabled I had to remove
"cpu_period": 10000 and "cpu_quota": 20000 to get the tutorial to
work). We are not able to use the loopback networking to telnet to the
redis container, but we can use other techniques to validate that it
is running.
root@qemux86-64:~# /usr/lib/go/src/import/_output/crictl --runtime-endpoint unix:///var/run/crio/crio.sock ps
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID
72718714360ef quay.io/crio/redis:alpine 47 seconds ago Running podsandbox1-redis 0 38b97e5a7bb99
root@qemux86-64:~# /usr/lib/go/src/import/_output/crictl --runtime-endpoint unix:///var/run/crio/crio.sock exec -i 72718714360ef cat /etc/issue
Welcome to Alpine Linux 3.7
Kernel \r on an \m (\l)
The CRIO_BUILD_CROSS approach was no longer valid and was
dropped. There is most likely some other cleanup we can do but this
gets us to a good state on the latest release.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
The change to the method of passing compiler flags into the Xen build
system in 6b697676 omitted passing the compiler flags for improving
build reproducibility, so this commit returns them and includes a change
to use the -ffile-prefix-map compiler option to remove host filesystem
artefacts instead of the prior method of redefining the __FILE__ builtin
macro.
Signed-off-by: Christopher Clark <christopher.w.clark@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Add a system service for podman which starts a podman instance that allows
access to the new HTTP based API (apiv2).
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bump to the newest podman release 1.8.1. Many new networking features
and a new HTTP API have been added since 1.6.1.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Bump to latest version 2.0.11 of conmon.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
When hosts are using VM separation features, they need qemu
on the target to launch guests (and for other purposes) .. but
they do not want *all* of the built qemu targets. To allow a
more fine grained installation of qemu components, this patch
splits packaging into:
- qemu-<arch>
- qemu-support
- qemu-keymaps
Signed-off-by: Bruce Ashfield <bruce.ashfield@xilinx.com>
If vmsep is a distro feature, we need to allow the static libraries to
be built (so we remove --disable-static). Without this, busybox cannot
be statically built and we can't (easily) use it as part of an initrd.
Signed-off-by: Bruce Ashfield <bruce.ashfield@xilinx.com>
If "vmsep" is in distro features, we need to configure busybox
as a static build. This allows for it to be used as part of an
initrd.
We also ensure that the installer support is added to busybox, so
it can be installed to the initrd via: busybox --install
Signed-off-by: Bruce Ashfield <bruce.ashfield@xilinx.com>
This is the initial version of the runX OCI wrapper to allow Xen based virtual
machines to be launched and managed as containers via an OCI interface.
In this first version, runx consists of the following components:
- runX binary/wrapper (/usr/bin/)
- state control wrappers (/usr/share/runX)
- runx kernel
- initrd
Once built and installed these allow the launching of Xen virtual machines
in an OCI compliant manner.
Dependencies of this recipe include:
- kernel: must be a specific version, currently 4.15. This is done as
a nested build and not as a multiconfig (by design).
- static target busybox: used for the initrd
- initrd: constructed from the kernel + busybox
The configuration of the system to build the dependencies in the right
mode for use in runX is controlled via the DISTRO_FEATURE "vmsep". If
this feature is missing, and runx is bitbaked, an error is thrown.
Installing the "runx" package to a rootfs will install all the required
support components (and dependencies).
Signed-off-by: Bruce Ashfield <bruce.ashfield@xilinx.com>
Updating libvirt to the next major release series. This brings
some changes to the build:
- add python3-docutils-native to DEPENDS, since it is needed for doc
building
- remove a reference to libgnu.la from the Makefiles, since it is not
needed or provided in the build dependencies
- remove obsolete packageconfig options: xenapi and phyp
- add an explicit do_compile rule (versus the autotools bbclass
variant), so we can create some directories before compilation
starts
- add ${B}/src to the PKG_CONFIG_PATH so the libvirt.pc file can be
found during build, as it is queried by libvirt-python
- with the ability to find the libvirt.pc file, we can also drop the
manipulations for libvirt_api_xml_path, as it is returned from
pkg-config queries.
- clear PKG_CONFIG_SYSROOT_DIR during libvirt-python builds, since
the libvirt.pc file already provides cflags/includes that are
contained to the build/src directory structure.
And finally, existing patches are refreshed to remove fuzz.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* let TARGET_VENDOR to be set to something else than the default:
meta/conf/bitbake.conf:TARGET_VENDOR = "-oe"
like other architectures use
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* apply similar patch to what was applied to docker-ce in:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/commit/recipes-containers/docker?id=e7787cb01be91d3798594687a475d5b085f29ede
it's very similar, but needs to be separate .patch file, because the
path to make/.binary is different in docker-ce and docker-moby.
since the recent upgrade:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/commit/?id=f770151b3ff0938bea4972abdd1ee7f6cbc3a074
docker-moby needs the same change or fails like this:
| ERROR: Execution of 'work/raspberrypi4-oe-linux-gnueabi/docker-moby/19.03.6+git71373c6105e3cbc9702935b96d8ee01214c405e7-r0/temp/run.do_compile.31754' failed with exit code 2:
|
| Package devmapper was not found in the pkg-config search path.
| Perhaps you should add the directory containing `devmapper.pc'
| to the PKG_CONFIG_PATH environment variable
| No package 'devmapper' found
| Removing bundles/
|
| ---> Making bundle: dynbinary (in bundles/dynbinary)
| Building: bundles/dynbinary-daemon/dockerd-19.03.6
| GOOS="linux" GOARCH="arm" GOARM="7"
| # runtime/cgo
| exec: "arm-linux-gnueabihf-gcc": executable file not found in $PATH
| WARNING: work/raspberrypi4-oe-linux-gnueabi/docker-moby/19.03.6+git71373c6105e3cbc9702935b96d8ee01214c405e7-r0/temp/run.do_compile.31754:1 exit 2 from 'VERSION="19.03.6" DOCKER_GITCOMMIT="${SRCREV_docker}" ./hack/make.sh dynbinary'
| ERROR: Task (meta-virtualization/recipes-containers/docker/docker-moby.bb:do_compile) failed with exit code '1'
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* SRCREV_docker isn't defined in docker-moby recipes at all
so it passes unexpanded ${SRCREV_docker} as noticed in
error log:
| ERROR: Execution of 'work/raspberrypi4-oe-linux-gnueabi/docker-moby/19.03.6+git71373c6105e3cbc9702935b96d8ee01214c405e7-r0/temp/run.do_compile.31754' failed with exit code 2:
|
| Package devmapper was not found in the pkg-config search path.
| Perhaps you should add the directory containing `devmapper.pc'
| to the PKG_CONFIG_PATH environment variable
| No package 'devmapper' found
| Removing bundles/
|
| ---> Making bundle: dynbinary (in bundles/dynbinary)
| Building: bundles/dynbinary-daemon/dockerd-19.03.6
| GOOS="linux" GOARCH="arm" GOARM="7"
| # runtime/cgo
| exec: "arm-linux-gnueabihf-gcc": executable file not found in $PATH
| WARNING: work/raspberrypi4-oe-linux-gnueabi/docker-moby/19.03.6+git71373c6105e3cbc9702935b96d8ee01214c405e7-r0/temp/run.do_compile.31754:1 exit 2 from 'VERSION="19.03.6" DOCKER_GITCOMMIT="${SRCREV_docker}" ./hack/make.sh dynbinary'
| ERROR: Task (meta-virtualization/recipes-containers/docker/docker-moby.bb:do_compile) failed with exit code '1'
this build issue is somehow caused by recent upgrade:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/commit/?id=f770151b3ff0938bea4972abdd1ee7f6cbc3a074
and this build error is not fixed by this change, but
see 2nd to last line which shows
DOCKER_GITCOMMIT="${SRCREV_docker}"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>