mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 12:50:22 +02:00

Go to file

Soumya Sambu 86126c9b34 kubernetes: Fix CVE-2023-2431 A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet. CVE: CVE-2023-2431 Affected Versions v1.27.0 - v1.27.1 v1.26.0 - v1.26.4 v1.25.0 - v1.25.9 <= v1.24.13 master branch(kubernetes v1.28.2) is not impacted mickledore branch(kubernetes v1.27.5) is not impacted References: https://nvd.nist.gov/vuln/detail/CVE-2023-2431 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>		2023-11-21 04:07:47 +00:00
classes	containers: introduce container-host class	2023-03-02 16:25:47 -05:00
conf	Revert "qemuboot, xen-image-minimal: enable runqemu for qemuarm Xen images"	2022-05-18 13:56:43 -04:00
docs	podman: Add support for rootless mode	2022-07-15 17:13:05 -04:00
dynamic-layers	xen: Make xilinx extension generic	2022-10-26 10:10:08 -04:00
files	fs-perms-nagios.txt: add perms conf file	2018-09-06 12:45:17 -04:00
lib/oeqa/runtime/cases	xtf: add testimage integration to run XTF test cases in OEQA	2021-09-02 16:36:23 -04:00
recipes-containers	kubernetes: Fix CVE-2023-2431	2023-11-21 04:07:47 +00:00
recipes-core	packagegroup-container: require ipv6 for podman	2023-11-08 09:03:45 -05:00
recipes-demo	demo: add flask and k3s deployment files	2021-12-13 15:59:11 -05:00
recipes-devtools	go-mux: Switch to main branch	2023-09-12 19:46:25 +00:00
recipes-extended	libvirt: CVE-2023-2700 Memory leak in virPCIVirtualFunctionList cleanup	2023-06-07 16:41:39 -04:00
recipes-graphics/xorg-xserver	global: overrides syntax conversion	2021-08-02 17:17:53 -04:00
recipes-kernel	k3s: Add missing IP Virtual Server (ip_vs) feature to the kernel config	2022-04-20 14:12:03 -04:00
recipes-networking	ovs: update to 2.17.6	2023-04-21 11:32:25 -04:00
scripts/lib/wic/plugins/source	wic: add support for bootable pcbios partition with Xen hypervisor	2020-02-27 16:59:22 -05:00
wic	xen-image-minimal: supply bootloader config for qemux86-64 machine	2021-09-02 16:36:23 -04:00
.gitignore	xtf: add testimage integration to run XTF test cases in OEQA	2021-09-02 16:36:23 -04:00
COPYING.MIT	Initial meta-xen layer documentation.	2012-06-21 15:51:11 -06:00
MAINTAINERS	MAINTAINERS: add xtf and the raspberry pi dynamic layer for Xen	2021-12-16 21:45:00 -05:00
meta-virt-roadmap.txt	docs: roadmap: add missing workflow items	2019-10-28 11:56:10 -04:00
README	README: remove some cri-o specific layer dependencies	2023-03-02 16:25:47 -05:00

README

meta-virtualization

This layer provides support for building Xen, KVM, Libvirt, and associated packages necessary for constructing OE-based virtualized solutions.

The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'virtualization' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line.

DISTRO_FEATURES:append = " virtualization"

If meta-virtualization is included, but virtualization is not enabled as a distro feature a warning is printed at parse time:

You have included the meta-virtualization layer, but
'virtualization' has not been enabled in your DISTRO_FEATURES. Some bbappend files
may not take effect. See the meta-virtualization README for details on enabling
virtualization support.

If you know what you are doing, this warning can be disabled by setting the following variable in your configuration:

SKIP_META_VIRT_SANITY_CHECK = 1

Depending on your use case, there are other distro features in meta-virtualization that may also be enabled:

xen: enables xen functionality in various packages (kernel, libvirt, etc)
kvm: enables KVM configurations in the kernel and autoloads modules
k8s: enables kubernets configurations in the kernel, tools and configuration
aufs: enables aufs support in docker and linux-yocto
x11: enable xen and libvirt functionality related to x11
selinux: enables functionality in libvirt and lxc
systemd: enable systemd services and unit files (for recipes for support)
sysvinit: enable sysvinit scripts (for recipes with support)
seccomp: enable seccomp support for packages that have the capability.

Dependencies

This layer depends on:

URI: git://github.com/openembedded/openembedded-core.git branch: master revision: HEAD prio: default

URI: git://github.com/openembedded/meta-openembedded.git branch: master revision: HEAD layers: meta-oe meta-networking meta-filesystems meta-python

BBFILE_PRIORITY_openembedded-layer = "4"

Required for Xen XSM policy: URI: git://git.yoctoproject.org/meta-selinux branch: master revision: HEAD prio: default

Required for Ceph: URI: git://git.yoctoproject.org/meta-cloud-services branch: master revision: HEAD prio: default

Required for cri-o: URI: git://git.yoctoproject.org/meta-selinux branch: master revision: HEAD prio: default

Community / Colaboration

Repository: https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/ Mailing list: https://lists.yoctoproject.org/g/meta-virtualization IRC: libera.chat #meta-virt channel

Maintenance

Send pull requests, patches, comments or questions to meta-virtualization@lists.yoctoproject.org

Maintainer: Bruce Ashfield bruce.ashfield@gmail.com see MAINTAINERS for more specific information

When sending single patches, please using something like: $ git send-email -1 -M --to meta-virtualization@lists.yoctoproject.org --subject-prefix='meta-virtualization][PATCH'

License

All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated.