Update main branch CODEOWNERS file to require CBL-Mariner-Stable-Maintainers team review for all files in this branch since PRs targeting main are going to our next 2.0 stable release.
This check was added to alert if kernel configs with known required values have been changed to undesired values or removed. Additionally, it would alert developers to update the JSON with justification to help with future checks.
This check is no longer needed now that kernel maintainers are required on each PR review for configs. Additionally, the check caused noise and failed frequently. Therefore, remove.
Update the GitHub codeowners file to automatically add tooling codeowners as reviewers to the toolkit code. Retain general dev reviewers for docs, imageconfigs, and package manifests.
Signed-off-by: Chris Co <chrco@microsoft.com>
Update the GitHub codeowners file to automatically add the cbl-mariner-kata-containers team as reviewers for kata-containers and confidential containers packages.
Signed-off-by: Chris Co <chrco@microsoft.com>
Set `CONFIG_FILE=""` as the new default instead of `CONFIG_FILE="./imageconfigs/core-efi.json"`.
For teams that use the Mariner toolkit to build custom packages or images using the Mariner toolkit:
- Previously the toolkit would default to the core-efi.json image definition for all invocations.
- This would result in building all packages required for that image definition when calling `make build-packages` in the core repo.
- This would mean that `make image` would succeed without explicitly setting a desired image config.
- In future versions of the toolkit, CONFIG_FILE will default to "".
- Package builds will no longer include extraneous packages that may be unneeded
- Image builds will return an error if a config is not explicitly selected
Considerations:
- Packages like the kernel will no longer build during normal package builds unless requested. Set desired packages via `PACKAGE_BUILD_LIST="pkg1 pkg2 …"`.
- `make image` will no longer succeed without `CONFIG_FILE="/path/to/config.json"` being set explicitly.
Bump actions/checkout v3 (Node 16) to v4 (Node 20) as
Node 16 reaches EoL on September 11 2023.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* codeowners: Add maintainers for openssl engines
SymCrypt and KeysInUse are OpenSSL engines, so changes to these should
be reviewed by our openssl maintainers groups.
Signed-off-by: Chris Co <chrco@microsoft.com>
* codeowners: Add missing wildcard
Signed-off-by: Chris Co <chrco@microsoft.com>
---------
Signed-off-by: Chris Co <chrco@microsoft.com>
* adding pip requirements file and a readme to toolchain python scripts
* updating requirements file with missed deps and updating readme file
* updating github pipelines to use requirements file to install python dependencies
* Delete README.md
Moved readme file into a wiki page
* reverted tokyocabinet url change
* upgraded tidy to 5.8.0 and deleted ming
* updating licenses to remove ming; updating cgmanifest and tidy.signatures
* fixing cgmanifest stuff
* adding cbl-mariner import to changelog
* switching branches
* verbose comments
* adding a space for a new commit
* does a 2 second timeout fix things
* Only build bond against x86_64 architecture (#1800) (#1801)
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
* [main extended] Enable libguestfs (#1970)
* Remove libreport support from mdadm
* Conditionally pull in perl-Sys-Virt test deps
* Fix dependency resolution for ocaml-ctypes
* Upgrade to latest ocaml-gettext
* Fix ocaml-ounit build
* Upgrade ocaml-base to latest
* Upgrade ocaml-migrate-parsetree to latest
* Upgrade ocaml-stdio to 0.15.0
* Upgrade ocaml-parsexp to 0.15.0
* Upgrade ocaml-ppxlib to 0.24.0
* Upgrade ocaml-sexplib to 0.15.0
* Upgrade ocaml-sexplib0 to 0.15.0
* Upgrade supermin to 5.2.1
* Fixup libguestfs patches and configuration
* [main extended] Fix dnf-plugins-core, ocaml-findlib builds (#1950)
* [main] Removing in-spec sources verification using `libguestfs.keyring`. (#1971)
* kernel: Update Mariner cert in kernel keyring (#1979)
* kernel: Update mariner cert in kernel keyring
* kernel-hyperv: Update mariner cert in kernel keyring
* kernel-headers: Bump to match kernel release number
* kernel-signed: Bump to match kernel release
Signed-off-by: Chris Co <chrco@microsoft.com>
* lttng-consume: disable tests to fix build break (#1980)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Revert "Upgrading Parted to v3.4" (#1966)
* Revert "Upgrading Parted to v3.4 (#1898)"
This reverts commit 24382cfa6e.
* verifying license to unblock upgrade revert pr
* Temporary: Add python3-distro to azurevm-packages packagelist (#2016)
* Upgrade libmemcached, memcached and promote to core specs (#1981)
* kernel-signed: workaround errant .build-id file (#2032)
After the upgrade to RPM 4.17, when building on ARM64 only, we are
observing an unexpected /usr/lib/debug/.build-id/xx/yyyy.debug
file being packaged into the kernel.rpm package. This errant file is causing
build errors when repackaging in the kernel-signed build phase.
This patch works around the build issue by specifically excluding the
/usr/lib/debug/.build-id folder when building for ARM64. More investigation
is underway to identify why this unexpected /usr/lib/debug/.build-id/xx/yyyy.debug
file is being included.
Signed-off-by: Chris Co <chrco@microsoft.com>
* Fix grubby build with newer versions of RPM (#2036)
* Update libgit2 to latest upstream version 1.1.0 (#2021)
Signed-off-by: Kate Goldenring <kagold@microsoft.com>
* Fix build break (signature) for libgit2
* Fix TDNF download of packages during libguestfs build
* Replace perl(Locale::TextDomain) BR in libguestfs with actual package
* [main] Fixing tooling issues during package candidates resolution. (#2091)
* Fix dependency constraints, UUID parsing in libguestfs (#2113)
* Bring over libguestfs changes from 2.0
* Fix selinux-policy, file bugs in libguestfs
* kernel: Update input aarch64 config file (#2358)
ARM64 kernel package builds are failing due to a config diff missing
between the expected config and the actual config file.
Add missing CONFIG_USBIP_VUDC line
Signed-off-by: Chris Co <chrco@microsoft.com>
* Revert "[main] Update envoy to v1.21.0 (#2330)"
This reverts commit 5c0c47a867.
* toolkit only - use local /run folder in chroot instead of mounted tmpfs (#2435)
* toolkit - use local /run folder in chroot instead of mounted tmpfs
* address PR comments
* address PR comments
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* [main] iperf3: Update to 3.11 (#2512)
* Update iperf3 to 3.11
* toolchain: Remove alsa-lib (#2543)
* Fix post-install script args in imageconfig being ignored (#2414)
* Upgrade nodejs to 16.14.0 (#2485)
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* [main] upgrading libarchive to v3.6.0 (#2515)
* upgrading libarchive to v3.6.0
* removing patch file
* adding missing URL
* fixing URL
* [2.0] Modify pam to require audit-libs (#2572)
* update pam
* update manifests
* install audit-libs before systemd (#2584)
* Revert "install audit-libs before systemd (#2584)"
This reverts commit 2170975852.
* Build rubygems with ruby to fix build error in pipeline (#2601)
* Add rubygems to build with ruby to fix build error in pipeline
* Remove bundler requirement
* [main] Adding `--assumeyes` for TDNF calls. (#2641) (#2642)
* Fix bad ruby merge issue
* Revert "python3: Add python-unversioned-command subpackage (#2637)"
This reverts commit b62bb32bef.
* dnf-plugins-core: Fix bad python path in cmake call (#2658)
* dnf-plugins-core: Fix bad python path in cmake call
* Update license map
* Empty commit to trigger GH checks
* Unblock build, exclude SymCrypt from ARM64
* Update python requirement in azurevm packagelist for 2.0 (#2667)
* Revert "Unblock build, exclude SymCrypt from ARM64"
This reverts commit 9b0a48fc52.
* Repair toolkit merge issue
* fix boringssl license issue (#2775)
* revert arm64 exclusion workaround (#2769)
* [main] Build break workaround. (#2788)
* Revert "fix boringssl license issue (#2775)"
This reverts commit 50b3397168.
* Remove boringssl to reconcile with main branch
* [main] Fixing installation paths with new version of Ruby. (#2859)
* vim: Fix vi provides with reversed EVR (#2872)
* cri-o: Replace openSUSE systemd macros with Mariner's (#2874)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed (#2878)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed
* audit: Add BR on systemd-bootstrap-rpm-macros
* [2.0] Cherry-pick credscan failure caused by unattended installer image config (#2908)
* minor fix to build doc (#2907)
Co-authored-by: Henry Li <lihl@microsoft.com>
* fix image config json (#2906)
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
* download msopenjdk-11 from prod folder (#2921)
* Cherry Pick build fixes to Extended (#3105)
* ARM64 `buildah` and `edk2` blocked packages fix. (#3101)
* Adding missing signature for `perl-Module-Install-Repository`. (#3086)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* Python-twisted: upgrade to version 22.4.0 to fix CVE-2022-24801 (#3079)
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-… (#3087)
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* Updating `vim` to version 8.2.5064. (#3112)
* Bump Mariner Release (#3140)
* Revert "Add missing e2fsprogs dep to cloud-init (#3141)"
This reverts commit 7417d8a04f.
Reverting this change temporarily because we are not ready to upgrade cloud-init
* Revert "cloud-init: uprev to 22.2 (#3104)"
This reverts commit 3bcdc43b8f.
Reverting this change temporarily because we are not ready to upgrade cloud-init.
* Fix build errors caused by ncurses 6.3 upgrade (#3184)
* Fix ARM64 Build Break (#3191)
* t1lib: Fix SRPM packing (#3192)
* Revert "cloud-init: patch for CVE-2022-2084 (#3281)"
This reverts commit e3174308e7.
* Revert "Revert "cloud-init: uprev to 22.2 (#3104)""
This reverts commit ae3a7d80af.
* Revert "Revert "Add missing e2fsprogs dep to cloud-init (#3141)""
This reverts commit 68bd0ec8d7.
* Revert "Revert "cloud-init: patch for CVE-2022-2084 (#3281)""
This reverts commit 0b1ba723bc.
* Revert "Initial KeysInUse Integration (#3182)"
This reverts commit 7de96f680a.
* Updating 'mariner-release' version for July update 2. (#3444)
* remove provides from unsigned grub2 (#3461)
Co-authored-by: Henry Li <lihl@microsoft.com>
* Updating 'mariner-release' for the August release.
* Updating licenses after the 'main' merge.
* KeysInUse: re-introduce package back to 2.0. (#3531)
* Update helm version 3.9.3 (#3586)
* Update helm version 3.9.3
* Fix helm version info not displaying correctly
* fix cloud-init dependency issue (#3606)
* `mariadb`: update to v10.6.9 to fix CVE-2022-32091, CVE-2022-32081 (#3645)
* fix npm version in nodejs.spec (#3571)
* upgrade vim to 9.0.0232 (#3580)
* qemu : fix CVE-2022-35414 (#3597)
* qemu : fix CVE-2022-35414
* address PR comment
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* libxml2 and python-lxml: fix CVE-2022-2309 (#3583)
* libxml2 and python-lxml: fix CVE-2022-2309
* libxml2 and python-lxml: fix CVE-2022-2309
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* rubygem-yajl-ruby: fix CVE-2022-24795 (#3598)
* rubygem-yajl-ruby : fix CVE-2022-24795
* rubygem-yajl-ruby : fix CVE-2022-24795
* back port patch from 1.4.1
* fix spec issue
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* Update cert-manager to v1.7.3. (#3575)
- Update cert-manager to v1.7.3.
- Split cert-manager binaries into separate packages.
- Remove cert-manager build dependency on Bazel and just build the
binaries directly using `go build`. This makes building easier. Also,
the latest upstream version of cert-manager does this.
- Use the Go "vendor" directory for Go dependencies instead of dumping
files in the global Go cache.
* Bump supported go versions to 1.17.13, 1.18.5 to fix fifteen CVEs (#3600)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* dpdk: bump version to 21.11.2 to address CVE-2022-2132 (#3631)
* dpdk: bump version to 21.11.2 to address CVE-2022-2132
* dpdk: cgmanifest: update entry
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* `vim`: upgrade to 9.0.0325 to fix CVE-2022-2980, CVE-2022-2982, CVE-2022-2923, CVE-2022-2946 (#3643)
* `python3`: fix CVE-2015-20107 (#3644)
* `python3`: fix CVE-2021-28861 (#3654)
* `colord`: fix CVE-2021-42523 (#3675)
* `virglrenderer`: fix CVE-2022-0135 (#3674)
* libtar: Pull misc Fedora patches, fix CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646 (#3686)
* Apply Fedora patches
* Apply linter
* Use upstream patch
* Patch qemu CVE-2021-4158 (#3696)
* libtar: Fixup spec formatting, remove .la files, remove explicit provides (#3698)
* Fixup libtar spec formatting, .la files, provides
* Add comment so we can track CVE fixes
* update mariner-release to 2.0-19 (#3723)
* fix br in libvirt (#3726)
* Added nopatch to libtirpc for CVE-2021-46828 (#3779)
Co-authored-by: Nick Samson <nisamson@microsoft.com>
* update mariner-release to 2.0-21 (#3778)
* revert changes for adding sysinit.target dependency (#3777)
* Expat fix CVE-2022-40674 (#3799)
Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
* bump mariner-release to 2.0-21
* switching branches
* Ensure rpm-* ABI compatibility (#3880)
* Ensure `python3-rpm` pulls in appropriate libs
* Add rpm-build-libs -> rpm-libs dependency too
* Declare release `4.18.0-2` with fixes
* toolkit.mk: fix 'clean-rpms-snapshot' target. (#3843)
* 7.4.14 to 8.1.11; need to delete the old SPECS-EXTENDED folders
* php 8.1.11 build now
* removed libraries from SPECS-EXTENDED
* merged current 2.0; added changelog for php & updated other licenses; need to verify changelog for php & version thing olivia said
* update cgmanifest.json
* reresolving old mr comments
* updated hunspell to fix CVE; added aspell patch to fix CVE; fixed some PHP linting issues
* one linting fix
* removed commented-out modphp code; updated changelog
* debugging url issues
* trying 2sec timeout instead of 1sec
* echoing to txt log
* undoing validate-cg-manifests.sh changes; trying new url
* resolving mr comments
* updating malaga in cgmanifest
* trying source-git's mirror
* trying with local tarball
* trying with local tarball
* using blob storage
* Delete bad_registrations.txt
* updating tokyocabinet url
* changing branches
* resolving conflicts with upstream/main
* mr comments
* updating cgmanifest
* actually fixing validate_cg_manifest.sh
* Delete php-8.1.11.tar.xz.asc
* Delete php-keyring.gpg
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Signed-off-by: Kate Goldenring <kagold@microsoft.com>
Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: Thomas Crain <thcrain@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Co-authored-by: Max Brodeur-Urbas <35381493+MaxBrodeurUrbas@users.noreply.github.com>
Co-authored-by: Kate Goldenring <kate.goldenring@microsoft.com>
Co-authored-by: rlmenge <rachelmenge@microsoft.com>
Co-authored-by: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Co-authored-by: Andrew Phelps <anphel31@users.noreply.github.com>
Co-authored-by: Neha Agarwal <58672330+neha170@users.noreply.github.com>
Co-authored-by: Olivia Crain <olivia@olivia.dev>
Co-authored-by: Henry Li <69694695+henryli001@users.noreply.github.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
Co-authored-by: chalamalasetty <42326515+chalamalasetty@users.noreply.github.com>
Co-authored-by: Nan Liu <108544011+liunan-ms@users.noreply.github.com>
Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>
Co-authored-by: Cameron E Baird <cameronbaird@microsoft.com>
Co-authored-by: Chris Gunn <chrisgun@microsoft.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Nick Samson <nick.samson@microsoft.com>
Co-authored-by: Nick Samson <nisamson@microsoft.com>
Co-authored-by: Minghe Ren <mingheren@microsoft.com>
Co-authored-by: Betty <38226164+BettyRain@users.noreply.github.com>
Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
Co-authored-by: Andrew Phelps <anphel@microsoft.com>
Co-authored-by: Andy Caldwell <andycaldwell@microsoft.com>
* Make `glibc-static` a real package and police its version
* Add version bounds to all mentions of `glibc-static` in spec files
* Bump releases for all affected packages
* Add pipeline job to check static glibc versions
* Release new glibc packages with split out glibc-static
* Include distribution in requirement bounds
* Don't implicitly install glibc-static in pkggen chroot
* Correctly split up the static libraries between devel/static
* Consistent use of f-strings
* Allow libacvp to build without depending on `glibc-static`
* Remove `libhugetlbfs-tests` package
* Update kernel configs to not support static linking
* Declare `glibc-static` dependency for flannel
* Enable `-pie` by default in `clang`
* Rebuild SymCrypt with `-pie` enabled `clang`
* Use `glibc-static` on all platforms for `busybox`
* Tidy up libacvp Source lines
* Clang can't default to `-pie` so move `crt1.o` to `glibc-devel`
* Fix libacvp Source0 syntax
* Don't build static binaries in libhugetlbfs-tests
* Update kernel config signatures
* Kubevirt needs glibc-static too