* Bump package version to recompile binaries with fixed gcc stack protection (CVE-2023-4039)
* Bump debuginfo versions in toolchain manifests
* Bump kernel headers to match kernel
* Update SPECS/gettext/gettext.spec
Taking suggestion
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Update for code review comments
* Fix for code review comment in qt5-qtdeclarative changelog
* Fix dash version for signed spec files
---------
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Fix the network config unit test so that it arranges to write to a test dir, not to real /etc.
* Identify unit tests that require running in a chroot and arrange for them to be skipped when the effective UID isn't 0 (i.e., when we're running as non-root, and not under sudo).
* Introduces a basic pattern for ##help comments that allow expressing the help content for well-known variables and targets at their respective definition sites.
* Adds help Makefile target that extracts the ##help comments via sed/grep/awk and does a simple rendering of it to stdout.
* Adds help.mk, which documents the format of these comments and also includes the toplevel help preamble.
* Populates a set of initial ##help comments for commonly used targets and variables. The intention is for this to be easy to iterate on in-tree over time.
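The following is an added example, not the toolkit's own help.mk or help target: a POSIX shell function that extracts `##help` comments from Makefile text on stdin and renders them to stdout with grep/sed/awk, the way the target described above does. The comment format `##help:<kind>:<NAME>=<text>` and the sample Makefile content are assumptions for illustration; the real help.mk defines its own format.

```shell
#!/bin/sh
# Added example (not from the CBL-Mariner toolkit). Assumed convention:
# a comment line of the form  ##help:<kind>:<NAME>=<text>  sits next to the
# variable or target it documents, where <kind> is "var" or "target".

# render_help: read Makefile text on stdin, print one aligned line per
# ##help comment: kind, name, description.
render_help() {
    grep '^##help:' |          # keep only the help comments
    sed 's/^##help://' |       # strip the marker, leaving kind:NAME=text
    awk -F: '{
        rest = substr($0, index($0, ":") + 1)   # NAME=text (text may contain ":")
        eq   = index(rest, "=")                 # first "=" separates name from text
        printf "%-7s %-22s %s\n", $1, substr(rest, 1, eq - 1), substr(rest, eq + 1)
    }'
}

# Constructed sample Makefile (not the real toolkit Makefile) for a stand-alone run.
SAMPLE_MAKEFILE='##help:var:CONFIG_FILE=Path to the image config JSON; empty by default
CONFIG_FILE ?=

##help:var:PACKAGE_BUILD_LIST=Space-separated list of packages to build
PACKAGE_BUILD_LIST ?=

##help:target:build-packages=Build the packages in PACKAGE_BUILD_LIST
build-packages:
	@echo building $(PACKAGE_BUILD_LIST)

##help:target:help=Print this help
help:
	@grep "^##help:" $(MAKEFILE_LIST)'

printf '%s\n' "$SAMPLE_MAKEFILE" | render_help
```

In a Makefile the same pipeline would live in the `help` recipe, with `$$` in place of each `$` inside the awk program so make does not expand it first.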
This reverts commit d3fd41653a.
Fix error: "Tool 'awk' missing! Please install it before using the toolkit.". Stop.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Set `CONFIG_FILE=""` as the new default instead of `CONFIG_FILE="./imageconfigs/core-efi.json"`.
For teams that use the Mariner toolkit to build custom packages or images using the Mariner toolkit:
- Previously the toolkit would default to the core-efi.json image definition for all invocations.
- This would result in it building all packages required for that image definition when calling `make build-packages` in the core repo
- This would mean that `make image` would succeed without explicitly setting a desired image config
- In future versions of the toolkit, CONFIG_FILE will default to ""
- Package builds will no longer include extraneous packages that may be unneeded
- Image builds will return an error if a config is not explicitly selected
Considerations:
- Packages like the kernel will no longer build during normal package builds unless requested. Set desired packages via PACKAGE_BUILD_LIST="pkg1 pkg2 …"
- `make image` will no longer succeed without CONFIG_FILE="/path/to/config.json" being set explicitly
* add flag for grapher to resolve cycles by downloading RPM from repos in repolist
add flag to clear version. replace run node with remote node in lookupTable for graphpkgfetcher
send cloner object instead of multiple parameters
* add info to show cycle resolution and use pre-allocated array instead of counted size
* preallocate nodes instead of getting actual count and add info stmt
* Avoid clearing version in original node
* use a different directory for saving chroot
* revert new NodeTypes
* Revert "Avoid clearing version in original node"
This reverts commit e1f17452dbd0df2c5e17109fb3c5b8085cee57d3.
* graphpkgfetcher satisfy with fetched packages
* clear version only if package cannot be found with version
* add Info stmt to show how cycle is fixed
* use rpmsprovidedbySRPM
* Revert "use rpmsprovidedbySRPM"
This reverts commit 571e5be0d7ddb6819ecf998f5397dc46eabf805c.
* Revert "graphpkgfetcher satisfy with fetched packages"
This reverts commit 162882f0d41691011ac9bec4c82fc30aac37097f.
* Revert "Revert "Avoid clearing version in original node""
This reverts commit e36664cf5214aa7b180a369f42a0a9e05e41c13d.
* introduce clonerErr to avoid it tampering with the return error
* sort is not deferred when adding remote node to lookup table
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
* do not defer sort when adding remote node to lookup table
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
* remove packageURLlist from grapher
* add disableDefaultrepos flag to grapher
* split MakeDAG
* continue on clonerErr
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* continue early if not buildToRunEdge
* function and arg name changes in replaceCurrentRunNodeWithNewNode
* return error from addRemoteToLookup if tried to add a nonRemote Node
* use proper tmp dir for grapher worker_chroot
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* drop extra debug print
* Try to break cycle with prebuilt RPMs before ignoring version
* Panic if AddRemoteToLookup is called with a non-remote node
* Remove debug function - printLookupTable
* Break inconsistency in scheduler
Call AddRunToLookup in scheduler.go to avoid inconsistency of the
LookupTable
* Update toolkit/tools/internal/pkggraph/pkggraph.go
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* Update toolkit/tools/grapher/grapher.go
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* Address review comments to
* Functionalize the breaking cycle using upstream at a particular node
* Update function name replaceCurrentRunNodeWithNewNode to meaningful
replaceSRPMBuildDependency
* Update proper name in function call
* Update toolkit/tools/internal/pkggraph/pkggraph.go
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* Return proper error message from fixCyclesWithExistingRPMS
* Remove Add*ToLookup APIs
* Replace AllRunNodes with AllPreferredRunNodes and make AllRunNodes
traverse the entire graph
* Elaborate comments for AllPreferredRunNodes
* Adding suggestions.
* Remove unnecessary assignment in pkggraph.go
---------
Co-authored-by: Sindhu Karri <lakarri@microsoft.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Bala <balakumaran.kannan@microsoft.com>
Co-authored-by: Bala <kumaran.4353@gmail.com>
This commit adds a new Azure VM Gen2 image with FIPS enabled by default.
This image definition is identical to the current marketplace gen2 image
definition, except for the following specific changes:
1. Include the fips-packages.json package list before the initramfs
package in the overall package list
2. Set KernelCommandLine.EnableFIPS to true, to inform image generation
tools to enable FIPS during image creation
3. Set basename for image as "cblmariner-gen2-fips"
Signed-off-by: Chris Co <chrco@microsoft.com>
This commit adds a new Azure VM Gen1 image with FIPS enabled by default.
This image definition is identical to the current marketplace gen1 image
definition, except for the following specific changes:
1. Include the fips-packages.json package list before the initramfs
package in the overall package list
2. Set KernelCommandLine.EnableFIPS to true, to inform image generation
tools to enable FIPS during image creation
3. Set basename for image as "cblmariner-gen1-fips"
Signed-off-by: Chris Co <chrco@microsoft.com>
This PR introduces the capability to override the source of the `specs`.
Appending the option `SPECS_DIR=/path/to/specs` enables building
packages that reside at locations other than the default `SPECS`
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* feat: add new EnableFIPS image configuration option
This commit introduces a new EnableFIPS configuration option to the
KernelCommandline image schema. EnableFIPS is a boolean option that
controls whether the image tools should configure the system with FIPS
enabled or not.
To enable FIPS on a system, 3 parts must be present:
1. The argument fips=1 must be passed to the kernel via the kernel
commandline during boot. To do this, updates are needed to the grub.cfg
to make sure the command line parameter is passed when the kernel is
loaded into memory.
2. The dracut-fips package must be installed on the system. The
dracut-fips package contains FIPS self-tests which will halt the system
if any FIPS-approved kernel crypto algorithm is not functioning as
expected.
3. A boot= argument must be passed to the kernel via the kernel command
line during boot ONLY if the partition where /boot is mounted is
separate from the rootfs. This argument is needed for dracut-fips to
locate the kernel's .hmac file, which our kernel package places in
/boot next to the kernel binary.
* docs: Add EnableFIPS documentation
* docs: add comments for bootPrefix and readOnlyRoot
Signed-off-by: Chris Co <chrco@microsoft.com>
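As an added example, not part of the commit or the image tools, the three FIPS prerequisites listed in the EnableFIPS message above can be verified on a built image with a small POSIX shell check. The function takes the kernel command line, the installed package list and whether /boot is a separate mount point as plain strings, so it runs offline on constructed data; on a live system the caller would feed it `/proc/cmdline`, `rpm -qa --qf '%{NAME}\n'` and a `findmnt /boot` result (the live invocation is an assumption, not shown by the commit).

```shell
#!/bin/sh
# Added example (not from the CBL-Mariner image tools): verify the three
# FIPS prerequisites described in the EnableFIPS commit message.

# param_value CMDLINE NAME: print the value of NAME=value on the kernel
# command line; return 1 if NAME is not present.
param_value() {
    for arg in $1; do
        case "$arg" in
            "$2"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_fips CMDLINE PKGLIST BOOT_SEPARATE
#   CMDLINE        contents of /proc/cmdline
#   PKGLIST        newline-separated installed package names
#   BOOT_SEPARATE  "yes" if /boot is its own mount point, otherwise "no"
# Prints one line per unmet requirement; returns 0 only when all are met.
check_fips() {
    cmdline=$1; pkglist=$2; boot_separate=$3; rc=0

    # 1. fips=1 must be on the kernel command line (grub.cfg carries it).
    if [ "$(param_value "$cmdline" fips)" != "1" ]; then
        echo "MISSING: fips=1 is not on the kernel command line"; rc=1
    fi

    # 2. dracut-fips must be installed; it runs the boot-time self-tests.
    if ! printf '%s\n' "$pkglist" | grep -qx 'dracut-fips'; then
        echo "MISSING: dracut-fips package is not installed"; rc=1
    fi

    # 3. boot= is required only when /boot is a separate partition, so that
    #    dracut-fips can find the kernel's .hmac file next to the kernel.
    if [ "$boot_separate" = yes ] && ! param_value "$cmdline" boot >/dev/null; then
        echo "MISSING: /boot is separate but no boot= argument is set"; rc=1
    fi

    return $rc
}

# Constructed sample inputs (not captured from a real system) for a stand-alone run.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=PARTUUID=00000000-0000-0000-0000-000000000000 fips=1 boot=LABEL=boot"
SAMPLE_PKGS="kernel
dracut
dracut-fips"
check_fips "$SAMPLE_CMDLINE" "$SAMPLE_PKGS" yes && echo "FIPS prerequisites present"
```

The check mirrors the commit's rule that a missing `boot=` is only a failure when /boot is a separate partition, so a single-partition layout passes with just `fips=1` and dracut-fips.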