From 03d7cb92f043a784550d34c48b22d6953ad4f478 Mon Sep 17 00:00:00 2001 From: "flowzone-app[bot]" <124931076+flowzone-app[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:23:06 +0000 Subject: [PATCH] v6.0.36 --- .versionbot/CHANGELOG.yml | 853 ++++++++++---------------------------- CHANGELOG.md | 5 + VERSION | 2 +- 3 files changed, 236 insertions(+), 624 deletions(-) diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index 5c7d464b6..d1be83296 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml @@ -1,3 +1,17 @@ +- commits: + - subject: Add GHA Built Test Deploy workflows + hash: 63da15aab286fbbaf279de76335f54ce51b9c380 + body: "" + footer: + Changelog-entry: Add GHA Built Test Deploy workflows + changelog-entry: Add GHA Built Test Deploy workflows + Signed-off-by: Ryan Cooke + signed-off-by: Ryan Cooke + author: rcooke-warwick + nested: [] + version: 6.0.36 + title: "" + date: 2024-11-21T15:23:00.113Z - commits: - subject: Update layers/meta-balena to f95917dab4a9e2f6b7e6830c22ba26d461fac816 hash: 786a29d846b7ef2828e35bccae20b59e4d78cda1 @@ -3817,15 +3831,11 @@ nested: [] - subject: "os-helpers-tpm2: specify TCTI backend" hash: c4eb9d7f6ad412bd74d77ece0e534c8dd2dd6fac - body: > - Specify the TCTI backend [0], which also silences error messages - from - + body: | + Specify the TCTI backend [0], which also silences error messages from trying unsupported backends - - [0] - https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md + [0] https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md footer: Change-type: patch change-type: patch @@ -4439,38 +4449,21 @@ nested: [] - subject: "os-helpers: compute_pcr7: merge event log digests" hash: e10d67084621e5ce10f14557f2466e91ff684b41 - body: > + body: | The main variables measured into PCR7 to ensure secure boot - - configuration integrity are the state and EFI vars, including - PK, KEK, - + configuration integrity are the state and EFI vars, including PK, KEK, db, dbx, etc. - - However, some systems have firmware that will measure other, - unexpected - - events, such as "DMA Protection Disabled" (related to a Windows - feature - + However, some systems have firmware that will measure other, unexpected + events, such as "DMA Protection Disabled" (related to a Windows feature [0]), or "Unknown event type" with strange data. - - These events can't be predicted, and other devices may have - different - - measured events that aren't compliant with the TCG spec, so - attempt to - - check the TPM event log and extend our digest with any unknown - events - + These events can't be predicted, and other devices may have different + measured events that aren't compliant with the TCG spec, so attempt to + check the TPM event log and extend our digest with any unknown events that fit the bill. - - [0] - https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt + [0] https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt footer: Change-type: patch change-type: patch @@ -4896,9 +4889,8 @@ - commits: - subject: "automation/balena-deploy: Pin to known working version of balena-img" hash: 927310397896f35bd1921202e8b1f30ba3ef47d8 - body: > - As per internal thread - https://balena.zulipchat.com/#narrow/stream/345890-balena-io/topic/Jenkins.20build.20failures/near/409602914 + body: | + As per internal thread https://balena.zulipchat.com/#narrow/stream/345890-balena-io/topic/Jenkins.20build.20failures/near/409602914 footer: Change-type: patch change-type: patch @@ -5177,15 +5169,9 @@ - commits: - subject: Remove dependency on @balena/happy-eyeballs hash: 08727ed2b5f67c55b2469d3ee5c5e2857119521b - body: > - Node 20 now implements the happy eyeballs algorithm as - part of its core - - `net` module, with the - [autoSelectFamily](https://nodejs.org/docs/latest-v20.x/api/net.html#netgetdefaultautoselectfamily) - option of `socket.connect`. This option defaults to - `true`, meaning that a separate - + body: | + Node 20 now implements the happy eyeballs algorithm as part of its core + `net` module, with the [autoSelectFamily](https://nodejs.org/docs/latest-v20.x/api/net.html#netgetdefaultautoselectfamily) option of `socket.connect`. This option defaults to `true`, meaning that a separate implementation of happy eyeballs is no longer needed. footer: Change-type: patch @@ -5527,15 +5513,10 @@ - subject: "resin-init-flasher: Allow building images for non-flasher devices that have internal storage" hash: 3a887512b343b80208196f6792a48f81d1a8c8f9 - body: > - As per the internal thread: - https://balena.zulipchat.com/#narrow/stream/360838-balena-io.2Fos.2Fdevices/topic/balena-raspberrypi.20jenkins.20build.20failures/near/423970246 - + body: | + As per the internal thread: https://balena.zulipchat.com/#narrow/stream/360838-balena-io.2Fos.2Fdevices/topic/balena-raspberrypi.20jenkins.20build.20failures/near/423970246 - Currently devices with on-board storage fail to build in - jenkins, if they don't provide a flasher image. One example is - the CM4. Since there are multiple devices using this - configuration, let's re-enable builds for all of them. + Currently devices with on-board storage fail to build in jenkins, if they don't provide a flasher image. One example is the CM4. Since there are multiple devices using this configuration, let's re-enable builds for all of them. footer: Change-type: patch change-type: patch @@ -5614,17 +5595,10 @@ - commits: - subject: Fix support for rsync deltas hash: 24e222045ac511cd4fbb3be66e57eb678a29d854 - body: > - Rsync (v2) deltas have been broken since [Supervisor - v14](https://github.com/balena-os/balena-supervisor/commit/460c3ba0aab31d18a02e3f5dda1838691768c494). - While considered legacy, - - they are still used by a few customers with devices - running OS < 2.47.1. - - This should fix v2 delta support for those devices until - we can - + body: | + Rsync (v2) deltas have been broken since [Supervisor v14](https://github.com/balena-os/balena-supervisor/commit/460c3ba0aab31d18a02e3f5dda1838691768c494). While considered legacy, + they are still used by a few customers with devices running OS < 2.47.1. + This should fix v2 delta support for those devices until we can completely remove rsync deltas from the supervisor footer: Change-type: patch @@ -5699,39 +5673,19 @@ - commits: - subject: Add special case for base DTO params on RPI config hash: 6e6a796da5ecc846248eae4c8495bc626964c038 - body: > - While ordering is important in the RPI firmware - configuration file (config.txt), - - some dt params are by default considered part of the - base dt overlay - + body: | + While ordering is important in the RPI firmware configuration file (config.txt), + some dt params are by default considered part of the base dt overlay if they are not used by other overlays. - - Unfortunately the [list of - dtparams](https://github.com/raspberrypi/firmware/blob/master/boot/overlays/README#L133) - - is too long to add all of them as exceptions, but we can - add the params - - used in the default config.txt provided in OS images, to - avoid reboots - - when updating to this new supervisor and correctly - parsing the - + Unfortunately the [list of dtparams](https://github.com/raspberrypi/firmware/blob/master/boot/overlays/README#L133) + is too long to add all of them as exceptions, but we can add the params + used in the default config.txt provided in OS images, to avoid reboots + when updating to this new supervisor and correctly parsing the provisioning config.txt as variables. - - While this addition handles most common scenarios, there - is still a - - chance a user may have use other base overlay dt params - in the initial - - config, in which case those will be interpreted - according to the - + While this addition handles most common scenarios, there is still a + chance a user may have use other base overlay dt params in the initial + config, in which case those will be interpreted according to the relative ordering footer: Change-type: patch @@ -8608,16 +8562,12 @@ - commits: - subject: 'Revert "kernel-balena: Remove apparmor support"' hash: ddc94ae58072323cf94ac39d6c2d16c78ff794d8 - body: > - This is no longer needed after the balena_os/balena-engine - commit: - + body: | + This is no longer needed after the balena_os/balena-engine commit: https://github.com/balena-os/balena-engine/commit/ed8ba18e8776a7bf37b3326baeca8196b4ea76b0 - released in balena-engine v20.10.39 - This reverts commit 18cd233a83554b58b3540164afd768fdeda60b03. footer: Change-type: patch @@ -11566,12 +11516,9 @@ - commits: - subject: "linux/kernel-devsrc: Fix aarch64 kernel-headers-test build" hash: 65abb381ec266066b24f53fa3119dd47ec8af1a3 - body: > + body: | This fix has been ported from the following upstream - - change: - https://patchwork.yoctoproject.org/project/oe-core/patch/002c31d6add77e1002fb1ccd4050ce826a654170.1659653543.git.bruce.ashfield@gmail.com/ - + change: https://patchwork.yoctoproject.org/project/oe-core/patch/002c31d6add77e1002fb1ccd4050ce826a654170.1659653543.git.bruce.ashfield@gmail.com/ and fixes the following compilation error on generic-aarch64: make[1]: *** No rule to make target 'arch/arm64/tools/gen-sysreg.awk', @@ -12294,21 +12241,15 @@ - commits: - subject: "kernel-devsrc: fix for v6.1+" hash: 1687110706cbde4a4d968afb04b3abc07e5c7eaa - body: > + body: | Adapted as a bbappend from: - https://git.yoctoproject.org/poky/commit/meta/recipes-kernel/linux/kernel-devsrc.bb?id=2be1b5d7d38d72c35ec593b98366d128fe5ce12c - The 6.1 kernel has a number of Kbuild and architecture changes - that required us to update our devsrc recipe. With these changes - we are once again able to build on target modules for all - supported archectures. - (From OE-Core rev: a3972b3f919400a12bb9a546ae98092cbfdcdbb8) footer: Change-type: patch @@ -13681,10 +13622,8 @@ - commits: - subject: Fix LED support for ISG-503 hash: 8c779e12dbb16892528af17d8749cff1902146ad - body: > - The LED support was incorrectly changed in - https://github.com/balena-io/contracts/commit/4bb6eb1f732957e605f00e47b068199f14ff1765 - + body: | + The LED support was incorrectly changed in https://github.com/balena-io/contracts/commit/4bb6eb1f732957e605f00e47b068199f14ff1765 Let's switch it back to unsupported. footer: Change-type: patch @@ -15688,24 +15627,13 @@ - commits: - subject: Log uncaught promise exceptions on the app entry hash: 676464142690da2e36a810cb35e4ea4d0d751636 - body: > - Node 15 [changed the way it treats unhandled promise - rejections](https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V15.md#throw-on-unhandled-rejections---33021) - from a warning to a throw. - - For this reason errors like a corrupt migration - directory, that happens when trying to - - roll back to a previous supervisor version were no - longer showing a - - message but dumping the full minimized code into the - journal logs. - - - This PR adds a catchall on app.ts to log the exception - and throw an exit + body: | + Node 15 [changed the way it treats unhandled promise rejections](https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V15.md#throw-on-unhandled-rejections---33021) from a warning to a throw. + For this reason errors like a corrupt migration directory, that happens when trying to + roll back to a previous supervisor version were no longer showing a + message but dumping the full minimized code into the journal logs. + This PR adds a catchall on app.ts to log the exception and throw an exit code of 1. footer: Change-type: patch @@ -15718,15 +15646,10 @@ - commits: - subject: Fix assertion error in restart-service hash: b9e1464d96824f5332c71324d753d94ddbdecf90 - body: > - From: - https://github.com/balena-os/balena-supervisor/pull/2153/commits/c0b4fafe842115933b1da9b4d68e601a19c3e4eb - - Restart-service checks that both services have restarted - in its test assertion, which is - - incorrect as restart-service should only restart one - service. + body: | + From: https://github.com/balena-os/balena-supervisor/pull/2153/commits/c0b4fafe842115933b1da9b4d68e601a19c3e4eb + Restart-service checks that both services have restarted in its test assertion, which is + incorrect as restart-service should only restart one service. footer: Change-type: patch change-type: patch @@ -16170,20 +16093,14 @@ nested: [] - subject: Make sure balenaEngine owns the container cgroups hash: 5efa793c5af63ef177de95b8b4251799b0de7f40 - body: > - Setting `Delegate=yes` ensures that systemd will not change - anything on - + body: | + Setting `Delegate=yes` ensures that systemd will not change anything on the cgroups created for running the containers. - This setting is used upstream since this commit: - https://github.com/moby/moby/commit/d16737f971092767c1b9d28302a3f5aedbe2f576 - - And also is recommended by systemd: - https://systemd.io/CGROUP_DELEGATION/ + And also is recommended by systemd: https://systemd.io/CGROUP_DELEGATION/ footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -16743,9 +16660,8 @@ - commits: - subject: "kernel-balena: Include NFS V2, V3 and V4 client and server modules" hash: 54c4090b518bccfdba0b635ead129502572685be - body: > + body: | As per internal discussion thread - https://balena.zulipchat.com/#narrow/stream/345882-_help/topic/.E2.9C.94.20nfs.20.283.20or.204.29.20on.20jetson.20nano/near/342072698 footer: Change-type: patch @@ -16760,23 +16676,15 @@ - commits: - subject: "dunfell+: remove obsolete systemd patch" hash: f649288c2b284cb06081d296e52b4562f512107b - body: > + body: | The patch applied to systemd addressed this upstream moby issue: - https://github.com/moby/moby/issues/27202 - This was fixed in containerd 1.0.2: - https://github.com/containerd/console/pull/10/commits/c358734ec94e72903243bd1c9034874a1de09424 - - This fix is present in balena engine since v17.13.5, which has - been in - - use since commit 53ce147. Drop this patch from - meta-balena-dunfell and - + This fix is present in balena engine since v17.13.5, which has been in + use since commit 53ce147. Drop this patch from meta-balena-dunfell and later. footer: Change-type: patch @@ -17088,15 +16996,11 @@ - commits: - subject: "balena-image-flasher: Default image type to balenaos-img" hash: 36750c1d0e75d82ec096faeff6d61579c075e0c4 - body: > - This avoids device repositories having to specify it, and it can - always - + body: | + This avoids device repositories having to specify it, and it can always be overwritten in append files. - - This change is an extension of - https://github.com/balena-os/meta-balena/commit/a3c276a1058d05e66991871bf167079fc2824843 + This change is an extension of https://github.com/balena-os/meta-balena/commit/a3c276a1058d05e66991871bf167079fc2824843 footer: Change-type: patch change-type: patch @@ -17350,19 +17254,13 @@ nested: [] - subject: trigger deploy builds on multi-digit revisions too hash: 098f59502e25a6dbac85a625c23dfcdbbf6706a3 - body: > + body: | According to github action syntax [1], there is no special character - to denote a match on zero or more of the preceding character, so - replace `[0-9]?` which only matches zero or one of the preceding - characters with a `*`. - - [1] - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet - + [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet [skip ci] footer: @@ -18272,42 +18170,21 @@ nested: [] - subject: Reference networks by Id instead of by name hash: 180c4ff31ad719fb2b00217548514d42a4b5c4cf - body: > - We have seen a few times devices with duplicated network - names for some - - reason. While we don't know the cause the networks get - duplicates, - - this is disruptive of updates, as the supervisor usually - queries - - resource by name, resulting in a 400 error from the - engine because of - + body: | + We have seen a few times devices with duplicated network names for some + reason. While we don't know the cause the networks get duplicates, + this is disruptive of updates, as the supervisor usually queries + resource by name, resulting in a 400 error from the engine because of the ambiguity. - - This replaces those queries by name to queries by id. - This includes - - network removal. If a `removeNetwork` step is generated, - the supervisor - - opts to remove all instances of the network with the - same name as it - + This replaces those queries by name to queries by id. This includes + network removal. If a `removeNetwork` step is generated, the supervisor + opts to remove all instances of the network with the same name as it cannot easily resolve the ambiguity. - - This doesn't solve the problem of ambiguous networks, - because even if - - networks are referenced by id when creating a container, - the engine will - - throw an error (see - https://github.com/balena-os/balena-supervisor/issues/590#issuecomment-1423557871) + This doesn't solve the problem of ambiguous networks, because even if + networks are referenced by id when creating a container, the engine will + throw an error (see https://github.com/balena-os/balena-supervisor/issues/590#issuecomment-1423557871) footer: Change-type: patch change-type: patch @@ -19212,9 +19089,8 @@ - commits: - subject: "efitools: backport patch to fix build failure" hash: 4497229d9d3435384564cde802a3d16cbc47300c - body: > + body: | Copied from buildroot mailing list: - http://lists.busybox.net/pipermail/buildroot/2021-April/610255.html footer: Change-type: patch @@ -20151,16 +20027,12 @@ - commits: - subject: Discontinue Blackboard TX2 and N310 TX2 hash: a3298cd279625a45c3de1b4f2f4bd641f696542b - body: > + body: | These boards do not have any platform - registrations and have not been maintained - by contributors for more than 6 months. - - Internal discussion: - https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/322934815 + Internal discussion: https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/322934815 footer: Changelog-entry: Discontinue Blackboard TX2 and N310 TX2 changelog-entry: Discontinue Blackboard TX2 and N310 TX2 @@ -20199,15 +20071,11 @@ - commits: - subject: "redsocks: Increase maximum number of open files" hash: e90b9159ed5f0dac3d9fe1b1b486201ee85f1161 - body: > - This increases the number of open connections that redsocks can - support - + body: | + This increases the number of open connections that redsocks can support to a new maximum of 2048. - - See - https://github.com/darkk/redsocks/blob/19b822e345f6a291f6cff6b168f1cfdfeeb2cd7d/base.c#L419 + See https://github.com/darkk/redsocks/blob/19b822e345f6a291f6cff6b168f1cfdfeeb2cd7d/base.c#L419 footer: Change-type: patch change-type: patch @@ -21020,35 +20888,22 @@ - commits: - subject: "Engine healthcheck: deal with empty uuid file" hash: 345d1440d34fe042f03884c4ae32f0ba7e7768e8 - body: > - In rare cases (believed to be caused by a non-atomic file - creation and - - writing operation in containerd), we end up with an empty file - at - + body: | + In rare cases (believed to be caused by a non-atomic file creation and + writing operation in containerd), we end up with an empty file at `/mnt/data/docker/containerd/daemon/io.containerd.grpc.v1.introspection/uuid`. - - This causes `ctr version` (and hence the health check) to fail. - See - + This causes `ctr version` (and hence the health check) to fail. See https://github.com/balena-os/balena-engine/issues/322 - This commit addresses this issue in two ways: - - 1. Before running `ctr version`, we check if the uuid file - exists and is + 1. Before running `ctr version`, we check if the uuid file exists and is empty. If so, we remove it. (The subsequent execution of `ctr version` by the healthcheck will create the file again.) - 2. After running `ctr version`, we check if the uuid file was - really + 2. After running `ctr version`, we check if the uuid file was really created and is not empty. - In both cases, when an empty uuid file is detected, we log the - event to - + In both cases, when an empty uuid file is detected, we log the event to help us confirm our hypothesis about the root cause. footer: Signed-off-by: Leandro Motta Barros @@ -21625,13 +21480,10 @@ - commits: - subject: "floyd-Nano: Discontinue device type" hash: b8e8092d7d405f3d73f801e9d80aabcf93c7c2d6 - body: > + body: | This DT has not been maintained by the contributor - since support was added. Marking it as discontinued - - as per internal discussion - https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/315939998 + as per internal discussion https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/315939998 footer: Signed-off-by: Alexandru Costache signed-off-by: Alexandru Costache @@ -22319,21 +22171,14 @@ - subject: "core: Reduce to 30 the retries number when trying to get the IP address of the DUT" hash: 02b270e1c55429c7316a9c65f70362185bbe3aec - body: > - Instead of retrying to get the DUT IP address 120 times - on a 1 seconds interval, - - let's reduce it to 30 times because the - resolveLocalTarget which we call will - + body: | + Instead of retrying to get the DUT IP address 120 times on a 1 seconds interval, + let's reduce it to 30 times because the resolveLocalTarget which we call will timeout too in 15 seconds: - https://github.com/balena-os/leviathan-worker/blob/master/lib/helpers/index.ts#L162 - - So reducing the retries number to 30 will effectly bring - the total combined timeout to a maximum of 8 minutes. + So reducing the retries number to 30 will effectly bring the total combined timeout to a maximum of 8 minutes. footer: Change-type: patch change-type: patch @@ -23705,12 +23550,10 @@ - commits: - subject: "wpa-supplicant: Sync with v2.10 from upstream" hash: 5464be07070bbc4a06a4d432250dd70b2b2e1522 - body: > + body: | Synced from: - http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/wpa-supplicant?id=3a43c2a82881688d85238464db371f695e60b572 - Closes #2838 footer: Change-type: patch @@ -24261,39 +24104,21 @@ - commits: - subject: "ntp: Remove race condition from directory creation" hash: 5fd19e26d35d7160e2531277a9a14e194d0b95c6 - body: > - Chronyd checks that the directory specified as `sourcedir` in - `chrony.conf` - - (in this case `/var/chrony`) is not world accessible if it - exists (chrony - - will create it correctly if it does not exist), and does not - start - + body: | + Chronyd checks that the directory specified as `sourcedir` in `chrony.conf` + (in this case `/var/chrony`) is not world accessible if it exists (chrony + will create it correctly if it does not exist), and does not start if that's the case. - - The way that the `/var/chrony` is created when it does not exist - opens - - the possibility of the directory existing with the wrong - permissions and - + The way that the `/var/chrony` is created when it does not exist opens + the possibility of the directory existing with the wrong permissions and hitting this problem. - - This commit creates the directory with the correct permissions - from the - + This commit creates the directory with the correct permissions from the start to avoid the race condition. - - It also changes the permissiong from 750 to 770 to match what - chrony - + It also changes the permissiong from 750 to 770 to match what chrony does (see - https://github.com/mlichvar/chrony/blob/7b197953e8add5515b7e58c4638dc55aa4bb91b7/conf.c#L1761) footer: Change-type: patch @@ -27848,18 +27673,13 @@ - commits: - subject: "hostapp-update-hooks: Rework bootfiles blacklist" hash: 7b523caa0099530c45b4d9981d31ca6c72a76262 - body: > + body: | We may have cases when for some boards we do not want - to have all these files blacklisted. See for example - https://github.com/balena-os/balena-rockpi/commit/b5eadcfb3a296eea2554dc0cbdd16002d51c5169 - In conclusion, we rework how the blacklist is constructed - - so that users of meta-balena can alter this list as they see - fit. + so that users of meta-balena can alter this list as they see fit. footer: Change-type: patch change-type: patch @@ -31139,27 +30959,17 @@ - commits: - subject: "kernel-balena: Disable building gcc plugins" hash: bd8d2de9983f47e46ffa0e689be88c5b12e46617 - body: > - Since - https://github.com/raspberrypi/linux/commit/1eee36a5520b5a89fb4d0d6af6f9cb0217a3164f - + body: | + Since https://github.com/raspberrypi/linux/commit/1eee36a5520b5a89fb4d0d6af6f9cb0217a3164f was merged and included in kernel versions after 5.10.84, - building the kernel-modules-headers fails due to various missing - headers from the gmp and mpc packages. This problem is visible - only after upgrading to a newer kernel, because until now the - gcc plugins kernel config was not enabled at all, due to the - failed check in the above mentioned patch. - Since we are not using the functions provided - by the gcc plugins anyway, we can disable this - config. footer: Change-type: patch @@ -34680,10 +34490,8 @@ - commits: - subject: Add recipes for TPM2 tools hash: baddbd39fd17d364ebfd69bf139980ca82abc8ba - body: > - Taken from - http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/meta-tpm/recipes-tpm2 - + body: | + Taken from http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/meta-tpm/recipes-tpm2 Only add the recipes, let DTs pull it as necessary. footer: Change-type: patch @@ -34777,19 +34585,13 @@ - commits: - subject: "dosfstools: selectively apply upstreamed patch" hash: 8f04f1142bcb3074d86e2827dfda6c7d8c87fefd - body: > - This patch was submitted and accepted upstream, and is present - since - + body: | + This patch was submitted and accepted upstream, and is present since v4.2. - https://github.com/dosfstools/dosfstools/commit/87a8f29785bb605350821f1638a42e6cf3e49ce3 - - This fixes a build error applying a patch that's already been - applied - + This fixes a build error applying a patch that's already been applied when building newer versions of dosfstools. footer: Change-type: patch @@ -34883,12 +34685,10 @@ - commits: - subject: Update balena-engine to v19.03.30 hash: abf610e022eeac709c054e4fb672b850ef08a940 - body: > + body: | Fixes EINVAL errors caused by sockets during storage migration, - https://github.com/balena-os/balena-engine/commit/17a198cb53a53da456c848bf303dc3917ca538c5 - Update balena-engine from 19.03.29 to 19.03.30 footer: Changelog-entry: Update balena-engine to v19.03.30 @@ -35153,39 +34953,21 @@ - commits: - subject: "common: conf: create disable-user-ns distro feature" hash: 7dde2133a5b1df710255b8b0471385cca1449c1d - body: > - When user namespacing was enabled in the kernel by default, a - separate - - commit [0] was introduced to disable the feature at runtime, to - allow - + body: | + When user namespacing was enabled in the kernel by default, a separate + commit [0] was introduced to disable the feature at runtime, to allow users/administrators to explicitly choose to enable it, avoiding - potential security implications. - - However, some applications such as Chromium's sandbox, require - either - - SUID or user namespacing to work. Disabling this feature on - boards - - that previously enabled it necessitates container modifications - and - + However, some applications such as Chromium's sandbox, require either + SUID or user namespacing to work. Disabling this feature on boards + that previously enabled it necessitates container modifications and potentially breaks previously working applications. - - Create a distro feature to disable user namespacing by default - in - - meta-balena, while allowing device types to keep it enabled to - maintain - + Create a distro feature to disable user namespacing by default in + meta-balena, while allowing device types to keep it enabled to maintain compatibility with their original behavior. - https://github.com/balena-os/meta-balena/commit/31c3ae8ad5c7ad45e450349b6972524da120e96c footer: Change-type: patch @@ -35256,9 +35038,8 @@ - commits: - subject: "Dockerfile_yocto-build-env: Install Honister host deps" hash: efc069c609431965394912d3ffd34362a1108852 - body: > - See - http://docs.yoctoproject.org/next/migration-guides/migration-3.4.html#new-host-dependencies + body: | + See http://docs.yoctoproject.org/next/migration-guides/migration-3.4.html#new-host-dependencies footer: Change-type: patch change-type: patch @@ -35732,13 +35513,9 @@ - commits: - subject: Backport platform-detection fixes from containerd hash: 9f71253561b1cd2f262ec0d6e81c5fbd09a7a0a1 - body: > + body: | See https://github.com/containerd/containerd/pull/4530 - - and `git log - ad25c1a9c34361e4071f508b9a91946b05fce165^..2055e12953bb538228d8d9fe627fa545d7cf82be - ./platforms/` - + and `git log ad25c1a9c34361e4071f508b9a91946b05fce165^..2055e12953bb538228d8d9fe627fa545d7cf82be ./platforms/` in the containerd repo footer: Change-type: patch @@ -35944,22 +35721,13 @@ - commits: - subject: Bump path-parse from 1.0.6 to 1.0.7 hash: 2e38356bf4f5157483017ea2e6670514cbca49c1 - body: > - Bumps - [path-parse](https://github.com/jbgutierrez/path-parse) - from 1.0.6 to 1.0.7. - - - [Release - notes](https://github.com/jbgutierrez/path-parse/releases) - - - - [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7) - + body: | + Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7. + - [Release notes](https://github.com/jbgutierrez/path-parse/releases) + - [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7) --- - updated-dependencies: - - dependency-name: path-parse dependency-type: indirect ... @@ -35975,24 +35743,14 @@ - commits: - subject: Bump tar from 4.4.13 to 4.4.19 hash: b7cb494602fbd050bb9e31b5e8293a080349562c - body: > - Bumps [tar](https://github.com/npm/node-tar) from 4.4.13 - to 4.4.19. - - - [Release - notes](https://github.com/npm/node-tar/releases) - - - - [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md) - - - - [Commits](https://github.com/npm/node-tar/compare/v4.4.13...v4.4.19) - + body: | + Bumps [tar](https://github.com/npm/node-tar) from 4.4.13 to 4.4.19. + - [Release notes](https://github.com/npm/node-tar/releases) + - [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md) + - [Commits](https://github.com/npm/node-tar/compare/v4.4.13...v4.4.19) --- - updated-dependencies: - - dependency-name: tar dependency-type: indirect ... @@ -36543,47 +36301,25 @@ - commits: - subject: Fix regression with local mode push hash: 6f5f3bc2f3aea1bf5e5772533be80c3bfbb4e3a9 - body: > - PR #1749 introduced a bug when pushing local target - state. An update to - - the [image name - normalization](https://github.com/balena-os/balena-supervisor/blob/f1bd4b8d9bcef29e326cbf97eaddd837c2704d19/src/lib/docker-utils.ts#L81) - - failed to consider the local image name format. This - results in mangling - - of image names in the database, i.e. the image - `ubuntu:latest` is stored - - as `/ubuntu:latest`. This causes an exception to be - returned by the - + body: | + PR #1749 introduced a bug when pushing local target state. An update to + the [image name normalization](https://github.com/balena-os/balena-supervisor/blob/f1bd4b8d9bcef29e326cbf97eaddd837c2704d19/src/lib/docker-utils.ts#L81) + failed to consider the local image name format. This results in mangling + of image names in the database, i.e. the image `ubuntu:latest` is stored + as `/ubuntu:latest`. This causes an exception to be returned by the dockerode `getImage('/ubuntu:latest').inspect()` call. - - This sends the supervisor into a crash loop and is shown - on the supervisor - + This sends the supervisor into a crash loop and is shown on the supervisor journal logs as - ``` - getaddrinfo ENOTFOUND images at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:64:26) ``` - - Unfortunately if this happens on a user device, since - the mangled image - - name is already on the database, the easiest way to fix - is to remove the - - supervisor database and let the supervisor recreate it. - Deleting the - + Unfortunately if this happens on a user device, since the mangled image + name is already on the database, the easiest way to fix is to remove the + supervisor database and let the supervisor recreate it. Deleting the database should be side effect free. footer: Change-type: patch @@ -38355,30 +38091,17 @@ - commits: - subject: "balena-engine: refactor systemd service" hash: 8227a61f6bef6d93cc6a5acd0ef93a2012079964 - body: > - This makes it easier to overwrite the arguments passed in the - engine - - unit from drop-in overwrites. See the development image drop-in - unit for - + body: | + This makes it easier to overwrite the arguments passed in the engine + unit from drop-in overwrites. See the development image drop-in unit for reference. - - Using `systemctl edit --runtime balena.service`, which puts - those - - overwrites into `/run/systemd/system/balena.service.d/`, it - would be - - possible to modify the runtime behavior of the engine without - remounting - + Using `systemctl edit --runtime balena.service`, which puts those + overwrites into `/run/systemd/system/balena.service.d/`, it would be + possible to modify the runtime behavior of the engine without remounting the rootfs to be writeable. - - See - https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path + See https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path footer: Change-type: patch change-type: patch @@ -39636,17 +39359,11 @@ - commits: - subject: Bump ssri from 6.0.1 to 6.0.2 hash: ae8dc8ff227237444ae532cf7e817bfc463fbac5 - body: > - Bumps [ssri](https://github.com/npm/ssri) from 6.0.1 to - 6.0.2. - + body: | + Bumps [ssri](https://github.com/npm/ssri) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/npm/ssri/releases) - - - - [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md) - - - - [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2) + - [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md) + - [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2) footer: Change-type: patch change-type: patch @@ -40690,13 +40407,11 @@ nested: [] - subject: "dnsmasq: update to 2.84 with dnspooq fix" hash: 3afbe8dfbbaf9f73a09048e0350622535befa0a8 - body: > + body: | https://github.com/balena-os/meta-balena/issues/2099 - Copy dnsmasq 2.84 recipe and files from this upstream patch: - http://cgit.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/dnsmasq?id=3e28a31bb479f292b9a052a3d2eee84c49319ee3 footer: Change-type: patch @@ -41214,37 +40929,22 @@ - commits: - subject: replace busybox ps with procps [klutchell] hash: 00556af37cf241e2b95d9b719f1ab58cc9bbddb6 - body: > + body: | Replace busybox ps link with ps.procps without installing - any other procps packages. This will avoid regression and bloat - from swapping existing busybox links with procps variants. - By using procps as docker expects we can properly handle ps args - - such as -e and -o to format output. Busybox is only capable of - this - + such as -e and -o to format output. Busybox is only capable of this when compiled in "desktop" mode. - - This upstream commit to poky has already split the ps binary - into - + This upstream commit to poky has already split the ps binary into a separate procps package: + - https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=507a47a4e5077d5f8f76d9629be6b871dfd8eb90 - - - https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=507a47a4e5077d5f8f76d9629be6b871dfd8eb90 - - - So for now we can copy this recipe at the commit above into - compat branches - - and use that version until we pick up a branch newer than - gatesgarth. + So for now we can copy this recipe at the commit above into compat branches + and use that version until we pick up a branch newer than gatesgarth. footer: Change-type: patch change-type: patch @@ -41563,14 +41263,11 @@ nested: [] - subject: "gen_mod_headers: add missing arch headers to tools" hash: 5485f1fbc901a04eedbcc3b72cc95fdfb2d03665 - body: > + body: | Upstream changes to the kernel have switched to a shared x86 - insn decoder required by tools/objtool so we must add those - include and lib components to our target dir. - https://lore.kernel.org/lkml/20190830201021.utzjr6cs5hoxygyi@treble/T/ footer: Change-type: patch @@ -41679,18 +41376,12 @@ nested: [] - subject: "hostapp-update-hooks: Add supervisor database fix" hash: f3e7e164cf095218c1f92f2afecdd186cbbdfadd - body: > + body: | When adding hostapp extension support to mobynit, in: - https://github.com/balena-os/meta-balena/commit/6be3f1153d56c1c0c21e6d84db7be70be96bcd10 - - the supervisor database was relocated by mistake. On this - version the database - - returns to its original place, and these hooks copy the old - database to the - + the supervisor database was relocated by mistake. On this version the database + returns to its original place, and these hooks copy the old database to the new location to avoid data loss. footer: Change-type: patch @@ -41817,12 +41508,10 @@ nested: [] - subject: "systemd: add missing udev rules" hash: 02b48c9523ff5ed36cc2cfd94225ea4234649371 - body: > + body: | https://github.com/balena-os/poky/commit/e3cd4e584239c207e3c82bdf5d7216d26fd28fc7 - - add missing udev rules since systemd began including rules - explicitly + add missing udev rules since systemd began including rules explicitly footer: Change-type: patch change-type: patch @@ -41844,12 +41533,10 @@ nested: [] - subject: "dropbear: prevent conflicts with openssh" hash: 169c1652e46e3a31d4f96bb98cbcf8240f3453ca - body: > + body: | [https://github.com/balena-os/poky/commit/d365948ebd76625f82ef04e77d35bcfeced42fec] - - Dropbear is still required to migrate keys. Avoid the upstream - conflict with openssh. + Dropbear is still required to migrate keys. Avoid the upstream conflict with openssh. footer: Change-type: patch change-type: patch @@ -41908,15 +41595,11 @@ nested: [] - subject: "u-boot: disable u-boot-initial-env" hash: 9346f58cdd73924aec4279861ff43611c125ab5d - body: > + body: | https://github.com/balena-os/poky/commit/d7b8ae3faa9344f2ada22e0402066c2fff5958c6 - - We have no use for u-boot-initial-env and enabling it would - require - - additional changes in do_compile to match the commit linked - above. + We have no use for u-boot-initial-env and enabling it would require + additional changes in do_compile to match the commit linked above. footer: Change-type: patch change-type: patch @@ -41926,9 +41609,8 @@ nested: [] - subject: "dnsmasq: fix build after y2038 changes in glib" hash: fca86497476cf3d275ae3d4f8274d51b6b96a9b8 - body: > + body: | SIOCGSTAMP is defined in linux/sockios.h, not asm/sockios.h - http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3052ce208acf602f0163166dcefb7330d537cedb footer: Change-type: patch @@ -42036,15 +41718,11 @@ - commits: - subject: "zram-swap-init: adjust default to lesser of 50%/4GB" hash: 155af3386029a0e76b74ee60d58c32ba72073a82 - body: > - Copied from Fedora zram defaults [0]. This may be adjusted later - after - + body: | + Copied from Fedora zram defaults [0]. This may be adjusted later after doing our own profiling. - - [0] - https://fedoraproject.org/wiki/Changes/SwapOnZRAM#Default_zram_device_configuration: + [0] https://fedoraproject.org/wiki/Changes/SwapOnZRAM#Default_zram_device_configuration: footer: Change-type: minor change-type: minor @@ -44771,15 +44449,10 @@ - commits: - subject: Bump elliptic from 6.5.2 to 6.5.3 hash: c11004cd24fe66e6af7f16a79c0cc9e8847eb415 - body: > - Bumps [elliptic](https://github.com/indutny/elliptic) - from 6.5.2 to 6.5.3. - - - [Release - notes](https://github.com/indutny/elliptic/releases) - - - - [Commits](https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3) + body: | + Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.2 to 6.5.3. + - [Release notes](https://github.com/indutny/elliptic/releases) + - [Commits](https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3) footer: Change-type: patch change-type: patch @@ -45182,15 +44855,10 @@ - commits: - subject: Bump lodash from 4.17.15 to 4.17.19 hash: 01655b595555ae63ea1b70d623451c9ad3ec03dd - body: > - Bumps [lodash](https://github.com/lodash/lodash) from - 4.17.15 to 4.17.19. - - - [Release - notes](https://github.com/lodash/lodash/releases) - - - - [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19) + body: | + Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19. + - [Release notes](https://github.com/lodash/lodash/releases) + - [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19) footer: Change-type: patch change-type: patch @@ -45543,19 +45211,13 @@ - subject: Use --mount instead of --volume for bind mounts to the supervisor container. hash: 0fd442943d6b6c802df2f6e35d334ecde0f748e9 - body: > - This makes sure the source path refers to an existing - file/directory on - + body: | + This makes sure the source path refers to an existing file/directory on the host. - https://docs.docker.com/engine/reference/commandline/service_create/#differences-between---mount-and---volume - - This avoids situations where --volume implicitely creates a - directory (see #1748) - + This avoids situations where --volume implicitely creates a directory (see #1748) Fixes #1754 footer: @@ -46401,30 +46063,17 @@ - commits: - subject: Add label to expose gpu to container hash: ae646a07ec6a6c96f7cb91f1d37898a94dbab47a - body: > - In the absence of an upstream implementation of the - DeviceRequest API introduced - - as part of Docker API v1.40 we roll our own using a - feature label. - - - As per my comment in the code, we fall back to the - default behavior of - - docker cli's `--gpu` and request single device with the - `gpu` capabilty. - - The only implementation at the moment is the NVIDIA - driver; here: + body: | + In the absence of an upstream implementation of the DeviceRequest API introduced + as part of Docker API v1.40 we roll our own using a feature label. + As per my comment in the code, we fall back to the default behavior of + docker cli's `--gpu` and request single device with the `gpu` capabilty. + The only implementation at the moment is the NVIDIA driver; here: https://github.com/balena-os/balena-engine/blob/master/daemon/nvidia_linux.go - Background on the composefile implementation: - https://github.com/compose-spec/compose-spec/issues/74 - https://github.com/docker/compose/issues/6691 footer: Change-type: patch @@ -48843,15 +48492,10 @@ - commits: - subject: Bump acorn from 5.7.3 to 5.7.4 hash: f8363fc72b21386cc3561be576d8f21ec0463c89 - body: > - Bumps [acorn](https://github.com/acornjs/acorn) from - 5.7.3 to 5.7.4. - - - [Release - notes](https://github.com/acornjs/acorn/releases) - - - - [Commits](https://github.com/acornjs/acorn/compare/5.7.3...5.7.4) + body: | + Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4. + - [Release notes](https://github.com/acornjs/acorn/releases) + - [Commits](https://github.com/acornjs/acorn/compare/5.7.3...5.7.4) footer: Change-type: patch change-type: patch @@ -49839,14 +49483,10 @@ author: Alex Gonzalez - subject: Update openvpn to v2.4.7 hash: 5c7d3ae1296636dae7b0de67a9c0f8c66d996d1c - body: > + body: | Fetched from: - - * - https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn_2.4.7.bb?id=c1c8895609ae70a1b735e8625c19046c25184ee4 - - * - https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn/openvpn?id=910891d722085c56c474ac72788898b94c5ed193 + * https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn_2.4.7.bb?id=c1c8895609ae70a1b735e8625c19046c25184ee4 + * https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn/openvpn?id=910891d722085c56c474ac72788898b94c5ed193 footer: Connects-to: "#1740" connects-to: "#1740" @@ -50076,19 +49716,13 @@ author: Pagan Gazzard - subject: Add leading new line for PACKAGE_INSTALL variable hash: e79c470b3eaa8d6e763103fa20858fbed61ff292 - body: > + body: | Without the leading space, the last package name - of the PACKAGE_INSTALL variable from other recipes, - is concatenated with the one added in this recipe resulting - in the following error - opkg_prepare_url_for_install - Couldn't find anything to satisfy - 'kernel-module-sdhci-pciinitramfs-module-console-null-workaround' footer: Change-type: patch @@ -50205,9 +49839,8 @@ author: Will Boyce - subject: Add wpa-supplicant recipe and update to v2.9 hash: 139f76b73918e12aa8082896a7a017d2ad5df739 - body: > - Fetched from - http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/wpa-supplicant?id=95507898ad6a7b88c83ef376c1cb8b3b3a685c96 + body: | + Fetched from http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/wpa-supplicant?id=95507898ad6a7b88c83ef376c1cb8b3b3a685c96 footer: Connects-to: "#1711" connects-to: "#1711" @@ -51427,17 +51060,12 @@ author: Andrei Gherzan - subject: Fix kernel-devsrc on thud when kernel version < 4.10 hash: c4cd6307ac3ae86a8d34b91d9dc82b6d3310db9b - body: > - Thud breaks when building against kernel version < 4.10. This is - a known - + body: | + Thud breaks when building against kernel version < 4.10. This is a known issue which is fixed in poky warrior[1]. This patch includes a - workaround for thud. - - [1] - http://lists.openembedded.org/pipermail/openembedded-core/2019-February/278695.html + [1] http://lists.openembedded.org/pipermail/openembedded-core/2019-February/278695.html footer: Change-type: patch change-type: patch @@ -51530,31 +51158,17 @@ author: Zubair Lutfullah Kakakhel - subject: Use all.rp_filter=2 as the default value in balenaOS hash: 2fe90f3316a9394db0a060ec976d23fa97d4f00a - body: > - This change backports a PR[1] that is already in systemd and - will come - + body: | + This change backports a PR[1] that is already in systemd and will come included by default from the version in Yocto warrior. - - In summary, with this change we fix newer NM which stopped - handling - - rp_filter when connected to multiple interfaces. See "device: - disable - - rp_filter handling" commit from NM. Without this change, only - the - - default route will me usable and binding to a specific interface - will - - break connectivity if that interface is not also the default - route for - + In summary, with this change we fix newer NM which stopped handling + rp_filter when connected to multiple interfaces. See "device: disable + rp_filter handling" commit from NM. Without this change, only the + default route will me usable and binding to a specific interface will + break connectivity if that interface is not also the default route for the target IP. - [1]https://github.com/systemd/systemd/pull/10971/commits/6caa14f763c11630f28d587b3caa5f0e6dc96165 footer: Change-type: minor @@ -51619,18 +51233,11 @@ author: Zubair Lutfullah Kakakhel - subject: Set both VERSION_ID and VERSION in os-release to host OS version hash: 40347f618b3b70ccc5f40e924990197ae9fa7e6b - body: > - VERSION and VERSION_ID had a slightly different semantics in - balenaOS. - - VERSION was referring to the BalenaOS (host OS) version (which - is coming from - - device repositories) while VERSION_ID was set to the - DISTRO_VERSION. - + body: | + VERSION and VERSION_ID had a slightly different semantics in balenaOS. + VERSION was referring to the BalenaOS (host OS) version (which is coming from + device repositories) while VERSION_ID was set to the DISTRO_VERSION. This brings confusion so we change it to adhere to - https://www.freedesktop.org/software/systemd/man/os-release.html. footer: Change-type: minor diff --git a/CHANGELOG.md b/CHANGELOG.md index fba49e481..0acf93dac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ Change log ----------- +# v6.0.36 +## (2024-11-21) + +* Add GHA Built Test Deploy workflows [rcooke-warwick] + # v6.0.13 ## (2024-08-26) diff --git a/VERSION b/VERSION index 50e9dae02..421bcd07f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.0.13 \ No newline at end of file +6.0.36 \ No newline at end of file