Merge 3.0-dev and 3.0 (#9072)

.github/workflows/validate-cg-manifest.sh

@@ -49,7 +49,7 @@ ignore_no_source_tarball=" \
   pyproject-rpm-macros \
   python-rpm-generators \
   qt-rpm-macros \
-  sgx-backwards-compatability \
+  sgx-backwards-compatibility \
   verity-read-only-root \
   web-assets \
   "

.pipelines/containerSourceData/base/Dockerfile-Base-Template

@@ -29,4 +29,8 @@ COPY $EULA .
 COPY --from=builder /staging/etc/ /etc/
 COPY --from=builder --chown=${USER_UID}:${USER_GID} /staging/home/ /home/
 
+FROM scratch
+
+COPY --from=final / /
+
 CMD [ "bash" ]

.pipelines/containerSourceData/base/Dockerfile-Distroless-Template

@@ -28,3 +28,7 @@ COPY $EULA .
 
 COPY --from=builder /staging/etc/ /etc/
 COPY --from=builder --chown=${USER_UID}:${USER_GID} /staging/home/ /home/
+
+FROM scratch
+
+COPY --from=final / /

.pipelines/containerSourceData/scripts/BuildBaseContainers.sh

@@ -225,7 +225,7 @@ function docker_build {
     pushd "$build_dir" > /dev/null
 
     echo "+++ Build image: $image_full_name"
-    docker build . \
+    docker buildx build . \
         --build-arg BUILDER_IMAGE="$BASE_BUILDER" \
         --build-arg EULA="$EULA_FILE_NAME" \
         --build-arg BASE_IMAGE="$temp_image" \
@@ -256,7 +256,7 @@ function docker_build_marinara {
 
     sed -E "s|^FROM mcr\..*installer$|FROM $BASE_BUILDER as installer|g" -i "dockerfile-$MARINARA"
 
-    docker build . \
+    docker buildx build . \
         -t "$MARINARA_IMAGE_NAME" \
         -f dockerfile-$MARINARA \
         --build-arg AZL_VERSION="$AZL_VERSION" \

.pipelines/containerSourceData/scripts/BuildGoldenDistrolessContainer.sh

@@ -22,6 +22,13 @@ function DockerBuild {
 
     # Create container
     echo "+++ Create container $containerName"
+
+    # DOCKER_BUILDKIT=0 is set to avoid the unknown timeout error in the Azure DevOps pipeline.
+    # The error is likely caused by some BuildKit feature in version 24.0.9 of moby-engine.
+    # The error is not seen in the local environment.
+    # Setting DOCKER_BUILDKIT=0 disables BuildKit and uses the legacy builder.
+    # TODO: Remove this line once the issue is resolved.
+    export DOCKER_BUILDKIT=0
     docker build . \
         -t "$containerName" \
         -f "$marinaraSrcDir/dockerfiles/dockerfile-new-image" \
@@ -33,8 +40,7 @@ function DockerBuild {
         --build-arg USER_UID=$userUid \
         --build-arg RPMS="$rpmsDir" \
         --build-arg LOCAL_REPO_FILE="$marinaraSrcDir/local.repo" \
-        --no-cache \
-        --progress=plain
+        --no-cache
 }
 
 function create_distroless_container {

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -2389,7 +2389,7 @@
                 "rubygem-zip-zip",
                 "runc",
                 "sdbus-cpp",
-                "sgx-backwards-compatability",
+                "sgx-backwards-compatibility",
                 "shim",
                 "shim-unsigned",
                 "shim-unsigned-aarch64",
@@ -2429,9 +2429,7 @@
                 "libnvidia-container",
                 "mlnx-tools",
                 "mlx-bootctl",
-                "nvidia-container-runtime",
                 "nvidia-container-toolkit",
-                "nvidia-docker2",
                 "ofed-scripts",
                 "perftest"
             ]

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        6.6.22.1
-Release:        2%{?dist}
+Version:        6.6.29.1
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,22 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Fri May 03 2024 Rachel Menge <[email protected]> - 6.6.29.1-3
+- Bump release to match kernel
+
+* Fri May 03 2024 Rachel Menge <[email protected]> - 6.6.29.1-2
+- Bump release to match kernel
+
+* Wed May 01 2024 CBL-Mariner Servicing Account <[email protected]> - 6.6.29.1-1
+- Auto-upgrade to 6.6.29.1
+
+* Mon Apr 29 2024 Sriram Nambakam <[email protected]> - 6.6.22.1-3
+- Remove CONFIG_NF_CONNTRACK_PROCFS
+- Remove CONFIG_TRACE_IRQFLAGS
+- Remove CONFIG_TRACE_IRQFLAGS_NMI
+- Remove CONFIG_IRQSOFF_TRACER
+- Remove CONFIG_PREEMPTIRQ_TRACEPOINTS
+
 * Wed Mar 27 2024 Cameron Baird <[email protected]> - 6.6.22.1-2
 - Change aarch64 config to produce hv, xen, virtio as modules 
 - to support dracut initramfs generation on arm64 VM systems

SPECS/azurelinux-release/90-default.preset

@@ -184,3 +184,5 @@ enable cloud-init.service
 enable cloud-init-local.service
 
 enable waagent.service
+
+enable ephemeral-disk-warning.service

SPECS/azurelinux-release/azurelinux-release.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "90-default.preset": "307a6d6ab554caa22f9067cccda74afc0db0c10f0e80bdd8d0668f1bd5e3c3cc",
+  "90-default.preset": "50ed546e79e3c9f5c4f2d4a9796255537f4900d5d1d78c0564fbe7362634531b",
   "90-default-user.preset": "7cf8f4d2ca1760e04ff46bd2444609cfd27a7ab456be2f9e73b0f89c284e134d",
   "99-default-disable.preset": "3127b197b9eae62eb84eeed69b0413419612238332006183e36a3fba89578378",
   "15-azurelinux-default.conf": "63a46ecbed4b92f996718ea9202e914ff119c2c06fdaeed3d1e2710aabc663b4"

SPECS/azurelinux-release/azurelinux-release.spec

@@ -5,7 +5,7 @@
 Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        %{dist_version}.0
-Release:        10%{?dist}
+Release:        12%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -118,6 +118,12 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/
 %{_sysctldir}/*.conf
 
 %changelog
+* Thu May 09 2024 Sam Meluch <[email protected]> - 3.0-12
+- Azure Linux 3.0 May Preview Release 1
+
+* Tue May 07 2024 Sudipta Pandit <[email protected]> - 3.0-11
+- Enable ephemeral-disk-warning.service in 90-default-target
+
 * Wed Apr 24 2024 Sam Meluch <[email protected]> - 3.0-10
 - Azure Linux 3.0 April Preview Release 4
 

SPECS/docker-buildx/docker-buildx.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "docker-buildx-0.12.1.tar.gz": "9cc176ed55e7c423c23de35bd31df3b449261f1b90765c17f003bd4de86a6aa4"
+    "docker-buildx-0.14.0.tar.gz": "9ed27d47b728288500ba2535366792d9b006354e02178688360919663f92b63e"
   }
 }

SPECS/docker-buildx/docker-buildx.spec

@@ -3,7 +3,7 @@
 Summary:        A Docker CLI plugin for extended build capabilities with BuildKit
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
-Version:        0.12.1
+Version:        0.14.0
 Release:        1%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
@@ -44,6 +44,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Thu May 02 2024 CBL-Mariner Servicing Account <[email protected]> - 0.14.0-1
+- Auto-upgrade to 0.14.0 - address CVE-2024-23653
+
 * Tue Feb 27 2024 Henry Beberman <[email protected]> - 0.12.1-1
 - Rename package from moby-buildx to docker-buildx
 - Upgrade to version 0.12.1