From a5e3fc17b748e9e40386e2e4cdea9959b9f7389a Mon Sep 17 00:00:00 2001 From: "flowzone-app[bot]" <124931076+flowzone-app[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 02:37:42 +0000 Subject: [PATCH] v5.1.49 --- .versionbot/CHANGELOG.yml | 4291 +++++++++++++++++++++++++------------ CHANGELOG.md | 31 + VERSION | 2 +- 3 files changed, 2921 insertions(+), 1403 deletions(-) diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index 0f81c19af..06205436f 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml 
@@ -1,3 +1,74 @@ +- commits: + - subject: Update layers/meta-balena to 069243961adb123830eb4073a6245b2fa1e6f8b3 + hash: ed51a3a2b45efffa72af9a1f4b85be7a5dec6354 + body: Update layers/meta-balena + footer: + Changelog-entry: Update layers/meta-balena to 069243961adb123830eb4073a6245b2fa1e6f8b3 + changelog-entry: Update layers/meta-balena to 069243961adb123830eb4073a6245b2fa1e6f8b3 + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: Update tests/leviathan digest to a677d89 + hash: cb9142269bc348e6c0dbe99dfc8b95d4215c0cf4 + body: Update tests/leviathan + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: Update Lock file maintenance + hash: fad1b73fe8752efee01764264b4aecfd88faf584 + body: | + Update + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.29.64 + title: "" + date: 2024-03-04T02:11:20.831Z + version: meta-balena-5.1.49 + title: "" + date: 2024-03-06T18:33:42.003Z + - commits: + - subject: "hostapp-update-hooks: Soft include balena-config-defaults" + hash: a6cd568a3b3aec127e2ef5b9b480b657a3ea246e + body: > + a203bcdfd567c0cc4b4ed9de493513142cd7463f introduced a dependency + + on /usr/sbin/balena-config-defaults to hostapp-update-hooks, + however + + during HUP the script is not only executed in the "new" OS + container + + but directly in the context of the "old" OS as well, so + + /usr/sbin/balena-config-defaults needs to exist there. + + The file was introduced in balenaOS v2.99.28, so trying to HUP + + from anything before that will fail. + + + This patch changes this to a soft dependency so even if the file + + is missing HUP will continue. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + version: meta-balena-5.1.48 + title: "" + date: 2024-03-06T08:25:08.800Z + version: 5.1.49 + title: "" + date: 2024-03-07T02:37:37.118Z - commits: - subject: pass input parameters to common esr workflow hash: 15641ae8eb7f5137b0945ae6bc665115384617a6 @@ -118,7 +189,8 @@ by UUID and assumes that only a single device is returned. This - assumption breaks when the root is on a MD RAID1 device as not only + assumption breaks when the root is on a MD RAID1 device as not + only the virtual MD device holds a filesystem with the given UUID, @@ -174,7 +246,10 @@ https://balena.zulipchat.com/#narrow/stream/360838-balena-io.2Fos.2Fdevices/topic/balena-raspberrypi.20jenkins.20build.20failures/near/423970246 - Currently devices with on-board storage fail to build in jenkins, if they don't provide a flasher image. One example is the CM4. Since there are multiple devices using this configuration, let's re-enable builds for all of them. + Currently devices with on-board storage fail to build in + jenkins, if they don't provide a flasher image. One example is + the CM4. Since there are multiple devices using this + configuration, let's re-enable builds for all of them. footer: Change-type: patch change-type: patch @@ -216,9 +291,11 @@ RPI firmware configuration allows repeating overlays to define - configurations on multiple devices. For instance, for configuring + configurations on multiple devices. For instance, for + configuring - multiple `ads` devices, `config.txt` needs to be setup this way + multiple `ads` devices, `config.txt` needs to be setup + this way ``` 
@@ -230,11 +307,14 @@ ``` - Before this change, the supervisor would interpret both lines as + Before this change, the supervisor would interpret both + lines as - belonging to the same overlay, preventing users from configuring multiple + belonging to the same overlay, preventing users from + configuring multiple - devices, and leading to a loop when trying to apply configurations with + devices, and leading to a loop when trying to apply + configurations with repeated overlays coming from the cloud side. footer: @@ -253,9 +333,11 @@ v14](https://github.com/balena-os/balena-supervisor/commit/460c3ba0aab31d18a02e3f5dda1838691768c494). While considered legacy, - they are still used by a few customers with devices running OS < 2.47.1. + they are still used by a few customers with devices + running OS < 2.47.1. - This should fix v2 delta support for those devices until we can + This should fix v2 delta support for those devices until + we can completely remove rsync deltas from the supervisor footer: @@ -291,13 +373,17 @@ Previously, getBootConfig() of the config.txt backend was omitting - array configurations such as gpio settings, thus resulting in the SV + array configurations such as gpio settings, thus + resulting in the SV - mistakenly assuming that boot config had not been applied, since gpio + mistakenly assuming that boot config had not been + applied, since gpio - would not be in current config.txt config but would be in target config. + would not be in current config.txt config but would be + in target config. - This resulted in SV entering an infinite loop of attempting to apply the + This resulted in SV entering an infinite loop of + attempting to apply the gpio config when it wasn't necessary. footer: 
@@ -331,26 +417,34 @@ While ordering is important in the RPI firmware configuration file (config.txt), - some dt params are by default considered part of the base dt overlay + some dt params are by default considered part of the + base dt overlay if they are not used by other overlays. - Unfortunately the [list of dtparams](https://github.com/raspberrypi/firmware/blob/master/boot/overlays/README#L133) + Unfortunately the [list of + dtparams](https://github.com/raspberrypi/firmware/blob/master/boot/overlays/README#L133) - is too long to add all of them as exceptions, but we can add the params + is too long to add all of them as exceptions, but we can + add the params - used in the default config.txt provided in OS images, to avoid reboots + used in the default config.txt provided in OS images, to + avoid reboots - when updating to this new supervisor and correctly parsing the + when updating to this new supervisor and correctly + parsing the provisioning config.txt as variables. - While this addition handles most common scenarios, there is still a + While this addition handles most common scenarios, there + is still a - chance a user may have use other base overlay dt params in the initial + chance a user may have use other base overlay dt params + in the initial - config, in which case those will be interpreted according to the + config, in which case those will be interpreted + according to the relative ordering footer: 
@@ -364,23 +458,29 @@ DT overlays and DT params need to be consumed in the order that they - appear on the file. DT params apply to the last dtoverlay defined on the + appear on the file. DT params apply to the last + dtoverlay defined on the file, or to the base overlay. - This commit updates config.txt parsing to consider this ordering, and it + This commit updates config.txt parsing to consider this + ordering, and it - also ensures global dtparams are written first so they cannot be + also ensures global dtparams are written first so they + cannot be overriden by later overlays. - Because of the more strict parsing method, it is possible that existing + Because of the more strict parsing method, it is + possible that existing - HOST_CONFIG vars do not match the interpretation of the parser. If + HOST_CONFIG vars do not match the interpretation of the + parser. If - that's the case, the supervisor will re-apply the target state which + that's the case, the supervisor will re-apply the target + state which will cause the device to reboot. footer: @@ -568,7 +668,8 @@ Calling `cryptsetup resize` on LUKS2 actually prompts for a password - and it is not needed as the partition will auto-expand on unlock. + and it is not needed as the partition will auto-expand on + unlock. footer: Change-type: patch change-type: patch @@ -665,7 +766,8 @@ This helper file is to be overwritten by device integration layers - to provide hostOS update customizations for secure boot devices that + to provide hostOS update customizations for secure boot devices + that split the boot partition into encrypted and non-encrypted. footer: @@ -682,7 +784,8 @@ The flasher image is now able to self-install when launched from an - external storage. This is useful for use cases where an installation + external storage. This is useful for use cases where an + installation steps that re-partitions/encrypts disk is required for example. footer: 
@@ -797,18 +900,23 @@ During HUP, rollback-health-breadcrumb and rollback-altboot-breadcrumb - are created in the state partition to trigger rollback-health and + are created in the state partition to trigger rollback-health + and - rollback-altboot respectively on the next boot. After these services + rollback-altboot respectively on the next boot. After these + services complete, they will remove these breadcrumbs. - Make the broken init fallback tests wait for these services to become + Make the broken init fallback tests wait for these services to + become - inactive before testing the state of the breadcrumbs. Otherwise, a race + inactive before testing the state of the breadcrumbs. Otherwise, + a race - condition can make these tests fail. Most notably on slower systems, + condition can make these tests fail. Most notably on slower + systems, such as emulated generic-aarch64. footer: 
@@ -965,36 +1073,47 @@ The balena bootloader initramfs contains the rootfs module and that - will get the rootfs mounted but not checked first for errors. This is + will get the rootfs mounted but not checked first for errors. + This is - problematic because at first boot with network connectivity available, + problematic because at first boot with network connectivity + available, - time will sync but the rootfs will still have the last mount time in + time will sync but the rootfs will still have the last mount + time in - 1970. If at that point the rootfs gets corrupted then at next boot + 1970. If at that point the rootfs gets corrupted then at next + boot - the rootfs' initramfs module from balena-bootloader will try to mount + the rootfs' initramfs module from balena-bootloader will try to + mount - the rootfs without checking it first and then after that the filesystem + the rootfs without checking it first and then after that the + filesystem - check triggered by the fsck module from the actual kernel initramfs will + check triggered by the fsck module from the actual kernel + initramfs will fail like this: - [init][INFO] Running filesystem checks on partition resin-rootA (/dev/disk/by-state/resin-rootA) + [init][INFO] Running filesystem checks on partition resin-rootA + (/dev/disk/by-state/resin-rootA) resin-rootA contains a file system with errors, check forced. - resin-rootA: Inodes that were part of a corrupted orphan linked list found. + resin-rootA: Inodes that were part of a corrupted orphan linked + list found. resin-rootA: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY. (i.e., without -a or -p options) - This commit will add the fsck module to balena bootloader's initramfs + This commit will add the fsck module to balena bootloader's + initramfs - which will trigger filesystem checks before the rootfs module runs. + which will trigger filesystem checks before the rootfs module + runs. footer: Change-type: patch change-type: patch 
@@ -1098,7 +1217,8 @@ Also update containerd component from balena-containerd to also use - runc v1.1.12. Also update dependencies as indicated from balena-runc go.mod. + runc v1.1.12. Also update dependencies as indicated from + balena-runc go.mod. footer: Change-type: patch change-type: patch @@ -1247,14 +1367,16 @@ This fixes rollback-health failures for boards like the Jetson Seeeed - J4012, which updates efivars for capsule updates from container hooks + J4012, which updates efivars for capsule updates from container + hooks and not from the current OS hooks. While the actual HUP works because of /sys being bindmounted by - hostapp-update, rollbacks will fail to run the old OS hooks unless + hostapp-update, rollbacks will fail to run the old OS hooks + unless efivarfs is mounted. footer: @@ -1348,14 +1470,18 @@ Moby v25 adds the dynamically generated MAC address to the Config field, - which breaks the state engine, preventing the state from settling as the + which breaks the state engine, preventing the state from + settling as the - current state never matches the target state (empty mac address). This + current state never matches the target state (empty mac + address). This - seems to be a bug in Moby that we reported in moby/moby#47228 + seems to be a bug in Moby that we reported in + moby/moby#47228 - The issue won't affect Balena devices until balenaEngine is updated, and this + The issue won't affect Balena devices until balenaEngine + is updated, and this change fixes testing for now. footer: @@ -1369,7 +1495,8 @@ From docker 25, the engine will validate IPAM config. This would cause - the docker utils test to fail since the network/subnet configuration was + the docker utils test to fail since the network/subnet + configuration was incorrect. footer: 
@@ -1407,7 +1534,8 @@ The tsserver lsp doesn't seem to work well with .editorconfig. Using - prettierrc will allow formatting to work correctly with editor plugins + prettierrc will allow formatting to work correctly with + editor plugins This also updates editorconfig to work well with json @@ -1430,7 +1558,8 @@ to be used as the balena bootloader. Device types are expected - to inherit it and perform additional device-specific configuration. + to inherit it and perform additional device-specific + configuration. footer: Change-type: patch change-type: patch @@ -1444,9 +1573,11 @@ The kexec initrd script currently removes the maxcpus=0 kernel arg - which we use to put the system into non-SMP mode. This however does + which we use to put the system into non-SMP mode. This however + does - not work on all platforms and nr_cpus=1 seems to be a more robust + not work on all platforms and nr_cpus=1 seems to be a more + robust solution, so with this patch nr_cpus will be removed as well. footer: 
@@ -1531,20 +1662,26 @@ body: > At this moment there is a race condition between NetworkManager - and the engine when a shared interface is configured. If the interface + and the engine when a shared interface is configured. If the + interface - is configured first and the engine second, the containers are allowed + is configured first and the engine second, the containers are + allowed - to access DHCP hosts behind the shared interface. If the engine comes + to access DHCP hosts behind the shared interface. If the engine + comes up first and the shared interface second, access will be denied. - This patch adds a dispatcher script that always configures the firewall + This patch adds a dispatcher script that always configures the + firewall - rules as if the engine came up last. This does not really address + rules as if the engine came up last. This does not really + address - the underlying issue but it overcomes the race condition and makes + the underlying issue but it overcomes the race condition and + makes the behavior deterministic, which is good enough at this point. footer: @@ -1668,7 +1805,8 @@ UEFI firmware in secure boot needs to authenticate the kernel plus - initramfs in the chain of trust. Other firmware implements secure boot + initramfs in the chain of trust. Other firmware implements + secure boot differently and does not need this. footer: @@ -1861,12 +1999,14 @@ This is meant to allow users to configure their device to - resolve `.local` queries via dnsmasq by modifying config.json, e.g. `dnsServers": + resolve `.local` queries via dnsmasq by modifying + config.json, e.g. `dnsServers": "/bob.local/172.17.0.33`. - This would fail before as MDNS lookups would always come first + This would fail before as MDNS lookups would always come + first footer: Change-type: minor change-type: minor 
@@ -1908,15 +2048,20 @@ The `updateMetadata` step renames the container to match the target - release when the service doesn't change between releases. We have seen + release when the service doesn't change between + releases. We have seen - this step fail because of an engine bug that seems to relate to the + this step fail because of an engine bug that seems to + relate to the - engine keeping stale references after container restarts. The only way + engine keeping stale references after container + restarts. The only way - around this issue is to remove the old container and create it again. + around this issue is to remove the old container and + create it again. - This implements that workaround during the updateMetadata step to deal + This implements that workaround during the + updateMetadata step to deal with that issue. footer: @@ -2117,7 +2262,8 @@ There have been reports of an empty config vars cache file - probably - because of a race condition when the reading of config.json happens just + because of a race condition when the reading of config.json + happens just as the file is being replaced. @@ -2213,7 +2359,8 @@ If update-balena-supervisor runs and finds the image is already downloaded - it will run the specified supervisor but will not check that supervisor.conf + it will run the specified supervisor but will not check that + supervisor.conf is updated so the version will revert on the next update. footer: @@ -2233,12 +2380,14 @@ This provides an easy switch to enable tracing on HUP hooks that works - both on old and new OS hooks as enabling it depends on a config.json + both on old and new OS hooks as enabling it depends on a + config.json setting. - It is meant to debug field issues with HUP failure where all we see is: + It is meant to debug field issues with HUP failure where all we + see is: ``` 
@@ -2358,27 +2507,35 @@ (see https://github.com/systemd/systemd/pull/17917). - Properly detecting this is too cumbersome for a bash logging script, + Properly detecting this is too cumbersome for a bash logging + script, - see https://github.com/systemd/systemd/pull/17902, however, falling + see https://github.com/systemd/systemd/pull/17902, however, + falling - back to the last check, that is, seeing if `/.dockerenv` exists is easy + back to the last check, that is, seeing if `/.dockerenv` exists + is easy enough and works for our use case. - This script will only be called from the hostOS, and the only case it is + This script will only be called from the hostOS, and the only + case it is - called from a container is during HUP and the container is always a hostOS + called from a container is during HUP and the container is + always a hostOS - image. So even though the interface chosen by moby, a file under /, + image. So even though the interface chosen by moby, a file under + /, - is a bad interface in general, it works fine for the specific limitations + is a bad interface in general, it works fine for the specific + limitations of balenaOS. - Also, check for `/run/.containerenv` which is the equivalent interface + Also, check for `/run/.containerenv` which is the equivalent + interface for podman for future proofing. footer: 
@@ -2483,13 +2640,17 @@ Whenever the Supervisor reports current state, it diffs the current state - with its last reported current state. However, when the Supervisor starts + with its last reported current state. However, when the + Supervisor starts - up, there is no last reported state, since that last report is stored in + up, there is no last reported state, since that last + report is stored in - process memory. Caching the last report in a location that survives + process memory. Caching the last report in a location + that survives - Supervisor restarts will reduce the current report bandwidth used on startup. + Supervisor restarts will reduce the current report + bandwidth used on startup. footer: Change-type: patch change-type: patch @@ -2528,11 +2689,14 @@ We previously tried to use a single time limit for the execution of the - healthcheck test on all device types. This was causing occasional false + healthcheck test on all device types. This was causing + occasional false - positives in our Continuous Integration pipeline, though -- especially + positives in our Continuous Integration pipeline, though -- + especially - on slow devices like Pi Zeros and the generic-aarch64, which runs on + on slow devices like Pi Zeros and the generic-aarch64, which + runs on emulated hardware. @@ -2540,7 +2704,8 @@ This commit addresses this issue, this commit: - 1. Limits execution for device types for which we have collected enough + 1. Limits execution for device types for which we have collected + enough data to have a good idea of how long the test should take. 2. Uses time limits specific for each device type. footer: 
@@ -2570,11 +2735,14 @@ PR #2217 removed the expose configuration but also caused a regresion - where ports set via the `ports` configuration would no longer get + where ports set via the `ports` configuration would no + longer get - exposed to the host, despite portmappings being set. This fixes that + exposed to the host, despite portmappings being set. + This fixes that - issue by exposing only those ports comming from port mappings. + issue by exposing only those ports comming from port + mappings. footer: Change-type: patch change-type: patch 
@@ -2590,33 +2758,44 @@ The docker EXPOSE directive and corresponding docker-compose `expose` - service configuration serves as documentation/metadata that a container + service configuration serves as documentation/metadata + that a container - listens on a certain port that may be used for service discovery but it doesn't + listens on a certain port that may be used for service + discovery but it doesn't have any real impact on the ability for - other containers on the same network to access the exposed service via + other containers on the same network to access the + exposed service via - the port. In newer engine implementations, this property may conflict + the port. In newer engine implementations, this property + may conflict - with other network configurations, and prevent the container from being + with other network configurations, and prevent the + container from being started by the docker engine (see #2211). - This PR removes code that would manage the expose property and takes the + This PR removes code that would manage the expose + property and takes the - property out of the whitelist. A composition with the `expose` property + property out of the whitelist. A composition with the + `expose` property - will result in the log message `Ignoring unsupported or unknown compose fields: expose`. + will result in the log message `Ignoring unsupported or + unknown compose fields: expose`. - While this change should not have operational impact, it still removes + While this change should not have operational impact, it + still removes - a previously supported configuration and as such there is a chance of it + a previously supported configuration and as such there + is a chance of it - being a breaking change for some applications. For this reason it is + being a breaking change for some applications. For this + reason it is being published as a new major version. footer: 
@@ -2755,17 +2934,21 @@ The code moved from meta-balena-kirkstone was not really specific to - kirkstone so let's move it here so that future branches for newer yocto + kirkstone so let's move it here so that future branches for + newer yocto - releases which we'll base off kirkstone don't continue to add this + releases which we'll base off kirkstone don't continue to add + this unneeded duplication. There are other meta-balena-* directories that still contain the - duplication we moved from meta-balena-kirkstone but we're not really + duplication we moved from meta-balena-kirkstone but we're not + really - concerned with that because going forward those old directories will + concerned with that because going forward those old directories + will naturally get deprecated. footer: @@ -2847,12 +3030,14 @@ body: > If the target supervisor image is already cached but there is no - container running with it, the update script would just exit without + container running with it, the update script would just exit + without actually running the target supervisor. - This commit checks whether there is a running container using the + This commit checks whether there is a running container using + the target image and restarts the supervisor if there is none. footer: @@ -3002,7 +3187,8 @@ This check is now done in the cryptsetup initramfs hook rather than - during installation, which obviates the need to perform it during setup. + during installation, which obviates the need to perform it + during setup. Remove it. footer: 
@@ -3018,14 +3204,17 @@ During installation, some firmwares may allow keys to be enrolled but - fail to tip the system into user mode until the system is rebooted. We + fail to tip the system into user mode until the system is + rebooted. We - don't want to mislead users with only full-disk encryption into thinking + don't want to mislead users with only full-disk encryption into + thinking their system also has secure boot enabled when it doesn't. - Disable the hook to unlock encrypted partitions if the firmware fails to + Disable the hook to unlock encrypted partitions if the firmware + fails to boot into user mode. footer: @@ -3041,7 +3230,8 @@ We now have several places where secure boot specific configuration is - checked. Create an os-helpers-secureboot package to consolidate and + checked. Create an os-helpers-secureboot package to consolidate + and reuse this code. footer: @@ -3222,7 +3412,8 @@ This script is used by balenaHup to report provisioning failures to - the cloud. Adding retries, return status code check and error output + the cloud. Adding retries, return status code check and error + output should make it more resilient and easier to debug. footer: @@ -3392,13 +3583,17 @@ This reverts commit 0c7bad779291e15e419166a2c66c2a21dd06aa83, as that - change causes a service restart loop. The supervisor cannot distinguish + change causes a service restart loop. The supervisor + cannot distinguish - between ports exposed via the `EXPOSE` directive and the docker-compose + between ports exposed via the `EXPOSE` directive and the + docker-compose - `expose` property. Because of this, in the case of `network-mode: + `expose` property. Because of this, in the case of + `network-mode: - service:<...>` the current state and target state never match, leading + service:<...>` the current state and target state never + match, leading to a service restart loop. footer: 
@@ -3440,13 +3635,17 @@ The supervisor exposes ports configured using the `EXPOSE` directive in - the dockerfile when configuring the container for runtime. This can + the dockerfile when configuring the container for + runtime. This can - cause issues if using `network_mode: service:` as the + cause issues if using `network_mode: service:` as the - expose configuration is not compatible with that network mode. This + expose configuration is not compatible with that network + mode. This - fix now skips image exposed ports for that particular network mode. + fix now skips image exposed ports for that particular + network mode. footer: Change-type: patch change-type: patch @@ -3497,7 +3696,8 @@ devDependencies are tree-shaked, while dependencies are stored in the - image. We reserve dependencies just for those that contain binary + image. We reserve dependencies just for those that + contain binary bindings footer: @@ -3861,12 +4061,15 @@ body: > When searching for devices matching the glob list in - get_internal_device(), a glob match breaks from a nested loop rather + get_internal_device(), a glob match breaks from a nested loop + rather - than the parent loop, allowing the function to output multiple matches. + than the parent loop, allowing the function to output multiple + matches. - When running the flasher, this results in the script failing with an + When running the flasher, this results in the script failing + with an incorrect path to the internal disk. @@ -4065,7 +4268,8 @@ Alpine allows the `~=` syntax to match a part of the package version - when installing. In this case we want to use it to specify node and + when installing. In this case we want to use it to + specify node and npm major versions footer: 
@@ -4135,7 +4339,8 @@ security reasons. - This new balenaOS ESR bot has contents:write and workflows:write permissions + This new balenaOS ESR bot has contents:write and workflows:write + permissions but is only available on balenaOS repositories. footer: @@ -4292,16 +4497,19 @@ This is done by the bootloader (uboot/grub) at this moment but as we - are moving towards the balena 2nd stage bootloader, it needs to be + are moving towards the balena 2nd stage bootloader, it needs to + be moved into the initramfs. - This adds a standalone recipe - by default yocto tries to build all + This adds a standalone recipe - by default yocto tries to build + all modules defined in the initramfs-framework recipe, which breaks - on armv7 when abroot is defined there. This is because it depends + on armv7 when abroot is defined there. This is because it + depends on grub-editenv which is not supported on armv7. footer: @@ -4330,9 +4538,11 @@ body: > The rootfs script uses both os-helpers-fs and os-helpers-logging - though the package depends on neither. This seems to work now because + though the package depends on neither. This seems to work now + because - in most cases something else pulls in the dependencies or the code + in most cases something else pulls in the dependencies or the + code on a particular device does not fall under the branches that use @@ -4760,10 +4970,12 @@ This commit updates balena-containerd to a new version in which we - cherry-picked the change from here: https://github.com/containerd/containerd/pull/8086 + cherry-picked the change from here: + https://github.com/containerd/containerd/pull/8086 - This change avoids enabling AppArmor if the `/sbin/apparmor_parser` + This change avoids enabling AppArmor if the + `/sbin/apparmor_parser` binary is not found in the system. footer: 
@@ -4895,7 +5107,8 @@ The meta-balena version of modemmanager is no longer compatible with - Yocto Pyro, so stop trying to apply bbappend to it from meta-balena. + Yocto Pyro, so stop trying to apply bbappend to it from + meta-balena. footer: Change-type: patch change-type: patch @@ -5503,7 +5716,8 @@ The node-dbus module is unmaintained and a blocker for the update to - Node 18. Switching to our own node bindings for systemd solves this + Node 18. Switching to our own node bindings for systemd + solves this issue footer: @@ -5556,7 +5770,8 @@ mobile-broadband-provider-info 'master' branch was renamed to 'main', - causing do_fetch() to fail before it was changes in Yocto Kirkstone + causing do_fetch() to fail before it was changes in Yocto + Kirkstone commit e4795393c4882cf38273521539cc255a4ffcb34a. footer: @@ -5673,7 +5888,8 @@ Verify kernel lockdown prohibits loading of unsigned modules, and still - loads modules with a signature that validates against a trusted key. + loads modules with a signature that validates against a trusted + key. footer: Change-type: patch change-type: patch 
@@ -5797,24 +6013,31 @@ 314047e and b5c5214 made flasher block until the resin-device-register - service exits and made resin-device-register give up after 6 seconds + service exits and made resin-device-register give up after 6 + seconds - not to block infinitely when no network is available. This effectively + not to block infinitely when no network is available. This + effectively - means that if the device fails to register within first 6 seconds, + means that if the device fails to register within first 6 + seconds, - it will never retry, flasher will not report status to the dashboard + it will never retry, flasher will not report status to the + dashboard and the device will only register on first boot. - This patch changes the logic back to resin-device-register trying + This patch changes the logic back to resin-device-register + trying - in the background in an infinite loop and moves the "give the device + in the background in an infinite loop and moves the "give the + device a chance to register" delay to flasher itself. It also extends - the wait to openvpn as flasher already does that and wants VPN to run + the wait to openvpn as flasher already does that and wants VPN + to run to be debuggable - in case flashing fails, it would be possible 
@@ -5880,32 +6103,40 @@ CONIFG_SECURITY=n - which is mispelled and not being applied. The commit where this was + which is mispelled and not being applied. The commit where this + was - introduced claims it's needed to completely disable the audit logs, and + introduced claims it's needed to completely disable the audit + logs, and also that the security framework is unused. - I disagree in that it's unused - the hostOS is not using any security + I disagree in that it's unused - the hostOS is not using any + security - framework, but applications may, so luckily the security framework was + framework, but applications may, so luckily the security + framework was never disabled. - Removing this mispelled entry should have no functional effect. Whether + Removing this mispelled entry should have no functional effect. + Whether the audit subsystem is disabled will depend on the final kernel - configuration. Definitely we have not seen a need to disable it recently, + configuration. Definitely we have not seen a need to disable it + recently, and we have not seen the kernel log flooded with messages. - I'd argue the disabling of the audit subsystem in meta-balena serves no + I'd argue the disabling of the audit subsystem in meta-balena + serves no - need but I also have no specific reason to remove it at the moment. + need but I also have no specific reason to remove it at the + moment. Fixes #2947 @@ -5955,7 +6186,8 @@ The flasher/installer image can be configured by the user and that - configuration finishes up in the installed image. Add the dispatcher + configuration finishes up in the installed image. Add the + dispatcher scripts to this existing mechanim. footer: @@ -5971,7 +6203,8 @@ On boot, the dispatcher script are copied from the boot partition where - the user has configured them, to the bind mount used by the running + the user has configured them, to the bind mount used by the + running applications. footer: 
@@ -6005,18 +6238,23 @@ At this moment grub.cfg sources /grub/grub_extraenv which works fine - on MBR systems, however on EFI systems this does not work because GRUB + on MBR systems, however on EFI systems this does not work + because GRUB is installed in /EFI/BOOT/ rather than /grub/. - This patch replaces the hardcoded /grub with ${prefix} which should + This patch replaces the hardcoded /grub with ${prefix} which + should - expand to the appropriate directory regardless of the platform. It also + expand to the appropriate directory regardless of the platform. + It also - removes the loading of grub_extraenv from the secure boot variant + removes the loading of grub_extraenv from the secure boot + variant - of the GRUB config since this would not load without a signature anyway. + of the GRUB config since this would not load without a signature + anyway. footer: Change-type: patch change-type: patch @@ -6045,7 +6283,8 @@ body: > This fix has been ported from the following upstream - change: https://patchwork.yoctoproject.org/project/oe-core/patch/002c31d6add77e1002fb1ccd4050ce826a654170.1659653543.git.bruce.ashfield@gmail.com/ + change: + https://patchwork.yoctoproject.org/project/oe-core/patch/002c31d6add77e1002fb1ccd4050ce826a654170.1659653543.git.bruce.ashfield@gmail.com/ and fixes the following compilation error on generic-aarch64: @@ -6088,7 +6327,8 @@ body: > Repackage iwlwifi-cc-a0 to include all firmware versions shipped - upstream, rather than only an older version (48) that's no longer + upstream, rather than only an older version (48) that's no + longer shipped as of 20230404. footer: @@ -6117,7 +6357,8 @@ body: > Replace older versioned iwlwifi packages with - linux-firmware-iwlwifi-3160 package that includes all versions shipped + linux-firmware-iwlwifi-3160 package that includes all versions + shipped in linux-firmware. footer: 
@@ -6136,7 +6377,8 @@ body: > Some board BSPs may define UBOOT_MACHINE, others UBOOT_CONFIG, - let's make sure we include the extra_uEnv.txt file in the non-flasher + let's make sure we include the extra_uEnv.txt file in the + non-flasher image for both cases. footer: @@ -6432,7 +6674,8 @@ can be obtained from the partlabel directory. - At most, if none of the symlinks exist anymore the update will fail and the + At most, if none of the symlinks exist anymore the update will fail and + the hooks from the previous OS will run. The update procedure should @@ -6498,7 +6741,8 @@ `libgcc_s.so.1 must be installed for pthread_exit to work` - which panics the kernel and triggers a reboot loop indistinguishable + which panics the kernel and triggers a reboot loop + indistinguishable from a "device has been tampered with" state on regular builds @@ -6638,7 +6882,8 @@ deprecation. This allows to just remove the coffee file from the - device repository when a device is deprecated so there will be no + device repository when a device is deprecated so there will be + no more releases and no need for checks on a discontinued state. footer: @@ -6655,7 +6900,8 @@ deprecation. This allows to just remove the coffee file from the - device repository when a device is deprecated so there will be no + device repository when a device is deprecated so there will be + no more releases and no need for checks on a discontinued state. footer: @@ -6672,7 +6918,8 @@ deprecation. This allows to just remove the coffee file from the - device repository when a device is deprecated so there will be no + device repository when a device is deprecated so there will be + no more releases and no need for checks on a discontinued state. footer: 
@@ -6732,7 +6979,8 @@ systems with secure boot and full-disk encryption. - If kexec fails, we don't want to continue with the rest of the boot + If kexec fails, we don't want to continue with the rest of the + boot process in the first stage kernel, so bail out on failure. footer: @@ -6889,11 +7137,14 @@ It's not an official status from container inspects, and the Supervisor - doesn't set it internally anywhere. It's better to remove it entirely as the + doesn't set it internally anywhere. It's better to + remove it entirely as the - method by which Supervisor sets internal service statuses is by using a global + method by which Supervisor sets internal service + statuses is by using a global - event emitter (reportNewStatus) which makes things difficult to test. + event emitter (reportNewStatus) which makes things + difficult to test. footer: Change-type: patch change-type: patch @@ -7000,7 +7251,8 @@ Explain that balenaOS does not take control of the TPM and that it - is possible to fill all the key slots with enough provisioning cycles. + is possible to fill all the key slots with enough provisioning + cycles. footer: Change-type: patch change-type: patch @@ -7014,13 +7266,16 @@ We have seen devices that won't change PCR1 hash when a temporary boot - order override was applied or secure boot was disabled via BIOS setup. + order override was applied or secure boot was disabled via BIOS + setup. The implementation of what PCR1 actually measures is very - device-specific, but many of the risks can be mitigated by setting up + device-specific, but many of the risks can be mitigated by + setting up - a BIOS password and disabling F-key shortcuts for interacting with + a BIOS password and disabling F-key shortcuts for interacting + with the firmware. 
@@ -7112,32 +7367,41 @@ Both `kernel-modules-headers` and `kernel-devsrc` provide kernel headers - since Yocto Thud switched `kernel-devsrc` from full source to just + since Yocto Thud switched `kernel-devsrc` from full source to + just kernel headers. - The only difference between them is that `kernel-modules-headers` builds + The only difference between them is that + `kernel-modules-headers` builds - some target binaries which need to be built with `make modules_prepare` + some target binaries which need to be built with `make + modules_prepare` - when using `kernel-devsrc` headers. These binaries depend on libc version + when using `kernel-devsrc` headers. These binaries depend on + libc version matching though so they have shown to be problematic. - This commit removes the `kernel-modules-headers` recipe and modifies + This commit removes the `kernel-modules-headers` recipe and + modifies - `kernel-devsrc` to replace it. The deployed artifact remains named as + `kernel-devsrc` to replace it. The deployed artifact remains + named as `kernel-modules-headers` as it's a more descriptive name. - This introduces a breaking change in the balenaOS API as customers that + This introduces a breaking change in the balenaOS API as + customers that - are using `kernel-modules-headers` to build external kernel modules will + are using `kernel-modules-headers` to build external kernel + modules will - now need to issue a `make modules_prepare` as part of their build scripts. + now need to issue a `make modules_prepare` as part of their + build scripts. Fixes #1822 @@ -7231,9 +7495,11 @@ This variable accepts the base64 encoded public key of a kernel module - signing keypair and appends it to the list of trusted keys the kernel + signing keypair and appends it to the list of trusted keys the + kernel - will use to validate signed modules. Multiple keys may be appended, + will use to validate signed modules. Multiple keys may be + appended, delimited with a semicolon. 
@@ -7241,7 +7507,8 @@ A PEM file can be used like so: - SIGN_KMOD_KEY_APPEND="$( sed -e '/-----BEGIN CERTIFICATE-----/d' \ + SIGN_KMOD_KEY_APPEND="$( sed -e '/-----BEGIN CERTIFICATE-----/d' + \ -e 's/-----END CERTIFICATE-----/;/g' \ -e '$d' signing_key.pem \ | tr -d '\n' )" @@ -7288,22 +7555,30 @@ The previous implementation in #2170 of parsing the container status was too general, - because it relied on the mistaken assumption that a container would have a status of + because it relied on the mistaken assumption that a + container would have a status of - `Stopped` if it was manually stopped. This turned out to be untrue, as manually stopped + `Stopped` if it was manually stopped. This turned out to + be untrue, as manually stopped - containers were also getting restarted by the Supervisor due to their inspect status of + containers were also getting restarted by the Supervisor + due to their inspect status of - `exited`. With this, parsing the exit message became unavoidable as there are no other + `exited`. With this, parsing the exit message became + unavoidable as there are no other - clear ways to discern a container that has been manually stopped and shouldn't be started + clear ways to discern a container that has been manually + stopped and shouldn't be started - from a container experiencing the Engine-host race condition issue (again, see #2170). + from a container experiencing the Engine-host race + condition issue (again, see #2170). - Since we're just parsing the exit error message, we don't need to worry about different behaviors + Since we're just parsing the exit error message, we + don't need to worry about different behaviors - amongst restart policies, as any container with the error message on exit should be started. + amongst restart policies, as any container with the + error message on exit should be started. footer: Change-type: patch change-type: patch 
@@ -7336,7 +7611,8 @@ Previously, `concatReadSeekCloser.Read()` would incorrectly return - an `io.ErrUnexpectedEOF` if the last read from the second concatenated + an `io.ErrUnexpectedEOF` if the last read from the + second concatenated `Reader` didn't completely fill the passed buffer. 
@@ -7352,60 +7628,79 @@ ``` - In this example, we have a `concatReadSeekCloser` that concatenates two + In this example, we have a `concatReadSeekCloser` that + concatenates two - `Reader`s (`aaa...` and `bbb...`). The last `Read()` used a buffer + `Reader`s (`aaa...` and `bbb...`). The last `Read()` + used a buffer - larger than the yet-to-be-read portion of the `bbb...`. So, it would + larger than the yet-to-be-read portion of the `bbb...`. + So, it would incorrectly return an `io.ErrUnexpectedEOF`. - This commit makes sure that last `Read()` returns all the remaining data + This commit makes sure that last `Read()` returns all + the remaining data without an error. It also adds various test cases for - `concatReadSeekCloser.Read()`, many of which would fail before this + `concatReadSeekCloser.Read()`, many of which would fail + before this correction. - Interestingly, this bug was silently affecting us. Not in a fatal way, + Interestingly, this bug was silently affecting us. Not + in a fatal way, - but causing deltas to be larger than necessary. Indeed, running + but causing deltas to be larger than necessary. Indeed, + running - `TestDeltaSize` after this commit shows that some test cases are + `TestDeltaSize` after this commit shows that some test + cases are - producing deltas smaller than what we expected before. For posterity, + producing deltas smaller than what we expected before. + For posterity, see all the details below. - We use `concatReadSeekCloser`s to concatenate all layers of the basis + We use `concatReadSeekCloser`s to concatenate all layers + of the basis - image when creating the "signature" of the basis image. In this process, + image when creating the "signature" of the basis image. + In this process, - the `concatReadSeekCloser`s are wrapped around by a buffered reader with + the `concatReadSeekCloser`s are wrapped around by a + buffered reader with a buffer of 65kB. 
- If, in any read, part of this 65kB buffer was beyond the second + If, in any read, part of this 65kB buffer was beyond the + second - concatenated reader, it would result in an `io.ErrUnexpectedEOF`. This + concatenated reader, it would result in an + `io.ErrUnexpectedEOF`. This - would not cause the whole process to fail, but would prematurely end the + would not cause the whole process to fail, but would + prematurely end the - signature generation: some of the final blocks in the basis image would + signature generation: some of the final blocks in the + basis image would - not be added to the signature. Therefore, if those blocks appeared in + not be added to the signature. Therefore, if those + blocks appeared in - the target image, they'd result in (larger) LITERAL, instead of + the target image, they'd result in (larger) LITERAL, + instead of (smaller) COPY operations. - For illustration, here's the delta generated for the `delta-006-008` + For illustration, here's the delta generated for the + `delta-006-008` test case. First before this commit: @@ -7458,7 +7753,8 @@ ``` - That 21kB LITERAL is the difference in size we saw in the test results. + That 21kB LITERAL is the difference in size we saw in + the test results. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -7472,7 +7768,8 @@ Using `defer` for the sake of being more idiomatic (and maybe slightly - more reliable); plus, using the proper doc comment standards. + more reliable); plus, using the proper doc comment + standards. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros 
@@ -7661,16 +7958,21 @@ This is necessary since the builder no longer passes the platform flag - to the build. This would lead to dockerfiles that are mixing multi and single + to the build. This would lead to dockerfiles that are + mixing multi and single - arch stages to pull the wrong architecture images, particularly when + arch stages to pull the wrong architecture images, + particularly when - trying to build images in emulated builds (e.g. armv7hf built on aarch64). + trying to build images in emulated builds (e.g. armv7hf + built on aarch64). - Moving the full build to multi-arch solves this as the docker engine is + Moving the full build to multi-arch solves this as the + docker engine is - capable of chosing the right architecture from the manifest. + capable of chosing the right architecture from the + manifest. footer: Relatest-to: balena-io/balena-builder#1010 relatest-to: balena-io/balena-builder#1010 @@ -7844,7 +8146,8 @@ This should be the default but with no explicit argument we still - end up with LUKS1 partitions. This patch adds the parameter to enforce + end up with LUKS1 partitions. This patch adds the parameter to + enforce LUKS2 formatting and adds conversion to LUKS2 to the cryptsetup @@ -8233,12 +8536,14 @@ Comply with AWS public AMI quota, taking into account we have two - architectures that publish AMI images and we need free slots for custom + architectures that publish AMI images and we need free slots for + custom version request. - Make the oldest public image back to private before publishing a new image. + Make the oldest public image back to private before publishing a + new image. footer: Change-type: patch change-type: patch @@ -8256,7 +8561,8 @@ When building signed images, add the secureBoot feature flag into the - OS contract. This is needed for other components to identify secureBoot + OS contract. This is needed for other components to identify + secureBoot compatible software releases. footer: 
@@ -8290,13 +8596,16 @@ When parsing additional variables to be passed to the bitbake build, - keys and values are split using equals as a delimiter. However, the + keys and values are split using equals as a delimiter. However, + the - splitting process does not split only on the first occurrence, which + splitting process does not split only on the first occurrence, + which results in removing equals signs from the value as well. This is - problematic with base64 encoded strings, which are padded with equals + problematic with base64 encoded strings, which are padded with + equals signs. 
@@ -8360,38 +8669,52 @@ There exists a race condition between Engine and a host resource that may not - be immediately created. In this race condition, if a container's compose config + be immediately created. In this race condition, if a + container's compose config - depends on the existence of that host resource, such as a network interface, and the + depends on the existence of that host resource, such as + a network interface, and the - Engine tries to create & start the container before the host resource is created, the + Engine tries to create & start the container before the + host resource is created, the - Engine will not reattempt to start the container, regardless of the restart policy. + Engine will not reattempt to start the container, + regardless of the restart policy. - This is undesireable behavior but seems to be the behavior as implemented by Docker. + This is undesireable behavior but seems to be the + behavior as implemented by Docker. - To rectify this, the Supervisor state funnel noops for a grace period of 1 minute + To rectify this, the Supervisor state funnel noops for a + grace period of 1 minute - after starting a container to see that the container's status has become 'running`. + after starting a container to see that the container's + status has become 'running`. - If the container exits because of the race condition, the status becomes 'exited' and the + If the container exits because of the race condition, + the status becomes 'exited' and the - Supervisor will attempt to generate another start step. This noop-wait-start step loop + Supervisor will attempt to generate another start step. + This noop-wait-start step loop will repeat until the container is able to start. - If the container is never able to start, there was a problem in the host in the creation of the + If the container is never able to start, there was a + problem in the host in the creation of the - host resource, and that should be fixed at the host level. 
+ host resource, and that should be fixed at the host + level. - This commit does not handle the case of services with restart policies "no" or "on-failure" + This commit does not handle the case of services with + restart policies "no" or "on-failure" - which encounter this host race, as metadata from container inspects needs to be introduced + which encounter this host race, as metadata from + container inspects needs to be introduced - during step calculation in order to figure out whether services with those restart policies + during step calculation in order to figure out whether + services with those restart policies need to be started. This will be fixed in a future PR. footer: @@ -8414,7 +8737,8 @@ This patch extends secure boot documentation with more details about - how the feature works and tries to explain why some decisions were made. + how the feature works and tries to explain why some decisions + were made. footer: Change-type: patch change-type: patch @@ -8432,12 +8756,14 @@ When running in the initramfs, the resin-device-progress package is not - installed as we cannot guarantee that the initramfs would be able to + installed as we cannot guarantee that the initramfs would be + able to bring up all types of network interfaces. - This commit adds a check for the script to exists instead of getting a + This commit adds a check for the script to exists instead of + getting a `command not found` when an API endpoint is defined. footer: @@ -8457,10 +8783,12 @@ The purpose of testing the API calls is to detect breaking changes, not - to fail builds because of temporary network or API access problems. + to fail builds because of temporary network or API access + problems. - Printing a warning instead should be enough for developers to detect + Printing a warning instead should be enough for developers to + detect breaking changes. footer: 
@@ -8580,11 +8908,14 @@ Support for colon characters was added v14.6.0 which enabled - configurations for HDMI port 2 (e.g on the RPi 4). These configurations + configurations for HDMI port 2 (e.g on the RPi 4). These + configurations - are not documented anywhere else so this allows users to be able to + are not documented anywhere else so this allows users to + be able to - better find the relevant information for working with HDMI. + better find the relevant information for working with + HDMI. footer: Change-type: patch change-type: patch @@ -8661,9 +8992,11 @@ the setup mode flag after a new PK is installed. In this case - flasher will reboot in order to ensure the keys are actually saved + flasher will reboot in order to ensure the keys are actually + saved - and the device comes back with secure boot enabled. Since we changed + and the device comes back with secure boot enabled. Since we + changed flasher to be unsigned by default, this reboot causes a security @@ -8672,7 +9005,8 @@ With this patch flasher will add a new boot entry before issuing - the reboot so that signed flasher comes up and the installation process + the reboot so that signed flasher comes up and the installation + process can continue. footer: @@ -8689,14 +9023,17 @@ Currently the db.auth file is signed as "append" in order to make HUP work. - Most UEFI firmwares will accept such file even for "replace", which we do + Most UEFI firmwares will accept such file even for "replace", + which we do - during the initial provisioning, however we have seen devices that will + during the initial provisioning, however we have seen devices + that will only allow appending, which makes flasher fail. - With this patch flasher will use the esl file for initial programming + With this patch flasher will use the esl file for initial + programming of the db variable. 
@@ -8794,11 +9131,14 @@ for about 17 minutes (for details see commit - 582487f832c59c2f734a780ab0492833f29002c9). This worked fine in most + 582487f832c59c2f734a780ab0492833f29002c9). This worked + fine in most - situations, but we have seen at least one case of a particularly + situations, but we have seen at least one case of a + particularly - unreliable network connection that would not be able to finish a large + unreliable network connection that would not be able to + finish a large pull when operating under this policy. @@ -8806,17 +9146,20 @@ This commit: - * Completely removes timeouts from image pulls. We'll keep retrying + * Completely removes timeouts from image pulls. We'll + keep retrying forever, or until users cancel the pull. (From the perspective of the REST API, "canceling" mean closing the HTTP connection. This is what happens when a user Ctrl+C during a pull in the CLI, or, say, we kill a curl process that was using the REST API to pull image.) - * Still uses exponential back-off, but we now limit the interval between + * Still uses exponential back-off, but we now limit the + interval between retries to 5 minutes. The rationale is that some very unreliable networks may be up only for relatively small time windows. Therefore, using intervals that are too long would increase the risk of missing these windows. - * Tries to avoid flooding the log stream with messages about retries. + * Tries to avoid flooding the log stream with messages + about retries. We'll log every retry attempt up to the 10th. After that, we'll log retries only once about every 2h. This retry count is reset every time we successfully download any amount of data. 
@@ -8931,11 +9274,14 @@ the flasher image to force an installer migration. - With the current QEMU setting, `installerForceMigration` alone is not + With the current QEMU setting, `installerForceMigration` + alone is not - enough and the QEMU_INTERNAL_STORAGE also needs to be set to false in + enough and the QEMU_INTERNAL_STORAGE also needs to be + set to false in - the worker's environment so only a single external disk is attached to + the worker's environment so only a single external disk + is attached to the emulator. footer: @@ -9020,7 +9366,8 @@ Whether the internal disk is attached or not will be defined by the - environment. This allows to test the migrator that requires booting only + environment. This allows to test the migrator that + requires booting only the external disk. footer: @@ -9046,7 +9393,8 @@ Removing the pull_request_target run for ESR branches fixes this, but - also removes the possibility of external pull requests into ESR branches, + also removes the possibility of external pull requests into ESR + branches, which we don't actually need. 
@@ -9088,25 +9436,33 @@ After a recent change enforcing all the partitions to be on the same - block device, encrypted partitions are no longer being detected + block device, encrypted partitions are no longer being + detected - correctly. This is because the assumption that the parent block device + correctly. This is because the assumption that the + parent block device - is a substring of the actually mounted block device does not work + is a substring of the actually mounted block device does + not work - for LUKS devices - the mount will either be /dev/mapper/luks-XXX + for LUKS devices - the mount will either be + /dev/mapper/luks-XXX - or /dev/dm-X while the parent device is still e.g. /dev/sda. + or /dev/dm-X while the parent device is still e.g. + /dev/sda. - The usual balenaOS boot partition is also split in two - boot and efi. + The usual balenaOS boot partition is also split in two - + boot and efi. - The boot partition (mounted under /mnt/boot) is encrypted and the efi + The boot partition (mounted under /mnt/boot) is + encrypted and the efi partition (mounted under /mnt/efi) is not. - This patch generalizes the detection of the parent device so that + This patch generalizes the detection of the parent + device so that it works with both encrypted and unencrypted partitions. footer: @@ -9126,14 +9482,17 @@ The docker compose V2 spec no longer accepts `network_mode: bridge`, - which means we can no longer override the network configuration of + which means we can no longer override the network + configuration of the `balena-supervisor` service for tests. - For this reason we now create a separate service to run the built + For this reason we now create a separate service to run + the built - supervisor `balena-supervisor-sut` and run API tests against this + supervisor `balena-supervisor-sut` and run API tests + against this service instead of the default `balena-supervisor`. footer: 
@@ -9154,7 +9513,8 @@ Both the migrator and secureboot tests assumed they were creating an - installer config.json section. Modify the code so both settings are + installer config.json section. Modify the code so both settings + are included. footer: @@ -9196,13 +9556,17 @@ This patch adds a wait4file loop to the script that waits - for the /dev/disk/by-state directory. This is not tied to any particular + for the /dev/disk/by-state directory. This is not tied to any + particular - partition or device but since the directory does not exist by default + partition or device but since the directory does not exist by + default - and is only created by a custom balenaOS udev rule, its existence + and is only created by a custom balenaOS udev rule, its + existence - implies that the rule fired and a device with balenaOS partitions + implies that the rule fired and a device with balenaOS + partitions is present in the system. footer: @@ -9244,14 +9608,17 @@ A bug in service comparison would make it that a device already running - a service from a new release with network changes would never stop the + a service from a new release with network changes would + never stop the - running service so remaining services would forever get stuck in + running service so remaining services would forever get + stuck in `Downloaded` state. - This fixes the comparison so the service will get killed in this case, + This fixes the comparison so the service will get killed + in this case, particularly allowing devices to recover from #1576 footer: 
@@ -9265,11 +9632,14 @@ Devices affected by the bug described in 1576, are also stuck with some - services in the `Downloaded` state, because the state engine does not + services in the `Downloaded` state, because the state + engine does not - detect that the running services should be killed on a network change + detect that the running services should be killed on a + network change - even if they belong to a new release. This is a bug, which can be + even if they belong to a new release. This is a bug, + which can be replicated by the tests in this commit footer: @@ -9283,9 +9653,11 @@ Previous behavior would make it that an `updateMetadata` step would take - precedence over a `kill` step when network changes are present. This + precedence over a `kill` step when network changes are + present. This - would lead to an inconsistent state if an update included a + would lead to an inconsistent state if an update + included a network and a container change. footer: @@ -9309,10 +9681,12 @@ These tests use the supervisor API to check that applying a target state - allows the device to eventually get to the desired target configuration. + allows the device to eventually get to the desired + target configuration. - This are high-level tests that work with real images and containers + This are high-level tests that work with real images and + containers using dind. footer: @@ -9326,11 +9700,14 @@ The supervisor allows the target image to be an image without a - registry (e.g. `alpine:latest`), while this really only happens while in + registry (e.g. `alpine:latest`), while this really only + happens while in - local mode, we don't want to pass credentials to the default registry as + local mode, we don't want to pass credentials to the + default registry as - those credentials are meant for balena registry and will otherwise fail. + those credentials are meant for balena registry and will + otherwise fail. footer: Change-type: patch change-type: patch 
@@ -9349,7 +9726,8 @@ A safe copy would only work for files that are read by fatrw also and that is - not the case for boot files. Still, some file like `config.json` would + not the case for boot files. Still, some file like `config.json` + would benefit from a safe copy so we still try that first. @@ -9368,14 +9746,17 @@ If a safe copy is preferred but non-critical, the unsafe fatrw command - can be used and if fatrw does not have enough resources to make a safe + can be used and if fatrw does not have enough resources to make + a safe copy it will fallback to a standard cp. - This is useful when performing hostOS updates for example where a safe + This is useful when performing hostOS updates for example where + a safe - copy would only work for files that are read by fatrw also and that is + copy would only work for files that are read by fatrw also and + that is not the case for boot files for example. footer: @@ -9454,7 +9835,8 @@ https://github.com/moby/libnetwork/pull/1805 - This patch is meant to avoid cases in which libnetwork internal state + This patch is meant to avoid cases in which libnetwork + internal state gets inconsistent in case of crashes. footer: @@ -9545,7 +9927,8 @@ Target volatile doesn't make sense now that we can use the - current state as a target. It wasn't actually being used for anything + current state as a target. It wasn't actually being used + for anything anymore apparently footer: @@ -9562,7 +9945,8 @@ from the rest of the code. - The function `applyIntermediateTarget` will now call `pausingApply` + The function `applyIntermediateTarget` will now call + `pausingApply` before applying the target 
@@ -9582,12 +9966,14 @@ engine. - - doPurge first removes the user app from the target state and passes + - doPurge first removes the user app from the target + state and passes that to the state engine for purging. Since intermediate state doesn't remove images, this will have the effect of basically re-installing the app. - - doRestart modifies the target state by first removing only the + - doRestart modifies the target state by first removing + only the services from the current state but keeping volumes and networks. This has the same effect as before where services were stopped one by one footer: @@ -9601,7 +9987,8 @@ Local mode uses a numeric `appUuid` which was messing up parsing the - network name. This fixes this issue so the current state can be used + network name. This fixes this issue so the current state + can be used as a target state footer: @@ -9615,12 +10002,15 @@ The Service class in `compose/service.ts` cannot get the image name - from the image id when building the object from the container metadata. + from the image id when building the object from the + container metadata. - We query the metadata in the application manager getCurrentApps method + We query the metadata in the application manager + getCurrentApps method - so the current state can be used as target by API methods + so the current state can be used as target by API + methods footer: Change-type: patch change-type: patch @@ -9632,7 +10022,8 @@ Network aliases are now compared checking that the target state is a - subset of the current state. This will prevent service restarts due to + subset of the current state. This will prevent service + restarts due to additional aliases created by docker in the container. footer: 
@@ -9648,12 +10039,15 @@ When getting the service from the docker container, remove the - containerId from the list of aliases (which gets added by docker). This + containerId from the list of aliases (which gets added + by docker). This - will make it easier to use the current service state as a target. + will make it easier to use the current service state as + a target. - This will help us remove the `safeStateClone` function in the API in a + This will help us remove the `safeStateClone` function + in the API in a future commit footer: @@ -9667,7 +10061,8 @@ This replaces the previous flag `isApplyingIntermediate` on application - manager and simplifies the interface of the state engine to make temporary changes to the + manager and simplifies the interface of the state engine + to make temporary changes to the general app state. footer: @@ -9681,21 +10076,26 @@ There were multiple places in the state engine that skipped some - operations while in local mode. In reality, all it's needed while in + operations while in local mode. In reality, all it's + needed while in local mode is to skip image and volume deletion. - This commit simplifies application-manager and compose app to be more + This commit simplifies application-manager and compose + app to be more - local mode agnostic and instead making the image deletion and volume + local mode agnostic and instead making the image + deletion and volume deletion configurable via function arguments. - This also has the benefit to make the treatment of local mode + This also has the benefit to make the treatment of local + mode - applications more similar to cloud mode applications, allowing for + applications more similar to cloud mode applications, + allowing for API endpoints to function the same way both modes. footer: 
@@ -9738,11 +10138,14 @@ The OS since v2.82.6 will monitor changes to config.json and restart - the relevant services to apply the changes. There is no need to trigger + the relevant services to apply the changes. There is no + need to trigger - restart of the services via the supervisor. Users on older OS versions + restart of the services via the supervisor. Users on + older OS versions - will need to update their OS or restart the services manually as OS + will need to update their OS or restart the services + manually as OS loses support after 2y. footer: @@ -9762,7 +10165,8 @@ We don't need this anonymous volume as /data is bind mounted into - the container from host (legacy), and will soon be mounted by the + the container from host (legacy), and will soon be + mounted by the Supervisor itself on startup. footer: @@ -9805,7 +10209,8 @@ In order to use hashes we can not use UEFI time-based authentication - for updates as this would prevent rollbacks. Instead we ship appendable + for updates as this would prevent rollbacks. Instead we ship + appendable updates for both db and dbx that HUP can use. footer: 
@@ -9821,18 +10226,23 @@ This patch changes the validation of bootable images from certificate - signatures to a list of allowed hashes of binaries. This only applies + signatures to a list of allowed hashes of binaries. This only + applies on db level, PK and KEK are still certificates. - The motivation is that certificates expire and we need to be sure + The motivation is that certificates expire and we need to be + sure - that even devices that have been lying on a shelf for several years + that even devices that have been lying on a shelf for several + years - or whose CMOS battery has died and reset date to 1970-01-01 are still + or whose CMOS battery has died and reset date to 1970-01-01 are + still - bootable. Using hashes is more aligned with this use-case and also + bootable. Using hashes is more aligned with this use-case and + also more similar to the approach that embedded SoCs use. footer: @@ -9852,18 +10262,22 @@ Shipping a single image with signature checks enabled will enforce - the signatures on non-secure-boot systems as well. GRUB does not have + the signatures on non-secure-boot systems as well. GRUB does not + have - a simple method to check whether secure boot is enabled that could + a simple method to check whether secure boot is enabled that + could be embedded with the default built-in config. With this patch we build two separate images - one enforcing - the signatures and the other one not, keeping the original behavior. + the signatures and the other one not, keeping the original + behavior. - HUP and flasher both can detect if secure boot is enabled so they + HUP and flasher both can detect if secure boot is enabled so + they put the correct image in place when installing/updating GRUB. footer: 
@@ -9897,9 +10311,11 @@ The installer is to copy configuration files into the boot partition on - the installer disk - searching by label needs to be restriced to the + the installer disk - searching by label needs to be restriced to + the - booting disk to avoid clashes if there are other disks with matching + booting disk to avoid clashes if there are other disks with + matching labels present. footer: @@ -9925,7 +10341,8 @@ Search for the installation disk on the same device the system is being - installed on. This avoids problems when there are more than one disk + installed on. This avoids problems when there are more than one + disk with balena/resin labelling. footer: @@ -9941,7 +10358,8 @@ The internal target device to program is not always the device the system - is booting from. Make sure the `flash-boot` partition search is done + is booting from. Make sure the `flash-boot` partition search is + done on the booting device. footer: @@ -9989,14 +10407,18 @@ rejections](https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V15.md#throw-on-unhandled-rejections---33021) from a warning to a throw. - For this reason errors like a corrupt migration directory, that happens when trying to + For this reason errors like a corrupt migration + directory, that happens when trying to - roll back to a previous supervisor version were no longer showing a + roll back to a previous supervisor version were no + longer showing a - message but dumping the full minimized code into the journal logs. + message but dumping the full minimized code into the + journal logs. - This PR adds a catchall on app.ts to log the exception and throw an exit + This PR adds a catchall on app.ts to log the exception + and throw an exit code of 1. footer: @@ -10014,9 +10436,11 @@ 
From: https://github.com/balena-os/balena-supervisor/pull/2153/commits/c0b4fafe842115933b1da9b4d68e601a19c3e4eb - Restart-service checks that both services have restarted in its test assertion, which is + Restart-service checks that both services have restarted + in its test assertion, which is - incorrect as restart-service should only restart one service. + incorrect as restart-service should only restart one + service. footer: Change-type: patch change-type: patch 
@@ -10174,24 +10598,32 @@ As the Supervisor is a privileged container, it has access to host /dev, and therefore has access - to boot, data, and state balenaOS partitions. This commit sets up the framework for the following: + to boot, data, and state balenaOS partitions. This + commit sets up the framework for the following: - - Finds the /dev partition that corresponds to each partition based on partition label + - Finds the /dev partition that corresponds to each + partition based on partition label - - Mounts the partitions into set mountpoints in the device + - Mounts the partitions into set mountpoints in the + device - - Removes reliance on env vars and mountpoints provided by host's start-balena-supervisor script + - Removes reliance on env vars and mountpoints provided + by host's start-balena-supervisor script - - Simplifies host path querying by centralizing these queries through methods in lib/host-utils.ts + - Simplifies host path querying by centralizing these + queries through methods in lib/host-utils.ts - This particular changes env vars for and mounts the boot partition. + This particular changes env vars for and mounts the boot + partition. - Since the Supervisor would no longer rely on container `run` arguments provided by a host script, + Since the Supervisor would no longer rely on container + `run` arguments provided by a host script, - this change moves Supervisor closer to being able to start itself (Supervisor-as-an-app). + this change moves Supervisor closer to being able to + start itself (Supervisor-as-an-app). footer: Change-type: minor change-type: minor 
@@ -10222,11 +10654,14 @@ Notable improvements these new versions bring: - * Optimized code path for generating deltas with blocks that are + * Optimized code path for generating deltas with blocks + that are power-of-two-sized. - * Avoid allocating unbounded amounts of memory when the target differs + * Avoid allocating unbounded amounts of memory when the + target differs completely from the source. - * Several bugfixes in edge cases that shall not affect balenaEngine. + * Several bugfixes in edge cases that shall not affect + balenaEngine. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -10311,14 +10746,17 @@ --tpmstate argument - If the same state directory/files are used for multiple installations, + If the same state directory/files are used for multiple + installations, - the available space can be filled, and the installer will fail with the + the available space can be filled, and the installer + will fail with the error "insufficient space for NV allocation". - Move swtpm state to tmpfs to create new state files every run. + Move swtpm state to tmpfs to create new state files + every run. footer: Change-type: patch change-type: patch @@ -10415,12 +10853,14 @@ Setting `LimitCORE=0` will avoid the creation of core dump files on - containers. This will avoid cases in which a crashlooping user app ends + containers. This will avoid cases in which a crashlooping user + app ends up filling up the entire storage with dump files. - Users can re-enable core dumps in their services by manually setting the + Users can re-enable core dumps in their services by manually + setting the `ulimits.core`. For example: @@ -10456,7 +10896,8 @@ https://github.com/moby/moby/commit/d16737f971092767c1b9d28302a3f5aedbe2f576 - And also is recommended by systemd: https://systemd.io/CGROUP_DELEGATION/ + And also is recommended by systemd: + https://systemd.io/CGROUP_DELEGATION/ footer: 
Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -10494,16 +10935,20 @@ The original delta code on the `xfer` package used to set `d.err` when - an unexpected EOF was found in the delta tar stream. Turns out `d.err` + an unexpected EOF was found in the delta tar stream. + Turns out `d.err` - would end up being overwritten before it was read, so that initial + would end up being overwritten before it was read, so + that initial assignment was effectively a no-op. - This commit simplifies the code a little bit by removing this bogus + This commit simplifies the code a little bit by removing + this bogus - assignment and also improves the error reporting a notch by adding more + assignment and also improves the error reporting a notch + by adding more context to the error messages. footer: @@ -10519,7 +10964,8 @@ This factors out portions of the `xfer` package, so that we can - reuse this functionality between `balena pull` and `balena load`. There + reuse this functionality between `balena pull` and + `balena load`. There was a good deal of duplication. footer: 
@@ -10535,31 +10981,39 @@ This factors out portions of the `distribution` package, so that we can - reuse this functionality between `balena pull` and `balena load`. There + reuse this functionality between `balena pull` and + `balena load`. There was a good deal of duplication. - This piece of code is tricky to factor out into a separate function. + This piece of code is tricky to factor out into a + separate function. Basically we had two options: - 1. Create a completely reusable, DRY function that encapsulates all the + 1. Create a completely reusable, DRY function that + encapsulates all the duplicate code. Sounds nice until you noticed that would be a horrendous function with 5 return values and overly obscure semantics. - 2. We create a small set of functions with clearer interfaces and + 2. We create a small set of functions with clearer + interfaces and semantics, but which will still lead to some code duplication between the `pull` and `load` implementations. - I opted for the second alternative because the resulting code is much + I opted for the second alternative because the resulting + code is much - easier to understand and maintain. Also, the remaining duplication is + easier to understand and maintain. Also, the remaining + duplication is - mostly dumb, integration and error handling code that almost writes + mostly dumb, integration and error handling code that + almost writes - itself as we call the new reusable functions -- so, this is sort of a + itself as we call the new reusable functions -- so, this + is sort of a benign duplication. footer: @@ -10593,7 +11047,8 @@ 00e389e5f559dd10e49cfa411784b89498c3c0eb. - Images generated using this dockerfile still don't have the right + Images generated using this dockerfile still don't have + the right architecture. More testing is needed footer: 
@@ -10702,16 +11157,21 @@ This is necessary since the builder no longer passes the platform flag - to the build. This would lead to dockerfiles that are mixing multi and single + to the build. This would lead to dockerfiles that are + mixing multi and single - arch stages to pull the wrong architecture images, particularly when + arch stages to pull the wrong architecture images, + particularly when - trying to build images in emulated builds (e.g. armv7hf built on aarch64). + trying to build images in emulated builds (e.g. armv7hf + built on aarch64). - Moving the full build to multi-arch solves this as the docker engine is + Moving the full build to multi-arch solves this as the + docker engine is - capable of chosing the right architecture from the manifest. + capable of chosing the right architecture from the + manifest. footer: Relatest-to: balena-io/balena-builder#1010 relatest-to: balena-io/balena-builder#1010 @@ -10758,7 +11218,8 @@ There were various usages of Bash-specific features. As a result, the - script would work correctly only on OSes that have `sh` as an alias to + script would work correctly only on OSes that have `sh` + as an alias to `bash`. It would fail on Ubuntu, for example. footer: @@ -10774,9 +11235,11 @@ A couple of changes here: - * Check for sudo necessity and availability before doing any real work. + * Check for sudo necessity and availability before doing + any real work. Better to warn and exit quick and early! - * Remove the support for using `su`. It was broken for two reasons. + * Remove the support for using `su`. It was broken for + two reasons. First, unlike `sudo`, `su -c` expects the command as a single argument. Second, `su`, unlike `sudo`, reads the password from stdin which in this case "contains" the tarball being downloaded. The second 
@@ -10797,9 +11260,11 @@ A couple of changes here: - * Check for missing dependencies before doing any real work. Better to + * Check for missing dependencies before doing any real + work. Better to warn and exit quick and early! - * Fix the actual check. We previously used `[ $abort ] && exit 1` which + * Fix the actual check. We previously used `[ $abort ] + && exit 1` which caused the script to always exit (`abort` is never empty). footer: Signed-off-by: Leandro Motta Barros @@ -10890,7 +11355,8 @@ Added an `Asserting` suffix to all functions that internally call - `assert.*()`. This makes clearer what is really going on at the point of + `assert.*()`. This makes clearer what is really going on + at the point of call, without needing to look under the hood. footer: @@ -10916,7 +11382,8 @@ Most notably, on the "delta root" feature, which is important for HUPs, - not very well-known and not documented anywhere else I know. + not very well-known and not documented anywhere else I + know. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -10944,7 +11411,8 @@ We apparently have broken this during the 20.10 merge. Not setting the - delta image store breaks delta-based balenaOS updates (HUPs). + delta image store breaks delta-based balenaOS updates + (HUPs). footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -11017,9 +11485,11 @@ https://github.com/containerd/console/pull/10/commits/c358734ec94e72903243bd1c9034874a1de09424 - This fix is present in balena engine since v17.13.5, which has been in + This fix is present in balena engine since v17.13.5, which has + been in - use since commit 53ce147. Drop this patch from meta-balena-dunfell and + use since commit 53ce147. Drop this patch from + meta-balena-dunfell and later. footer: 
@@ -11035,9 +11505,11 @@ Plymouth services are modified in the installation directory with balena - specific customizations using patches. This increases the manual intervention necessary + specific customizations using patches. This increases the manual + intervention necessary - when adding support for a new version of this package or Yocto. Replace + when adding support for a new version of this package or Yocto. + Replace the patches with equivalent drop-in configs. footer: @@ -11053,9 +11525,11 @@ We disable systemd-getty-generator to allow explicit control over when - we setup getty to create consoles. Previously, this was done using a + we setup getty to create consoles. Previously, this was done + using a - patch to systemd, removing this generator. Mask this instead so we can + patch to systemd, removing this generator. Mask this instead so + we can consolidate this configuration in meta-balena-common. footer: @@ -11071,11 +11545,14 @@ Certain services, such as getty@.service, and systemd-logind.service are - disabled when running in a container using a patch to the source files. + disabled when running in a container using a patch to the source + files. - This increases the manual intervention necessary when adding support for + This increases the manual intervention necessary when adding + support for - a new version of systemd. Replace the patch with drop-in configs. + a new version of systemd. Replace the patch with drop-in + configs. footer: Change-type: patch change-type: patch 
@@ -11148,21 +11625,27 @@ Some incoming tests require QEMU to exit, simulating a device powering - off, before starting QEMU again. This is used to "reflash" a virtualized + off, before starting QEMU again. This is used to + "reflash" a virtualized - device before continuing with testing, for instance after tampering with + device before continuing with testing, for instance + after tampering with - boot files on a secure boot enabled device to verify secure boot checks. + boot files on a secure boot enabled device to verify + secure boot checks. - However, swtpm will exit when QEMU disconnects. The `--exit-code-from` + However, swtpm will exit when QEMU disconnects. The + `--exit-code-from` - compose argument implies `--abort-on-container-exit`, so this results + compose argument implies `--abort-on-container-exit`, so + this results in the test run aborting prematurely. - Adapt the entrypoint and command of the swtpm container to always + Adapt the entrypoint and command of the swtpm container + to always restart the program without exiting the container. footer: @@ -11230,9 +11713,11 @@ Disable ad-hoc unwrapping in the HUP test suite in favor of utilizing - the QEMU worker's new ability to bind a disk image to an emulated + the QEMU worker's new ability to bind a disk image to an + emulated - external USB mass storage device. This runs the flasher in QEMU, and + external USB mass storage device. This runs the flasher in QEMU, + and installs to emulated internal storage. footer: 
@@ -11266,11 +11751,14 @@ It should be safe to assume that boards now use newer u-boot versions - that all have Kconfig support so we default to that. This allows for + that all have Kconfig support so we default to that. This allows + for - device repos not to specify it and use Kconfig support or if for some + device repos not to specify it and use Kconfig support or if for + some - reason there are boards with old u-boot versions they can overwrite the + reason there are boards with old u-boot versions they can + overwrite the UBOOT_KCONFIG_SUPPORT variable to 0. footer: @@ -11321,7 +11809,8 @@ be overwritten in append files. - This change is an extension of https://github.com/balena-os/meta-balena/commit/a3c276a1058d05e66991871bf167079fc2824843 + This change is an extension of + https://github.com/balena-os/meta-balena/commit/a3c276a1058d05e66991871bf167079fc2824843 footer: Change-type: patch change-type: patch @@ -11340,11 +11829,14 @@ Because we use this patch with various u-boot versions it often happens that this patch - does not apply so we then need to rework it in the device integration layer. Instead it + does not apply so we then need to rework it in the device + integration layer. Instead it - would be better to have some code at configure time parsing the same file and inserting + would be better to have some code at configure time parsing the + same file and inserting - the balena env dynamically, so regardless of u-boot versions we use. + the balena env dynamically, so regardless of u-boot versions we + use. footer: Change-type: patch change-type: patch 
@@ -11483,9 +11975,11 @@ The unsafe-perm config option has been dropped in npm 9, trying to set it - ends with an error and therefore fails the build. With this patch + ends with an error and therefore fails the build. With this + patch - the build script parses the major version from `npm --version` and only + the build script parses the major version from `npm --version` + and only sets unsafe-perm on npm 8 and older. footer: @@ -11580,7 +12074,8 @@ characters with a `*`. - [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet + [1] + https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet [skip ci] @@ -11627,9 +12122,11 @@ There is nothing in `balena-config-vars` itself that needs `fatrw`, so - change it so scripts don't exit if it is not available. For example, + change it so scripts don't exit if it is not available. For + example, - `balena-config-vars` gets used in the initramfs but `fatrw` is not + `balena-config-vars` gets used in the initramfs but `fatrw` is + not required (and it is quite heavy). footer: @@ -11647,7 +12144,8 @@ balena-config scripts and not unit configuration dependencies. - This allows to include only the balena-config scripts in the initramfs. + This allows to include only the balena-config scripts in the + initramfs. footer: Change-type: patch change-type: patch @@ -11664,7 +12162,8 @@ the images size significantly. - This commit introduces a `raid` machine feature that device types need + This commit introduces a `raid` machine feature that device + types need to define if RAID support is required. footer: @@ -11682,7 +12181,8 @@ will also be used from the initramfs, move the dependency to - packagegroup-resin so that resin-device-progress is still included in + packagegroup-resin so that resin-device-progress is still + included in the flasher image. footer: 
@@ -11702,9 +12202,11 @@ flasher is not running from initramfs. - These dependencies are already part of the corresponding packagegroups, + These dependencies are already part of the corresponding + packagegroups, - so listing them here is redundant and wrong as it increases the size of + so listing them here is redundant and wrong as it increases the + size of the initramfs with no reason. footer: @@ -11755,7 +12257,8 @@ it is only used in the installer script. - Also, make the resin-init-flasher script check for it's existance before using + Also, make the resin-init-flasher script check for it's + existance before using it. footer: @@ -11774,7 +12277,8 @@ in disk encryption). - Adding a loop that waits for the links to be available adds robustness + Adding a loop that waits for the links to be available adds + robustness in case there are device specific delays. footer: @@ -11849,7 +12353,8 @@ - The Radxa CM3 on RPI CM4 IOBoard as well as the Radxa zero use rockchip software tools in order to put the eMMC in mass-storage mode - - The CM4 module comes in two flavors: one with eMMC and the Lite version + - The CM4 module comes in two flavors: one with eMMC and the + Lite version which uses the carrier board sd-card slot to load the image. Both use the same balenaOS image. I switched the storage to internal for this DT because it *may* have 
@@ -11887,16 +12392,19 @@ saving the entire uboot environment in any device specific - partitions. This because it relies on the default environment being + partitions. This because it relies on the default environment + being stored in the u-boot binary. Let's disable the saveenv command and avoid potential incorrect - usage which may overwrite the partition table, resin-boot filesystem + usage which may overwrite the partition table, resin-boot + filesystem - or other areas of the eMMC that may be pre-configured by the BSP. + or other areas of the eMMC that may be pre-configured by the + BSP. footer: Change-type: patch change-type: patch @@ -11971,9 +12479,11 @@ Block device nodes are sometimes created without attached media. These - devices can neither be read from, nor written to. In this case, the + devices can neither be read from, nor written to. In this case, + the - flasher will attempt to install to the invalid disk and fail. Detect + flasher will attempt to install to the invalid disk and + fail. Detect this case and skip the disk to allow flashing to continue. footer: @@ -12044,7 +12554,8 @@ Secure boot is now opt-in, even in the case where the image is signed, - and it's supported in firmware. Skip the secure boot tests when it's not + and it's supported in firmware. Skip the secure boot tests when + it's not enabled at runtime. footer: @@ -12103,7 +12614,8 @@ exceptions, and makes debugging and log messages worse. - When we don't have a valid way to handle an exception, just throw it. + When we don't have a valid way to handle an exception, + just throw it. The traceback is more useful than the handler. footer: @@ -12279,7 +12791,8 @@ body: > This is used to support falling back into the original OS when - performing a brownfield migration into balenaOS from a flasher image. + performing a brownfield migration into balenaOS from a flasher + image. footer: Change-type: patch change-type: patch 
@@ -12347,7 +12860,8 @@ It's not clear how the feature to skip tests work, so modify the commit - message to be of type patch to avoid balenaCI errors on type none. + message to be of type patch to avoid balenaCI errors on type + none. footer: Change-type: patch change-type: patch @@ -12435,25 +12949,32 @@ We have seen a few times devices with duplicated network names for some - reason. While we don't know the cause the networks get duplicates, this + reason. While we don't know the cause the networks get + duplicates, this - can be disruptive for updates as trying to create a container referencing a duplicate + can be disruptive for updates as trying to create a + container referencing a duplicate network results in a 400 error from the engine. - This commit finds and removes duplicate networks via the state engine, + This commit finds and removes duplicate networks via the + state engine, - this means that even if somehow a container could be referencing a + this means that even if somehow a container could be + referencing a - network that has been duplicated later somehow, this will remove the + network that has been duplicated later somehow, this + will remove the container first. - While thies doesn't solve the problem of duplicate networks being + While thies doesn't solve the problem of duplicate + networks being - created in the first place, it will fix the state of the system to + created in the first place, it will fix the state of the + system to correct the inconsistency. footer: 
@@ -12469,29 +12990,38 @@ We have seen a few times devices with duplicated network names for some - reason. While we don't know the cause the networks get duplicates, + reason. While we don't know the cause the networks get + duplicates, - this is disruptive of updates, as the supervisor usually queries + this is disruptive of updates, as the supervisor usually + queries - resource by name, resulting in a 400 error from the engine because of + resource by name, resulting in a 400 error from the + engine because of the ambiguity. - This replaces those queries by name to queries by id. This includes + This replaces those queries by name to queries by id. + This includes - network removal. If a `removeNetwork` step is generated, the supervisor + network removal. If a `removeNetwork` step is generated, + the supervisor - opts to remove all instances of the network with the same name as it + opts to remove all instances of the network with the + same name as it cannot easily resolve the ambiguity. - This doesn't solve the problem of ambiguous networks, because even if + This doesn't solve the problem of ambiguous networks, + because even if - networks are referenced by id when creating a container, the engine will + networks are referenced by id when creating a container, + the engine will - throw an error (see https://github.com/balena-os/balena-supervisor/issues/590#issuecomment-1423557871) + throw an error (see + https://github.com/balena-os/balena-supervisor/issues/590#issuecomment-1423557871) footer: Change-type: patch change-type: patch @@ -12686,12 +13216,14 @@ - references in docs - - references device-state, api-binder, compose modules, API + - references device-state, api-binder, compose modules, + API - references in tests - The commit also adds a migration to remove the 4 dependent device tables from the DB. + The commit also adds a migration to remove the 4 + dependent device tables from the DB. footer: Change-type: minor change-type: minor 
@@ -12762,7 +13294,8 @@ body: > Drop support for Fedora 34 35. - Fedora 36 will be the last version for armv7 as it is no longer supported. + Fedora 36 will be the last version for armv7 as it is no longer + supported. footer: Change-type: patch change-type: patch @@ -12804,9 +13337,11 @@ executed. When sourced, the shebang should be ignored. - However, we have seen instances where a bash script sourcing a sh + However, we have seen instances where a bash script sourcing a + sh - os-helper scripts triggers POSIX behaviour, specifically glob parsing + os-helper scripts triggers POSIX behaviour, specifically glob + parsing failures. footer: @@ -13411,7 +13946,8 @@ specific flags being misapplied, breaking the build - Set ARCH based on the target architecture, and override OBJCOPY to the + Set ARCH based on the target architecture, and override OBJCOPY + to the binary provided by the target architecture's toolchain. footer: 
@@ -13478,27 +14014,35 @@ When a user runs the flasher with secure boot enabled in `config.json`, - the public keys used to validate the bootloader are enrolled. If any + the public keys used to validate the bootloader are enrolled. If + any - other bootloader signature fails to validate against this public key, it + other bootloader signature fails to validate against this public + key, it won't be executed. - If the user attempts to run the balenaOS flasher on that system again + If the user attempts to run the balenaOS flasher on that system + again - without first enabling the secure boot option, the flasher won't enroll + without first enabling the secure boot option, the flasher won't + enroll - keys, but the installed system will be signed. This will result in a + keys, but the installed system will be signed. This will result + in a secure boot enabled system without full-disk encryption. - Bail out in this case so the user must choose to explicitly opt-in to + Bail out in this case so the user must choose to explicitly + opt-in to - secure boot for the new installation, and full-disk encryption along + secure boot for the new installation, and full-disk encryption + along - with it. Otherwise, the user must reset the enrolled keys to install + with it. Otherwise, the user must reset the enrolled keys to + install without secure boot. footer: @@ -13514,11 +14058,14 @@ Extended globbing is not enabled by default, which makes the substring - match for trimming leading zeroes not work. This causes SETUPMODEVAR to + match for trimming leading zeroes not work. This causes + SETUPMODEVAR to - evaluate to "01", which fails comparison with the string "1", skipping + evaluate to "01", which fails comparison with the string "1", + skipping - key enrollment when secure boot is enabled. Compare using an integer + key enrollment when secure boot is enabled. Compare using an + integer expression instead. footer: 
@@ -13534,21 +14081,26 @@ When refactoring secure boot setup, a logic mistake in the purpose and - use of SECUREBOOT_VAR meant that devices booting the flasher with keys already + use of SECUREBOOT_VAR meant that devices booting the flasher + with keys already - enrolled would bail out with an incorrect message about secure boot not + enrolled would bail out with an incorrect message about secure + boot not being supported in firmware. - This variable is `00` on systems with secure boot support in firmware, + This variable is `00` on systems with secure boot support in + firmware, - but not enabled and enforced, `01` on systems where secure boot is + but not enabled and enforced, `01` on systems where secure boot + is enforced, and empty when secure boot is unsupported. - Change this conditional to bail out only when the variable is empty, + Change this conditional to bail out only when the variable is + empty, indicating that secure boot is unsupported. footer: @@ -13646,9 +14198,11 @@ Not all platforms support secure boot, notably aarch64 using tianocore - firmware. Additionally, swtpm may not be available for all platforms. + firmware. Additionally, swtpm may not be available for + all platforms. - Accordingly, move the swtpm service to a separate compose file that is + Accordingly, move the swtpm service to a separate + compose file that is only used when secure boot is enabled. footer: @@ -13710,7 +14264,8 @@ QEMU is capable of using an emulated software TPM exposed via socket. A - TPM is necessary for full disk encryption (FDE), so add a service to + TPM is necessary for full disk encryption (FDE), so add + a service to provide this to the QEMU worker. footer: @@ -13755,7 +14310,8 @@ Some firmwares will not boot balenaOS by default without explicitly - creating a boot entry, so create one on EFI platforms after flashing. + creating a boot entry, so create one on EFI platforms after + flashing. footer: Change-type: patch change-type: patch 
@@ -13769,19 +14325,23 @@ get_dev_path_from_label() calls lsblk to get the name and label of a - disk, then filters the list using the label and returns a /dev path. + disk, then filters the list using the label and returns a /dev + path. The name returned when using a luks encrypted partition is the - /dev/mapper name, rather than the kernel's device mapper name under + /dev/mapper name, rather than the kernel's device mapper name + under - /dev/dm-*. When assembling a path under /dev using the luks name, the + /dev/dm-*. When assembling a path under /dev using the luks + name, the path is invalid, and the by-state links aren't created. - This leads to the rootfs hook failing to find and mount the resin-rootA + This leads to the rootfs hook failing to find and mount the + resin-rootA partition. @@ -13816,15 +14376,18 @@ The flasher image enrolls the secure boot keys before rebooting into - secured user mode and creating the encrypted luks volumes on disk. + secured user mode and creating the encrypted luks volumes on + disk. - If the image is not signed, the key enrollment will fail, and the + If the image is not signed, the key enrollment will fail, and + the flasher will enter a loop trying to enroll them and rebooting. - Instead, skip the key enrollment if the image is not signed, resulting + Instead, skip the key enrollment if the image is not signed, + resulting in a non secure-boot installation. footer: @@ -13973,7 +14536,8 @@ old hooks from, the EFI partition must be bind-mounted as well - otherwise the /mnt/boot/EFI symlink is invalid and rollback fails + otherwise the /mnt/boot/EFI symlink is invalid and rollback + fails to deploy files into that directory. footer: 
@@ -14192,7 +14756,8 @@ body: > iptables takes a file lock at /run/xtables.lock. By default, if - the file is locked, iptables will fail with error. When that happens, + the file is locked, iptables will fail with error. When that + happens, the iptables rules won't be configured, and the shared mode @@ -14260,10 +14825,12 @@ This EFI image contains the secure boot certificates and when executed it - is supposed to load the keys into the respective secure boot slots. + is supposed to load the keys into the respective secure boot + slots. - We don't use this binary in our secure boot implementation, but currently + We don't use this binary in our secure boot implementation, but + currently the build breaks as the binary is installed but not packaged. footer: @@ -14306,7 +14873,8 @@ by contributors for more than 6 months. - Internal discussion: https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/322934815 + Internal discussion: + https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/322934815 footer: Changelog-entry: Discontinue Blackboard TX2 and N310 TX2 changelog-entry: Discontinue Blackboard TX2 and N310 TX2 @@ -14352,7 +14920,8 @@ to a new maximum of 2048. - See https://github.com/darkk/redsocks/blob/19b822e345f6a291f6cff6b168f1cfdfeeb2cd7d/base.c#L419 + See + https://github.com/darkk/redsocks/blob/19b822e345f6a291f6cff6b168f1cfdfeeb2cd7d/base.c#L419 footer: Change-type: patch change-type: patch 
@@ -14663,14 +15232,17 @@ body: > The previous method of disabling NTP by stopping the nameserver - (dnsmasq) relied on the dnsmasq unit not being reactivated before the + (dnsmasq) relied on the dnsmasq unit not being reactivated + before the test completed. - Instead, disable NTP by blocking ntp.org in the local dnsmasq instance + Instead, disable NTP by blocking ntp.org in the local dnsmasq + instance - using a dbus method call. NTP is re-enabled as before, by restarting + using a dbus method call. NTP is re-enabled as before, by + restarting dnsmasq. footer: @@ -14850,7 +15422,8 @@ Custom actions can only use certain secrets and single-dimension - run matrices. By running an entirely separate job after Flowzone + run matrices. By running an entirely separate job after + Flowzone is successful we have a lot more options. footer: @@ -15165,11 +15738,13 @@ In rare cases (believed to be caused by a non-atomic file creation and - writing operation in containerd), we end up with an empty file at + writing operation in containerd), we end up with an empty file + at `/mnt/data/docker/containerd/daemon/io.containerd.grpc.v1.introspection/uuid`. - This causes `ctr version` (and hence the health check) to fail. See + This causes `ctr version` (and hence the health check) to fail. + See https://github.com/balena-os/balena-engine/issues/322 
@@ -15177,13 +15752,16 @@ This commit addresses this issue in two ways: - 1. Before running `ctr version`, we check if the uuid file exists and is + 1. Before running `ctr version`, we check if the uuid file + exists and is empty. If so, we remove it. (The subsequent execution of `ctr version` by the healthcheck will create the file again.) - 2. After running `ctr version`, we check if the uuid file was really + 2. After running `ctr version`, we check if the uuid file was + really created and is not empty. - In both cases, when an empty uuid file is detected, we log the event to + In both cases, when an empty uuid file is detected, we log the + event to help us confirm our hypothesis about the root cause. footer: @@ -15384,12 +15962,14 @@ meta-openembedded, so that all improvements are merged now. - Excluded from it are `iwd` and `dhcpcd` daemon configurations that are + Excluded from it are `iwd` and `dhcpcd` daemon configurations + that are not used by us. - Default NM firewall in meta-openembedded is `nftables` where we are still + Default NM firewall in meta-openembedded is `nftables` where we + are still using `iptables`. @@ -15397,11 +15977,14 @@ The new recipe relies on `meson` as a build system now. - The .bbapend file that contains modifications specific to balena is preserved. + The .bbapend file that contains modifications specific to balena + is preserved. - Only `balena-client-id.patch` is removed as it references code that no longer + Only `balena-client-id.patch` is removed as it references code + that no longer - exists. This is because the internal systemd DHCPv4 client code that NM used + exists. This is because the internal systemd DHCPv4 client code + that NM used is now replaced by nettools' n-dhcp4 implementation. @@ -15429,7 +16012,8 @@ so we reuse the fixed version from upstream. - The symptom is that DNS servers provided by DHCP are not being used. + The symptom is that DNS servers provided by DHCP are not being + used. Closes #2907 
@@ -15760,7 +16344,8 @@ since support was added. Marking it as discontinued - as per internal discussion https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/315939998 + as per internal discussion + https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/Floyd.20Nano/near/315939998 footer: Signed-off-by: Alexandru Costache signed-off-by: Alexandru Costache @@ -15799,7 +16384,8 @@ a unique subnet that is not in use. - The DinD daemon in the core service will also start with a non-default + The DinD daemon in the core service will also start with + a non-default subnet. footer: @@ -15847,11 +16433,14 @@ When unlocking LUKS devices, udev events initializing the DM devices are still - generated in the background even after cryptsetup luksOpen returns. We need to + generated in the background even after cryptsetup luksOpen + returns. We need to - wait for the udev processing to finish before killing udev and cleaning up + wait for the udev processing to finish before killing udev and + cleaning up - the udev database to avoid having to deal with partially initialized devices + the udev database to avoid having to deal with partially + initialized devices or corrupted udev database in the target OS. footer: @@ -15882,11 +16471,14 @@ When unlocking LUKS devices, udev events initializing the DM devices are still - generated in the background even after cryptsetup luksOpen returns. We need to + generated in the background even after cryptsetup luksOpen + returns. We need to - wait for the udev processing to finish before killing udev and cleaning up + wait for the udev processing to finish before killing udev and + cleaning up - the udev database to avoid having to deal with partially initialized devices + the udev database to avoid having to deal with partially + initialized devices or corrupted udev database in the target OS. footer: 
@@ -16025,9 +16617,11 @@ Our initramfs is built into the kernel, which is always compressed. - Disable redundant initramfs compression, which should save some CPU + Disable redundant initramfs compression, which should save some + CPU - cycles during build and boot, as well as improving compression ratio. + cycles during build and boot, as well as improving compression + ratio. footer: Change-type: patch change-type: patch @@ -16057,16 +16651,21 @@ In the current state the cryptsetup initrd script tries to unlock all - LUKS volumes in the system using the TPM. This includes user-defined LUKS + LUKS volumes in the system using the TPM. This includes + user-defined LUKS - volumes that, if present, fail to unlock and make the system unbootable. + volumes that, if present, fail to unlock and make the system + unbootable. - We should also not touch user-defined volumes in the first place. + We should also not touch user-defined volumes in the first + place. - This patch modifies the cryptsetup script to only unlock LUKS volumes + This patch modifies the cryptsetup script to only unlock LUKS + volumes - that are on the OS drive (same block device as the EFI partition). + that are on the OS drive (same block device as the EFI + partition). footer: Change-type: patch change-type: patch @@ -16268,11 +16867,14 @@ Not all the boards we support have the redsocks uid as 995 in their rootfs so let's - fetch the actual redsocks uid from the DUT before running the proxy tests and + fetch the actual redsocks uid from the DUT before running the + proxy tests and - update that in the docker-compose.yml. We do so because the REDSOCKS_UID value + update that in the docker-compose.yml. We do so because the + REDSOCKS_UID value - isn't substituted in the compose if the variable, even if it is passed trough + isn't substituted in the compose if the variable, even if it is + passed trough the cli. footer: 
@@ -16292,19 +16894,23 @@ Enabling CONFIG_KERNEL_ZSTD=y improves the compression ratio compared - to gzip while being faster to decompress. With kernel 5.15 in balenaOS + to gzip while being faster to decompress. With kernel 5.15 in + balenaOS v2.105, we see the 24 MB kernel compress to approximately 19 MB. - Zstd support was added in commit 48f7ddf, first introduced in kernel + Zstd support was added in commit 48f7ddf, first introduced in + kernel v5.9. Enable this config unconditionally in supported kernels. - Note that not every architecture and device support this option, but in + Note that not every architecture and device support this option, + but in - those cases, Kconfig will automatically disable it as HAVE_ZSTD is also + those cases, Kconfig will automatically disable it as HAVE_ZSTD + is also missing. footer: @@ -16324,7 +16930,8 @@ Generate a bmap file from the sparse image to allow for punching holes - in the disk image ranges that were unmapped after building. This data is + in the disk image ranges that were unmapped after building. This + data is lost during compression, and the bmapfile allows for recreating, @@ -16382,12 +16989,14 @@ eb69ff445fe0cac4f2060e67fa6994e61c3ca4b9. - Hardcoding the bridge address like this results in conflicts + Hardcoding the bridge address like this results in + conflicts when multiple instances are running on one jenkins node. - A new solution for local workstation testing will have to be + A new solution for local workstation testing will have + to be considered. footer: @@ -16428,7 +17037,8 @@ Instead of retrying to get the DUT IP address 120 times on a 1 seconds interval, - let's reduce it to 30 times because the resolveLocalTarget which we call will + let's reduce it to 30 times because the + resolveLocalTarget which we call will timeout too in 15 seconds: 
@@ -16436,7 +17046,8 @@ https://github.com/balena-os/leviathan-worker/blob/master/lib/helpers/index.ts#L162 - So reducing the retries number to 30 will effectly bring the total combined timeout to a maximum of 8 minutes. + So reducing the retries number to 30 will effectly bring + the total combined timeout to a maximum of 8 minutes. footer: Change-type: patch change-type: patch @@ -16473,7 +17084,8 @@ The testbot AP is visible and is discovered during a scan. - Let's remove the hidden attribute as it may cause problems + Let's remove the hidden attribute as it may cause + problems for the 243390-rpi wireless tests. footer: @@ -16608,9 +17220,11 @@ There are two GRUB config variants - one for regular devices and one - for devices with FDE enabled. This commit makes flasher include the latter + for devices with FDE enabled. This commit makes flasher include + the latter - in the boot partition when secure boot and FDE is included in the image. + in the boot partition when secure boot and FDE is included in + the image. footer: Change-type: patch change-type: patch @@ -16738,7 +17352,8 @@ get_part_number_by_label expects the block device name without the /dev/ - prefix, flasher uses this correctly in all but one place, this patch fixes it. + prefix, flasher uses this correctly in all but one place, this + patch fixes it. footer: Change-type: patch change-type: patch @@ -16751,7 +17366,8 @@ body: > On most device types rootA and rootB are partitions 2 and 3 - but with LUKS encryption and boot/EFI split they are shifted to 3 and 4 + but with LUKS encryption and boot/EFI split they are shifted to + 3 and 4 footer: Change-type: patch change-type: patch @@ -16777,7 +17393,8 @@ We are using two variants of GRUB configs - one for LUKS-encrypted OS - and the other one for the rest. HUP needs to acknowledge this and use + and the other one for the rest. HUP needs to acknowledge this + and use the correct one based on the system being updated. footer: 
@@ -16804,7 +17421,8 @@ On full disk encrypted devices the EFI partition is a soft link in the - boot partition. This commit fixes detecting files in the EFI partition + boot partition. This commit fixes detecting files in the EFI + partition from the boot partition. footer: @@ -16820,7 +17438,8 @@ On full disk encrypted devices the EFI partition is a soft link in the - boot partition. This commit fixes detecting files in the EFI partition + boot partition. This commit fixes detecting files in the EFI + partition from the boot partition. footer: @@ -16840,9 +17459,11 @@ |-sda2 8:2 0 42M 0 part | `-luks-a91cd125-9e4c-45e6-b3f4-1e9b4ec9e5b9 250:0 0 40M 0 crypt /mnt/boot - This commit allows extracting the physical device (sdaN) whic is needed + This commit allows extracting the physical device (sdaN) whic is + needed - to extract the partition index using sysfs both for luks or standard + to extract the partition index using sysfs both for luks or + standard devices. footer: @@ -16920,7 +17541,8 @@ container and the DUT does not allow to ssh as a non-root user. - Run ssh from the worker to test local SSH authentication with a cloud + Run ssh from the worker to test local SSH authentication with a + cloud user. footer: @@ -16936,14 +17558,17 @@ Given that testbot devices use a tunnel to specific ports to communicate - with the DUT that is established with the suite-generated keys, using + with the DUT that is established with the suite-generated keys, + using - a different keypair for the ssh-auth test would require to tear down and + a different keypair for the ssh-auth test would require to tear + down and re-establish the tunnel. - It's easier to just use the existing key pair in the ssh-auth test. + It's easier to just use the existing key pair in the ssh-auth + test. footer: Change-type: patch change-type: patch 
@@ -16957,7 +17582,8 @@ Using two set of keys, the one created by the suite to authenticate by - the proxy and a new custom key, is tricky as when running on testbot the + the proxy and a new custom key, is tricky as when running on + testbot the key is used to establish the tunnel between core and DUT. @@ -17059,12 +17685,14 @@ When adding a kernel configuration conditional in a provided kernel - version, make the check include the provided kernel version as that is + version, make the check include the provided kernel version as + that is the intuitive way to understand it. - The two places that use this function already used it in this way. + The two places that use this function already used it in this + way. footer: Change-type: patch change-type: patch @@ -17093,7 +17721,8 @@ body: > chrony 4.2 introduces security hardening in the - service definition that removes the CAP_SYS_ADMIN permission, affecting + service definition that removes the CAP_SYS_ADMIN permission, + affecting the way healthdog uses execve to become chronyd. @@ -17101,7 +17730,8 @@ commit 83f96efdfd2d (examples: harden systemd services) - This commits works around it by allowing all members of the service's + This commits works around it by allowing all members of the + service's control group to send notification messages. footer: @@ -17193,7 +17823,8 @@ Add the wireguard module by default so it is included in all device - types. This is a frequently requested by customers and will avoid having + types. This is a frequently requested by customers and will + avoid having to patch individual device repositories. footer: 
@@ -17225,12 +17856,15 @@ There are two sets of keys used in this test, one stored in `/root/id` - which is created by the cloud suite to SSH via the proxy server, and + which is created by the cloud suite to SSH via the proxy server, + and - a custom key stored in `/root/test_id` used in some of the subtests. + a custom key stored in `/root/test_id` used in some of the + subtests. - Fix the test cases using the custom key to use the correct private key. + Fix the test cases using the custom key to use the correct + private key. footer: Change-type: patch change-type: patch @@ -17288,7 +17922,8 @@ configuration and starting the `openvpn` service unit. - As the `openvpn` service units stops `os-config`, it might not get to + As the `openvpn` service units stops `os-config`, it might not + get to restart the supervisor. @@ -17386,12 +18021,15 @@ The sshd daemon is configured to fetch keys from the API for local - user connections. The script that fetches the keys, cloud-public-sshkeys, + user connections. The script that fetches the keys, + cloud-public-sshkeys, - sources balena-config-vars and is run as an exclusive non-root user. + sources balena-config-vars and is run as an exclusive non-root + user. - Let's set the correct permissions for this file to allow not to break + Let's set the correct permissions for this file to allow not to + break the above. @@ -17422,12 +18060,14 @@ database and files modified outside of the pseudo context [0]. - This will occasionally cause builds to fail in the do_deploy step of the + This will occasionally cause builds to fail in the do_deploy + step of the kernel-devsrc recipe. [1] - Fix this by not removing the kernel_source tarball in the do_deploy + Fix this by not removing the kernel_source tarball in the + do_deploy step. 
@@ -17477,7 +18117,8 @@ The old test no longer matches on full disk paths including /dev, which - can potentially result in the installation disk not being excluded from + can potentially result in the installation disk not being + excluded from the pool of installation targets. @@ -17498,9 +18139,11 @@ Previously, globs such as 'md/balena{,_*}' and 'mmcblk?' weren't being - properly expanded, resulting in the old behavior of explicit lists of + properly expanded, resulting in the old behavior of explicit + lists of - disks continuing to work, but consolidated globs matching multiple disks + disks continuing to work, but consolidated globs matching + multiple disks would not. @@ -17561,7 +18204,8 @@ Since kirkstone tasks have network access disabled by default so we need - to enable it explicitly for tasks that talk to the signing service. + to enable it explicitly for tasks that talk to the signing + service. footer: Change-type: patch change-type: patch @@ -17885,7 +18529,8 @@ Handle ENOENT ErrnoException when attempting to unwrap a non-flasher - image in HUP tests. This mirrors a similar change made in ce2d33ad8. + image in HUP tests. This mirrors a similar change made in + ce2d33ad8. footer: Change-type: patch change-type: patch @@ -17937,7 +18582,8 @@ ``` - ERROR: libical-2.0.0-r0 do_package: QA Issue: libical: Files/directories were installed but not shipped in any package: + ERROR: libical-2.0.0-r0 do_package: QA Issue: libical: + Files/directories were installed but not shipped in any package: /usr/lib/cmake @@ -17968,7 +18614,8 @@ body: > Newer versions fail on the configuration step with: - Requested 'libcrypto >= 1.1.0' but version of OpenSSL-libcrypto is 1.0.2o + Requested 'libcrypto >= 1.1.0' but version of OpenSSL-libcrypto + is 1.0.2o footer: Change-type: patch change-type: patch 
@@ -18258,14 +18905,17 @@ This config file hasn't been used since commit 2db88c2, which unified - how managed and unmanaged images operate. Since that commit, openvpn + how managed and unmanaged images operate. Since that commit, + openvpn - starts up if the config file at /etc/openvpn/openvpn.conf is found, and + starts up if the config file at /etc/openvpn/openvpn.conf is + found, and otherwise remains inactive. This file is populated by os-config. - Remove the old config to prevent misdirection and cleanup the layer. + Remove the old config to prevent misdirection and cleanup the + layer. footer: Change-type: patch change-type: patch @@ -18329,26 +18979,32 @@ Chronyd checks that the directory specified as `sourcedir` in `chrony.conf` - (in this case `/var/chrony`) is not world accessible if it exists (chrony + (in this case `/var/chrony`) is not world accessible if it + exists (chrony - will create it correctly if it does not exist), and does not start + will create it correctly if it does not exist), and does not + start if that's the case. - The way that the `/var/chrony` is created when it does not exist opens + The way that the `/var/chrony` is created when it does not exist + opens - the possibility of the directory existing with the wrong permissions and + the possibility of the directory existing with the wrong + permissions and hitting this problem. - This commit creates the directory with the correct permissions from the + This commit creates the directory with the correct permissions + from the start to avoid the race condition. - It also changes the permissiong from 750 to 770 to match what chrony + It also changes the permissiong from 750 to 770 to match what + chrony does (see @@ -18413,7 +19069,8 @@ hostOS updates between aufs and overlay2 balenaOS versions. - This commit adds support for 5.15 kernels and improves the branch + This commit adds support for 5.15 kernels and improves the + branch selection logic to cover some corner cases. 
@@ -18439,7 +19096,8 @@ d6b563710e6cc0857843433d85023d47f9f2037d - Without much explanation in the commit, the ABI was removed in Poky: + Without much explanation in the commit, the ABI was removed in + Poky: e4c16d11128f0e9cc2567fc9e3579e9a94988b2e @@ -18449,14 +19107,17 @@ 0bf2fd16273436f1cd9ea2ab99ad882e879f965d - Then, there was a partial revert to remove the ABI again in Poky: + Then, there was a partial revert to remove the ABI again in + Poky: 66ff1fb3a164fa794ee186960809e3fa9e938b48 - This last 66ff1fb3a164fa794ee186960809e3fa9e938b48 commit is reverted here as + This last 66ff1fb3a164fa794ee186960809e3fa9e938b48 commit is + reverted here as - it fails to build for ARM targets. All our boards that cover all the + it fails to build for ARM targets. All our boards that cover all + the possible ABIs build with this change. footer: @@ -18753,7 +19414,8 @@ body: > This fixes the following error when building mkfs-hostapp-native - with Honister for a Variscite iMX8MM which only has Hardknott support: + with Honister for a Variscite iMX8MM which only has Hardknott + support: mkfs-hostapp-native-1.0-r0 do_prepare_recipe_sysroot: @@ -18873,7 +19535,8 @@ Unfortunately the standalone balena-cli package is linked to glibc - and does not work with musl (alpine) so we need to switch to debian. + and does not work with musl (alpine) so we need to + switch to debian. The trade-off seems worth it for build times though. @@ -18890,7 +19553,8 @@ This version can likely be increased now that the balena-cli - is no longer part of the ndoe dependencies, but for now just + is no longer part of the ndoe dependencies, but for now + just publish the current setting. footer: @@ -19036,7 +19700,8 @@ Before kirkstone, the way to not include the kernel image was to - override the `RDEPENDS:${KERNEL_PACKAGE_NAME}-base` not to include + override the `RDEPENDS:${KERNEL_PACKAGE_NAME}-base` not to + include `kernel-image`, as was done in the `kernel-resin-noimage` class. 
@@ -19046,7 +19711,8 @@ Poky's commit f6d963fa6d0e64d53f7ef56fd2c12d67f5811829 - Now excluding the kernel image needs to `PACKAGE_EXCLUDE = "kernel-image-*"` + Now excluding the kernel image needs to `PACKAGE_EXCLUDE = + "kernel-image-*"` footer: Change-type: patch change-type: patch @@ -19146,7 +19812,9 @@ Yocto kirkstone complains with: - ERROR: packagegroup-resin-1.0-r1 do_package_write_ipk: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (libnss-ato to libnss-ato2) + ERROR: packagegroup-resin-1.0-r1 do_package_write_ipk: An + allarch packagegroup shouldn't depend on packages which are + dynamically renamed (libnss-ato to libnss-ato2) For lack of a better place, move to the balena-image recipe. @@ -19505,7 +20173,8 @@ Run the resin-update-state rules that create the by-state links after md - arrays are assembled. This fixes state link creation when running on a + arrays are assembled. This fixes state link creation when + running on a RAID array. footer: @@ -19543,7 +20212,8 @@ Run the resin-update-state rules that create the by-state links after md - arrays are assembled. This fixes state link creation when running on a + arrays are assembled. This fixes state link creation when + running on a RAID array. footer: @@ -19585,7 +20255,8 @@ The latest meta-balena includes `util-linux-findmnt` as a kexec module - dependency and this package has not yet been split from `util-linux` in + dependency and this package has not yet been split from + `util-linux` in thud. footer: @@ -19643,9 +20314,11 @@ In order to use the same rust toolchain across all supported Yocto - versions this commit updates the cmake version on all integration layers + versions this commit updates the cmake version on all + integration layers - below Zeus to 3.13.4, which is the minimum version to compile the rust + below Zeus to 3.13.4, which is the minimum version to compile + the rust 1.62 toolchain. 
@@ -19682,7 +20355,8 @@ it was living in meta-rust. - We want to use the balena-rust layer across a wide variety of Yocto + We want to use the balena-rust layer across a wide variety of + Yocto versions so include the fetcher conditionally. footer: @@ -19702,11 +20376,14 @@ systems and is not present in older Yocto releases. - This commit reverts to the previous way of setting the rust architecture. + This commit reverts to the previous way of setting the rust + architecture. - It will not work for ppc64le and if we would need to support such an + It will not work for ppc64le and if we would need to support + such an - architecture the arch_to_rust_arch() function will still be called if it + architecture the arch_to_rust_arch() function will still be + called if it exists in Kirkstone or newer Yocto versions. footer: @@ -19723,14 +20400,17 @@ With Kirkstone and the support of openSSL 3.0 it's not possible to find - a set of dependencies that work for all of our rust applications across + a set of dependencies that work for all of our rust applications + across - the 1.32 to 1.62 toolchain versions that are supported across all the + the 1.32 to 1.62 toolchain versions that are supported across + all the Yocto versions we keep compatibility with. - This layer allows to set a preferred version as a distro setting that can + This layer allows to set a preferred version as a distro setting + that can be used across all Yocto versions. @@ -19977,7 +20657,8 @@ body: > Add support for Auvidea JN30D-Nano and JN30d-TX2 board. - A break out board bundled with the NVIDIA Jetson Nano or TX2 and similar to the + A break out board bundled with the NVIDIA Jetson Nano or TX2 and similar + to the dev kit. footer: 
@@ -20040,7 +20721,8 @@ Recent versions of meta-balena include a balena-rust layer used to - specify a distro-set Rust version across all supported Yocto versions + specify a distro-set Rust version across all supported Yocto + versions As such, the syntax of this layer also needs to be converted. @@ -20086,18 +20768,23 @@ container. This had two downsides: - 1. It was relatively heavyweight. In devices under heavy load, it would + 1. It was relatively heavyweight. In devices under heavy load, + it would sometimes take so long to run that the Engine was killed by the watchdog. - 2. It wrote to the storage media. Creating a container involves writing + 2. It wrote to the storage media. Creating a container involves + writing some data to persistent storage, therefore the healthcheck was wearing the storage media. - This new healthcheck simply pings both `balenad` and `containerd`, which + This new healthcheck simply pings both `balenad` and + `containerd`, which - is much faster than starting a new container and doesn't write to disk. + is much faster than starting a new container and doesn't write + to disk. - The step of pinging `containerd` is important because we have seen at + The step of pinging `containerd` is important because we have + seen at least one case in the past in which `balenad` was working but @@ -20115,11 +20802,13 @@ With `WatchdogSignal=SIGTERM` systemd will send a SIGTERM and give the - Engine 90 seconds to gracefully shutdown before sending a SIGKILL. We + Engine 90 seconds to gracefully shutdown before sending a + SIGKILL. We had cases of Engine metadata on disk getting corrupted after the - watchdog sent it a SIGKILL directly. This change shall minimize this + watchdog sent it a SIGKILL directly. This change shall minimize + this issue. footer: 
@@ -20160,18 +20849,23 @@ container. This had two downsides: - 1. It was relatively heavyweight. In devices under heavy load, it would + 1. It was relatively heavyweight. In devices under heavy load, + it would sometimes take so long to run that the Engine was killed by the watchdog. - 2. It wrote to the storage media. Creating a container involves writing + 2. It wrote to the storage media. Creating a container involves + writing some data to persistent storage, therefore the healthcheck was wearing the storage media. - This new healthcheck simply pings both `balenad` and `containerd`, which + This new healthcheck simply pings both `balenad` and + `containerd`, which - is much faster than starting a new container and doesn't write to disk. + is much faster than starting a new container and doesn't write + to disk. - The step of pinging `containerd` is important because we have seen at + The step of pinging `containerd` is important because we have + seen at least one case in the past in which `balenad` was working but @@ -20189,11 +20883,13 @@ With `WatchdogSignal=SIGTERM` systemd will send a SIGTERM and give the - Engine 90 seconds to gracefully shutdown before sending a SIGKILL. We + Engine 90 seconds to gracefully shutdown before sending a + SIGKILL. We had cases of Engine metadata on disk getting corrupted after the - watchdog sent it a SIGKILL directly. This change shall minimize this + watchdog sent it a SIGKILL directly. This change shall minimize + this issue. footer: @@ -20276,7 +20972,8 @@ Our tests perform two HUPs (into and out of the release under test), and - the code for both of these HUPs were duplicated. This commit factors + the code for both of these HUPs were duplicated. This commit + factors this code out to a common function. footer: 
@@ -20292,7 +20989,8 @@ This is a small improvement over our previous test: in addition to - checking that the volumes themselves are preserved over HUPs, we now + checking that the volumes themselves are preserved over HUPs, we + now check if the contents of these volumes is preserved. @@ -20604,9 +21302,11 @@ The boot partition is currently a FAT filesystem that does not support - atomic writes. To prevent corruption, this commit introduces a fatrw + atomic writes. To prevent corruption, this commit introduces a + fatrw - application that needs to be used both when reading and writing files + application that needs to be used both when reading and writing + files to the boot partition to provide safe accesses. footer: @@ -20650,7 +21350,8 @@ Including the 2min systemd watchdog timer, plus 60 attempts to sync - the time via chronyc waitsync, it may take longer than expected to + the time via chronyc waitsync, it may take longer than expected + to trigger the healthcheck condition. footer: @@ -20956,7 +21657,8 @@ 87a741fd22a78c190bec59fa6628de921ac2809f. - This change didn't actually help to resolve the original ETIMEDOUT + This change didn't actually help to resolve the original + ETIMEDOUT issues so it can be reverted. footer: @@ -21066,13 +21768,17 @@ The executeCommand family of methods default to retrying on failure. In - some cases, such as in the ssh-auth test in the cloud test suite, we + some cases, such as in the ssh-auth test in the cloud + test suite, we - expect failures to happen, and want them to be raised immediately. Other + expect failures to happen, and want them to be raised + immediately. Other - situations might demand adjusting the number of retries and interval to + situations might demand adjusting the number of retries + and interval to - fit specific tests. Add a retryOptions object to these methods to allow + fit specific tests. Add a retryOptions object to these + methods to allow for this behavior to be configured. footer: 
@@ -21107,7 +21813,8 @@ This test was broken previously, and would fail with "All configured - authentication methods failed" after a long delay caused by excessive + authentication methods failed" after a long delay caused by + excessive retries. @@ -21138,7 +21845,8 @@ This test was broken previously, and would fail with "All configured - authentication methods failed" after a long delay caused by excessive + authentication methods failed" after a long delay caused by + excessive retries. @@ -21422,12 +22130,14 @@ body: > When parallelizing fingerprint checks with Promise.any(), the - unsuccessful command would continue retrying in the background, causing + unsuccessful command would continue retrying in the background, + causing spurious error messages. - With mDNS resolution memoization, this optimization no longer saves us + With mDNS resolution memoization, this optimization no longer + saves us time, so remove it. footer: @@ -21564,7 +22274,8 @@ BOOT_MOUNTPOINT is used in 5. - This commit replaces BOOT_MOUNTPOINT with BALENA_BOOT_MOUNTPOINT to + This commit replaces BOOT_MOUNTPOINT with BALENA_BOOT_MOUNTPOINT + to remove the duplication. footer: @@ -21599,16 +22310,20 @@ When accessing a test device as part of a fleet, a cloud API key is - required in order to generate an SSH key and access the device through + required in order to generate an SSH key and access the device + through - the VPN. However, when accessing a device locally, such as a QEMU + the VPN. However, when accessing a device locally, such as a + QEMU - instance running on the workstation itself, we have a direct path, and + instance running on the workstation itself, we have a direct + path, and no VPN is necessary. - Make the apiKey optional, and don't login when it's not specified. This + Make the apiKey optional, and don't login when it's not + specified. This allows direct connections to work without it. footer: 
@@ -21674,7 +22389,8 @@ Reduce the interval between scans as well as the maximum number of scans - for modems, reducing the time spent waiting when no modem is present + for modems, reducing the time spent waiting when no modem is + present from ~50s to ~5s. footer: @@ -21703,11 +22419,14 @@ worker.rebootDut() contains retry logic using utils.waitUntil() wrapping - this.executeCommandInHostOS(). The latter contains its own retry logic, + this.executeCommandInHostOS(). The latter contains its + own retry logic, - which will try to execute a given command for up to five minutes before + which will try to execute a given command for up to five + minutes before - timing out. Remove the retry logic from worker.rebootDut(), as it's + timing out. Remove the retry logic from + worker.rebootDut(), as it's redundant and adds latency. footer: @@ -21723,9 +22442,11 @@ The default interval for retrying this command is 5s, with a total - timeout of 2m30s. Reduce the timeout to 1s to reduce latency for the + timeout of 2m30s. Reduce the timeout to 1s to reduce + latency for the - successful case, while increasing the total timeout to 5m. + successful case, while increasing the total timeout to + 5m. footer: Change-type: patch change-type: patch @@ -21767,9 +22488,11 @@ Certain chrony tests require the ability to block NTP requests. Switch - from blocking these requests using iptables rules to simply stopping the + from blocking these requests using iptables rules to simply + stopping the - local DNS server, which is faster and simpler, and doesn't conflict with + local DNS server, which is faster and simpler, and doesn't + conflict with the supervisor firewall. footer: @@ -21849,7 +22572,8 @@ In conclusion, we rework how the blacklist is constructed - so that users of meta-balena can alter this list as they see fit. + so that users of meta-balena can alter this list as they see + fit. footer: Change-type: patch change-type: patch 
@@ -21917,24 +22641,32 @@ This changes the condition in the unit file from checking whether - /dev/disk/by-state/balena-efi exists to checking whether /mnt/boot/EFI + /dev/disk/by-state/balena-efi exists to checking whether + /mnt/boot/EFI - is a symlink. The original approach has a race condition populating + is a symlink. The original approach has a race condition + populating - the by-state symlink - it is depending on udev and if the link is + the by-state symlink - it is depending on udev and if the link + is - not present when the service is started (after the boot partition is mounted), + not present when the service is started (after the boot + partition is mounted), the service fails and the EFI partition is never mounted. - The new approach does the trick pretty well - /mnt/boot/EFI is a symlink + The new approach does the trick pretty well - /mnt/boot/EFI is a + symlink - if the EFI partition is split and a regular directory in case there is a single + if the EFI partition is split and a regular directory in case + there is a single - boot partition. That said the service is only started when necessary + boot partition. That said the service is only started when + necessary - and the waiting for udev is implemented as a part of the mount script. + and the waiting for udev is implemented as a part of the mount + script. footer: Change-type: patch change-type: patch @@ -21952,7 +22684,8 @@ Recent versions of GRUB default to use shim_lock when in secure boot mode. - We do not use shim and do not build the shim_lock module into GRUB EFI binary + We do not use shim and do not build the shim_lock module into + GRUB EFI binary therefore this needs to be disabled. footer: 
@@ -21993,9 +22726,11 @@ Create a directConnect variable that indicates whether we're connecting - to a local instance of the worker server, including if the connection is + to a local instance of the worker server, including if + the connection is - over a unix domain socket. This allows the suite to skip steps that + over a unix domain socket. This allows the suite to skip + steps that don't pertain to local runs. footer: @@ -22162,9 +22897,11 @@ and the system time does not skew. - The healthcheck will command a burst sync if there is no selected + The healthcheck will command a burst sync if there is no + selected - reachable source, and will restart chronyd if the system clock skews. + reachable source, and will restart chronyd if the system clock + skews. Fixes #2314 @@ -22197,7 +22934,8 @@ The resin-img is no longer maintained and the deployment of raw images - as well as flasher requires features only available in balena-img. + as well as flasher requires features only available in + balena-img. footer: Change-type: patch change-type: patch @@ -22262,7 +23000,8 @@ As part of rebranding, resin docker repos were renamed to balena, and - resin/resin-img no longer receives updates. Change the image we pull to + resin/resin-img no longer receives updates. Change the image we + pull to process OS images from resin/resin-img to balena/balena-img. footer: @@ -22424,7 +23163,8 @@ body: > Test context is now accessible from self, remove verbose - this.context.get() syntax when calling worker.executeCommandInHostOS. + this.context.get() syntax when calling + worker.executeCommandInHostOS. footer: Change-type: patch change-type: patch @@ -22438,7 +23178,8 @@ When calling waitUntil(), reduce calling intervals and the total number - of retries. This effectively halves the runtime for these tests, as the + of retries. This effectively halves the runtime for these tests, + as the latency for detecting success is much lower. footer: 
@@ -22663,7 +23404,8 @@ When the promise called in waitUntil fails, the function defaults to a - 30s interval before trying again. Reduce this to a 5s interval w/ + 30s interval before trying again. Reduce this to a 5s interval + w/ maximum 5m retry window in the cloud suite. footer: @@ -22752,7 +23494,8 @@ utils.waitUntil expects rejectionFail before _times and _delay, include - this argument to ensure the later arguments have the intended effect + this argument to ensure the later arguments have the intended + effect footer: Change-type: patch change-type: patch @@ -22848,7 +23591,8 @@ Use systemd.waitForServiceState instead of waitUntil. This improves - readability, and reduces the time taken in the case that the test fails + readability, and reduces the time taken in the case that the + test fails and the default interval of waitUntil causes an excessive wait. footer: @@ -22889,7 +23633,8 @@ Log statements for powerOn/powerOff were added for debugging when - refactoring the QEMU worker to operate w/out libvirt. Remove these. + refactoring the QEMU worker to operate w/out libvirt. + Remove these. footer: Change-type: patch change-type: patch @@ -22921,7 +23666,8 @@ Device addresses likely won't change during a single test run, and mDNS - queries can be time consuming. Memoize the result of the query to save + queries can be time consuming. Memoize the result of the + query to save some time. footer: @@ -22968,7 +23714,8 @@ When we patch an ESR branch, for example from v2022.1.0 to v2022.1.1, - do not update the next, current, sunset ESR phases as they remain the + do not update the next, current, sunset ESR phases as they + remain the same. footer: @@ -23014,7 +23761,8 @@ Otherwise patch updates of ESR branches move the ESR phase when they - should not. For example, if 2022.1.1 is current, 2022.1.2 is also + should not. For example, if 2022.1.1 is current, 2022.1.2 is + also current and should not move 2022.1.1 to sunset. footer: 
@@ -23137,9 +23885,11 @@ When tests execute quicker, a race condition can occur where config.json - is edited to remove the dnsServers property, but /run/dnsmasq.servers is + is edited to remove the dnsServers property, but + /run/dnsmasq.servers is - not changed yet. This causes the test to fail, as the file is not empty. + not changed yet. This causes the test to fail, as the file is + not empty. not ok 1 - We should have an empty /run/dnsmasq.servers file. --- @@ -23153,7 +23903,8 @@ -/^\s?$/ +"server=1.1.1.1\nserver=1.1.1.1" - Fix this by waiting until the InvocationID of dnsmasq.service changes. + Fix this by waiting until the InvocationID of dnsmasq.service + changes. footer: Change-type: patch change-type: patch @@ -23263,7 +24014,8 @@ This is used by the OS builders to deploy releases. This contract contains - details related to the balena-image artifact generated in the balenaOS + details related to the balena-image artifact generated in the + balenaOS build. footer: @@ -23724,7 +24476,8 @@ sets the system time to the incorrect rtc time - as soon as timesync-https finished running and setting the correct date + as soon as timesync-https finished running and setting the + correct date from the servers. footer: 
@@ -23744,23 +24497,29 @@ This reverts 5047757 where we set the global DHCP timeout for ipv4 to - infinity to mitigate problems with routers that do not respond to DHCP + infinity to mitigate problems with routers that do not respond + to DHCP requests in time. - This however causes issues on some routers, which after power cycle fail to + This however causes issues on some routers, which after power + cycle fail to renew leases after they are expired. - The same ipv4.dhcp-timeout can be specified on per connection basis. Since + The same ipv4.dhcp-timeout can be specified on per connection + basis. Since - the case with lease renewal due to router power cycle is a more common case, + the case with lease renewal due to router power cycle is a more + common case, - it is better to keep the global dhcp-timeout default unmodified. If the + it is better to keep the global dhcp-timeout default unmodified. + If the - setting needs adjustment then it can be overwritten in the particular + setting needs adjustment then it can be overwritten in the + particular connection profile. footer: @@ -23845,21 +24604,26 @@ There are known situations in which balenaEngine times out during - initialization (for example, during aufs to overlayfs migrations, or + initialization (for example, during aufs to overlayfs + migrations, or - when restarting a device that was running a large number of containers). + when restarting a device that was running a large number of + containers). - When these time outs occur, Systemd kills the Engine, causing further + When these time outs occur, Systemd kills the Engine, causing + further problems. - To avoid these cases, this commit disables timeouts during the Engine + To avoid these cases, this commit disables timeouts during the + Engine initialization. - This is also aligned with the default Systemd settings distributed with + This is also aligned with the default Systemd settings + distributed with the Moby project. footer: 
@@ -23887,21 +24651,26 @@ There are known situations in which balenaEngine times out during - initialization (for example, during aufs to overlayfs migrations, or + initialization (for example, during aufs to overlayfs + migrations, or - when restarting a device that was running a large number of containers). + when restarting a device that was running a large number of + containers). - When these time outs occur, Systemd kills the Engine, causing further + When these time outs occur, Systemd kills the Engine, causing + further problems. - To avoid these cases, this commit disables timeouts during the Engine + To avoid these cases, this commit disables timeouts during the + Engine initialization. - This is also aligned with the default Systemd settings distributed with + This is also aligned with the default Systemd settings + distributed with the Moby project. footer: @@ -23961,7 +24730,8 @@ development mode. - A managed device is always accessible via the configured custom keys. + A managed device is always accessible via the configured custom + keys. footer: Change-type: patch change-type: patch @@ -23976,7 +24746,8 @@ The behaviour of the SSH connection depends on whether custom keys are - present or not. This commit calls out to generate the development mode + present or not. This commit calls out to generate the + development mode configuration file on ssh key change. @@ -24053,7 +24824,8 @@ body: > * Fixes #2569 - * ensure OpenVPN client always starts with the latest CA certificate + * ensure OpenVPN client always starts with the latest CA + certificate from API config endpoint as this certificate may have changed and we don't want VPN to be down for ~24 hours until os-config is triggered by systemd timer 
@@ -24113,9 +24885,11 @@ We currently do not log any information to help us understanding the - underlying issue -- not even to identify what is the exact point in + underlying issue -- not even to identify what is the + exact point in - which the error is raised. This commit improves on this situation. + which the error is raised. This commit improves on this + situation. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -24133,15 +24907,19 @@ This adds two new integration tests: - * TestDeltaSize: this is meant to catch regressions on delta sizes. It + * TestDeltaSize: this is meant to catch regressions on + delta sizes. It generates deltas and compare their sizes with the delta sizes we get as of now. If the size increases, the test fails. - * TestDeltaCorrectness: checks if applying a delta indeed results in the + * TestDeltaCorrectness: checks if applying a delta + indeed results in the same image as we had originally. - A number of different test cases (different images with distinct + A number of different test cases (different images with + distinct - features) are tested for each of these integration tests. + features) are tested for each of these integration + tests. footer: Signed-off-by: Leandro Motta Barros signed-off-by: Leandro Motta Barros @@ -24269,9 +25047,11 @@ Starting with v2.91.6 device provisioning will not start if the device - was unable to register in the cloud due to lack of internet connectivity. + was unable to register in the cloud due to lack of internet + connectivity. - To avoid this, we switch to retrying 3 times with the usual 2 second delay + To avoid this, we switch to retrying 3 times with the usual 2 + second delay between attempts, after which the flashing process will start. footer: 
@@ -24365,9 +25145,11 @@ jq returns null by default when a given key isn't found, ensure that - when getting the value of deployRawArtifact, we get an empty variable + when getting the value of deployRawArtifact, we get an empty + variable - instead, which is checked later on to determine if that file should be + instead, which is checked later on to determine if that file + should be deployed footer: @@ -24557,22 +25339,29 @@ This was originally introduced in combination with a kernel patch backported - from Red Hat kernel that would enable kernel lockdown when secure boot + from Red Hat kernel that would enable kernel lockdown when + secure boot - is enabled. We have since changed the approach, dropped the kernel patch + is enabled. We have since changed the approach, dropped the + kernel patch - and when in secure boot mode use a different GRUB config file that enables + and when in secure boot mode use a different GRUB config file + that enables lockdown on kernel command line unconditionally. - That said, while the patch works fine, we do not really need it and it adds + That said, while the patch works fine, we do not really need it + and it adds - extra overhead porting it to newer yocto versions so there is no point keeping + extra overhead porting it to newer yocto versions so there is no + point keeping - it at this moment. If in the future there is need for the kernel to know + it at this moment. If in the future there is need for the kernel + to know - whether it is in secure boot mode or not, we can roll this back and rebase. + whether it is in secure boot mode or not, we can roll this back + and rebase. footer: Change-type: patch change-type: patch @@ -24606,7 +25395,8 @@ is on the same partition. - This uses a data mount to ensure temporary extracted files of the + This uses a data mount to ensure temporary extracted files of + the compressed image will not fill the target sysroot. footer: 
@@ -24676,15 +25466,18 @@ * the CLI prompts for input during preload - Alternatively, the --pin-device-to-release flag may be used to pin only the + Alternatively, the --pin-device-to-release flag may be used to + pin only the preloaded device to the selected release. - Would you like to disable automatic updates for this fleet now? No + Would you like to disable automatic updates for this fleet now? + No - * we do not want to set the suggested flag and we do not want to touch the fleet release policy for this use case + * we do not want to set the suggested flag and we do not want to + touch the fleet release policy for this use case footer: Change-type: patch change-type: patch @@ -24744,7 +25537,8 @@ Surface the preloaded app commit as a variable that can be overridden in - the build job. Default to "current" to maintain existing behavior when + the build job. Default to "current" to maintain existing + behavior when the variable isn't set. footer: @@ -24779,7 +25573,8 @@ This will allow us to make changes to config.js in meta-balena without - breaking the deploy steps. If additional changes are needed at runtime + breaking the deploy steps. If additional changes are needed at + runtime the substitutions can be made by the leviathan Jenkins job. footer: @@ -24798,7 +25593,8 @@ body: > If the submodule was recently added to meta-balena, the checkout - command will not initialize it without a separate submodule update + command will not initialize it without a separate submodule + update command. footer: @@ -24915,7 +25711,8 @@ preventing the device from booting. - Should this happen, we use sgdisk to check and recover the end gpt + Should this happen, we use sgdisk to check and recover the end + gpt from the main one. footer: 
@@ -24936,9 +25733,11 @@ A legacy development image will update to development mode enabled - independently of whether the newOS is configured for development mode or + independently of whether the newOS is configured for development + mode or - not. The only case when a hostapp has developmentMode set is when locally + not. The only case when a hostapp has developmentMode set is + when locally building with `OS_DEVELOPMENT`. footer: @@ -24958,9 +25757,11 @@ body: > This caters for the use case of custom device types that are not - registered in balena-cloud but still need to fetch the supervisor from + registered in balena-cloud but still need to fetch the + supervisor from - balena-cloud's registry by querying the `supervisor_version` endpoint, + balena-cloud's registry by querying the `supervisor_version` + endpoint, for example when using openBalena. footer: @@ -24979,9 +25780,11 @@ by the API. - Providing the image name in the command line provides an update path + Providing the image name in the command line provides an update + path - for unmanaged devices, manual updates on ESR devices (which currently + for unmanaged devices, manual updates on ESR devices (which + currently do not allow dashboard based updates) and openBalena use cases. footer: @@ -25005,7 +25808,8 @@ 4.9, the test will not pass. - Let's run this test on kernel versions where the issue was present. + Let's run this test on kernel versions where the issue was + present. footer: Change-type: patch change-type: patch 
@@ -25202,12 +26006,15 @@ is not generated for two reasons: - - 60-resin-update-state.rules only react to resin-* partition names + - 60-resin-update-state.rules only react to resin-* partition + names - - the root device is not identified correctly in resin_update_state_probe + - the root device is not identified correctly in + resin_update_state_probe for LUKS devices - This patch fixes both the issues and makes use of the by-state symlink + This patch fixes both the issues and makes use of the by-state + symlink instead of by-label. footer: @@ -25245,19 +26052,25 @@ - 3 - Expansion card firmware configs - The full protection is only applied on first boot after provisioning, + The full protection is only applied on first boot after + provisioning, flasher only locks against PCRs 0, 2 and 3. - This is because when using flasher, the environment is not in the same + This is because when using flasher, the environment is not in + the same - state as the one we want to lock to. In particular the boot order is + state as the one we want to lock to. In particular the boot + order is - different (flasher is booted from a different drive than the resulting OS). + different (flasher is booted from a different drive than the + resulting OS). - As for now we were not able to find a better solution than fully locking + As for now we were not able to find a better solution than fully + locking - only on first boot. This means the device must be booted in a secure + only on first boot. This means the device must be booted in a + secure environment at least once after provisioning. footer: 
@@ -25469,9 +26282,11 @@ per-unit configuration files extracts. - These will then be monitored by the respective service units to trigger + These will then be monitored by the respective service units to + trigger - restarts, so that service units will only be restarted when there are + restarts, so that service units will only be restarted when + there are configuration changes that apply to them. footer: @@ -25490,14 +26305,17 @@ on config.json changes are part of this target. - This causes a burst of service restarts each time config.json changes, + This causes a burst of service restarts each time config.json + changes, - independently of whether the configuration changes applies to the unit + independently of whether the configuration changes applies to + the unit or not. - This commit removes all config-json.target instances in preparation for + This commit removes all config-json.target instances in + preparation for the introduction of a better, more fine grained mechanism. footer: @@ -25540,11 +26358,14 @@ In order to avoid the need to unlock encrypted partitions in GRUB we want - to use a custom stage2 bootloader. Since that is not ready yet, emulate that + to use a custom stage2 bootloader. Since that is not ready yet, + emulate that - by copying flasher kernel to the EFI partition, start it from GRUB, have it + by copying flasher kernel to the EFI partition, start it from + GRUB, have it - unlock all the partitions, find the real kernel and kexec into it. + unlock all the partitions, find the real kernel and kexec into + it. footer: Change-type: patch change-type: patch @@ -25561,7 +26382,8 @@ - Split resin-boot into EFI and linux boot - - LUKS-format the partitions, copy image contents after unlocking + - LUKS-format the partitions, copy image contents after + unlocking - Propagate signatures for secure boot 
@@ -25661,7 +26483,8 @@ After moving the partition resizing code to execute on each boot, - we made it unreachable on first boot. We must not exit the script + we made it unreachable on first boot. We must not exit the + script after resizing the partition only because that way the resizing @@ -25699,7 +26522,8 @@ This will allow us to refer to the supervisor image by the repo name - in docker commands, like docker inspect, and prevent re-downloading the + in docker commands, like docker inspect, and prevent + re-downloading the image even though it already exists as an untagged digest. footer: @@ -25721,14 +26545,17 @@ it because it's dirty, the partition gets resized, but not the - filesystem. The script will not attempt to resize the filesystem again, + filesystem. The script will not attempt to resize the filesystem + again, as it detects the partition has already been resized. - Split these actions apart, so that the filesystem resize is always + Split these actions apart, so that the filesystem resize is + always - attempted. If resize2fs detects that the filesystem is already filling + attempted. If resize2fs detects that the filesystem is already + filling available space, it will exit with no action taken. footer: @@ -25747,7 +26574,8 @@ body: > Some BSPs might only make use of UBOOT_MACHINE so let's consider - this case in addition to UBOOT_CONFIG when setting dependency for + this case in addition to UBOOT_CONFIG when setting dependency + for u-boot's do_deploy task. footer: 
@@ -26164,22 +26992,29 @@ body: > The chrony driftfile is not being updated at shutdown due to an - incorrect mount service dependency in the systemd chronyd.service + incorrect mount service dependency in the systemd + chronyd.service - file. The current dependency on 'var-volatile-lib' does not cover the + file. The current dependency on 'var-volatile-lib' does not + cover the - subsequent bind mounting of the '/var/lib/chrony' sub-directory, so + subsequent bind mounting of the '/var/lib/chrony' sub-directory, + so - the chrony directory gets unmounted at shutdown before the drift file + the chrony directory gets unmounted at shutdown before the drift + file has been updated. - This issue is solved by changing the mount service dependency from + This issue is solved by changing the mount service dependency + from - 'var-volatile-lib' to 'bind-var-lib-chrony' (which is similar to the + 'var-volatile-lib' to 'bind-var-lib-chrony' (which is similar to + the - way bind mount dependencies are already handled for the NetworkManager + way bind mount dependencies are already handled for the + NetworkManager and bluetooth services). footer: @@ -26202,7 +27037,8 @@ Chain operations using Promise.then(), and run commands in parallel - using Promise.map(). This reduces the time taken for fsck tests to about + using Promise.map(). This reduces the time taken for fsck tests + to about half. @@ -26245,7 +27081,8 @@ occur when updating a freshly provisioned device, - which has unitialized timestamps for files in the boot partition, + which has unitialized timestamps for files in the boot + partition, to a newer release based on Honister with glibc-2.34. footer: @@ -26300,7 +27137,8 @@ As resin-rootA is used to decide whether to re-run the generation, leave it - last. As it stands, if resin-rootA is regenerated by any other fail, the + last. As it stands, if resin-rootA is regenerated by any other + fail, the UUID generation is not retried. footer: 
@@ -26319,7 +27157,8 @@ cleanedup as the rules between initramfs and rootfs might defer. - However, dm devices are flagged not to be re-processed, so we need to + However, dm devices are flagged not to be re-processed, so we + need to set a sticky bit on them so they persist the cleanup. footer: @@ -26337,7 +27176,8 @@ different than the one in the initramfs. - Devices that need to persist, like dm devices, need to be flagged with + Devices that need to persist, like dm devices, need to be + flagged with the `db_persist` option. footer: @@ -26353,30 +27193,37 @@ From v2.49, the hostapp-update utility creates the /run directory in the - root filesystem, however when huping from previous versions /run is not + root filesystem, however when huping from previous versions /run + is not there. - Commit bab3cd7f50022127bfef50fde9cd445b6b55a7b2 switches to use /tmp + Commit bab3cd7f50022127bfef50fde9cd445b6b55a7b2 switches to use + /tmp to store the new UUID for the root partition on first boot after generating new UUIDs as this is backwards compatible. - However, this means that the udev database in the initramfs is recreated + However, this means that the udev database in the initramfs is + recreated - on the final system instead of reused. This becomes a problems for DM + on the final system instead of reused. This becomes a problems + for DM - devices (used in luks based disk encryption), as they are not re-processed + devices (used in luks based disk encryption), as they are not + re-processed by udevd. - This change will use /run if available, so new releases that may implement + This change will use /run if available, so new releases that may + implement - disk encryption work, or /tmp if not so it still remains backwards + disk encryption work, or /tmp if not so it still remains + backwards compatible for HUP from older releases. footer: 
@@ -26403,7 +27250,8 @@ Some BIOS configuration, like TianoCore used in QEMU, needs DER keys for - secure boot setup. Also, der, auth and esl keys are served base64 encoded + secure boot setup. Also, der, auth and esl keys are served + base64 encoded and need to be decoded before they can be used. footer: @@ -26435,12 +27283,14 @@ When updating from a legacy development image which has no developmentMode - set in config.json to an image configured with development mode, the hooks + set in config.json to an image configured with development mode, + the hooks need to set developmentMode accordingly in config.json. - Updating to a development mode image from a production image will not + Updating to a development mode image from a production image + will not set developmentMode. footer: @@ -26462,7 +27312,8 @@ field is missing from the returned HTTPS header. - When the date field is not present the script will now exit with a + When the date field is not present the script will now exit with + a warning rather than blocking indefinitely. footer: @@ -26673,7 +27524,8 @@ based systems to allow reverting to the old 28.x partition layout. - Images that were releases on L4T 28.1, 28.2 etc did not support re-creating + Images that were releases on L4T 28.1, 28.2 etc did not support + re-creating the partition layout in case of a rollback, because the new 32.X layout @@ -26688,9 +27540,11 @@ connectivity or engine related issues and rolls back, the updated hook - in the old OS re-writes the partition layout in the corresponding 28.x format, + in the old OS re-writes the partition layout in the corresponding 28.x + format, - with the offsets expected by the old tegra-bootloaders, thus allowing the + with the offsets expected by the old tegra-bootloaders, thus allowing + the system to fully revert to the old OS. footer: 
@@ -26826,7 +27680,8 @@ base meta-balena version. - Replace it with searching down the git tree for the commit before the + Replace it with searching down the git tree for the commit + before the branch. footer: @@ -26928,9 +27783,11 @@ last meta-balena tag. - For example, when we branch an ESR release, the meta-balena branch is + For example, when we branch an ESR release, the meta-balena + branch is - tagged with the ESR name, like 2.83.x, while the last meta-balena version + tagged with the ESR name, like 2.83.x, while the last + meta-balena version will be a proper semver. footer: @@ -26992,7 +27849,8 @@ body: > This is required to allow building against cloud instances with - different names for the balenaOS organization and private device types. + different names for the balenaOS organization and private device + types. footer: Change-type: patch change-type: patch @@ -27083,7 +27941,8 @@ When discontinuing a device type, there are no artifacts apart from - device-type.json, so check that the logo is there before deploying. + device-type.json, so check that the logo is there before + deploying. footer: Change-type: patch change-type: patch @@ -27138,10 +27997,12 @@ setting a release semver. - For the time being we are still using a version label in the hostapp. + For the time being we are still using a version label in the + hostapp. - This commit will be reverted once we get rid of the version label. + This commit will be reverted once we get rid of the version + label. footer: Change-type: patch change-type: patch @@ -27257,7 +28118,8 @@ block release. - Also, pass a flag to specify whether the block should be deployed as final + Also, pass a flag to specify whether the block should be + deployed as final release. footer: 
@@ -27326,14 +28188,16 @@ * Convert balena_deploy_build_block to balena_build_block, and deploy with balena_deploy_block - * Remove balena_deploy_hostapp and replace with balena_deploy_block + * Remove balena_deploy_hostapp and replace with + balena_deploy_block * Modify balena_deploy_hostos to use balena_deploy_block * Modify balena_deploy_block to use release versioning - By deafult image deployments happen as draft versions, and only become + By deafult image deployments happen as draft versions, and only + become final when passing validation. footer: @@ -27361,7 +28225,8 @@ When fetching images for blocks, use a given release revision. - Also, add token autentication to the API calls that miss it so that they work + Also, add token autentication to the API calls that miss it so + that they work with private device types. @@ -27383,7 +28248,8 @@ reject deployments for an existing release. - On the new versioning model, deployments increment a revision field so + On the new versioning model, deployments increment a revision + field so there is no need to check for uniqueness. footer: @@ -27416,7 +28282,8 @@ use of release_version. - Introduce a new balena_lib_release() function that utilises a balena + Introduce a new balena_lib_release() function that utilises a + balena contract and the CLI to set the release version. footer: @@ -27574,9 +28441,11 @@ do_deploy:append replaces the original file with its signed counterpart, - the signature just gets ignored for non secure boot setups. The .signed + the signature just gets ignored for non secure boot setups. The + .signed - symlink was in place for backwards compatibility but nothing is using it + symlink was in place for backwards compatibility but nothing is + using it anymore therefore we can safely remove it. footer: 
@@ -27610,12 +28479,15 @@ This patch replaces the kernel being shipped with the one that we eventually - sign for EFI - without signing the original file used would be identical + sign for EFI - without signing the original file used would be + identical - but after applying signature, the signed version is the one we want to ship. + but after applying signature, the signed version is the one we + want to ship. - It also fixes the file name for the detached signature, which must match + It also fixes the file name for the detached signature, which + must match the name of the associated file. footer: 
@@ -27666,46 +28538,61 @@ Add a new timesync-https systemd service to synchronise the system - time at boot using an HTTPS header. The service uses curl to request + time at boot using an HTTPS header. The service uses curl to + request - an HTTPS header from either $API_ENDPOINT/connectivity-check (default) + an HTTPS header from either $API_ENDPOINT/connectivity-check + (default) or the URL defined by the os.network.connectivity.uri field in - config.json. The URL used *must* return HTTP code 204 (No Content) + config.json. The URL used *must* return HTTP code 204 (No + Content) - in response to a request so that we can determine that we have full + in response to a request so that we can determine that we have + full - network connectivity and are not operating behind a captive portal. + network connectivity and are not operating behind a captive + portal. - The date field returned by a valid header is used to set the current + The date field returned by a valid header is used to set the + current - system time. The date/time derived from the header is assumed to be a + system time. The date/time derived from the header is assumed to + be a - reasonable source of 'truth' such that it can be used to adjust the + reasonable source of 'truth' such that it can be used to adjust + the - system time both backwards and forwards. This will compensate for any + system time both backwards and forwards. This will compensate + for any erroneous timestamps saved via fake-hwclock or any invalid data read from an RTC. - The service will exit when a valid response has been received. Poll + The service will exit when a valid response has been received. + Poll - attempts will be made at an increasing interval starting at 2s and + attempts will be made at an increasing interval starting at 2s + and - doubling up to a maximum of 64s. Polling will continue at the maximum + doubling up to a maximum of 64s. 
Polling will continue at the + maximum interval until a valid response has been received. - This service will provide initial time synchronisation for devices + This service will provide initial time synchronisation for + devices - where NTP ports have been blocked. For devices where NTP access is + where NTP ports have been blocked. For devices where NTP access + is - available it should ensure that any system 'time jump' is only a few + available it should ensure that any system 'time jump' is only a + few seconds when NTP synchronisation is eventually achieved. It also @@ -27716,9 +28603,11 @@ complete. - Services that are ordered after the new time-sync-https-wait target + Services that are ordered after the new time-sync-https-wait + target - can be sure that full network connectivity has been achieved and that + can be sure that full network connectivity has been achieved and + that time has been synchronised with an accuracy of a few seconds. footer: @@ -27752,11 +28641,14 @@ When udev runs resin_update_state_probe for a non-balena partition - and ENV{ID_PART_ENTRY_NAME} is undefined it still gets expanded to random + and ENV{ID_PART_ENTRY_NAME} is undefined it still gets expanded + to random - garbage accidentally lying at the eventual memory address. This can create + garbage accidentally lying at the eventual memory address. This + can create - a mess in /dev/disk/by-state e.g. when external devices are connected. + a mess in /dev/disk/by-state e.g. when external devices are + connected. footer: Change-type: patch change-type: patch 
@@ -27867,14 +28759,17 @@ The interface test uses a simple ping to ensure a specific interface - works. It sends ten packets, and expects ten packets back. However, the + works. It sends ten packets, and expects ten packets back. + However, the - default interval is one second, which increases the time taken for the + default interval is one second, which increases the time taken + for the test while not adding anything of value. - Reduce the timeout to the minimum non-privileged interval of 2ms. + Reduce the timeout to the minimum non-privileged interval of + 2ms. footer: Change-type: patch change-type: patch @@ -27891,7 +28786,8 @@ One of the test was making sure we were NOT using the default 8.8.8.8 - server even though that may be a valid upstream server provided by DHCP/PPP. + server even though that may be a valid upstream server provided + by DHCP/PPP. footer: Change-type: patch change-type: patch @@ -27908,14 +28804,17 @@ The hook tries to read EFI variables from efivarfs but this is not always - mounted within the container. We have already validated that we are running + mounted within the container. We have already validated that we + are running - in EFI mode therefore we can just check whether it is already mounted + in EFI mode therefore we can just check whether it is already + mounted and eventually mount with no further checks. - This also adds graceful handling of nonexistent variables since not all + This also adds graceful handling of nonexistent variables since + not all UEFI implementations come with secure boot support. footer: 
@@ -27933,12 +28832,14 @@ body: > At this moment GRUB drops to rescue shell if config is invalid - or if signatures are missing/wrong. This lets the user disable the signature + or if signatures are missing/wrong. This lets the user disable + the signature checks altogether. - With this patch GRUB outputs nothing and accepts no user input if signing + With this patch GRUB outputs nothing and accepts no user input + if signing is configured. footer: @@ -28207,7 +29108,8 @@ This reverts commit 853656e6bcfed0b0206d031c32cd1cde811b8146. - The change overwrites build files, though that is what we need, it is a hacky + The change overwrites build files, though that is what we need, + it is a hacky approach and we will look for a clean solution. footer: @@ -28240,11 +29142,14 @@ GRUB can not use the TPM easily to unlock the volumes and find the kernel - on an encrypted partition. Instead, we choose to store a linux kernel + on an encrypted partition. Instead, we choose to store a linux + kernel - and use it as 2nd stage bootloader to unlock the partition, load the actual + and use it as 2nd stage bootloader to unlock the partition, load + the actual - kernel and kexec into it. This should eventually be replaced by a proper + kernel and kexec into it. This should eventually be replaced by + a proper 2nd stage bootloader that is being worked on. footer: @@ -28296,7 +29201,8 @@ body: > Add a recipe to deploy the signing keys to the deploy directory. - Device types that use them should copy them into the boot partition. + Device types that use them should copy them into the boot + partition. footer: Change-type: patch change-type: patch 
@@ -28314,13 +29220,17 @@ Currently the two classes would keep the original files untouched and store - the signed versions as .signed. This patch reverses the logic - the signed + the signed versions as .signed. This patch reverses the logic - + the signed - files replace the original ones and the unsigned version is stored as .unsigned. + files replace the original ones and the unsigned version is + stored as .unsigned. - This is because there is no real use-case for the unsigned files, we always + This is because there is no real use-case for the unsigned + files, we always - want to ship the signed version, even if the particular DT does not require it, + want to ship the signed version, even if the particular DT does + not require it, this causes no harm. footer: @@ -28336,7 +29246,8 @@ Add classes for GPG, KMOD and EFI artifact signing. Inheriting these classes - won't run the signing tasks, they have to be manually added to recipes. + won't run the signing tasks, they have to be manually added to + recipes. footer: Change-type: patch change-type: patch @@ -28354,11 +29265,14 @@ When a device is running in secure boot mode, it must not be possible to HUP - to an unsigned version of the OS because UEFI would refuse to boot it before + to an unsigned version of the OS because UEFI would refuse to + boot it before - any of our self-recovering rollback mechanisms can be triggered. This would + any of our self-recovering rollback mechanisms can be triggered. + This would - effectively brick the device, needing physical access to recover. + effectively brick the device, needing physical access to + recover. footer: Change-type: patch change-type: patch 
@@ -28401,20 +29315,25 @@ Previously, the core service exposed a /proxy endpoint that would start - up a proxy remotely, which would be used by a test in the connectivity + up a proxy remotely, which would be used by a test in the + connectivity - module. However, the endpoint returned the address for the testbot to be + module. However, the endpoint returned the address for the + testbot to be used as the proxy in the response, and this required manual - configuration of the interface. Additionally, it requires the worker + configuration of the interface. Additionally, it requires the + worker service to install and provide glider for forward proxying. - Move the proxy (glider) to a container on the device being tested, + Move the proxy (glider) to a container on the device being + tested, - which simplifies configuration, and reduces the complexity and size of + which simplifies configuration, and reduces the complexity and + size of the interface of Leviathan. footer: @@ -28582,7 +29501,8 @@ https://github.com/dosfstools/dosfstools/commit/87a8f29785bb605350821f1638a42e6cf3e49ce3 - This fixes a build error applying a patch that's already been applied + This fixes a build error applying a patch that's already been + applied when building newer versions of dosfstools. footer: @@ -28605,7 +29525,8 @@ instantly available at boot time. With the addition of the new - HTTPS time synchronisation service the starting of chronyd can be + HTTPS time synchronisation service the starting of chronyd can + be delayed by a few seconds so we need to ensure that the service @@ -28699,7 +29620,8 @@ the only hard error is if rollback (failcleanup) fails, in all other - scenarios we want the daemon to continue starting with the new + scenarios we want the daemon to continue starting with + the new graphdriver footer: 
@@ -28715,12 +29637,14 @@ previously switch would treat S_IFIFO and S_IFSOCK as the same, passing - both of the to mkfifo, which lead to EINVAL errors when trying to create + both of the to mkfifo, which lead to EINVAL errors when + trying to create the socket, we instead handle socket separately. - Also adds cases for this to the unit and integration tests of the + Also adds cases for this to the unit and integration + tests of the migrator. footer: @@ -28814,7 +29738,8 @@ but is not part of the root filesystem generation. - The decoupling allows to build just the docker rootfs image without + The decoupling allows to build just the docker rootfs image + without having to build the balenaos-img target. footer: @@ -28873,7 +29798,8 @@ In situations with limited resources the info and ps commands can take - an unecessarily long time when we really only need to know that a + an unecessarily long time when we really only need to know that + a container can be started. footer: @@ -28925,7 +29851,8 @@ body: > This prevents downstream linux-firmware fakeroot tasks, such as - firmware compression, from encountering Pseudo Abort due to files + firmware compression, from encountering Pseudo Abort due to + files changing outside the fakeroot context. footer: 
@@ -28944,25 +29871,31 @@ When user namespacing was enabled in the kernel by default, a separate - commit [0] was introduced to disable the feature at runtime, to allow + commit [0] was introduced to disable the feature at runtime, to + allow users/administrators to explicitly choose to enable it, avoiding potential security implications. - However, some applications such as Chromium's sandbox, require either + However, some applications such as Chromium's sandbox, require + either - SUID or user namespacing to work. Disabling this feature on boards + SUID or user namespacing to work. Disabling this feature on + boards - that previously enabled it necessitates container modifications and + that previously enabled it necessitates container modifications + and potentially breaks previously working applications. - Create a distro feature to disable user namespacing by default in + Create a distro feature to disable user namespacing by default + in - meta-balena, while allowing device types to keep it enabled to maintain + meta-balena, while allowing device types to keep it enabled to + maintain compatibility with their original behavior. @@ -29124,9 +30057,11 @@ made it unreachable from the balena-generate-ami-env container. - This patch makes mktemp create the file back within yocto cache to ensure + This patch makes mktemp create the file back within yocto cache + to ensure - this is shared yet still each concurrent process can safely have its own copy. + this is shared yet still each concurrent process can safely have + its own copy. footer: Change-type: patch change-type: patch 
@@ -29160,11 +30095,14 @@ Since the file name is hardcoded at this moment, this fails when two - builds are running in parallel (e.g. dev and prod variants during deploy) + builds are running in parallel (e.g. dev and prod variants + during deploy) - because they try to preload the same file at pretty much the same moment. + because they try to preload the same file at pretty much the + same moment. - Having a separate copy for each outside of yocto cache should fix the issue. + Having a separate copy for each outside of yocto cache should + fix the issue. footer: Change-type: patch change-type: patch @@ -29194,7 +30132,8 @@ body: > This is necessary for AMI preloading to work, additionally - it has been more than a year since the last update, we should keep up. + it has been more than a year since the last update, we should + keep up. footer: Change-type: patch change-type: patch @@ -29510,7 +30449,9 @@ body: > See https://github.com/containerd/containerd/pull/4530 - and `git log ad25c1a9c34361e4071f508b9a91946b05fce165^..2055e12953bb538228d8d9fe627fa545d7cf82be ./platforms/` + and `git log + ad25c1a9c34361e4071f508b9a91946b05fce165^..2055e12953bb538228d8d9fe627fa545d7cf82be + ./platforms/` in the containerd repo footer: @@ -29648,7 +30589,8 @@ The current code authenticates unmanaged production devices which makes - no sense. Unmanaged devices do not need to authenticate with the API. + no sense. Unmanaged devices do not need to authenticate + with the API. footer: Change-type: patch change-type: patch @@ -29663,9 +30605,11 @@ Newer BalenaOS releases have replaced OS variants for a developmentMode - configuration setting. This commit uses this variable to set the OS + configuration setting. This commit uses this variable to + set the OS - variant in the absence of `VARIANT_ID` from the os-release file. + variant in the absence of `VARIANT_ID` from the + os-release file. footer: Change-type: patch change-type: patch 
@@ -29679,7 +30623,8 @@ Add a `developmentMode` configuration variable to the schema. Do not expose - this on the device target state until local key-based authentication is + this on the device target state until local key-based + authentication is sorted. footer: @@ -29699,7 +30644,8 @@ body: > Use a GitHub permalink that includes the commit in - case the file changes and the reference becomes out-of-date. + case the file changes and the reference becomes + out-of-date. footer: Change-type: patch change-type: patch @@ -29717,9 +30663,11 @@ [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7. - - [Release notes](https://github.com/jbgutierrez/path-parse/releases) + - [Release + notes](https://github.com/jbgutierrez/path-parse/releases) - - [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7) + - + [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7) --- @@ -29745,11 +30693,14 @@ Bumps [tar](https://github.com/npm/node-tar) from 4.4.13 to 4.4.19. - - [Release notes](https://github.com/npm/node-tar/releases) + - [Release + notes](https://github.com/npm/node-tar/releases) - - [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md) + - + [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md) - - [Commits](https://github.com/npm/node-tar/compare/v4.4.13...v4.4.19) + - + [Commits](https://github.com/npm/node-tar/compare/v4.4.13...v4.4.19) --- @@ -29813,7 +30764,8 @@ At runtime we can now enable development features that were previously - configured using the development-image feature. That feature also + configured using the development-image feature. That feature + also configured U-Boot for OS development. 
@@ -29821,16 +30773,19 @@ Now we have two distinct functionalities: - * A runtime development configuration variable that configures the + * A runtime development configuration variable that configures + the device to facilitate application development - * A build time osdev-image feature that configures the OS for BSP and OS + * A build time osdev-image feature that configures the OS for + BSP and OS development - This allows us to merge the current production/development images into + This allows us to merge the current production/development + images into a single image. footer: @@ -29857,7 +30812,8 @@ The images now can be configured for application development mode at runtime. - This commit introduces a built time option to configure them for BSP or + This commit introduces a built time option to configure them for + BSP or other OS development like board bringup. footer: @@ -29873,7 +30829,8 @@ The ssh development configurations are now applied at runtime. The only - feature that has been left out is the postinst logging. Customers that + feature that has been left out is the postinst logging. + Customers that need to develop the OS can configure this themselves. footer: @@ -29891,7 +30848,8 @@ authentication and empty passwords, as well as root logins. - In production mode, disable password authentication to allow only + In production mode, disable password authentication to allow + only SSH access. footer: @@ -29932,7 +30890,8 @@ Even without debug-tweaks, allow passwordless root logins. For production - builds there is no console available so this setting does not change current + builds there is no console available so this setting does not + change current functionality. footer: @@ -29997,7 +30956,8 @@ BalenaHUP won't need to transfer the isolcpus setting to - the new OS anymore. This is necessary only when updating from older + the new OS anymore. This is necessary only when updating from + older OS versions in which the supervisor adds the isolcpus 
@@ -30104,7 +31064,8 @@ %%BALENA_ARCH%% for better compatibility - Device types lacking matching tags in the balenalib Docker Hub account + Device types lacking matching tags in the balenalib Docker Hub + account will fail tests when a matching image is not found. Switch to @@ -30149,7 +31110,8 @@ reorder the defer statements in the migrate function to only teardown - the logger after the failcleanup function ran. otherwise errors logged + the logger after the failcleanup function ran. otherwise + errors logged there won't show up in the logfile footer: @@ -30168,9 +31130,11 @@ This brings all migration logic into a single call into the - storagemigration package, which should make future maintenance easier + storagemigration package, which should make future + maintenance easier - and fixes the cleanup logic bug, where the old aufs root would never be + and fixes the cleanup logic bug, where the old aufs root + would never be cleaned up. footer: @@ -30262,10 +31226,12 @@ Some recent changes to the OS allowed some services to restart - automatically when the associated config files are changed. + automatically when the associated config files are + changed. - In these cases we want to avoid restarting the same services + In these cases we want to avoid restarting the same + services manually from the supervisor. footer: 
@@ -30295,18 +31261,23 @@ PR #1749 introduced a bug when pushing local target state. An update to - the [image name normalization](https://github.com/balena-os/balena-supervisor/blob/f1bd4b8d9bcef29e326cbf97eaddd837c2704d19/src/lib/docker-utils.ts#L81) + the [image name + normalization](https://github.com/balena-os/balena-supervisor/blob/f1bd4b8d9bcef29e326cbf97eaddd837c2704d19/src/lib/docker-utils.ts#L81) - failed to consider the local image name format. This results in mangling + failed to consider the local image name format. This + results in mangling - of image names in the database, i.e. the image `ubuntu:latest` is stored + of image names in the database, i.e. the image + `ubuntu:latest` is stored - as `/ubuntu:latest`. This causes an exception to be returned by the + as `/ubuntu:latest`. This causes an exception to be + returned by the dockerode `getImage('/ubuntu:latest').inspect()` call. - This sends the supervisor into a crash loop and is shown on the supervisor + This sends the supervisor into a crash loop and is shown + on the supervisor journal logs as @@ -30318,11 +31289,14 @@ ``` - Unfortunately if this happens on a user device, since the mangled image + Unfortunately if this happens on a user device, since + the mangled image - name is already on the database, the easiest way to fix is to remove the + name is already on the database, the easiest way to fix + is to remove the - supervisor database and let the supervisor recreate it. Deleting the + supervisor database and let the supervisor recreate it. + Deleting the database should be side effect free. footer: 
@@ -30339,9 +31313,11 @@ Preparing for the new v3 target state, where the supervisor will make environment - dependent ids optional and rely on using general UUIDs and user known identifiers + dependent ids optional and rely on using general UUIDs + and user known identifiers - for comparison. This PR moves forward in that direction by removing some of those + for comparison. This PR moves forward in that direction + by removing some of those comparisons for v2 target state. @@ -30350,14 +31326,18 @@ - serviceId to be replace by serviceName - - releaseId to be replaced by commit (future release_uuid) + - releaseId to be replaced by commit (future + release_uuid) - This is a backwards compatible change, meaning it doesn't completely get rid of + This is a backwards compatible change, meaning it + doesn't completely get rid of - these identifiers (which are still being used by supervisor API and for state + these identifiers (which are still being used by + supervisor API and for state - patch), but will not depend on those identifiers for calculating steps to target state. + patch), but will not depend on those identifiers for + calculating steps to target state. footer: Change-type: minor change-type: minor 
@@ -30372,27 +31352,37 @@ The image manager module now uses tags instead of docker IDs as the main - way to identify docker images on the engine. That is, if the target + way to identify docker images on the engine. That is, if + the target - state image has a name `imageName:tag@digest`, the supervisor will always use + state image has a name `imageName:tag@digest`, the + supervisor will always use - the given `imageName` and `tag` (which may be empty) to tag the image on + the given `imageName` and `tag` (which may be empty) to + tag the image on - the engine after fetching. This PR also adds checkups to ensure + the engine after fetching. This PR also adds checkups to + ensure - consistency is maintained between the database and the engine. + consistency is maintained between the database and the + engine. - Using tags allows to simplify query and removal operations, since now + Using tags allows to simplify query and removal + operations, since now - removing the image now means removing tags matching the image name. + removing the image now means removing tags matching the + image name. - Before this change the supervisor relied only on information in the + Before this change the supervisor relied only on + information in the - supervisor database, and used that to remove images by docker ID. However, the docker + supervisor database, and used that to remove images by + docker ID. However, the docker - id is not a reliable identifier, since images retain the same id between + id is not a reliable identifier, since images retain the + same id between releases or between services in the same release. 
@@ -30437,9 +31427,11 @@ The previous module was using `rewire` to get the knex instance from the - db module but that was leading to issues when running tests using `test:fast`. + db module but that was leading to issues when running + tests using `test:fast`. - This provides a fix for the test module that just removes the destroy + This provides a fix for the test module that just + removes the destroy call entirely (it turns out it is not necessary). footer: @@ -30473,12 +31465,14 @@ Since kernel v5.10 this file is generated when using modules_prepare. As - the kernel-modules-headers contains pre-built target binaries, we also + the kernel-modules-headers contains pre-built target binaries, + we also need to include this file in the package. - This is not a problem when using kernel-source as a modules_prepare is + This is not a problem when using kernel-source as a + modules_prepare is always required. footer: @@ -30501,7 +31495,8 @@ The kernel-balena class contains a global blacklist of btrfs that - disables this filesystem for all device types, regardless of them + disables this filesystem for all device types, regardless of + them explicitly enabling it. @@ -30539,7 +31534,8 @@ Since adding the 'config-json' systemd target the 'balena-ntp-config' - and 'prepare-openvpn' services have stopped running automatically + and 'prepare-openvpn' services have stopped running + automatically when config.json is updated. This is fixed by adding @@ -30563,9 +31559,11 @@ body: > Fix a race condition that can occur when setting the hostname at - boot by disabling NetworkManager's ability to modify the hostname. + boot by disabling NetworkManager's ability to modify the + hostname. - The static and transient system hostnames are now managed exclusively + The static and transient system hostnames are now managed + exclusively by the 'balena-hostname' service. footer: 
@@ -30588,7 +31586,8 @@ We no longer require reboots when changing hostname in config.json. - The contents of '/etc/hostname' and the avahi mDNS broadcast hostname + The contents of '/etc/hostname' and the avahi mDNS broadcast + hostname are updated automatically without requiring a reboot. footer: @@ -30607,11 +31606,13 @@ changes. - Changes to 'config.json' will trigger the 'balena-hostname' service + Changes to 'config.json' will trigger the 'balena-hostname' + service to update the static and transient hostnames and the 'avahi' - service to ensure that any hostname changes are broadcast via mDNS. + service to ensure that any hostname changes are broadcast via + mDNS. footer: Change-type: patch change-type: patch @@ -30644,7 +31645,8 @@ This commit adds a FIRMWARE_COMPRESSION distro configuration that - performs the compression of linux-firmware files. Only kernel versions + performs the compression of linux-firmware files. Only kernel + versions above 5.3 support loading compressed firmware. footer: @@ -30678,7 +31680,8 @@ Some kernel configuration are only applicable from specific kernel - versions. This commit adds a function that allows to add a specific + versions. This commit adds a function that allows to add a + specific configuration set only from a given kernel version. footer: @@ -30694,11 +31697,14 @@ This allows to re-use this functionality. Note that the `KERNEL_VERSION` - variable is only available after the kernel has been built as it relies + variable is only available after the kernel has been built as it + relies - on get_kernelversion_headers() poky function and utsrelease.h being + on get_kernelversion_headers() poky function and utsrelease.h + being - generated. This function parses the Makefile so only needs the source. + generated. This function parses the Makefile so only needs the + source. footer: Change-type: patch change-type: patch 
@@ -30737,7 +31743,8 @@ body: > Change the NetworkManager NTP dispatcher script to update the - on/offline status of the NTP sources on 'connectivity-change' events + on/offline status of the NTP sources on 'connectivity-change' + events instead of 'up/down' events. @@ -30746,7 +31753,8 @@ network interface. It makes more sense to run it for - 'connectivity-change' events as we are really interested in whether + 'connectivity-change' events as we are really interested in + whether the internet is there or not rather than whether an interface is @@ -30796,7 +31804,8 @@ Remove ${bindir} from FILES_grub-common, ensuring grub utilities aren't - installed to /usr/bin, in addition to a previous similar commit that + installed to /usr/bin, in addition to a previous similar commit + that removed sbin utils. This frees approximately 5.5M. footer: 
@@ -30815,41 +31824,51 @@ Most major distributions now ship kernels with user namespacing enabled - in the kernel config. Some distributions, such as Arch and Ubuntu, + in the kernel config. Some distributions, such as Arch and + Ubuntu, default to the upstream behavior of allowing unprivileged user - namespacing, regardless of potential attack surfaces exposed in the + namespacing, regardless of potential attack surfaces exposed in + the kernel. - Other distributions, such as Debian, are slightly more conservative, + Other distributions, such as Debian, are slightly more + conservative, disabling the feature at runtime behind a sysctl tunable. Debian - maintains its own patch to add the kernel.unprivileged_userns_clone + maintains its own patch to add the + kernel.unprivileged_userns_clone tunable. - The Debian patch was rejected by upstream over fears of application + The Debian patch was rejected by upstream over fears of + application - developers not using this feature due to it being generally unavailable + developers not using this feature due to it being generally + unavailable in systems, as well as fears of bugs going undiscovered. - RHEL uses a newer tunable introduced upstream to set the max number of + RHEL uses a newer tunable introduced upstream to set the max + number of - user namespaces to zero, which accomplishes the same thing, but without + user namespaces to zero, which accomplishes the same thing, but + without an out of tree patch. - Disable user namespacing at runtime using the same method as RHEL, in + Disable user namespacing at runtime using the same method as + RHEL, in - the same manner as the hardened kernels and distributions have chosen. + the same manner as the hardened kernels and distributions have + chosen. https://lwn.net/Articles/673597/ 
@@ -30885,7 +31904,8 @@ There is at least a case in a board where the puts function in u-boot's - common/console.c is #ifdef'ed and defined twice. Let's accomodate for + common/console.c is #ifdef'ed and defined twice. Let's + accomodate for such cases by correctly looping through more than one function @@ -30947,9 +31967,11 @@ made it to production. - We can now use a runtime drop-in unit placed under /run/systemd/ to + We can now use a runtime drop-in unit placed under /run/systemd/ + to - configure the balena-host service, which doesn't require us to remount + configure the balena-host service, which doesn't require us to + remount the rootfs. footer: @@ -31001,9 +32023,11 @@ Triggered by a failue in the VPN test - the bash binary is bigger than - the openvpn binary and on devices with limitted rootfs space the copying + the openvpn binary and on devices with limitted rootfs space the + copying - is not possible. Symlinking /dev/null will break the services as well. + is not possible. Symlinking /dev/null will break the services as + well. footer: Change-type: patch change-type: patch @@ -31414,7 +32438,8 @@ 596b0474d3d9b1242eab713f84d8873f9887d980 for details. - Hence we use in meta-balena-dunfell the upstream kernel-devsrc from the + Hence we use in meta-balena-dunfell the upstream kernel-devsrc + from the hardknott-3.3.1 Poky release which handles this module.lds move. footer: @@ -31433,7 +32458,8 @@ Update balena-engine from 19.03.18 to 19.03.23 - Which brings more resilient layer download (allows proper resuming after + Which brings more resilient layer download (allows proper + resuming after network failures). footer: @@ -31452,7 +32478,8 @@ This commit changes the way we retry layer downloads after failures with - the goal of making it more resilient, especially for cases involving + the goal of making it more resilient, especially for + cases involving large layers and unreliable network connections. 
@@ -31460,15 +32487,18 @@ These are the changes: - * Make sure we also retry after failures in `v2LayerDescriptor.reset()`. + * Make sure we also retry after failures in + `v2LayerDescriptor.reset()`. This method creates a new HTTP request to resume a failed download, and therefore depends on a working network to succeed. - * Wait exponentially longer times between retries (instead of retrying + * Wait exponentially longer times between retries + (instead of retrying immediately as before). This shall increase of success in case of network issues that take longer to get resolved. * Increase the number of retries to 10. - * Reset retry count whenever we successfully download anything at all. + * Reset retry count whenever we successfully download + anything at all. The idea is that we want to give up downloading only after a long continuous period of failures. Combined with the exponential back-off strategy and increased number of retries described above, a layer pull @@ -31503,13 +32533,16 @@ During fingerpinting of the source image the destination layers are not - exepmt from being released (e.g. when `balena image rm `) is run + exepmt from being released (e.g. when `balena image rm + `) is run simultaneously. - Similarly when processing the destination layers to generate deltas we + Similarly when processing the destination layers to + generate deltas we - only hold one reference at a time, leaving the subsequent layers + only hold one reference at a time, leaving the + subsequent layers vulnerable to the same issues. footer: @@ -31540,7 +32573,8 @@ body: > This can be used to keep a record of failed migrations. - Only runs if BALENA_MIGRATE_OVERLAY_LOGFILE is set to a path on disk. + Only runs if BALENA_MIGRATE_OVERLAY_LOGFILE is set to a + path on disk. The log file will be deleted if there are no errors. footer: 
@@ -31556,7 +32590,8 @@ With this change the aufs data is kept around until the next time we - start. If we find both an aufs AND an overlay2 storage root, we cleanup + start. If we find both an aufs AND an overlay2 storage + root, we cleanup the aufs data. footer: @@ -31638,17 +32673,21 @@ Since we don't have devices using older 3.x kernels we update to a newer - base image so that we don't have problems compiling this test kernel + base image so that we don't have problems compiling this test + kernel module on newer kernels. This avoids a compile error on kernel 5.10.31 on arm64 - raspberrypicm4-ioboard for example where it would complain _mcount is + raspberrypicm4-ioboard for example where it would complain + _mcount is - undefined because the older gcc in the intel-nuc-debian:stretch-20190717 + undefined because the older gcc in the + intel-nuc-debian:stretch-20190717 - base image would not create the _mcount symbol when compiling against + base image would not create the _mcount symbol when compiling + against the newer 5.10.31 kernel. footer: @@ -31670,11 +32709,13 @@ Resolve `latest` to dev variant - If we want the serial logs of the DUT the image that is flashed needs to + If we want the serial logs of the DUT the image that is flashed + needs to be the development variant. The `latest` shortcut however always - resolves to the production image. We manually resolve the version to fix + resolves to the production image. We manually resolve the + version to fix this. @@ -31699,9 +32740,11 @@ hup due to a lack of space on the inactive partition. - Add a task to check the docker image space against the available space on + Add a task to check the docker image space against the available + space on - the root filesystem partition and fail the build if it's too big. + the root filesystem partition and fail the build if it's too + big. footer: Change-type: patch change-type: patch 
@@ -31720,9 +32763,11 @@ hup due to a lack of space on the inactive partition. - Add a task to check the docker image space against the available space on + Add a task to check the docker image space against the available + space on - the root filesystem partition and fail the build if it's too big. + the root filesystem partition and fail the build if it's too + big. footer: Change-type: patch change-type: patch @@ -31739,11 +32784,14 @@ the partition sizes on the balena image classes. - The rootfs size is calculated with the assumption of a total BalenaOS + The rootfs size is calculated with the assumption of a total + BalenaOS - size of 700M. This includes boot, state, rootA and rootB partitions. The + size of 700M. This includes boot, state, rootA and rootB + partitions. The - data partition will then grow to occupy the rest of the storage media. + data partition will then grow to occupy the rest of the storage + media. Device integration layers can override this value if needed. @@ -31760,7 +32808,8 @@ Instead of hardcoding the requested root filesystem value, let's explain - how the calculation is made with a python function that will adjust based + how the calculation is made with a python function that will + adjust based on the sizes of other partitions. footer: 
@@ -31907,33 +32956,42 @@ connectivity checker doesn't differentiate between the - CONNECTED_LOCAL, CONNECTED_SITE and CONNECTED_GLOBAL states. This + CONNECTED_LOCAL, CONNECTED_SITE and CONNECTED_GLOBAL states. + This - service checks for the CONNECTED_GLOBAL state only and can be used + service checks for the CONNECTED_GLOBAL state only and can be + used to delay the start of other services which require full network - access to be available. This can help to avoid startup problems on + access to be available. This can help to avoid startup problems + on networks with slow DNS access or that utilise a captive portal. - The script does an initial oneshot check of the NM state to make sure + The script does an initial oneshot check of the NM state to make + sure that we don't wait for an event that doesn't come. This check is - redundant at boot time due to the fact that the service is started + redundant at boot time due to the fact that the service is + started - before NM to ensure that no NM DBus events are missed. The initial + before NM to ensure that no NM DBus events are missed. The + initial - check is useful in circumstances where you want to run the script + check is useful in circumstances where you want to run the + script standalone or post-boot. - Other services that wish to make use of this service and wait for + Other services that wish to make use of this service and wait + for - full network connectivity should add the following entries to their + full network connectivity should add the following entries to + their systemd unit definition: 
@@ -32015,21 +33073,26 @@ This makes it easier to overwrite the arguments passed in the engine - unit from drop-in overwrites. See the development image drop-in unit for + unit from drop-in overwrites. See the development image drop-in + unit for reference. - Using `systemctl edit --runtime balena.service`, which puts those + Using `systemctl edit --runtime balena.service`, which puts + those - overwrites into `/run/systemd/system/balena.service.d/`, it would be + overwrites into `/run/systemd/system/balena.service.d/`, it + would be - possible to modify the runtime behavior of the engine without remounting + possible to modify the runtime behavior of the engine without + remounting the rootfs to be writeable. - See https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path + See + https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path footer: Change-type: patch change-type: patch @@ -32203,7 +33266,8 @@ The example kernel module has some unnecessary variables and targets. - Simplify this makefile by passing the kernel source directory to make, + Simplify this makefile by passing the kernel source directory to + make, and using the M variable to build the module. footer: @@ -32252,14 +33316,16 @@ The hostapp-update hooks would run before the supervisor update step - when using balenahup via the dashboard. This resulted in the balena + when using balenahup via the dashboard. This resulted in the + balena supervisor state conf file being out-of-date. This commit removes the hostapp-update hook and instead uses a - oneshot service to ensure the conf is migrated if it does not exist + oneshot service to ensure the conf is migrated if it does not + exist in the new path before starting the supervisor. footer: 
@@ -32315,16 +33381,20 @@ balena-engine requires fixes backported from upstream to support a newer - version of Go, and retaining the new recipes while switching back to the + version of Go, and retaining the new recipes while switching + back to the - supported version of Go using the GOVERSION variable is still a work in + supported version of Go using the GOVERSION variable is still a + work in - process. Revert these changes for now. We can merge the new recipes + process. Revert these changes for now. We can merge the new + recipes back in once the build issues are resolved. - This reverts commit f36dbd96684f9adfc5ce6faa57aa26fc4ba8e34e, reversing + This reverts commit f36dbd96684f9adfc5ce6faa57aa26fc4ba8e34e, + reversing changes made to b228aea720fd1536ac6904b1886b2d445a582fc9. footer: @@ -32358,7 +33428,8 @@ mounted from /etc/resin-supervisor in the state cache partition. - Avoid deleting the old supervisor state cache in case of rollback. + Avoid deleting the old supervisor state cache in case of + rollback. footer: Change-type: patch change-type: patch @@ -32402,7 +33473,8 @@ Sync changes to disk once the certificates have been updated. This - minimizes the risk of the custom CA to be committed without having the + minimizes the risk of the custom CA to be committed without + having the certificates updated. footer: @@ -32587,7 +33659,8 @@ Hung tasks are not normally terminal, nor do they affect system - stability, but panicking during an image write forces a device into a + stability, but panicking during an image write forces a device + into a bootloop that requires manual intervention to remedy. 
@@ -32595,11 +33668,13 @@ See the below stacktrace: - [ 243.565482] INFO: task balenad:4049 blocked for more than 120 seconds. + [ 243.565482] INFO: task balenad:4049 blocked for more than 120 + seconds. [ 243.565737] Not tainted 4.9.140-l4t-r32.4 #1 - [ 243.565853] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [ 243.565853] "echo 0 > + /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 243.566032] balenad D 0 4049 1 0x00000008 @@ -32611,7 +33686,8 @@ [ 243.566590] [] schedule+0x40/0xa8 - [ 243.566744] [] rwsem_down_read_failed+0xd4/0x128 + [ 243.566744] [] + rwsem_down_read_failed+0xd4/0x128 [ 243.566872] [] down_read+0x58/0x60 @@ -32621,11 +33697,14 @@ [ 243.567237] [] el0_svc_naked+0x34/0x38 - [ 243.567394] Kernel panic - not syncing: hung_task: blocked tasks + [ 243.567394] Kernel panic - not syncing: hung_task: blocked + tasks - [ 243.567533] CPU: 3 PID: 47 Comm: khungtaskd Not tainted 4.9.140-l4t-r32.4 #1 + [ 243.567533] CPU: 3 PID: 47 Comm: khungtaskd Not tainted + 4.9.140-l4t-r32.4 #1 - [ 243.567819] Hardware name: NVIDIA Jetson Xavier NX Developer Kit (DT) + [ 243.567819] Hardware name: NVIDIA Jetson Xavier NX Developer + Kit (DT) [ 243.568318] Call trace: @@ -32649,7 +33728,8 @@ [ 243.609511] Memory Limit: none - [ 243.612484] trusty-log panic notifier - trusty version Built: 12:18:19 Oct 16 2020 [ 243.636124] Rebooting in 1 seconds.. + [ 243.612484] trusty-log panic notifier - trusty version Built: + 12:18:19 Oct 16 2020 [ 243.636124] Rebooting in 1 seconds.. Disable this config for all platforms. @@ -32686,7 +33766,8 @@ introduced to bootstrap the Go compilation. - Specify to use the go-native recipe and not go-binary-native when + Specify to use the go-native recipe and not go-binary-native + when requiring go-native. footer: 
@@ -32705,10 +33786,12 @@ balena-engine hasn't transitioned to building with modules yet, and Go - 1.16 enabled them by default. Revert to the old behavior for now to fix + 1.16 enabled them by default. Revert to the old behavior for now + to fix the build. - This option will be removed in Go 1.17, so we'll have to update our + This option will be removed in Go 1.17, so we'll have to update + our build before upgrading further. @@ -32727,7 +33810,8 @@ Hardknott introduces get_linuxloader() to linuxloader.bbclass that - allows for dynamically choosing between different c libraries, which go + allows for dynamically choosing between different c libraries, + which go recipes depend on. @@ -32788,20 +33872,24 @@ rather than having to parse them directly. Some of the default - settings have now been included as part of the jq parsing string. + settings have now been included as part of the jq parsing + string. - The jq command has also been assigned to an interim variable rather + The jq command has also been assigned to an interim variable + rather than being evaluated directly. This allows other scripts which - include balena-config-vars to handle parsing errors correctly when + include balena-config-vars to handle parsing errors correctly + when they are running with 'set -e'. The os-networkmanager script has been updated to make use of the - balena-config-vars script and no longer parses config.json itself. + balena-config-vars script and no longer parses config.json + itself. The logging has been standardised and the simplification of the @@ -32810,7 +33898,8 @@ to 101 lines. - The build time tests have been removed as the os-networkmanager script + The build time tests have been removed as the os-networkmanager + script is unable to access /usr/sbin/balena-config-vars at buildtime. footer: 
@@ -32915,35 +34004,45 @@ A previous PR (#1656) fixed validation for network ipam config, - checking that both network and subnet are defined for each ipam config entry + checking that both network and subnet are defined for + each ipam config entry (as described in the docker documentation). - After that PR, the validations throws an exception if the network target state is incorrect, + After that PR, the validations throws an exception if + the network target state is incorrect, - but this turns out to be the wrong approach, because that exception is also triggered + but this turns out to be the wrong approach, because + that exception is also triggered when querying target state. - This isn't a problem in normal operation, but it is in local mode, because local + This isn't a problem in normal operation, but it is in + local mode, because local - mode queries the old target state before sending a new one. Since the query fails, + mode queries the old target state before sending a new + one. Since the query fails, the CLI can never push the new target state. - This PR replaces the exception with a warning on the logs, since a + This PR replaces the exception with a warning on the + logs, since a - misconfigured network won't cause any engine failures, it will just + misconfigured network won't cause any engine failures, + it will just - prevent containers to communicate through the provided network. + prevent containers to communicate through the provided + network. - A future improvement should move this validation to an earlier point in the process, + A future improvement should move this validation to an + earlier point in the process, - so the target state can get rejected before it even gets to a point it + so the target state can get rejected before it even gets + to a point it can be used. footer: 
@@ -32988,11 +34087,14 @@ This extra info will mean the API is able to immediately set default - config vars based on the os/supervisor version so that they are + config vars based on the os/supervisor version so that + they are - available on the first target state fetch rather than having a delay + available on the first target state fetch rather than + having a delay - whilst waiting for the supervisor to report them as part of a state + whilst waiting for the supervisor to report them as part + of a state patch @@ -33131,12 +34233,14 @@ The `start-resin-supervisor` script in newer OS version no longer uses the - SUPERVISOR_TAG environment variable setup on supervisor.conf and + SUPERVISOR_TAG environment variable setup on + supervisor.conf and update-supervisor.conf. - This change removes the need for that variable with livepush supervisor + This change removes the need for that variable with + livepush supervisor to make it compatible with older and newer OS versions footer: @@ -33176,7 +34280,8 @@ for custom composer types for network. - This commit also modifies network tests to use the new types + This commit also modifies network tests to use the new + types footer: Change-type: minor change-type: minor @@ -33216,7 +34321,8 @@ body: > Replace all references to the 'resin-vars' script with - 'balena-config-vars' as it has been renamed. Add a conditional + 'balena-config-vars' as it has been renamed. Add a + conditional test for compatibility with legacy systems. footer: @@ -33250,9 +34356,11 @@ - [Release notes](https://github.com/npm/ssri/releases) - - [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md) + - + [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md) - - [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2) + - + [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2) footer: Change-type: patch change-type: patch 
@@ -33319,9 +34427,11 @@ This is needed in preparation for storage migration from aufs to overlayfs. - When running hostapp-update, we need to create the target hostapp on + When running hostapp-update, we need to create the target + hostapp on - overlayfs, which implies the OS we update from can support both drivers + overlayfs, which implies the OS we update from can support both + drivers footer: Change-type: minor change-type: minor @@ -33365,12 +34475,15 @@ body: > The upstream recipe has removed the master branch and replaced it with - main. When specifying the SRC_URI with a sha1, the OE fetcher will assume + main. When specifying the SRC_URI with a sha1, the OE fetcher will + assume the master branch and fail with: - libnvidia-container-tools-0.9.0-r1 do_fetch: Fetcher failure: Unable to find revision d97c08af5061f1516fb2e3a26508936f69d6d71d in branch master even from upstream + libnvidia-container-tools-0.9.0-r1 do_fetch: Fetcher failure: Unable to + find revision d97c08af5061f1516fb2e3a26508936f69d6d71d in branch master + even from upstream This commit specifies the upstream branch as main. @@ -33421,14 +34534,16 @@ This brings in the aufs-to-overlay migrator. Which won't run until we - configure the engine service to include an `BALENA_MIGRATE_OVERLAY=1` + configure the engine service to include an + `BALENA_MIGRATE_OVERLAY=1` env var. The other notable change is the fix for - https://github.com/balena-os/balena-engine/issues/236 which allows + https://github.com/balena-os/balena-engine/issues/236 which + allows `balena top` to work as expected on balenaOS footer: 
@@ -33478,18 +34593,23 @@ We need to make sure the modem is completely initialized before sending - the AT commands that do the switch to ECM mode. To achieve this we + the AT commands that do the switch to ECM mode. To achieve this + we - change the systemd service dependency to depend on ModemManager.service + change the systemd service dependency to depend on + ModemManager.service - and then we determine the modem state by using mmcli and querying the + and then we determine the modem state by using mmcli and + querying the modem power-state property. - This procedure will only be done once. After the modem is placed in ECM + This procedure will only be done once. After the modem is placed + in ECM - mode, it will stay in this mode for future reboots so there will be no + mode, it will stay in this mode for future reboots so there will + be no other delays in bringing up the modem connection. footer: @@ -33576,7 +34696,8 @@ The balena-supervisor repository has been moved to balena-os so the - repo.yml file needs to be corrected for nested changelogs to work again. + repo.yml file needs to be corrected for nested changelogs to + work again. footer: Change-type: patch change-type: patch 
@@ -33611,30 +34732,40 @@ to etc-fake-hwclock.mount. - On initial boot after flashing a device the resin-state-reset.service + On initial boot after flashing a device the + resin-state-reset.service - was running after etc-fake-hwclock.mount causing the bind mount point + was running after etc-fake-hwclock.mount causing the bind mount + point - /mnt/state/root-overlay/etc/fake-hwclock to be deleted after it had + /mnt/state/root-overlay/etc/fake-hwclock to be deleted after it + had - been mounted. This resulted in a failure to save the date/time at + been mounted. This resulted in a failure to save the date/time + at - shutdown which caused problems with persistent logging at next boot. + shutdown which caused problems with persistent logging at next + boot. - Subsequent boots are unaffected as resin-state-reset does not run. + Subsequent boots are unaffected as resin-state-reset does not + run. Adding a dependency on the resin-state services ensures that the - bind mount point is created after the state reset has been performed. + bind mount point is created after the state reset has been + performed. - This issue was noticed when running the testbot unmanaged OS image + This issue was noticed when running the testbot unmanaged OS + image - persistent logging test. When running a managed OS image the device + persistent logging test. When running a managed OS image the + device normally reboots fairly immediately after connecting to the - balena-cloud host and receiving parameter updates, so this issue is + balena-cloud host and receiving parameter updates, so this issue + is not usually noticeable. footer: 
@@ -33702,11 +34833,14 @@ At this moment resin_update_state_probe is scanning pretty much every - block device for rootfs. This include ramdisks, zram and loop devices + block device for rootfs. This include ramdisks, zram and loop + devices - which, when scanned, even spam warnings in logs. This patch updates + which, when scanned, even spam warnings in logs. This patch + updates - the udev rule to skip such devices and only trigger on add or change + the udev rule to skip such devices and only trigger on add or + change events. footer: @@ -33939,9 +35073,11 @@ Remove assumptions about root fstype. Rename create to create.ext4, - mkfs.hostapp-ext4 to mkfs.hostapp, and add an argument to mkfs.hostapp + mkfs.hostapp-ext4 to mkfs.hostapp, and add an argument to + mkfs.hostapp - for fstype. Remove CMD from Dockerfile in favor of passing it as an + for fstype. Remove CMD from Dockerfile in favor of passing it as + an argument to docker run. footer: 
@@ -33962,27 +35098,35 @@ that was previously made `PartOf=` the balena.service. - This was done in an attempt to help get the system unstuck when the + This was done in an attempt to help get the system unstuck when + the - image is removed (like through manual pruning), which would cause the + image is removed (like through manual pruning), which would + cause the - healthcheck to trigger the engine to reboot until the load service was + healthcheck to trigger the engine to reboot until the load + service was restarted by hand. - Further investigation found a race between the first execution of the + Further investigation found a race between the first execution + of the - engine healthcheck script (which needs the image to be loaded) and the + engine healthcheck script (which needs the image to be loaded) + and the - loader service itself, which would lead to a similar state, requireing + loader service itself, which would lead to a similar state, + requireing manual intervention. - This change moves the loading into the healthcheck script itself, + This change moves the loading into the healthcheck script + itself, - allowing us to remove the loader script and service entirely, skipping + allowing us to remove the loader script and service entirely, + skipping the whole service ordering issue. footer: @@ -34005,7 +35149,8 @@ This option depends on FW_LOADER_USER_HELPER which will be enabled if - _FALLBACK is set to 'y', which is the default in the arm64 defconfig + _FALLBACK is set to 'y', which is the default in the arm64 + defconfig since Linux 5.4+. footer: @@ -34076,7 +35221,8 @@ As part of a full rename away from legacy resin namespaces the - following os-config compatibility changes are required to align + following os-config compatibility changes are required + to align with meta-balena changes. 
@@ -34142,9 +35288,11 @@ resin-image installs them from ${DEPLOYDIR}. - A normal grub installation installs those modules to ${PREFIX}/${libdir} + A normal grub installation installs those modules to + ${PREFIX}/${libdir} - to allow grub tooling to install them at runtime, but we're building the + to allow grub tooling to install them at runtime, but we're + building the image with GRUB baked in, so we don't need those in the sysroot. @@ -34153,18 +35301,23 @@ constraints by copying the modules from ${D}/${libdir}/grub/ to - ${DEPLOYDIR} in do_deploy(), then removing ${D}${prefix}. This had the + ${DEPLOYDIR} in do_deploy(), then removing ${D}${prefix}. This + had the - unfortunate side effect of breaking the build in certain cases, such as + unfortunate side effect of breaking the build in certain cases, + such as - clean builds or reexecuting do_deploy() without the other steps of the + clean builds or reexecuting do_deploy() without the other steps + of the build. - Instead, remove the unwanted files in do_install(), and append the + Instead, remove the unwanted files in do_install(), and append + the - required modules to GRUB_BUILDIN to create a standalone grub image + required modules to GRUB_BUILDIN to create a standalone grub + image without any external modules at all. footer: @@ -34183,11 +35336,14 @@ If the device with flasher rootfs is slow to bring up and rootfs is defined - as UUID=xxx the waiting loop in rootfs initrd script would assume UUIDs have + as UUID=xxx the waiting loop in rootfs initrd script would + assume UUIDs have - just been regenerated and wait for a by-state symlink instead. This only works + just been regenerated and wait for a by-state symlink instead. + This only works - for the OS - flasher does not use the dynamically generated UUIDs + for the OS - flasher does not use the dynamically generated + UUIDs therefore we always want to use the by-uuid link for it. footer: 
@@ -34275,7 +35431,8 @@ and *.mod extensions respectively. - Install only the release modules in do_deploy() to avoid balooning the + Install only the release modules in do_deploy() to avoid + balooning the size of the boot partition. footer: @@ -34353,15 +35510,20 @@ unit (etc-fake\x2dhwclock.mount). - Using a systemd service to bind mount the /etc/fake-hwclock directory + Using a systemd service to bind mount the /etc/fake-hwclock + directory - results in systemd generating an internal mount unit for the same + results in systemd generating an internal mount unit for the + same - directory. This causes problems at shutdown when both methods try to + directory. This causes problems at shutdown when both methods + try to - unmount the directory. This frequently leads to the directory being + unmount the directory. This frequently leads to the directory + being - unmounted before the fake-hwclock service has managed to save the + unmounted before the fake-hwclock service has managed to save + the system time. This results in an inaccurate fake-hwclock time @@ -34470,7 +35632,8 @@ body: > Running resin-ntp-config from openvpn upscript.sh is no longer - necessary as it is now run automatically when config.json changes. + necessary as it is now run automatically when config.json + changes. footer: Change-type: patch change-type: patch @@ -34513,9 +35676,11 @@ using the chrony-helper script. - A systemd service has been added to run the resin-ntp-config script + A systemd service has been added to run the resin-ntp-config + script - once at boot. Previously the script was being run up to 8 times at + once at boot. Previously the script was being run up to 8 times + at boot via a NetworkManager dispatcher script. footer: 
@@ -34535,15 +35700,19 @@ Update the existing DHCP dispatcher script for adding NTP sources to - make use of dynamic chrony source configuration. Any DHCP configured + make use of dynamic chrony source configuration. Any DHCP + configured - NTP sources for a particular interface are added to a sources file on + NTP sources for a particular interface are added to a sources + file on - network 'up' or DHCP lease renewal events. Any DHCP configured NTP + network 'up' or DHCP lease renewal events. Any DHCP configured + NTP sources for a particular interface are deleted on network 'down' - events. Changes to the sources file are picked up by chrony either + events. Changes to the sources file are picked up by chrony + either when it starts up or at runtime using the chrony-helper script. @@ -34552,7 +35721,8 @@ status on network 'up' and 'down' events. This will make chrony - re-run an iburst for sources when the appropriate network interface + re-run an iburst for sources when the appropriate network + interface comes back up. footer: @@ -34574,9 +35744,11 @@ Add the 'sourcedir' parameter to the chrony configuration to support - dynamic source configuration files. Any NTP source files that are + dynamic source configuration files. Any NTP source files that + are - created in 'sourcedir' (/run/chrony) can be used to update the chrony + created in 'sourcedir' (/run/chrony) can be used to update the + chrony source configuration at runtime. @@ -34610,7 +35782,8 @@ build flags for the time being. - Poky defaulted to using -trimpath in commit 2d0c2242136e8c823d58218844c6e082122d0bce + Poky defaulted to using -trimpath in commit + 2d0c2242136e8c823d58218844c6e082122d0bce footer: Changelog-entry: Fix nvidia-container-toolkit to build with Go v1.12 changelog-entry: Fix nvidia-container-toolkit to build with Go v1.12 
@@ -34628,7 +35801,8 @@ build flags for the time being. - Poky defaulted to using -trimpath in commit 2d0c2242136e8c823d58218844c6e082122d0bce + Poky defaulted to using -trimpath in commit + 2d0c2242136e8c823d58218844c6e082122d0bce footer: Changelog-entry: Fix nvidia-container-runtime to build with Go v1.12 changelog-entry: Fix nvidia-container-runtime to build with Go v1.12 @@ -34656,7 +35830,8 @@ body: > We need to make sure the firmware cleanup function runs before - do_populate_sysroot otherwise do_populate_sysroot will race with it and + do_populate_sysroot otherwise do_populate_sysroot will race with + it and will fail complaining about the missing firmware that 
@@ -34679,38 +35854,49 @@ Fixes #2075 - Needed were a number of various changes to make the package compile properly: + Needed were a number of various changes to make the package + compile properly: - Removed is 0001-wwan-Set-MTU-based-on-what-ModemManager-exposes.patch that is now + Removed is + 0001-wwan-Set-MTU-based-on-what-ModemManager-exposes.patch that + is now included upstream. - Our patch for removing HTTPS connectivity checking warning is reworked for ease of + Our patch for removing HTTPS connectivity checking warning is + reworked for ease of - maintainance. It now keeps the log entry, but changes it to debug level. + maintainance. It now keeps the log entry, but changes it to + debug level. - Fixed are UPSTREAM_CHECK_* definitions as they referenced a wrong version number. + Fixed are UPSTREAM_CHECK_* definitions as they referenced a + wrong version number. - The following additional configuration options were added/removed: + The following additional configuration options were + added/removed: - *. Introspection is disabled through `--enable-introspection=no`. Other services do + *. Introspection is disabled through + `--enable-introspection=no`. Other services do - not depend on it, so it is safe to remove it. A related patch is no longer needed + not depend on it, so it is safe to remove it. A related patch is + no longer needed 0002-Do-not-create-settings-settings-property-documentati.patch - *. A new option for using firewalld zone for shared mode is disabled as we do not + *. A new option for using firewalld zone for shared mode is + disabled as we do not use firewalld. - *. The polkit agent option no longer is available, so `--enable-polkit-agent` and + *. The polkit agent option no longer is available, so + `--enable-polkit-agent` and `--disable-polkit-agent` are no longer defined. footer: 
@@ -34752,22 +35938,27 @@ By using procps as docker expects we can properly handle ps args - such as -e and -o to format output. Busybox is only capable of this + such as -e and -o to format output. Busybox is only capable of + this when compiled in "desktop" mode. - This upstream commit to poky has already split the ps binary into + This upstream commit to poky has already split the ps binary + into a separate procps package: - - https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=507a47a4e5077d5f8f76d9629be6b871dfd8eb90 + - + https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=507a47a4e5077d5f8f76d9629be6b871dfd8eb90 - So for now we can copy this recipe at the commit above into compat branches + So for now we can copy this recipe at the commit above into + compat branches - and use that version until we pick up a branch newer than gatesgarth. + and use that version until we pick up a branch newer than + gatesgarth. footer: Change-type: patch change-type: patch @@ -34948,12 +36139,14 @@ UART modems (RaspberryPi HATs) are not working currently under - balenaOS as NetworkManager times out while attempting to establish + balenaOS as NetworkManager times out while attempting to + establish ppp connection. This is not a balenaOS specific issue. - This commits adds a `connect ""` declaration to `/etc/ppp/options` + This commits adds a `connect ""` declaration to + `/etc/ppp/options` to workaround this as the NULL default value causes the timeout. @@ -34962,7 +36155,8 @@ physical link. When using NetworkManager/ModemManager it is - ModemManager that establishes the physical link before passing it + ModemManager that establishes the physical link before passing + it to NetworkManager. Thus `connect` should be empty. footer: 
@@ -34982,16 +36176,19 @@ body: > Starting with dee971c0dbeb6e8363f3e321af582e99627626e9, flasher - images, which don't contain a supervisor version, try to register + images, which don't contain a supervisor version, try to + register in the API using the parameter supervisor_version='null'. - However, the API expects this parameter to be unset completely if + However, the API expects this parameter to be unset completely + if there's no version to be reported during registration, otherwise - the call fails and the device doesn't show up in dashboard during + the call fails and the device doesn't show up in dashboard + during flashing or report the post-provisioning state. footer: @@ -35025,9 +36222,11 @@ This is necessary because node has its own built-in CA bundle and ignores - the system-wide bundle. Bind-mount the system-wide bundle to the supervisor + the system-wide bundle. Bind-mount the system-wide bundle to the + supervisor - container as well to keep the previous behavior. Make it read-only though, + container as well to keep the previous behavior. Make it + read-only though, any modifications should be performed by the host OS. footer: @@ -35181,7 +36380,8 @@ This reverts commit dc6cfa2e90b29b0fdcfc05c1b85e2196de4f950b. - Once the core problem with the resin-data mount has been fixed this + Once the core problem with the resin-data mount has been fixed + this commit is no longer needed. footer: @@ -35199,9 +36399,11 @@ https://github.com/balena-os/meta-balena/commit/6be3f1153d56c1c0c21e6d84db7be70be96bcd10 - the supervisor database was relocated by mistake. On this version the database + the supervisor database was relocated by mistake. On this + version the database - returns to its original place, and these hooks copy the old database to the + returns to its original place, and these hooks copy the old + database to the new location to avoid data loss. footer: 
@@ -35220,7 +36422,8 @@ able to start. - This commit checks the directory existence and creates it if required + This commit checks the directory existence and creates it if + required independently of whether the supervisor container is present. footer: @@ -35292,7 +36495,8 @@ https://github.com/meta-rust/meta-rust/pull/242 - The fix for TUNE_FEATURES parsing has been merged in meta-rust master + The fix for TUNE_FEATURES parsing has been merged in meta-rust + master and should be present when they fork for dunfell. footer: @@ -35308,14 +36512,16 @@ The content applied by the patches has not changed, just the context - in order to properly inject changes without fuzzy matching since the source + in order to properly inject changes without fuzzy matching since + the source files have changed upstream. `devtool modify systemd` - `devtool finish --force-patch-refresh systemd ../layers/meta-balena/meta-balena-dunfell/` + `devtool finish --force-patch-refresh systemd + ../layers/meta-balena/meta-balena-dunfell/` footer: Change-type: patch change-type: patch @@ -35329,7 +36535,8 @@ https://github.com/balena-os/poky/commit/e3cd4e584239c207e3c82bdf5d7216d26fd28fc7 - add missing udev rules since systemd began including rules explicitly + add missing udev rules since systemd began including rules + explicitly footer: Change-type: patch change-type: patch @@ -35355,7 +36562,8 @@ [https://github.com/balena-os/poky/commit/d365948ebd76625f82ef04e77d35bcfeced42fec] - Dropbear is still required to migrate keys. Avoid the upstream conflict with openssh. + Dropbear is still required to migrate keys. Avoid the upstream + conflict with openssh. footer: Change-type: patch change-type: patch 
@@ -35418,9 +36626,11 @@ https://github.com/balena-os/poky/commit/d7b8ae3faa9344f2ada22e0402066c2fff5958c6 - We have no use for u-boot-initial-env and enabling it would require + We have no use for u-boot-initial-env and enabling it would + require - additional changes in do_compile to match the commit linked above. + additional changes in do_compile to match the commit linked + above. footer: Change-type: patch change-type: patch @@ -35446,7 +36656,8 @@ body: > In dunfell, rather than patching the bluetooth.service.in file, - we will just override the ExecStart value via bluetooth.conf.systemd + we will just override the ExecStart value via + bluetooth.conf.systemd footer: Change-type: patch change-type: patch @@ -35494,9 +36705,11 @@ 'runSupervisor'. - Updates to the 'start-resin-supervisor' script in v2.62.1 removed + Updates to the 'start-resin-supervisor' script in v2.62.1 + removed - the check for updates to the REGISTRY_ENDPOINT variable. Previously + the check for updates to the REGISTRY_ENDPOINT variable. + Previously this had been detected as changing every time the script was run @@ -35504,17 +36717,21 @@ 'start-resin-supervisor' script always running through the - 'runSupervisor' path. With this variable check removed, and no config + 'runSupervisor' path. With this variable check removed, and no + config updates being detected, the script was trying to run 'balena start --attach resin_supervisor' and failing due to the - absence of the /var/log/supervisor-log directory. To fix this problem we + absence of the /var/log/supervisor-log directory. To fix this + problem we - unconditionally test for and create this directory (if necessary) so + unconditionally test for and create this directory (if + necessary) so - that it is available regardless of the path taken through the script. + that it is available regardless of the path taken through the + script. footer: Change-type: patch change-type: patch 
@@ -35540,7 +36757,8 @@ doing our own profiling. - [0] https://fedoraproject.org/wiki/Changes/SwapOnZRAM#Default_zram_device_configuration: + [0] + https://fedoraproject.org/wiki/Changes/SwapOnZRAM#Default_zram_device_configuration: footer: Change-type: minor change-type: minor @@ -35559,15 +36777,20 @@ 1234 (non-privileged). - Previous issues with Phicomm routers had required the use of a fixed + Previous issues with Phicomm routers had required the use of a + fixed - UDP source port, so port 123 was chosen as this is used by both ntpd + UDP source port, so port 123 was chosen as this is used by both + ntpd - and ntpdate. However recent testing has shown that using a privileged + and ntpdate. However recent testing has shown that using a + privileged - port such as 123 can cause issues on other networks. By changing the + port such as 123 can cause issues on other networks. By changing + the - port to be non-privileged (i.e. 1234) we can satisfy both network + port to be non-privileged (i.e. 1234) we can satisfy both + network requirements. footer: @@ -35604,7 +36827,8 @@ follows: - 1) A 'timeinit-rtc.sh' script has been added to improve logging of + 1) A 'timeinit-rtc.sh' script has been added to improve logging + of system time updates from the RTC and to prevent system time being set when RTC time is behind system time. If RTC time is found to be behind system time a warning is issued regarding @@ -35820,11 +37044,14 @@ ``` - Will lead to the supervisor creating multiple image database entries + Will lead to the supervisor creating multiple image + database entries - with the same dockerId (this is because of how the engine handles this + with the same dockerId (this is because of how the + engine handles this - particular case). This case is not handled by the removal process + particular case). This case is not handled by the + removal process leading to image pile up and increased disk usage. footer: 
@@ -35845,22 +37072,29 @@ The memory information reported by the supervisor currently - estimates the value of used memory as `MemTotal - MemFree`. + estimates the value of used memory as `MemTotal - + MemFree`. - However, linux systems will try to cache and buffer as much + However, linux systems will try to cache and buffer as + much - memory as possible, which will affect the output of `MemFree` + memory as possible, which will affect the output of + `MemFree` - (from /proc/meminfo) and in consequence the memory usage seen + (from /proc/meminfo) and in consequence the memory usage + seen - by the user on the dashboard, which will appear much greater than + by the user on the dashboard, which will appear much + greater than it is. - The correct calculation should be `MemTotal - MemFree - Buffers - Cached`, + The correct calculation should be `MemTotal - MemFree - + Buffers - Cached`, - which the calculation performed by `htop` and the `free` commands. + which the calculation performed by `htop` and the `free` + commands. footer: Change-type: patch change-type: patch @@ -35915,13 +37149,17 @@ With the addition of the system information feature (CPU temp) etc if - there wasn't any changes in the docker or config state of the device, + there wasn't any changes in the docker or config state + of the device, - updates in system information would not be sent to the API. Now we + updates in system information would not be sent to the + API. Now we - attempt to send data once every maxReportFrequency (although this does + attempt to send data once every maxReportFrequency + (although this does - not mean that we will be sending data that often, we still only send the + not mean that we will be sending data that often, we + still only send the delta, if one exists) footer: 
@@ -35965,9 +37203,11 @@ In order to make supervisor upgrades more transparent, lets move away - from this env var since it requires a container restart any time the supervisor + from this env var since it requires a container restart + any time the supervisor - is upgraded. We should ultimately move towards providing the supervisors + is upgraded. We should ultimately move towards providing + the supervisors set of capabilities, but that can come later footer: @@ -35988,7 +37228,8 @@ Due to the singleton work, when performing migration M00005 and there - are apps with services created in the database, a deadlock occurs + are apps with services created in the database, a + deadlock occurs during database initialization due to a circular @@ -36026,12 +37267,15 @@ When trying to apply SSDT overlays in Up Board, the supervisor currently - gets stuck in a loop trying to apply target state. See #1465 + gets stuck in a loop trying to apply target state. See + #1465 - This was due to a bug in parsing the configuration, which lead to + This was due to a bug in parsing the configuration, + which lead to - the method bootConfigChangeRequired returning true when no change was + the method bootConfigChangeRequired returning true when + no change was needed. footer: @@ -36065,14 +37309,17 @@ Each service, when requesting access to the Supervisor API, will - now get an individual key which can be scoped to specific resources. + now get an individual key which can be scoped to + specific resources. - In this iteration the default scope will be to the application that + In this iteration the default scope will be to the + application that the service belongs to. - We also have a `global` scope which is used by the cloud API when in + We also have a `global` scope which is used by the cloud + API when in managed mode. footer: 
@@ -36181,14 +37428,17 @@ By default chrony uses a random UDP source port for each NTP request. - This can cause problems with particular routers/firewalls (issues have + This can cause problems with particular routers/firewalls + (issues have been reported for the Phicomm KE 2P). - The chrony `acquisitionport` configuration setting has been added + The chrony `acquisitionport` configuration setting has been + added - to the chrony.conf file to change the UDP source port for NTP requests + to the chrony.conf file to change the UDP source port for NTP + requests to 123 (this is the same as the default source port used by both @@ -36210,11 +37460,13 @@ body: > Drop the '-s' command line parameter from chronyd as: - a) restoring time from the drift file is no longer necessary due to + a) restoring time from the drift file is no longer necessary due + to the fake-hwclock service, and - b) restoring time from the RTC is already covered by the timeinit-rtc + b) restoring time from the RTC is already covered by the + timeinit-rtc service. footer: 
@@ -36231,43 +37483,52 @@ In order to produce sensible timestamps for journald log messages: - a) the system time needs to be maintained correctly over a reboot, and + a) the system time needs to be maintained correctly over a + reboot, and b) the system time needs to be set before journald is started. Currently the system time is maintained over reboots on systems - without an RTC using the last modified time of the chrony drift file. + without an RTC using the last modified time of the chrony drift + file. However there are a couple of issues with this approach: - a) /var/lib/chrony/ is not mounted early enough in the boot process + a) /var/lib/chrony/ is not mounted early enough in the boot + process to be available for setting the time before journald is started. - b) there is an issue with the current systemd dependencies that result + b) there is an issue with the current systemd dependencies that + result - in the last modified time of the drift file not being updated when the + in the last modified time of the drift file not being updated + when the system is shutdown or rebooted (see #1995). - The Debian fake-hwclock service (as used by Raspberry Pi OS) has been + The Debian fake-hwclock service (as used by Raspberry Pi OS) has + been added to overcome these issues. - The fake-hwclock service will save and restore the system time from + The fake-hwclock service will save and restore the system time + from - the fake-hwclock.data file (in /etc/fake-hwclock/). The system time + the fake-hwclock.data file (in /etc/fake-hwclock/). The system + time is loaded from this file at boot and saved to it on shutdown. An additional timer service has been added to update the file on an - hourly basis to cater for unexpected shutdown scenarios, e.g. power + hourly basis to cater for unexpected shutdown scenarios, e.g. + power failure. 
@@ -36297,7 +37558,8 @@ Add a persistent r/w location (root-overlay/etc/fake-hwclock/) to - the resin-state partition for storage of the fake-hwclock.data file. + the resin-state partition for storage of the fake-hwclock.data + file. This file is used by the fake-hwclock service to load the system @@ -36354,9 +37616,11 @@ in the system. - The list of hostapp extensions to install can either be passed to the + The list of hostapp extensions to install can either be passed + to the - script or it will use the ones set in config.json or hostapp-extensions.conf + script or it will use the ones set in config.json or + hostapp-extensions.conf in that order. footer: @@ -36389,11 +37653,14 @@ root filesystem at boot. - This commits adds the default host extensions to the data partition + This commits adds the default host extensions to the data + partition - image, stores their repository tags in the /etc directory, and creates + image, stores their repository tags in the /etc directory, and + creates - the containers so that mobynit can mount the container filesystems on + the containers so that mobynit can mount the container + filesystems on boot. footer: @@ -36438,7 +37705,8 @@ Now that the data partition will be mounted from the initramfs for host - extensions support, this script will only run if something went wrong. + extensions support, this script will only run if something went + wrong. footer: Change-type: patch change-type: patch @@ -36466,7 +37734,8 @@ The resin-data partition will be mounted in the initramfs for the host - extension support so the UUID generation needs to happen before that. + extension support so the UUID generation needs to happen before + that. footer: Change-type: patch change-type: patch 
@@ -36480,12 +37749,14 @@ With the data partition being mounted in the initramfs to support host - extensions, the runtime systemd-udev no longer sees the resin-data mount + extensions, the runtime systemd-udev no longer sees the + resin-data mount event and this mount is blocked. - This is resolved by not adding the default dependency on the block device. + This is resolved by not adding the default dependency on the + block device. footer: Change-type: patch change-type: patch @@ -36782,12 +38053,14 @@ The hostapp update process should not overwrite the supervisor configuration - backend files to avoid the supervisor being forced to set the target state + backend files to avoid the supervisor being forced to set the + target state after HUP and reboot the device during the rollback period. - This only applies to the host configuration files which are the only ones + This only applies to the host configuration files which are the + only ones that force a reboot. footer: @@ -36822,9 +38095,11 @@ body: > If the rootfs is on a slow-to-bring-up device (e.g. RPi4 + USB) - the fsuuidsinit_enabled() function may return before the balena symlinks + the fsuuidsinit_enabled() function may return before the balena + symlinks - are created. This gets wrongly interpreted as missing UUIDs leading to + are created. This gets wrongly interpreted as missing UUIDs + leading to a chain of failures in the subsequent scripts. @@ -36849,9 +38124,11 @@ We allow the user to specify a custom CA in the .balenaRootCA key - of config.json but at this moment each tool has to implement support + of config.json but at this moment each tool has to implement + support - if it wants to use it. This commit adds it to the system-wide CA bundle + if it wants to use it. This commit adds it to the system-wide CA + bundle so that the CA is respected everywhere. 
@@ -37145,9 +38422,11 @@ The change type is considered 'major' because, by default, errors are - now thrown for relatively common occurrences such as authentication + now thrown for relatively common occurrences + such as authentication - failures when pulling from private registries, and library users may + failures when pulling from private registries, + and library users may have to adapt. footers: @@ -37352,7 +38631,8 @@ * Switch to `export ...` syntax (from `export = ...`) - * Fix invalid export of class inheriting non-exported class + * Fix invalid export of class inheriting + non-exported class footers: change-type: major hash: a6307b8c04d3456ad7d8a6ac19035b5e718c4311 @@ -37642,7 +38922,8 @@ For the updated 5.4 kernel on RPI4, kernel-headers-test fails with - arch/arm64/kernel/vdso/Makefile lib/vdso/Makefile No such file or directory + arch/arm64/kernel/vdso/Makefile lib/vdso/Makefile No such file + or directory make[1] *** No rule to make target 'lib/vdso/Makefile'. Stop. @@ -37913,9 +39194,11 @@ This is very similar to the cache class they use by default, with the - difference that it has a limit and won't grow indefinitely, causing + difference that it has a limit and won't + grow indefinitely, causing - memory leaks on long running applications like Jellyfish. + memory leaks on long running + applications like Jellyfish. footers: change-type: patch signed-off-by: Juan Cruz Viotti @@ -38105,11 +39388,14 @@ This is a hack, and should be reverted once we get to the bottom of it. - It will impact performance, but right now there are things that should + It will impact performance, but right + now there are things that should - be filtered and are not, so lets get this merged for security purposes. + be filtered and are not, so lets get + this merged for security purposes. - Hopefully this library will be re-written soon. + Hopefully this library will be + re-written soon. footers: change-type: patch see: https://github.com/balena-io/jellyfish/pull/878 
@@ -38177,11 +39463,14 @@ Handlebars supports very basic if condition checking, but it only checks for - existence of a field. There are times when we want to combine conditions in order + existence of a field. There are times when we + want to combine conditions in order - to generate something as part of a blueprint, without defining a completely separate + to generate something as part of a blueprint, + without defining a completely separate - blueprint for it (like generating network config schema if a dt has a wifi chip or + blueprint for it (like generating network config + schema if a dt has a wifi chip or a usb port to which we can connect a dongle). footers: @@ -38200,9 +39489,11 @@ Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.2 to 6.5.3. - - [Release notes](https://github.com/indutny/elliptic/releases) + - [Release + notes](https://github.com/indutny/elliptic/releases) - - [Commits](https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3) + - + [Commits](https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3) footer: Change-type: patch change-type: patch @@ -38246,9 +39537,11 @@ This allows consumers like pinejs-client-supertest - to have all the methods returning different Promise + to have all the methods returning + different Promise - types based solely on the implementation of the + types based solely on the implementation + of the request() method. footer: 
@@ -38416,11 +39709,14 @@ In b791055f3f6ffd6cc5796569a7321c5060129eea I attempted to have flasher - images report their preconfigured supervisor version without a good + images report their preconfigured supervisor version without a + good - understanding of how flasher images work. As it turns out no supervisor + understanding of how flasher images work. As it turns out no + supervisor - information is maintained in the flasher image itself, so until that is + information is maintained in the flasher image itself, so until + that is sorted stop reporting a blank string for the supervisor version. footer: @@ -38454,7 +39750,8 @@ like the older branches do. Let's move this setting in the - balena-os-sysctl file to avoid issues where some device integration + balena-os-sysctl file to avoid issues where some device + integration layers set the rp_filter mode to strict and break connectivity. footer: @@ -38485,12 +39782,14 @@ Recently the supervisor added a codepath that assumes no files underneath it will change during runtime. - OS update hooks can trigger a condition whereby the supervisor reboots the device during a HUP, + OS update hooks can trigger a condition whereby the supervisor + reboots the device during a HUP, which in turn bricks the device. - Additionally, since unknown args cause this update to fail-closed, + Additionally, since unknown args cause this update to + fail-closed, remove that barrier to future-proof more flag expansion. footer: 
@@ -38554,17 +39853,21 @@ On commit a4ce26caadabcb1e87d944d78218cc32c579914e the supervisor moved - from using --volume to using --mount to avoid the implicit creation of + from using --volume to using --mount to avoid the implicit + creation of directories instead of files. - However, in the case where the mount referred to a directory, these have + However, in the case where the mount referred to a directory, + these have - to exist in the rootfs beforehand as --mount will not create them. + to exist in the rootfs beforehand as --mount will not create + them. - This commit checks for the existence of the /var/log/supervisor-log + This commit checks for the existence of the + /var/log/supervisor-log directory and creates it if required. footer: @@ -38597,9 +39900,11 @@ Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19. - - [Release notes](https://github.com/lodash/lodash/releases) + - [Release + notes](https://github.com/lodash/lodash/releases) - - [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19) + - + [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19) footer: Change-type: patch change-type: patch @@ -38726,9 +40031,11 @@ Otherwise, as util-linux has a higher default alternative priority, the - version in util-linux is chosen. It would seem they are exchangeable, but + version in util-linux is chosen. It would seem they are + exchangeable, but - the busybox version reportedly works even if the RTC interrupt line is not + the busybox version reportedly works even if the RTC interrupt + line is not connected. 
@@ -38752,9 +40059,11 @@ In order to get closer to formally requiring a target supervisor release - in the model, we should expand our provisioning process to provide the + in the model, we should expand our provisioning process to + provide the - initial supervisor_version metadata. This connects back to tri-app. + initial supervisor_version metadata. This connects back to + tri-app. footer: Depends-on: https://github.com/balena-io/open-balena-api/pull/394 depends-on: https://github.com/balena-io/open-balena-api/pull/394 @@ -38804,17 +40113,21 @@ On commit a4ce26caadabcb1e87d944d78218cc32c579914e the supervisor moved - from using --volume to using --mount to avoid the implicit creation of + from using --volume to using --mount to avoid the implicit + creation of directories instead of files. - However, in the case where the mount referred to a directory, these have + However, in the case where the mount referred to a directory, + these have - to exist in the rootfs beforehand as --mount will not create them. + to exist in the rootfs beforehand as --mount will not create + them. - This commit checks for the existence of the /resin-data/resin-supervisor + This commit checks for the existence of the + /resin-data/resin-supervisor directory and creates it if required. footer: @@ -38834,9 +40147,11 @@ This commits renames it to the newly branded balena-logo.png - If the resin-logo.png was unmodified, it will forcefully replace to + If the resin-logo.png was unmodified, it will forcefully replace + to - balena-logo.png to force rebranding of older resin branded release. + balena-logo.png to force rebranding of older resin branded + release. Fixes #1801 
@@ -38876,26 +40191,33 @@ The `docker` Docker Hub repository lists what versions of the image - are supported and 18.6 is not among them at all. Use the current stable + are supported and 18.6 is not among them at all. Use the current + stable - line of 18.09 instead, to stay on supported versions. See more info at: + line of 18.09 instead, to stay on supported versions. See more + info at: https://hub.docker.com/_/docker - For more reproducability, we are also including the patch level version + For more reproducability, we are also including the patch level + version - of the container, which will give us more responsibility to update more + of the container, which will give us more responsibility to + update more frequently, but fewer surprises. - Also explicitly set `DOCKER_HOST` for the daemon being started, otherwise + Also explicitly set `DOCKER_HOST` for the daemon being started, + otherwise - the base image's setting might silently take over, and modify this. + the base image's setting might silently take over, and modify + this. - Replace deprecated `-g` (graph driver) with `--data-root` as well. + Replace deprecated `-g` (graph driver) with `--data-root` as + well. footer: Change-type: minor change-type: minor @@ -38910,10 +40232,12 @@ on wlan0. This commit moves the logic to udev rule as there is - no guarantee wlan0 is the only or default wlan adapter in the system. + no guarantee wlan0 is the only or default wlan adapter in the + system. - There seems to be no better way to identify a wlan device in udev + There seems to be no better way to identify a wlan device in + udev than KERNEL=="wl*" which should match both net.ifnames=0 (wlanX) @@ -38943,7 +40267,8 @@ https://docs.docker.com/engine/reference/commandline/service_create/#differences-between---mount-and---volume - This avoids situations where --volume implicitely creates a directory (see #1748) + This avoids situations where --volume implicitely creates a + directory (see #1748) Fixes #1754 
@@ -39081,9 +40406,11 @@ The host config variable HOST_DISCOVERABILITY can be set to - true or false, controlling the state of the avahi service. This + true or false, controlling the state of the avahi + service. This - determines if the device advertises it's presence over mDNS. + determines if the device advertises it's presence over + mDNS. footer: Change-type: patch change-type: patch @@ -39104,7 +40431,8 @@ - In the 'off' state, all traffic is allowed. - - In the 'on' state, only traffic for the core services provided + - In the 'on' state, only traffic for the core services + provided by Balena is allowed. footer: Change-type: patch @@ -39133,7 +40461,8 @@ When reporting device information, send the MAC address of any - interfaces on the system. Also expose in the Supervisor API at + interfaces on the system. Also expose in the Supervisor + API at the route GET /v1/device. footer: @@ -39515,7 +40844,8 @@ Detects unique constrain errors by 409 statusCodes. - Because of this, the upsert() method is only + Because of this, the upsert() method is + only supported when Pinejs ^10.19.0 is used. footer: @@ -39789,14 +41119,18 @@ In the absence of an upstream implementation of the DeviceRequest API introduced - as part of Docker API v1.40 we roll our own using a feature label. + as part of Docker API v1.40 we roll our own using a + feature label. - As per my comment in the code, we fall back to the default behavior of + As per my comment in the code, we fall back to the + default behavior of - docker cli's `--gpu` and request single device with the `gpu` capabilty. + docker cli's `--gpu` and request single device with the + `gpu` capabilty. - The only implementation at the moment is the NVIDIA driver; here: + The only implementation at the moment is the NVIDIA + driver; here: https://github.com/balena-os/balena-engine/blob/master/daemon/nvidia_linux.go 
@@ -39823,7 +41157,8 @@ This is part of the work to make the application-manager module much - less monolithic, in preperation for system apps and more generally + less monolithic, in preperation for system apps and more + generally multi-app. footer: @@ -40028,7 +41363,8 @@ We were treating the database class as a singleton, but still having to pass - around the db instance. Now we can simply require the db module and have + around the db instance. Now we can simply require the db + module and have access to the database handle. footer: @@ -40111,7 +41447,8 @@ Before=swap.target - Causes randomly appearing ordering cycles that leave the system in not + Causes randomly appearing ordering cycles that leave the system + in not functioning states. footer: @@ -40155,7 +41492,8 @@ Also, move configuration that will not be present in newer kernels to - RESIN_CONFIGS_DEP so the kernel check task does not complain when not + RESIN_CONFIGS_DEP so the kernel check task does not complain + when not present. footer: 
@@ -40236,24 +41574,32 @@ whichever smallest. - Upstream Yocto has a zram implementation that's broken in warrior, and a + Upstream Yocto has a zram implementation that's broken in + warrior, and a - new implementation introduced in Zeus that does not work in BalenaOS as + new implementation introduced in Zeus that does not work in + BalenaOS as - we run two udevs, one in the initramfs and one in the main OS. The + we run two udevs, one in the initramfs and one in the main OS. + The - mkswap needs to happen in the initramfs udev otherwise the udev database + mkswap needs to happen in the initramfs udev otherwise the udev + database - is not updated with the swap device and the zram0 device is not detected + is not updated with the swap device and the zram0 device is not + detected by systemd. - This implementation is simpler than the one upstream and common to all + This implementation is simpler than the one upstream and common + to all - the supported Yocto versions. It uses a udev rule in the initramfs that + the supported Yocto versions. It uses a udev rule in the + initramfs that - creates the swap drive, and a swap unit in the main OS that enables it. + creates the swap drive, and a swap unit in the main OS that + enables it. footer: Change-type: patch change-type: patch 
@@ -40284,21 +41630,25 @@ pool URL the 'burst' command may fail. This occurs when the pool - URL resolves to a different IP addresses for the 'add server' and + URL resolves to a different IP addresses for the 'add server' + and 'burst' commands. - To avoid this issue we can combine the burst functionality into the + To avoid this issue we can combine the burst functionality into + the 'add server' command by using the 'iburst' option. Although this - option is not documented by the chronyc man page it has been present + option is not documented by the chronyc man page it has been + present since v1.25 released in 2011. - This fix has been tested via the balenaOS (2.51.1+rev1) command line + This fix has been tested via the balenaOS (2.51.1+rev1) command + line running on a RPi3. footer: @@ -40360,10 +41710,14 @@ the `maxsources` directive is simply to maintain the current behavior of - resolving four servers for synchronization. as noted in chrony's docs: + resolving four servers for synchronization. as noted in chrony's + docs: - > When a pool source is unreachable, marked as a falseticker, or has a distance larger than the limit set by the maxdistance directive, chronyd will try to replace the source with a newly resolved address from the pool. + > When a pool source is unreachable, marked as a falseticker, or + has a distance larger than the limit set by the maxdistance + directive, chronyd will try to replace the source with a newly + resolved address from the pool. footer: Connects-to: "#1852" connects-to: "#1852" 
@@ -40394,11 +41748,14 @@ body: > The change this commit reverts allowed to update with a locally - available image - but it also has the side effect of restarting the + available image - but it also has the side effect of restarting + the - supervisor even if no update is required and that has unintentional + supervisor even if no update is required and that has + unintentional - consequences as https://github.com/balena-io/balena-supervisor/issues/1358 + consequences as + https://github.com/balena-io/balena-supervisor/issues/1358 This commit reverts 646e4ae809375f4abf35c55cd580e2c62a8812e2 @@ -40554,7 +41911,8 @@ The dependency is introduced by the upstream.sh and downstream.sh scripts. - Bash is also a dependency not only for internal packages but for external + Bash is also a dependency not only for internal packages but for + external scripts too. footer: @@ -40612,7 +41970,8 @@ Devices with closed source bootloaders that cannot be made to pass the UUID - of the booting device (like smartphones, Jetson NX and Xabier), need to + of the booting device (like smartphones, Jetson NX and Xabier), + need to fallback to passing a label in the kernel command line. @@ -40634,9 +41993,11 @@ Devices with custom HUPs, like Jetson devices that run BSP partition update - scripts, do not have state symlinks when updating from legacy pre state + scripts, do not have state symlinks when updating from legacy + pre state - symlinks OS versions, so they need to fallback to legacy label/partname + symlinks OS versions, so they need to fallback to legacy + label/partname resolution. footer: @@ -40708,7 +42069,8 @@ All logging is handled by journald so remove the default dependency on - busybox-syslog. It is still available to be explicitely included in + busybox-syslog. It is still available to be explicitely included + in images that might need it like initramfs images. footer: 
@@ -40884,10 +42246,12 @@ From v2.49, the hostapp-update utility creates the /run directory in the - root filesystem, however when huping from previous versions /run is not there. + root filesystem, however when huping from previous versions /run + is not there. - This commit switches to use /tmp to store the new UUID for the root partition on + This commit switches to use /tmp to store the new UUID for the + root partition on first boot after generating new UUIDs. footer: @@ -40917,9 +42281,11 @@ e.g. os-config, healthdog, bindmount, some others maybe - At the moment, we haven't syncronized on one rust version and device + At the moment, we haven't syncronized on one rust version and + device - integration layers can pick any meta-rust version. Which probably uses + integration layers can pick any meta-rust version. Which + probably uses the latest rust version in the layer. @@ -40973,9 +42339,11 @@ This file allows other components to uniquely parse the information that - is contained in the changelog. It will be automatically managed by + is contained in the changelog. It will be automatically + managed by - versionist by appending the new commits on top. This is needed to + versionist by appending the new commits on top. This is + needed to provide nested-changelogs. footer: @@ -41187,12 +42555,15 @@ This allows a response to an input with dport=`supevisor api port` and - is required when the host OS is doing stateful firewalling. + is required when the host OS is doing stateful + firewalling. - This should not affect things when stateful firewalling is not in + This should not affect things when stateful firewalling + is not in - effect, as the standard OUTPUT chain policy is ACCEPT, so we're just + effect, as the standard OUTPUT chain policy is ACCEPT, + so we're just being explicit about it. footer: 
@@ -41560,7 +42931,8 @@ sync-debug.js. - We add a command `npm run sync`, which starts a livepush process + We add a command `npm run sync`, which starts a livepush + process with the supervisor on a device. footer: @@ -41575,12 +42947,15 @@ We also remove the Makefile to go to a simpler build system, as long with - the retry_docker_push.sh file. We remove the rest of the automation tools + the retry_docker_push.sh file. We remove the rest of the + automation tools - as they're no longer used and update the circle.yml file. + as they're no longer used and update the circle.yml + file. - We also remove debug builds, as these aren't needed moving forward, and were + We also remove debug builds, as these aren't needed + moving forward, and were only to enable livepush builds. footer: @@ -41726,7 +43101,8 @@ ``` - could not initialize thread_rng: All entropy sources failed (permanently unavailable); + could not initialize thread_rng: All entropy sources + failed (permanently unavailable); cause: getrandom not ready (not ready yet); @@ -41734,7 +43110,8 @@ ``` - This change makes sure we are cycling until a random sequence is populated successfully. + This change makes sure we are cycling until a random + sequence is populated successfully. - hash: 14a19bf24e258c01a294bd7adfa808fddee59096 author: Zubair Lutfullah Kakakhel footers: @@ -41890,14 +43267,17 @@ When a partition filesystem label is detected, udev checks whether the - device belongs to the same disk as the root partitition passed in the + device belongs to the same disk as the root partitition passed + in the - kernel command line by the bootloader. Only if it does, it creates a by-state + kernel command line by the bootloader. Only if it does, it + creates a by-state link to it. - By using this by-state links we avoid filesystem label clashes as the + By using this by-state links we avoid filesystem label clashes + as the system will always use partitions in the same drive as root (as 
@@ -41935,7 +43315,8 @@ When running fsck, the tool will complain when needed gconv modules are - missing. Include them in the initramfs where we fsck the boot partition. + missing. Include them in the initramfs where we fsck the boot + partition. footer: Change-type: patch change-type: patch @@ -41950,9 +43331,11 @@ balenaOS uses FAT as a fs type for the boot/first partition. This is - currently hardcoded so let's have the related kernel configs built in + currently hardcoded so let's have the related kernel configs + built in - the kernel image. In this way we don't have to handle kernel modules in + the kernel image. In this way we don't have to handle kernel + modules in the initramfs (when needed). footer: @@ -42178,9 +43561,11 @@ Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4. - - [Release notes](https://github.com/acornjs/acorn/releases) + - [Release + notes](https://github.com/acornjs/acorn/releases) - - [Commits](https://github.com/acornjs/acorn/compare/5.7.3...5.7.4) + - + [Commits](https://github.com/acornjs/acorn/compare/5.7.3...5.7.4) footer: Change-type: patch change-type: patch @@ -42206,7 +43591,8 @@ We add an implicit .0 to the end of l4t versions which do not fulfill - semver, which allows us to always match using comparison operators, such + semver, which allows us to always match using comparison + operators, such as < and <=. footer: @@ -42380,7 +43766,8 @@ We also package separately the firmware for Intel Wireless-AC 9260 - cards and also package separetely the wifi and bluetooth firmware for + cards and also package separetely the wifi and bluetooth + firmware for Intel Wireless-AX MAC which is found in the Intel NUC10I7FNH. footer: @@ -42400,7 +43787,8 @@ body: > This package adds to rootfs the regulatory database into - /lib/firmware/regulatory.db which can be loaded by kernel versions + /lib/firmware/regulatory.db which can be loaded by kernel + versions >= v4.15 for Poky Thud and Warrior based boards. footer: 
@@ -42422,7 +43810,8 @@ We need to allow user containers to do some clean-up if they wish to on - reboot / shutdown through systemctl so let's add KillMode set to process + reboot / shutdown through systemctl so let's add KillMode set to + process so that systemd won't directly kill the user containers first. @@ -42479,9 +43868,11 @@ Lets pass it here to keep it correct. - Should not have any actual affect. NM plugin was built with reference + Should not have any actual affect. NM plugin was built with + reference - to the 2.4.7 headers. Just the directoy path would say 2.4.5 misleading + to the 2.4.7 headers. Just the directoy path would say 2.4.5 + misleading some debug effort footer: @@ -42498,7 +43889,8 @@ This is an old version of openvpn. Devices still on pyro should be using - the openvpn version from meta-balena-common and not this one. Removing + the openvpn version from meta-balena-common and not this one. + Removing this to prevent any accidents even and some cleanup. footer: @@ -42793,12 +44185,14 @@ e.g. Jetson family have tegra-firmware-xusb etc. - IMAGE_ROOTFS_MAXSIZE triggers an error if the rootfs goes beyond this + IMAGE_ROOTFS_MAXSIZE triggers an error if the rootfs goes beyond + this limit. This does not force the rootfs to an empty fixed size. - We can comfortably increase the max size to 32MB to reduce unnecessary + We can comfortably increase the max size to 32MB to reduce + unnecessary patches in the device integration layers. 
@@ -42865,16 +44259,20 @@ The DNS clients (applications) resolver libraries use the timeout value in - /etc/resolv.conf to set the time between DNS attempts. The default is 5 + /etc/resolv.conf to set the time between DNS attempts. The + default is 5 - secs which for slow networks like cellular mean lots of DNS requests on + secs which for slow networks like cellular mean lots of DNS + requests on a bandwidth sensitive channel. - This change modifies the default to 15 secs. This timeout only applies + This change modifies the default to 15 secs. This timeout only + applies - when DNS servers are unresponsive so it will not affect the normal + when DNS servers are unresponsive so it will not affect the + normal functionality. @@ -42980,7 +44378,8 @@ We do not want by default that any OS variants allow for stopping the - autoboot in any way and letting users enter the u-boot shell. This can + autoboot in any way and letting users enter the u-boot shell. + This can be overwritten by setting OS_DEV_UBOOT_DELAY to 1. footer: @@ -43000,19 +44399,23 @@ hours. - BalenaOS uses chronyd for time synchronization, and it allows to specify + BalenaOS uses chronyd for time synchronization, and it allows to + specify - a minpoll and maxpoll values per server with a power of two number of + a minpoll and maxpoll values per server with a power of two + number of seconds for the minimum and maximum polling time respectively. - With those constraints, the change set both limits to 2^14s (4.55h) for + With those constraints, the change set both limits to 2^14s + (4.55h) for all servers. - An architectural decision has been made not to make this configurable. + An architectural decision has been made not to make this + configurable. Fixes #1780. 
@@ -43030,7 +44433,8 @@ body: > We do not want that production OS variants allow for stopping - the autoboot in any way and letting users enter the u-boot shell. + the autoboot in any way and letting users enter the u-boot + shell. footer: Change-type: patch change-type: patch @@ -43118,10 +44522,12 @@ Reports indicate that NetworkManager can leave stale temporary files on - the state partition that over time can affect the device's operability. + the state partition that over time can affect the device's + operability. - This commit removes the timestamps.XXXXXX and seen-bssids.XXXXXX files on + This commit removes the timestamps.XXXXXX and seen-bssids.XXXXXX + files on startup to avoid this situation. @@ -43150,9 +44556,11 @@ body: > Fetched from: - * https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn_2.4.7.bb?id=c1c8895609ae70a1b735e8625c19046c25184ee4 + * + https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn_2.4.7.bb?id=c1c8895609ae70a1b735e8625c19046c25184ee4 - * https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn/openvpn?id=910891d722085c56c474ac72788898b94c5ed193 + * + https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-support/openvpn/openvpn/openvpn?id=910891d722085c56c474ac72788898b94c5ed193 footer: Connects-to: "#1740" connects-to: "#1740" 
@@ -43185,21 +44593,27 @@ which includes DATETIME - DATETIME changes between runs so we can sometimes get into a state + DATETIME changes between runs so we can sometimes get into a + state where the do_populate_lic_deploy task has its stamp file set. - But when our subsequent deploy_image_license_manifest task runs, the + But when our subsequent deploy_image_license_manifest task runs, + the - DATETIME is different. Hence we get into a state where we have to + DATETIME is different. Hence we get into a state where we have + to - run cleanall on the resin-image-flasher recipe to clean up directories. + run cleanall on the resin-image-flasher recipe to clean up + directories. - Lets mark do_populate_lic_deploy with nostamp. This should make it + Lets mark do_populate_lic_deploy with nostamp. This should make + it - run every time we need to run deploy_image_license_manifest with the + run every time we need to run deploy_image_license_manifest with + the most up to date DATETIME variable to prevent any hiccups footer: @@ -43216,12 +44630,14 @@ Need to make the script go in the background in ExecStartPost=. - Otherwise, the service status never gets to active/running resulting + Otherwise, the service status never gets to active/running + resulting it in remaining stuck in an endless loop. - If the health-check load fails for whatever reason, the subsequent + If the health-check load fails for whatever reason, the + subsequent engine healthcheck will fail retriggering the healthcheck load. footer: @@ -43424,7 +44840,8 @@ b0e0c77a26f3fad51e2923ab416fdd2af2a5a033 - Lets use META_BALENA_VERSION if available for our os version checks. + Lets use META_BALENA_VERSION if available for our os version + checks. footer: Change-type: patch change-type: patch 
@@ -43604,18 +45021,21 @@ Customers usually don't need this delay during u-boot. Also in some - cases, hardware attached on the uart pins might pause uboot preventing + cases, hardware attached on the uart pins might pause uboot + preventing customers from using dev images easily. - But we do need this delay during our development work on bsps etc. + But we do need this delay during our development work on bsps + etc. Lets make this autoboot delay build time configurable - Also make the BOOTDELAY -2 which is better than 0 as that completely + Also make the BOOTDELAY -2 which is better than 0 as that + completely prevents any char on serial from interrupting boot. footer: @@ -43648,7 +45068,8 @@ The supervisor needs to know its container ID on the context of different - engine objects cleanup tasks, so it can understand what objects are + engine objects cleanup tasks, so it can understand what objects + are related to itself. @@ -43673,7 +45094,8 @@ body: > Necessary to avoid error: - "No rule to make target 'arch/arm64/kernel/vdso/vdso.lds', needed + "No rule to make target 'arch/arm64/kernel/vdso/vdso.lds', + needed by 'arch/arm64/kernel/vdso/vdso.so.dbg'" @@ -43934,7 +45356,8 @@ cmdline - A better way would be to check the presence of a valid symlink for fd0, + A better way would be to check the presence of a valid symlink + for fd0, fd1 and fd2. And assign them to /dev/null if unavailable. footer: @@ -43977,7 +45400,8 @@ git revision although the kernel's abiversion includes it and - as such the external modules built using this utsrelease.h header + as such the external modules built using this utsrelease.h + header will fail to load because of this mismatch). footer: @@ -43999,7 +45423,8 @@ one cgroup manager in our OS. - Otherwise, systemd will have its own cgroup manager and cgroupfs will + Otherwise, systemd will have its own cgroup manager and cgroupfs + will be another cgroup manager via balenaEngine daemon. 
@@ -44036,9 +45461,17 @@ body: > Otherwise systemd complains: - localhost systemd-tmpfiles[525]: [/etc/tmpfiles.d/balena-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/docker.pid → /run/docker.pid; please update the tmpfiles.d/ drop-in file accordingly. + localhost systemd-tmpfiles[525]: + [/etc/tmpfiles.d/balena-tmpfiles.conf:1] Line references path + below legacy directory /var/run/, updating /var/run/docker.pid → + /run/docker.pid; please update the tmpfiles.d/ drop-in file + accordingly. - localhost systemd-tmpfiles[525]: [/etc/tmpfiles.d/balena-tmpfiles.conf:2] Line references path below legacy directory /var/run/, updating /var/run/balena.pid → /run/balena.pid; please update the tmpfiles.d/ drop-in file accordingly. + localhost systemd-tmpfiles[525]: + [/etc/tmpfiles.d/balena-tmpfiles.conf:2] Line references path + below legacy directory /var/run/, updating /var/run/balena.pid → + /run/balena.pid; please update the tmpfiles.d/ drop-in file + accordingly. footer: Change-type: patch change-type: patch @@ -44056,14 +45489,16 @@ PR #1441 changed mnt-sysroot-inactive to an automount. But there is no - way to easily add a udev dependency to the automount. As a result, + way to easily add a udev dependency to the automount. As a + result, when rollbacks tries to access the inactive partition, it fails. Let's add systemd-udev-settle.service to the rollback services. - This will only delay the first boot after a HUP which is reasonable. + This will only delay the first boot after a HUP which is + reasonable. footer: Change-type: patch change-type: patch 
@@ -44092,14 +45527,17 @@ When `console=null` is passed in the kernel cmdline for production - images, the system doesn't boot. Traced to initramfs not starting any + images, the system doesn't boot. Traced to initramfs not + starting any process such as udev with the right file descripters for 0,1,2 - Add workaround for that issue. This got exposed with a systemd bump. + Add workaround for that issue. This got exposed with a systemd + bump. - More details here https://github.com/systemd/systemd/issues/13332 + More details here + https://github.com/systemd/systemd/issues/13332 footer: Change-type: patch change-type: patch @@ -44126,9 +45564,11 @@ Our root filesystem is overlayfs or aufs. When latter, the system - crashes when reading a lower directory file. We avoid this by always + crashes when reading a lower directory file. We avoid this by + always - falling back to copy and mount (as if overlayfs is not available). + falling back to copy and mount (as if overlayfs is not + available). Fixes #1618 @@ -44161,9 +45601,11 @@ We have found a rare corner case bug where the journal bloats beyond - its limit and fills the state partition. Triggering a vacuum on reboot + its limit and fills the state partition. Triggering a vacuum on + reboot - helps a bit in case the device is restarted to recover its function. + helps a bit in case the device is restarted to recover its + function. Fixes #1423 
@@ -44241,14 +45683,17 @@ After a HUP, until rollbacks clears its state, the supervisor(or user) - can trigger good reboots. These reboots might be seen by the bootloader + can trigger good reboots. These reboots might be seen by the + bootloader as bad reboots. - To prevent this from happening, add a service that clears the bootcount + To prevent this from happening, add a service that clears the + bootcount - upon good reboots. This only runs if the rollback services have not + upon good reboots. This only runs if the rollback services have + not cleared their flag files in the state partition. footer:
@@ -44268,7 +45713,8 @@ We'd like to split dev and prod uboot config fragments. Dev images can - have a 2 second u-boot delay to facilitate debugging. While prod images + have a 2 second u-boot delay to facilitate debugging. While prod + images shouldn't really pause at this stage of the boot. footer:
@@ -44289,12 +45735,14 @@ meta-balena - The support is mainline since warrior. Lets copy it in meta-balena + The support is mainline since warrior. Lets copy it in + meta-balena to get it in the previous layers as well. - We need CMD_SETEXPR to be enabled for rollbacks to work. So enable it + We need CMD_SETEXPR to be enabled for rollbacks to work. So + enable it via the config fragment footer:
@@ -44324,9 +45772,11 @@ This will allow us to scale to lots of devices. - A flag os_bootcount_skip is left for devices that are unable to support + A flag os_bootcount_skip is left for devices that are unable to + support - fatwrite in u-boot (in some rare cases). This will allow a device to + fatwrite in u-boot (in some rare cases). This will allow a + device to not support rollback-altboot and still function. 
@@ -44350,23 +45800,28 @@ body: > We'd like to enable some options in all boards header files via - meta-balena. This patch adds a task to include config_resin.h into + meta-balena. This patch adds a task to include config_resin.h + into config_default.h (which is included in all board header files). - We can then add a config option via meta-balena that will be enabled for + We can then add a config option via meta-balena that will be + enabled for all devices. - This patch enables CONFIG_RESET_TO_RETRY. If for whatever strange reason + This patch enables CONFIG_RESET_TO_RETRY. If for whatever + strange reason - (accidental fs issue in u-boot etc), this will trigger a u-boot reset + (accidental fs issue in u-boot etc), this will trigger a u-boot + reset command the device in 15 seconds. - Note This requires that the device's u-boot supports the reset command + Note This requires that the device's u-boot supports the reset + command which it probably should. footer:
@@ -44385,7 +45840,8 @@ Fixes #1597 - The warning doesn't apply for our use case and confuses customers + The warning doesn't apply for our use case and confuses + customers footer: Change-type: patch change-type: patch
@@ -44423,14 +45879,17 @@ body: > We load the hello-world image after starting the balena daemon. - ExecStartPost should run after the daemon is initialized but chaining a + ExecStartPost should run after the daemon is initialized but + chaining a 15 second sleep for good measure. - We load the hello-world image here so that devices out in the field and + We load the hello-world image here so that devices out in the + field and - on prem devices don't need to pull from dockerhub which would require + on prem devices don't need to pull from dockerhub which would + require external internet connectivity. footer: 
@@ -44474,21 +45933,27 @@ Occasionally balena ps and balena info work but the balena daemon is - unable to start a new container. This is usually when something in runc + unable to start a new container. This is usually when something + in runc or containerd is not functioning correctly. - Add a healthcheck to spin up a simple hello-world container as well. + Add a healthcheck to spin up a simple hello-world container as + well. - The trade-off here is that there will be a few extra writes to disk + The trade-off here is that there will be a few extra writes to + disk - every healthcheck timeout. But there will be a benefit that if runc + every healthcheck timeout. But there will be a benefit that if + runc - or containerd is in a bad state, the healthcheck will fail and systemd + or containerd is in a bad state, the healthcheck will fail and + systemd - will restart the balena daemon to recover the application container + will restart the balena daemon to recover the application + container Fixes #1391
@@ -44552,9 +46017,11 @@ The data partition contains the supervisor which is only about 61M on - the pi3. We compress the data partition later on so don't notice these + the pi3. We compress the data partition later on so don't notice + these - zeros. But lets reduce the size of the data partition to eat less + zeros. But lets reduce the size of the data partition to eat + less space whenever an uncompressed image is used anywhere. e.g. when
@@ -44610,7 +46077,8 @@ This version fixes the use of wrong fixdep binary (the bug makes it use - target fixdep binary instead of cross fixdep binary) used for compiling + target fixdep binary instead of cross fixdep binary) used for + compiling the target objtool binary on kernel version 5.0.3. footer: 
@@ -44645,17 +46113,22 @@ Fixes #1564 - This bbclass uses the common layer path advertised by BBLAYERS to find + This bbclass uses the common layer path advertised by BBLAYERS + to find - the paths to different resources in board repository. For example + the paths to different resources in board repository. For + example - machine json - to get the slug and advertise it in os-release. After + machine json - to get the slug and advertise it in os-release. + After - renaming the common layer (resin to balena) and because we support old + renaming the common layer (resin to balena) and because we + support old references to the old common layer name (by including a dummy - deprecation layer), we need to make sure this class can cope now with + deprecation layer), we need to make sure this class can cope now + with both cases. footer:
@@ -44677,7 +46150,8 @@ workaround for thud. - [1] http://lists.openembedded.org/pipermail/openembedded-core/2019-February/278695.html + [1] + http://lists.openembedded.org/pipermail/openembedded-core/2019-February/278695.html footer: Change-type: patch change-type: patch
@@ -44709,7 +46183,8 @@ Poky, following os-release(5), sanitizes VERSION_ID accordingly but in - doing so it produces a nonisemver compliant version. For example: + doing so it produces a nonisemver compliant version. For + example: VERSION="2.37.0+rev1" VERSION_ID="2.37.0-rev1"
@@ -44732,7 +46207,8 @@ Since #1550, os-release doesn't reference meta-balena distro version anymore. Restore - that by providing this information in a new variable called META_BALENA_VERSION. + that by providing this information in a new variable called + META_BALENA_VERSION. Fixes #1558
@@ -44749,7 +46225,8 @@ Currently once config_resin.h is generated, a change in these variables - doesn't regenerate the file. Add vardeps so that bitbake can regenerate + doesn't regenerate the file. Add vardeps so that bitbake can + regenerate config_resin.h in case these variables are changed. 
@@ -44774,15 +46251,20 @@ included by default from the version in Yocto warrior. - In summary, with this change we fix newer NM which stopped handling + In summary, with this change we fix newer NM which stopped + handling - rp_filter when connected to multiple interfaces. See "device: disable + rp_filter when connected to multiple interfaces. See "device: + disable - rp_filter handling" commit from NM. Without this change, only the + rp_filter handling" commit from NM. Without this change, only + the - default route will me usable and binding to a specific interface will + default route will me usable and binding to a specific interface + will - break connectivity if that interface is not also the default route for + break connectivity if that interface is not also the default + route for the target IP.
@@ -44802,11 +46284,14 @@ Currently, bluez's storage data is set to /var/lib/bluetooth which - in turn is a tmpfs location. We want this location persistent so we can + in turn is a tmpfs location. We want this location persistent so + we can - save paired devices over reboot. We do that by adding the corresponding + save paired devices over reboot. We do that by adding the + corresponding - bind mount to the state partition and setting bluez to depend on this + bind mount to the state partition and setting bluez to depend on + this mount unit.
@@ -44852,9 +46337,11 @@ VERSION and VERSION_ID had a slightly different semantics in balenaOS. - VERSION was referring to the BalenaOS (host OS) version (which is coming from + VERSION was referring to the BalenaOS (host OS) version (which + is coming from - device repositories) while VERSION_ID was set to the DISTRO_VERSION. + device repositories) while VERSION_ID was set to the + DISTRO_VERSION. This brings confusion so we change it to adhere to
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12d20798a..1fd18685a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,37 @@ Change log ----------- +# v5.1.49 +## (2024-03-07) + + +
+ Update layers/meta-balena to 069243961adb123830eb4073a6245b2fa1e6f8b3 [Self-hosted Renovate Bot] + +> ## meta-balena-5.1.49 +> ### (2024-03-06) +> +> +>
+> Update tests/leviathan digest to a677d89 [Self-hosted Renovate Bot] +> +>> ### leviathan-2.29.64 +>> #### (2024-03-04) +>> +>> * Update Lock file maintenance [Self-hosted Renovate Bot] +>> +> +>
+> +> +> ## meta-balena-5.1.48 +> ### (2024-03-06) +> +> * hostapp-update-hooks: Soft include balena-config-defaults [Michal Toman] +> + +
+ # v5.1.47+rev1 ## (2024-03-06)
diff --git a/VERSION b/VERSION
index a3ed538d9..b72061af4 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.47+rev1
\ No newline at end of file
+5.1.49
\ No newline at end of file