Add kubevirt-chart

Imported from https://github.com/suse-edge/charts/tree/main/charts/kubevirt/0.4.0

.gitattributes

@@ -2,3 +2,4 @@
 *.tar.gz filter=lfs diff=lfs merge=lfs -text
 *.tar.xz filter=lfs diff=lfs merge=lfs -text
 *.obscpio filter=lfs diff=lfs merge=lfs -text
+*.tar.bz2 filter=lfs diff=lfs merge=lfs -text

.gitmodules

@@ -4,3 +4,12 @@
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
+[submodule "fakeroot"]
+	path = fakeroot
+	url = https://src.opensuse.org/pool/fakeroot.git
+[submodule "crudini"]
+	path = crudini
+	url = https://src.opensuse.org/pool/crudini.git
+[submodule "autoconf"]
+	path = autoconf
+	url = https://src.opensuse.org/SLFO-pool/autoconf.git

.obs/delete_package.py

@@ -21,7 +21,7 @@ def delete_package_from_workflow(name: str):
 
 
 def delete_package_from_project(name: str):
-    p = subprocess.run(["osc", "rdelete", PROJECT, name], stdout=subprocess.PIPE)
+    p = subprocess.run(["osc", "rdelete", PROJECT, name, "-m \"Deleted via delete_package.py\"" ], stdout=subprocess.PIPE)
     print(p.stdout)
     print(p.stderr)
     p.check_returncode()

.obs/workflows.yml

@@ -66,14 +66,6 @@ staging_build:
       source_package: frr-k8s
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-operator
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: kubectl
       source_project: isv:SUSE:Edge:Factory
@@ -82,10 +74,6 @@ staging_build:
       source_package: upgrade-controller
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-provider-rke2
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: nm-configurator
       source_project: isv:SUSE:Edge:Factory
@@ -122,10 +110,6 @@ staging_build:
       source_package: cdi-chart
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-controller-image
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: cluster-api-provider-metal3-image
       source_project: isv:SUSE:Edge:Factory
@@ -134,10 +118,6 @@ staging_build:
       source_package: metallb-chart
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-operator-image
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: sriov-crd-chart
       source_project: isv:SUSE:Edge:Factory
@@ -154,10 +134,6 @@ staging_build:
       source_package: ironic-ipa-downloader-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-provider-rke2-controlplane-image
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: upgrade-controller-image
       source_project: isv:SUSE:Edge:Factory
@@ -170,10 +146,6 @@ staging_build:
       source_package: baremetal-operator-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: cluster-api-provider-rke2-bootstrap-image
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: sriov-network-operator-chart
       source_project: isv:SUSE:Edge:Factory
@@ -190,11 +162,55 @@ staging_build:
       source_package: metallb-speaker-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: venv
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: ironic-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: cri-tools
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: crudini
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: fakeroot
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: ipcalc
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: autoconf
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: rancher-turtles-airgap-resources-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: rancher-turtles-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kube-rbac-proxy-image
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: ironic-ipa-ramdisk
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kubevirt-dashboard-extension-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kiwi-builder-image
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kubevirt-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging

README.md

@@ -13,3 +13,26 @@ Then run the `.obs/add_package.py` script to create the package in the OBS proje
 This script is using the `osc` command behind the scenes, so ensure you have it installed and correctly configured, as well as you have the correct permissions to create a new package in the project.
 
 You will then get asked to push your changes.
+
+## Testing a fork or a development branch
+
+You can create a project in your home space in OBS, use the same prjconf as the one of "isv:SUSE:Edge:Factory", and copy the repositories part of the metadata (adjust self references).
+Then add a scmsync stanza to your metadata like this (adjust repository path and branch):
+
+```xml
+<scmsync>https://src.opensuse.org/suse-edge/Factory#main</scmsync>
+```
+
+## Cutting a release version branch
+
+1. Do the appropriate git branch command
+2. Change the project path in `.obs/common.py` file (e.g. from `isv:SUSE:Edge:Factory` to `isv:SUSE:Edge:3.2`)
+3. Change the branch reference in `.obs/common.py` file (e.g. from `main` to `3.2`)
+4. Edit the `.obs/workflows.yml` file to change the references to the correct projects
+5. Commit those changes to the new branch and push the new branch
+6. Create the base and to-test projects (e.g. `isv:SUSE:Edge:3.2` and `isv:SUSE:Edge:3.2:ToTest`), use the `isv:SUSE:Edge:Factory` projects as example for metadata part
+7. Use the prjconf of Factory in all those projects
+8. Run the `.obs/sync_packages.py` script to create all the packages in the base project
+9. Go take a few cups of coffee/tea/mate/... while waiting for OBS to build everything
+10. Once built do an `osc release` of the project for it to be copied over in the `ToTest` section
+11. Hand over to QA to test whatever is in `ToTest`. (You can continue to work on the base branch if needed meanwhile)

akri-agent-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-agent:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-agent-image/_service

@@ -13,5 +13,7 @@
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

akri-controller-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-controller:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-controller-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-dashboard-extension-chart/Chart.yaml

@@ -1,5 +1,5 @@
-#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0
+#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.2.0
-#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.2.0-%RELEASE%
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: Akri
@@ -7,14 +7,14 @@ annotations:
   catalog.cattle.io/namespace: cattle-ui-plugin-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux, windows
-  catalog.cattle.io/rancher-version: '>= v2.9.0'
+  catalog.cattle.io/rancher-version: '>= 2.10.0-0'
   catalog.cattle.io/scope: management
   catalog.cattle.io/ui-component: plugins
-  catalog.cattle.io/ui-extensions-version: '>= 2.0.1'
+  catalog.cattle.io/ui-extensions-version: '>= 3.0.0'
 apiVersion: v2
-appVersion: 1.1.0
+appVersion: 1.2.0
 description: 'SUSE Edge: Akri extension for Rancher Dashboard'
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg
 name: akri-dashboard-extension
 type: application
-version: 1.1.0
+version: 1.2.0

akri-dashboard-extension-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

akri-dashboard-extension-chart/templates/cr.yaml

@@ -8,7 +8,7 @@ spec:
   plugin:
     name: {{ include "extension-server.fullname" . }}
     version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.1.0
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.2.0
     noCache: {{ .Values.plugin.noCache }}
     noAuth: {{ .Values.plugin.noAuth }}
     metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}

akri-dashboard-extension-chart/values.yaml

@@ -7,6 +7,6 @@ plugin:
   noAuth: false
   metadata:
     catalog.cattle.io/display-name: Akri
-    catalog.cattle.io/rancher-version: ">= v2.9.0"
+    catalog.cattle.io/rancher-version: ">= 2.10.0-0"
-    catalog.cattle.io/ui-extensions-version: ">= 2.0.1"
+    catalog.cattle.io/ui-extensions-version: ">= 3.0.0"
     catalog.cattle.io/kube-version: ">= v1.26.0-0"

akri-debug-echo-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-debug-echo-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-debug-echo-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-onvif-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-onvif-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-onvif-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-opcua-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-opcua-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-opcua-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-udev-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-udev-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-udev-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-webhook-configuration-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-webhook-configuration:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-webhook-configuration-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

baremetal-operator-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

baremetal-operator-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

baremetal-operator/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/baremetal-operator</param>
     <param name="scm">git</param>
-    <param name="revision">v0.6.1</param>
+    <param name="revision">v0.8.0</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

baremetal-operator/baremetal-operator.spec

@@ -17,14 +17,14 @@
 
 
 Name:           baremetal-operator
-Version:        0.6.1
+Version:        0.8.0
-Release:        0.6.1
+Release:        0.8.0
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

cdi-chart/_service

@@ -2,7 +2,7 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

cluster-api-operator-image/Dockerfile

@@ -1,35 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%
-#!BuildVersion: 15.6
-ARG SLE_VERSION
-FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
-
-FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
-COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-operator shadow; zypper -n clean; rm -rf /var/log/*
-
-FROM micro AS final
-# Define labels according to https://en.opensuse.org/Building_derived_containers
-# labelprefix=com.suse.application.cluster-api-operator
-LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
-LABEL org.opencontainers.image.title="SLE cluster-api-operator Container Image"
-LABEL org.opencontainers.image.description="cluster-api-operator based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="%%cluster-api-operator_version%%"
-LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
-LABEL org.opencontainers.image.created="%BUILDTIME%"
-LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%"
-LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
-LABEL com.suse.eula="SUSE Combined EULA February 2024"
-LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
-LABEL com.suse.image-type="application"
-LABEL com.suse.release-stage="released"
-# endlabelprefix
-
-COPY --from=base /installroot /
-RUN mv /usr/bin/cluster-api-operator-controller /manager
-# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
-USER 65532
-ENTRYPOINT [ "/manager" ]

cluster-api-operator-image/_service

@@ -1,17 +0,0 @@
-<services>
-  <service mode="buildtime" name="kiwi_metainfo_helper"/>
-  <service mode="buildtime" name="docker_label_helper"/>
-  <service name="replace_using_package_version" mode="buildtime">
-    <param name="file">Dockerfile</param>
-    <param name="regex">%%cluster-api-operator_version%%</param>
-    <param name="package">cluster-api-operator</param>
-    <param name="parse-version">patch</param>
-  </service>
-  <service name="replace_using_env" mode="buildtime">
-    <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
-    <param name="var">IMG_PREFIX</param>
-    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
-    <param name="var">IMG_REPO</param>
-  </service>
-</services>

cluster-api-operator/_service

@@ -1,23 +0,0 @@
-<services>
- <service name="obs_scm">
-    <param name="url">https://github.com/kubernetes-sigs/cluster-api-operator</param>
-    <param name="scm">git</param>
-    <param name="revision">v0.12.0</param>
-    <param name="version">_auto_</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">enable</param>
-    <param name="changesauthor">steven.hardy@suse.com</param>
-    <param name="match-tag">v*</param>
-    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
-    <param name="without-version">yes</param>
-    <param name="versionrewrite-replacement">\1</param>
-  </service>
-  <service mode="buildtime" name="tar" />
-  <service mode="buildtime" name="recompress">
-    <param name="file">*.tar</param>
-    <param name="compression">gz</param>
-  </service>
-  <service name="go_modules">
-  </service>
-  <service mode="buildtime" name="set_version" />
-</services>

cluster-api-operator/cluster-api-operator.spec

@@ -1,52 +0,0 @@
-#
-# spec file for package cluster-api-operator
-#
-# Copyright (c) 2023 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-Name:           cluster-api-operator
-Version:        0.12.0
-Release:        0
-Summary:        Cluster API Core Controller
-License:        Apache-2.0
-URL:            https://github.com/kubernetes-sigs/cluster-api-operator
-Source:         cluster-api-operator-%{version}.tar.gz
-Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
-ExcludeArch:    s390
-ExcludeArch:    %{ix86}
-
-%description
-
-Cluster API operator
-
-%prep
-%autosetup -a1 -n cluster-api-operator-%{version}
-
-%build
-go build \
-   -mod=vendor \
-   -buildmode=pie \
-   -o cluster-api-operator cmd/main.go
-
-%install
-install -D -m0755 cluster-api-operator %{buildroot}%{_bindir}/cluster-api-operator-controller
-
-%files
-%license LICENSE
-%doc README.md
-%{_bindir}/cluster-api-operator-controller
-
-%changelog

cluster-api-provider-metal3-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-metal3:%%cluster-api-provider-metal3_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-provider-metal3-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-provider-metal3/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/cluster-api-provider-metal3</param>
     <param name="scm">git</param>
-    <param name="revision">v1.7.1</param>
+    <param name="revision">v1.7.2</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

cluster-api-provider-metal3/cluster-api-provider-metal3.spec

@@ -17,14 +17,14 @@
 
 
 Name:           cluster-api-provider-metal3
-Version:        1.7.1
+Version:        1.7.2
 Release:        0
 Summary:        Cluster API Infrastructure Provider for Metal3
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/cluster-api-provider-metal3
 Source:         cluster-api-provider-metal3-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

cluster-api-provider-rke2-bootstrap-image/Dockerfile

@@ -1,36 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:v%%cluster-api-provider-rke2_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%
-#!BuildVersion: 15.6
-ARG SLE_VERSION
-FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
-
-FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
-COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-bootstrap shadow; zypper -n clean; rm -rf /var/log/*
-
-FROM micro AS final
-# Define labels according to https://en.opensuse.org/Building_derived_containers
-# labelprefix=com.suse.application.cluster-api-provider-rke2
-LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
-LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
-LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
-LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
-LABEL org.opencontainers.image.created="%BUILDTIME%"
-LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%"
-LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
-LABEL com.suse.eula="SUSE Combined EULA February 2024"
-LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
-LABEL com.suse.image-type="application"
-LABEL com.suse.release-stage="released"
-# endlabelprefix
-
-COPY --from=base /installroot /
-RUN mv /usr/bin/rke2-bootstrap-manager /manager
-# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
-USER 65532
-ENTRYPOINT [ "/manager" ]

cluster-api-provider-rke2-bootstrap-image/_service

@@ -1,17 +0,0 @@
-<services>
-  <service mode="buildtime" name="kiwi_metainfo_helper"/>
-  <service mode="buildtime" name="docker_label_helper"/>
-  <service name="replace_using_package_version" mode="buildtime">
-    <param name="file">Dockerfile</param>
-    <param name="regex">%%cluster-api-provider-rke2_version%%</param>
-    <param name="package">cluster-api-provider-rke2-bootstrap</param>
-    <param name="parse-version">patch</param>
-  </service>
-  <service name="replace_using_env" mode="buildtime">
-    <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
-    <param name="var">IMG_PREFIX</param>
-    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
-    <param name="var">IMG_REPO</param>
-  </service>
-</services>

cluster-api-provider-rke2-controlplane-image/Dockerfile

@@ -1,36 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:v%%cluster-api-provider-rke2_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%
-#!BuildVersion: 15.6
-ARG SLE_VERSION
-FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
-
-FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
-COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-control-plane shadow; zypper -n clean; rm -rf /var/log/*
-
-FROM micro AS final
-# Define labels according to https://en.opensuse.org/Building_derived_containers
-# labelprefix=com.suse.application.cluster-api-provider-rke2
-LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
-LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
-LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
-LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
-LABEL org.opencontainers.image.created="%BUILDTIME%"
-LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%"
-LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
-LABEL com.suse.eula="SUSE Combined EULA February 2024"
-LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
-LABEL com.suse.image-type="application"
-LABEL com.suse.release-stage="released"
-# endlabelprefix
-
-COPY --from=base /installroot /
-RUN mv /usr/bin/rke2-control-plane-manager /manager
-# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
-USER 65532
-ENTRYPOINT [ "/manager" ]

cluster-api-provider-rke2/_service

@@ -1,23 +0,0 @@
-<services>
- <service name="obs_scm">
-    <param name="url">https://github.com/rancher-sandbox/cluster-api-provider-rke2</param>
-    <param name="scm">git</param>
-    <param name="revision">v0.7.0</param>
-    <param name="version">_auto_</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">enable</param>
-    <param name="changesauthor">steven.hardy@suse.com</param>
-    <param name="match-tag">v*</param>
-    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
-    <param name="without-version">yes</param>
-    <param name="versionrewrite-replacement">\1</param>
-  </service>
-  <service mode="buildtime" name="tar" />
-  <service mode="buildtime" name="recompress">
-    <param name="file">*.tar</param>
-    <param name="compression">gz</param>
-  </service>
-   <service name="go_modules">
-  </service>
-  <service mode="buildtime" name="set_version" />
-</services>

cluster-api-provider-rke2/cluster-api-provider-rke2.spec

@@ -1,61 +0,0 @@
-#
-# spec file for package cluster-api-provider-rke2
-#
-# Copyright (c) 2023 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-Name:           cluster-api-provider-rke2
-Version:        0.7.0
-Release:        0
-Summary:        Cluster API provider for RKE2
-License:        Apache-2.0
-URL:            https://github.com/rancher-sandbox/cluster-api-provider-rke2
-Source:         cluster-api-provider-rke2-%{version}.tar.gz
-Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
-ExcludeArch:    s390
-ExcludeArch:    %{ix86}
-
-%description
-
-Cluster API provider for RKE2
-
-%package bootstrap
-Summary: Cluster API bootstrap controller for RKE2
-%description bootstrap
-Cluster API bootstrap controller for RKE2
-
-%package control-plane
-Summary: Cluster API control-plane controller for RKE2
-%description control-plane
-Cluster API control-plane controller for RKE2
-
-%prep
-%autosetup -a1 -n cluster-api-provider-rke2-%{version}
-
-%build
-make managers
-
-%install
-install -D -m0755 bin/rke2-bootstrap-manager %{buildroot}%{_bindir}/rke2-bootstrap-manager
-install -D -m0755 bin/rke2-control-plane-manager %{buildroot}%{_bindir}/rke2-control-plane-manager
-
-%files bootstrap
-%{_bindir}/rke2-bootstrap-manager
-
-%files control-plane
-%{_bindir}/rke2-control-plane-manager
-
-%changelog

cluster-api/_service

@@ -1,23 +0,0 @@
-<services>
- <service name="obs_scm">
-    <param name="url">https://github.com/kubernetes-sigs/cluster-api</param>
-    <param name="scm">git</param>
-    <param name="revision">v1.7.5</param>
-    <param name="version">_auto_</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">enable</param>
-    <param name="changesauthor">steven.hardy@suse.com</param>
-    <param name="match-tag">v*</param>
-    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
-    <param name="without-version">yes</param>
-    <param name="versionrewrite-replacement">\1</param>
-  </service>
-  <service mode="buildtime" name="tar" />
-  <service mode="buildtime" name="recompress">
-    <param name="file">*.tar</param>
-    <param name="compression">gz</param>
-  </service>
-  <service name="go_modules">
-  </service>
-  <service mode="buildtime" name="set_version" />
-</services>

cluster-api/cluster-api.spec

@@ -1,51 +0,0 @@
-#
-# spec file for package cluster-api
-#
-# Copyright (c) 2023 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-Name:           cluster-api
-Version:        1.7.5
-Release:        0
-Summary:        Cluster API Core Controller
-License:        Apache-2.0
-URL:            https://github.com/kubernetes-sigs/cluster-api
-Source:         cluster-api-%{version}.tar.gz
-Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
-ExcludeArch:    s390
-ExcludeArch:    %{ix86}
-
-%description
-
-Cluster API core controller
-
-%prep
-%autosetup -a1 -n cluster-api-%{version}
-
-%build
-go build \
-   -mod=vendor \
-   -buildmode=pie \
-
-%install
-install -D -m0755 cluster-api %{buildroot}%{_bindir}/cluster-api-controller
-
-%files
-%license LICENSE
-%doc README.md
-%{_bindir}/cluster-api-controller
-
-%changelog

edge-image-builder-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.1.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

edge-image-builder-image/_service

@@ -2,13 +2,15 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
     <param name="file">artifacts.yaml</param>
     <param name="eval">CHART_REPO=$(rpm --macros=/root/.rpmmacros -E %chart_repo)</param>
     <param name="var">CHART_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>
 

endpoint-copier-operator-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

endpoint-copier-operator-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

endpoint-copier-operator-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ip-address-manager-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ip-address-manager:%%ip-address-manager_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

ip-address-manager-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ip-address-manager/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/ip-address-manager</param>
     <param name="scm">git</param>
-    <param name="revision">v1.7.1</param>
+    <param name="revision">v1.7.2</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

ip-address-manager/ip-address-manager.spec

@@ -17,14 +17,14 @@
 
 
 Name:           ip-address-manager
-Version:        1.7.1
+Version:        1.7.2
 Release:        0
 Summary:        Metal3 IPAM controller
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/ip-address-manager
 Source:         ip-address-manager-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

ipcalc/ipcalc-disable-network-tests.patch

@@ -0,0 +1,50 @@
+Index: ipcalc-1.0.0/tests/meson.build
+===================================================================
+--- ipcalc-1.0.0.orig/tests/meson.build
++++ ipcalc-1.0.0/tests/meson.build
+@@ -64,14 +64,6 @@ test('RandomIPv6Explicit',
+ 		ipcalc.full_path() + ' -6 -r 24' + '|grep Address'
+ 	]
+ )
+-test('HostnameIPv6Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -6 -o localhost',
+-		files('hostname-localhost-ipv6')
+-	]
+-)
+ test('HostnameIPv4Localhost',
+ 	testrunner,
+ 	args : [
+@@ -88,30 +80,6 @@ test('HostnameIPv4LocalhostJson',
+ 		files('hostname-localhost-ipv4-json')
+ 	]
+ )
+-test('IPIPv6Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -h ::1',
+-		files('ip-localhost-ipv6')
+-	]
+-)
+-test('IPIPv4Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -h 127.0.0.1',
+-		files('ip-localhost-ipv4')
+-	]
+-)
+-test('IPIPv4LocalhostJson',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -j -h 127.0.0.1',
+-		files('ip-localhost-ipv4-json')
+-	]
+-)
+ # --class-prefix tests
+ test('AssignClassPrefix12',
+ 	testrunner,

ipcalc/ipcalc.changes

@@ -0,0 +1,64 @@
+-------------------------------------------------------------------
+Tue Jun 27 15:11:20 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.3:
+  * When --no-decorate is given the default output will
+  * include no colors
+  * Correctly split networks with /31
+
+-------------------------------------------------------------------
+Mon Jan  2 20:43:13 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.2:
+  * Fix ULA prefix generator to use only defined ULA range
+  * Corrected manpage generation
+
+-------------------------------------------------------------------
+Sat Oct 16 15:16:34 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.1:
+  - The application will now build even without ronn
+  - Improved JSON output on single host input
+
+-------------------------------------------------------------------
+Sat Apr  3 20:54:10 UTC 2021 - Atri Bhattacharya <badshah400@gmail.com>
+
+- Update to version 1.0.0:
+  * Manpage was converted to markdown.
+- Switch to using meson for building; BuildRequires: meson >=
+  0.49.
+- Addtional BuildRequires now needed: pkgconfig(libmaxminddb),
+  rubygem(ronn).
+- Add ipcalc-disable-network-tests.patch: Disable tests requiring
+  network.
+- Run tests as part of %check section.
+- New upstream URL and Source URL.
+- Drop patch patch-queue: no longer needed.
+
+-------------------------------------------------------------------
+Tue Aug  4 10:07:35 UTC 2015 - mpluskal@suse.com
+
+- Cleanup spec file with spec-clenaer
+
+-------------------------------------------------------------------
+Sun Jun 26 22:24:37 UTC 2011 - lazy.kent@opensuse.org
+
+- refreshed patch to fix build in openSUSE >= 11.3
+- splitted off rpm changelog to changes
+- corrected License tag
+- added Authors
+- formatted spec
+
+-------------------------------------------------------------------
+Sun Nov 18 00:00:00 UTC 2007 - guru@unixtech.be
+
+- moved to openSUSE Build Service
+- added minor patch
+
+-------------------------------------------------------------------
+Sun Oct 22 00:00:00 UTC 2006 - guru@unixtech.be
+
+- new upstream version
+- rewrote spec file
+
+

ipcalc/ipcalc.spec

@@ -0,0 +1,61 @@
+#
+# spec file for package ipcalc
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           ipcalc
+Version:        1.0.3
+Release:        0
+Summary:        IPv4/IPv6 tool assisting in network calculations on the command line
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/System
+URL:            https://gitlab.com/ipcalc/ipcalc
+Source0:        https://gitlab.com/ipcalc/ipcalc/-/archive/%{version}/%{name}-%{version}.tar.bz2
+# PATCH-FEATURE-OPENSUSE ipcalc-disable-network-tests.patch badshah400@gmail.com -- Disable tests requiring network
+Patch0:         ipcalc-disable-network-tests.patch
+BuildRequires:  meson >= 0.49
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(libmaxminddb)
+Conflicts:      netcalc
+
+%description
+ipcalc is a modern tool to assist in network address calculations for IPv4 and
+IPv6. It acts both as a tool to output human readable information about a
+network or address, as well as a tool suitable to be used by scripts or other
+programs.  It supports printing a summary about the provided network address,
+multiple command line options per information to be printed, transparent IPv6
+support, and in addition it will use libGeoIP if available to provide
+geographic information.
+
+%prep
+%autosetup -p1
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%check
+%meson_test
+
+%files
+%doc README.md NEWS
+%license COPYING
+%{_bindir}/ipcalc
+
+%changelog

ironic-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%
 #!BuildVersion: 15.6
 
 ARG SLE_VERSION
@@ -16,7 +16,12 @@ RUN /bin/prepare-efi.sh
 
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api
+RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs crudini openstack-ironic
+
+# DATABASE
+RUN mkdir -p /installroot/var/lib/ironic && \
+  /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
+  zypper --installroot /installroot --non-interactive remove sqlite3
 
 FROM micro AS final
 MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -26,10 +31,10 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="24.1.2.0"
+LABEL org.opencontainers.image.version="26.1.2.0"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
@@ -48,8 +53,8 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
 COPY mkisofs_wrapper /usr/bin/mkisofs
 RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
 
-COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runironic-api runironic-conductor runironic-exporter runironic-inspector runlogwatch.sh tls-common.sh configure-nonroot.sh /bin/
+COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
-RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runironic-api; chmod +x /bin/runironic-conductor; chmod +x /bin/runironic-exporter; chmod +x /bin/runironic-inspector; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
+RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
 RUN mkdir -p /tftpboot
 RUN mkdir -p $GRUB_DIR
 
@@ -63,7 +68,7 @@ RUN cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi
 COPY --from=base /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic.conf.j2 /etc/ironic/
-COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 /tmp/
+COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
 COPY network-data-schema-empty.json /etc/ironic/
 
 # DNSMASQ
@@ -73,14 +78,7 @@ COPY dnsmasq.conf.j2 /etc/
 COPY httpd.conf.j2 /etc/httpd/conf/
 COPY httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
-
+COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
-# IRONIC-INSPECTOR #
-RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
-  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
-  sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal"
-
-COPY ironic-inspector.conf.j2 /etc/ironic-inspector/
-COPY inspector-apache.conf.j2 /etc/httpd/conf.d/
 
 # Workaround
 # Removing the 010-ironic.conf file that comes with the package 

ironic-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ironic-image/apache2-ipxe.conf.j2

@@ -0,0 +1,35 @@
+Listen {{ env.IPXE_TLS_PORT }}
+
+<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
+    ErrorLog /dev/stderr
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    SSLEngine on
+    SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IPXE_CERT_FILE }}
+    SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
+
+    <Directory "/shared/html">
+        Order Allow,Deny
+        Allow from all
+    </Directory>
+    <Directory "/shared/html/(redfish|ilo|images)/">
+        Order Deny,Allow
+        Deny from all
+    </Directory>
+</VirtualHost>
+
+<Location ~ "^/grub.*/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/pxelinux.cfg/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/.*\.conf/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
+    SSLRequireSSL
+</Location>
+

ironic-image/apache2-vmedia.conf.j2

@@ -10,15 +10,17 @@ Listen {{ env.VMEDIA_TLS_PORT }}
     SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
 
-    <Directory "/shared">
+    <Directory ~ "/shared/html">
-        AllowOverride None
+         Order deny,allow
-        Require all granted
+         deny from all
     </Directory>
-
+    <Directory ~ "/shared/html/(redfish|ilo)/">
-    <Directory "/shared/html">
+         Order allow,deny
-        Options Indexes FollowSymLinks
+         allow from all
-        AllowOverride None
+    </Directory>
-        Require all granted
+    <Directory ~ "/shared/html/images/">
+         Order allow,deny
+         allow from all
     </Directory>
 </VirtualHost>
 

ironic-image/auth-common.sh

@@ -2,36 +2,39 @@
 
 set -euxo pipefail
 
-export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
-export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
+
+# Backward compatibility
+if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
+    export IRONIC_EXPOSE_JSON_RPC=true
+else
+    export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
+fi
 
 IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
-INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
+if [[ -f "/auth/ironic/htpasswd" ]]; then
+    IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
+fi
+export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 
 configure_client_basic_auth()
 {
     local auth_config_file="/auth/$1/auth-config"
     local dest="${2:-/etc/ironic/ironic.conf}"
     if [[ -f "${auth_config_file}" ]]; then
-        # Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
+        # Merge configurations in the "auth" directory into the default ironic configuration file
-        # when running the api as a WSGI app.
         crudini --merge "${dest}" < "${auth_config_file}"
     fi
 }
 
 configure_json_rpc_auth()
 {
-    export JSON_RPC_AUTH_STRATEGY="noauth"
+    if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
-    if [[ -n "${IRONIC_HTPASSWD}" ]]; then
+        if [[ -z "${IRONIC_HTPASSWD}" ]]; then
-        if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
+            echo "FATAL: enabling JSON RPC requires authentication"
-            export JSON_RPC_AUTH_STRATEGY="http_basic"
+            exit 1
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
-        else
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
         fi
+        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
     fi
 }
 
@@ -48,24 +51,9 @@ configure_ironic_auth()
     fi
 }
 
-configure_inspector_auth()
-{
-    local config=/etc/ironic-inspector/ironic-inspector.conf
-    if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
-        if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
-            crudini --set "${config}" DEFAULT auth_strategy http_basic
-            crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
-        fi
-    fi
-}
-
 write_htpasswd_files()
 {
     if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
         printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
     fi
-    if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
-    fi
 }

ironic-image/configure-ironic.sh

@@ -2,14 +2,13 @@
 
 set -euxo pipefail
 
-IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
 
 # Define the VLAN interfaces to be included in introspection report, e.g.
 #   all - all VLANs on all interfaces using LLDP information
 #   <interface> - all VLANs on a particular interface using LLDP information
 #   <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
-export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
+export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
 
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
@@ -20,13 +19,17 @@ export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
 
 export HTTP_PORT=${HTTP_PORT:-80}
 
-MARIADB_PASSWORD=${MARIADB_PASSWORD}
+export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
-MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
+
-MARIADB_USER=${MARIADB_USER:-ironic}
+if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
-MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
+    MARIADB_PASSWORD=${MARIADB_PASSWORD}
-export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
+    MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
-if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
+    MARIADB_USER=${MARIADB_USER:-ironic}
-    export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
+    MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
+    export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
+    if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
+        export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
+    fi
 fi
 
 # TODO(dtantsur): remove the explicit default once we get
@@ -37,9 +40,6 @@ if [[ "$NUMPROC" -lt 4 ]]; then
 fi
 export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
 
-export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
-
 # Whether to enable fast_track provisioning or not
 export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
 
@@ -58,16 +58,14 @@ wait_for_interface_or_ip
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
 
 export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
-export IRONIC_INSPECTOR_BASE_URL=${IRONIC_INSPECTOR_BASE_URL:-"${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}"}
 
 if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
-    export IRONIC_EXTERNAL_CALLBACK_URL="${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"
+    export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
     if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-        export IRONIC_EXTERNAL_HTTP_URL="https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"
+        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
     else
-        export IRONIC_EXTERNAL_HTTP_URL="http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"
+        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
     fi
-    export IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE="https://${IRONIC_EXTERNAL_IP}:${IRONIC_INSPECTOR_ACCESS_PORT}"
 fi
 
 IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
@@ -90,13 +88,32 @@ mkdir -p /shared/ironic_prometheus_exporter
 
 configure_json_rpc_auth
 
+if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+    ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
+    export ENABLE_FIPS_IPA
+fi
+
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 
-if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
-    configure_client_basic_auth ironic-inspector
-fi
 configure_client_basic_auth ironic-rpc
 
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+
+PROBE_CURL_ARGS=
+if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
+    if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
+        PROBE_URL="http://127.0.0.1:6385"
+        PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
+    else
+        PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
+    fi
+else
+        PROBE_URL="${IRONIC_BASE_URL}"
+fi
+export PROBE_CURL_ARGS
+export PROBE_URL
+
+PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
+PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness

ironic-image/configure-nonroot.sh

@@ -15,7 +15,7 @@ useradd -r -g ${NONROOT_GID} \
 mkdir -p /shared/html
 chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
 
-# we'll bind mount shared ca and ironic/inspector certificate dirs here
+# we'll bind mount shared ca and ironic certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
@@ -26,17 +26,15 @@ chmod 2775 /certs{,/ca}
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
 
-# ironic, inspector and httpd related changes
+# ironic and httpd related changes
+mkdir -p /etc/httpd/conf.d
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic-inspector
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
-chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
+chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
 
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic-inspector
+chmod 664 /var/lib/ironic/ironic.sqlite
-chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
-chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
 
 # dnsmasq, and the capabilities required to run it as non-root user
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
@@ -48,3 +46,8 @@ chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
 touch /var/lib/ca-certificates/ca-bundle.pem.new
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
 chmod -R +w /var/lib/ca-certificates/
+
+# probes that are created before start
+touch /bin/ironic-{readi,live}ness
+chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
+chmod 775 /bin/ironic-{readi,live}ness

ironic-image/dnsmasq.conf.j2

@@ -29,13 +29,23 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
 # IPv4 Configuration:
 dhcp-match=ipxe,175
 # Client is already running iPXE; move to next stage of chainloading
+{%- if env.IPXE_TLS_SETUP == "true"  %}
+# iPXE with (U)EFI
+dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
+# iPXE with BIOS
+dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
+{% else %}
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
+{% endif %}
 
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
+# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
+{%- if env.IPXE_TLS_SETUP == "true"  %}
+dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+{% endif %}
 dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
 
 # Client is running PXE over BIOS; send BIOS version of iPXE chainloader

ironic-image/httpd-ironic-api.conf.j2

@@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
-
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}
     ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
     ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -29,14 +27,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
     {% endif %}
 
-    {% else %}
-    WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
-    WSGIScriptAlias / /usr/bin/ironic-api-wsgi
-    {% endif %}
-
     SetEnv APACHE_RUN_USER ironic-suse
     SetEnv APACHE_RUN_GROUP ironic-suse
-    WSGIProcessGroup ironic-suse
 
     ErrorLog /dev/stderr
     LogLevel debug
@@ -49,7 +41,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
     <Location />
          {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
             AuthType Basic
@@ -58,22 +49,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
             Require valid-user
          {% endif %}
     </Location>
-    {% else %}
-    <Directory /usr/bin >
-        WSGIProcessGroup ironic
-        WSGIApplicationGroup %{GLOBAL}
-        AllowOverride None
-
-        {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
-        AuthType Basic
-        AuthName "Restricted WSGI area"
-        AuthUserFile "/etc/ironic/htpasswd"
-        Require valid-user
-        {% else %}
-        Require all granted
-        {% endif %}
-    </Directory>
-    {% endif %}
 
     <Location ~ "^/(v1/?)?$" >
         Require all granted

ironic-image/httpd-modules.conf

@@ -5,7 +5,6 @@ LoadModule dir_module /usr/lib64/apache2/mod_dir.so
 LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
 #LoadModule unixd_module modules/mod_unixd.so
 #LoadModule mpm_event_module modules/mod_mpm_event.so
-LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so
 LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
 LoadModule env_module /usr/lib64/apache2/mod_env.so
 LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so

ironic-image/httpd.conf.j2

@@ -1,6 +1,6 @@
 ServerRoot "/etc/httpd"
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen [::]:{{ env.HTTP_PORT }}
+Listen {{ env.HTTP_PORT }}
 {% else %}
 Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 {% endif %}

ironic-image/inspector.ipxe.j2

@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
-initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
+initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot

ironic-image/ipxe_config.template

@@ -0,0 +1,81 @@
+#!ipxe
+
+set attempts:int32 10
+set i:int32 0
+
+goto deploy
+
+:deploy
+imgfree
+{%- if pxe_options.deployment_aki_path %}
+{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
+{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
+{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
+{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
+{%- endif %}
+{%- if pxe_options.deployment_ari_path %}
+{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
+{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
+{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
+{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
+{%- endif %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
+
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
+boot
+
+:retry
+iseq ${i} ${attempts} && goto fail ||
+inc i
+echo No response, retrying in ${i} seconds.
+sleep ${i}
+goto deploy
+
+:fail
+echo Failed to get a response after ${attempts} attempts
+echo Powering off in 30 seconds.
+sleep 30
+poweroff
+
+:boot_anaconda
+imgfree
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
+boot
+
+:boot_ramdisk
+imgfree
+{%- if pxe_options.boot_iso_url %}
+sanboot {{ pxe_options.boot_iso_url }}
+{%- else %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
+boot
+{%- endif %}
+
+{%- if pxe_options.boot_from_volume %}
+
+:boot_iscsi
+imgfree
+{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
+{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
+sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
+{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
+set username {{ volume.username }}
+set password {{ volume.password }}
+{%- set drive_id = 129 + i %}
+sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
+{%- endfor %}{% endif %}
+{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
+sanboot --no-describe || goto fail_iscsi_retry
+
+:fail_iscsi_retry
+echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
+sleep 10
+goto boot_iscsi
+{%- endif %}
+
+:boot_whole_disk
+sanboot --no-describe || exit 0

ironic-image/ironic-common.sh

@@ -6,6 +6,7 @@ IRONIC_IP="${IRONIC_IP:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
+IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
 
 get_provisioning_interface()
 {
@@ -72,7 +73,10 @@ wait_for_interface_or_ip()
 
 render_j2_config()
 {
+    ls $1 # DEBUG
+    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
     python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    ls $2 # DEBUG
 }
 
 run_ironic_dbsync()
@@ -86,25 +90,18 @@ run_ironic_dbsync()
         done
     else
         # SQLite does not support some statements. Fortunately, we can just create
-        # the schema in one go instead of going through an upgrade.
+        # the schema in one go if not already created, instead of going through an upgrade
-        ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
+        DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
+        if [[ "${DB_VERSION}" == "None" ]]; then
+            ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
+        fi
     fi
 }
 
 # Use the special value "unix" for unix sockets
-export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-6388}
+export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
-export IRONIC_INSPECTOR_PRIVATE_PORT=${IRONIC_INSPECTOR_PRIVATE_PORT:-5049}
 
 export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
 export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
 
-export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
+export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
-export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
-
-# If this is false, built-in inspection is used.
-export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
-export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
-if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
-    echo "Discovery is only supported with ironic-inspector at this point"
-    exit 1
-fi

ironic-image/ironic-probe.j2

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
+
+# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
+# to make sure the conductor is ready. This requires having access to secrets
+# since these endpoints are authenticated.

ironic-image/ironic.conf.j2

@@ -1,28 +1,22 @@
 [DEFAULT]
-{% if env.AUTH_STRATEGY is defined %}
-auth_strategy = {{ env.AUTH_STRATEGY }}
-{% if env.AUTH_STRATEGY == "http_basic" %}
-http_basic_auth_user_file=/etc/ironic/htpasswd
-{% endif %}
-{% else %}
 auth_strategy = noauth
-{% endif %}
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
+default_inspect_interface = agent
 default_network_interface = noop
-enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
+enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
-enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
+enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
+enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
-enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
-enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
+enabled_network_interfaces = noop
-enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
+enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
+enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
-enabled_firmware_interfaces = no-firmware,fake,redfish
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -32,14 +26,7 @@ use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
 my_ip = {{ env.IRONIC_IP }}
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-# If we run both API and conductor in the same pod, use localhost
-host = localhost
-{% else %}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
-{% endif %}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -96,7 +83,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
+bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -125,7 +112,7 @@ default_boot_option = local
 erase_devices_metadata_priority = 10
 erase_devices_priority = 0
 http_root = /shared/html/
-http_url = {{ env.IRONIC_BOOT_BASE_URL }}
+http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
@@ -143,26 +130,22 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 
 [inspector]
+# NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
+# booting IPA through a separate inspector.ipxe rather than the driver's boot
+# interface), so managed boot is not required.
+require_managed_boot = False
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
-extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
-
-{% if env.USE_IRONIC_INSPECTOR == "true" %}
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
-{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
-callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
-{% endif %}
-{% else %}
 hooks = $default_hooks,parse-lldp
 add_ports = all
 keep_ports = present
-{% endif %}
+
+[auto_discovery]
+enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
+driver = ipmi
 
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -191,15 +174,9 @@ cipher_suite_versions = 3,17
 # authentication over localhost, using the same credentials as API, to prevent
 # unauthenticated connections from other processes in the same host since the
 # containers are in host networking.
-auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
+auth_strategy = http_basic
 http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-host_ip = localhost
-{% else %}
 host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
-{% endif %}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -224,24 +201,27 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
+{% if env.IPXE_TLS_SETUP | lower == "true" %}
+ipxe_config_template = /tmp/ipxe_config.template
+{% endif %}
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 use_web_server_for_images = true
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}

ironic-image/rundnsmasq

@@ -4,6 +4,8 @@ set -eux
 
 # shellcheck disable=SC1091
 . /bin/ironic-common.sh
+# shellcheck disable=SC1091
+. /bin/tls-common.sh
 
 export HTTP_PORT=${HTTP_PORT:-80}
 DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
@@ -19,7 +21,13 @@ mkdir -p /shared/html/images
 mkdir -p /shared/html/pxelinux.cfg
 
 # Copy files to shared mount
-cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
+if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
+    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
+        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
+        "/shared/tftpboot"
+else
+    cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
+fi
 
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory

ironic-image/runhttpd

@@ -8,10 +8,7 @@
 export HTTP_PORT=${HTTP_PORT:-80}
 export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 
-INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
-INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
-export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 
 # In Metal3 context they are called node images in Ironic context they are
 # called user images.
@@ -33,11 +30,7 @@ chmod 0777 /shared/html
 
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
 
-if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
-else
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
-fi
 
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
     INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
@@ -51,14 +44,6 @@ cp /tmp/uefi_esp.img /shared/html/uefi_esp.img
 # Render the core httpd config
 render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
 
-if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
-    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
-    fi
-else
-    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
-fi
-
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
     if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
         render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
@@ -74,12 +59,14 @@ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
     render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
 fi
 
-# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
+# Render httpd TLS configuration for /shared/html
-if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
-    # shellcheck disable=SC2034
+    mkdir -p /shared/html/custom-ipxe
-    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
+    chmod 0777 /shared/html/custom-ipxe
-        kill -WINCH $(pgrep httpd)
+    render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
-    done &
+    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
+       "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
+       "/shared/html/custom-ipxe"
 fi
 
 # Set up inotify to kill the container (restart) whenever cert files for ironic api change

ironic-image/runironic

@@ -1,9 +1,7 @@
 #!/usr/bin/bash
 
-# These settings must go before configure-ironic since it has different
+# This setting must go before configure-ironic since it has different defaults.
-# defaults.
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
 
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh

ironic-image/runlogwatch.sh

@@ -1,20 +1,11 @@
 #!/usr/bin/bash
 
 # Ramdisk logs path
-LOG_DIRS=("/shared/log/ironic/deploy" "/shared/log/ironic-inspector/ramdisk")
+LOG_DIR="/shared/log/ironic/deploy"
 
-while :; do
+inotifywait -m "${LOG_DIR}" -e close_write |
-    for LOG_DIR in "${LOG_DIRS[@]}"; do
+    while read -r path _action file; do
-        if ! ls "${LOG_DIR}"/*.tar.gz 1> /dev/null 2>&1; then
+        echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
-            continue
+        tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
-        fi
+        rm -f "${path}/${file}"
-
-        for fn in "${LOG_DIR}"/*.tar.gz; do
-            echo "************ Contents of $fn ramdisk log file bundle **************"
-            tar -xOzvvf "$fn" | sed -e "s/^/$(basename "$fn"): /"
-            rm -f "$fn"
-        done
     done
-
-    sleep 5
-done

ironic-image/tls-common.sh

@@ -5,24 +5,25 @@ export IRONIC_KEY_FILE=/certs/ironic/tls.key
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
+export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 
-export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
-export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
-export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
-export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
-
 export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
 export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
 
+export IPXE_CERT_FILE=/certs/ipxe/tls.crt
+export IPXE_KEY_FILE=/certs/ipxe/tls.key
+
 export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 
 export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 
+export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
+
 mkdir -p /certs/ironic
-mkdir -p /certs/ironic-inspector
 mkdir -p /certs/ca/ironic
-mkdir -p /certs/ca/ironic-inspector
+mkdir -p /certs/ipxe
+mkdir -p /certs/vmedia
 
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
@@ -33,15 +34,6 @@ if [[ ! -f "$IRONIC_CERT_FILE" ]] && [[ -f "$IRONIC_KEY_FILE" ]]; then
     exit 1
 fi
 
-if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
-    echo "Missing TLS Certificate key file $IRONIC_INSPECTOR_KEY_FILE"
-    exit 1
-fi
-if [[ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
-    echo "Missing TLS Certificate file $IRONIC_INSPECTOR_CERT_FILE"
-    exit 1
-fi
-
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ ! -f "$IRONIC_VMEDIA_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_VMEDIA_KEY_FILE"
     exit 1
@@ -51,6 +43,15 @@ if [[ ! -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ -f "$IRONIC_VMEDIA_KEY_FILE" ]];
     exit 1
 fi
 
+if [[ -f "$IPXE_CERT_FILE" ]] && [[ ! -f "$IPXE_KEY_FILE" ]]; then
+    echo "Missing TLS Certificate key file $IPXE_KEY_FILE"
+    exit 1
+fi
+if [[ ! -f "$IPXE_CERT_FILE" ]] && [[ -f "$IPXE_KEY_FILE" ]]; then
+    echo "Missing TLS Certificate file $IPXE_CERT_FILE"
+    exit 1
+fi
+
 copy_atomic()
 {
     local src="$1"
@@ -75,25 +76,20 @@ else
     export IRONIC_SCHEME="http"
 fi
 
-if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] || [[ -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
-    export IRONIC_INSPECTOR_TLS_SETUP="true"
-    export IRONIC_INSPECTOR_SCHEME="https"
-    if [[ ! -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
-        copy_atomic "$IRONIC_INSPECTOR_CERT_FILE" "$IRONIC_INSPECTOR_CACERT_FILE"
-    fi
-else
-    export IRONIC_INSPECTOR_TLS_SETUP="false"
-    export IRONIC_INSPECTOR_SCHEME="http"
-fi
-
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
-    export IRONIC_VMEDIA_SCHEME="https"
     export IRONIC_VMEDIA_TLS_SETUP="true"
 else
-    export IRONIC_VMEDIA_SCHEME="http"
     export IRONIC_VMEDIA_TLS_SETUP="false"
 fi
 
+if [[ -f "$IPXE_CERT_FILE" ]]; then
+    export IPXE_SCHEME="https"
+    export IPXE_TLS_SETUP="true"
+else
+    export IPXE_SCHEME="http"
+    export IPXE_TLS_SETUP="false"
+fi
+
 if [[ -f "$MARIADB_CACERT_FILE" ]]; then
     export MARIADB_TLS_ENABLED="true"
 else

ironic-ipa-downloader-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -8,7 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends openstack-ironic-image-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
 #RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release;
 RUN cp /usr/bin/getopt /installroot/
 
@@ -19,13 +19,13 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="2.0.0"
+LABEL org.opencontainers.image.version="3.0.0"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

ironic-ipa-downloader-image/_service

@@ -3,15 +3,17 @@
   <service mode="buildtime" name="docker_label_helper"/>
   <service name="replace_using_package_version" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="regex">%%openstack-ironic-image-x86_64_version%%</param>
+    <param name="regex">%%ironic-ipa-ramdisk-x86_64_version%%</param>
-    <param name="package">openstack-ironic-image-x86_64</param>
+    <param name="package">ironic-ipa-ramdisk-x86_64</param>
     <param name="parse-version">patch</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ironic-ipa-ramdisk/_constraints

@@ -0,0 +1,8 @@
+<constraints>
+    <hardware>
+        <processors>4</processors>
+        <disk>
+            <size unit="G">12</size>
+        </disk>
+    </hardware>
+</constraints>

ironic-ipa-ramdisk/config.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+test -f /.kconfig && . /.kconfig
+test -f /.profile && . /.profile
+
+#======================================
+# Greeting...
+#--------------------------------------
+echo "Configure image: [$kiwi_iname]..."
+
+#==========================================
+# setup build day
+#------------------------------------------
+baseSetupBuildDay
+
+#======================================
+# Mount system filesystems
+#--------------------------------------
+#baseMount
+
+#==========================================
+# remove unneded kernel files
+#------------------------------------------
+suseStripKernel
+baseStripLocales en_US.utf-8 C.utf8
+
+#======================================
+# Setup baseproduct link
+#--------------------------------------
+suseSetupProduct
+
+#======================================
+# Add missing gpg keys to rpm
+#--------------------------------------
+suseImportBuildKey
+
+#======================================
+# Activate services
+#--------------------------------------
+baseInsertService openstack-ironic-python-agent
+baseInsertService suse-ironic-image-setup
+baseInsertService suse-network-setup
+baseInsertService sshd
+baseInsertService NetworkManager
+#suseInsertService sshd
+#suseInsertService openstack-ironic-python-agent
+#suseInsertService suse-ironic-image-setup
+
+echo 'DEFAULT_TIMEZONE="UTC"' >> /etc/sysconfig/clock
+baseUpdateSysConfig /etc/sysconfig/clock HWCLOCK "-u"
+baseUpdateSysConfig /etc/sysconfig/clock TIMEZONE UTC
+baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME no
+baseUpdateSysConfig /etc/sysconfig/network/dhcp WRITE_HOSTNAME_TO_HOSTS no
+
+#==========================================
+# generate autologin@ service
+# based on getty@ service
+#------------------------------------------
+#sed 's/^ExecStart=.*/\0 --autologin root/' /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin\@.service
+sed -E 's/^(ExecStart=.*\/agetty).*(--noclear.*)/\1 \2 --autologin root/' /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin\@.service
+
+#==========================================
+# add fstab entry for tmpfs based /tmp
+#------------------------------------------
+echo 'tmpfs /tmp tmpfs size=3G 0 0' >> /etc/fstab
+
+#==========================================
+# remove package docs and manuals
+#------------------------------------------
+#baseStripDocs
+#baseStripMans
+#baseStripInfos
+
+#======================================
+# only basic version of vim is
+# installed; no syntax highlighting
+#--------------------------------------
+sed -i -e's/^syntax on/" syntax on/' /etc/vimrc
+
+#======================================
+# Remove yast if not in use
+#--------------------------------------
+#suseRemoveYaST
+
+#======================================
+# Remove package manager
+#--------------------------------------
+#suseStripPackager
+
+#rm -f usr/lib/perl5/*/*/auto/Encode/??/??.so # 9MB
+
+#======================================
+# Umount kernel filesystems
+#--------------------------------------
+#baseCleanMount
+
+ln -s /sbin/init /init
+
+#==========================================
+# umount
+#------------------------------------------
+umount /proc >/dev/null 2>&1
+
+exit 0
+

ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi

@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="utf-8"?>
+<image schemaversion="7.4" name="openstack-ironic-image-201">
+    <description type="system">
+        <author>Cloud developers</author>
+        <contact>cloud-devel@suse.de</contact>
+        <specification>kernel and ramdisk image for metal3</specification>
+    </description>
+    <profiles>
+        <profile name="default" description="Booting default profile" import="true"/>
+    </profiles>
+    <preferences>
+        <locale>en_US</locale>
+        <packagemanager>zypper</packagemanager>
+        <rpm-check-signatures>false</rpm-check-signatures>
+        <timezone>UTC</timezone>
+        <version>1.0.0</version> 
+    </preferences>	
+    <preferences profiles="default">
+        <type image="kis" initrd_system="none" compressed="false"/>
+    </preferences>
+
+    <users>
+        <user password="*" home="/root" name="root" groups="root"/>
+    </users>
+
+    <repository alias="build-binaries" type="rpm-md" priority="99">
+      <source path="dir:///.build.binaries"/>
+    </repository>
+
+    <drivers>
+        <file name="crypto/*"/>
+        <file name="drivers/acpi/*"/>
+        <file name="drivers/acpi/dock.ko"/>
+        <file name="drivers/ata/*"/>
+        <file name="drivers/block/brd.ko"/>
+        <file name="drivers/block/cciss.ko"/>
+        <file name="drivers/block/loop.ko"/>
+        <file name="drivers/block/virtio_blk.ko"/>
+        <file name="drivers/cdrom/*"/>
+        <file name="drivers/char/hw_random/virtio-rng.ko"/>
+        <file name="drivers/char/lp.ko"/>
+        <file name="drivers/char/ipmi/*"/>
+        <file name="drivers/firmware/iscsi_ibft.ko"/>
+        <file name="drivers/firmware/edd.ko"/>
+        <file name="drivers/gpu/drm/*"/>
+        <file name="drivers/hid/*"/>
+        <file name="drivers/hv/*"/>
+        <file name="drivers/hwmon/*"/>
+        <file name="drivers/ide/*"/>
+        <file name="drivers/input/keyboard/*"/>
+        <file name="drivers/input/mouse/*"/>
+        <file name="drivers/md/*"/>
+        <file name="drivers/message/fusion/*"/>
+        <file name="drivers/misc/hpilo.ko"/>
+        <file name="drivers/net/*"/>
+        <file name="drivers/parport/*"/>
+        <file name="drivers/scsi/*"/>
+        <file name="drivers/staging/hv/*"/>
+        <file name="drivers/target/*"/>
+        <file name="drivers/thermal/*"/>
+        <file name="drivers/usb/*"/>
+        <file name="drivers/virtio/*"/>
+        <file name="fs/binfmt_aout.ko"/>
+        <file name="fs/binfmt_misc.ko"/>
+        <file name="fs/overlayfs/*"/>
+        <file name="fs/btrfs/*"/>
+        <file name="fs/exportfs/*"/>
+        <file name="fs/ext4/*"/>
+        <file name="fs/fat/*"/>
+        <file name="fs/fuse/*"/>
+        <file name="fs/hfs/*"/>
+        <file name="fs/jbd2/*"/>
+        <file name="fs/nfs/*"/>
+        <file name="fs/mbcache.ko"/>
+        <file name="fs/nls/nls_cp437.ko"/>
+        <file name="fs/nls/nls_iso8859-1.ko"/>
+        <file name="fs/nls/nls_utf8.ko"/>
+        <file name="fs/quota_v1.ko"/>
+        <file name="fs/quota_v2.ko"/>
+        <file name="fs/squashfs/*"/>
+        <file name="fs/udf/*"/>
+        <file name="fs/vfat/*"/>
+        <file name="fs/xfs/*"/>
+        <file name="fs/isofs/*"/>
+        <file name="lib/crc-t10dif.ko"/>
+        <file name="lib/crc16.ko"/>
+        <file name="lib/libcrc32c.ko"/>
+        <file name="lib/zlib_deflate/zlib_deflate.ko"/>
+        <file name="net/packet/*"/>
+    </drivers>
+
+    <packages type="delete">
+        <package name="gpg2"/>
+        <package name="libcairo2"/>
+        <package name="libpango-1_0-0"/>
+        <package name="libX11-6"/>
+        <package name="libXext6"/>
+        <package name="libXft2"/>
+        <package name="libXrender1"/>
+        <package name="libX11-data"/>
+        <package name="libXau6"/>
+        <package name="libxcb-render0"/>
+        <package name="libxcb-shm0"/>
+        <package name="libxcb1"/>
+        <package name="plymouth"/>
+        <package name="plymouth-branding-SLE"/>
+    </packages>
+
+    <packages type="image">
+        <package name="checkmedia"/>
+        <package name="plymouth-branding-SLE"/>
+        <package name="plymouth-dracut"/>
+        <package name="plymouth-theme-bgrt"/>
+        <package name="grub2-branding-SLE"/>
+        <package name="iputils"/>
+        <package name="vim"/>
+        <package name="grub2"/>
+        <package name="grub2-x86_64-efi" arch="x86_64"/>
+        <package name="grub2-i386-pc"/>
+        <package name="syslinux"/>
+        <package name="lvm2"/>
+        <package name="plymouth"/>
+        <package name="fontconfig"/>
+        <package name="fonts-config"/>
+        <package name="openssh"/>
+        <package name="iproute2"/>
+        <package name="which"/>
+        <package name="kernel-firmware"/>
+        <package name="kernel-default"/>
+        <package name="NetworkManager"/>
+        <package name="nm-configurator"/>
+        <package name="timezone"/>
+        <package name="haveged"/>
+        <!-- ironic-python-agent specific -->
+        <package name="openstack-ironic-python-agent"/>
+        <package name="hdparm"/>
+        <package name="qemu-tools"/>
+        <package name="python311-proliantutils" arch="x86_64"/>
+        <package name="lshw"/>
+        <package name="dmidecode" arch="aarch64"/>
+        <package name="dmidecode" arch="x86_64"/>
+        <package name="efibootmgr" arch="aarch64" />
+        <package name="efibootmgr" arch="x86_64" />
+        <package name="gptfdisk"/>
+        <package name="open-iscsi"/>
+        <package name="hwinfo"/>
+        <package name="ipmitool"/>
+        <package name="iputils"/>
+        <package name="lvm2"/>
+        <package name="net-tools"/>
+        <package name="ntp"/>
+        <package name="parted"/>
+        <package name="psmisc"/>
+        <package name="timezone"/>
+        <package name="which"/>
+        <package name="kbd"/>
+    </packages>
+
+    <packages type="kis">
+        <package name="gfxboot-branding-SLE"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="dracut-kiwi-oem-dump"/>
+    </packages> 
+
+    <packages type="bootstrap">
+        <package name="glibc-locale"/>
+        <package name="udev"/>
+        <package name="filesystem"/>
+        <package name="cracklib-dict-full"/>
+        <package name="ca-certificates"/>
+        <package name="sles-release"/>
+    </packages>
+</image>

ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec

@@ -0,0 +1,167 @@
+#
+# spec file for package openstack-ironic-image
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# needsrootforbuild
+# needsbinariesforbuild
+
+
+Name:           ironic-ipa-ramdisk
+Version:        3.0.0
+Release:        0
+Summary:        Kernel and ramdisk image for OpenStack Ironic
+License:        SUSE-EULA
+Group:          System/Management
+URL:            https://github.com/SUSE-Cloud/
+Source0:        config.sh
+Source10:       ironic-ipa-ramdisk.kiwi
+Source20:       root.tar.bz2
+
+BuildRequires:  -post-build-checks
+BuildRequires:  bash
+BuildRequires:  kiwi
+BuildRequires:  kiwi-tools
+BuildRequires:  zypper
+BuildArch:      noarch
+
+BuildRequires:  checkmedia
+BuildRequires:  acl
+BuildRequires:  ca-certificates
+BuildRequires:  cracklib-dict-full
+BuildRequires:  cron
+BuildRequires:  dbus-1
+BuildRequires:  elfutils
+BuildRequires:  filesystem
+BuildRequires:  fipscheck
+BuildRequires:  fontconfig
+BuildRequires:  fonts-config
+BuildRequires:  gptfdisk
+BuildRequires:  grub2
+BuildRequires:  grub2-x86_64-efi
+BuildRequires:  haveged
+BuildRequires:  hdparm
+BuildRequires:  hwinfo
+BuildRequires:  ipmitool
+BuildRequires:  iproute2
+BuildRequires:  iputils
+BuildRequires:  kernel-default
+BuildRequires:  kernel-firmware
+BuildRequires:  lvm2
+BuildRequires:  net-tools
+BuildRequires:  ntp
+BuildRequires:  open-iscsi
+BuildRequires:  openssh
+BuildRequires:  openstack-ironic-python-agent
+BuildRequires:  pam-config
+BuildRequires:  parted
+BuildRequires:  patterns-base-minimal_base
+BuildRequires:  pinentry
+BuildRequires:  pkgconfig
+BuildRequires:  Mesa-gallium
+BuildRequires:  plymouth
+BuildRequires:  plymouth-scripts
+BuildRequires:  python311-proliantutils
+BuildRequires:  psmisc
+BuildRequires:  qemu-tools
+BuildRequires:  sg3_utils
+BuildRequires:  sles-release
+BuildRequires:  sudo
+BuildRequires:  suse-build-key
+BuildRequires:  systemd-presets-branding-SLE
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  vim
+BuildRequires:  wpa_supplicant
+BuildRequires:  dhcp-client
+BuildRequires:  which
+BuildRequires:  NetworkManager
+BuildRequires:  nm-configurator
+BuildRequires:  logrotate
+BuildRequires:  plymouth-dracut
+BuildRequires:  plymouth-theme-bgrt
+BuildRequires:  dracut-kiwi-oem-dump
+BuildRequires:  dracut-kiwi-oem-repart
+BuildRequires:  gfxboot-branding-SLE
+BuildRequires:  grub2-branding-SLE
+BuildRequires:  open-iscsi
+BuildRequires:  plymouth-branding-SLE
+BuildRequires:  lshw
+BuildRequires:  kbd
+%ifarch aarch64
+BuildRequires:  dmidecode
+BuildRequires:  efibootmgr
+%endif
+%ifarch x86_64
+BuildRequires:  dmidecode
+BuildRequires:  efibootmgr
+BuildRequires:  syslinux
+%endif
+
+%description
+Kernel and ramdisk image for use with Metal3
+
+%package %{_arch}
+Summary:        Kernel and ramdisk image for Metal3
+Group:          System/Management
+Provides:       openstack-ironic-python-agent = %{version}
+Obsoletes:      openstack-ironic-python-agent < %{version}
+
+%description %{_arch}
+Kernel and ramdisk image for use with Metal3
+For %{_arch}
+
+%prep
+mkdir -p /tmp/openstack-ironic-image/build /tmp/openstack-ironic-image/root /tmp/openstack-ironic-image/img
+
+cp -a %{SOURCE0} /tmp/openstack-ironic-image/config.sh
+
+cp -a %{SOURCE10} /tmp/openstack-ironic-image/config.kiwi
+
+tar -xC /tmp/openstack-ironic-image/root -f %{SOURCE20}
+
+%build
+if ! which kiwi; then
+    cat <<EOF >&2
+kiwi not found in \$PATH; most likely this build was missing
+the --userootforbuild option.  If you are invoking osc build
+manually, please use 'make buildlocal' instead.
+EOF
+    exit 1
+fi
+
+kiwi-ng --debug --profile default system build --description /tmp/openstack-ironic-image --target-dir /tmp/openstack-ironic-image/img
+
+%install
+TDIR=`mktemp -d /tmp/openstack-ironic-image.XXXXX`
+cd /tmp/openstack-ironic-image/img/build/image-root 
+find . | cpio --create --format=newc --quiet > $TDIR/initrdtmp
+cd $TDIR
+gzip -9 -f initrdtmp
+INITRDGZ=`ls *.gz | head -1`
+gzip -cd $INITRDGZ | xz --check=crc32 -c9 > initrd.xz
+INITRD=`ls *.xz | head -1`
+
+ls /tmp/openstack-ironic-image/img/openstack-ironic-image*
+KERNEL=`ls /tmp/openstack-ironic-image/img/openstack-ironic-image*default*kernel | head -1`
+
+mkdir -p %{buildroot}/srv/tftpboot/openstack-ironic-image
+install -p -m 644 $KERNEL $INITRD %{buildroot}/srv/tftpboot/openstack-ironic-image/
+
+%files %{_arch}
+%defattr(644,root,root)
+%dir %attr(755, root, root) /srv/tftpboot/openstack-ironic-image
+%attr(644, root, root) /srv/tftpboot/openstack-ironic-image/*
+
+%changelog

kiwi-builder-image/Dockerfile

@@ -0,0 +1,38 @@
+#!BuildTag: kiwi-builder:10.1
+FROM registry.suse.com/bci/kiwi:10.1.10
+MAINTAINER SUSE LLC (https://www.suse.com/)
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.akri
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE Kiwi Builder Container Image"
+LABEL org.opencontainers.image.description="kiwi-builder based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%PACKAGE_VERSION%"
+LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kiwi-builder:10.1"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+# Install required packages for Kiwi to function as expected
+# Should be provided via https://github.com/SUSE/BCI-dockerfile-generator/pull/1770
+# RUN zypper in -y gawk && zypper clean -a
+
+# Configure Kiwi to use kpartx
+RUN echo -e "mapper:\n  - part_mapper: kpartx" > /etc/kiwi.yml
+
+# Copy build script into image and make it executable
+ADD build-image.sh /usr/bin/build-image
+RUN chmod a+x /usr/bin/build-image
+
+# Make a directory for the standard SL Micro Kiwi definition and config file and copy them in
+RUN mkdir -p /micro-sdk/defs
+ADD SL-Micro.kiwi /micro-sdk/defs
+ADD SL-Micro.kiwi.4096 /micro-sdk/defs
+ADD config.sh /micro-sdk/defs

kiwi-builder-image/README

@@ -0,0 +1,51 @@
+###########################
+Kiwi SDK Image Instructions
+###########################
+
+Please ensure that you're running this on a registered SLE Micro 6.0 system, and make sure that SELinux is disabled:
+
+# setenforce 0
+
+Next, download the podman image:
+
+# podman pull %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10
+
+Make a local output directory (where the images will reside):
+
+# mkdir output
+
+Then, to build a standard "Default" image, run the following in podman:
+
+# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image
+
+To build a SelfInstall ISO, you can add additional flags, for example:
+
+# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Default-SelfInstall
+
+To build an image with a RealTime kernel, e.g. a RAW disk image ("Default"), use the following:
+
+# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Base-RT
+
+To build an image that supports a large block/sectorsize (4096), use the "-b" flag, for example:
+
+# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Default-SelfInstall -b
+
+# mkdir mydefs/
+# cp /path/to/SL-Micro.kiwi mydefs/
+# cp /path/to/config.sh mydefs/
+# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -v ./mydefs/:/micro-sdk/defs/ -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image
+
+All output will be in the local $(pwd)/output directory, for example:
+
+# ls -1 output/
+SLE-Micro.x86_64-6.0.changes
+SLE-Micro.x86_64-6.0.packages
+SLE-Micro.x86_64-6.0.raw
+SLE-Micro.x86_64-6.0.verified
+build
+kiwi.result
+kiwi.result.json
+
+Note, if you want to rebuild the image, you'll need to empty the output directory, or Kiwi will error due to existing output files:
+
+# rm -rf output/*

kiwi-builder-image/SL-Micro.kiwi

@@ -0,0 +1,777 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- OBS-Profiles: @BUILD_FLAVOR@ -->
+<!-- OBS-Milestone: %current_milestone -->
+<!-- OBS-BcntSyncTag: SL-Micro -->
+<image schemaversion="7.5" name="SL-Micro" displayname="SL Micro">
+    <description type="system">
+        <author>SUSE</author>
+        <contact>crc@suse.com</contact>
+        <specification>SL Micro</specification>
+    </description>
+    <profiles>
+        <!-- Profiles used as dependencies of actual image profiles -->
+        <!-- Flavors -->
+        <profile name="full" description="SL Micro as KVM and Container host"/>
+        <profile name="container-host" description="SL Micro as Container host"/>
+        <profile name="ecs_anywhere" description="Amazon ECS Anywhere support"/>
+        <!-- Platforms - support profiles -->
+        <profile name="bootloader" description="Bootloader files for x86_64 and aarch64"/>
+        <profile name="self_install" description="Self Installing ISO media"/>
+        <!-- Platforms -->
+        <profile name="x86" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-vmware" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-encrypted" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-legacy" description="Raw disk for x86_64 - legacy boot" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt-encrypted" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt-self_install" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+	<profile name="aarch64-qcow" description="qcow2 for aarch64 - uEFI" arch="aarch64">
+	  <requires profile="bootloader"/>
+	</profile>
+        <profile name="s390-kvm" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="s390-dasd" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="s390-fba" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <!-- Images (flavor + platform) -->
+        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="Default-VMware" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-vmware"/>
+        </profile>
+        <profile name="Base-VMware" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+	    <requires profile="x86-vmware"/>
+        </profile>
+        <profile name="Default-encrypted" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-encrypted"/>
+        </profile>
+        <profile name="Base-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-encrypted"/>
+        </profile>
+        <profile name="Base-RT-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt-encrypted"/>
+        </profile>
+        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="ECS-Anywhere" description="SL Micro with Podman and ECS Anywhere packagesas raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="ecs_anywhere"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="ECS-Anywhere-SelfInstall" description="SL Micro with Podman and ECS Anywhere packages as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="ecs_anywhere"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
+        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="rpi"/>
+        </profile>
+        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt"/>
+        </profile>
+        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-kvm"/>
+        </profile>
+        <profile name="Base-qcow" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-kvm"/>
+        </profile>
+        <profile name="Default-dasd" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-dasd"/>
+        </profile>
+        <profile name="Base-dasd" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-dasd"/>
+        </profile>
+        <profile name="Default-fba" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-fba"/>
+        </profile>
+        <profile name="Base-fba" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-fba"/>
+        </profile>
+        <profile name="Default-legacy" description="SL Micro with Podman as raw image with legacy boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-legacy"/>
+        </profile>
+        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-qcow"/>
+        </profile>
+        <profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-qcow"/>
+        </profile>
+	<profile name="Default-qcow" description="SL Micro with Podman and KMV as raw image with uEFI boot" arch="aarch64">
+	    <requires profile="full"/>
+	    <requires profile="aarch64-qcow"/>
+        </profile>
+	<profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
+	    <requires profile="container-host"/>
+	    <requires profile="aarch64-qcow"/>
+        </profile>
+    </profiles>
+
+    <preferences profiles="x86-encrypted,x86-rt-encrypted">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">4</size>
+        </type>
+    </preferences>
+    <preferences profiles="x86,x86-rt">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="x86-self_install,x86-rt-self_install">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="rpi">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            efipartsize="128"     
+            editbootinstall="editbootinstall_rpi.sh"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-self_install">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            firmware="uefi"
+            efipartsize="128"     
+	    kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            disk_start_sector="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="s390-kvm">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+
+        <type
+            image="oem"
+            filesystem="btrfs"
+            bootpartition="true"
+            bootpartsize="300"
+            bootfilesystem="ext2"
+        initrd_system="dracut"
+        format="qcow2"
+            kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+        devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+    >
+            <bootloader name="grub2_s390x_emu" timeout="3" />
+              <systemdisk>
+                  <volume name="home"/>
+                  <volume name="root"/>
+                  <volume name="opt"/>
+                  <volume name="srv"/>
+          <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                  <volume name="boot/writable"/>
+                  <volume name="usr/local"/>
+                  <volume name="var" copy_on_write="false"/>
+               </systemdisk>
+           <size unit="G">32</size>
+      </type>
+    </preferences>
+
+
+    <preferences profiles="s390-dasd">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+          image="oem"
+          filesystem="btrfs"
+          bootpartition="true"
+          bootpartsize="300"
+          bootfilesystem="ext2"
+          initrd_system="dracut"
+          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+          devicepersistency="by-uuid"
+          target_blocksize="4096"
+          btrfs_root_is_snapshot="true"
+          btrfs_root_is_readonly_snapshot="true"
+          btrfs_quota_groups="true"
+      >
+            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="CDL" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">5</size>
+      </type>
+    </preferences>
+
+
+
+    <preferences profiles="s390-fba">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+          image="oem"
+          filesystem="btrfs"
+          bootpartition="true"
+          bootpartsize="300"
+          bootfilesystem="ext2"
+          initrd_system="dracut"
+          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+          devicepersistency="by-uuid"
+          btrfs_root_is_snapshot="true"
+          btrfs_root_is_readonly_snapshot="true"
+          btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="FBA"/>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">5</size>
+        </type>
+    </preferences>
+
+
+    <preferences profiles="x86-vmware">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            filesystem="btrfs"
+            format="vmdk"
+            firmware="uefi"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2" console="gfxterm" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">24</size>
+            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+        </type>
+    </preferences>
+    <preferences profiles="x86-qcow">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            format="qcow2"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">32</size>
+        </type>
+    </preferences>
+ 
+    <preferences profiles="aarch64-qcow">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+	<locale>en_US</locale>
+        <type
+            image="oem"
+            format="qcow2"
+            filesystem="btrfs"
+            firmware="uefi"
+            efipartsize="128"     
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+ 		<volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+		<volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">20</size>
+        </type>
+    </preferences>
+
+   <repository type="rpm-md" >
+        <source path='obsrepositories:/'/>
+    </repository>
+
+    <packages type="image" profiles="full">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="salt_minion"/>
+	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="kvm_host"/>
+	<package name="patterns-base-kvm_host"/>
+	<package name="lzop"/>
+        <namedCollection name="container_runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
+        <namedCollection name="cockpit"/>
+        <package name="patterns-base-cockpit"/>
+        <namedCollection name="selinux"/>
+        <package name="patterns-base-selinux"/>
+        <package name="suseconnect-ng"/>
+        <package name="SL-Micro-release"/>
+        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+        <package name="wpa_supplicant" arch="x86_64,aarch64"/>
+	<package name="libpwquality-tools"/>
+        <!-- <package name="k3s-install"/> -->
+    </packages>
+
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+        <!-- full disk encryption stuff -->
+        <package name="device-mapper"/>
+        <package name="cryptsetup"/>
+        <package name="system-user-tss"/>
+        <package name="libtss2-fapi1"/>
+        <package name="libtss2-tcti-device0"/>
+        <package name="tpm2.0-tools"/>
+        <package name="tpm2-0-tss"/>
+        <package name="fde-firstboot"/>
+    </packages>
+
+    <packages type="image" profiles="container-host">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="container_runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
+        <namedCollection name="cockpit"/>
+        <package name="patterns-base-cockpit"/>
+        <namedCollection name="selinux"/>
+        <package name="patterns-base-selinux"/>
+        <package name="suseconnect-ng"/>
+        <package name="SL-Micro-release"/>
+        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+	<package name="libpwquality-tools"/>
+    </packages>
+
+    <packages type="image" profiles="ecs_anywhere">
+        <package name="amazon-ssm-agent"/>
+        <package name="amazon-ecs-init"/>
+        <package name="aws-cli"/>
+        <package name="docker"/>
+    </packages>
+
+    <!-- Ignition / Combustion everywhere, cloud-init only in selected images
+    <packages type="image" profiles="aarch64-self_install,rpi,s390-dasd,s390-fba,s390-kvm,x86,x86-encrypted,x86-legacy,x86-rt,x86-rt-encrypted,x86-rt-self_install,x86-self_install"> -->
+    <packages type="image">
+        <package name="ignition"/>
+        <package name="combustion &gt;= 1.2"/> <!-- New firstboot mechanism -->
+	<package name="jeos-firstboot"/>
+    </packages>
+
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+        <package name="cloud-init"/>
+        <package name="cloud-init-config-suse"/>
+    </packages>
+
+    <packages type="image">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="hardware"/>
+        <package name="patterns-base-hardware"/>
+        <package name="grub2"/>
+        <package name="glibc-locale-base"/>
+        <package name="ca-certificates"/>
+	<package name="SL-Micro-release"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+	<package name="NetworkManager-tui"/>
+        <package name="growpart-generator"/>
+        <package name="suse-build-key"/>
+        <!-- for debugging -->
+        <package name="less"/>
+        <package name="vim-small"/>
+
+        <namedCollection name="micro_defaults"/>
+        <package name="patterns-micro-defaults"/>
+        <package name="NetworkManager"/>
+        <package name="NetworkManager-branding-SLE"/>
+	<package name="ModemManager"/>
+	<!-- FIXME does not build without control file which is obsolete 
+	<package name="live-add-yast-repos"/> -->
+	<package name="parted"/> <!-- seems missing to deploy the image -->
+    </packages>
+
+    <packages type="image" profiles="bootloader">
+        <package name="grub2-i386-pc" arch="x86_64"/>
+        <package name="grub2-x86_64-efi" arch="x86_64"/>
+        <package name="grub2-arm64-efi" arch="aarch64"/>
+        <package name="grub2-s390x-emu" arch="s390x"/>
+        <package name="grub2-branding-SLE" bootinclude="true" arch="x86_64,aarch64"/>
+        <package name="grub2-snapper-plugin"/>
+        <package name="shim" arch="x86_64,aarch64"/>
+	<package name="mokutil" arch="x86_64,aarch64"/>
+	<!-- obsoleted by kiwi-settings
+	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
+    </packages>
+    <!-- rpi kernel-default-base does not provide all necessary drivers -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba">
+        <package name="kernel-default"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted">
+        <package name="kernel-rt"/>
+	<package name="kernel-firmware-all"/>
+	<!-- FIXME intentionally removed from ALP code stream 
+	<package name="cpuset"/> -->
+    </packages>
+    <!-- makes the image build, but also include kernel-default
+    <packages type="image" profiles="x86-rt-encrypted">
+        <package name="kernel-default-extra"/>
+    </packages> -->
+    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba">
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="blog"/>
+    </packages>
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,rpi,aarch64-self_install">
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="dracut-kiwi-oem-dump"/>
+    </packages>
+    <packages type="image" profiles="rpi,aarch64-self_install">
+        <package name="raspberrypi-firmware" arch="aarch64"/>
+        <package name="raspberrypi-firmware-config" arch="aarch64"/>
+        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
+        <package name="u-boot-rpiarm64" arch="aarch64"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="bcm43xx-firmware"/>
+        <package name="kernel-firmware-all"/><!-- Fix choice between kernel-firmware and kernel-firmware-all -->
+        <package name="wireless-regdb"/>
+        <package name="wireless-tools"/>
+        <package name="wpa_supplicant"/>
+        <package name="grub2-arm64-efi"/>
+        <!-- kernel-default-base does not have all required drivers -->
+        <package name="kernel-default"/>
+    </packages>
+    <packages type="bootstrap">
+        <package name="coreutils"/>
+        <package name="filesystem"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+    </packages>
+
+    <!-- bsc#1221936 -->
+    <packages type="image" profiles="x86-vmware">
+        <package name="open-vm-tools"/>
+    </packages>
+
+    <!-- bsc#1221727-->
+    <packages type="image" profiles="x86-qcow,aarch64-qcow">
+        <package name="qemu-guest-agent"/>
+    </packages>
+</image>

kiwi-builder-image/SL-Micro.kiwi.4096

@@ -0,0 +1,784 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- OBS-Profiles: @BUILD_FLAVOR@ -->
+<!-- OBS-Milestone: %current_milestone -->
+<!-- OBS-BcntSyncTag: SL-Micro -->
+<image schemaversion="7.5" name="SL-Micro" displayname="SL Micro">
+    <description type="system">
+        <author>SUSE</author>
+        <contact>crc@suse.com</contact>
+        <specification>SL Micro</specification>
+    </description>
+    <profiles>
+        <!-- Profiles used as dependencies of actual image profiles -->
+        <!-- Flavors -->
+        <profile name="full" description="SL Micro as KVM and Container host"/>
+        <profile name="container-host" description="SL Micro as Container host"/>
+        <profile name="ecs_anywhere" description="Amazon ECS Anywhere support"/>
+        <!-- Platforms - support profiles -->
+        <profile name="bootloader" description="Bootloader files for x86_64 and aarch64"/>
+        <profile name="self_install" description="Self Installing ISO media"/>
+        <!-- Platforms -->
+        <profile name="x86" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-vmware" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-encrypted" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-legacy" description="Raw disk for x86_64 - legacy boot" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt-encrypted" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-rt-self_install" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
+            <requires profile="bootloader"/>
+        </profile>
+	<profile name="aarch64-qcow" description="qcow2 for aarch64 - uEFI" arch="aarch64">
+	  <requires profile="bootloader"/>
+	</profile>
+        <profile name="s390-kvm" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="s390-dasd" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="s390-fba" description="Raw disk for s390 - DASD" arch="s390x">
+            <requires profile="bootloader"/>
+        </profile>
+        <!-- Images (flavor + platform) -->
+        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="Default-VMware" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-vmware"/>
+        </profile>
+        <profile name="Base-VMware" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+	    <requires profile="x86-vmware"/>
+        </profile>
+        <profile name="Default-encrypted" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-encrypted"/>
+        </profile>
+        <profile name="Base-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-encrypted"/>
+        </profile>
+        <profile name="Base-RT-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt-encrypted"/>
+        </profile>
+        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="ECS-Anywhere" description="SL Micro with Podman and ECS Anywhere packagesas raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="ecs_anywhere"/>
+            <requires profile="x86"/>
+        </profile>
+        <profile name="ECS-Anywhere-SelfInstall" description="SL Micro with Podman and ECS Anywhere packages as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="ecs_anywhere"/>
+            <requires profile="x86-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
+        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="rpi"/>
+        </profile>
+        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt"/>
+        </profile>
+        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-rt-self_install"/>
+            <requires profile="self_install"/>
+        </profile>
+        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-kvm"/>
+        </profile>
+        <profile name="Base-qcow" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-kvm"/>
+        </profile>
+        <profile name="Default-dasd" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-dasd"/>
+        </profile>
+        <profile name="Base-dasd" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-dasd"/>
+        </profile>
+        <profile name="Default-fba" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
+            <requires profile="full"/>
+            <requires profile="s390-fba"/>
+        </profile>
+        <profile name="Base-fba" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
+            <requires profile="container-host"/>
+            <requires profile="s390-fba"/>
+        </profile>
+        <profile name="Default-legacy" description="SL Micro with Podman as raw image with legacy boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-legacy"/>
+        </profile>
+        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
+            <requires profile="full"/>
+            <requires profile="x86-qcow"/>
+        </profile>
+        <profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
+            <requires profile="container-host"/>
+            <requires profile="x86-qcow"/>
+        </profile>
+	<profile name="Default-qcow" description="SL Micro with Podman and KMV as raw image with uEFI boot" arch="aarch64">
+	    <requires profile="full"/>
+	    <requires profile="aarch64-qcow"/>
+        </profile>
+	<profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
+	    <requires profile="container-host"/>
+	    <requires profile="aarch64-qcow"/>
+        </profile>
+    </profiles>
+
+    <preferences profiles="x86-encrypted,x86-rt-encrypted">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+            target_blocksize="4096"
+            efipartsize="200"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">4</size>
+        </type>
+    </preferences>
+    <preferences profiles="x86,x86-rt">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            target_blocksize="4096"
+            efipartsize="200"
+        >
+    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="x86-self_install,x86-rt-self_install">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            target_blocksize="4096"
+            efipartsize="200"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="rpi">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            efipartsize="128"
+            editbootinstall="editbootinstall_rpi.sh"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-self_install">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            firmware="uefi"
+            efipartsize="128"
+	    kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            disk_start_sector="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+
+    <preferences profiles="s390-kvm">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+
+        <type
+            image="oem"
+            filesystem="btrfs"
+            bootpartition="true"
+            bootpartsize="300"
+            bootfilesystem="ext2"
+        initrd_system="dracut"
+        format="qcow2"
+            kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+        devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+    >
+            <bootloader name="grub2_s390x_emu" timeout="3" />
+              <systemdisk>
+                  <volume name="home"/>
+                  <volume name="root"/>
+                  <volume name="opt"/>
+                  <volume name="srv"/>
+          <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                  <volume name="boot/writable"/>
+                  <volume name="usr/local"/>
+                  <volume name="var" copy_on_write="false"/>
+               </systemdisk>
+           <size unit="G">32</size>
+      </type>
+    </preferences>
+
+
+    <preferences profiles="s390-dasd">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+          image="oem"
+          filesystem="btrfs"
+          bootpartition="true"
+          bootpartsize="300"
+          bootfilesystem="ext2"
+          initrd_system="dracut"
+          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+          devicepersistency="by-uuid"
+          target_blocksize="4096"
+          btrfs_root_is_snapshot="true"
+          btrfs_root_is_readonly_snapshot="true"
+          btrfs_quota_groups="true"
+      >
+            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="CDL" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">5</size>
+      </type>
+    </preferences>
+
+
+
+    <preferences profiles="s390-fba">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+          image="oem"
+          filesystem="btrfs"
+          bootpartition="true"
+          bootpartsize="300"
+          bootfilesystem="ext2"
+          initrd_system="dracut"
+          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
+          devicepersistency="by-uuid"
+          btrfs_root_is_snapshot="true"
+          btrfs_root_is_readonly_snapshot="true"
+          btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="FBA"/>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">5</size>
+        </type>
+    </preferences>
+
+
+    <preferences profiles="x86-vmware">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            filesystem="btrfs"
+            format="vmdk"
+            firmware="uefi"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <bootloader name="grub2" console="gfxterm" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">24</size>
+            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+        </type>
+    </preferences>
+    <preferences profiles="x86-qcow">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            format="qcow2"
+            filesystem="btrfs"
+            firmware="uefi"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+            target_blocksize="4096"
+            efipartsize="200"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/i386-pc"/>
+                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">32</size>
+        </type>
+    </preferences>
+
+    <preferences profiles="aarch64-qcow">
+        <version>6.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+	<locale>en_US</locale>
+        <type
+            image="oem"
+            format="qcow2"
+            filesystem="btrfs"
+            firmware="uefi"
+            efipartsize="128"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
+            bootpartition="false"
+            bootkernel="custom"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="true"
+        >
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+ 		<volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+		<volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">20</size>
+        </type>
+    </preferences>
+
+   <repository type="rpm-md" >
+        <source path='obsrepositories:/'/>
+    </repository>
+
+    <packages type="image" profiles="full">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="salt_minion"/>
+	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="kvm_host"/>
+	<package name="patterns-base-kvm_host"/>
+	<package name="lzop"/>
+        <namedCollection name="container_runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/>
+        <namedCollection name="cockpit"/>
+        <package name="patterns-base-cockpit"/>
+        <namedCollection name="selinux"/>
+        <package name="patterns-base-selinux"/>
+        <package name="suseconnect-ng"/>
+        <package name="SL-Micro-release"/>
+        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+        <package name="wpa_supplicant" arch="x86_64,aarch64"/>
+	<package name="libpwquality-tools"/>
+    </packages>
+
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+        <!-- full disk encryption stuff -->
+        <package name="device-mapper"/>
+        <package name="cryptsetup"/>
+        <package name="system-user-tss"/>
+        <package name="libtss2-fapi1"/>
+        <package name="libtss2-tcti-device0"/>
+        <package name="tpm2.0-tools"/>
+        <package name="tpm2-0-tss"/>
+        <package name="fde-firstboot"/>
+    </packages>
+
+    <packages type="image" profiles="container-host">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="container_runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/>
+        <namedCollection name="cockpit"/>
+        <package name="patterns-base-cockpit"/>
+        <namedCollection name="selinux"/>
+        <package name="patterns-base-selinux"/>
+        <package name="suseconnect-ng"/>
+        <package name="SL-Micro-release"/>
+        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+	<package name="libpwquality-tools"/>
+    </packages>
+
+    <packages type="image" profiles="ecs_anywhere">
+        <package name="amazon-ssm-agent"/>
+        <package name="amazon-ecs-init"/>
+        <package name="aws-cli"/>
+        <package name="docker"/>
+    </packages>
+
+    <!-- Ignition / Combustion everywhere, cloud-init only in selected images
+    <packages type="image" profiles="aarch64-self_install,rpi,s390-dasd,s390-fba,s390-kvm,x86,x86-encrypted,x86-legacy,x86-rt,x86-rt-encrypted,x86-rt-self_install,x86-self_install"> -->
+    <packages type="image">
+        <package name="ignition"/>
+        <package name="combustion &gt;= 1.2"/> <!-- New firstboot mechanism -->
+	<package name="jeos-firstboot"/>
+    </packages>
+
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+        <package name="cloud-init"/>
+        <package name="cloud-init-config-suse"/>
+    </packages>
+
+    <packages type="image">
+        <namedCollection name="base_transactional"/>
+        <package name="patterns-base-transactional"/>
+        <namedCollection name="hardware"/>
+        <package name="patterns-base-hardware"/>
+        <package name="grub2"/>
+        <package name="glibc-locale-base"/>
+        <package name="ca-certificates"/>
+	<package name="SL-Micro-release"/>
+        <package name="systemd-default-settings-branding-SLE-Micro"/>
+        <package name="firewalld"/>
+	<package name="NetworkManager-tui"/>
+        <package name="growpart-generator"/>
+        <package name="suse-build-key"/>
+        <!-- for debugging -->
+        <package name="less"/>
+        <package name="vim-small"/>
+
+        <namedCollection name="micro_defaults"/>
+        <package name="patterns-micro-defaults"/>
+        <package name="NetworkManager"/>
+        <package name="NetworkManager-branding-SLE"/>
+	<package name="ModemManager"/>
+	<!-- FIXME does not build without control file which is obsolete
+	<package name="live-add-yast-repos"/> -->
+	<package name="parted"/> <!-- seems missing to deploy the image -->
+    </packages>
+
+    <packages type="image" profiles="bootloader">
+        <package name="grub2-i386-pc" arch="x86_64"/>
+        <package name="grub2-x86_64-efi" arch="x86_64"/>
+        <package name="grub2-arm64-efi" arch="aarch64"/>
+        <package name="grub2-s390x-emu" arch="s390x"/>
+        <package name="grub2-branding-SLE" bootinclude="true" arch="x86_64,aarch64"/>
+        <package name="grub2-snapper-plugin"/>
+        <package name="shim" arch="x86_64,aarch64"/>
+	<package name="mokutil" arch="x86_64,aarch64"/>
+	<!-- obsoleted by kiwi-settings
+	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
+    </packages>
+    <!-- rpi kernel-default-base does not provide all necessary drivers -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba">
+        <package name="kernel-default"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted">
+        <package name="kernel-rt"/>
+	<package name="kernel-firmware-all"/>
+	<!-- FIXME intentionally removed from ALP code stream
+	<package name="cpuset"/> -->
+    </packages>
+    <!-- makes the image build, but also include kernel-default
+    <packages type="image" profiles="x86-rt-encrypted">
+        <package name="kernel-default-extra"/>
+    </packages> -->
+    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba">
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="blog"/>
+    </packages>
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,rpi,aarch64-self_install">
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="dracut-kiwi-oem-dump"/>
+    </packages>
+    <packages type="image" profiles="rpi,aarch64-self_install">
+        <package name="raspberrypi-firmware" arch="aarch64"/>
+        <package name="raspberrypi-firmware-config" arch="aarch64"/>
+        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
+        <package name="u-boot-rpiarm64" arch="aarch64"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="bcm43xx-firmware"/>
+        <package name="kernel-firmware-all"/><!-- Fix choice between kernel-firmware and kernel-firmware-all -->
+        <package name="wireless-regdb"/>
+        <package name="wireless-tools"/>
+        <package name="wpa_supplicant"/>
+        <package name="grub2-arm64-efi"/>
+        <!-- kernel-default-base does not have all required drivers -->
+        <package name="kernel-default"/>
+    </packages>
+    <packages type="bootstrap">
+        <package name="coreutils"/>
+        <package name="filesystem"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+    </packages>
+
+    <!-- bsc#1221936 -->
+    <packages type="image" profiles="x86-vmware">
+        <package name="open-vm-tools"/>
+    </packages>
+
+    <!-- bsc#1221727-->
+    <packages type="image" profiles="x86-qcow,aarch64-qcow">
+        <package name="qemu-guest-agent"/>
+    </packages>
+</image>

kiwi-builder-image/_service

@@ -0,0 +1,19 @@
+<services>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">README</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+  </service>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
+  </service>
+</services>

kiwi-builder-image/build-image.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Copyright (c) 2024 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+
+# Set image build defaults, blocksize is an empty string
+PROFILE="Default"
+LARGEBLOCK=false
+
+# Print usage
+usage(){
+	cat <<-EOF
+	==============================
+	SLE Micro 6.0 Kiwi SDK Builder
+	==============================
+
+	Usage: ${0} [-p <profile>] [-b]
+
+	Profile Options (-p):
+	* Default: RAW Disk Image with kernel-default
+	* Default-SelfInstall: SelfInstall ISO with kernel-default
+	* Base-RT: RAW Disk Image with kernel-rt
+	* Base-RT-SelfInstall: SelfInstall ISO with kernel-rt
+
+	4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
+
+	NOTE: If both options are omitted, the "Default" profile with a standard "512" blocksize is used.
+	EOF
+}
+
+# Grab CLI options and handle
+while getopts 'p:bh' OPTION; do
+	case "${OPTION}" in
+		p)
+			PROFILE="${OPTARG}"
+			;;
+		b)
+			LARGEBLOCK=true
+			;;
+		?)
+			usage && exit 2
+			;;
+	esac
+done
+
+# To avoid wasting time, perform the loop creation test first, and exit with a warning to re-run.
+# This only happens when the container hasn't been ran on the host before, and is avoided by mounting /dev/ into the image.
+qemu-img create /tmp/output/test.img 1M
+if LOOP=$(losetup -f --show /tmp/output/test.img); then
+  rm -f /tmp/output/test.img
+  losetup -d $LOOP
+else
+  echo -e "\nERROR: Early loop device test failed, please retry the container run."
+  exit 1
+fi
+
+# Grab local SLE Micro repos and create a list to use as part of the image build
+REPOS=`for i in $(cat /micro-sdk/repos/*.repo | awk '/baseurl/ {split($0,string,"="); print string[2]}'); do echo -n "--add-repo $i "; done`
+
+if $LARGEBLOCK; then
+  mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
+fi
+
+# Build the image
+kiwi-ng --debug --profile $PROFILE system build \
+    --description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
+
+# Print output
+RESULT=$?
+if [ $RESULT -eq 0 ]; then
+  echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
+else
+  echo -e "\n\nERROR: Failed to build the image, please see above logs."
+fi

kiwi-builder-image/config.sh

@@ -0,0 +1,317 @@
+#!/bin/bash
+# Copyright (c) 2023 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# 
+#======================================
+# Functions...
+#--------------------------------------
+
+test -f /.kconfig && . /.kconfig
+test -f /.profile && . /.profile
+
+set -euxo pipefail
+
+mkdir /var/lib/misc/reconfig_system
+
+#======================================
+# Greeting...
+#--------------------------------------
+echo "Configure image: [$kiwi_iname]-[$kiwi_profiles]..."
+
+#======================================
+# This is a workaround - someone,
+# somewhere needs to load the xts crypto
+# module, otherwise luksOpen will fail while
+# creating the image.
+#--------------------------------------
+modprobe xts || true
+
+#======================================
+# add missing fonts
+#--------------------------------------
+CONSOLE_FONT="eurlatgr.psfu"
+
+#======================================
+# prepare for setting root pw, timezone
+#--------------------------------------
+echo ** "reset machine settings"
+sed -i 's/^root:[^:]*:/root:*:/' /etc/shadow
+rm /etc/machine-id
+rm /var/lib/zypp/AnonymousUniqueId
+
+#======================================
+# Setup baseproduct link
+#--------------------------------------
+suseSetupProduct
+
+#======================================
+# Specify default runlevel
+#--------------------------------------
+baseSetRunlevel 3
+
+#======================================
+# Add missing gpg keys to rpm
+#--------------------------------------
+suseImportBuildKey
+
+#======================================
+# If SELinux is installed, configure it like transactional-update setup-selinux
+#--------------------------------------
+if [[ -e /etc/selinux/config ]]; then
+	# Check if we don't have selinux already enabled.
+	grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q security=selinux || \
+	    sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' "/etc/default/grub"
+
+	# Adjust selinux config
+	sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
+	    -e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
+	    "/etc/selinux/config"
+
+	# Move an /.autorelabel file from initial installation to writeable location
+	test -f /.autorelabel && mv /.autorelabel /etc/selinux/.autorelabel
+fi
+
+##======================================
+## Enable DHCP on eth0
+##--------------------------------------
+#cat >/etc/sysconfig/network/ifcfg-eth0 <<EOF
+#BOOTPROTO='dhcp'
+#MTU=''
+#REMOTE_IPADDR=''
+#STARTMODE='auto'
+#ETHTOOL_OPTIONS=''
+#USERCONTROL='no'
+#EOF
+
+systemctl enable NetworkManager
+systemctl enable ModemManager
+
+#======================================
+# Enable cloud-init
+#--------------------------------------
+suseInsertService cloud-init-local
+suseInsertService cloud-init
+suseInsertService cloud-config
+suseInsertService cloud-final
+
+# Enable chrony
+suseInsertService chronyd
+
+#======================================
+# Sysconfig Update
+#--------------------------------------
+echo '** Update sysconfig entries...'
+
+echo FONT="$CONSOLE_FONT" >> /etc/vconsole.conf
+
+# fix security level (boo#1171174)
+sed -e '/^PERMISSION_SECURITY=s/easy/paranoid/' /etc/sysconfig/security
+chkstat --set --system
+
+#======================================
+# SSL Certificates Configuration
+#--------------------------------------
+echo '** Rehashing SSL Certificates...'
+update-ca-certificates
+
+#======================================
+# Import trusted rpm keys
+#--------------------------------------
+for i in /usr/lib/rpm/gnupg/keys/gpg-pubkey*asc; do
+    # importing can fail if it already exists
+    rpm --import $i || true
+done
+
+# Temporary workaround for bsc#1212187
+echo "techpreview.ZYPP_MEDIANETWORK=1" >> /etc/zypp/zypp.conf
+
+#======================================
+# Enable kubelet if installed
+#--------------------------------------
+if [ -e /usr/lib/systemd/system/kubelet.service ]; then
+	suseInsertService kubelet
+fi
+
+# Adjust zypp conf
+# https://github.com/openSUSE/libzypp/issues/212
+# in yast that's done in packager/cfa/zypp_conf.rb
+sed -i 's/.*solver.onlyRequires.*/solver.onlyRequires = true/g' /etc/zypp/zypp.conf
+sed -i 's/.*rpm.install.excludedocs.*/rpm.install.excludedocs = yes/g' /etc/zypp/zypp.conf
+sed -i 's/^multiversion =.*/multiversion =/g' /etc/zypp/zypp.conf
+
+#=====================================
+# Configure snapper
+#-------------------------------------
+if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
+        echo "creating initial snapper config ..."
+        cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
+        baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
+
+	# Adjust parameters
+	sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' /etc/snapper/configs/root
+	sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' /etc/snapper/configs/root
+	sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' /etc/snapper/configs/root
+fi
+
+# Enable jeos-firstboot if installed, disabled by combustion/ignition
+if rpm -q --whatprovides jeos-firstboot >/dev/null; then
+        mkdir -p /var/lib/YaST2
+        touch /var/lib/YaST2/reconfig_system
+        systemctl enable jeos-firstboot.service
+fi
+
+# Enable cloud-init if installed
+if rpm -q --whatprovides cloud-init >/dev/null; then
+	systemctl enable cloud-init
+	systemctl enable cloud-init-local
+fi
+
+# The %post script can't edit /etc/fstab sys due to https://github.com/OSInside/kiwi/issues/945
+# so use the kiwi custom hack
+cat >/etc/fstab.script <<"EOF"
+#!/bin/sh
+set -eux
+
+/usr/sbin/setup-fstab-for-overlayfs
+# If /var is on a different partition than /...
+if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
+	# ... set options for autoexpanding /var
+	gawk -i inplace '$2 == "/var" { $4 = $4",x-growpart.grow,x-systemd.growfs" } { print $0 }' /etc/fstab
+fi
+EOF
+chmod a+x /etc/fstab.script
+
+# To make x-systemd.growfs work from inside the initrd
+cat >/etc/dracut.conf.d/50-microos-growfs.conf <<"EOF"
+install_items+=" /usr/lib/systemd/systemd-growfs "
+EOF
+
+#======================================
+# Add repos from control.xml
+#--------------------------------------
+if [ -x /usr/sbin/add-yast-repos ]; then
+	add-yast-repos
+	zypper --non-interactive rm -u live-add-yast-repos
+fi
+
+#======================================
+# Configure SelfInstall specifics
+#--------------------------------------
+if [[ "$kiwi_profiles" == *"SelfInstall"* ]]; then
+	cat > /etc/systemd/system/selfinstallbootloader.service <<-EOF
+	[Unit]
+	Description=
+	After=systemd-machine-id-commit.service
+	Before=jeos-firstboot.service
+	
+	[Service]
+	Type=oneshot
+	ExecStart=rm /etc/systemd/system/selfinstallbootloader.service
+	ExecStart=rm /etc/systemd/system/default.target.wants/selfinstallbootloader.service
+	ExecStart=/sbin/transactional-update bootloader
+	ExecStart=/sbin/transactional-update apply
+
+	[Install]
+	WantedBy=default.target
+	EOF
+	ln -s /etc/systemd/system/selfinstallbootloader.service /etc/systemd/system/default.target.wants/selfinstallbootloader.service
+fi
+
+#======================================
+# Boot TimeOut Configuration for iSCSI
+#--------------------------------------
+cat > /etc/systemd/system/iscsi-init-delay.service <<-EOF
+[Unit]
+# Workaround for boo#1198457 delay gen-initiatorname after local-fs
+Description=One time delay for the iscsid.service
+ConditionPathExists=!/etc/iscsi/initiatorname.iscsi
+ConditionPathExists=/sbin/iscsi-gen-initiatorname
+DefaultDependencies=no
+RequiresMountsFor=/etc/iscsi
+After=local-fs.target
+Before=iscsi-init.service
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/sbin/iscsi-gen-initiatorname
+EOF
+ln -s /etc/systemd/system/iscsi-init-delay.service /etc/systemd/system/default.target.wants/iscsi-init-delay.service
+
+#======================================
+# Configure Pine64 specifics
+#--------------------------------------
+if [[ "$kiwi_profiles" == *"Pine64" ]]; then
+    echo 'add_drivers+=" fixed sunxi-mmc axp20x-regulator axp20x-rsb "' > /etc/dracut.conf.d/sunxi_modules.conf
+fi
+
+#======================================
+# Configure Raspberry Pi specifics
+#--------------------------------------
+if [[ "$kiwi_profiles" == *"RaspberryPi"* ]]; then
+	# Add necessary kernel modules to initrd (will disappear with bsc#1084272)
+	echo 'add_drivers+=" bcm2835_dma dwc2 "' > /etc/dracut.conf.d/raspberrypi_modules.conf
+
+	# Add necessary kernel modules to initrd (will disappear with boo#1162669)
+	echo 'add_drivers+=" pcie-brcmstb "' >> /etc/dracut.conf.d/raspberrypi_modules.conf
+
+	# Work around network issues
+  	cat > /etc/modprobe.d/50-rpi3.conf <<-EOF
+		# Prevent too many page allocations (bsc#1012449)
+		options smsc95xx turbo_mode=N
+	EOF
+
+	cat > /usr/lib/sysctl.d/50-rpi3.conf <<-EOF
+		# Avoid running out of DMA pages for smsc95xx (bsc#1012449)
+		vm.min_free_kbytes = 2048
+	EOF
+fi
+
+#======================================
+# Configure Vagrant specifics
+#--------------------------------------
+if [[ "$kiwi_profiles" == *"Vagrant"* ]]; then
+        # create vagrant user
+        useradd vagrant
+        # allow password-less sudo
+        echo "vagrant ALL=(ALL)NOPASSWD:ALL" > /etc/sudoers.d/vagrant
+        # add vagrant's insecure key
+        mkdir -p /home/vagrant/.ssh
+        chmod 0700 /home/vagrant/.ssh
+        cat > /home/vagrant/.ssh/authorized_keys << EOF
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
+EOF
+        chmod 0600 /home/vagrant/.ssh/authorized_keys
+        chown -R vagrant /home/vagrant
+fi
+
+#======================================
+# cloud-init specific settings
+#--------------------------------------
+# We do not want cloud-init to run in an environment when there is no data
+# source found. bsc#1222113
+if [[ "$kiwi_profiles" =~ ^(x86-qcow|x86-vmware|aarch64-qcow)$ ]]; then
+    echo "policy: search,found=all,maybe=disabled,notfound=disabled" > /etc/cloud/ds-identify.cfg
+fi
+
+exit 0

kube-rbac-proxy-image/Dockerfile

@@ -1,28 +1,27 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:v%%cluster-api_version%%
+#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%
+#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
-#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api shadow; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends kube-rbac-proxy; zypper -n clean; rm -rf /var/log/*
 
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
-# labelprefix=com.suse.application.cluster-api
+# labelprefix=com.suse.application.kube-rbac-proxy
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
-LABEL org.opencontainers.image.title="SLE cluster-api Container Image"
+LABEL org.opencontainers.image.title="SLE kube-rbac-proxy Container Image"
-LABEL org.opencontainers.image.description="cluster-api based on the SLE Base Container Image."
+LABEL org.opencontainers.image.description="kube-rbac-proxy based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="%%cluster-api_version%%"
+LABEL org.opencontainers.image.version="%%kube-rbac-proxy_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api:%%cluster-api_version%%-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
@@ -30,7 +29,7 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN mv /usr/bin/cluster-api-controller /manager
+#Install kube-rbac-proxy
-# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+EXPOSE 8080
-USER 65532
+USER 65532:65532
-ENTRYPOINT [ "/manager" ]
+ENTRYPOINT ["/kube-rbac-proxy"]

kube-rbac-proxy-image/_service

@@ -3,15 +3,17 @@
   <service mode="buildtime" name="docker_label_helper"/>
   <service name="replace_using_package_version" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="regex">%%cluster-api-provider-rke2_version%%</param>
+    <param name="regex">%%kube-rbac-proxy_version%%</param>
-    <param name="package">cluster-api-provider-rke2-control-plane</param>
+    <param name="package">kube-rbac-proxy</param>
     <param name="parse-version">patch</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

kube-rbac-proxy/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.18.0</param>
+    <param name="revision">v0.18.1</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

kube-rbac-proxy/kube-rbac-proxy.spec

@@ -17,14 +17,14 @@
 
 
 Name:           kube-rbac-proxy
-Version:        0.18.0
+Version:        0.18.1
-Release:        0.18.0
+Release:        0.18.1
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.23
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

kubevirt-chart/Chart.yaml

@@ -0,0 +1,9 @@
+#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:302.0.0_up0.4.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:302.0.0_up0.4.0
+apiVersion: v2
+appVersion: 1.3.1
+description: A Helm chart for KubeVirt
+icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
+name: kubevirt
+type: application
+version: 302.0.0+up0.4.0