Merge pull request 'Update metal3 components to latest' (#317) from nbelouin/Factory:metal3-update into main

Reviewed-on: #317
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>

.gitmodules

@@ -1,39 +1,170 @@
-[submodule "obs-service-set_version"]
-	path = obs-service-set_version
-	url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
-[submodule "fakeroot"]
-	path = fakeroot
-	url = https://src.opensuse.org/pool/fakeroot.git
 [submodule "crudini"]
 	path = crudini
 	url = https://src.opensuse.org/pool/crudini.git
-[submodule "autoconf"]
-	path = autoconf
-	url = https://src.opensuse.org/SLFO-pool/autoconf.git
-[submodule "python-pydantic"]
-	path = python-pydantic
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic
-[submodule "python-pydantic-core"]
-	path = python-pydantic-core
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic-core
-[submodule "python-inline-snapshot"]
-	path = python-inline-snapshot
-	url = https://src.opensuse.org/SLFO-pool/python-inline-snapshot
-[submodule "python-executing"]
-	path = python-executing
-	url = https://src.opensuse.org/SLFO-pool/python-executing
-[submodule "python-typing-inspection"]
-	path = python-typing-inspection
-	url = https://src.opensuse.org/SLFO-pool/python-typing-inspection
-[submodule "python-annotated-types"]
-	path = python-annotated-types
-	url = https://src.opensuse.org/SLFO-pool/python-annotated-types
-[submodule "python-typing_extensions"]
-	path = python-typing_extensions
-	url = https://src.opensuse.org/SLFO-pool/python-typing_extensions
-[submodule "python-flit-core"]
-	path = python-flit-core
-	url = https://src.opensuse.org/SLFO-pool/python-flit-core
+[submodule "cni-plugins"]
+	path = cni-plugins
+	url = https://src.opensuse.org/pool/cni-plugins
+[submodule "python-kubernetes"]
+	path = python-kubernetes
+	url = https://src.opensuse.org/pool/python-kubernetes
+	branch = leap-16.0
+[submodule "python-durationpy"]
+	path = python-durationpy
+	url = https://src.opensuse.org/pool/python-durationpy
+	branch = leap-16.0
+[submodule "python-recommonmark"]
+	path = python-recommonmark
+	url = https://src.opensuse.org/pool/python-recommonmark
+	branch = leap-16.0
+[submodule "python-iniparse"]
+	path = python-iniparse
+	url = https://src.opensuse.org/pool/python-iniparse
+	branch = leap-16.0
+[submodule "python-commonmark"]
+	path = python-commonmark
+	url = https://src.opensuse.org/pool/python-commonmark
+	branch = leap-16.0
+[submodule "cni"]
+	path = cni
+	url = https://src.opensuse.org/pool/cni
+[submodule "python-tenacity"]
+	path = python-tenacity
+	url = https://src.opensuse.org/pool/python-tenacity
+[submodule "python-pint"]
+	path = python-pint
+	url = https://src.opensuse.org/pool/python-pint
+	branch = leap-16.0
+[submodule "python-flexcache"]
+	path = python-flexcache
+	url = https://src.opensuse.org/pool/python-flexcache
+	branch = leap-16.0
+[submodule "python-flexparser"]
+	path = python-flexparser
+	url = https://src.opensuse.org/pool/python-flexparser
+	branch = leap-16.0
+[submodule "python-uncertainties"]
+	path = python-uncertainties
+	url = https://src.opensuse.org/pool/python-uncertainties
+	branch = leap-16.0
+[submodule "python-dogpile.cache"]
+	path = python-dogpile.cache
+	url = https://src.opensuse.org/pool/python-dogpile.cache
+	branch = leap-16.0
+[submodule "python-pytest-mpl"]
+	path = python-pytest-mpl
+	url = https://src.opensuse.org/pool/python-pytest-mpl
+	branch = leap-16.0
+[submodule "python-zeroconf"]
+	path = python-zeroconf
+	url = https://src.opensuse.org/pool/python-zeroconf
+	branch = leap-16.0
+[submodule "python-ifaddr"]
+	path = python-ifaddr
+	url = https://src.opensuse.org/pool/python-ifaddr
+	branch = leap-16.0
+[submodule "python-yappi"]
+	path = python-yappi
+	url = https://src.opensuse.org/pool/python-yappi
+[submodule "python-routes"]
+	path = python-routes
+	url = https://src.opensuse.org/pool/python-routes
+	branch = leap-16.0
+[submodule "python-repoze.lru"]
+	path = python-repoze.lru
+	url = https://src.opensuse.org/pool/python-repoze.lru
+	branch = leap-16.0
+[submodule "ipxe"]
+	path = ipxe
+	url = https://src.opensuse.org/pool/ipxe
+	branch = leap-16.0
+[submodule "python-setproctitle"]
+	path = python-setproctitle
+	url = https://src.opensuse.org/pool/python-setproctitle
+	branch = leap-16.0
+[submodule "python-requests-kerberos"]
+	path = python-requests-kerberos
+	url = https://src.opensuse.org/pool/python-requests-kerberos
+	branch = leap-16.0
+[submodule "python-pecan"]
+	path = python-pecan
+	url = https://src.opensuse.org/pool/python-pecan
+	branch = leap-16.0
+[submodule "python-pycdlib"]
+	path = python-pycdlib
+	url = https://src.opensuse.org/pool/python-pycdlib
+[submodule "python-cliff"]
+	path = python-cliff
+	url = https://src.opensuse.org/pool/python-cliff
+[submodule "python-autopage"]
+	path = python-autopage
+	url = https://src.opensuse.org/pool/python-autopage
+[submodule "python-cmd2"]
+	path = python-cmd2
+	url = https://src.opensuse.org/pool/python-cmd2
+	branch = leap-16.0
+[submodule "uwsgi"]
+	path = uwsgi
+	url = https://src.opensuse.org/pool/uwsgi
+	branch = leap-16.0
+[submodule "python-requestsexceptions"]
+	path = python-requestsexceptions
+	url = https://src.opensuse.org/pool/python-requestsexceptions
+[submodule "python-python-memcached"]
+	path = python-python-memcached
+	url = https://src.opensuse.org/pool/python-python-memcached
+[submodule "python-kombu"]
+	path = python-kombu
+	url = https://src.opensuse.org/pool/python-kombu
+[submodule "python-amqp"]
+	path = python-amqp
+	url = https://src.opensuse.org/pool/python-amqp
+	branch = leap-16.0
+[submodule "python-statsd"]
+	path = python-statsd
+	url = https://src.opensuse.org/pool/python-statsd
+[submodule "python-warlock"]
+	path = python-warlock
+	url = https://src.opensuse.org/pool/python-warlock
+[submodule "python-case"]
+	path = python-case
+	url = https://src.opensuse.org/pool/python-case
+	branch = leap-16.0
+[submodule "python-vine"]
+	path = python-vine
+	url = https://src.opensuse.org/pool/python-vine
+	branch = leap-16.0
+[submodule "python-Pyro5"]
+	path = python-Pyro5
+	url = https://src.opensuse.org/pool/python-Pyro5
+	branch = leap-16.0
+[submodule "python-pre-commit"]
+	path = python-pre-commit
+	url = https://src.opensuse.org/pool/python-pre-commit
+[submodule "python-serpent"]
+	path = python-serpent
+	url = https://src.opensuse.org/pool/python-serpent
+	branch = leap-16.0
+[submodule "python-google-cloud-monitoring"]
+	path = python-google-cloud-monitoring
+	url = https://src.opensuse.org/pool/python-google-cloud-monitoring
+[submodule "python-google-cloud-pubsub"]
+	path = python-google-cloud-pubsub
+	url = https://src.opensuse.org/pool/python-google-cloud-pubsub
+[submodule "python-cfgv"]
+	path = python-cfgv
+	url = https://src.opensuse.org/pool/python-cfgv
+[submodule "python-identify"]
+	path = python-identify
+	url = https://src.opensuse.org/pool/python-identify
+[submodule "python-pandas"]
+	path = python-pandas
+	url = https://src.opensuse.org/pool/python-pandas
+[submodule "python-grpc-google-iam-v1"]
+	path = python-grpc-google-iam-v1
+	url = https://src.opensuse.org/pool/python-grpc-google-iam-v1
+[submodule "python-editdistance"]
+	path = python-editdistance
+	url = https://src.opensuse.org/pool/python-editdistance

.obs/common.py

@@ -1,3 +1,3 @@
-PROJECT = "isv:SUSE:Edge:3.4"
+PROJECT = "isv:SUSE:Edge:Factory"
 REPOSITORY = "https://src.opensuse.org/suse-edge/Factory"
-BRANCH = "3.4"
+BRANCH = "main"

_config

@@ -1,8 +1,11 @@
-Prefer: -libqpid-proton10 -python311-urllib3_1
+Prefer: -libqpid-proton10 -python313-urllib3_1
 Prefer: -cargo1.58 -cargo1.57 cargo1.89
+Prefer: chrony-pool-suse
+Prefer: -postgresql17-devel-mini
+
+BuildFlags: excludebuild:python-pandas:test-py313
 
 Macros:
-%__python3 /usr/bin/python3.11
 %registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
 :Macros
 
@@ -46,92 +49,43 @@ Macros:
 :Macros
 %endif
 
-# Missing deps for testsuite
-BuildFlags: excludebuild:autoconf:el
-BuildFlags: excludebuild:autoconf:testsuite
-
-# Missing deps for python packages related to suse-edge-components-versions
-BuildFlags: excludebuild:python-pydantic:test
-BuildFlags: excludebuild:python-pydantic-core:test
-BuildFlags: excludebuild:python-inline-snapshot:test
-BuildFlags: excludebuild:python-executing:test
-BuildFlags: excludebuild:python-annotated-types:test
-BuildFlags: excludebuild:python-typing-inspection:test
-BuildFlags: excludebuild:python-typing_extensions:test
-
 # Only build manifest embedding images here
 %if "%_repository" == "test_manifest_images"
 BuildFlags: onlybuild:edge-image-builder-image
 BuildFlags: onlybuild:release-manifest-image
-  # Exclude the images selected by the following section
-  # as the standard repository is a dependency
-  %ifarch aarch64
-    BuildFlags: excludebuild:baremetal-operator-image
-    BuildFlags: excludebuild:endpoint-copier-operator-image
-    BuildFlags: excludebuild:ironic-image
-    BuildFlags: excludebuild:ironic-ipa-downloader-image
-    BuildFlags: excludebuild:kiwi-builder-image
-    BuildFlags: excludebuild:kubectl-image
-    BuildFlags: excludebuild:kube-rbac-proxy-image
-    BuildFlags: excludebuild:metallb-controller-image
-    BuildFlags: excludebuild:metallb-speaker-image
-    BuildFlags: excludebuild:nessie-image
-    BuildFlags: excludebuild:suse-edge-components-versions-image
-  %endif
 %else
-# Only a subset of stack is arm64 ready
+# Only a subset of stack is arm64 ready exclude what is not ready
   %ifarch aarch64
-    BuildFlags: onlybuild:autoconf
-    BuildFlags: onlybuild:baremetal-operator
-    BuildFlags: onlybuild:baremetal-operator-image
-    BuildFlags: onlybuild:ca-certificates-suse
-    BuildFlags: onlybuild:container-build-checks
-    BuildFlags: onlybuild:crudini
-    BuildFlags: onlybuild:edge-build-checks
-    BuildFlags: onlybuild:edge-image-builder
-    BuildFlags: onlybuild:edge-image-builder-image
-    BuildFlags: onlybuild:endpoint-copier-operator
-    BuildFlags: onlybuild:endpoint-copier-operator-image
-    BuildFlags: onlybuild:fakeroot
-    BuildFlags: onlybuild:hauler
-    BuildFlags: onlybuild:ipcalc
-    BuildFlags: onlybuild:ironic-image
-    BuildFlags: onlybuild:ironic-ipa-downloader-image
-    BuildFlags: onlybuild:ironic-ipa-ramdisk
-    BuildFlags: onlybuild:kubectl
-    BuildFlags: onlybuild:kubectl-image
-    BuildFlags: onlybuild:kube-rbac-proxy
-    BuildFlags: onlybuild:kube-rbac-proxy-image
-    BuildFlags: onlybuild:metallb
-    BuildFlags: onlybuild:metallb-controller-image
-    BuildFlags: onlybuild:metallb-speaker-image
-    BuildFlags: onlybuild:nessie
-    BuildFlags: onlybuild:nessie-image
-    BuildFlags: onlybuild:nm-configurator
-    BuildFlags: onlybuild:python-annotated-types
-    BuildFlags: onlybuild:python-executing
-    BuildFlags: onlybuild:python-flit-core
-    BuildFlags: onlybuild:python-inline-snapshot
-    BuildFlags: onlybuild:python-pydantic
-    BuildFlags: onlybuild:python-pydantic-core
-    BuildFlags: onlybuild:python-pyhelm3
-    BuildFlags: onlybuild:python-rich
-    BuildFlags: onlybuild:python-suse-edge-components-versions
-    BuildFlags: onlybuild:python-typing-inspection
-    BuildFlags: onlybuild:python-typing_extensions
-    BuildFlags: onlybuild:shim-noarch
-    BuildFlags: onlybuild:suse-edge-components-versions-image
+    # Akri
+    BuildFlags: excludebuild:akri
+    BuildFlags: excludebuild:akri-agent-image
+    BuildFlags: excludebuild:akri-controller-image
+    BuildFlags: excludebuild:akri-debug-echo-discovery-handler-image
+    BuildFlags: excludebuild:akri-onvif-discovery-handler-image
+    BuildFlags: excludebuild:akri-opcua-discovery-handler-image
+    BuildFlags: excludebuild:akri-udev-discovery-handler-image
+    BuildFlags: excludebuild:akri-webhook-configuration-image
+    BuildFlags: excludebuild:cri-tools
+
+    # FRR
+    BuildFlags: excludebuild:frr-image
+    BuildFlags: excludebuild:frr-k8s
+    BuildFlags: excludebuild:frr-k8s-image
+    
+    # Upgrade controller
+    BuildFlags: excludebuild:release-manifest-image
+    BuildFlags: excludebuild:upgrade-controller
+    BuildFlags: excludebuild:upgrade-controller-image 
   %endif
 %endif
 
 %if "%_repository" == "images" || "%_repository" == "test_manifest_images"
-    Prefer: container:sles15-image
     Type: docker
     Repotype: none
     Patterntype: none
     BuildEngine: podman
-    Prefer: sles-release
-    BuildFlags: dockerarg:SLE_VERSION=15.7
+    Prefer: SLES-release
+    BuildFlags: dockerarg:SLE_VERSION=16.0
 
     # Publish multi-arch container images only once all archs have been built
     PublishFlags: archsync
@@ -146,47 +100,6 @@ BuildFlags: onlybuild:release-manifest-image
 
 %endif
 
-%if "%_repository" == "images_16.0"
-    Prefer: container:sles15-image
-    Type: docker
-    BuildEngine: podman
-    Repotype: none
-    Patterntype: none
-    BuildFlags: dockerarg:SLE_VERSION=16.0
-    BuildFlags: onlybuild:kiwi-builder-image
-    
-    Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
-
-    # Publish multi-arch container images only once all archs have been built
-    PublishFlags: archsync
-
-    # Exclude the images selected by the aarch64 section
-    %ifarch aarch64
-      BuildFlags: excludebuild:baremetal-operator-image
-      BuildFlags: excludebuild:edge-image-builder-image
-      BuildFlags: excludebuild:endpoint-copier-operator-image
-      BuildFlags: excludebuild:ironic-image
-      BuildFlags: excludebuild:ironic-ipa-downloader-image
-      BuildFlags: excludebuild:kubectl-image
-      BuildFlags: excludebuild:kube-rbac-proxy-image
-      BuildFlags: excludebuild:metallb-controller-image
-      BuildFlags: excludebuild:metallb-speaker-image
-      BuildFlags: excludebuild:nessie-image
-      BuildFlags: excludebuild:suse-edge-components-versions-image
-    %endif
-
-%else
-    %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
-      BuildFlags: excludebuild:kiwi-builder-image
-    %else
-      %ifarch aarch64
-        BuildFlags: onlybuild:kiwi-builder-image
-      %endif
-    %endif
-%endif
-
-
-
 %if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
     Type: helm
     Repotype: helm
@@ -203,12 +116,16 @@ BuildFlags: onlybuild:release-manifest-image
 
     # ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
     ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
+    ExportFilter: ^grub2-.*-efi-.*\.noarch\.rpm$ aarch64 x86_64
 %endif
 
+%if "%_repository" != "standard"
+    BuildFlags: excludebuild:grub-aggregate 
+%endif
 # Enable reproducible builds
 # https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
 Macros:
-%source_date_epoch_from_changelog Y
+%source_date_epoch_from_changelog N
 %clamp_mtime_to_source_date_epoch Y
 %use_source_date_epoch_as_buildtime Y
 %_buildhost reproducible

_meta

@@ -34,20 +34,15 @@
     <arch>x86_64</arch>
   </repository>
 {%- endif %}
-{%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
+{%- for repository in ["images", "test_manifest_images"] %}
   <repository name="{{ repository }}">
     {%- if release_project is defined and repository != "test_manifest_images" %}
     <releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
     {%- endif %}
     <path project="SUSE:Registry" repository="standard"/>
-    {%- if repository == "images_16.0" %}
-      <path project="SUSE:CA" repository="16.0"/>
-      <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
-      <path project="SUSE:SLFO:Main:Build" repository="standard"/>
-    {%- else %}
-      <path project="SUSE:CA" repository="SLE_15_SP7"/>
-      <path project="{{ project }}" repository="standard"/>
-    {%- endif %}
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:CA" repository="openSUSE_Tumbleweed"/>
+    <path project="{{ project }}" repository="standard"/>
     <arch>x86_64</arch>
     <arch>aarch64</arch>
   </repository>
@@ -56,8 +51,9 @@
     {%- if release_project is defined and not for_release %}
     <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
     {%- endif %}
-    <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
-    <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
+    <path project="SUSE:SLFO:1.2" repository="standard"/>
     <arch>x86_64</arch>
     <arch>aarch64</arch>
   </repository>

akri-dashboard-extension-chart/Chart.yaml

@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2-%RELEASE%
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
   catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
   catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 304.0.3+up1.3.1
+appVersion: 1.3.2
 description: 'SUSE Edge: Akri extension for Rancher Dashboard'
 name: akri-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.3+up1.3.1"
+version: "%%CHART_MAJOR%%.0.4+up1.3.2"
 icon: >-
   https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg

akri-dashboard-extension-chart/templates/cr.yaml

@@ -8,7 +8,7 @@ spec:
   plugin:
     name: {{ include "extension-server.fullname" . }}
     version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/304.0.3+up1.3.1
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.3.2
     noCache: {{ .Values.plugin.noCache }}
     noAuth: {{ .Values.plugin.noAuth }}
     metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}

baremetal-operator-image/Dockerfile

@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1
-#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator python3-watchdog procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
 
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers

baremetal-operator-image/bmo-run

@@ -3,10 +3,11 @@ export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPD
 export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}
 
 if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
-    inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
-        kill $(pgrep baremetal-opera)
-    done &
+     watchmedo shell-command \
+            --patterns="$(basename "${IRONIC_CACERT_FILE}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -TERM baremetal-opera; fi' \
+            "$(dirname "${IRONIC_CACERT_FILE}")" &
 fi
 
 exec /usr/bin/baremetal-operator $@

baremetal-operator/0001-Enable-exhaustive-linter.patch

@@ -1,163 +0,0 @@
-From f8c1ba1696fd8555e8e94246ec5afa38536fa8bd Mon Sep 17 00:00:00 2001
-From: erjavaskivuori <erja.vaskivuori@est.tech>
-Date: Thu, 5 Jun 2025 09:49:47 +0000
-Subject: [PATCH 1/5] Enable exhaustive linter
-
-Enable exhaustive linter to check exhaustiveness of switch statements of enum-like
-constants.
-
-Signed-off-by: erjavaskivuori <erja.vaskivuori@est.tech>
-(cherry picked from commit a5a81b8717c9e6642ae626ea97933e3615fe11c0)
----
- .golangci.yaml                                |  4 ++-
- .../metal3.io/v1alpha1/baremetalhost_types.go |  1 +
- .../metal3.io/baremetalhost_controller.go     |  2 ++
- .../metal3.io/host_state_machine.go           |  4 +++
- pkg/provisioner/ironic/ironic.go              | 26 +++++++++----------
- 5 files changed, 22 insertions(+), 15 deletions(-)
-
-diff --git a/.golangci.yaml b/.golangci.yaml
-index 58e54b31..c758b93c 100644
---- a/.golangci.yaml
-+++ b/.golangci.yaml
-@@ -21,7 +21,7 @@ linters:
-   - errchkjson
-   #- errname
-   #- errorlint
--  #- exhaustive
-+  - exhaustive
-   - exptostd
-   - fatcontext
-   #- forbidigo
-@@ -78,6 +78,8 @@ linters:
-   # Run with --fast=false for more extensive checks
-   fast: true
- linters-settings:
-+  exhaustive:
-+    default-signifies-exhaustive: true
-   gosec:
-     severity: medium
-     confidence: medium
-diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types.go b/apis/metal3.io/v1alpha1/baremetalhost_types.go
-index ba1b4333..426a7a89 100644
---- a/apis/metal3.io/v1alpha1/baremetalhost_types.go
-+++ b/apis/metal3.io/v1alpha1/baremetalhost_types.go
-@@ -1113,6 +1113,7 @@ func (host *BareMetalHost) OperationMetricForState(operation ProvisioningState)
- 		metric = &history.Provision
- 	case StateDeprovisioning:
- 		metric = &history.Deprovision
-+	default:
- 	}
- 	return
- }
-diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
-index 33310bf7..1998627e 100644
---- a/internal/controller/metal3.io/baremetalhost_controller.go
-+++ b/internal/controller/metal3.io/baremetalhost_controller.go
-@@ -586,6 +586,7 @@ func getCurrentImage(host *metal3api.BareMetalHost) *metal3api.Image {
- 		if host.Spec.Image != nil && host.Spec.Image.URL != "" {
- 			return host.Spec.Image.DeepCopy()
- 		}
-+	default:
- 	}
- 	return nil
- }
-@@ -816,6 +817,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
- 		if info.host.Spec.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
- 			preprovImgFormats = nil
- 		}
-+	default:
- 	}
- 
- 	preprovImg, err := r.getPreprovImage(info, preprovImgFormats)
-diff --git a/internal/controller/metal3.io/host_state_machine.go b/internal/controller/metal3.io/host_state_machine.go
-index 8b382553..6d88591b 100644
---- a/internal/controller/metal3.io/host_state_machine.go
-+++ b/internal/controller/metal3.io/host_state_machine.go
-@@ -107,6 +107,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
- 			if actionRes := hsm.ensureCapacity(info, hsm.NextState); actionRes != nil {
- 				return actionRes
- 			}
-+		default:
- 		}
- 
- 		info.log.Info("changing provisioning state",
-@@ -137,6 +138,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
- 				info.log.Info("saving boot mode",
- 					"new mode", hsm.Host.Status.Provisioning.BootMode)
- 			}
-+		default:
- 		}
- 	}
- 
-@@ -163,6 +165,7 @@ func (hsm *hostStateMachine) checkDelayedHost(info *reconcileInfo) actionResult
- 		if actionRes := hsm.ensureCapacity(info, info.host.Status.Provisioning.State); actionRes != nil {
- 			return actionRes
- 		}
-+	default:
- 	}
- 
- 	return nil
-@@ -299,6 +302,7 @@ func (hsm *hostStateMachine) checkDetachedHost(info *reconcileInfo) (result acti
- 		switch info.host.Status.Provisioning.State {
- 		case metal3api.StateProvisioned, metal3api.StateExternallyProvisioned, metal3api.StateReady, metal3api.StateAvailable:
- 			return hsm.Reconciler.detachHost(hsm.Provisioner, info)
-+		default:
- 		}
- 	}
- 	if info.host.Status.ErrorType == metal3api.DetachError {
-diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
-index 9a4b4589..4c4923ad 100644
---- a/pkg/provisioner/ironic/ironic.go
-+++ b/pkg/provisioner/ironic/ironic.go
-@@ -335,21 +335,17 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
- 		return result, err
- 	}
- 
-+	if data.State == metal3api.StateProvisioning && data.CurrentImage.IsLiveISO() {
-+		// Live ISO doesn't need pre-provisioning image
-+		return result, nil
-+	}
-+
-+	if data.State == metal3api.StateDeprovisioning && data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
-+		// No need for pre-provisioning image if cleaning disabled
-+		return result, nil
-+	}
-+
- 	switch data.State {
--	case metal3api.StateProvisioning,
--		metal3api.StateDeprovisioning:
--		if data.State == metal3api.StateProvisioning {
--			if data.CurrentImage.IsLiveISO() {
--				// Live ISO doesn't need pre-provisioning image
--				return result, nil
--			}
--		} else {
--			if data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
--				// No need for pre-provisioning image if cleaning disabled
--				return result, nil
--			}
--		}
--		fallthrough
- 	case metal3api.StateInspecting,
- 		metal3api.StatePreparing:
- 		if deployImageInfo == nil {
-@@ -360,6 +356,7 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
- 			}
- 			return result, err
- 		}
-+	default:
- 	}
- 
- 	return result, nil
-@@ -1724,6 +1721,7 @@ func (p *ironicProvisioner) loadBusyHosts() (hosts map[string]struct{}, err erro
- 			if !strings.Contains(node.BootInterface, "virtual-media") {
- 				hosts[node.Name] = struct{}{}
- 			}
-+		default:
- 		}
- 	}
- 
--- 
-2.50.1
-

baremetal-operator/0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch

@@ -1,91 +0,0 @@
-From 509ba92a8ed7303a418c5277f7544db2765c3802 Mon Sep 17 00:00:00 2001
-From: Dmitry Tantsur <dtantsur@protonmail.com>
-Date: Wed, 2 Jul 2025 17:33:46 +0200
-Subject: [PATCH 2/5] Stop requiring DEPLOY_KERNEL/RAMDISK
-
-Ironic has global configuration that allows specifying them, even
-depending on the architecture. Our ironic-image supports that when
-IPA downloader is used (and should start supporting explicit variables
-too).
-
-Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
-(cherry picked from commit 0f1ef6cbeb8815f19d853ba5eab1e70c7d85e2ec)
----
- pkg/provisioner/ironic/factory.go      |  6 ++----
- pkg/provisioner/ironic/factory_test.go |  9 ++-------
- pkg/provisioner/ironic/ironic.go       | 10 +++-------
- 3 files changed, 7 insertions(+), 18 deletions(-)
-
-diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
-index 19571eb0..15f636b3 100644
---- a/pkg/provisioner/ironic/factory.go
-+++ b/pkg/provisioner/ironic/factory.go
-@@ -114,10 +114,8 @@ func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
- 	c.deployRamdiskURL = os.Getenv("DEPLOY_RAMDISK_URL")
- 	c.deployISOURL = os.Getenv("DEPLOY_ISO_URL")
- 	if !havePreprovImgBuilder {
--		if c.deployISOURL == "" &&
--			(c.deployKernelURL == "" || c.deployRamdiskURL == "") {
--			return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
--		}
-+		// NOTE(dtantsur): with a PreprovisioningImage controller, it makes sense to set only the kernel.
-+		// Without it, either both or neither must be set.
- 		if (c.deployKernelURL == "" && c.deployRamdiskURL != "") ||
- 			(c.deployKernelURL != "" && c.deployRamdiskURL == "") {
- 			return c, errors.New("DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together")
-diff --git a/pkg/provisioner/ironic/factory_test.go b/pkg/provisioner/ironic/factory_test.go
-index db47d8b2..0d32eccb 100644
---- a/pkg/provisioner/ironic/factory_test.go
-+++ b/pkg/provisioner/ironic/factory_test.go
-@@ -98,24 +98,19 @@ func TestLoadConfigFromEnv(t *testing.T) {
- 				ramdiskURL: "http://ramdisk",
- 			},
- 		},
--		{
--			name:          "no deploy info",
--			env:           EnvFixture{},
--			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
--		},
- 		{
- 			name: "only kernel",
- 			env: EnvFixture{
- 				kernelURL: "http://kernel",
- 			},
--			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
-+			expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
- 		},
- 		{
- 			name: "only ramdisk",
- 			env: EnvFixture{
- 				ramdiskURL: "http://ramdisk",
- 			},
--			expectedError:         "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
-+			expectedError:         "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
- 			expectedImgBuildError: "DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also",
- 		},
- 		{
-diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
-index 4c4923ad..48db865a 100644
---- a/pkg/provisioner/ironic/ironic.go
-+++ b/pkg/provisioner/ironic/ironic.go
-@@ -348,14 +348,10 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
- 	switch data.State {
- 	case metal3api.StateInspecting,
- 		metal3api.StatePreparing:
--		if deployImageInfo == nil {
--			if p.config.havePreprovImgBuilder {
--				result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
--			} else {
--				result, err = operationFailed("no preprovisioning image available")
--			}
--			return result, err
-+		if deployImageInfo == nil && p.config.havePreprovImgBuilder {
-+			result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
- 		}
-+		return result, err
- 	default:
- 	}
- 
--- 
-2.50.1
-

baremetal-operator/0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch

@@ -1,49 +0,0 @@
-From ea10df866f0fc491cac15ba5005f3b820e1ccecb Mon Sep 17 00:00:00 2001
-From: Dmitry Tantsur <dtantsur@protonmail.com>
-Date: Wed, 2 Jul 2025 17:55:48 +0200
-Subject: [PATCH 3/5] Remove DEPLOY_KERNEL_URL from deployment scripts for main
-
-Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
-(cherry picked from commit ddcf3d915819b6344f79fbcec3e28250b217a597)
----
- config/default/ironic.env      | 2 --
- config/overlays/e2e/ironic.env | 2 --
- config/render/capm3.yaml       | 2 --
- 3 files changed, 6 deletions(-)
-
-diff --git a/config/default/ironic.env b/config/default/ironic.env
-index e72cb3c3..3fe36d25 100644
---- a/config/default/ironic.env
-+++ b/config/default/ironic.env
-@@ -1,7 +1,5 @@
- HTTP_PORT=6180
- PROVISIONING_INTERFACE=eth2
- DHCP_RANGE=172.22.0.10,172.22.0.100
--DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel
--DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs
- IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
- CACHEURL=http://172.22.0.1/images
-diff --git a/config/overlays/e2e/ironic.env b/config/overlays/e2e/ironic.env
-index 44147ae0..6f200720 100644
---- a/config/overlays/e2e/ironic.env
-+++ b/config/overlays/e2e/ironic.env
-@@ -1,3 +1 @@
--DEPLOY_KERNEL_URL=http://192.168.222.1:6180/images/ironic-python-agent.kernel
--DEPLOY_RAMDISK_URL=http://192.168.222.1:6180/images/ironic-python-agent.initramfs
- IRONIC_ENDPOINT=https://192.168.222.1:6385/v1/
-diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
-index 42283193..7568288f 100644
---- a/config/render/capm3.yaml
-+++ b/config/render/capm3.yaml
-@@ -2510,8 +2510,6 @@ subjects:
- apiVersion: v1
- data:
-   CACHEURL: http://172.22.0.1/images
--  DEPLOY_KERNEL_URL: http://172.22.0.2:6180/images/ironic-python-agent.kernel
--  DEPLOY_RAMDISK_URL: http://172.22.0.2:6180/images/ironic-python-agent.initramfs
-   DHCP_RANGE: 172.22.0.10,172.22.0.100
-   HTTP_PORT: "6180"
-   IRONIC_ENDPOINT: http://172.22.0.2:6385/v1/
--- 
-2.50.1
-

baremetal-operator/0004-Refactor-setting-various-Ironic-properties.patch

@@ -1,422 +0,0 @@
-From b2e8a1a42c95a3338c9c83a4781ba4744da5ff6a Mon Sep 17 00:00:00 2001
-From: Dmitry Tantsur <dtantsur@protonmail.com>
-Date: Tue, 24 Jun 2025 18:53:42 +0200
-Subject: [PATCH 4/5] Refactor setting various Ironic properties
-
-Currently, Ironic instance_info and properties fields are populated at
-random either in most states or before deployment. While potentially
-convenient, it makes it very hard to reason about the code.
-
-Now, the logic is split into two parts:
-1. configureNode (renamed from configureImages) writes fields that are
-   considered properties of the node itself: CPU architecture, deploy
-   images, capabilities, etc.
-2. getInstanceUpdateOpts (merge of getImageUpdateOptsForNode and
-   getUpdateOptsForNode) writes fields that are required for deployment
-   and thus are properties of instance. This includes images, checksums,
-   runtime capabilities. As an exception, root device hints fall under
-   this category and thus are now set in instance_info, not properties.
-
-Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
-(cherry picked from commit 0c70cba38c926c474f4fa129a7e99ef9827d6ce9)
----
- .../metal3.io/baremetalhost_controller.go     |  2 +-
- pkg/provisioner/ironic/ironic.go              | 49 +++++-------
- pkg/provisioner/ironic/provision_test.go      | 27 +++----
- pkg/provisioner/ironic/register.go            |  3 +-
- pkg/provisioner/ironic/register_test.go       | 78 +------------------
- pkg/provisioner/provisioner.go                |  2 +-
- 6 files changed, 40 insertions(+), 121 deletions(-)
-
-diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
-index 1998627e..0d0c9562 100644
---- a/internal/controller/metal3.io/baremetalhost_controller.go
-+++ b/internal/controller/metal3.io/baremetalhost_controller.go
-@@ -848,6 +848,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
- 			PreprovisioningNetworkData: preprovisioningNetworkData,
- 			HasCustomDeploy:            hasCustomDeploy(info.host),
- 			DisablePowerOff:            info.host.Spec.DisablePowerOff,
-+			CPUArchitecture:            getHostArchitecture(info.host),
- 		},
- 		credsChanged,
- 		info.host.Status.ErrorType == metal3api.RegistrationError)
-@@ -1271,7 +1272,6 @@ func (r *BareMetalHostReconciler) actionProvisioning(prov provisioner.Provisione
- 		BootMode:        info.host.Status.Provisioning.BootMode,
- 		HardwareProfile: hwProf,
- 		RootDeviceHints: info.host.Status.Provisioning.RootDeviceHints.DeepCopy(),
--		CPUArchitecture: getHostArchitecture(info.host),
- 	}, forceReboot)
- 	if err != nil {
- 		return actionError{errors.Wrap(err, "failed to provision")}
-diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
-index 48db865a..b8e6d72b 100644
---- a/pkg/provisioner/ironic/ironic.go
-+++ b/pkg/provisioner/ironic/ironic.go
-@@ -311,20 +311,24 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
- 	return nil
- }
- 
--func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
-+func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
- 	updater := clients.UpdateOptsBuilder(p.log)
- 
- 	deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage)
- 	updater.SetDriverInfoOpts(deployImageInfo, ironicNode)
- 
--	// NOTE(dtantsur): It is risky to update image information for active nodes since it may affect the ability to clean up.
--	if (data.CurrentImage != nil || data.HasCustomDeploy) && ironicNode.ProvisionState != string(nodes.Active) {
--		p.getImageUpdateOptsForNode(ironicNode, data.CurrentImage, data.BootMode, data.HasCustomDeploy, updater)
--	}
- 	updater.SetTopLevelOpt("automated_clean",
- 		data.AutomatedCleaningMode != metal3api.CleaningModeDisabled,
- 		ironicNode.AutomatedClean)
- 
-+	opts := clients.UpdateOptsData{
-+		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
-+	}
-+	if data.CPUArchitecture != "" {
-+		opts["cpu_arch"] = data.CPUArchitecture
-+	}
-+	updater.SetPropertiesOpts(opts, ironicNode)
-+
- 	_, success, result, err := p.tryUpdateNode(ironicNode, updater)
- 	if !success {
- 		return result, err
-@@ -656,40 +660,29 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
- 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
- }
- 
--func (p *ironicProvisioner) getImageUpdateOptsForNode(ironicNode *nodes.Node, imageData *metal3api.Image, bootMode metal3api.BootMode, hasCustomDeploy bool, updater *clients.NodeUpdater) {
-+func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
-+	updater := clients.UpdateOptsBuilder(p.log)
-+
-+	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
-+
- 	// instance_uuid
- 	updater.SetTopLevelOpt("instance_uuid", string(p.objectMeta.UID), ironicNode.InstanceUUID)
- 
- 	updater.SetInstanceInfoOpts(clients.UpdateOptsData{
--		"capabilities": buildInstanceInfoCapabilities(bootMode),
-+		"capabilities": buildInstanceInfoCapabilities(data.BootMode),
-+		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
- 	}, ironicNode)
- 
- 	if hasCustomDeploy {
- 		// Custom deploy process
--		p.setCustomDeployUpdateOptsForNode(ironicNode, imageData, updater)
--	} else if imageData.IsLiveISO() {
-+		p.setCustomDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
-+	} else if data.Image.IsLiveISO() {
- 		// Set live-iso format options
--		p.setLiveIsoUpdateOptsForNode(ironicNode, imageData, updater)
-+		p.setLiveIsoUpdateOptsForNode(ironicNode, &data.Image, updater)
- 	} else {
- 		// Set deploy_interface direct options when not booting a live-iso
--		p.setDirectDeployUpdateOptsForNode(ironicNode, imageData, updater)
-+		p.setDirectDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
- 	}
--}
--
--func (p *ironicProvisioner) getUpdateOptsForNode(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
--	updater := clients.UpdateOptsBuilder(p.log)
--
--	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
--	p.getImageUpdateOptsForNode(ironicNode, &data.Image, data.BootMode, hasCustomDeploy, updater)
--
--	opts := clients.UpdateOptsData{
--		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
--		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
--	}
--	if data.CPUArchitecture != "" {
--		opts["cpu_arch"] = data.CPUArchitecture
--	}
--	updater.SetPropertiesOpts(opts, ironicNode)
- 
- 	return updater
- }
-@@ -792,7 +785,7 @@ func (p *ironicProvisioner) setUpForProvisioning(ironicNode *nodes.Node, data pr
- 	p.log.Info("starting provisioning", "node properties", ironicNode.Properties)
- 
- 	ironicNode, success, result, err := p.tryUpdateNode(ironicNode,
--		p.getUpdateOptsForNode(ironicNode, data))
-+		p.getInstanceUpdateOpts(ironicNode, data))
- 	if !success {
- 		return result, err
- 	}
-diff --git a/pkg/provisioner/ironic/provision_test.go b/pkg/provisioner/ironic/provision_test.go
-index 72ee57b7..40c714e9 100644
---- a/pkg/provisioner/ironic/provision_test.go
-+++ b/pkg/provisioner/ironic/provision_test.go
-@@ -713,7 +713,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
- 		BootMode:        metal3api.DefaultBootMode,
- 		RootDeviceHints: host.Status.Provisioning.RootDeviceHints,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -723,7 +723,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
- 		Value interface{}       // the value being passed to ironic (or value associated with the key)
- 	}{
- 		{
--			Path:  "/properties/root_device",
-+			Path:  "/instance_info/root_device",
- 			Value: "userdefined_devicename",
- 			Map: map[string]string{
- 				"name":                 "s== userd_devicename",
-@@ -807,7 +807,7 @@ func TestGetUpdateOptsForNodeVirtual(t *testing.T) {
- 		BootMode:        metal3api.DefaultBootMode,
- 		HardwareProfile: hwProf,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -903,9 +903,8 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
- 		Image:           *host.Spec.Image,
- 		BootMode:        metal3api.DefaultBootMode,
- 		HardwareProfile: hwProf,
--		CPUArchitecture: "x86_64",
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -930,10 +929,6 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
- 			Path:  "/instance_uuid",
- 			Value: "27720611-e5d1-45d3-ba3a-222dcfaa4ca2",
- 		},
--		{
--			Path:  "/properties/cpu_arch",
--			Value: "x86_64",
--		},
- 	}
- 
- 	for _, e := range expected {
-@@ -971,7 +966,7 @@ func TestGetUpdateOptsForNodeLiveIso(t *testing.T) {
- 		Image:    *host.Spec.Image,
- 		BootMode: metal3api.DefaultBootMode,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1038,7 +1033,7 @@ func TestGetUpdateOptsForNodeImageToLiveIso(t *testing.T) {
- 		Image:    *host.Spec.Image,
- 		BootMode: metal3api.DefaultBootMode,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1116,7 +1111,7 @@ func TestGetUpdateOptsForNodeLiveIsoToImage(t *testing.T) {
- 		Image:    *host.Spec.Image,
- 		BootMode: metal3api.DefaultBootMode,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1188,7 +1183,7 @@ func TestGetUpdateOptsForNodeCustomDeploy(t *testing.T) {
- 		BootMode:     metal3api.DefaultBootMode,
- 		CustomDeploy: host.Spec.CustomDeploy,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1245,7 +1240,7 @@ func TestGetUpdateOptsForNodeCustomDeployWithImage(t *testing.T) {
- 		BootMode:     metal3api.DefaultBootMode,
- 		CustomDeploy: host.Spec.CustomDeploy,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1312,7 +1307,7 @@ func TestGetUpdateOptsForNodeImageToCustomDeploy(t *testing.T) {
- 		BootMode:     metal3api.DefaultBootMode,
- 		CustomDeploy: host.Spec.CustomDeploy,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-@@ -1405,7 +1400,7 @@ func TestGetUpdateOptsForNodeSecureBoot(t *testing.T) {
- 		BootMode:        metal3api.UEFISecureBoot,
- 		HardwareProfile: hwProf,
- 	}
--	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
-+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
- 
- 	t.Logf("patches: %v", patches)
- 
-diff --git a/pkg/provisioner/ironic/register.go b/pkg/provisioner/ironic/register.go
-index 390e463f..9a600189 100644
---- a/pkg/provisioner/ironic/register.go
-+++ b/pkg/provisioner/ironic/register.go
-@@ -220,7 +220,7 @@ func (p *ironicProvisioner) Register(data provisioner.ManagementAccessData, cred
- 		fallthrough
- 
- 	default:
--		result, err = p.configureImages(data, ironicNode, bmcAccess)
-+		result, err = p.configureNode(data, ironicNode, bmcAccess)
- 		return result, provID, err
- 	}
- }
-@@ -246,6 +246,7 @@ func (p *ironicProvisioner) enrollNode(data provisioner.ManagementAccessData, bm
- 		DisablePowerOff:     &data.DisablePowerOff,
- 		Properties: map[string]interface{}{
- 			"capabilities": buildCapabilitiesValue(nil, data.BootMode),
-+			"cpu_arch":     data.CPUArchitecture,
- 		},
- 	}
- 
-diff --git a/pkg/provisioner/ironic/register_test.go b/pkg/provisioner/ironic/register_test.go
-index e6c302b5..8e524dad 100644
---- a/pkg/provisioner/ironic/register_test.go
-+++ b/pkg/provisioner/ironic/register_test.go
-@@ -72,7 +72,7 @@ func TestRegisterMACOptional(t *testing.T) {
- 	assert.Equal(t, "", result.ErrorMessage)
- }
- 
--func TestRegisterCreateNodeNoImage(t *testing.T) {
-+func TestRegisterCreateNode(t *testing.T) {
- 	// Create a host without a bootMACAddress and with a BMC that
- 	// does not require one.
- 	host := makeHost()
-@@ -146,79 +146,6 @@ func TestRegisterCreateNodeOldInspection(t *testing.T) {
- 	assert.Equal(t, "inspector", createdNode.InspectInterface)
- }
- 
--func TestRegisterCreateWithImage(t *testing.T) {
--	// Create a host with Image specified in the Spec
--	host := makeHost()
--	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
--	host.Spec.Image.URL = "theimagefoo"
--	host.Spec.Image.Checksum = "thechecksumxyz"
--	host.Spec.Image.ChecksumType = "auto"
--
--	var createdNode *nodes.Node
--
--	createCallback := func(node nodes.Node) {
--		createdNode = &node
--	}
--
--	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
--	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
--	ironic.Start()
--	defer ironic.Stop()
--
--	auth := clients.AuthConfig{Type: clients.NoAuth}
--	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
--	if err != nil {
--		t.Fatalf("could not create provisioner: %s", err)
--	}
--
--	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
--	if err != nil {
--		t.Fatalf("error from Register: %s", err)
--	}
--	assert.Equal(t, "", result.ErrorMessage)
--	assert.Equal(t, createdNode.UUID, provID)
--	assert.Equal(t, "", createdNode.DeployInterface)
--	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
--	assert.Contains(t, updates, "/instance_info/image_source")
--	assert.Contains(t, updates, host.Spec.Image.URL)
--	assert.Contains(t, updates, "/instance_info/image_checksum")
--	assert.Contains(t, updates, host.Spec.Image.Checksum)
--}
--
--func TestRegisterCreateWithLiveIso(t *testing.T) {
--	// Create a host with Image specified in the Spec
--	host := makeHostLiveIso()
--	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
--
--	var createdNode *nodes.Node
--
--	createCallback := func(node nodes.Node) {
--		createdNode = &node
--	}
--
--	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
--	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
--	ironic.Start()
--	defer ironic.Stop()
--
--	auth := clients.AuthConfig{Type: clients.NoAuth}
--	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
--	if err != nil {
--		t.Fatalf("could not create provisioner: %s", err)
--	}
--
--	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
--	if err != nil {
--		t.Fatalf("error from Register: %s", err)
--	}
--	assert.Equal(t, "", result.ErrorMessage)
--	assert.Equal(t, createdNode.UUID, provID)
--	assert.Equal(t, "ramdisk", createdNode.DeployInterface)
--	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
--	assert.Contains(t, updates, "/instance_info/boot_iso")
--	assert.Contains(t, updates, host.Spec.Image.URL)
--}
--
- func TestRegisterExistingNode(t *testing.T) {
- 	// Create a host without a bootMACAddress and with a BMC that
- 	// does not require one.
-@@ -342,6 +269,7 @@ func TestRegisterExistingNodeContinue(t *testing.T) {
- 					"test_password":  "******", // ironic returns a placeholder
- 					"test_port":      "42",
- 				},
-+				Properties: map[string]interface{}{"capabilities": ""},
- 			}).NodeUpdate(nodes.Node{
- 				UUID: "uuid",
- 			})
-@@ -521,6 +449,7 @@ func TestRegisterExistingSteadyStateNoUpdate(t *testing.T) {
- 				DeployInterface: imageType.DeployInterface,
- 				InstanceInfo:    imageType.InstanceInfo,
- 				DriverInfo:      imageType.DriverInfo,
-+				Properties:      map[string]interface{}{"capabilities": ""},
- 			}).NodeUpdate(nodes.Node{
- 				UUID: "uuid",
- 			})
-@@ -577,6 +506,7 @@ func TestRegisterExistingNodeWaiting(t *testing.T) {
- 					"test_password":  "******", // ironic returns a placeholder
- 					"test_port":      "42",
- 				},
-+				Properties: map[string]interface{}{"capabilities": ""},
- 			}
- 			ironic := testserver.NewIronic(t).CreateNodes(createCallback).Node(node).NodeUpdate(nodes.Node{
- 				UUID: "uuid",
-diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
-index faddd0fd..e2018e63 100644
---- a/pkg/provisioner/provisioner.go
-+++ b/pkg/provisioner/provisioner.go
-@@ -82,6 +82,7 @@ type ManagementAccessData struct {
- 	PreprovisioningNetworkData string
- 	HasCustomDeploy            bool
- 	DisablePowerOff            bool
-+	CPUArchitecture            string
- }
- 
- type AdoptData struct {
-@@ -122,7 +123,6 @@ type ProvisionData struct {
- 	HardwareProfile profile.Profile
- 	RootDeviceHints *metal3api.RootDeviceHints
- 	CustomDeploy    *metal3api.CustomDeploy
--	CPUArchitecture string
- }
- 
- type HTTPHeaders []map[string]string
--- 
-2.50.1
-

baremetal-operator/0005-Provide-inline-docs-for-node-configuration-calls.patch

@@ -1,46 +0,0 @@
-From 5419f8d95306efed8667936156d8081c21e068ed Mon Sep 17 00:00:00 2001
-From: Dmitry Tantsur <dtantsur@protonmail.com>
-Date: Wed, 9 Jul 2025 14:02:23 +0200
-Subject: [PATCH 5/5] Provide inline docs for node configuration calls
-
-Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
-(cherry picked from commit 778d9342747aefc8079f1ccaa6a14f83b26f28ff)
----
- pkg/provisioner/ironic/ironic.go | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
-index b8e6d72b..166d929c 100644
---- a/pkg/provisioner/ironic/ironic.go
-+++ b/pkg/provisioner/ironic/ironic.go
-@@ -311,6 +311,10 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
- 	return nil
- }
- 
-+// configureNode configures Node properties that are not related to any specific provisioning phase.
-+// It populates the AutomatedClean field, as well as capabilities and architecture in Properties.
-+// It also calls setDeployImage to populate IPA parameters in DriverInfo and
-+// checks if the required PreprovisioningImage is provided and ready.
- func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
- 	updater := clients.UpdateOptsBuilder(p.log)
- 
-@@ -426,6 +430,8 @@ func setExternalURL(p *ironicProvisioner, driverInfo map[string]interface{}) map
- 	return driverInfo
- }
- 
-+// setDeployImage configures the IPA ramdisk parameters in the Node's DriverInfo.
-+// It can use either the provided PreprovisioningImage or the global configuration from ironicConfig.
- func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage) clients.UpdateOptsData {
- 	deployImageInfo := clients.UpdateOptsData{
- 		deployKernelKey:  nil,
-@@ -660,6 +666,7 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
- 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
- }
- 
-+// getInstanceUpdateOpts constructs InstanceInfo options required to provision a Node in Ironic.
- func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
- 	updater := clients.UpdateOptsBuilder(p.log)
- 
--- 
-2.50.1
-

baremetal-operator/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/baremetal-operator</param>
     <param name="scm">git</param>
-    <param name="revision">v0.10.2</param>
+    <param name="revision">v0.11.2</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

baremetal-operator/baremetal-operator.spec

@@ -17,19 +17,13 @@
 
 
 Name:           baremetal-operator
-Version:        0.10.2
+Version:        0.11.2
 Release:        0
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar
 Source1:        vendor.tar.gz
-# Patches related to multi-architecture support, upstream PRs #2506 #2559 #2537
-Patch0:		0001-Enable-exhaustive-linter.patch
-Patch1:		0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
-Patch2:		0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
-Patch3:		0004-Refactor-setting-various-Ironic-properties.patch
-Patch4:		0005-Provide-inline-docs-for-node-configuration-calls.patch
 
 BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390

edge-image-builder-image/Dockerfile

@@ -7,7 +7,7 @@ MAINTAINER SUSE LLC (https://www.suse.com/)
 COPY artifacts.yaml artifacts.yaml
 
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins; zypper -n clean; rm -rf /var/log/*
+RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins pigz zstd cpio && zypper -n clean && rm -rf /var/log/*
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.edge-image-builder
@@ -32,8 +32,7 @@ LABEL com.suse.release-stage="released"
 # and also expects the boot kernel to be a portable executable (PE), not ELF.
 RUN mkdir -p /usr/share/edk2/aarch64 && \
   cp /usr/share/qemu/aavmf-aarch64-code.bin /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw && \
-  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw && \
-  mv /boot/vmlinux* /boot/backup-vmlinux
+  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw
 
 ENTRYPOINT ["/usr/bin/eib"]
 

edge-image-builder-image/artifacts.yaml

@@ -1,7 +1,7 @@
 metallb:
   chart: metallb
   repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
-  version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+  version: "%%CHART_MAJOR%%.0.1+up0.15.2"
 endpoint-copier-operator:
   chart: endpoint-copier-operator
   repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"

frr-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: MIT
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -14,11 +14,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="FRR Container Image"
 LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="8.5.6"
+LABEL org.opencontainers.image.version="10.2.1"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.5.6-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:10.2.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"

frr-k8s/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metallb/frr-k8s</param>
     <param name="scm">git</param>
-    <param name="revision">v0.0.16</param>
+    <param name="revision">v0.0.20</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
   <service name="go_modules">
   </service>
   <service mode="buildtime" name="set_version" />
-</services>
+</services>

frr-k8s/frr-k8s.spec

@@ -17,14 +17,14 @@
 
 
 Name:           frr-k8s
-Version:        0.0.16
-Release:        0.0.16
+Version:        0.0.20
+Release:        0.0.20
 Summary:        A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
 License:        Apache-2.0
 URL:            https://github.com/metallb/frr-k8s
 Source:         frr-k8s-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 
@@ -63,4 +63,4 @@ install -D -m0755 frr-k8s %{buildroot}/frr-k8s
 /frr-metrics
 /frr-k8s
 
-%changelog
+%changelog

grub-aggregate/_aggregate

@@ -0,0 +1,7 @@
+<aggregatelist>
+  <aggregate project="SUSE:SLFO:1.2" >
+    <binary>grub2-x86_64-efi</binary>
+    <binary>grub2-arm64-efi</binary>
+    <repository target="standard" source="standard" />
+  </aggregate>
+</aggregatelist>

ib-sriov-cni-image/Dockerfile

@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%
+#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%-%RELEASE%
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends ib-sriov-cni gawk which; \
+    zypper -n clean; \
+    rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.ib-sriov-cni
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE ib-sriov-cni Container Image"
+LABEL org.opencontainers.image.description="ib-sriov-cni based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%ib-sriov-cni_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ib-sriov-cni:%%ib-sriov-cni_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+ENTRYPOINT ["/entrypoint.sh"]

ib-sriov-cni-image/_service

@@ -0,0 +1,19 @@
+<services>
+  <service name="kiwi_metainfo_helper" mode="buildtime"/>
+  <service name="docker_label_helper" mode="buildtime"/>
+  <service name="replace_using_package_version" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="regex">%%ib-sriov-cni_version%%</param>
+    <param name="package">ib-sriov-cni</param>
+    <param name="parse-version">patch</param>
+  </service>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
+  </service>
+</services>

ib-sriov-cni/_service

@@ -0,0 +1,25 @@
+<services>
+ <service name="obs_scm">
+    <param name="url">https://github.com/k8snetworkplumbingwg/ib-sriov-cni</param>
+    <param name="scm">git</param>
+    <param name="revision">v1.3.0</param>
+    <param name="version">_auto_</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="changesgenerate">enable</param>
+    <param name="changesauthor">antonio.alarcon@suse.com</param>
+    <param name="match-tag">v*</param>
+    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+    <param name="without-version">yes</param>
+    <param name="versionrewrite-replacement">\1</param>
+  </service>
+  <service mode="buildtime" name="tar">
+    <param name="obsinfo">ib-sriov-cni.obsinfo</param>
+  </service>
+  <service name="go_modules" />
+  <service mode="buildtime" name="set_version" />
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">ib-sriov-cni.spec</param>
+    <param name="var">SOURCE_COMMIT</param>
+    <param name="eval">SOURCE_COMMIT=$(grep commit ib-sriov-cni.obsinfo | cut -d" " -f2)</param>
+  </service>
+</services>

ib-sriov-cni/ib-sriov-cni.spec

@@ -0,0 +1,64 @@
+#
+# spec file for package ib-sriov-cni
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           ib-sriov-cni
+Version:        0
+Release:        0
+Summary:        Implements a Kubernetes CNI plugin operator for Infiniband SRIOV VFs
+License:        Apache-2.0
+URL:            https://github.com/k8snetworkplumbingwg/ib-sriov-cni
+Source:         %{name}-%{version}.tar
+Source1:        vendor.tar.gz
+BuildRequires:  golang(API) = 1.24
+ExcludeArch:    s390
+ExcludeArch:    %{ix86}
+
+%description
+Network Interface Cards (NICs) with SR-IOV capabilities are managed through physical functions (PFs) and virtual functions (VFs).
+A PF is used by the host and usually represents a single NIC port. VF configurations are applied through the PF.
+The SR-IOV CNI allows each VF to be treated as a separate network interface, assigned to a container, and configured with its own
+MAC, VLAN, IP and more.
+
+Infiniband SR-IOV CNI plugin works with Infiniband SR-IOV device plugin for VF allocation in Kubernetes. A CNI metaplugin such as Multus
+gets the allocated VF's deviceID(PCI address) and is responsible for invoking the Infiniband SR-IOV CNI plugin with that deviceID.
+
+%prep
+%autosetup -a1 -n %{name}-%{version} -p1
+
+%build
+# CGO is disabled by default in upstream Makefile:
+%define cgoenabled "0"
+# go build constrain (aka tag) "no_openssl" is set by default in upstream Makefile
+%define gotags "no_openssl"
+%define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)
+%define buildcommit %%SOURCE_COMMIT%%
+%define buildldflags "-X main.version=%{version} -X main.commit=%{buildcommit}% -X main.date=%{buildtime}%"
+CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -tags %{gotags} -ldflags %{buildldflags} -o ib-sriov cmd/ib-sriov-cni/main.go
+
+%install
+install -D -m0755 ib-sriov %{buildroot}%{_bindir}/ib-sriov
+install -D -m0755 images/entrypoint.sh %{buildroot}/entrypoint.sh
+
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/ib-sriov
+/entrypoint.sh
+
+%changelog

ironic-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.0
+#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.0-%RELEASE%
 
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -17,13 +17,19 @@ RUN /bin/prepare-efi.sh
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 
+RUN zypper --installroot /installroot --non-interactive install --no-recommends \
+    python3-devel python3 python3-pip \
+    python313-sushy \
+    python3-watchdog python313-ironicclient \
+    git curl sles-release tar gzip vim gawk \
+    dnsmasq dosfstools apache2 ipcalc ipmitool iproute2 \
+    bind-utils procps qemu-tools sqlite3 util-linux xorriso \
+    tftp ipxe-bootimgs crudini \
+    openstack-ironic
+
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
-    fi
-#!ArchExclusiveLine: aarch64
-RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux  ; \
     fi
     
 # DATABASE
@@ -53,8 +59,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 
-RUN set -euo pipefail; ln -s /usr/bin/python3.11 /usr/local/bin/python3; \
-    ln -s /usr/bin/pydoc3.11 /usr/local/bin/pydoc
+RUN set -euo pipefail; ln -s /usr/bin/python3.13 /usr/local/bin/python3; \
+    ln -s /usr/bin/pydoc3.13 /usr/local/bin/pydoc
 
 ENV GRUB_DIR=/tftpboot/boot/grub
 
@@ -75,7 +81,7 @@ RUN cp /bin/ironic-readiness /bin/ironic-liveness
 
 COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
      ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
-     /tmp/
+     /templates/
 
 # IRONIC #
 RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -99,8 +105,8 @@ RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
 # Custom httpd config, removes all but the bare minimum needed modules
 COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
-COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
-COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /templates/httpd-ipxe.conf.j2
 
 # configure non-root user and set relevant permissions
 RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh

ironic-image/ironic-config/apache2-ipxe.conf.j2

@@ -11,26 +11,17 @@ Listen [::]:{{ env.IPXE_TLS_PORT }}
     SSLCertificateFile {{ env.IPXE_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
 
+    DocumentRoot "/shared/html"
     <Directory "/shared/html">
-        Order Allow,Deny
-        Allow from all
+        Options Indexes FollowSymLinks
+        Require all granted
     </Directory>
-    <Directory "/shared/html/(redfish|ilo|images)/">
-        Order Deny,Allow
-        Deny from all
+    <Directory ~ "/shared/html/(redfish|ilo|images)/">
+        Require all denied
     </Directory>
+
+    <Location ~ "^/.*">
+        SSLRequireSSL
+    </Location>
+
 </VirtualHost>
-
-<Location ~ "^/grub.*/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/pxelinux.cfg/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/.*\.conf/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
-    SSLRequireSSL
-</Location>
-

ironic-image/ironic-config/apache2-vmedia.conf.j2

@@ -24,18 +24,16 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }}
     SSLHonorCipherOrder on
     {% endif %}
 
-    <Directory "/shared/html/">
-        Options Indexes FollowSymLinks
-        AllowOverride None
-        Require all granted
+    <Directory ~ "/shared/html">
+        Require all denied
     </Directory>
     <Directory ~ "/shared/html/(redfish|ilo)/">
-        Options Indexes FollowSymLinks
-        AllowOverride None
         Require all granted
     </Directory>
+
+    <Location ~ "^/.*">
+        SSLRequireSSL
+    </Location>
+
 </VirtualHost>
 
-<Location ~ "^/(redfish|ilo)/">
-    SSLRequireSSL
-</Location>

ironic-image/ironic-config/dnsmasq.conf.j2

@@ -11,14 +11,8 @@ port={{ env.DNS_PORT }}
 {%- if env.DHCP_RANGE | length %}
 log-dhcp
 dhcp-range={{ env.DHCP_RANGE }}
-
-# It can be used when setting DNS or GW variables.
-{%- if env["GATEWAY_IP"] is undefined %}
-# Disable default router(s)
-dhcp-option=3
-{% else %}
-dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
+
 {%- if env["DNS_IP"] is undefined %}
 # Disable DNS over provisioning network
 dhcp-option=6
@@ -26,31 +20,31 @@ dhcp-option=6
 dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
 {% endif %}
 
+{# Network boot options for IPv4 and IPv6 #}
 {%- if env.IPV == "4" or env.IPV is undefined %}
 # IPv4 Configuration:
 dhcp-match=ipxe,175
-# Client is already running iPXE; move to next stage of chainloading
-{%- if env.IPXE_TLS_SETUP == "true"  %}
-# iPXE with (U)EFI
-dhcp-boot=tag:efi,tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/snponly.efi
-# iPXE with BIOS
-dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/undionly.kpxe
+
+{# Set the router or disable it. Setting router is IPv4 specific, in v6 there #}
+{# are router advertisements that do the same thing. #}
+{%- if env["GATEWAY_IP"] is undefined %}
+# Disable default router(s)
+dhcp-option=3
 {% else %}
-dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
+dhcp-option=option:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
 
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
-{%- if env.IPXE_TLS_SETUP == "true"  %}
-dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+# Client is (i)PXE booting on EFI machine
+dhcp-boot=tag:efi,/snponly.efi,{{ env.IRONIC_IP }}
+# Client is running (i)PXE on BIOS machine
+dhcp-boot=tag:!efi,/undionly.kpxe,{{ env.IRONIC_IP }}
+{%- if env.IPXE_TLS_SETUP != "true" %}
+dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
 {% endif %}
-dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
-
-# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
-dhcp-boot=/undionly.kpxe,{{ env.IRONIC_IP }}
 {% endif %}
 
 {% if env.IPV == "6" %}
@@ -60,22 +54,12 @@ ra-param={{ env.PROVISIONING_INTERFACE }},0,0
 
 dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
 dhcp-userclass=set:ipxe6,iPXE
-dhcp-option=tag:pxe6,option6:bootfile-url,{{ env.IRONIC_TFTP_URL }}/snponly.efi
+# Client is (i)PXE booting on EFI machine
+dhcp-option=tag:efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/snponly.efi
+# Client is running (i)PXE on BIOS machine
+dhcp-option=tag:!efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/undionly.kpxe
+{%- if env.IPXE_TLS_SETUP != "true" %}
 dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
-
-# It can be used when setting DNS or GW variables.
-{%- if env["GATEWAY_IP"] is undefined %}
-# Disable default router(s)
-dhcp-option=3
-{% else %}
-dhcp-option=3,{{ env["GATEWAY_IP"] }}
-{% endif %}
-{%- if env["DNS_IP"] is undefined %}
-# Disable DNS over provisioning network
-dhcp-option=6
-{% else %}
-dhcp-option=6,{{ env["DNS_IP"] }}
-{% endif %}
 {% endif %}
 {% endif %}
 

ironic-image/ironic-config/httpd-ironic-api.conf.j2

@@ -29,6 +29,20 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
 {% endif %}
 {% endif %}
 
+    DocumentRoot "/shared/html"
+
+    <Directory "/shared/html">
+        Require all denied
+    </Directory>
+
+    <Directory "/shared/html/images">
+        Require all granted
+    </Directory>
+
+    # Exclude /images from proxying
+    ProxyPass        "/images" !
+    ProxyPassReverse "/images" !
+
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}
     ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
     ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -51,6 +65,7 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 
+
     <Location />
          {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
             AuthType Basic
@@ -67,4 +82,9 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
     <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
         Require all granted
     </Location>
+
+    <Location ~ "^/images(/.*)?$">
+        Require all granted
+    </Location>
+
 </VirtualHost>

ironic-image/ironic-config/httpd-modules.conf

@@ -8,8 +8,6 @@ LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
 LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
 LoadModule env_module /usr/lib64/apache2/mod_env.so
 LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
-LoadModule proxy_ajp_module /usr/lib64/apache2/mod_proxy_ajp.so
-LoadModule proxy_balancer_module /usr/lib64/apache2/mod_proxy_balancer.so
 LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
 LoadModule slotmem_shm_module /usr/lib64/apache2/mod_slotmem_shm.so
 LoadModule headers_module /usr/lib64/apache2/mod_headers.so

ironic-image/ironic-config/httpd.conf.j2

@@ -22,18 +22,43 @@ Group ironic-suse
 DocumentRoot "/shared/html"
 
 <Directory "/shared/html">
+{%- if env.IPXE_TLS_SETUP | lower == "true" %}
+    Options Indexes FollowSymLinks
+    Require all denied
+{%- else %}
     Options Indexes FollowSymLinks
-    AllowOverride None
     Require all granted
+{%- endif %}
 </Directory>
 
-{%- if env.HTTPD_SERVE_NODE_IMAGES | lower == "true" %}
+<Directory ~ "/shared/html/(redfish|ilo)/">
+{%- if env.IRONIC_VMEDIA_TLS_SETUP | lower == "true" %}
+    Require all denied
+{%- else %}
+    Require all granted
+{%- endif %}
+</Directory>
+
+{%- set serve_img = env.HTTPD_SERVE_NODE_IMAGES | lower %}
+{%- set image_tls = env.IRONIC_TLS_SETUP | lower %}
 <Directory "/shared/html/images">
     Options Indexes FollowSymLinks
     AllowOverride None
+{%- if serve_img == "true" and image_tls != "true" %}
     Require all granted
+{%- else %}
+    Require all denied
+{%- endif %}
+
+    <FilesMatch "^ironic.*">
+{%- if env.IPXE_TLS_SETUP | lower == "true" %}
+        Require all denied
+{%- else %}
+        Require all granted
+{%- endif %}
+    </FilesMatch>
 </Directory>
-{% endif %}
+
 
 <IfModule dir_module>
     DirectoryIndex index.html
@@ -70,7 +95,7 @@ AddDefaultCharset UTF-8
     MIMEMagicFile conf/magic
 </IfModule>
 
-PidFile /var/tmp/httpd.pid
+PidFile {{ env.IRONIC_TMP_DATA_DIR }}/httpd.pid
 
 # EnableSendfile directive could speed up deployments but it could also cause
 # issues depending on the underlying file system, to learn more:

ironic-image/ironic-config/ironic.conf.j2

@@ -4,19 +4,19 @@ debug = true
 default_deploy_interface = direct
 default_inspect_interface = agent
 default_network_interface = noop
-enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
-enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
+enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc
+enabled_boot_interfaces = ipxe,pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,redfish-https
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
-enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
-enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management
+enabled_inspect_interfaces = agent,irmc,fake,redfish
+enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,noop
 enabled_network_interfaces = noop
-enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
-enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
+enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish
+enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,fake
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -33,7 +33,6 @@ my_ipv6 = {{ env.IRONIC_IPV6 }}
 {% endif %}
 
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
-tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -48,6 +47,10 @@ isolinux_bin = /usr/share/syslinux/isolinux.bin
 # the ESP provided in [conductor]bootloader.
 grub_config_path = EFI/BOOT/grub.cfg
 
+# NOTE(hroyrh): updating the default temp directory to fix device cross links
+# errors when hard linking
+tempdir = /shared/tmp
+
 [agent]
 deploy_logs_collect = always
 deploy_logs_local_path = /shared/log/ironic/deploy
@@ -86,11 +89,6 @@ network_data_schema = /etc/ironic/network-data-schema-empty.json
 automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
 # NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
 deploy_callback_timeout = 4800
-send_sensor_data = {{ env.SEND_SENSOR_DATA }}
-# NOTE(TheJulia): Do not lower this value below 120 seconds.
-# Power state is checked every 60 seconds and BMC activity should
-# be avoided more often than once every sixty seconds.
-send_sensor_data_interval = 160
 bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
@@ -112,6 +110,9 @@ deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
 {% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
 disable_deep_image_inspection = True
 {% endif %}
+# Allowed path for file:// links: ipa-downloader uses /shared/html/images,
+# while the bootloader configuration above refers to /templates.
+file_url_allowed_paths = /shared/html/images,/templates
 
 [database]
 {% if env.IRONIC_USE_MARIADB | lower == "true" %}
@@ -131,6 +132,7 @@ erase_devices_priority = 0
 http_root = /shared/html/
 http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
+iso_master_path = /shared/html/master_iso_images
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
 {% endif %}
@@ -194,6 +196,7 @@ cipher_suite_versions = 3,17
 auth_strategy = http_basic
 http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
 host_ip = {{ env.IRONIC_HOST_IP }}
+port = {{ env.IRONIC_JSON_RPC_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -204,6 +207,26 @@ insecure = {{ env.IRONIC_INSECURE }}
 [nova]
 send_power_notifications = false
 
+# Sections (oslo_messaging_notifications, sensor_data, metrics) required for sensor data collection using ironic-prometheus-exporter (IPE):
+{% if env.SEND_SENSOR_DATA | lower == "true" %}
+[oslo_messaging_notifications]
+driver = prometheus_exporter
+location = /shared/ironic_prometheus_exporter
+transport_url = fake://
+
+[sensor_data]
+send_sensor_data = {{ env.SEND_SENSOR_DATA }}
+# NOTE(TheJulia): Do not lower this value below 120 seconds.
+# Power state is checked every 60 seconds and BMC activity should
+# be avoided more often than once every sixty seconds.
+interval = 160
+# Additional sensor_data options can be configured via OS_ environment variables:
+# https://docs.openstack.org/ironic/latest/configuration/config.html#sensor-data
+
+[metrics]
+backend = collector
+{% endif %}
+
 [pxe]
 # NOTE(dtantsur): keep this value at least 3x lower than
 # [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -221,19 +244,22 @@ enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 {% if env.IPXE_TLS_SETUP | lower == "true" %}
-ipxe_config_template = /tmp/ipxe_config.template
+ipxe_config_template = /templates/ipxe_config.template
 {% endif %}
 
 [redfish]
 use_swift = false
 kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
-
-[ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
-use_web_server_for_images = true
+{% if env.BMC_TLS_ENABLED == "true" %}
+# idrac uses the same options as the redfish driver
+verify_ca = {{ env.BMC_CACERT_FILE }}
+{% endif %}
 
 [irmc]
 kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+{% if env.BMC_TLS_ENABLED == "true" %}
+verify_ca = {{ env.BMC_CACERT_FILE }}
+{% endif %}
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
@@ -243,3 +269,8 @@ endpoint_override = {{ env.IRONIC_BASE_URL }}
 cert_file = {{ env.IRONIC_CERT_FILE }}
 key_file = {{ env.IRONIC_KEY_FILE }}
 {% endif %}
+
+[oci]
+{% if env.IRONIC_OCI_AUTH_CONFIG is defined %}
+authentication_config = {{ env.IRONIC_OCI_AUTH_CONFIG }}
+{% endif %}

ironic-image/scripts/auth-common.sh

@@ -40,6 +40,10 @@ fi
 
 IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
 
+if [[ -z "${IRONIC_OCI_AUTH_CONFIG:-}" ]] && [[ -f "/auth/oci.json" ]]; then
+    export IRONIC_OCI_AUTH_CONFIG="/auth/oci.json"
+fi
+
 configure_json_rpc_auth()
 {
     if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then

ironic-image/scripts/configure-ironic.sh

@@ -18,8 +18,6 @@ export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_I
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 
-export HTTP_PORT=${HTTP_PORT:-80}
-
 if [[ "${IRONIC_USE_MARIADB}" == true ]]; then
     if [[ -z "${MARIADB_PASSWORD:-}" ]]; then
         echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb"
@@ -130,6 +128,8 @@ echo 'Options set from Environment variables'
 env | grep "^OS_" || true
 
 mkdir -p /shared/html
+mkdir -p /shared/tmp
+mkdir -p /shared/ironic_prometheus_exporter
 
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
     ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)

ironic-image/scripts/ironic-common.sh

@@ -25,6 +25,11 @@ export IRONIC_GEN_CERT_DIR="${CUSTOM_DATA_DIR}/auto_gen_certs"
 export IRONIC_TMP_DATA_DIR="${CUSTOM_DATA_DIR}/tmp"
 export PROBE_CONF_DIR="${CUSTOM_CONFIG_DIR}/probes"
 
+export HTTP_PORT=${HTTP_PORT:-80}
+# NOTE(elfosardo): the default port for json_rpc in ironic is 8089, but
+# we need to use a different port to avoid conflicts with other services
+export IRONIC_JSON_RPC_PORT=${IRONIC_JSON_RPC_PORT:-6189}
+
 mkdir -p "${IRONIC_CONF_DIR}" "${PROBE_CONF_DIR}" "${HTTPD_CONF_DIR}" \
     "${HTTPD_CONF_DIR_D}" "${DNSMASQ_CONF_DIR}" "${DNSMASQ_TEMP_DIR}" \
     "${IRONIC_DB_DIR}" "${IRONIC_GEN_CERT_DIR}" "${DNSMASQ_DATA_DIR}" \
@@ -262,7 +267,7 @@ wait_for_interface_or_ip()
 
 render_j2_config()
 {
-    python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
 }
 
 run_ironic_dbsync()

ironic-image/scripts/rundnsmasq

@@ -7,7 +7,6 @@ set -eux
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
 
-export HTTP_PORT=${HTTP_PORT:-80}
 DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
 export DNS_PORT=${DNS_PORT:-0}
 
@@ -36,7 +35,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/templates/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
 
 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
     sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"

ironic-image/scripts/runhttpd

@@ -5,7 +5,6 @@
 . /bin/ironic-common.sh
 . /bin/auth-common.sh
 
-export HTTP_PORT=${HTTP_PORT:-80}
 export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
@@ -36,7 +35,7 @@ fi
 export INSPECTOR_EXTRA_ARGS
 
 # Copy files to shared mount
-render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
+render_j2_config /templates/inspector.ipxe.j2 /shared/html/inspector.ipxe
 # cp -r /etc/httpd/* "${HTTPD_DIR}"
 if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
     mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
@@ -48,7 +47,7 @@ render_j2_config "/etc/httpd/conf/httpd.conf.j2" \
 
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
     if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "/tmp/httpd-ironic-api.conf.j2" \
+        render_j2_config "/templates/httpd-ironic-api.conf.j2" \
             "${HTTPD_CONF_DIR_D}/ironic.conf"
     fi
 else
@@ -59,7 +58,7 @@ write_htpasswd_files
 
 # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-    render_j2_config "/tmp/httpd-vmedia.conf.j2" \
+    render_j2_config "/templates/httpd-vmedia.conf.j2" \
         "${HTTPD_CONF_DIR_D}/vmedia.conf"
 fi
 
@@ -67,7 +66,7 @@ fi
 if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
     mkdir -p /shared/html/custom-ipxe
     chmod 0777 /shared/html/custom-ipxe
-    render_j2_config "/tmp/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
+    render_j2_config "/templates/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
     cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
        "/shared/html/custom-ipxe"

ironic-image/scripts/runironic

@@ -15,4 +15,13 @@ configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" ironic "${IRONIC_C
 
 configure_ironic_auth
 
+if [[ -d "${BMC_CACERTS_PATH}" ]]; then
+    # shellcheck disable=SC2034
+    watchmedo shell-command \
+        --patterns="*" \
+        --ignore-directories \
+        --command='cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"' \
+        "${BMC_CACERTS_PATH}" &
+fi
+
 exec /usr/bin/ironic --config-dir "${IRONIC_CONF_DIR}"

ironic-image/scripts/runironic-exporter

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+# Set dummy provisioning IP to avoid interface detection issues (not needed to run IPE to service `/metrics`)
+export PROVISIONING_IP="127.0.0.1"
+# Set to true since running this script implies sensor data metrics are needed
+# ironic-prometheus-exporter (IPE) needs to read from oslo_messaging_notifications.location (i.e content under /shared) where Ironic writes to
+export SEND_SENSOR_DATA=true
+
+# shellcheck disable=SC1091
+. /bin/configure-ironic.sh
+# shellcheck disable=SC1091
+. /bin/ironic-common.sh
+
+FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
+FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
+
+export IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
+
+exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
+    ironic_prometheus_exporter.app.wsgi:application

ironic-image/scripts/runlogwatch.sh

@@ -1,17 +1,32 @@
 #!/usr/bin/bash
 
 # Ramdisk logs path
-LOG_DIR="/shared/log/ironic/deploy"
+export LOG_DIR="/shared/log/ironic/deploy"
 
 mkdir -p "${LOG_DIR}"
 
-# shellcheck disable=SC2034
-python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
-    while read -r event dir mask maskname filename filepath pathname wd; do
-        #NOTE(elfosardo): a pyinotify event looks like this:
-        # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
-        FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
-        echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
-        rm -f "${LOG_DIR}/${FILENAME}"
+# Function to process log files
+process_log_file() {
+    local FILEPATH="$1"
+    # shellcheck disable=SC2155
+    local FILENAME=$(basename "${FILEPATH}")
+
+    echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
+    tar -tzf "${FILEPATH}" | while read -r entry; do
+        echo "${FILENAME}: **** Entry: ${entry} ****"
+        tar -xOzf "${FILEPATH}" "${entry}" | sed -e "s/^/${FILENAME}: /"
+        echo
     done
+    rm -f "${FILEPATH}"
+}
+
+# Export the function so watchmedo can use it
+export -f process_log_file
+
+# Use watchmedo to monitor for file close events
+# shellcheck disable=SC2016
+watchmedo shell-command \
+    --patterns="*" \
+    --ignore-directories \
+    --command='if [[ "${watch_event_type}" == "closed" ]]; then process_log_file "${watch_src_path}"; fi' \
+    "${LOG_DIR}"

ironic-image/scripts/tls-common.sh

@@ -1,13 +1,14 @@
 #!/bin/bash
 
-export IRONIC_CERT_FILE=/certs/ironic/tls.crt
-export IRONIC_KEY_FILE=/certs/ironic/tls.key
-export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 
+# Node image storage is using the same cert and port as the API
+export IRONIC_CERT_FILE=/certs/ironic/tls.crt
+export IRONIC_KEY_FILE=/certs/ironic/tls.key
+
 export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
 export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
 
@@ -16,15 +17,15 @@ export IPXE_KEY_FILE=/certs/ipxe/tls.key
 
 export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 
+# By default every cert has to be signed with Ironic's
+# CA otherwise node image and IPA verification would fail
 export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
+export BMC_CACERTS_PATH=/certs/ca/bmc
+export BMC_CACERT_FILE=/conf/bmc-tls.pem
+export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 
-mkdir -p /certs/ironic
-mkdir -p /certs/ca/ironic
-mkdir -p /certs/ipxe
-mkdir -p /certs/vmedia
-
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
     exit 1
@@ -69,6 +70,7 @@ if [[ -f "$IRONIC_CERT_FILE" ]] || [[ -f "$IRONIC_CACERT_FILE" ]]; then
     export IRONIC_TLS_SETUP="true"
     export IRONIC_SCHEME="https"
     if [[ ! -f "$IRONIC_CACERT_FILE" ]]; then
+        mkdir -p "$(dirname "${IRONIC_CACERT_FILE}")"
         copy_atomic "$IRONIC_CERT_FILE" "$IRONIC_CACERT_FILE"
     fi
 else
@@ -105,11 +107,23 @@ configure_restart_on_certificate_update()
 
     if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
         if [[ "${service}" == httpd ]]; then
+            # shellcheck disable=SC2034
             signal="WINCH"
         fi
-        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
-            while read -r; do
-                pkill "-${signal}" "${service}"
-            done &
+
+        # Use watchmedo to monitor certificate file deletion
+        # shellcheck disable=SC2016
+        watchmedo shell-command \
+            --patterns="$(basename "${cert_file}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -'"${signal}"' '"${service}"'; fi' \
+            "$(dirname "${cert_file}")" &
     fi
 }
+
+if [ -d "${BMC_CACERTS_PATH}" ]; then
+    export BMC_TLS_ENABLED="true"
+    cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"
+else
+    export BMC_TLS_ENABLED="false"
+fi

ironic-ipa-downloader-image/Dockerfile

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.aarch64

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.x86_64

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi

@@ -76,6 +76,7 @@
         <package name="grub2-i386-pc" arch="x86_64"/>
         <package name="grub2-x86_64-efi" arch="x86_64"/>
         <package name="grub2"/>
+        <package name="gettext-runtime"/>
         <package name="iproute2"/>
         <package name="iputils"/>
         <package name="kernel-default"/>
@@ -87,6 +88,7 @@
         <package name="timezone"/>
         <package name="which"/>
         <!-- ironic-python-agent specific -->
+        <package name="chrony"/>
         <package name="dmidecode"/>
         <package name="efibootmgr"/>
         <package name="gptfdisk"/>
@@ -95,15 +97,14 @@
         <package name="ipmitool"/>
         <package name="iputils"/>
         <package name="kbd"/>
+        <package name="krb5"/>
         <package name="lshw"/>
         <package name="lvm2"/>
         <package name="net-tools"/>
-        <package name="ntp"/>
         <package name="open-iscsi"/>
         <package name="openstack-ironic-python-agent"/>
         <package name="parted"/>
         <package name="psmisc"/>
-        <package name="python311-proliantutils"/>
         <package name="qemu-tools"/>
         <package name="timezone"/>
         <package name="which"/>

ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec

@@ -29,12 +29,12 @@ Source0:        config.sh
 Source10:       ironic-ipa-ramdisk.kiwi
 Source20:       root
 
+#!BuildIgnore:  systemd-mini
+BuildRequires: systemd
 BuildRequires:  -post-build-checks
 BuildRequires:  bash
 BuildRequires:  kiwi
-BuildRequires:  kiwi-tools
 BuildRequires:  zypper
-BuildArch:      noarch
 
 BuildRequires:  checkmedia
 BuildRequires:  acl
@@ -55,7 +55,6 @@ BuildRequires:  grub2-x86_64-efi
 %ifarch aarch64
 BuildRequires:  grub2-arm64-efi
 %endif
-BuildRequires:  haveged
 BuildRequires:  hdparm
 BuildRequires:  hwinfo
 BuildRequires:  ipmitool
@@ -65,7 +64,7 @@ BuildRequires:  kernel-default
 BuildRequires:  kernel-firmware-all
 BuildRequires:  lvm2
 BuildRequires:  net-tools
-BuildRequires:  ntp
+BuildRequires:  chrony
 BuildRequires:  open-iscsi
 BuildRequires:  openssh
 BuildRequires:  openstack-ironic-python-agent
@@ -77,7 +76,6 @@ BuildRequires:  pkgconfig
 BuildRequires:  Mesa-gallium
 BuildRequires:  plymouth
 BuildRequires:  plymouth-scripts
-BuildRequires:  python311-proliantutils
 BuildRequires:  psmisc
 BuildRequires:  qemu-tools
 BuildRequires:  sg3_utils
@@ -105,6 +103,9 @@ BuildRequires:  lshw
 BuildRequires:  kbd
 BuildRequires:  dmidecode
 BuildRequires:  efibootmgr
+BuildRequires:  glibc-locale
+BuildRequires:  krb5
+BuildRequires:  gettext-runtime
 %ifarch x86_64
 BuildRequires:  syslinux
 %endif
@@ -113,10 +114,9 @@ BuildRequires:  syslinux
 Kernel and ramdisk image for use with Metal3
 
 %package %{_arch}
+BuildArch:      noarch
 Summary:        Kernel and ramdisk image for Metal3
 Group:          System/Management
-Provides:       openstack-ironic-python-agent = %{version}
-Obsoletes:      openstack-ironic-python-agent < %{version}
 
 %description %{_arch}
 Kernel and ramdisk image for use with Metal3

kiwi-builder-image/Dockerfile

@@ -1,8 +1,8 @@
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0-%RELEASE%
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1
 
 # Base image version, should match the tag above
-ARG KIWIVERSION="10.2.12"
+ARG KIWIVERSION="10.2.29"
 FROM registry.suse.com/bci/kiwi:${KIWIVERSION}
 ARG KIWIVERSION
 
@@ -33,4 +33,6 @@ RUN mkdir -p /micro-sdk/defs
 ADD SL-Micro.kiwi /micro-sdk/defs
 ADD SL-Micro.kiwi.4096 /micro-sdk/defs
 ADD config.sh /micro-sdk/defs
+ADD disk.sh /micro-sdk/defs
 ADD editbootinstall_rpi.sh /micro-sdk/defs
+ADD editbootinstall_pine64.sh /micro-sdk/defs

kiwi-builder-image/README.build.md

@@ -0,0 +1,28 @@
+The following files are coming from _upstream_ https://build.opensuse.org/package/show/SUSE:SLFO:Products:SL-Micro:6.2/SL-Micro :
+
+* SL-Micro.kiwi
+* disk.sh
+* config.sh
+* editbootinstall_pine64.sh
+* editbootinstall_rpi.sh
+
+Those can be downloaded as:
+
+```
+curl -LO https://src.suse.de/products/SL-Micro/raw/branch/6.2/SL-Micro/SL-Micro.kiwi
+```
+
+The SL-Micro.kiwi file needs to be modified to append a few packages on the bootstrap stanza to be able to generate images with no SSL errors:
+
+```
+     <packages type="bootstrap">
+         <package name="filesystem"/>
++        <package name="coreutils"/>
++        <package name="ca-certificates"/>
++        <package name="ca-certificates-mozilla"/>
+     </packages>
+```
+
+The SL-Micro.kiwi.4096 file needs to be modified to modify the `target_blocksize="4096"` where appropiate.
+
+All the other files are used verbatim.

kiwi-builder-image/SL-Micro.kiwi

@@ -30,16 +30,13 @@
         <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
             <requires profile="bootloader"/>
         </profile>
-        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
-            <requires profile="bootloader"/>
-        </profile>
         <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
         <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
         <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
         <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
+        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
         <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
             <requires profile="bootloader"/>
         </profile>
@@ -89,6 +95,15 @@
         </profile>
         <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
             <requires profile="bootloader"/>
+        </profile> 
+       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
         </profile>
         <!-- Images (flavor + platform) -->
         <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
             <requires profile="full"/>
             <requires profile="aarch64"/>
         </profile>
-        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
-            <requires profile="full"/>
-            <requires profile="rpi"/>
-        </profile>
         <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
             <requires profile="container-host"/>
             <requires profile="aarch64"/>
         </profile>
-        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="rpi"/>
-        </profile>
         <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
             <requires profile="container-host"/>
             <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
             <requires profile="container-host"/>
             <requires profile="aarch64-rt"/>
         </profile>
-        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="aarch64-rt-rpi"/>
-        </profile>
         <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
             <requires profile="container-host"/>
             <requires profile="aarch64-rt-self_install"/>
@@ -277,10 +280,42 @@
             <requires profile="ppc64le-4096ss-self_install"/>
             <requires profile="self_install"/>
         </profile>
+	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi-self_install"/>
+        </profile>
+	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
     </profiles>
 
     <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -291,7 +326,8 @@
             initrd_system="dracut"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -323,7 +359,7 @@
         </type>
     </preferences>
     <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -334,7 +370,8 @@
             initrd_system="dracut"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -359,7 +396,7 @@
     </preferences>
 
     <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -374,7 +411,8 @@
             installboot="install"
             install_continue_on_timeout="false"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -397,9 +435,8 @@
             </systemdisk>
         </type>
     </preferences>
-
-    <preferences profiles="rpi,aarch64-rt-rpi">
-        <version>6.1</version>
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -414,11 +451,96 @@
             install_continue_on_timeout="false"
             fsmountoptions="noatime"
             firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="rpi">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
-            efipartsize="128"
             editbootinstall="editbootinstall_rpi.sh"
             btrfs_root_is_readonly_snapshot="true"
             btrfs_quota_groups="false"
@@ -438,9 +560,8 @@
             </systemdisk>
         </type>
     </preferences>
-
-    <preferences profiles="aarch64,aarch64-rt">
-        <version>6.1</version>
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -450,19 +571,20 @@
             image="oem"
             initrd_system="dracut"
             installiso="true"
+            installpxe="true"
             filesystem="btrfs"
             installboot="install"
             install_continue_on_timeout="false"
-            fsmountoptions="noatime"
             firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
+            bootkernel="custom"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
-            efipartsize="128"
             btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
-            disk_start_sector="4096"
+            btrfs_quota_groups="true"
+            disk_start_sector="8192"
         >
             <bootloader name="grub2" console="gfxterm" timeout="3" />
             <systemdisk>
@@ -478,8 +600,8 @@
             </systemdisk>
         </type>
     </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
-        <version>6.1</version>
+    <preferences profiles="rpi-self_install">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -494,13 +616,14 @@
             installboot="install"
             install_continue_on_timeout="false"
             firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
             btrfs_root_is_readonly_snapshot="true"
+            editbootinstall="editbootinstall_rpi.sh"
             btrfs_quota_groups="true"
             disk_start_sector="4096"
         >
@@ -520,7 +643,7 @@
     </preferences>
 
     <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -558,7 +681,7 @@
 
 
     <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -596,7 +719,7 @@
 
 
     <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -631,7 +754,7 @@
     </preferences>
 
     <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -670,7 +793,7 @@
     </preferences>
 
     <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -681,6 +804,7 @@
             filesystem="btrfs"
             format="vmdk"
             firmware="uefi"
+            efipartsize="512"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -701,11 +825,11 @@
                 <volume name="var" copy_on_write="false"/>
             </systemdisk>
             <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
         </type>
     </preferences>
     <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -716,7 +840,8 @@
             format="qcow2"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -740,9 +865,9 @@
             <size unit="G">32</size>
         </type>
     </preferences>
-
+ 
     <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -753,8 +878,8 @@
             format="qcow2"
             filesystem="btrfs"
             firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"     
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -765,7 +890,7 @@
             <systemdisk>
                 <volume name="home"/>
                 <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                 <volume name="boot/writable"/>
@@ -777,7 +902,7 @@
     </preferences>
 
     <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -788,7 +913,7 @@
             image="oem"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -800,7 +925,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -810,7 +935,7 @@
         </type>
     </preferences>
     <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -824,7 +949,7 @@
             target_blocksize="4096"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -836,7 +961,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -847,7 +972,7 @@
     </preferences>
 
     <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -860,7 +985,7 @@
             installpxe="true"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -877,7 +1002,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -887,7 +1012,7 @@
         </type>
     </preferences>
     <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -903,7 +1028,7 @@
             target_blocksize="4096"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -920,7 +1045,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -936,20 +1061,17 @@
     </repository>
 
     <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
-        <namedCollection name="salt_minion"/>
-	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
         <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
         <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
         <namedCollection name="selinux"/>
         <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
         <package name="suseconnect-ng"/>
         <package name="SL-Micro-release"/>
         <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -959,7 +1081,7 @@
 	<package name="libpwquality-tools"/>
     </packages>
 
-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
         <!-- full disk encryption stuff -->
         <package name="device-mapper"/>
         <package name="cryptsetup"/>
@@ -972,13 +1094,12 @@
     </packages>
 
     <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="container_runtime_podman"/>
         <package name="patterns-container-runtime_podman"/>
         <namedCollection name="selinux"/>
         <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
         <package name="suseconnect-ng"/>
         <package name="SL-Micro-release"/>
         <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1002,16 +1123,16 @@
 	<package name="jeos-firstboot"/>
     </packages>
 
-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
         <package name="cloud-init"/>
         <package name="cloud-init-config-suse"/>
     </packages>
 
     <packages type="image">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
         <package name="grub2"/>
         <package name="glibc-locale-base"/>
         <package name="ca-certificates"/>
@@ -1030,9 +1151,10 @@
         <package name="NetworkManager"/>
         <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
+	<package name="iptables"/> <!-- needed by RKE2 -->
     </packages>
 
     <packages type="image" profiles="bootloader">
@@ -1049,14 +1171,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
     </packages>
     <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
         <package name="kernel-default"/>
         <package name="kernel-firmware-all"/>
     </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
+        <package name="kernel-64kb"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
         <package name="kernel-rt"/>
         <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
         <package name="cpuset"/> -->
     </packages>
     <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1068,17 +1194,18 @@
     <packages type="image" profiles="s390-fcp">
         <package name="multipath-tools"/>
     </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
         <package name="dracut-kiwi-oem-repart"/>
         <package name="dracut-kiwi-oem-dump"/>
     </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
         <package name="raspberrypi-firmware" arch="aarch64"/>
         <package name="raspberrypi-firmware-config" arch="aarch64"/>
         <package name="raspberrypi-firmware-dt" arch="aarch64"/>
         <package name="u-boot-rpiarm64" arch="aarch64"/>
     </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
         <package name="dracut-kiwi-oem-repart"/>
         <package name="bcm43xx-firmware"/>
         <package name="wireless-regdb"/>
@@ -1086,6 +1213,7 @@
         <package name="wpa_supplicant"/>
         <package name="grub2-arm64-efi"/>
     </packages>
+    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
     <packages type="bootstrap">
         <package name="filesystem"/>
         <package name="coreutils"/>
@@ -1102,14 +1230,15 @@
     <packages type="image" profiles="x86-qcow,aarch64-qcow">
         <package name="qemu-guest-agent"/>
     </packages>
-
+    
     <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
         <package name="usbguard"/>
     </packages>
 
     <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
         <package name="stalld"/>
     </packages>
 </image>
+

kiwi-builder-image/SL-Micro.kiwi.4096

@@ -30,16 +30,13 @@
         <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
             <requires profile="bootloader"/>
         </profile>
-        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
-            <requires profile="bootloader"/>
-        </profile>
         <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
         <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
         <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
         <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
             <requires profile="bootloader"/>
         </profile>
+        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
         <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
             <requires profile="bootloader"/>
         </profile>
@@ -89,6 +95,15 @@
         </profile>
         <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
             <requires profile="bootloader"/>
+        </profile> 
+       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
         </profile>
         <!-- Images (flavor + platform) -->
         <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
             <requires profile="full"/>
             <requires profile="aarch64"/>
         </profile>
-        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
-            <requires profile="full"/>
-            <requires profile="rpi"/>
-        </profile>
         <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
             <requires profile="container-host"/>
             <requires profile="aarch64"/>
         </profile>
-        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="rpi"/>
-        </profile>
         <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
             <requires profile="container-host"/>
             <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
             <requires profile="container-host"/>
             <requires profile="aarch64-rt"/>
         </profile>
-        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="aarch64-rt-rpi"/>
-        </profile>
         <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
             <requires profile="container-host"/>
             <requires profile="aarch64-rt-self_install"/>
@@ -277,21 +280,55 @@
             <requires profile="ppc64le-4096ss-self_install"/>
             <requires profile="self_install"/>
         </profile>
+	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi-self_install"/>
+        </profile>
+	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
     </profiles>
 
     <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
         <rpm-excludedocs>true</rpm-excludedocs>
         <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
         <type
             image="oem"
             initrd_system="dracut"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -301,9 +338,8 @@
             luks_version="luks2"
             luks="1234"
 	    luks_randomize="false"
-	    luks_pbkdf="pbkdf2"
+			luks_pbkdf="pbkdf2"
             target_blocksize="4096"
-            efipartsize="200"
         >
             <luksformat>
                 <option name="--cipher" value="aes-xts-plain64"/>
@@ -325,18 +361,20 @@
         </type>
     </preferences>
     <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
         <rpm-excludedocs>true</rpm-excludedocs>
         <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
         <type
             image="oem"
             initrd_system="dracut"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -344,7 +382,6 @@
             btrfs_root_is_readonly_snapshot="true"
             btrfs_quota_groups="true"
             target_blocksize="4096"
-            efipartsize="200"
         >
     	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
             <systemdisk>
@@ -363,12 +400,13 @@
     </preferences>
 
     <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
         <rpm-excludedocs>true</rpm-excludedocs>
         <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
         <type
             image="oem"
             initrd_system="dracut"
@@ -378,7 +416,8 @@
             installboot="install"
             install_continue_on_timeout="false"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -386,7 +425,6 @@
             btrfs_root_is_readonly_snapshot="true"
             btrfs_quota_groups="true"
             target_blocksize="4096"
-            efipartsize="200"
         >
             <bootloader name="grub2" console="gfxterm" timeout="3" />
             <systemdisk>
@@ -403,9 +441,97 @@
             </systemdisk>
         </type>
     </preferences>
-
-    <preferences profiles="rpi,aarch64-rt-rpi">
-        <version>6.1</version>
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            target_blocksize="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+            target_blocksize="4096"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="rpi">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -420,11 +546,11 @@
             install_continue_on_timeout="false"
             fsmountoptions="noatime"
             firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
-            efipartsize="128"
             editbootinstall="editbootinstall_rpi.sh"
             btrfs_root_is_readonly_snapshot="true"
             btrfs_quota_groups="false"
@@ -444,31 +570,33 @@
             </systemdisk>
         </type>
     </preferences>
-
-    <preferences profiles="aarch64,aarch64-rt">
-        <version>6.1</version>
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
         <rpm-excludedocs>true</rpm-excludedocs>
         <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
         <type
             image="oem"
             initrd_system="dracut"
             installiso="true"
+            installpxe="true"
             filesystem="btrfs"
             installboot="install"
             install_continue_on_timeout="false"
-            fsmountoptions="noatime"
             firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
+            bootkernel="custom"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
-            efipartsize="128"
             btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
-            disk_start_sector="4096"
+            btrfs_quota_groups="true"
+            disk_start_sector="8192"
+            target_blocksize="4096"
         >
             <bootloader name="grub2" console="gfxterm" timeout="3" />
             <systemdisk>
@@ -484,8 +612,8 @@
             </systemdisk>
         </type>
     </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
-        <version>6.1</version>
+    <preferences profiles="rpi-self_install">
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -500,13 +628,14 @@
             installboot="install"
             install_continue_on_timeout="false"
             firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
             btrfs_root_is_readonly_snapshot="true"
+            editbootinstall="editbootinstall_rpi.sh"
             btrfs_quota_groups="true"
             disk_start_sector="4096"
         >
@@ -526,7 +655,7 @@
     </preferences>
 
     <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -564,7 +693,7 @@
 
 
     <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -602,7 +731,7 @@
 
 
     <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -637,7 +766,7 @@
     </preferences>
 
     <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -676,7 +805,7 @@
     </preferences>
 
     <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -687,6 +816,7 @@
             filesystem="btrfs"
             format="vmdk"
             firmware="uefi"
+            efipartsize="512"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -707,11 +837,11 @@
                 <volume name="var" copy_on_write="false"/>
             </systemdisk>
             <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
         </type>
     </preferences>
     <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -722,15 +852,14 @@
             format="qcow2"
             filesystem="btrfs"
             firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
             btrfs_root_is_snapshot="true"
             btrfs_root_is_readonly_snapshot="true"
             btrfs_quota_groups="true"
-            target_blocksize="4096"
-            efipartsize="200"
         >
             <bootloader name="grub2" console="gfxterm" timeout="3" />
             <systemdisk>
@@ -748,9 +877,9 @@
             <size unit="G">32</size>
         </type>
     </preferences>
-
+ 
     <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -761,8 +890,8 @@
             format="qcow2"
             filesystem="btrfs"
             firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"     
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -773,7 +902,7 @@
             <systemdisk>
                 <volume name="home"/>
                 <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                 <volume name="boot/writable"/>
@@ -785,7 +914,7 @@
     </preferences>
 
     <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -796,7 +925,7 @@
             image="oem"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -808,7 +937,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -818,7 +947,7 @@
         </type>
     </preferences>
     <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -832,7 +961,7 @@
             target_blocksize="4096"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -844,7 +973,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -855,7 +984,7 @@
     </preferences>
 
     <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -868,7 +997,7 @@
             installpxe="true"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -885,7 +1014,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -895,7 +1024,7 @@
         </type>
     </preferences>
     <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
         <packagemanager>zypper</packagemanager>
         <bootsplash-theme>SLE</bootsplash-theme>
         <bootloader-theme>SLE</bootloader-theme>
@@ -911,7 +1040,7 @@
             target_blocksize="4096"
             filesystem="btrfs"
             firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
             bootpartition="false"
             bootkernel="custom"
             devicepersistency="by-uuid"
@@ -928,7 +1057,7 @@
                 <volume name="home"/>
                 <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                 <volume name="srv"/>
                 <volume name="boot/grub2/powerpc-ieee1275"/>
                 <volume name="boot/writable"/>
@@ -944,20 +1073,17 @@
     </repository>
 
     <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
-        <namedCollection name="salt_minion"/>
-	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
         <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
         <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
         <namedCollection name="selinux"/>
         <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
         <package name="suseconnect-ng"/>
         <package name="SL-Micro-release"/>
         <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -967,7 +1093,7 @@
 	<package name="libpwquality-tools"/>
     </packages>
 
-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
         <!-- full disk encryption stuff -->
         <package name="device-mapper"/>
         <package name="cryptsetup"/>
@@ -980,13 +1106,12 @@
     </packages>
 
     <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="container_runtime_podman"/>
         <package name="patterns-container-runtime_podman"/>
         <namedCollection name="selinux"/>
         <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
         <package name="suseconnect-ng"/>
         <package name="SL-Micro-release"/>
         <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1010,16 +1135,16 @@
 	<package name="jeos-firstboot"/>
     </packages>
 
-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
         <package name="cloud-init"/>
         <package name="cloud-init-config-suse"/>
     </packages>
 
     <packages type="image">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
         <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
         <package name="grub2"/>
         <package name="glibc-locale-base"/>
         <package name="ca-certificates"/>
@@ -1038,9 +1163,10 @@
         <package name="NetworkManager"/>
         <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
+	<package name="iptables"/> <!-- needed by RKE2 -->
     </packages>
 
     <packages type="image" profiles="bootloader">
@@ -1057,14 +1183,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
     </packages>
     <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
         <package name="kernel-default"/>
         <package name="kernel-firmware-all"/>
     </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
+        <package name="kernel-64kb"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
         <package name="kernel-rt"/>
         <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
         <package name="cpuset"/> -->
     </packages>
     <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1076,17 +1206,18 @@
     <packages type="image" profiles="s390-fcp">
         <package name="multipath-tools"/>
     </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
         <package name="dracut-kiwi-oem-repart"/>
         <package name="dracut-kiwi-oem-dump"/>
     </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
         <package name="raspberrypi-firmware" arch="aarch64"/>
         <package name="raspberrypi-firmware-config" arch="aarch64"/>
         <package name="raspberrypi-firmware-dt" arch="aarch64"/>
         <package name="u-boot-rpiarm64" arch="aarch64"/>
     </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
         <package name="dracut-kiwi-oem-repart"/>
         <package name="bcm43xx-firmware"/>
         <package name="wireless-regdb"/>
@@ -1094,6 +1225,7 @@
         <package name="wpa_supplicant"/>
         <package name="grub2-arm64-efi"/>
     </packages>
+    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
     <packages type="bootstrap">
         <package name="filesystem"/>
         <package name="coreutils"/>
@@ -1110,14 +1242,15 @@
     <packages type="image" profiles="x86-qcow,aarch64-qcow">
         <package name="qemu-guest-agent"/>
     </packages>
-
+    
     <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
         <package name="usbguard"/>
     </packages>
 
     <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
         <package name="stalld"/>
     </packages>
 </image>
+

kiwi-builder-image/build-image.sh

@@ -28,7 +28,7 @@ LARGEBLOCK=false
 usage(){
   cat <<-EOF
   =====================================
-  SUSE Linux Micro 6.1 Kiwi SDK Builder
+  SUSE Linux Micro 6.2 Kiwi SDK Builder
   =====================================
 
   Usage: ${0} [-p <profile>] [-b]
@@ -36,13 +36,12 @@ usage(){
   Profile Options (-p):
   * Default: RAW Disk Image with default packages (incl. Podman & KVM)
   * Default-SelfInstall: SelfInstall ISO with default packages
-  * Default-RPi: RAW Disk Image for Raspberry Pi (aarch64 only with MBR)
   * Base: RAW Disk Image with reduced package set (no KVM)
   * Base-SelfInstall: SelfInstall ISO with reduced packages
   * Base-RT: RAW Disk Image with reduced packages and kernel-rt
   * Base-RT-SelfInstall: SelfInstall ISO with reduced packages and kernel-rt
-  * Base-RT-RPi: RAW Disk image for Raspberry Pi with kernel-rt (aarch64 only with MBR)
-  * Base-RPi: RAW Disk Image for Raspberry Pi with reduced packages (aarch64 only with MBR)
+  * RaspberryPi: RAW Disk Image for Raspberry Pi with default packages (aarch64 only with MBR)
+  * RaspberryPi-SelfInstall: SelfInstall ISO for Raspberry Pi with default packages (aarch64 only with MBR)
 
   4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
 
@@ -83,14 +82,34 @@ if $LARGEBLOCK; then
   mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
 fi
 
+# Create temporary directory that supports seclabel
+dir=$(mktemp -d)
+mkdir -p /tmp/output/tmp-dir
+mount -t tmpfs $dir /tmp/output/tmp-dir
+
 # Build the image
-kiwi-ng --debug --profile $PROFILE system build \
-    --description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
+kiwi-ng --temp-dir /tmp/output/tmp-dir --debug --profile $PROFILE \
+    system build --description /micro-sdk/defs --target-dir /tmp/output \
+    --ignore-repos-used-for-build $REPOS
 
 # Print output
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
   echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
+  # The -n flag is being used to avoid the \n at the end of the line
+  echo -n "INFO: Generating sha256 checksum file... " && {
+  # This returns the iso or raw image from the kiwi.result.json file, preferring iso
+  FILE_PATH=$(python3 -c 'import json, sys; data = json.load(sys.stdin); iso = data.get("installation_image", {}).get("filename"); raw = data.get("disk_image", {}).get("filename"); print(iso if iso else raw)' < /tmp/output/kiwi.result.json)
+  # Generate the checksum if the file path was successfully extracted
+  if [ -n "$FILE_PATH" ]; then
+    # The sed trims the full path to just the filename (e.g., "sum filename")
+    sha256sum "$FILE_PATH" | sed -E 's/\s+.*\/([^/]+)$/  \1/' > "$FILE_PATH.sha256" && echo "done"
+  else
+    # Or fail if it is not there
+    echo "ERROR: Neither ISO nor RAW file path found in JSON."
+  fi
+  # Catch-all just in case something fails inside the block
+  } || echo "ERROR: Command failed during processing."
 else
   echo -e "\n\nERROR: Failed to build the image, please see above logs."
 fi

kiwi-builder-image/config.sh

@@ -188,7 +188,6 @@ cat >/etc/fstab.script <<"EOF"
 #!/bin/sh
 set -eux
 
-/usr/sbin/setup-fstab-for-overlayfs
 # If /var is on a different partition than /...
 if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
 	# ... set options for autoexpanding /var

kiwi-builder-image/disk.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright (c) 2025 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+set -euxo pipefail
+
+/usr/libexec/setup-etc-subvol

kiwi-builder-image/editbootinstall_pine64.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -euxo pipefail
+
+diskname=$1
+devname="$2"
+loopname="${devname%*p?}"
+loopdev=/dev/${loopname#/dev/mapper/*}
+
+#==========================================
+# The GPT spans the first 33 sectors, but we need to write our
+# at sector 16. Shrink the GPT to only span 5 sectors
+# (16 partitions) to give us some space.
+#------------------------------------------
+# echo -e 'x\ns\n16\nw\ny' > gdisk.tmp
+# Shrink GPT does not work anymore, so let's use legacy MBR for now
+cat > gdisk.tmp <<-'EOF'
+		x
+		r
+		g
+		t
+		1
+		c
+		w
+		y
+	EOF
+dd if=$loopdev of=mbrid.bin bs=1 skip=440 count=4
+gdisk $loopdev < gdisk.tmp
+dd of=$loopdev if=mbrid.bin bs=1 seek=440 count=4
+rm -f mbrid.bin
+rm -f gdisk.tmp
+
+#==========================================
+# Installing All-in-one U-Boot/SPL
+#------------------------------------------
+echo "Installing All-in-one U-Boot/SPL..."
+if ! dd if=boot/u-boot-sunxi-with-spl.bin of=$diskname bs=1024 seek=8 conv=notrunc; then
+	echo "Couldn't install SPL on $diskname"
+	exit 1
+fi
+

kiwi-builder-image/editbootinstall_rpi.sh

@@ -3,12 +3,9 @@ set -euxo pipefail
 
 diskname=$1
 devname="$2"
-
 loopname="${devname%*p?}"
 loopdev=/dev/${loopname#/dev/*}
 
-if [ ! -f $loopdev ]; then loopdev=/dev/${loopdev#/dev/mapper/}; fi
-
 #==========================================
 # copy Raspberry Pi firmware to EFI partition
 #------------------------------------------

kube-rbac-proxy/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.18.1</param>
+    <param name="revision">v0.19.1</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

kube-rbac-proxy/kube-rbac-proxy.spec

@@ -17,14 +17,14 @@
 
 
 Name:           kube-rbac-proxy
-Version:        0.18.1
-Release:        0.18.1
+Version:        0.19.1
+Release:        0.19.1
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

kubectl-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -15,11 +15,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE kubectl image"
 LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.33.4"
+LABEL org.opencontainers.image.version="1.34.2"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"

kubectl/kubectl.spec

@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 
 Name: kubectl
-Version: 1.33.4
+Version: 1.34.2
 Release: 0
 Summary: Command-line utility for interacting with a Kubernetes cluster
 

kubevirt-dashboard-extension-chart/Chart.yaml

@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.2
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.2-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3-%RELEASE%
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
   catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
   catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 304.0.3+up1.3.2
+appVersion: 1.3.3
 description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard'
 name: kubevirt-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.3+up1.3.2"
+version: "%%CHART_MAJOR%%.0.4+up1.3.3"
 icon: >-
   https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg

kubevirt-dashboard-extension-chart/templates/cr.yaml

@@ -8,7 +8,7 @@ spec:
   plugin:
     name: {{ include "extension-server.fullname" . }}
     version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/304.0.3+up1.3.2
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/1.3.3
     noCache: {{ .Values.plugin.noCache }}
     noAuth: {{ .Values.plugin.noAuth }}
     metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}

metal3-chart/Chart.yaml

@@ -1,21 +1,21 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.19_up0.12.9
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.19_up0.12.9-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.20_up0.13.0
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.20_up0.13.0-%RELEASE%
 apiVersion: v2
-appVersion: 0.12.9
+appVersion: 0.13.0
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
   repository: file://./charts/baremetal-operator
-  version: 0.10.4
+  version: 0.11.2
 - alias: metal3-ironic
   name: ironic
   repository: file://./charts/ironic
-  version: 0.11.6
+  version: 0.12.0
 - alias: metal3-mariadb
   condition: global.enable_mariadb
   name: mariadb
   repository: file://./charts/mariadb
-  version: 0.6.1
+  version: 0.6.2
 - alias: metal3-media
   condition: global.enable_metal3_media_server
   name: media
@@ -25,4 +25,4 @@ description: A Helm chart that installs all of the dependencies needed for Metal
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.19+up0.12.9"
+version: "%%CHART_MAJOR%%.0.20+up0.13.0"

metal3-chart/charts/baremetal-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.10.2
+appVersion: 0.11.2
 description: A Helm chart for baremetal-operator, used by Metal3
 name: baremetal-operator
 type: application
-version: 0.10.4
+version: 0.11.2

metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml

@@ -291,6 +291,15 @@ spec:
                 required:
                 - url
                 type: object
+              inspectionMode:
+                description: |-
+                  Specifies the mode for host inspection.
+                  "disabled" - no inspection will be performed
+                  "agent" - normal agent-based inspection will run
+                enum:
+                - disabled
+                - agent
+                type: string
               metaData:
                 description: |-
                   MetaData holds the reference to the Secret containing host metadata
@@ -578,9 +587,8 @@ spec:
                       description: Required. The taint key to be applied to a node.
                       type: string
                     timeAdded:
-                      description: |-
-                        TimeAdded represents the time at which the taint was added.
-                        It is only written for NoExecute taints.
+                      description: TimeAdded represents the time at which the taint
+                        was added.
                       format: date-time
                       type: string
                     value:
@@ -710,6 +718,19 @@ spec:
                             if one is present.  If both IPv4 and IPv6 addresses are present in a
                             dual-stack environment, two nics will be output, one with each IP.
                           type: string
+                        lldp:
+                          description: LLDP data for this interface
+                          properties:
+                            portID:
+                              description: The switch port ID from LLDP
+                              type: string
+                            switchID:
+                              description: The switch chassis ID from LLDP
+                              type: string
+                            switchSystemName:
+                              description: The switch system name from LLDP
+                              type: string
+                          type: object
                         mac:
                           description: The device MAC address
                           pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'

metal3-chart/charts/baremetal-operator/crds/customresource-hardwaredata.yaml

@@ -99,6 +99,19 @@ spec:
                             if one is present.  If both IPv4 and IPv6 addresses are present in a
                             dual-stack environment, two nics will be output, one with each IP.
                           type: string
+                        lldp:
+                          description: LLDP data for this interface
+                          properties:
+                            portID:
+                              description: The switch port ID from LLDP
+                              type: string
+                            switchID:
+                              description: The switch chassis ID from LLDP
+                              type: string
+                            switchSystemName:
+                              description: The switch system name from LLDP
+                              type: string
+                          type: object
                         mac:
                           description: The device MAC address
                           pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'

metal3-chart/charts/baremetal-operator/values.yaml

@@ -28,7 +28,7 @@ images:
   baremetalOperator:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/baremetal-operator
     pullPolicy: IfNotPresent
-    tag: "0.10.2.1"
+    tag: "0.11.2.0"
 
 imagePullSecrets: []
 nameOverride: "manger"

metal3-chart/charts/ironic/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 29.0.4
+appVersion: 32.0.0
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.11.6
+version: 0.12.0

metal3-chart/charts/ironic/templates/configmap.yaml

@@ -53,5 +53,5 @@ data:
   IRONIC_USE_MARIADB: "false"
   {{- end }}
   {{- with .Values.ironicExtraEnv -}}
-  {{ toYaml . | nindent 2 }}  
+  {{ toYaml . | nindent 2 }}
   {{- end -}}

metal3-chart/charts/ironic/templates/deployment.yaml

@@ -160,12 +160,7 @@ spec:
         image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
         imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
         securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
-        securityContext:
-          capabilities:
-            add:
-            - NET_ADMIN
-            - NET_RAW
+          {{- merge .Values.securityContext .Values.dnsmasqSecurityContext | toYaml | nindent 10 }}
         command:
         - /bin/rundnsmasq
         envFrom:

metal3-chart/charts/ironic/values.yaml

@@ -64,7 +64,7 @@ images:
   ironic:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
     pullPolicy: IfNotPresent
-    tag: 29.0.4.4
+    tag: 32.0.0.0
   ironicIPADownloader:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
     pullPolicy: IfNotPresent
@@ -97,6 +97,12 @@ securityContext:
     type: RuntimeDefault
   runAsNonRoot: true
 
+dnsmasqSecurityContext:
+  capabilities:
+    add:
+    - NET_ADMIN
+    - NET_RAW
+
 service:
   type: LoadBalancer
   annotations: {}

metal3-chart/charts/mariadb/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: "10.11"
+appVersion: "11.8"
 description: A Helm chart for MariaDB, used by Metal3
 name: mariadb
 type: application
-version: 0.6.1
+version: 0.6.2

metal3-chart/charts/mariadb/values.yaml

@@ -14,7 +14,7 @@ service:
 image:
   repository: registry.suse.com/suse/mariadb
   pullPolicy: IfNotPresent
-  tag: 10.11
+  tag: 11.8
 
 nameOverride: ""
 fullnameOverride: ""

metal3-chart/values.yaml

@@ -89,8 +89,6 @@ metal3-media:
   # available to the Ironic deployment services.
   mediaVolume:
     hostPath: /opt/media
-  image:
-    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"
 
 #
 # ironic service

metallb-chart/Chart.yaml

@@ -1,17 +1,17 @@
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2-%RELEASE%
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 dependencies:
 - condition: crds.enabled
   name: crds
   repository: file://./charts/crds
-  version: 0.14.9
+  version: 0.15.2
 - alias: metallb-frr-k8s
   condition: frrk8s.enabled
   name: frr-k8s
   repository: file://./charts/frr-k8s
-  version: 0.0.16
+  version: 0.0.20
 description: A network load-balancer implementation for Kubernetes using standard
   routing protocols
 home: https://metallb.universe.tf
@@ -21,4 +21,4 @@ name: metallb
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+version: "%%CHART_MAJOR%%.0.1+up0.15.2"

metallb-chart/README.md

@@ -1,6 +1,6 @@
 # metallb
 
-![Version: 0.14.9](https://img.shields.io/badge/Version-0.14.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.9](https://img.shields.io/badge/AppVersion-v0.14.9-informational?style=flat-square)
+![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.15.2](https://img.shields.io/badge/AppVersion-v0.15.2-informational?style=flat-square)
 
 A network load-balancer implementation for Kubernetes using standard routing protocols
 
@@ -16,8 +16,8 @@ Kubernetes: `>= 1.19.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.14.9 |
-| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.16 |
+|  | crds | 0.15.2 |
+| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.20 |
 
 ## Values
 
@@ -99,7 +99,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `true` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.serviceAccount | string | `""` |  |
 | prometheus.serviceMonitor.controller.additionalLabels | object | `{}` |  |
@@ -122,7 +122,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.frr.enabled | bool | `true` |  |
 | speaker.frr.image.pullPolicy | string | `nil` |  |
 | speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| speaker.frr.image.tag | string | `"8.5.6"` |  |
+| speaker.frr.image.tag | string | `"10.2.1"` |  |
 | speaker.frr.metricsPort | int | `7473` |  |
 | speaker.frr.resources | object | `{}` |  |
 | speaker.frrMetrics.resources | object | `{}` |  |

metallb-chart/charts/crds/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 description: MetalLB CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.14.9
+version: 0.15.2

metallb-chart/charts/crds/templates/crds.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bfdprofiles.metallb.io
 spec:
   group: metallb.io
@@ -123,7 +123,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bgpadvertisements.metallb.io
 spec:
   group: metallb.io
@@ -329,7 +329,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bgppeers.metallb.io
 spec:
   conversion:
@@ -526,7 +526,15 @@ spec:
                       rule: duration(self).getMilliseconds() % 1000 == 0
                 disableMP:
                   default: false
-                  description: To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+                  description: |-
+                    To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+                    Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily.
+                  type: boolean
+                dualStackAddressFamily:
+                  default: false
+                  description: |-
+                    To set if we want to enable the neighbor not only for the ipfamily related to its session,
+                    but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa.
                   type: boolean
                 dynamicASN:
                   description: |-
@@ -555,6 +563,14 @@ spec:
                 holdTime:
                   description: Requested BGP hold time, per RFC4271.
                   type: string
+                interface:
+                  description: |-
+                    Interface is the node interface over which the unnumbered BGP peering will
+                    be established. No API validation takes place as that string value
+                    represents an interface name on the host and if user provides an invalid
+                    value, only the actual BGP session will not be established.
+                    Address and Interface are mutually exclusive and one of them must be specified.
+                  type: string
                 keepaliveTime:
                   description: Requested BGP keepalive time, per RFC4271.
                   type: string
@@ -649,7 +665,7 @@ spec:
                   default: 179
                   description: Port to dial when establishing the session.
                   maximum: 16384
-                  minimum: 0
+                  minimum: 1
                   type: integer
                 routerID:
                   description: BGP router ID to advertise to the peer
@@ -664,7 +680,6 @@ spec:
                   type: string
               required:
                 - myASN
-                - peerAddress
               type: object
             status:
               description: BGPPeerStatus defines the observed state of Peer.
@@ -679,7 +694,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: communities.metallb.io
 spec:
   group: metallb.io
@@ -744,7 +759,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: ipaddresspools.metallb.io
 spec:
   group: metallb.io
@@ -941,6 +956,28 @@ spec:
               type: object
             status:
               description: IPAddressPoolStatus defines the observed state of IPAddressPool.
+              properties:
+                assignedIPv4:
+                  description: AssignedIPv4 is the number of assigned IPv4 addresses.
+                  format: int64
+                  type: integer
+                assignedIPv6:
+                  description: AssignedIPv6 is the number of assigned IPv6 addresses.
+                  format: int64
+                  type: integer
+                availableIPv4:
+                  description: AvailableIPv4 is the number of available IPv4 addresses.
+                  format: int64
+                  type: integer
+                availableIPv6:
+                  description: AvailableIPv6 is the number of available IPv6 addresses.
+                  format: int64
+                  type: integer
+              required:
+                - assignedIPv4
+                - assignedIPv6
+                - availableIPv4
+                - availableIPv6
               type: object
           required:
             - spec
@@ -954,7 +991,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: l2advertisements.metallb.io
 spec:
   group: metallb.io
@@ -1134,7 +1171,92 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: servicebgpstatuses.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: ServiceBGPStatus
+    listKind: ServiceBGPStatusList
+    plural: servicebgpstatuses
+    singular: servicebgpstatus
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.node
+          name: Node
+          type: string
+        - jsonPath: .status.serviceName
+          name: Service Name
+          type: string
+        - jsonPath: .status.serviceNamespace
+          name: Service Namespace
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ServiceBGPStatus exposes the BGP peers a service is configured to be advertised to, per relevant node.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ServiceBGPStatusSpec defines the desired state of ServiceBGPStatus.
+              type: object
+            status:
+              description: MetalLBServiceBGPStatus defines the observed state of ServiceBGPStatus.
+              properties:
+                node:
+                  description: Node indicates the node announcing the service.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+                peers:
+                  description: |-
+                    Peers indicate the BGP peers for which the service is configured to be advertised to.
+                    The service being actually advertised to a given peer depends on the session state and is not indicated here.
+                  items:
+                    type: string
+                  type: array
+                serviceName:
+                  description: ServiceName indicates the service this status represents.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+                serviceNamespace:
+                  description: ServiceNamespace indicates the namespace of the service.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: servicel2statuses.metallb.io
 spec:
   group: metallb.io

metallb-chart/charts/frr-k8s/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 dependencies:
 - condition: crds.enabled
   name: crds
   repository: file://./charts/crds
-  version: 0.0.16
+  version: 0.0.20
 description: A cloud native wrapper of FRR
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -13,4 +13,4 @@ name: frr-k8s
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20

metallb-chart/charts/frr-k8s/README.md

@@ -1,6 +1,6 @@
 # frr-k8s
 
-![Version: 0.0.16](https://img.shields.io/badge/Version-0.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.16](https://img.shields.io/badge/AppVersion-v0.0.16-informational?style=flat-square)
+![Version: 0.0.20](https://img.shields.io/badge/Version-0.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.20](https://img.shields.io/badge/AppVersion-v0.0.20-informational?style=flat-square)
 
 A cloud native wrapper of FRR
 
@@ -16,7 +16,7 @@ Kubernetes: `>= 1.19.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.0.16 |
+|  | crds | 0.0.20 |
 
 ## Values
 
@@ -30,7 +30,7 @@ Kubernetes: `>= 1.19.0-0`
 | frrk8s.frr.acceptIncomingBGPConnections | bool | `false` |  |
 | frrk8s.frr.image.pullPolicy | string | `nil` |  |
 | frrk8s.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| frrk8s.frr.image.tag | string | `"8.5.6"` |  |
+| frrk8s.frr.image.tag | string | `"10.2.1"` |  |
 | frrk8s.frr.metricsBindAddress | string | `"127.0.0.1"` |  |
 | frrk8s.frr.metricsPort | int | `7573` |  |
 | frrk8s.frr.resources | object | `{}` |  |
@@ -78,7 +78,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `false` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.secureMetricsPort | int | `9140` |  |
 | prometheus.serviceAccount | string | `""` |  |

metallb-chart/charts/frr-k8s/charts/crds/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 description: FRR K8s CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20

metallb-chart/charts/frr-k8s/values.yaml

@@ -98,7 +98,7 @@ frrk8s:
   tolerateMaster: true
   image:
     repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr-k8s"
-    tag: "v0.0.16"
+    tag: "v0.0.20"
     pullPolicy: IfNotPresent
   ## @param controller.updateStrategy.type FRR-K8s controller daemonset strategy type
   ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
@@ -161,7 +161,7 @@ frrk8s:
   frr:
     image:
       repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr"
-      tag: "8.5.6"
+      tag: "10.2.1"
       pullPolicy: IfNotPresent
     metricsBindAddress: 127.0.0.1
     metricsPort: 7573

metallb-chart/templates/rbac.yaml

@@ -110,6 +110,9 @@ rules:
 - apiGroups: ["metallb.io"]
   resources: ["communities"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["servicebgpstatuses","servicebgpstatuses/status"]
+  verbs: ["*"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -138,6 +141,9 @@ rules:
 - apiGroups: ["metallb.io"]
   resources: ["ipaddresspools"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["ipaddresspools/status"]
+  verbs: ["update"]
 - apiGroups: ["metallb.io"]
   resources: ["bgppeers"]
   verbs: ["get", "list"]

metallb-chart/values.yaml

@@ -59,7 +59,7 @@ prometheus:
   # the image to be used for the kuberbacproxy container
   rbacProxy:
     repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
-    tag: "0.18.1"
+    tag: "0.19.1"
     pullPolicy: IfNotPresent
 
   # Prometheus Operator PodMonitors
@@ -201,7 +201,7 @@ controller:
   # webhookMode: enabled
   image:
     repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller"
-    tag: "v0.14.9"
+    tag: "v0.15.2"
     pullPolicy: IfNotPresent
   ## @param controller.updateStrategy.type Metallb controller deployment strategy type.
   ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
@@ -282,7 +282,7 @@ speaker:
 
   image:
     repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker"
-    tag: "v0.14.9"
+    tag: "v0.15.2"
     pullPolicy: IfNotPresent
   ## @param speaker.updateStrategy.type Speaker daemonset strategy type
   ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
@@ -346,7 +346,7 @@ speaker:
     enabled: false
     image:
       repository: "%%IMG_REPO%%/%%IMG_PREFIX%%frr"
-      tag: "8.5.6"
+      tag: "10.2.1"
       pullPolicy: IfNotPresent
     metricsPort: 7473
     resources: {}

metallb/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metallb/metallb</param>
     <param name="scm">git</param>
-    <param name="revision">v0.14.9</param>
+    <param name="revision">v0.15.2</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
   <service name="go_modules">
   </service>
   <service mode="buildtime" name="set_version" />
-</services>
+</services>

metallb/metallb.spec

@@ -17,14 +17,14 @@
 
 
 Name:           metallb
-Version:        0.14.9
-Release:        0.14.9
+Version:        0.15.2
+Release:        0.15.2
 Summary:        Load Balancer for bare metal Kubernetes clusters
 License:        Apache-2.0
 URL:            https://github.com/metallb/metallb
 Source:         %{name}-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

network-resources-injector-image/Dockerfile

@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%network-resources-injector:v%%network-resources-injector_version%%
+#!BuildTag: %%IMG_PREFIX%%network-resources-injector:v%%network-resources-injector_version%%-%RELEASE%
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends network-resources-injector gawk which; \
+    zypper -n clean; \
+    rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.network-resources-injector
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE network-resources-injector Container Image"
+LABEL org.opencontainers.image.description="network-resources-injector based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%network-resources-injector_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%network-resources-injector:%%network-resources-injector_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+USER 1001
+COPY --from=base /installroot /
+CMD ["/usr/bin/webhook"]

network-resources-injector-image/_service

@@ -0,0 +1,19 @@
+<services>
+  <service name="kiwi_metainfo_helper" mode="buildtime"/>
+  <service name="docker_label_helper" mode="buildtime"/>
+  <service name="replace_using_package_version" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="regex">%%network-resources-injector_version%%</param>
+    <param name="package">network-resources-injector</param>
+    <param name="parse-version">patch</param>
+  </service>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
+  </service>
+</services>

network-resources-injector/_service

@@ -0,0 +1,20 @@
+<services>
+ <service name="obs_scm">
+    <param name="url">https://github.com/k8snetworkplumbingwg/network-resources-injector</param>
+    <param name="scm">git</param>
+    <param name="revision">v1.8.0</param>
+    <param name="version">_auto_</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="changesgenerate">enable</param>
+    <param name="changesauthor">antonio.alarcon@suse.com</param>
+    <param name="match-tag">v*</param>
+    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+    <param name="without-version">yes</param>
+    <param name="versionrewrite-replacement">\1</param>
+  </service>
+  <service mode="buildtime" name="tar">
+    <param name="obsinfo">network-resources-injector.obsinfo</param>
+  </service>
+  <service name="go_modules" />
+  <service mode="buildtime" name="set_version" />
+</services>

network-resources-injector/network-resources-injector.spec

@@ -0,0 +1,62 @@
+#
+# spec file for package network-resources-injector
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           network-resources-injector
+Version:        0
+Release:        0
+Summary:        Kubernetes admission controller able to patch pod spec's requests and limits on custom network resources
+License:        Apache-2.0
+URL:            https://github.com/k8snetworkplumbingwg/network-resources-injector
+Source:         %{name}-%{version}.tar
+Source1:        vendor.tar.gz
+BuildRequires:  golang(API) = 1.24
+ExcludeArch:    s390
+ExcludeArch:    %{ix86}
+
+%description
+Network Resources Injector is a Kubernetes Dynamic Admission Controller application that provides functionality of
+patching Kubernetes pod specifications with requests and limits of custom network resources (managed by device plugins
+such as k8snetworkplumbingwg/sriov-network-device-plugin). Requires Multus Network-Attach-Definition (NAD) custom
+objects to be created before creating the pod object referring/pointing to them; custom network resources' request and
+limits to add to the pod spec are inferred from the pointed NAD/s.
+
+%prep
+%autosetup -a1 -n %{name}-%{version} -p1
+
+%build
+# CGO is disabled by default in upstream Makefile
+%define cgoenabled "0"
+# go build constrain (aka tag) "no_openssl" is set by default in upstream Makefile
+%define buildgotags "no_openssl"
+%define buildldflags "-w -s"
+CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -trimpath -ldflags %{buildldflags} -tags %{buildgotags} -o installer ./cmd/installer
+CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -trimpath -ldflags %{buildldflags} -tags %{buildgotags} -o webhook ./cmd/webhook
+
+
+%install
+install -D -m0755 installer %{buildroot}%{_bindir}/installer
+install -D -m0755 webhook %{buildroot}%{_bindir}/webhook
+
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/installer
+%{_bindir}/webhook
+
+%changelog

node-feature-discovery-image/Dockerfile

@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%node-feature-discovery:v%%node-feature-discovery_version%%
+#!BuildTag: %%IMG_PREFIX%%node-feature-discovery:v%%node-feature-discovery_version%%-%RELEASE%
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends node-feature-discovery; \
+    zypper -n clean; \
+    rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.node-feature-discovery
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE node-feature-discovery Container Image"
+LABEL org.opencontainers.image.description="node-feature-discovery based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%node-feature-discovery_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%node-feature-discovery:%%node-feature-discovery_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+USER 65534:65534
+COPY --from=base /installroot /
+
+