.gitmodules

@@ -1,39 +1,170 @@
-[submodule "obs-service-set_version"]
-	path = obs-service-set_version
-	url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
-[submodule "fakeroot"]
-	path = fakeroot
-	url = https://src.opensuse.org/pool/fakeroot.git
 [submodule "crudini"]
 	path = crudini
 	url = https://src.opensuse.org/pool/crudini.git
-[submodule "autoconf"]
-	path = autoconf
-	url = https://src.opensuse.org/SLFO-pool/autoconf.git
-[submodule "python-pydantic"]
-	path = python-pydantic
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic
-[submodule "python-pydantic-core"]
-	path = python-pydantic-core
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic-core
-[submodule "python-inline-snapshot"]
-	path = python-inline-snapshot
-	url = https://src.opensuse.org/SLFO-pool/python-inline-snapshot
-[submodule "python-executing"]
-	path = python-executing
-	url = https://src.opensuse.org/SLFO-pool/python-executing
-[submodule "python-typing-inspection"]
-	path = python-typing-inspection
-	url = https://src.opensuse.org/SLFO-pool/python-typing-inspection
-[submodule "python-annotated-types"]
-	path = python-annotated-types
-	url = https://src.opensuse.org/SLFO-pool/python-annotated-types
-[submodule "python-typing_extensions"]
-	path = python-typing_extensions
-	url = https://src.opensuse.org/SLFO-pool/python-typing_extensions
-[submodule "python-flit-core"]
-	path = python-flit-core
-	url = https://src.opensuse.org/SLFO-pool/python-flit-core
+[submodule "cni-plugins"]
+	path = cni-plugins
+	url = https://src.opensuse.org/pool/cni-plugins
+[submodule "python-kubernetes"]
+	path = python-kubernetes
+	url = https://src.opensuse.org/pool/python-kubernetes
+	branch = leap-16.0
+[submodule "python-durationpy"]
+	path = python-durationpy
+	url = https://src.opensuse.org/pool/python-durationpy
+	branch = leap-16.0
+[submodule "python-recommonmark"]
+	path = python-recommonmark
+	url = https://src.opensuse.org/pool/python-recommonmark
+	branch = leap-16.0
+[submodule "python-iniparse"]
+	path = python-iniparse
+	url = https://src.opensuse.org/pool/python-iniparse
+	branch = leap-16.0
+[submodule "python-commonmark"]
+	path = python-commonmark
+	url = https://src.opensuse.org/pool/python-commonmark
+	branch = leap-16.0
+[submodule "cni"]
+	path = cni
+	url = https://src.opensuse.org/pool/cni
+[submodule "python-tenacity"]
+	path = python-tenacity
+	url = https://src.opensuse.org/pool/python-tenacity
+[submodule "python-pint"]
+	path = python-pint
+	url = https://src.opensuse.org/pool/python-pint
+	branch = leap-16.0
+[submodule "python-flexcache"]
+	path = python-flexcache
+	url = https://src.opensuse.org/pool/python-flexcache
+	branch = leap-16.0
+[submodule "python-flexparser"]
+	path = python-flexparser
+	url = https://src.opensuse.org/pool/python-flexparser
+	branch = leap-16.0
+[submodule "python-uncertainties"]
+	path = python-uncertainties
+	url = https://src.opensuse.org/pool/python-uncertainties
+	branch = leap-16.0
+[submodule "python-dogpile.cache"]
+	path = python-dogpile.cache
+	url = https://src.opensuse.org/pool/python-dogpile.cache
+	branch = leap-16.0
+[submodule "python-pytest-mpl"]
+	path = python-pytest-mpl
+	url = https://src.opensuse.org/pool/python-pytest-mpl
+	branch = leap-16.0
+[submodule "python-zeroconf"]
+	path = python-zeroconf
+	url = https://src.opensuse.org/pool/python-zeroconf
+	branch = leap-16.0
+[submodule "python-ifaddr"]
+	path = python-ifaddr
+	url = https://src.opensuse.org/pool/python-ifaddr
+	branch = leap-16.0
+[submodule "python-yappi"]
+	path = python-yappi
+	url = https://src.opensuse.org/pool/python-yappi
+[submodule "python-routes"]
+	path = python-routes
+	url = https://src.opensuse.org/pool/python-routes
+	branch = leap-16.0
+[submodule "python-repoze.lru"]
+	path = python-repoze.lru
+	url = https://src.opensuse.org/pool/python-repoze.lru
+	branch = leap-16.0
+[submodule "ipxe"]
+	path = ipxe
+	url = https://src.opensuse.org/pool/ipxe
+	branch = leap-16.0
+[submodule "python-setproctitle"]
+	path = python-setproctitle
+	url = https://src.opensuse.org/pool/python-setproctitle
+	branch = leap-16.0
+[submodule "python-requests-kerberos"]
+	path = python-requests-kerberos
+	url = https://src.opensuse.org/pool/python-requests-kerberos
+	branch = leap-16.0
+[submodule "python-pecan"]
+	path = python-pecan
+	url = https://src.opensuse.org/pool/python-pecan
+	branch = leap-16.0
+[submodule "python-pycdlib"]
+	path = python-pycdlib
+	url = https://src.opensuse.org/pool/python-pycdlib
+[submodule "python-cliff"]
+	path = python-cliff
+	url = https://src.opensuse.org/pool/python-cliff
+[submodule "python-autopage"]
+	path = python-autopage
+	url = https://src.opensuse.org/pool/python-autopage
+[submodule "python-cmd2"]
+	path = python-cmd2
+	url = https://src.opensuse.org/pool/python-cmd2
+	branch = leap-16.0
+[submodule "uwsgi"]
+	path = uwsgi
+	url = https://src.opensuse.org/pool/uwsgi
+	branch = leap-16.0
+[submodule "python-requestsexceptions"]
+	path = python-requestsexceptions
+	url = https://src.opensuse.org/pool/python-requestsexceptions
+[submodule "python-python-memcached"]
+	path = python-python-memcached
+	url = https://src.opensuse.org/pool/python-python-memcached
+[submodule "python-kombu"]
+	path = python-kombu
+	url = https://src.opensuse.org/pool/python-kombu
+[submodule "python-amqp"]
+	path = python-amqp
+	url = https://src.opensuse.org/pool/python-amqp
+	branch = leap-16.0
+[submodule "python-statsd"]
+	path = python-statsd
+	url = https://src.opensuse.org/pool/python-statsd
+[submodule "python-warlock"]
+	path = python-warlock
+	url = https://src.opensuse.org/pool/python-warlock
+[submodule "python-case"]
+	path = python-case
+	url = https://src.opensuse.org/pool/python-case
+	branch = leap-16.0
+[submodule "python-vine"]
+	path = python-vine
+	url = https://src.opensuse.org/pool/python-vine
+	branch = leap-16.0
+[submodule "python-Pyro5"]
+	path = python-Pyro5
+	url = https://src.opensuse.org/pool/python-Pyro5
+	branch = leap-16.0
+[submodule "python-pre-commit"]
+	path = python-pre-commit
+	url = https://src.opensuse.org/pool/python-pre-commit
+[submodule "python-serpent"]
+	path = python-serpent
+	url = https://src.opensuse.org/pool/python-serpent
+	branch = leap-16.0
+[submodule "python-google-cloud-monitoring"]
+	path = python-google-cloud-monitoring
+	url = https://src.opensuse.org/pool/python-google-cloud-monitoring
+[submodule "python-google-cloud-pubsub"]
+	path = python-google-cloud-pubsub
+	url = https://src.opensuse.org/pool/python-google-cloud-pubsub
+[submodule "python-cfgv"]
+	path = python-cfgv
+	url = https://src.opensuse.org/pool/python-cfgv
+[submodule "python-identify"]
+	path = python-identify
+	url = https://src.opensuse.org/pool/python-identify
+[submodule "python-pandas"]
+	path = python-pandas
+	url = https://src.opensuse.org/pool/python-pandas
+[submodule "python-grpc-google-iam-v1"]
+	path = python-grpc-google-iam-v1
+	url = https://src.opensuse.org/pool/python-grpc-google-iam-v1
+[submodule "python-editdistance"]
+	path = python-editdistance
+	url = https://src.opensuse.org/pool/python-editdistance

_config

@@ -1,8 +1,11 @@
-Prefer: -libqpid-proton10 -python311-urllib3_1
+Prefer: -libqpid-proton10 -python313-urllib3_1
 Prefer: -cargo1.58 -cargo1.57 cargo1.89
+Prefer: chrony-pool-suse
+Prefer: -postgresql17-devel-mini
+
+BuildFlags: excludebuild:python-pandas:test-py313
 
 Macros:
-%__python3 /usr/bin/python3.11
 %registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
 :Macros
 
@@ -46,92 +49,59 @@ Macros:
 :Macros
 %endif
 
-# Missing deps for testsuite
-BuildFlags: excludebuild:autoconf:el
-BuildFlags: excludebuild:autoconf:testsuite
-
-# Missing deps for python packages related to suse-edge-components-versions
-BuildFlags: excludebuild:python-pydantic:test
-BuildFlags: excludebuild:python-pydantic-core:test
-BuildFlags: excludebuild:python-inline-snapshot:test
-BuildFlags: excludebuild:python-executing:test
-BuildFlags: excludebuild:python-annotated-types:test
-BuildFlags: excludebuild:python-typing-inspection:test
-BuildFlags: excludebuild:python-typing_extensions:test
-
 # Only build manifest embedding images here
 %if "%_repository" == "test_manifest_images"
 BuildFlags: onlybuild:edge-image-builder-image
 BuildFlags: onlybuild:release-manifest-image
-  # Exclude the images selected by the following section
-  # as the standard repository is a dependency
-  %ifarch aarch64
-    BuildFlags: excludebuild:baremetal-operator-image
-    BuildFlags: excludebuild:endpoint-copier-operator-image
-    BuildFlags: excludebuild:ironic-image
-    BuildFlags: excludebuild:ironic-ipa-downloader-image
-    BuildFlags: excludebuild:kiwi-builder-image
-    BuildFlags: excludebuild:kubectl-image
-    BuildFlags: excludebuild:kube-rbac-proxy-image
-    BuildFlags: excludebuild:metallb-controller-image
-    BuildFlags: excludebuild:metallb-speaker-image
-    BuildFlags: excludebuild:nessie-image
-    BuildFlags: excludebuild:suse-edge-components-versions-image
-  %endif
 %else
-# Only a subset of stack is arm64 ready
+# Only a subset of stack is arm64 ready exclude what is not ready
   %ifarch aarch64
-    BuildFlags: onlybuild:autoconf
-    BuildFlags: onlybuild:baremetal-operator
-    BuildFlags: onlybuild:baremetal-operator-image
-    BuildFlags: onlybuild:ca-certificates-suse
-    BuildFlags: onlybuild:container-build-checks
-    BuildFlags: onlybuild:crudini
-    BuildFlags: onlybuild:edge-build-checks
-    BuildFlags: onlybuild:edge-image-builder
-    BuildFlags: onlybuild:edge-image-builder-image
-    BuildFlags: onlybuild:endpoint-copier-operator
-    BuildFlags: onlybuild:endpoint-copier-operator-image
-    BuildFlags: onlybuild:fakeroot
-    BuildFlags: onlybuild:hauler
-    BuildFlags: onlybuild:ipcalc
-    BuildFlags: onlybuild:ironic-image
-    BuildFlags: onlybuild:ironic-ipa-downloader-image
-    BuildFlags: onlybuild:ironic-ipa-ramdisk
-    BuildFlags: onlybuild:kubectl
-    BuildFlags: onlybuild:kubectl-image
-    BuildFlags: onlybuild:kube-rbac-proxy
-    BuildFlags: onlybuild:kube-rbac-proxy-image
-    BuildFlags: onlybuild:metallb
-    BuildFlags: onlybuild:metallb-controller-image
-    BuildFlags: onlybuild:metallb-speaker-image
-    BuildFlags: onlybuild:nessie
-    BuildFlags: onlybuild:nessie-image
-    BuildFlags: onlybuild:nm-configurator
-    BuildFlags: onlybuild:python-annotated-types
-    BuildFlags: onlybuild:python-executing
-    BuildFlags: onlybuild:python-flit-core
-    BuildFlags: onlybuild:python-inline-snapshot
-    BuildFlags: onlybuild:python-pydantic
-    BuildFlags: onlybuild:python-pydantic-core
-    BuildFlags: onlybuild:python-pyhelm3
-    BuildFlags: onlybuild:python-rich
-    BuildFlags: onlybuild:python-suse-edge-components-versions
-    BuildFlags: onlybuild:python-typing-inspection
-    BuildFlags: onlybuild:python-typing_extensions
-    BuildFlags: onlybuild:shim-noarch
-    BuildFlags: onlybuild:suse-edge-components-versions-image
+    # Akri
+    BuildFlags: excludebuild:akri
+    BuildFlags: excludebuild:akri-agent-image
+    BuildFlags: excludebuild:akri-controller-image
+    BuildFlags: excludebuild:akri-debug-echo-discovery-handler-image
+    BuildFlags: excludebuild:akri-onvif-discovery-handler-image
+    BuildFlags: excludebuild:akri-opcua-discovery-handler-image
+    BuildFlags: excludebuild:akri-udev-discovery-handler-image
+    BuildFlags: excludebuild:akri-webhook-configuration-image
+    BuildFlags: excludebuild:cri-tools
+
+    # FRR
+    BuildFlags: excludebuild:frr-image
+    BuildFlags: excludebuild:frr-k8s
+    BuildFlags: excludebuild:frr-k8s-image
+
+    # SRIOV
+    BuildFlags: excludebuild:ib-sriov-cni
+    BuildFlags: excludebuild:ib-sriov-cni-image
+    BuildFlags: excludebuild:network-resources-injector
+    BuildFlags: excludebuild:network-resources-injector-image
+    BuildFlags: excludebuild:node-feature-discovery
+    BuildFlags: excludebuild:node-feature-discovery-image
+    BuildFlags: excludebuild:sriov-cni
+    BuildFlags: excludebuild:sriov-cni-image
+    BuildFlags: excludebuild:sriov-network-device-plugin
+    BuildFlags: excludebuild:sriov-network-device-plugin-image
+    BuildFlags: excludebuild:sriov-network-operator
+    BuildFlags: excludebuild:sriov-network-operator-config-daemon-image
+    BuildFlags: excludebuild:sriov-network-operator-manager-image
+    BuildFlags: excludebuild:sriov-network-operator-webhook-image
+    
+    # Upgrade controller
+    BuildFlags: excludebuild:release-manifest-image
+    BuildFlags: excludebuild:upgrade-controller
+    BuildFlags: excludebuild:upgrade-controller-image 
   %endif
 %endif
 
 %if "%_repository" == "images" || "%_repository" == "test_manifest_images"
-    Prefer: container:sles15-image
     Type: docker
     Repotype: none
     Patterntype: none
     BuildEngine: podman
-    Prefer: sles-release
-    BuildFlags: dockerarg:SLE_VERSION=15.7
+    Prefer: SLES-release
+    BuildFlags: dockerarg:SLE_VERSION=16.0
 
     # Publish multi-arch container images only once all archs have been built
     PublishFlags: archsync
@@ -146,47 +116,6 @@ BuildFlags: onlybuild:release-manifest-image
 
 %endif
 
-%if "%_repository" == "images_16.0"
-    Prefer: container:sles15-image
-    Type: docker
-    BuildEngine: podman
-    Repotype: none
-    Patterntype: none
-    BuildFlags: dockerarg:SLE_VERSION=16.0
-    BuildFlags: onlybuild:kiwi-builder-image
-    
-    Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
-
-    # Publish multi-arch container images only once all archs have been built
-    PublishFlags: archsync
-
-    # Exclude the images selected by the aarch64 section
-    %ifarch aarch64
-      BuildFlags: excludebuild:baremetal-operator-image
-      BuildFlags: excludebuild:edge-image-builder-image
-      BuildFlags: excludebuild:endpoint-copier-operator-image
-      BuildFlags: excludebuild:ironic-image
-      BuildFlags: excludebuild:ironic-ipa-downloader-image
-      BuildFlags: excludebuild:kubectl-image
-      BuildFlags: excludebuild:kube-rbac-proxy-image
-      BuildFlags: excludebuild:metallb-controller-image
-      BuildFlags: excludebuild:metallb-speaker-image
-      BuildFlags: excludebuild:nessie-image
-      BuildFlags: excludebuild:suse-edge-components-versions-image
-    %endif
-
-%else
-    %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
-      BuildFlags: excludebuild:kiwi-builder-image
-    %else
-      %ifarch aarch64
-        BuildFlags: onlybuild:kiwi-builder-image
-      %endif
-    %endif
-%endif
-
-
-
 %if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
     Type: helm
     Repotype: helm
@@ -203,12 +132,16 @@ BuildFlags: onlybuild:release-manifest-image
 
     # ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
     ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
+    ExportFilter: ^grub2-.*-efi-.*\.noarch\.rpm$ aarch64 x86_64
 %endif
 
+%if "%_repository" != "standard"
+    BuildFlags: excludebuild:grub-aggregate 
+%endif
 # Enable reproducible builds
 # https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
 Macros:
-%source_date_epoch_from_changelog Y
+%source_date_epoch_from_changelog N
 %clamp_mtime_to_source_date_epoch Y
 %use_source_date_epoch_as_buildtime Y
 %_buildhost reproducible

_meta

@@ -34,20 +34,15 @@
     <arch>x86_64</arch>
   </repository>
 {%- endif %}
-{%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
+{%- for repository in ["images", "test_manifest_images"] %}
   <repository name="{{ repository }}">
     {%- if release_project is defined and repository != "test_manifest_images" %}
     <releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
     {%- endif %}
     <path project="SUSE:Registry" repository="standard"/>
-    {%- if repository == "images_16.0" %}
-      <path project="SUSE:CA" repository="16.0"/>
-      <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
-      <path project="SUSE:SLFO:Main:Build" repository="standard"/>
-    {%- else %}
-      <path project="SUSE:CA" repository="SLE_15_SP7"/>
-      <path project="{{ project }}" repository="standard"/>
-    {%- endif %}
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:CA" repository="openSUSE_Tumbleweed"/>
+    <path project="{{ project }}" repository="standard"/>
     <arch>x86_64</arch>
     <arch>aarch64</arch>
   </repository>
@@ -56,8 +51,9 @@
     {%- if release_project is defined and not for_release %}
     <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
     {%- endif %}
-    <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
-    <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
+    <path project="SUSE:SLFO:1.2" repository="standard"/>
     <arch>x86_64</arch>
     <arch>aarch64</arch>
   </repository>

baremetal-operator-image/Dockerfile

@@ -6,7 +6,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator python3-watchdog procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
 
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers

baremetal-operator-image/bmo-run

@@ -3,10 +3,11 @@ export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPD
 export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}
 
 if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
-    inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
-        kill $(pgrep baremetal-opera)
-    done &
+     watchmedo shell-command \
+            --patterns="$(basename "${IRONIC_CACERT_FILE}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -TERM baremetal-opera; fi' \
+            "$(dirname "${IRONIC_CACERT_FILE}")" &
 fi
 
 exec /usr/bin/baremetal-operator $@

edge-image-builder-image/Dockerfile

@@ -7,7 +7,7 @@ MAINTAINER SUSE LLC (https://www.suse.com/)
 COPY artifacts.yaml artifacts.yaml
 
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins; zypper -n clean; rm -rf /var/log/*
+RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins pigz zstd cpio && zypper -n clean && rm -rf /var/log/*
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.edge-image-builder
@@ -32,8 +32,7 @@ LABEL com.suse.release-stage="released"
 # and also expects the boot kernel to be a portable executable (PE), not ELF.
 RUN mkdir -p /usr/share/edk2/aarch64 && \
   cp /usr/share/qemu/aavmf-aarch64-code.bin /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw && \
-  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw && \
-  mv /boot/vmlinux* /boot/backup-vmlinux
+  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw
 
 ENTRYPOINT ["/usr/bin/eib"]
 

grub-aggregate/_aggregate

@@ -0,0 +1,7 @@
+<aggregatelist>
+  <aggregate project="SUSE:SLFO:1.2" >
+    <binary>grub2-x86_64-efi</binary>
+    <binary>grub2-arm64-efi</binary>
+    <repository target="standard" source="standard" />
+  </aggregate>
+</aggregatelist>

ironic-image/Dockerfile

@@ -17,13 +17,19 @@ RUN /bin/prepare-efi.sh
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 
+RUN zypper --installroot /installroot --non-interactive install --no-recommends \
+    python3-devel python3 python3-pip \
+    python313-sushy \
+    python3-watchdog python313-ironicclient \
+    git curl sles-release tar gzip vim gawk \
+    dnsmasq dosfstools apache2 ipcalc ipmitool iproute2 \
+    bind-utils procps qemu-tools sqlite3 util-linux xorriso \
+    tftp ipxe-bootimgs crudini \
+    openstack-ironic
+
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
-    fi
-#!ArchExclusiveLine: aarch64
-RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux  ; \
     fi
     
 # DATABASE
@@ -53,8 +59,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 
-RUN set -euo pipefail; ln -s /usr/bin/python3.11 /usr/local/bin/python3; \
-    ln -s /usr/bin/pydoc3.11 /usr/local/bin/pydoc
+RUN set -euo pipefail; ln -s /usr/bin/python3.13 /usr/local/bin/python3; \
+    ln -s /usr/bin/pydoc3.13 /usr/local/bin/pydoc
 
 ENV GRUB_DIR=/tftpboot/boot/grub
 

ironic-image/scripts/ironic-common.sh

@@ -262,7 +262,7 @@ wait_for_interface_or_ip()
 
 render_j2_config()
 {
-    python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
 }
 
 run_ironic_dbsync()

ironic-image/scripts/rundnsmasq

@@ -36,7 +36,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
 
 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
     sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"

ironic-image/scripts/runlogwatch.sh

@@ -1,17 +1,32 @@
 #!/usr/bin/bash
 
 # Ramdisk logs path
-LOG_DIR="/shared/log/ironic/deploy"
+export LOG_DIR="/shared/log/ironic/deploy"
 
 mkdir -p "${LOG_DIR}"
 
-# shellcheck disable=SC2034
-python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
-    while read -r event dir mask maskname filename filepath pathname wd; do
-        #NOTE(elfosardo): a pyinotify event looks like this:
-        # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
-        FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
-        echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
-        rm -f "${LOG_DIR}/${FILENAME}"
+# Function to process log files
+process_log_file() {
+    local FILEPATH="$1"
+    # shellcheck disable=SC2155
+    local FILENAME=$(basename "${FILEPATH}")
+
+    echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
+    tar -tzf "${FILEPATH}" | while read -r entry; do
+        echo "${FILENAME}: **** Entry: ${entry} ****"
+        tar -xOzf "${FILEPATH}" "${entry}" | sed -e "s/^/${FILENAME}: /"
+        echo
     done
+    rm -f "${FILEPATH}"
+}
+
+# Export the function so watchmedo can use it
+export -f process_log_file
+
+# Use watchmedo to monitor for file close events
+# shellcheck disable=SC2016
+watchmedo shell-command \
+    --patterns="*" \
+    --ignore-directories \
+    --command='if [[ "${watch_event_type}" == "closed" ]]; then process_log_file "${watch_src_path}"; fi' \
+    "${LOG_DIR}"

ironic-image/scripts/tls-common.sh

@@ -105,11 +105,17 @@ configure_restart_on_certificate_update()
 
     if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
         if [[ "${service}" == httpd ]]; then
+            # shellcheck disable=SC2034
             signal="WINCH"
         fi
-        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
-            while read -r; do
-                pkill "-${signal}" "${service}"
-            done &
+
+        # Use watchmedo to monitor certificate file deletion
+        # shellcheck disable=SC2016
+        watchmedo shell-command \
+            --patterns="$(basename "${cert_file}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -'"${signal}"' '"${service}"'; fi' \
+            "$(dirname "${cert_file}")" &
     fi
 }
+

ironic-ipa-downloader-image/Dockerfile

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.aarch64

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.x86_64

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 tar gawk curl xz zstd shadow cpio findutils
 
-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 
 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi

@@ -76,6 +76,7 @@
         <package name="grub2-i386-pc" arch="x86_64"/>
         <package name="grub2-x86_64-efi" arch="x86_64"/>
         <package name="grub2"/>
+        <package name="gettext-runtime"/>
         <package name="iproute2"/>
         <package name="iputils"/>
         <package name="kernel-default"/>
@@ -87,6 +88,7 @@
         <package name="timezone"/>
         <package name="which"/>
         <!-- ironic-python-agent specific -->
+        <package name="chrony"/>
         <package name="dmidecode"/>
         <package name="efibootmgr"/>
         <package name="gptfdisk"/>
@@ -95,15 +97,14 @@
         <package name="ipmitool"/>
         <package name="iputils"/>
         <package name="kbd"/>
+        <package name="krb5"/>
         <package name="lshw"/>
         <package name="lvm2"/>
         <package name="net-tools"/>
-        <package name="ntp"/>
         <package name="open-iscsi"/>
         <package name="openstack-ironic-python-agent"/>
         <package name="parted"/>
         <package name="psmisc"/>
-        <package name="python311-proliantutils"/>
         <package name="qemu-tools"/>
         <package name="timezone"/>
         <package name="which"/>

ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec

@@ -29,12 +29,12 @@ Source0:        config.sh
 Source10:       ironic-ipa-ramdisk.kiwi
 Source20:       root
 
+#!BuildIgnore:  systemd-mini
+BuildRequires: systemd
 BuildRequires:  -post-build-checks
 BuildRequires:  bash
 BuildRequires:  kiwi
-BuildRequires:  kiwi-tools
 BuildRequires:  zypper
-BuildArch:      noarch
 
 BuildRequires:  checkmedia
 BuildRequires:  acl
@@ -55,7 +55,6 @@ BuildRequires:  grub2-x86_64-efi
 %ifarch aarch64
 BuildRequires:  grub2-arm64-efi
 %endif
-BuildRequires:  haveged
 BuildRequires:  hdparm
 BuildRequires:  hwinfo
 BuildRequires:  ipmitool
@@ -65,7 +64,7 @@ BuildRequires:  kernel-default
 BuildRequires:  kernel-firmware-all
 BuildRequires:  lvm2
 BuildRequires:  net-tools
-BuildRequires:  ntp
+BuildRequires:  chrony
 BuildRequires:  open-iscsi
 BuildRequires:  openssh
 BuildRequires:  openstack-ironic-python-agent
@@ -77,7 +76,6 @@ BuildRequires:  pkgconfig
 BuildRequires:  Mesa-gallium
 BuildRequires:  plymouth
 BuildRequires:  plymouth-scripts
-BuildRequires:  python311-proliantutils
 BuildRequires:  psmisc
 BuildRequires:  qemu-tools
 BuildRequires:  sg3_utils
@@ -105,6 +103,9 @@ BuildRequires:  lshw
 BuildRequires:  kbd
 BuildRequires:  dmidecode
 BuildRequires:  efibootmgr
+BuildRequires:  glibc-locale
+BuildRequires:  krb5
+BuildRequires:  gettext-runtime
 %ifarch x86_64
 BuildRequires:  syslinux
 %endif
@@ -113,10 +114,9 @@ BuildRequires:  syslinux
 Kernel and ramdisk image for use with Metal3
 
 %package %{_arch}
+BuildArch:      noarch
 Summary:        Kernel and ramdisk image for Metal3
 Group:          System/Management
-Provides:       openstack-ironic-python-agent = %{version}
-Obsoletes:      openstack-ironic-python-agent < %{version}
 
 %description %{_arch}
 Kernel and ramdisk image for use with Metal3

metal3-chart/charts/ironic/templates/configmap.yaml

@@ -53,5 +53,5 @@ data:
   IRONIC_USE_MARIADB: "false"
   {{- end }}
   {{- with .Values.ironicExtraEnv -}}
-  {{ toYaml . | nindent 2 }}  
+  {{ toYaml . | nindent 2 }}
   {{- end -}}

metal3-chart/values.yaml

@@ -89,8 +89,6 @@ metal3-media:
   # available to the Ironic deployment services.
   mediaVolume:
     hostPath: /opt/media
-  image:
-    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"
 
 #
 # ironic service

python-rich/_service

@@ -1,3 +0,0 @@
-<services>
-<service name="download_assets"></service>
-</services>

python-rich/pygments.patch

@@ -1,45 +0,0 @@
-From 08be21dadfd2ce9e96e41e366ab38bd8d7cd0e39 Mon Sep 17 00:00:00 2001
-From: Dan Lazin <dlazin@users.noreply.github.com>
-Date: Tue, 7 Jan 2025 16:04:56 -0500
-Subject: [PATCH] Fix test that changed with Pygments 2.19.
-
----
- tests/test_markdown.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: rich-13.9.4/tests/test_markdown.py
-===================================================================
---- rich-13.9.4.orig/tests/test_markdown.py
-+++ rich-13.9.4/tests/test_markdown.py
-@@ -110,7 +110,7 @@ def test_inline_code():
-         inline_code_theme="emacs",
-     )
-     result = render(markdown)
--    expected = "inline \x1b[1;38;2;170;34;255;48;2;248;248;248mimport\x1b[0m\x1b[38;2;0;0;0;48;2;248;248;248m \x1b[0m\x1b[1;38;2;0;0;255;48;2;248;248;248mthis\x1b[0m code                                                                             \n"
-+    expected = "inline \x1b[1;38;2;170;34;255;48;2;248;248;248mimport\x1b[0m\x1b[38;2;187;187;187;48;2;248;248;248m \x1b[0m\x1b[1;38;2;0;0;255;48;2;248;248;248mthis\x1b[0m code                                                                             \n"
-     print(result)
-     print(repr(result))
-     assert result == expected
-Index: rich-13.9.4/tests/test_syntax.py
-===================================================================
---- rich-13.9.4.orig/tests/test_syntax.py
-+++ rich-13.9.4/tests/test_syntax.py
-@@ -53,7 +53,7 @@ def test_blank_lines():
-     print(repr(result))
-     assert (
-         result
--        == "\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m1 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m2 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m3 \x1b[0m\x1b[1;38;2;0;128;0;48;2;248;248;248mimport\x1b[0m\x1b[38;2;0;0;0;48;2;248;248;248m \x1b[0m\x1b[1;38;2;0;0;255;48;2;248;248;248mthis\x1b[0m\x1b[48;2;248;248;248m                   \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m4 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m5 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n"
-+        == "\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m1 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m2 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m3 \x1b[0m\x1b[1;38;2;0;128;0;48;2;248;248;248mimport\x1b[0m\x1b[38;2;187;187;187;48;2;248;248;248m \x1b[0m\x1b[1;38;2;0;0;255;48;2;248;248;248mthis\x1b[0m\x1b[48;2;248;248;248m                   \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m4 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n\x1b[1;38;2;24;24;24;48;2;248;248;248m  \x1b[0m\x1b[38;2;173;173;173;48;2;248;248;248m5 \x1b[0m\x1b[48;2;248;248;248m                              \x1b[0m\n"
-     )
- 
- 
-@@ -119,7 +119,7 @@ def test_python_render_simple_indent_gui
-     )
-     rendered_syntax = render(syntax)
-     print(repr(rendered_syntax))
--    expected = '\x1b[34mdef\x1b[0m \x1b[32mloop_first_last\x1b[0m(values: Iterable[T]) -> Iterable[Tuple[\x1b[36mb\x1b[0m\n\x1b[2;37m│   \x1b[0m\x1b[33m"""Iterate and generate a tuple with a flag for first an\x1b[0m\n\x1b[2m│   \x1b[0miter_values = \x1b[36miter\x1b[0m(values)\n\x1b[2m│   \x1b[0m\x1b[34mtry\x1b[0m:\n\x1b[2m│   │   \x1b[0mprevious_value = \x1b[36mnext\x1b[0m(iter_values)\n\x1b[2m│   \x1b[0m\x1b[34mexcept\x1b[0m \x1b[36mStopIteration\x1b[0m:\n\x1b[2m│   │   \x1b[0m\x1b[34mreturn\x1b[0m\n\x1b[2m│   \x1b[0mfirst = \x1b[34mTrue\x1b[0m\n\x1b[2m│   \x1b[0m\x1b[34mfor\x1b[0m value \x1b[35min\x1b[0m iter_values:\n\x1b[2m│   │   \x1b[0m\x1b[34myield\x1b[0m first, \x1b[34mFalse\x1b[0m, previous_value\n\x1b[2m│   │   \x1b[0mfirst = \x1b[34mFalse\x1b[0m\n\x1b[2m│   │   \x1b[0mprevious_value = value\n\x1b[2m│   \x1b[0m\x1b[34myield\x1b[0m first, \x1b[34mTrue\x1b[0m, previous_value\n'
-+    expected = '\x1b[34mdef\x1b[0m\x1b[37m \x1b[0m\x1b[32mloop_first_last\x1b[0m(values: Iterable[T]) -> Iterable[Tuple[\x1b[36mb\x1b[0m\n\x1b[2;37m│   \x1b[0m\x1b[33m"""Iterate and generate a tuple with a flag for first an\x1b[0m\n\x1b[2m│   \x1b[0miter_values = \x1b[36miter\x1b[0m(values)\n\x1b[2m│   \x1b[0m\x1b[34mtry\x1b[0m:\n\x1b[2m│   │   \x1b[0mprevious_value = \x1b[36mnext\x1b[0m(iter_values)\n\x1b[2m│   \x1b[0m\x1b[34mexcept\x1b[0m \x1b[36mStopIteration\x1b[0m:\n\x1b[2m│   │   \x1b[0m\x1b[34mreturn\x1b[0m\n\x1b[2m│   \x1b[0mfirst = \x1b[34mTrue\x1b[0m\n\x1b[2m│   \x1b[0m\x1b[34mfor\x1b[0m value \x1b[35min\x1b[0m iter_values:\n\x1b[2m│   │   \x1b[0m\x1b[34myield\x1b[0m first, \x1b[34mFalse\x1b[0m, previous_value\n\x1b[2m│   │   \x1b[0mfirst = \x1b[34mFalse\x1b[0m\n\x1b[2m│   │   \x1b[0mprevious_value = value\n\x1b[2m│   \x1b[0m\x1b[34myield\x1b[0m first, \x1b[34mTrue\x1b[0m, previous_value\n'
-     assert rendered_syntax == expected
- 
- 
-

python-rich/python-rich.spec

@@ -1,66 +0,0 @@
-#
-# spec file for package python-rich
-#
-# Copyright (c) 2025 SUSE LLC
-# Copyright (c) 2020-2021, Martin Hauke <mardnh@gmx.de>
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-%{?sle15_python_module_pythons}
-Name:           python-rich
-Version:        14.0.0
-Release:        0
-Summary:        A Python library for rich text and beautiful formatting in the terminal
-License:        MIT
-URL:            https://github.com/Textualize/rich
-#!RemoteAsset: https://github.com/Textualize/rich/archive/refs/tags/v%{version}.tar.gz rich-%{version}.tar.gz
-Source:					rich-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM https://github.com/Textualize/rich/pull/3604 Fix test that changed with Pygments 2.19.
-# and https://github.com/Textualize/rich/pull/3608 fix remaining tests with Pygments 2.19 #3604 did not fix
-Patch:          pygments.patch
-BuildRequires:  %{python_module base >= 3.8}
-BuildRequires:  %{python_module markdown-it-py >= 2.2.0}
-BuildRequires:  %{python_module pip}
-BuildRequires:  %{python_module poetry-core}
-BuildRequires:  %{python_module pygments >= 2.13.0}
-BuildRequires:  fdupes
-BuildRequires:  python-rpm-macros
-Requires:       python-markdown-it-py >= 2.2.0
-Requires:       python-pygments >= 2.13.0
-Suggests:       python-ipywidgets >= 7.5.1
-BuildArch:      noarch
-# TODO(edu): Disabled all tests
-%python_subpackages
-
-%description
-Render rich text, tables, progress bars, syntax highlighting,
-markdown and more to the terminal.
-
-%prep
-%autosetup -p1 -n rich-%{version}
-
-%build
-%pyproject_wheel
-
-%install
-%pyproject_install
-%python_expand %fdupes %{buildroot}%{$python_sitelib}
-
-%files %{python_files}
-%license LICENSE
-%doc README.md
-%{python_sitelib}/rich
-%{python_sitelib}/rich-%{version}.dist-info
-
-%changelog

shim-noarch/shim.changes

@@ -1,3 +1,106 @@
+-------------------------------------------------------------------
+Tue Apr 22 20:39:33 UTC 2025 - Eugenio Paolantonio <eugenio.paolantonio@suse.com>
+
+- Undefine %_enable_debug_packages to fix building with rpm-4.20
+  (backport of the fix from Factory in SR#1232808)
+- Fix build with rpm 4.20 by copying the extracted directories
+  explicitly
+
+-------------------------------------------------------------------
+Thu Sep 19 06:27:27 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to limit the scope of the 'removable'
+  SL-Micro to the image booting with TPM2 unsealing (bsc#1210382)
+  * 769e41d Limit the removable option to encrypted SL-Micro
+
+-------------------------------------------------------------------
+Mon Sep 16 07:28:57 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to use the 'removable' way for SL-Micro
+  (bsc#1230316)
+  * 433cc4e Always use the removable way for SL-Micro
+
+-------------------------------------------------------------------
+Sun May 19 15:08:27 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
+
+-- Update to version 15.8
+    - Various CVE fixes are already merged into this version
+        mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+        avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+        Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+        Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+        pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+        pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+    - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+        The codes in this patch are already existing in shim-15.8
+        The NX flag is disable which is same as the default value of shim-15.8, 
+        hence, not need to enable it by this patch now.
+    - Patches (git log --oneline --reverse 15.7..15.8)
+        657b248 Make sbat_var.S parse right with buggy gcc/binutils
+        7c76425 Enable the NX compatibility flag by default.
+        89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+        c7b3051 pe: Align section size up to page size for mem attrs
+        e4f40ae pe: Add IS_PAGE_ALIGNED macro
+        f23883c Don't loop forever in load_certs() with buggy firmware
+        1f38cb3 Optionally allow to keep shim protocol installed
+        102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+        aae3df0 test-sbat: Fix exit code
+        cca3933 Block Debian grub binaries with SBAT < 4
+        cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+        0601f44 SBAT-related documents formatting and spelling
+        0640e13 Add a security contact email address in README.md
+        0bfc397 Work around malformed path delimiters in file paths from DHCP
+        a8b0b60 pe: only process RelocDir->Size of reloc section
+        f7a4338 Skip testing msleep()
+        549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+        908c388 Change type of fallback_verbose_wait from int to unsigned long
+        05eae92 Add SbatLevel_Variable.txt to document the various revocations
+        243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+        89d25a1 Add a make rule for compile_commands.json
+        118ff87 Add gnu-stack notes
+        f132655 test: Make our fake dprintf be a statement.
+        be00279 Remove CentOS 7 test builds.
+        9964960 Split pe.c up even more.
+        569270d Test (and fix) ImageAddress()
+        61e9894 Verify signature before verifying sbat levels
+        1578b55 Add libFuzzer support for csv.c
+        a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+        e246812 Add libFuzzer support to the .sbat parser.
+        fd43eda Work around ImageAddress() usage mistake
+        1e985a3 Correctly free memory allocated in handle_image()
+        dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+        04111d4 Make some of the static analysis tools a little easier to run
+        7ba7440 compile_commands.json: remove stuff clang doesn't like
+        66e6579 CVE-2023-40546 mok: fix LogError() invocation
+        f271826 Add primitives for overflow-checked arithmetic operations.
+        8372147 pe-relocate: Add a fuzzer for read_header()
+        5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+        e912071 pe-relocate: make read_header() use checked arithmetic operations.
+        93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+        e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+        afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+        96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+        dae82f6 Further mitigations against CVE-2023-40546 as a class
+        ea0f9df Allow SbatLevel data from external binary
+        b078ef2 Always clear SbatLevel when Secure Boot is disabled
+        7dfb687 BS Variables for bootmgr revocations
+        a967c0e shim should not self revoke
+        577cedd Print message when refusing to apply SbatLevel
+        e801b0d sbat revocations: check the full section name
+        0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+        6f0c8d2 Print errors when setting/clearing memory attrs
+        57c0eed Updated Revocations for January 2024 CVEs
+        49c6d95 Fix some minor ia32 build issues.
+        be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+        13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+        c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+        30a4f37 Rename "previous" revocations to "automatic"
+        6f395c2 Build time selectable automatic SBATLevel revocations
+        a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+        993a345 Try to load revocations.efi even if directory read fails
+        1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+        5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8 
+
 -------------------------------------------------------------------
 Thu Mar 14 06:05:12 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 

shim-noarch/shim.spec

@@ -21,14 +21,14 @@
 %define sysefibasedir  %{_datadir}/efi
 
 Name:           shim
-Version:        15.7
+Version:        15.8
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
 Group:          System/Boot
 URL:            https://github.com/rhboot/shim
-Source:         shim-15.7-150300.4.16.1.x86_64.rpm
-Source1:        shim-15.7-150300.4.16.1.aarch64.rpm
+Source:         shim-15.8-150300.4.20.2.x86_64.rpm
+Source1:        shim-15.8-150300.4.20.2.aarch64.rpm
 Requires:       perl-Bootloader
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
@@ -63,9 +63,9 @@ rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-tim
 
 %install
 # purely repackaged
-cp -a * %{buildroot}
+cp -a usr %{buildroot}
 rm -rf %{buildroot}/usr/lib64/efi
-rm %{buildroot}/etc/uefi/certs/BCA4E38E-shim.crt %{buildroot}/usr/sbin/shim-install %{buildroot}/usr/share/doc/packages/shim/COPYRIGHT
+rm %{buildroot}/usr/sbin/shim-install %{buildroot}/usr/share/doc/packages/shim/COPYRIGHT
 
 %files aarch64
 %defattr(-,root,root)

suse-edge-components-versions-image/Dockerfile

@@ -8,7 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-suse-edge-components-versions
+RUN zypper --installroot /installroot --non-interactive install --no-recommends python3-suse-edge-components-versions
 
 # https://opensource.suse.com/bci-docs/guides/adding-users/
 ARG USERNAME=suse