mirror of https://github.com/home-assistant/operating-system.git synced 2025-12-19 18:08:29 +00:00
Commit Graph

2682 Commits

Author SHA1 Message Date
Jan Čermák
5741be48bd Bump OS to pre-release version 15.0.rc2 15.0.rc2 2025-03-13 10:16:33 +01:00
Jan Čermák
a4190754fe Ensure haos-wipe service can be called only once per boot (#3924)
In some cases, the wipe service may be called due to a race condition for the
second time during the boot, very likely failing because the filesystems are
already mounted. This can not be reproduced on OVA but can be fairly easily
triggered e.g. on RPi. As we want the service to be executed exactly only once,
we can do what's suggested in [1] and set the RemainAfterExit=yes. That should
ensure the unit is not ever started for the second time.

[1] https://www.github.com/systemd/systemd/issues/29367

(cherry picked from commit 24640c11ae)
2025-03-13 10:16:12 +01:00
Jan Čermák
24640c11ae Ensure haos-wipe service can be called only once per boot (#3924)
In some cases, the wipe service may be called due to a race condition for the
second time during the boot, very likely failing because the filesystems are
already mounted. This can not be reproduced on OVA but can be fairly easily
triggered e.g. on RPi. As we want the service to be executed exactly only once,
we can do what's suggested in [1] and set the RemainAfterExit=yes. That should
ensure the unit is not ever started for the second time.

[1] https://www.github.com/systemd/systemd/issues/29367
2025-03-12 20:07:26 +01:00
Jan Čermák
7e6e4119a7 Fix runtime device permissions update in runc v1.2.x (#3921)
Add missing patch and update for latest runc version to fix losing device
permissions when new devices are added in runtime.

* buildroot b079a02a9a...3914f8cad5 (2):
  > package/runc: add patch for extended default allowed devices in v1.2.4
  > package/runc: add missing patch to fix device permissions update

Fixes #3915

(cherry picked from commit 04debe2f53)
2025-03-12 11:31:35 +01:00
Jan Čermák
34a422401d Update Hailo PCIe driver and firmware to v4.20.1 (#3922)
Update to latest version of the driver and matching firmware. The most common
application for it - Frigate - currently has 4.19.0 in stable but 4.20.0 is
staged in dev. As it's easier to select OS version than a version of the
add-on, it makes sense to stay ahead in HAOS. This also means Frigate needs to
be updated to the matching version (as staying on an arbitrary older patch
revision doesn't make much sense either).

(cherry picked from commit 173a4388fe)
2025-03-12 11:31:30 +01:00
Jan Čermák
f723d93159 Linux: Update kernel to 6.12.18 (#3919)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.18

(cherry picked from commit 3fb9c161c0)
2025-03-12 11:31:27 +01:00
Jan Čermák
084d0acee4 Improve tests traceability, add test for Systemd dependency cycles (#3917)
* Add test checking journal logs for dependency cycles
* Run some test cases to get their output also when full init fails
* Remove high timeouts from the times when GHA couldn't use KVM
* Enable logging durations for future optimizations

(cherry picked from commit 4a1d2b75b9)
2025-03-12 11:31:24 +01:00
Jan Čermák
4ccc875520 Use shell script instead of OS Agent for device wipe (#3916)
Use simple shell script to perform device wipe instead of calling OS Agent to
do that through the UDisks2 API. While it might have been a good idea to use
high level interface for that back then, it turns out it causes more issues
than the benefits it could bring.

Main problem currently is that the OS Agent needs to read sysctl variables, but
those are only set after mounting the overlay partition. But at the same time,
the overlay partition can't be mounted if we want to wipe it - this creates a
dependency cycle through the haos-agent.service.

To get rid of the cycle and simplify things, use a shell script doing basically
the same what the OS Agent does. Since the wipe functionality only makes sense
to be implemented on HAOS targets (not on Supervised), there's little point of
having it in higher layer of abstraction that OS Agent provides.

It should be also checked if changes from #1291 are needed anymore, as the
driving factor for those have been probably the wipe feature in OS Agent too,
but at this point they seem to be harmless.

(cherry picked from commit 6c4f32a8c0)
2025-03-12 11:31:20 +01:00
Jan Čermák
25ca83287e Bump os-agent to v1.7.2 (#3914)
Update to latest version that fixes start order in haos-agent.service. Without
that, OS Agent reports incorrect swappiness after boot.

(cherry picked from commit 36d905720a)
2025-03-12 11:31:13 +01:00
Jan Čermák
6e8c390096 Update RPi firmware to fix boot with 2025-02-11 bootloader (#3913)
* buildroot 7d5c3b5e70...b079a02a9a (1):
  > package/rpi-firmware: bump to 1.20250305 with updated firmware binaries

Fixes #3911

(cherry picked from commit d4e11afd3c)
2025-03-12 11:31:10 +01:00
Jan Čermák
16e6599832 Add test that no AppArmor denied events are produced (#3912)
As discussed in #3885, now that fixed Supervisor is in stable, we can test that
no AppArmor denied events are logged during CI tests.

(cherry picked from commit 610ced0162)
2025-03-12 11:31:07 +01:00
dependabot[bot]
f7bfd161ad Bump docker/setup-buildx-action from 3.9.0 to 3.10.0 (#3910)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.9.0 to 3.10.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.9.0...v3.10.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit c72cf09cc3)
2025-03-12 11:31:02 +01:00
dependabot[bot]
33b92f53f9 Bump docker/build-push-action from 6.14.0 to 6.15.0 (#3909)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.14.0 to 6.15.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.14.0...v6.15.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 668c84959a)
2025-03-12 11:30:55 +01:00
Jan Čermák
04debe2f53 Fix runtime device permissions update in runc v1.2.x (#3921)
Add missing patch and update for latest runc version to fix losing device
permissions when new devices are added in runtime.

* buildroot b079a02a9a...3914f8cad5 (2):
  > package/runc: add patch for extended default allowed devices in v1.2.4
  > package/runc: add missing patch to fix device permissions update

Fixes #3915
2025-03-11 15:24:08 +01:00
Jan Čermák
173a4388fe Update Hailo PCIe driver and firmware to v4.20.1 (#3922)
Update to latest version of the driver and matching firmware. The most common
application for it - Frigate - currently has 4.19.0 in stable but 4.20.0 is
staged in dev. As it's easier to select OS version than a version of the
add-on, it makes sense to stay ahead in HAOS. This also means Frigate needs to
be updated to the matching version (as staying on an arbitrary older patch
revision doesn't make much sense either).
2025-03-11 15:15:28 +01:00
Jan Čermák
3fb9c161c0 Linux: Update kernel to 6.12.18 (#3919)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.18
2025-03-11 15:12:54 +01:00
Jan Čermák
4a1d2b75b9 Improve tests traceability, add test for Systemd dependency cycles (#3917)
* Add test checking journal logs for dependency cycles
* Run some test cases to get their output also when full init fails
* Remove high timeouts from the times when GHA couldn't use KVM
* Enable logging durations for future optimizations
2025-03-06 18:23:34 +01:00
Jan Čermák
6c4f32a8c0 Use shell script instead of OS Agent for device wipe (#3916)
Use simple shell script to perform device wipe instead of calling OS Agent to
do that through the UDisks2 API. While it might have been a good idea to use
high level interface for that back then, it turns out it causes more issues
than the benefits it could bring.

Main problem currently is that the OS Agent needs to read sysctl variables, but
those are only set after mounting the overlay partition. But at the same time,
the overlay partition can't be mounted if we want to wipe it - this creates a
dependency cycle through the haos-agent.service.

To get rid of the cycle and simplify things, use a shell script doing basically
the same what the OS Agent does. Since the wipe functionality only makes sense
to be implemented on HAOS targets (not on Supervised), there's little point of
having it in higher layer of abstraction that OS Agent provides.

It should be also checked if changes from #1291 are needed anymore, as the
driving factor for those have been probably the wipe feature in OS Agent too,
but at this point they seem to be harmless.
2025-03-06 16:39:40 +01:00
Jan Čermák
36d905720a Bump os-agent to v1.7.2 (#3914)
Update to latest version that fixes start order in haos-agent.service. Without
that, OS Agent reports incorrect swappiness after boot.
2025-03-05 19:06:27 +01:00
Jan Čermák
d4e11afd3c Update RPi firmware to fix boot with 2025-02-11 bootloader (#3913)
* buildroot 7d5c3b5e70...b079a02a9a (1):
  > package/rpi-firmware: bump to 1.20250305 with updated firmware binaries

Fixes #3911
2025-03-05 19:04:23 +01:00
Jan Čermák
610ced0162 Add test that no AppArmor denied events are produced (#3912)
As discussed in #3885, now that fixed Supervisor is in stable, we can test that
no AppArmor denied events are logged during CI tests.
2025-03-05 19:04:15 +01:00
Jan Čermák
a39b8a9418 Bump OS to development version 15.1.dev0 2025-03-03 15:14:08 +01:00
dependabot[bot]
c72cf09cc3 Bump docker/setup-buildx-action from 3.9.0 to 3.10.0 (#3910)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.9.0 to 3.10.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.9.0...v3.10.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-03 15:12:43 +01:00
dependabot[bot]
668c84959a Bump docker/build-push-action from 6.14.0 to 6.15.0 (#3909)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.14.0 to 6.15.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.14.0...v6.15.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-03 15:12:14 +01:00
Jan Čermák
b2aa96c9bd Bump OS to pre-release version 15.0.rc1 15.0.rc1 2025-03-03 09:24:34 +01:00
Jan Čermák
a4cbf82a6f Bump os-agent to v1.7.1 (#3906)
Adds new DBus APIs for NTP servers and swap:
 - https://github.com/home-assistant/os-agent/pull/207
 - https://github.com/home-assistant/os-agent/pull/222
2025-02-28 15:07:31 +01:00
Jan Čermák
6b904abfcd Linux: Update kernel to 6.12.17 (#3905)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.17
2025-02-28 14:19:55 +01:00
Jan Čermák
e801d403e1 Bump BlueZ to v5.79 (#3903)
Cherry-pick bumps up to v5.79 and sync other changes and fixes with latest
upstream state.

* buildroot b4df362187...7d5c3b5e70 (10):
  > package/bluez5_utils: tidy up the init script
  > package/bluez5_utils: install datafiles with correct permissions
  > package/bluez5_utils: fix dbusconfdir
  > package/bluez5_utils{, -headers}: bump version to 5.79
  > package/bluez5_utils: enable asha/bass when building audio plugins
  > package/{bluez5_utils, bluez5_utils-headers}: bump to version 5.78
  > bluez5_utils: disable asha profile
  > package/{bluez5_utils, bluez5_utils-headers}: bump to version 5.77
  > package/bluez5_utils: disable datafiles
  > package/bluez5_utils: fix sixaxis build without tools
2025-02-26 23:07:14 +01:00
Jan Čermák
15be152345 Update Docker to v28.0.1 (#3902)
Update Docker to latest version and containerd to latest version from the 1.7
line. Runc updated to v1.2.5 with rebased patchset from the outstanding PR.

* buildroot 257ddc70ce...b4df362187 (4):
  > package/runc: bump version to v1.2.5
  > package/docker-cli: bump version to v28.0.1
  > package/docker-engine: bump version to v28.0.1
  > package/containerd: bump version to v1.7.25
2025-02-26 17:22:39 +01:00
Jan Čermák
40ef226872 Update linux-firmware to 20250211 (#3901)
Mainly the amdgpu updates cause an increase of generic-x86-64 image size by
~12MB but there's still enough of space in the rootfs after recent cleanup.

* buildroot c5a1cbcf73...257ddc70ce (9):
  > package/linux-firmware: bump Intel BZ firmware version to 92
  > package/linux-firmware: bump version to 20250211
  > package/linux-firmware: bump version to 20241210
  > package/linux-firmware: fix build failures to due RTL8723 file changes
  > package/linux-firmware: bump version to 20240909
  > package/linux-firmware: bump to version 20240709
  > package/linux-firmware: improve help text for Realtek 88xx Bluetooth firmware
  > package/linux-firmware: install all rtl88 Bluetooth binary blobs
  > package/linux-firmware: RTL_88XX_BT: install all firmware
2025-02-26 13:45:53 +01:00
Jan Čermák
b3ce7131af Disable linux-firmware zstd compression (#3898)
Disable downstream option for linux-firmware compression. With #3877 it's not
needed for x86 anymore and other boards don't need it. Eventually the higher
EROFS compression for firmwares and modules can be enabled for other targets as
well.
2025-02-25 15:16:58 +01:00
Jan Čermák
f5905569b0 Bump buildroot to 2024.02.11 (#3897)
* buildroot 92fab35fed...c5a1cbcf73 (1):
  > Merge tag '2024.02.11' into 2024.02.x-haos
2025-02-25 15:16:46 +01:00
pisanvs
bdcc2b90d5 Improve log clarity and fix typos (#3896) 2025-02-25 15:00:39 +01:00
Jan Čermák
714ca8a344 Drop kernel patch for fixed ODROID-M1/M1S kernel regression (#3895)
Patch added in #3843 is not necessary anymore, as the missing reset names have
been added to DTS includes of the 6.12.y branch as patch
6c9cd0a70ccea8a505471062a85de5626ad07cec (released in v6.12.14).
2025-02-24 17:13:45 +01:00
dependabot[bot]
f032cd571a Bump docker/build-push-action from 6.13.0 to 6.14.0 (#3894)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.14.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.13.0...v6.14.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-24 16:24:34 +01:00
Jan Čermák
ea40984603 Linux: Update kernel to 6.12.16 (#3892)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.15
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.16
2025-02-24 15:17:51 +01:00
Jan Čermák
56e3a377db Fix RAUC tryboot handler set-state idempotency, add more checks (#3891)
When RPi is booted in the tryboot state and the set-state operation is called
for the second time, the tryboot files don't exist anymore and the handler
exits with an error code, printing an error in the Supervisor logs. Fix
handling of this case and add few more checks to make the handler a bit more
robust/traceable.
2025-02-24 15:17:43 +01:00
Jan Čermák
8531e7b57d Remove all info pages in post-build script (#3888)
As we don't have the info utility in HAOS, it's worthless to preserve info
pages. While there are currently some files in /share/info (coming from GRUB2
tools install), /usr/share/info was added pre-emptively.
2025-02-20 17:50:38 +01:00
Jan Čermák
664ae4ebfc Remove unnecessary GRUB userspace tools and other files (#3887)
Because the OTA hooks interact with GRUB environment using grub-editenv, we
have BR2_TARGET_GRUB2_INSTALL_TOOLS enabled. However, that brings massive bloat
of files that are never used in HAOS, as it also installs many other binaries,
GRUB modules and translations.

As it's not possible to configure what gets installed in grub2 package, remove
the undesired files in the post-build function. This brings savings of ~8.5MB
of space in the root partition.
2025-02-20 17:50:21 +01:00
Jan Čermák
e158fbc834 Use auditd to process AppArmor/audit logs (#3885)
Use auditd so logs from AppArmor and other audit events are processed by that
instead of printed to the Systemd journal. This will reduce the log spam from
BPF usually present in host logs and still preserve the audit logs for
debugging.

The default configs seem to be sane for our purpose, rotating up to 5 files of
8MiB each. The difference is that /var/log/audit will be now on tmpfs but given
how AppArmor is used on typical HA setup, we don't need to preserve the logs
over reboots.
2025-02-20 17:45:23 +01:00
Jan Čermák
4ab51e780c Remove unnecessary and invalid e2scrub removal from post-build (#3886)
Removal of the e2scrub binary is not needed anymore, as it's not installed and
only BR2_PACKAGE_E2FSPROGS_E2IMAGE is enabled. Moreover, it's been probably
wrong since the very beginning, as the TARGET_DIR prefix was missing, possibly
leading to removal of the binary from the host/builder.
2025-02-20 14:16:56 +01:00
Jan Čermák
e455669d62 Move swappiness config to 15-swappiness.conf (#3884) 2025-02-19 21:51:39 +01:00
Jan Čermák
1b511990e3 Allow overriding sysctl parameters via /etc/sysctl.d files (#3883)
Relocate current content of /etc/sysctl.d to /usr/lib and make the /etc folder
writable via a bind mount.
2025-02-19 15:33:16 +01:00
Jan Čermák
d42e34f646 Make swap size configurable (#3882)
Allow configuration of the swap size via /etc/default/haos-swapfile file. By
setting the SWAPSIZE variable in this file, swapfile gets recreated on the next
reboot to the defined size. Size can be either in bytes or with optional units
(B/K/M/G, accepting some variations but always interpreted as power of 10). The
size is then rounded to 4k block size. If no override is defined or the value
can't be parsed, it falls back to previously used 33% of system RAM.

Fixes #968
2025-02-19 15:33:04 +01:00
Jan Čermák
dc7b693691 Update U-Boot to 2025.01 (#3878)
* Refresh fileenv patch for U-Boot 2025.01

* Update Tinker to U-Boot 2025.01

Needs minor patch adjustment, also fixed patch numbering.

* Update ODROID-N2 to U-Boot 2025.01, move eMMC patch

Move the patch for eMMC so it's applied only for N2 specifically and update it
for 2025.01.

* Update ODROID-C/XU to U-Boot 2025.01

No changes in patches necessary after moving the N2 patch.

* Update RPi boards to U-Boot 2025.01

Changes needed in bcmstb PCIe driver due to upstream refactoring, rest only
refreshed. All patches now target the same version, so we can drop one of the
series.

* Update VIM3 to U-Boot 2025.01

No patches here, just version bump.

* Update Green to U-Boot 2025.01

Updated and refreshed patches, added a patch to disable OF_UPSTREAM which is
now needed.

* Update ODROID-M1 to U-Boot 2025.01

Drop patch that has been mostly merged upstream. The change is that HS400 would
stay enabled but let's get back to what upstream does.

* Update ODROID-M1 to U-Boot 2025.01

Drop all patches as M1S support should be now merged to U-Boot and DTS taken
from upstream.

* Disable DFU and mkeficapsule to fix build

mkeficapsule requires gnutls to be built first but it's not among dependencies.
Since we don't need the tool, we can disable it.

DFU is also not used on HAOS and it implies EFI_LOADER that we already disable.
Moreover, that also sets SET_DFU_ALT_INFO and leads to linker failure on some
platforms where it's not implemented.

* fixup! Update Green to U-Boot 2025.01

There were more changes needed in the Green config to use correct memory layout
due to upstream changes, otherwise we'll have malloc failures in U-Boot proper.

* Move N2 eMMC patch to more generic patches-meson

To stay on the safe side, move the eMMC hack to more generic folder that's used
for all targets using the meson_gx eMMC driver (i.e. C2, C4 and N2). This is
still better than keeping it in hardkernel/patches which is applied only to
some hardkernel boards (like it was before bump to U-Boot 2025.01).
2025-02-18 13:48:24 +01:00
Jan Čermák
22ed3864dd Linux: Update kernel to 6.12.14 (#3881)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.14
2025-02-18 11:41:09 +01:00
Jan Čermák
3a666bbeea Use EROFS LZMA compression of firmware on x86 instead of per-file ZSTD (#3877)
Instead of using per-file ZSTD compression, compress firmware (and newly also
kernel modules) using LZMA within EROFS image. LZMA was picked because ZSTD
support in EROFS is still experimental and due to some limitations in the
implementation, the compression takes significantly more time.

This change gives us more control over compression of the files and with the
proposed settings, saves a bit of the space (~10 MiB) in the resulting image.
In theory, even higher savings could be achieved through compressing other
runtime binaries, but this would need to be thoroughly tested whether it
doesn't have any detrimental effects. For firmware and modules, the overhead
should be minimal, as they are usually touched only once per boot and are
rather small before decompression.

* buildroot 74994c4f32...92fab35fed (6):
  > fs/erofs: add custom compression option with optional compress-hints file
  > package/erofs-utils: bump to version 1.8.5
  > package/erofs-utils: bump to version 1.8.3
  > package/erofs-utils: bump to version 1.8.2
  > package/erofs-utils: bump to version 1.8.1
  > package/erofs-utils: add libdeflate and zlib optional dependencies
2025-02-14 12:27:39 +01:00
Jan Čermák
5fcf2932a6 Update firmware for Intel Wi-Fi 6/6E/7 cards, bump linux-firmware to 20240513 (#3876)
* buildroot 014c3fad50...74994c4f32 (2):
  > package/linux-firmware: update Intel iwlwifi firmware versions for Linux 6.12
  > package/linux-firmware: bump version to 20240513
2025-02-12 22:10:42 +01:00
Jan Čermák
43d26c8c54 Linux: Update kernel to 6.12.13 (#3868)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.13
2025-02-10 15:35:54 +01:00
dependabot[bot]
072ba9bade Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 (#3869)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.8.0 to 3.9.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.8.0...v3.9.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-10 14:57:53 +01:00