Add Eden version selection based on PR target branch #115
Merged
europaul merged 31 commits into rene:master on Dec 23, 2025
rene approved these changes Nov 18, 2025
4dc0349 to e95e631
acfe831 to 0b89674
The original linuxkit/sysctl accidentally copied all of the apk /etc and /lib into the final container. This update removes it. Signed-off-by: Avi Deitcher <avi@deitcher.net>
Follow on to the previous commit that bumped linuxkit/sysctl. These contained apk databases which referenced buildtime packages that were not included in the final image. This not only was extraneous, but it confused SBoMs and hence CVE scanners. These versions have those removed. Signed-off-by: Avi Deitcher <avi@deitcher.net>
Currently zizmor is running over the whole repo and checking vendor GitHub actions, leading to the following error: fatal: no audit was performed ref-confusion failed on file://./pkg/installer/vendor/shlex/.github/workflows/test.yml This commit configures zizmor action to run only over .github/workflows of EVE repo. Signed-off-by: Renê de Souza Pinto <rene@renesp.com.br>
To get MaintenanceModeReason_MAINTENANCE_MODE_REASON_EDGE_NODE_CERTS_REFUSED Signed-off-by: eriknordmark <erik@zededa.com>
After a device has been reinstalled but reusing the device certificate the attempts to publish EdgeNodeCerts will be rejected by the controller for security reasons since they have changed. (They are stored in /persist/certs hence are lost and recreated on a device reinstall.) This makes that unusual condition visible to the user by putting the device in maintenance mode. Signed-off-by: eriknordmark <erik@zededa.com>
For debug->recovertpm dependency Signed-off-by: eriknordmark <erik@zededa.com>
The LIVE_UPDATE=1 feature allows for faster development builds by updating existing qcow2 disk images with new rootfs content instead of rebuilding from scratch. However, this was broken due to two issues:
1. Incorrect tarball dependency: When LIVE_UPDATE=1 is set, the Makefile rule used an order-only dependency for the rootfs tarball, which meant the $< variable was empty. This caused makerootfs.sh to be called with an empty -t parameter, leading to "dirname: invalid option" errors.
2. Insufficient disk space: The ext4 filesystem created by mkrootfs-ext4 was too small to hold all EVE content. The original 200MB extra space was insufficient for the full firmware and binary payload.
This fix:
- Updates the LIVE_UPDATE=1 Makefile rule to explicitly construct the tarball path using $(ROOTFS_TAR_BASE)-$*.tar instead of relying on $<
- Increases the extra space allocation in mkrootfs-ext4 from 200MB to 800MB to accommodate the complete EVE rootfs content
The LIVE_UPDATE=1 feature now works correctly, significantly reducing build times for developers by only updating rootfs content rather than recreating the entire disk image.
Signed-off-by: Paul Gaiduk <paulg@zededa.com>
k3s released the latest version v1.34.2+k3s1, which addresses the critical CVE in runc. The runc version where the critical CVE is fixed is v1.3.3, and this k3s version includes that. Check https://github.com/k3s-io/k3s/releases/tag/v1.34.2%2Bk3s1 Signed-off-by: Pramodh Pallapothu <pramodh@zededa.com>
On some machines, especially if virtualized, the tests take more than one hour, therefore increase the timeout. On my laptop it takes about 35 minutes. Signed-off-by: Christoph Ostarek <christoph@zededa.com>
TestSingleDPC could intermittently fail by checking the DPC testing state before NIM updates it after completing testing, resulting in reading DPCStateNone instead of the expected DPCStateSuccess. To avoid this race, switch the check to use Eventually and wait for the success state, as is already done in the other DPC unit tests. Signed-off-by: Milan Lenco <milan@zededa.com>
Updated runc version to almost identical, but built so that it properly populates the sbom. Signed-off-by: Avi Deitcher <avi@deitcher.net>
This commit does the following:
1) Compile nvidia-container-runtime and nvidia-container-runtime-hook binaries from nvidia container toolkit
2) Update CDI file to name GPU to tegra (jetson only looks for tegra devices in CDI mode)
3) Update pkg/kube to ship nvidia-container-runtime config and nvidia-device-plugin yaml files.
4) Update k3s containerd config to load nvidia container runtime if requested through pod yaml file (runtimeClassName = nvidia)
5) Directly use runtime binary from /opt/vendor/nvidia/bin
6) Changed jp5 and jp6 yaml Orin files to use kind nvidia.com/gpu
7) Update .spdxignore and yetus excludes file with nvidia device plugin yaml
Signed-off-by: Pramodh Pallapothu <pramodh@zededa.com>
Recent k3s version update to v1.34.2+k3s1 requires KUBE_VERSION to be bumped, else in already existing installs k3s will not get upgraded. Tested on single nodes where old version v1.33.3+k3s1 is running and verified after eve upgrade new version of k3s is v1.34.2+k3s1 Signed-off-by: Pramodh Pallapothu <pramodh@zededa.com>
- change the expired time from always using seconds to human readable time in seconds, minutes, hours and days Signed-off-by: naiming-zededa <naiming@zededa.com>
- seen the error during decryption from token, 'Edge Node Certificate get fail', and most likely due to the initial wait for EdgeNodeCerts is not enough. Like the ControllerCert update, we also add this to the EdgeNodeCert update to re-publish the EdgeNodeClusterStatus Signed-off-by: naiming-zededa <naiming@zededa.com>
Replace os.ModeAppend with 0644 in OpenFile to correctly set Unix rw-r--r-- permissions when creating or appending to log files. Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
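What the os.ModeAppend commit above changes can be seen on disk. The following is an added example, not code from the EVE repository; the file names and the helper functions createdPerm and comparePerms are hypothetical. It creates one log file with os.ModeAppend as the perm argument and one with 0644, then reports the permission bits each file ends up with.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// createdPerm (hypothetical helper) creates a log file, passing perm as the
// third argument of os.OpenFile, and returns the permission bits on disk.
func createdPerm(dir, name string, perm os.FileMode) (os.FileMode, error) {
	f, err := os.OpenFile(filepath.Join(dir, name),
		os.O_CREATE|os.O_APPEND|os.O_WRONLY, perm)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	if _, err := f.WriteString("constructed log line\n"); err != nil {
		return 0, err
	}
	fi, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// comparePerms runs both variants in a throwaway directory.
func comparePerms() (before, after os.FileMode, err error) {
	dir, err := os.MkdirTemp("", "logperm-example")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	// os.ModeAppend is a mode flag with no rwx bits: os.ModeAppend.Perm() == 0.
	if before, err = createdPerm(dir, "before.log", os.ModeAppend); err != nil {
		return 0, 0, err
	}
	// 0644 requests rw-r--r--; the process umask can only clear bits from it.
	after, err = createdPerm(dir, "after.log", 0o644)
	return before, after, err
}

func main() {
	before, after, err := comparePerms()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("perm=os.ModeAppend -> %v\nperm=0644 -> %v\n", before, after)
}
```

The first file is created with no permission bits at all, so a later open by a non-root process fails even for the owner; the O_APPEND flag, not the perm argument, is what selects append behaviour.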
…AN creation Fix missing dependency between a VLAN subinterface and its parent adapter being configured for VLAN use. Previously, the VLAN item only depended on the adapter’s existence and MTU. In some cases, this allowed reconciliation to attempt VLAN creation before the parent interface (bridge) was fully created and configured for VLANs, causing the operation to fail. This change strengthens the dependency by requiring the adapter to be marked as a VLAN parent (UsedAsVlanParent) in addition to having a sufficient MTU. This guarantees correct ordering and prevents premature VLAN subinterface creation. Signed-off-by: Milan Lenco <milan@zededa.com>
Optimize adapter reconciliation by avoiding unnecessary re-creation when VLANs are added or removed. Previously, changes to UsedAsVlanParent would always trigger adapter (i.e. bridge) re-creation. However, VLAN membership changes do not require re-creating the adapter as long as the bridge continues to be managed by the same microservice (NIM or zedrouter). This change refines the comparison logic to ignore direct changes to UsedAsVlanParent and instead only trigger re-creation when the adapter’s bridge ownership changes. This reduces churn during reconciliation while preserving correct behavior. Signed-off-by: Milan Lenco <milan@zededa.com>
Update eve-libs to include context validation in dialer. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Validate that the context passed to SendOnIntf is not nil and is cancelable. Otherwise, dump the stack for better traceability. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Replace context.Background with context from GetContextForAllIntfFunctions - it's cancelable and thus more suitable for network operations. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
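One way to implement the context check described in the two commits above, as an added example that is not the eve-libs or EVE code: checkContext, sendOnInterface and the error values are hypothetical names. It relies on the documented behaviour that Done() returns nil for a context that can never be canceled, which is the case for context.Background().

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime/debug"
	"time"
)

var (
	errNilContext    = errors.New("context is nil")
	errNotCancelable = errors.New("context can never be canceled")
)

// checkContext (hypothetical) rejects contexts that cannot stop a network call.
func checkContext(ctx context.Context) error {
	if ctx == nil {
		return errNilContext
	}
	// Done() is nil for Background(), TODO() and values derived only from them.
	if ctx.Done() == nil {
		return errNotCancelable
	}
	return nil
}

// sendOnInterface is a stand-in for a per-interface send; on a bad context it
// returns an error that carries the caller's stack for traceability.
func sendOnInterface(ctx context.Context, intf string) error {
	if err := checkContext(ctx); err != nil {
		return fmt.Errorf("send on %s rejected: %w\n%s", intf, err, debug.Stack())
	}
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-time.After(5 * time.Millisecond): // constructed stand-in for network I/O
		return nil
	}
}

func main() {
	// Not cancelable: rejected with a stack dump.
	fmt.Println(sendOnInterface(context.Background(), "eth0") != nil)

	// Cancelable: accepted.
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	fmt.Println(sendOnInterface(ctx, "eth0"))
}
```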
When doing HTTP requests in loops it's a good practice to close the response body explicitly after reading it, instead of deferring it until the surrounding function returns. This helps to free up resources sooner and avoid potential resource leaks, especially in bigger loops. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
705e8b4 to 2df2b2b
Bump nvidia-container-toolkit to 1.16.2 in order to fix 2 critical CVEs: https://nvidia.custhelp.com/app/answers/detail/a_id/5582 Signed-off-by: Renê de Souza Pinto <rene@renesp.com.br>
On recent EVE-OS versions (observed on 16.1.0), systems equipped with Intel Wi-Fi 6 AX210 fail to bring up a WLAN interface even though the iwlwifi driver is loaded. Kernel logs show that the driver requires TY firmware (iwlwifi-ty-a0-gf-a0-77 … -89), but only an older TY firmware version (-59) is currently included in the firmware bundle. As a result, the driver fails with “no suitable firmware found” and no wlan interface is created. This PR adds the required newer AX210 (TY) firmware files so that the iwlwifi driver can successfully load firmware and initialize the Wi-Fi interface. Signed-off-by: Ioannis Sfakianakis <jsfakas@gmail.com>
New location for kube service container /var/lib/ items: a bind mount in /persist/vault/kube. Enables no ZFS in io path. Installer default is changed to use ext4 instead of zfs, this follows the default in kvm eve. Multiple eve_persist_disk disk will default to zfs persist. Signed-off-by: Andrew Durbin <andrewd@zededa.com>
This commit fixes a regression where nvidia device plugin daemon set is copied on amd64 platforms too. That leads to pod in error state, though that is not a major issue in itself, but since the pod is not online, eve-k k3s components installation is stuck waiting for all pods to be ready. In other words, clean USB install of eve-k will hang forever to get to ready state. Signed-off-by: Pramodh Pallapothu <pramodh@zededa.com>
pkg/debug build blocked by spec.sh json output
- Move COMMA variable out of output
- skip non-link files in /sys/class/net. This may be only an issue when building pkg/debug on MacOS aarch64 building for ZARCH=amd64 due to the Docker desktop shim linux kernel.
- "docker build -f Dockerfile.spec ." to quickly test spec.sh
Signed-off-by: Andrew Durbin <andrewd@zededa.com>
- Add pr_base_ref capture in pr-gate.yml
- Create eden-version-map.yml with branch-to-version mapping
- Modify eden-trusted.yml to select Eden version dynamically
- Map LTS branches (13.4-stable, 14.5-stable) to Eden 1.0.9
- Map all other branches to Eden 1.0.13
GH actions don't support dynamic workflow names, so we have to take a workaround through scripts.
Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Replace external YAML mapping file with inline case statement in the select_eden_version job. This simplifies the implementation since the mapping logic is straightforward (LTS branches use 1.0.9, others use 1.0.13). Also removes unnecessary repository checkout step. Co-authored-by: europaul <32612024+europaul@users.noreply.github.com>
Replace complex repository dispatch approach with simpler static workflow references. Create separate jobs for each Eden version that conditionally execute based on the selected version:
- tests-eden-1_0_9: Uses lf-edge/eden/.github/workflows/test.yml@1.0.9
- tests-eden-1_0_13: Uses lf-edge/eden/.github/workflows/test.yml@1.0.13
Add aggregator job to validate results and maintain compatibility with downstream jobs. This approach is simpler, more reliable, and doesn't require complex polling logic.
Co-authored-by: europaul <32612024+europaul@users.noreply.github.com>
this is some fake change to trigger PR build workflow Signed-off-by: Paul Gaiduk <paulg@zededa.com>
c06daec to d309146
OhmSpectator approved these changes Dec 23, 2025
GH actions don't support dynamic workflow names, so we have to take a workaround through scripts.
Description
Provide a clear and concise description of the changes in this PR and
explain why they are necessary.
If the PR contains only one commit, you will see the commit message above:
feel free to use it under the description section here, if it is good enough.
For Backport PRs, a full description is optional, but please clearly state
the original PR number(s). Use the #{NUMBER} format for that, it makes it easier
to handle with the scripts later. For example:
Title of a backport PR must also follow the following format:
where x.y-stable is the name of the target stable branch, and Original PR title is the title of the original PR.
For example, for a PR that backports a PR with title Fix the nasty bug to branch 13.4-stable the title should be: [13.4-stable] Fix the nasty bug.
PR dependencies
List all dependencies of this PR (when applicable, otherwise remove this
section).
How to test and validate this PR
Please describe how the changes in this PR can be validated or verified. For
example:
This will be used
The first is especially important, so, please make sure to provide as much
detail as possible.
If it's covered by an automated test, please mention it here.
Changelog notes
Text in this section will be used to generate the changelog entry for
release notes. The consumers of this are end users, not developers.
So, provide a clear and short description of what is changed in the PR from
the end user perspective. If it changes only tooling or some internal
implementation, put a note like "No user-facing changes" or "None".
PR Backports
For all current LTS branches, please state explicitly if this PR should be
backported or not. This section is used by our scripts to track the backports,
so, please, do not omit it.
Here is the list of current LTS branches (it should be always up to date):
For example, if this PR fixes a bug in a feature that was introduced in 14.5,
you can write:
Also, to the PRs that should be backported into any stable branch, please
add a label stable.
Checklist
For backport PRs (remove it if it's not a backport):
And the last but not least:
check them.
Please, check the boxes above after submitting the PR in interactive mode.