Monthly update 3.0 (microsoft#16111)

Author: jslobodzian

.pipelines/containerSourceData/scripts/BuildGoldenDistrolessContainer.sh

@@ -4,6 +4,14 @@
 
 set -e
 
+function docker_cleanup {
+    echo "+++ Cleaning up Docker resources to free disk space"
+    docker system prune -f --volumes || true
+    docker builder prune -f || true
+    echo "+++ Docker cleanup completed"
+    df -h / || true
+}
+
 function DockerBuild {
     local containerName=$1
     local azureLinuxVersion=$2
@@ -41,6 +49,9 @@ function DockerBuild {
         --build-arg RPMS="$rpmsDir" \
         --build-arg LOCAL_REPO_FILE="$marinaraSrcDir/local.repo" \
         --no-cache
+
+    # Cleanup after build to free disk space
+    docker_cleanup
 }
 
 function create_distroless_container {

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -1076,6 +1076,7 @@
                 "opensm",
                 "opensp",
                 "openssl",
+                "openssl-fips-provider",
                 "openssl-ibmpkcs11",
                 "openssl-pkcs11",
                 "openwsman",
@@ -2452,6 +2453,7 @@
                 "tinyxml2",
                 "toml11",
                 "tracelogging",
+                "trident",
                 "umoci",
                 "usrsctp",
                 "vala",
@@ -2784,6 +2786,7 @@
                 "golang",
                 "golang-1.23",
                 "golang-1.24",
+                "golang-1.25",
                 "gperf",
                 "gperftools",
                 "gpgme",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -68,7 +68,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          3.1.1
-Release:          9%{?dist}
+Release:          10%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Vendor:           Microsoft Corporation
@@ -733,6 +733,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Feb 02 2026 Archana Shettigar <v-shettigara@microsoft.com> - 3.1.1-10
+- Bump release to rebuild with rust
+
 * Tue Jan 13 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.1.1-9
 - Bump release to rebuild with rust
 - Add patch add explicit lifetime for ValueArrayRef iterator

SPECS-EXTENDED/389-ds-base/389-ds-base.spec

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 6.6.121.1 Kernel Configuration
+# Linux/x86_64 6.6.126.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -129,7 +129,7 @@ CONFIG_PREEMPT_NONE=y
 CONFIG_PREEMPT_COUNT=y
 CONFIG_PREEMPTION=y
 CONFIG_PREEMPT_DYNAMIC=y
-# CONFIG_SCHED_CORE is not set
+CONFIG_SCHED_CORE=y
 
 #
 # CPU/Task time and stats accounting
@@ -1238,6 +1238,7 @@ CONFIG_TCP_CONG_ILLINOIS=m
 CONFIG_TCP_CONG_DCTCP=m
 CONFIG_TCP_CONG_CDG=m
 CONFIG_TCP_CONG_BBR=m
+# CONFIG_TCP_CONG_BBR3 is not set
 CONFIG_DEFAULT_CUBIC=y
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
@@ -1888,7 +1889,8 @@ CONFIG_CEPH_LIB=m
 # CONFIG_NFC is not set
 # CONFIG_PSAMPLE is not set
 # CONFIG_NET_IFE is not set
-# CONFIG_LWTUNNEL is not set
+CONFIG_LWTUNNEL=y
+CONFIG_LWTUNNEL_BPF=y
 CONFIG_DST_CACHE=y
 CONFIG_GRO_CELLS=y
 CONFIG_NET_SELFTESTS=y

SPECS-EXTENDED/kernel-ipe/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.121.1 Kernel Configuration
+# Linux/arm64 6.6.126.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -108,7 +108,7 @@ CONFIG_PREEMPT_NONE=y
 # CONFIG_PREEMPT_VOLUNTARY is not set
 # CONFIG_PREEMPT is not set
 # CONFIG_PREEMPT_DYNAMIC is not set
-# CONFIG_SCHED_CORE is not set
+CONFIG_SCHED_CORE=y
 
 #
 # CPU/Task time and stats accounting
@@ -1249,6 +1249,7 @@ CONFIG_TCP_CONG_ILLINOIS=m
 CONFIG_TCP_CONG_DCTCP=m
 CONFIG_TCP_CONG_CDG=m
 CONFIG_TCP_CONG_BBR=m
+# CONFIG_TCP_CONG_BBR3 is not set
 CONFIG_DEFAULT_CUBIC=y
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"

SPECS-EXTENDED/kernel-ipe/config_aarch64

@@ -1,14 +1,14 @@
 {
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
-    "config": "45568c4b391b581400145626bd7ca1712028bfcef6b1f3ab4691c27786a91c3a",
-    "config_aarch64": "77ba2d0761f07f9d1182fd3ab469106e99c38e839665e5af699379a1a204a844",
+    "config": "33cc973aa1144fb7513c32f8f6c1be9b352b28d30ff1e91925c748c45c88de11",
+    "config_aarch64": "d4c131e815d83b2425b75288ca3d2ad0942bbbac46a4eeba3bbb90419c749936",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
     "azl-ipe-boot-policy.pol": "f2b7941bd3b721aadc8e937d0472c36fe5e140221f7bb54af6ef905884e0372c",
     "Makefile": "1c2e740407215ed9b9cbbc09f9102bc99c08b370bbe2cbb0490aefdc9eb70455",
     "tarfs.c": "066084e1ca2c1e7ba83e76a6696cf17928e7efb46a2b1670a7a1f597c2d9bc51",
-    "kernel-6.6.121.1.tar.gz": "aa5721db931ce7b5a7a2c9a554c78e399dbe76e823356d36f860308cfa9c5e12"
+    "kernel-6.6.126.1.tar.gz": "e0bf18e2647c360b43faa8147cca8fc22a0b57913725f35044c69a1c455625cd"
   }
 }

SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json

@@ -32,7 +32,7 @@
 
 Summary:        Linux Kernel
 Name:           kernel-ipe
-Version:        6.6.121.1
+Version:        6.6.126.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -460,6 +460,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Thu Feb 26 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.126.1-1
+- Auto-upgrade to 6.6.126.1
+
+* Mon Feb 23 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.121.1-2
+- Enable lwtunnel, lwtunnel-bpf, and sched_core
+
 * Mon Feb 02 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.121.1-1
 - Auto-upgrade to 6.6.121.1
 

SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec

@@ -0,0 +1,84 @@
+From c8978b7be6dbe388596fb899ab41a29e414ea5dc Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <Daniel.Mihai@microsoft.com>
+Date: Wed, 28 Jul 2021 14:55:12 -0700
+Subject: [PATCH] Replacing deprecated functions with NULL or highest
+ supported.
+
+This is a workaround until OpenSSL issue #7048 is officially resolved.
+Issue link: https://github.com/openssl/openssl/issues/7048.
+
+The main purpose of the change is to prevent breaking applications
+as they dynamically link to 'libssl.so' where APIs for some
+deprecated protocols are no longer present. With this change
+OpenSSL's build time configuration may skip the 'no-<prot>-method'
+switch, while still not supporting the deprecated protocols disabled
+through the 'no-<prot>' switch.
+
+For deprecated DTLS protocol versions behind the scenes we're calling
+into 'DTLS_(client_|server_)?method()' set of methods, which
+automatically negotiate the highest supported protocol.
+
+For SSLv3 methods we're returning a NULL pointer as there are no
+more supported methods for the SSL protocol.
+---
+ ssl/methods.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/methods.c b/ssl/methods.c
+index c846143277..a7ae074bfd 100644
+--- a/ssl/methods.c
++++ b/ssl/methods.c
+@@ -215,17 +215,29 @@ const SSL_METHOD *TLSv1_client_method(void)
+ # ifndef OPENSSL_NO_SSL3_METHOD
+ const SSL_METHOD *SSLv3_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_method();
++#  endif
+ }
+ 
+ const SSL_METHOD *SSLv3_server_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_server_method();
++#  endif
+ }
+ 
+ const SSL_METHOD *SSLv3_client_method(void)
+ {
++#  ifdef OPENSSL_NO_SSL3
++    return NULL;
++#  else
+     return sslv3_client_method();
++#  endif
+ }
+ # endif
+ 
+@@ -249,17 +261,17 @@ const SSL_METHOD *DTLSv1_2_client_method(void)
+ # ifndef OPENSSL_NO_DTLS1_METHOD
+ const SSL_METHOD *DTLSv1_method(void)
+ {
+-    return dtlsv1_method();
++    return DTLS_method();
+ }
+ 
+ const SSL_METHOD *DTLSv1_server_method(void)
+ {
+-    return dtlsv1_server_method();
++    return DTLS_server_method();
+ }
+ 
+ const SSL_METHOD *DTLSv1_client_method(void)
+ {
+-    return dtlsv1_client_method();
++    return DTLS_client_method();
+ }
+ # endif
+ 
+-- 
+2.25.1
+

SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch

@@ -0,0 +1,68 @@
+From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:03:40 +0200
+Subject: Use more general default values in openssl.cnf
+
+Also set sha256 as default hash, although that should not be
+necessary anymore.
+
+(was openssl-1.1.1-defaults.patch)
+---
+ apps/openssl.cnf | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 97567a67be..eb25a0ac48 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -104,7 +104,7 @@ cert_opt 	= ca_default		# Certificate field options
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
++default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
+@@ -136,6 +136,7 @@ emailAddress		= optional
+ ####################################################################
+ [ req ]
+ default_bits		= 2048
++default_md		= sha256
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -158,17 +159,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++#stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default		= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -177,7 +179,7 @@ localityName			= Locality Name (eg, city)
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (e.g. server FQDN or YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address
+-- 
+2.26.2
+