Add version-gated NETFILTER_XTABLES_LEGACY and BRIDGE_NF_EBTABLES_LEGACY
support in armbian-kernel.sh for kernels >= 6.18. Also add missing
ebtables table modules (BRIDGE_EBT_BROUTE, BRIDGE_EBT_T_FILTER,
BRIDGE_EBT_T_NAT) unconditionally to the nftables config function.
This ensures all hardware families automatically get legacy xtables
support when building kernels 6.18+, fixing Docker and Proxmox
firewall breakage without requiring per-family config changes.
Integrate the libc0607/rtl88x2eu-20230815 out-of-tree driver into the build
system under EXTRA_WIFI for kernels >= 3.14 and < 6.19.
- Fetch pinned upstream commit ccb31f4ee346d5c2dd45475d276171b2f8de8350
- Install sources under drivers/net/wireless/rtl8822eu
- Enable AP and P2P modes in driver Makefile
- Hook into kernel Kconfig and Makefile via CONFIG_RTL8822EU
Tested working on `6.12.74-current-sunxi` and `6.6.75-legacy-sunxi`.
Add opt-in extension that includes gcc/clang major.minor version in the
kernel artifact version string for cache invalidation when the toolchain
changes. Enable with ENABLE_EXTENSIONS="kernel-version-toolchain".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace single-line version suffix assembly with an extensible two-array
approach: artifact_version_parts (associative, key=value) and
artifact_version_part_order (indexed, "NNNN-KEY" for sortable insertion).
Extensions can add, modify, or remove parts via the
artifact_kernel_version_parts hook. Keys starting with "_" are
internal-only and not prefixed in the output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reduce kernel_config_modifying_hashes to last assignment per key before
hashing, so that overridden config options do not cause unnecessary
cache invalidation. Uses tac|sort to implement last-value-wins
deduplication.
Co-Authored-By: tabrisnet <tabrisnet@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes wrong CPU vulnerability output:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled
It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.
This warning happens on ARM32 and ARM64 devices.
Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' ;
CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]
Operational behavior you should know
kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):
0: unprivileged bpf() allowed
1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Add ARMBIAN_DOCKER_AUTO_PULL environment variable (opt-in, must be explicitly set to "yes")
- Move auto-pull cronjob setup from requirements to docker CLI
- Add automatic cleanup of cronjob files when flag is disabled/removed
- Remove verbose "unchanged" messages for cleaner output
- Simplify control flow in docker_ensure_auto_pull_cronjob()
- Add docker_cleanup_old_images() to remove dangling images and keep only 2 most recent per tag
- Add docker_pull_with_marker() to pull images and update marker files tracking last pull time
- Add docker_setup_auto_pull_cronjob() to create/update system cronjob and wrapper script via hash-based detection
- Add docker_ensure_auto_pull_cronjob() to ensure cronjob is installed and up-to-date
- Create self-contained wrapper script at /usr/local/bin/armbian-docker-pull for cron execution
- Store configuration hash in /var/lib/armbian/docker-pull.hash for smart update detection
- Install cronjob at /etc/cron.d/armbian-docker-pull to pull images every 12 hours
- Move cronjob setup from docker_cli_prepare() to requirements command
- Cronjob is now only installed when users explicitly run ./compile.sh requirements
- Prevents "12 hours since last pull, pulling again" delay during builds
Signed-off-by: Igor Pecovnik <igor@armbian.com>
When building kernels with KERNEL_COMPILER=clang, compiler warnings
were displayed without color despite -fdiagnostics-color=always being
set in KCFLAGS. This GCC-native flag is not reliably honored by clang
when invoked through ccache and the kernel build system with LLVM=1.
Add -fcolor-diagnostics (clang's native flag) to the clang-specific
extra_warnings to ensure colored warning output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
In Linux 6.19, net_device->dev_addr is const unsigned char *.
Clang with -Werror,-Wincompatible-pointer-types-discards-qualifiers
rejects passing dev_addr to non-const parameters and memcpy into it.
Fix by:
- Replacing memcpy(dev->dev_addr, ...) with dev_addr_set()
- Using local buffer + ether_addr_copy for sprdwl_set_mac_addr call
that needs mutable addr (the function modifies it in-place)
- Changing u8 *mac pointer to u8 mac[ETH_ALEN] array in cfg80211.c
where dev_addr was assigned to a non-const pointer
Relates to #9049
Add a new extension hook point in run_kernel_make_internal() that allows
extensions to modify kernel make parameters before compilation.
Extensions can now modify:
- common_make_params_quoted - parameters passed to make
- common_make_envs - environment variables for make
This enables features like CROSS_COMPILE_COMPAT for 32-bit compat vDSO
on arm64 builds without modifying core build scripts.
Refs: https://github.com/armbian/build/issues/9216
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add loong64 to the list of architectures prepared by prepare_host_binfmt_qemu_cross().
This allows automatic registration and use of qemu-user emulation for LoongArch64
guests, enabling rootfs bootstrap and CI workflows targeting loong64.
This aligns Armbian with Debian’s upcoming native loong64 support (Forky) and allows
testing already via debian-ports and qemu-system-loongarch64.
Signed-off-by: Igor Pecovnik <igor@armbian.com>
When the memoize cache lock is held by another process (e.g., a stale
Docker container from a previous interrupted build), the build would
hang indefinitely without any feedback to the user.
This change:
- First tries non-blocking flock, acquiring immediately if available
- If lock is busy, informs user and waits with periodic status messages
- Adds MEMOIZE_FLOCK_WAIT_INTERVAL (default 10s) for message frequency
- Adds MEMOIZE_FLOCK_MAX_WAIT (default 0=infinite) for optional timeout
- Allows user to interrupt with Ctrl+C
- Suggests checking for stale containers: docker ps -a | grep armbian
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- we've had SKIP_EXTERNAL_TOOLCHAINS=yes for ~5 years now
- drop all usages, mostly through `find_toolchains()`
- drop all manual PATH env injections (we've centralized if ever needed)
- optionally, if UBOOT_BINS_TO_OUTPUT=yes, copy them out to output/
- this might reveal differences in binwalk itself more than u-boot
- but better than nothing
- Autopatcher was commiting atrocities to the upstream DTs that are so
carefully hand-crafted, by simply rewriting everything, or trying to be
smart and failing at it (`incremental: true`)
- Instead, add `add-only: true` mode, where we simply only ever add to the
end of the Makefile, adding each new .dts and optionally the `subdir-y`
for overlays
The `DEST_LANG` variable affects rootfs cache content (locale is generated via
`locale-gen "${DEST_LANG}"` before cache is packaged), but it was not included in the
cache hash calculation.
This meant that changing `DEST_LANG` would not invalidate the existing cache,
potentially resulting in images with incorrect locale.
Include `DEST_LANG` in the `hash_hooks` calculation in `calculate_rootfs_cache_id()`.
Changes
- `lib/functions/rootfs/create-cache.sh`: Add `LANG=${DEST_LANG}` to the hash input
Result
Changing `DEST_LANG` now properly invalidates rootfs cache, ensuring the correct locale
is generated.
Build process generated numerous locale warnings like:
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
perl: warning: Setting locale failed
This happened because the Docker container and host environment were
configured to use `en_US.UTF-8`, but the rootfs cache may not contain
this locale (only `C.utf8` and whatever `DEST_LANG` specifies,
e.g. `en_GB.utf8`).
When `chroot_sdcard` runs commands inside the rootfs, environment variables
are inherited from the host/Docker, causing locale lookup failures.
Then use `C.UTF-8` locale for the build environment instead of `en_US.UTF-8`.
This locale is always available in rootfs immediately after mmdebstrap,
requiring no generation.
Changes
`lib/functions/host/docker.sh`: Remove `en_US.UTF-8` locale generation,
set `LANG=C.UTF-8` in container environment
`lib/functions/host/prepare-host.sh`: Change locale exports
from `en_US.UTF-8` to `C.UTF-8`
- turns out everybody was wrong, including me
- some (older?) ATF sources won't work, ever; thus
- introduce ATF_SKIP_LDFLAGS=yes to skip it completely
- introduce ATF_SKIP_LDFLAGS_WL=yes to only skip the `-Wl,` prefix
- this is for ATF's that pass flag directly to linker, not gcc
- artifact-uboot: hash atf-building code into artifact version
This flag was breaking kernel's cc-option detection, causing GCC-specific
warnings (-Wpacked-not-aligned, -Wstringop-truncation, -Wmaybe-uninitialized)
to be incorrectly added to btrfs/drm/coresight builds when using clang.
* rtw88 mainline driver has good enough support for rtl8723cs
so stop patching the kernel with this ancient driver
* fixes rtl8703b (same chip as 8723cs) bluetooth firmware name file
