Replace all 43 POSIX `[ ]` tests with bash `[[ ]]` across five board-side
package hook functions (preinst, postinst_base, postinst_finish,
postinst_update_uboot_bootscript, get_bootscript_info).
Normalise `=` to `==` in the `"$1" == "upgrade"` comparison.
Collapse paired `[ A ] && [ B ]` into a single `[[ A && B ]]` where possible.
Variables that were previously unquoted inside `[ ]` (e.g. ${BOOTSCRIPT_DST},
${BOOTSCRIPT_BACKUP_VERSION}) are now properly quoted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace two chained POSIX `[ ]` with a single bash `[[ ]]` using `&&`
inside the double brackets.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace POSIX `[ ]` with bash `[[ ]]` on four conditionals: file/path
existence checks and an array length comparison.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace POSIX `[ ]` with bash `[[ ]]` on six conditionals: file existence
checks, string comparisons, and -n tests. Also normalise `=` to `==` in
the string comparison.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace POSIX `[ ]` with bash `[[ ]]` on three remaining single-bracket
conditionals: two numeric comparisons on sfdisk version (lines 251, 270)
and one -z test with unquoted variable (line 485, also adds quoting).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
If patch B sorts after patch A but has an older mtime, it would
overwrite A's timestamp on the shared file, causing the kernel Makefile
to skip recompilation.
Fix: only call os.utime() when the new mtime is strictly greater than
the file's current mtime.
* add hook to allow customizing before kernel make env creation
* Hook runs in docker_cli_prepare_launch() just before DOCKER_EXTRA_ARGS
is processed, allowing extensions to add Docker arguments with a more
descriptive hook name than add_host_dependencies.
* Extension: ccache-remote
Enables ccache with remote Redis storage for sharing compilation cache across build hosts.
Features:
- Auto-discovery via Avahi/mDNS (ccache.local hostname)
- Explicit Redis server configuration via CCACHE_REMOTE_STORAGE
- Build statistics display at end of build (hit/miss/error rates)
- Support for both Docker and native builds
- Hooks for kernel and u-boot compilation environments
Documentation includes server setup instructions with security warnings,
client mDNS configuration, and cache sharing requirements.
* uboot: fix ccache environment and add extension hook
The U-Boot build uses `env -i`, which clears all environment variables.
CCACHE_DIR and CCACHE_TEMPDIR were not explicitly passed to make,
unlike in the kernel build (kernel-make.sh). This caused ccache to use
the default directory instead of the configured Armbian one, breaking
cache statistics and shared cache functionality.
Changes:
- Add CCACHE_DIR and CCACHE_TEMPDIR to uboot_make_envs
- Add uboot_make_config hook for extensions (similar to kernel_make_config),
allowing modification of environment variables before compilation
* add long list of allowed ccache-related env vars
* set permissions to ccache files RW for everyone if cache not private
* ccache: add ccache_post_compilation hook for extensions
* ccache-remote: use ccache_post_compilation hook instead of cleanup handler
Show remote ccache stats after each compilation (kernel, uboot) via hook,
instead of once at the end via cleanup handler. Stats now shown even on
build failure.
* ccache: show stats with safe arithmetic
* ccache/uboot: improve code comments per review feedback
- uboot.sh: clarify ARMBIAN=foe workaround for dual-compiler scenario
- ccache-remote.sh: document that CCACHE_REDIS_CONNECT_TIMEOUT must be
set before extension loads
* ccache-remote: mask storage URLs in logs
Mask CCACHE_REMOTE_STORAGE when emitting Docker env debug logs.
* ccache-remote: extract ccache_inject_envs() helper to deduplicate passthrough loops
Extract ccache_inject_envs() helper to deduplicate identical passthrough
loops in kernel and uboot make config hooks.
ccache-remote: rename functions to follow project naming conventions
Rename get_redis_stats and mask_storage_url to ccache_get_redis_stats
and ccache_mask_storage_url to follow project naming conventions.
ccache-remote: mask credentials in debug log output for passthrough loops
Mask CCACHE_REMOTE_STORAGE value through ccache_mask_storage_url() before
logging in both Docker env and make env passthrough loops to avoid leaking
credentials into build logs.
* ccache-remote: add HTTP/WebDAV backend and DNS discovery
* ccache-remote: move extension script into directory layout
* ccache-remote: add server setup docs and config files
* ccache-remote: validate Redis credentials in URLs
* ccache-remote: document Redis auth options and safe passwords
Add separate insecure config example for trusted networks.
Recommend URL-safe hex passwords and update setup docs.
* ccache-remote: improve Docker loopback handling and IPv6 host parsing
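The credential masking described above for CCACHE_REMOTE_STORAGE, sketched as an added example; it is not the extension's own code. `mask_storage_creds` and `render_env_for_log` are hypothetical names, the hosts and passwords are constructed, and the value layout (whitespace-separated `scheme://[user:]password@host` URLs with optional `|attribute=value` suffixes) is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not Armbian code. Function names are hypothetical.

# Replace the userinfo part ("user:pass@", ":pass@" or "pass@") of every URL in
# a storage value with "****@". The value may hold several whitespace-separated
# URLs, each optionally followed by "|attribute=value" (assumed layout).
# The match is greedy up to the last "@" before "/", "|" or whitespace, so a
# password that itself contains "@" is still masked in full.
mask_storage_creds() {
	printf '%s\n' "$1" | sed -E 's#(://)[^/|[:space:]]*@#\1****@#g'
}

# Render KEY=VALUE pairs for a debug log, masking only the storage variable.
render_env_for_log() {
	for kv in "$@"; do
		key=${kv%%=*}
		val=${kv#*=}
		case "$key" in
			CCACHE_REMOTE_STORAGE) val=$(mask_storage_creds "$val") ;;
		esac
		printf '%s=%s\n' "$key" "$val"
	done
}

# Constructed sample environment (placeholder host and password).
render_env_for_log \
	'CCACHE_DIR=/var/cache/ccache' \
	'CCACHE_REMOTE_STORAGE=redis://builder:0123abcd@cache.example:6379|connect-timeout=500'
```

Masking by pattern rather than by parsing means a URL without credentials passes through unchanged, which keeps the log useful for debugging host and port problems.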
Was only used once (orangepi5pro.csc) and has been deprecated.
Remove the implementation, the board config, and the README entry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Other read calls in the same file already use -r.
Without -r, backslashes in user input are interpreted as escape characters.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When packaging linux-headers, the compiled binaries from scripts/ are removed,
because they were built for the build host rather than the target machine (the
typical cross-build case). Therefore postinst rebuilds them natively when the
package is installed, after first running `make olddefconfig`.
However, olddefconfig does not only prepare the environment: it recomputes the
kernel configuration, probing the toolchain available on the target host at install time.
If the tools used when building the kernel are missing on the target machine
or have a different version, olddefconfig silently disables the corresponding CONFIG_*
options (for example, CONFIG_CC_IS_CLANG, CONFIG_LTO_CLANG, CONFIG_DEBUG_INFO_BTF).
As a result, the installed headers package describes not the kernel that was
actually built and is running, but the one that could be built on this host.
This affects:
- include/generated/autoconf.h (used by the C preprocessor)
- include/config/auto.conf + the marker files in include/config/ (used by
kbuild make rules)
- include/generated/rustc_cfg (used by Rust builds)
All of these files are build artifacts and must describe the compiled kernel,
not the capabilities of the install host.
Fix: at packaging time, save a sidecar tarball with the build-time versions of
include/config/ and include/generated/{autoconf.h,rustc_cfg}; restore
it in postinst at the very end, after all make steps.
Fixes: https://github.com/armbian/build/issues/9425
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add version-gated NETFILTER_XTABLES_LEGACY and BRIDGE_NF_EBTABLES_LEGACY
support in armbian-kernel.sh for kernels >= 6.18. Also add missing
ebtables table modules (BRIDGE_EBT_BROUTE, BRIDGE_EBT_T_FILTER,
BRIDGE_EBT_T_NAT) unconditionally to the nftables config function.
This ensures all hardware families automatically get legacy xtables
support when building kernels 6.18+, fixing Docker and Proxmox
firewall breakage without requiring per-family config changes.
Integrate the libc0607/rtl88x2eu-20230815 out-of-tree driver into the build
system under EXTRA_WIFI for kernels >= 3.14 and < 6.19.
- Fetch pinned upstream commit ccb31f4ee346d5c2dd45475d276171b2f8de8350
- Install sources under drivers/net/wireless/rtl8822eu
- Enable AP and P2P modes in driver Makefile
- Hook into kernel Kconfig and Makefile via CONFIG_RTL8822EU
Tested working on `6.12.74-current-sunxi` and `6.6.75-legacy-sunxi`.
Add opt-in extension that includes gcc/clang major.minor version in the
kernel artifact version string for cache invalidation when the toolchain
changes. Enable with ENABLE_EXTENSIONS="kernel-version-toolchain".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace single-line version suffix assembly with an extensible two-array
approach: artifact_version_parts (associative, key=value) and
artifact_version_part_order (indexed, "NNNN-KEY" for sortable insertion).
Extensions can add, modify, or remove parts via the
artifact_kernel_version_parts hook. Keys starting with "_" are
internal-only and not prefixed in the output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reduce kernel_config_modifying_hashes to last assignment per key before
hashing, so that overridden config options do not cause unnecessary
cache invalidation. Uses tac|sort to implement last-value-wins
deduplication.
Co-Authored-By: tabrisnet <tabrisnet@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
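The last-value-wins reduction with tac and sort described above, as an added example that is not the project's own code. `last_assignment_per_key` and `config_hash` are hypothetical names, the entries are constructed, and the `KEY=value` entry format and GNU coreutils are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Armbian code. Function names are hypothetical; assumes
# GNU coreutils (tac, sort, sha256sum) and entries of the form KEY=value.

# Read KEY=value lines on stdin and keep only the last assignment per key.
# tac reverses the input so the last assignment comes first; a stable sort on
# the key (-s -k1,1) keeps that order inside each key, and -u then emits only
# the first line of each key. LC_ALL=C makes the ordering locale-independent.
last_assignment_per_key() {
	tac | LC_ALL=C sort -s -u -t= -k1,1
}

# Hash the reduced list, so only the effective settings influence the result.
config_hash() {
	last_assignment_per_key | sha256sum | cut -d' ' -f1
}

# Constructed histories: same final values, reached with and without overrides.
history_with_override='CONFIG_LTO_CLANG=n
CONFIG_DEBUG_INFO_BTF=y
CONFIG_LTO_CLANG=y'
history_direct='CONFIG_DEBUG_INFO_BTF=y
CONFIG_LTO_CLANG=y'

printf '%s\n' "$history_with_override" | last_assignment_per_key
if [ "$(printf '%s\n' "$history_with_override" | config_hash)" = \
     "$(printf '%s\n' "$history_direct" | config_hash)" ]; then
	echo "same effective config, same hash"
fi
```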
Fixes wrong CPU vulnerability output:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled
It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.
This warning happens on ARM32 and ARM64 devices.
Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' \;
CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]
Operational behavior you should know
kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):
0: unprivileged bpf() allowed
1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Add ARMBIAN_DOCKER_AUTO_PULL environment variable (opt-in, must be explicitly set to "yes")
- Move auto-pull cronjob setup from requirements to docker CLI
- Add automatic cleanup of cronjob files when flag is disabled/removed
- Remove verbose "unchanged" messages for cleaner output
- Simplify control flow in docker_ensure_auto_pull_cronjob()
- Add docker_cleanup_old_images() to remove dangling images and keep only 2 most recent per tag
- Add docker_pull_with_marker() to pull images and update marker files tracking last pull time
- Add docker_setup_auto_pull_cronjob() to create/update system cronjob and wrapper script via hash-based detection
- Add docker_ensure_auto_pull_cronjob() to ensure cronjob is installed and up-to-date
- Create self-contained wrapper script at /usr/local/bin/armbian-docker-pull for cron execution
- Store configuration hash in /var/lib/armbian/docker-pull.hash for smart update detection
- Install cronjob at /etc/cron.d/armbian-docker-pull to pull images every 12 hours
- Move cronjob setup from docker_cli_prepare() to requirements command
- Cronjob is now only installed when users explicitly run ./compile.sh requirements
- Prevents "12 hours since last pull, pulling again" delay during builds
Signed-off-by: Igor Pecovnik <igor@armbian.com>
When building kernels with KERNEL_COMPILER=clang, compiler warnings
were displayed without color despite -fdiagnostics-color=always being
set in KCFLAGS. This GCC-native flag is not reliably honored by clang
when invoked through ccache and the kernel build system with LLVM=1.
Add -fcolor-diagnostics (clang's native flag) to the clang-specific
extra_warnings to ensure colored warning output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
In Linux 6.19, net_device->dev_addr is const unsigned char *.
Clang with -Werror,-Wincompatible-pointer-types-discards-qualifiers
rejects passing dev_addr to non-const parameters and memcpy into it.
Fix by:
- Replacing memcpy(dev->dev_addr, ...) with dev_addr_set()
- Using local buffer + ether_addr_copy for sprdwl_set_mac_addr call
that needs mutable addr (the function modifies it in-place)
- Changing u8 *mac pointer to u8 mac[ETH_ALEN] array in cfg80211.c
where dev_addr was assigned to a non-const pointer
Relates to #9049
Add a new extension hook point in run_kernel_make_internal() that allows
extensions to modify kernel make parameters before compilation.
Extensions can now modify:
- common_make_params_quoted - parameters passed to make
- common_make_envs - environment variables for make
This enables features like CROSS_COMPILE_COMPAT for 32-bit compat vDSO
on arm64 builds without modifying core build scripts.
Refs: https://github.com/armbian/build/issues/9216
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add loong64 to the list of architectures prepared by prepare_host_binfmt_qemu_cross().
This allows automatic registration and use of qemu-user emulation for LoongArch64
guests, enabling rootfs bootstrap and CI workflows targeting loong64.
This aligns Armbian with Debian’s upcoming native loong64 support (Forky) and allows
testing already via debian-ports and qemu-system-loongarch64.
Signed-off-by: Igor Pecovnik <igor@armbian.com>
When the memoize cache lock is held by another process (e.g., a stale
Docker container from a previous interrupted build), the build would
hang indefinitely without any feedback to the user.
This change:
- First tries non-blocking flock, acquiring immediately if available
- If lock is busy, informs user and waits with periodic status messages
- Adds MEMOIZE_FLOCK_WAIT_INTERVAL (default 10s) for message frequency
- Adds MEMOIZE_FLOCK_MAX_WAIT (default 0=infinite) for optional timeout
- Allows user to interrupt with Ctrl+C
- Suggests checking for stale containers: docker ps -a | grep armbian
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- we've had SKIP_EXTERNAL_TOOLCHAINS=yes for ~5 years now
- drop all usages, mostly through `find_toolchains()`
- drop all manual PATH env injections (we've centralized if ever needed)
- optionally, if UBOOT_BINS_TO_OUTPUT=yes, copy them out to output/
- this might reveal differences in binwalk itself more than u-boot
- but better than nothing