Packages changed:
  container-selinux (2.158.0 -> 2.160.1)
  cri-o (1.20.2 -> 1.21.0)
  dnf (4.6.1 -> 4.7.0)
  grub2
  kernel-source (5.11.15 -> 5.11.16)
  kexec-tools (2.0.20 -> 2.0.21)
  kubernetes (1.20.2 -> 1.21.0)
  kubernetes1.20 (1.20.2 -> 1.20.6)
  libgcrypt (1.9.2 -> 1.9.3)
  lvm2
  lvm2-device-mapper
  patterns-microos
  python-M2Crypto
  python-MarkupSafe
  python-jsonpatch (1.28 -> 1.31)
  rook (1.5.7+git4.gae949004e -> 1.5.10+git4.g309ad2f64)
  suse-module-tools (15.4.0 -> 15.4.1)

=== Details ===

==== container-selinux ====
Version update (2.158.0 -> 2.160.1)

- Fix container runtime binary labels (bsc#1185030). You need to
  relable at least /usr/sbin if you're affected

==== cri-o ====
Version update (1.20.2 -> 1.21.0)
Subpackages: cri-o-kubeadm-criconfig

- Update to version 1.21.0:
  * bump to v1.21.0
  * config: drop registries field as it is no longer supported
  * Revert "test: drop unneeded sed statement"
  * WIP: add debug print
  * test: drop unneeded sed statement
  * config: fix template insecure_registries field
  * config: drop commented config lines
  * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0
  * Bump OpenShift CI cri-tools version and fix build path
  * build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
  * Bump cri-tools to v1.21.0
  * Update Kubernetes to v1.21.0
  * Add container out of memory metrics
  * [CLI] "crio config" only prints the fields that are differet than the default.
  * Set short name mode to permissive
  * docs-validation: update to handle workloads
  * Fix unnecessary conversion lint report
  * add tests for workloads
  * integrate with server
  * config: update workloads structure
  * Clarify release cadence and version skew
  * Add correct start time to initial log output
  * Add support for workload settings
  * refactor handling of allowed_annotations
  * Do not push main binary into cachix cache
  * resourcestore: introduce ResourceCleaner
  * Use internal logging when context available
  * build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
  * server: remove dead code
  * sandbox: use defined CRI type for NamespaceOption
  * config: remove dead code
  * oci: remove dead code
  * lib: remove dead code
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5
  * update pause image to 3.5 for non-root
  * build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5
  * build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1
  * build(deps): bump github.com/containers/buildah from 1.19.8 to 1.20.0
  * build(deps): bump github.com/prometheus/client_golang
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4
  * build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5
  * crio-wipe: only clear storage if CleanShutdownFile is supported
  * Add static bundle node e2e tests to GitHub actions
  * Reload the main config file when reloading configs
  * crio wipe: only completely wipe storage after a reboot
  * Bump static binary dependency versions
  * Add dependabot config file
  * runtimeVM: Fix shimv2 binary name construction
  * config,runtimeVM: Improve runtime_path validation
  * oci_test: Add basic coverage to "RuntimeType()"
  * oci_test: Add basic coverage to "privileged_without_host_devices"
  * oci_test: Leave invalidRuntime on its own line
  * tweak scope dependencies
  * Do not return `<none>` placeholders for images any more
  * Fix invalid libcontainer GetExecUser call
  * Update dependencies
  * config: Don't fail if the non default runtime doesn't pass validation
  * Remove check for CI env variable for release-notes and dependencies
  * cgmgr: add CreateSandboxCgroup method
  * inspect: send container PID for dropped infra sandbox
  * oci: specify sbox id when creating spoofed container
  * Run GitHub actions on release branches
  * Update bats to v1.3.0 (#4661)
  * use happy-eyeballs for port-forwarding
  * fix mock issues
  * fix lint issues
  * install: drop support matrix and update instructions
  * do not store context in runtime vm
  * Fix lint GitHub action
  * pkg/container: take process args
  * Use and publish version marker for CRI-O
  * Add GitHub API pages support to `get` script
  * add libbtrfs-dev to unit tests
  * Revert "server: use IsAlive() more"
  * Fix GitHub actions cache key
  * Bug 1881694: Add pull source as info level log
  * test: use latest conmon
  * runtime_vm: Create the global fifo inside the runtime root path
  * stats: fix log spam
  * Support CRI seccomp security profiles
  * oci: add unit tests for stop timeouts
  * oci: don't update stop timeout if it's earlier than old one
  * oci: update timeout even if we're ignoring kill
  * oci: don't wait too long on a long stop
  * oci: check process is still around with kill
  * Add integration test for started/finished container time
  * fix: Don't set `image-endpoint` in crictl config
  * feat: Add CLI option to set registries.conf.d path
  * Add allowed io.containers.trace-syscall annotation to static bundle
  * Make `get` script independent from `make`
  * test: correct the env variable for dropping the infra container
  * Add metric to grab latency of individual cri calls
  * Fix `get` script commit SHA retrieval
  * Add arm64 static build to GitHub actions
  * Fix GitHub actions workflow syntax
  * Updates yq commnands for yq v4
  * gh-actions:  also run on release branches
  * pkg/sandbox: add InitInfraContainer endpoint
  * test: reconfigure how runtimes are passed in
  * test: add runtime() function
  * sandbox/container: drop context
  * test: drop workaround for crun
  * pkg/sandbox: cleanup unused funcs/files
  * fix doc log_level adding trace option
  * Fix oci container update config
  * Update e2e-aws logic for 4.8
  * nsmgr: take Initalize method
  * Switch to go 1.16 for GitHub actions and remove scripts/build-test-image
  * config: remove and create the correct dir
  * Update nix pin with `make nixpkgs`
  * server: mount cgroup with rslave
  * crio wipe: ensure a clean shutdown
  * Move integration tests to GitHub actions
  * Run release-notes GitHub action after dependencies
  * Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0.
  * config/node: refactor checking for CollectMode
  * Fix GitHub actions checkout permissions
  * change binary version to 1.21.0-dev
  * Set conmon scope KillSignal to SIGPIPE
  * Move repo modification jobs to GitHub actions
  * bump protobuf to 1.3.2
  * Log container stop timeout
  * ResourceStore: add close method
  * Allow seccomp hook tracing for separate containers
  * ResourceStore: extend tests to test WatcherForResource
  * ResourceStore: update tests to all run
  * ResourceStore: update docs for WatcherForResource
  * ResourceStore: don't segfault
  * server: support setting raw unified cgroupv2 settings
  * vendor: update runtime-specs
  * cgroup: implement fix for swap memcg on cgroup v2
  * server: leave swap mem limit unset if not supported
  * test: skip ServiceAccountIssuerDiscovery test
  * hostport manager clean up host ports
  * allows stream timeout to be set from config
  * config: pre-create pinns directories
  * Bump containers image to v5.10.1
  * Move unit tests to GitHub actions
  * Move go1.14 and 386 builds to GitHub actions
  * set kubelet node IP
  * Fix validate-completions GitHub action
  * Add integration test for pprof over unix socket
  * Add a flag for enabling profile over unix socket
  * Lookup echo command for unit tests
  * Move static build to GitHub actions
  * pinns: Fixup 'pwarn' output to match 'pwarnf' output
  * pinns: Don't put errno in the exit message for argument checks
  * nsmgr: use host option
  * nsmgr: Use config struct for NewPodNamespaces
  * pinns: support pinning host ns
  * Remove implicit GitHub action `name` fields
  * Move docs and completions validation to GitHub actions
  * Bump golangci-lint to v1.35.2
  * Make config tests work rootless
  * Make rootless namespace unit test execution work
  * config: fix template to show infra_ctr_cpus option
  * Do not log file path on ioutil.ReadFile
  * fixes version_test.go
  * Close the stdin/tty on server start to avoid shortname prompts
  * docs: fix http link
  * docs: update kubeadm tutorial
  * Fix `make lint`
  * Return runtime API version based on protocol
  * Update compatibility matrix to mention v1.20
  * add method comment
  * restore irqbalance config only on system restart
  * add blurb in doc and more informative name for unit tests
  * add is-enabled check for irqbalance service
  * fix unit tests
  * add unit tests
  * fix bash/zsh completions
  * fix the docs validation
  * handle irqbalance service
  * runtime_vm: set finished time when containers stop
  * nsmgr: fix/add calls to GetNamespace
  * managed namespaces: move to dedicated package
  * Provide integration test for infra-ctr-cpuset feature
  * Set CPUs for the infra containers during the creation
  * Add shell completion for infra-containers-cpu flag
  * Add new infra-containers-cpus to the CLI and config file
  * refine `registries` deprecation message
  * Circle CI: install test/registries.conf
  * crio.8.md: runroot defaults to /run/containers/storage
  * support short-name aliases
  * pull: do check for blocked registries
  * config: deprecate registries
  * Rollback gocapability vendor bump
  * vendor: bump containers/storage to v1.24.4
  * Update nix pin with `make nixpkgs`
  * contrib/test/int: add Kata Containers runtime support
  * contrib/test/int: enforce linking in parallel build process
  * contrib/test/int: build parallel from sources in CentOS
  * contrib/test/int: allow to skip user namespace testing
  * contrib/test/int: allow to configure test timeout
  * Capitalize Kubernetes
  * modify the error url of podctl
  * Add Digital Science to adopters
  * crio.service: Request to be run before kubelet.service
  * pinns: make binary not always static
  * server: use IsAlive() more
  * Support CRI v1 and v1alpha2 at the same time
  * drop support for ManageNSLifecycle
  * test/timeout.bats: increase timeout to fix flakes
  * release-notes: fix flags
  * test/timeout.bats: fix comments
  * int/resourcestore: fix comment about Put
  * test/image.bats: simplify some loops
  * test/helpers.bats: simplify cleanup_*
  * contrib/test/int: rm node-e2e test
  * contrib/test/int: fix iptables rule
  * critest: add unix:// prefix
  * critest.yml: don't skip test on RHEL
  * test: add timeout.bats
  * bump network creation timeout to 5 minutes
  * resourcecache: add watcher idiom
  * server: use ResourceCache instead of dropping progress
  * Add unit tests for ResourceCache
  * Introduce ResourceCache
  * moves shmsize to a handler allowed annotation
  * image pull: close progress chan
  * test/ctr.bats: fix a "ctr execsync" flake
  * Fix the functions' name in completions
  * make: drop link to crio.service
  * test: rm "run ctr with image with Config.Volumes"
  * test: add no-pull-on-run=true
  * test/devices.bats: fix "additional device permissions" case
  * test/devices.bats: rm unneeded run
  * test/devices.bats: skip earlier
  * Bandwidht CNI plugin reserved an upper limit on burst,in which banned include boundary. See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113
- Drop config-fix-tz.patch as upstream dependency was patched

==== dnf ====
Version update (4.6.1 -> 4.7.0)

- Update to version 4.7.0
  + Improve repo config path ordering to fix a comps merging issue (rh#1928181)
  + Keep reason when package is removed (rh#1921063)
  + Improve mechanism for application of security filters (rh#1918475)
  + [doc] Add description for new API
  + [API] Add new method for reset of security filters
  + [doc] Improve documentation for Hotfix repositories
  + [doc] fix: "makecache" command downloads only enabled repositories
  + Use libdnf.utils.checksum_{check,value}
  + [doc] Add info that maximum parallel downloads is 20
  + Increase loglevel in case of invalid config options
  + [doc] installonly_limit documentation follows behavior
  + Prevent traceback (catch ValueError) if pkg is from cmdline
  + Add documentation for config option sslverifystatus (rh#1814383)
  + Check for specific key string when verifing signatures (rh#1915990)
  + Use rpmkeys binary to verify package signature (rh#1915990)
  + Bugs fixed (rh#1916783)
  + Preserve file mode during log rotation (rh#1910084)

==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi

- Fix obsolete syslog in systemd unit file and updating to use journal as
  StandardOutput (bsc#1185149)
  * grub2-once.service

==== kernel-source ====
Version update (5.11.15 -> 5.11.16)

- Revert "rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)"
  This turned out to be a bad idea: the kernel-$flavor-devel package
  must be usable without kernel-$flavor, e.g. at the build of a KMP.
  And this change brought superfluous installation of kernel-preempt
  when a system had kernel-syms (bsc#1185113).
- commit d771304
- rpm/check-for-config-changes: add AS_HAS_* to ignores
  arch/arm64/Kconfig defines a lot of these. So far our current compilers
  seem to support them all. But it can quickly change with SLE later.
- commit a4d8194
- Linux 5.11.16 (bsc#1012628).
- bpf: Move sanitize_val_alu out of op switch (bsc#1012628).
- bpf: Improve verifier error messages for users (bsc#1012628).
- bpf: Rework ptr_limit into alu_limit and add common error path
  (bsc#1012628).
- ARM: 9071/1: uprobes: Don't hook on thumb instructions
  (bsc#1012628).
- bpf: Move off_reg into sanitize_ptr_alu (bsc#1012628).
- bpf: Ensure off_reg has no mixed signed bounds for all types
  (bsc#1012628).
- r8169: don't advertise pause in jumbo mode (bsc#1012628).
- r8169: tweak max read request size for newer chips also in
  jumbo mtu mode (bsc#1012628).
- kasan: remove redundant config option (bsc#1012628).
- kasan: fix hwasan build for gcc (bsc#1012628).
- KVM: VMX: Don't use vcpu->run->internal.ndata as an array index
  (bsc#1012628).
- KVM: VMX: Convert vcpu_vmx.exit_reason to a union (bsc#1012628).
- bpf: Use correct permission flag for mixed signed bounds
  arithmetic (bsc#1012628).
- arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz
  osc reference (bsc#1012628).
- arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems
  (bsc#1012628).
- ARM: OMAP2+: Fix uninitialized sr_inst (bsc#1012628).
- ARM: footbridge: fix PCI interrupt mapping (bsc#1012628).
- ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to
  for_each_mem_range() (bsc#1012628).
- ARM: 9063/1: mm: reduce maximum number of CPUs if
  DEBUG_KMAP_LOCAL is enabled (bsc#1012628).
- ARM: OMAP2+: Fix warning for omap_init_time_of() (bsc#1012628).
- gro: ensure frag0 meets IP header alignment (bsc#1012628).
- ch_ktls: do not send snd_una update to TCB in middle
  (bsc#1012628).
- ch_ktls: tcb close causes tls connection failure (bsc#1012628).
- ch_ktls: fix device connection close (bsc#1012628).
- ch_ktls: Fix kernel panic (bsc#1012628).
- ibmvnic: remove duplicate napi_schedule call in open function
  (bsc#1012628).
- ibmvnic: remove duplicate napi_schedule call in do_reset
  function (bsc#1012628).
- ibmvnic: avoid calling napi_disable() twice (bsc#1012628).
- ia64: tools: remove inclusion of ia64-specific version of
  errno.h header (bsc#1012628).
- ia64: remove duplicate entries in generic_defconfig
  (bsc#1012628).
- ethtool: pause: make sure we init driver stats (bsc#1012628).
- i40e: fix the panic when running bpf in xdpdrv mode
  (bsc#1012628).
- ibmvnic: correctly use dev_consume/free_skb_irq (bsc#1012628).
- net: Make tcp_allowed_congestion_control readonly in non-init
  netns (bsc#1012628).
- mm: ptdump: fix build failure (bsc#1012628).
- net: ip6_tunnel: Unregister catch-all devices (bsc#1012628).
- net: sit: Unregister catch-all devices (bsc#1012628).
- net: phy: marvell: fix detection of PHY on Topaz switches
  (bsc#1012628).
- net: davicom: Fix regulator not turned off on failed probe
  (bsc#1012628).
- net/mlx5e: Fix setting of RS FEC mode (bsc#1012628).
- netfilter: nftables: clone set element expression template
  (bsc#1012628).
- netfilter: nft_limit: avoid possible divide error in
  nft_limit_init (bsc#1012628).
- net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta
  (bsc#1012628).
- net: macb: fix the restore of cmp registers (bsc#1012628).
- drm/i915/display/vlv_dsi: Do not skip panel_pwr_cycle_delay
  when disabling the panel (bsc#1012628).
- libbpf: Fix potential NULL pointer dereference (bsc#1012628).
- netfilter: arp_tables: add pre_exit hook for table unregister
  (bsc#1012628).
- netfilter: bridge: add pre_exit hooks for ebtable unregistration
  (bsc#1012628).
- libnvdimm/region: Fix nvdimm_has_flush() to handle
  ND_REGION_ASYNC (bsc#1012628).
- ice: Fix potential infinite loop when using u8 loop counter
  (bsc#1012628).
- netfilter: conntrack: do not print icmpv6 as unknown via /proc
  (bsc#1012628).
- netfilter: flowtable: fix NAT IPv6 offload mangling
  (bsc#1012628).
- ixgbe: fix unbalanced device enable/disable in suspend/resume
  (bsc#1012628).
- ixgbe: Fix NULL pointer dereference in ethtool loopback test
  (bsc#1012628).
- drm/vmwgfx: Make sure we unpin no longer needed buffers
  (bsc#1012628).
- scsi: libsas: Reset num_scatter if libata marks qc as NODATA
  (bsc#1012628).
- riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM"
  (bsc#1012628).
- vfio/pci: Add missing range check in vfio_pci_mmap
  (bsc#1012628).
- arm64: alternatives: Move length validation in
  alternative_{insn, endif} (bsc#1012628).
- arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically
  (bsc#1012628).
- Update config files.
- arm64: fix inline asm in load_unaligned_zeropad() (bsc#1012628).
- drm/i915: Don't zero out the Y plane's watermarks (bsc#1012628).
- readdir: make sure to verify directory entry for legacy
  interfaces too (bsc#1012628).
- dm verity fec: fix misaligned RS roots IO (bsc#1012628).
- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC
  type of devices (bsc#1012628).
- Input: i8042 - fix Pegatron C15B ID entry (bsc#1012628).
- Input: s6sy761 - fix coordinate read bit shift (bsc#1012628).
- net/sctp: fix race condition in sctp_destroy_sock (bsc#1012628).
- lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS
  (bsc#1012628).
- virt_wifi: Return micros for BSS TSF values (bsc#1012628).
- mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
  (bsc#1012628).
- drm/amd/display: Add missing mask for DCN3 (bsc#1012628).
- pcnet32: Use pci_resource_len to validate PCI resource
  (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec seclevel
  (bsc#1012628).
- net: ieee802154: stop dump llsec seclevels for monitors
  (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec devkey
  (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec devkey
  (bsc#1012628).
- net: ieee802154: stop dump llsec devkeys for monitors
  (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec dev (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec dev (bsc#1012628).
- net: ieee802154: stop dump llsec devs for monitors
  (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec key (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec key (bsc#1012628).
- net: ieee802154: stop dump llsec keys for monitors
  (bsc#1012628).
- iwlwifi: add support for Qu with AX201 device (bsc#1012628).
- scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST
  state (bsc#1012628).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (bsc#1012628).
- drm/msm: Fix a5xx/a6xx timestamps (bsc#1012628).
- ARM: omap1: fix building with clang IAS (bsc#1012628).
- ARM: keystone: fix integer overflow warning (bsc#1012628).
- powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO
  (bsc#1012628).
- neighbour: Disregard DEAD dst in neigh_update (bsc#1012628).
- bpf: Take module reference for trampoline in module
  (bsc#1012628).
- gpu/xen: Fix a use after free in xen_drm_drv_init (bsc#1012628).
- net: axienet: allow setups without MDIO (bsc#1012628).
- ASoC: max98373: Added 30ms turn on/off time delay (bsc#1012628).
- ASoC: max98373: Changed amp shutdown register as volatile
  (bsc#1012628).
- xfrm: BEET mode doesn't support fragments for inner packets
  (bsc#1012628).
- iwlwifi: Fix softirq/hardirq disabling in
  iwl_pcie_enqueue_hcmd() (bsc#1012628).
- arc: kernel: Return -EFAULT if copy_to_user() fails
  (bsc#1012628).
- lockdep: Add a missing initialization hint to the "INFO:
  Trying to register non-static key" message (bsc#1012628).
- remoteproc: pru: Fix loading of GNU Binutils ELF (bsc#1012628).
- ARM: dts: Fix moving mmc devices with aliases for omap4 & 5
  (bsc#1012628).
- ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race
  (bsc#1012628).
- ACPI: x86: Call acpi_boot_table_init() after
  acpi_table_upgrade() (bsc#1012628).
- dmaengine: idxd: fix wq cleanup of WQCFG registers
  (bsc#1012628).
- dmaengine: idxd: clear MSIX permission entry on shutdown
  (bsc#1012628).
- dmaengine: plx_dma: add a missing put_device() on error path
  (bsc#1012628).
- dmaengine: Fix a double free in dma_async_device_register
  (bsc#1012628).
- dmaengine: dw: Make it dependent to HAS_IOMEM (bsc#1012628).
- dmaengine: idxd: fix wq size store permission state
  (bsc#1012628).
- dmaengine: idxd: fix opcap sysfs attribute output (bsc#1012628).
- dmaengine: idxd: fix delta_rec and crc size field for completion
  record (bsc#1012628).
- dmaengine: idxd: Fix clobbering of SWERR overflow bit on
  writeback (bsc#1012628).
- gpio: sysfs: Obey valid_mask (bsc#1012628).
- Input: nspire-keypad - enable interrupts only when opened
  (bsc#1012628).
- mtd: rawnand: mtk: Fix WAITRDY break condition and timeout
  (bsc#1012628).
- AMD_SFH: Add DMI quirk table for BIOS-es which don't set the
  activestatus bits (bsc#1012628).
- AMD_SFH: Add sensor_mask module parameter (bsc#1012628).
- AMD_SFH: Removed unused activecontrolstatus member from the
  amd_mp2_dev struct (bsc#1012628).
- commit d57ad55

==== kexec-tools ====
Version update (2.0.20 -> 2.0.21)

- kexec-tools-remove-duplicate-ramdisk-definition.patch:
  Remove duplicate definition of ramdisk (fix ppc build).
- Bump version to 2.0.21
- Drop patches from upstream git:
  * kexec-tools-add-variant-helper-functions.patch
  * kexec-tools-arm64-kexec-allocate-memory-space-avoiding-reserved-regions.patch
  * kexec-tools-arm64-kdump-deal-with-resource-entries-in-proc-iomem.patch
  * kexec-tools-build-multiboot2-for-i386.patch
  * kexec-tools-fix-kexec_file_load-error-handling.patch
  * kexec-tools-reset-getopt-before-falling-back-to-legacy.patch
  * kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch
  * kexec-tools-Remove-duplicated-variable-declarations.patch
- Hardening: Link as PIE (bsc#1185020).

==== kubernetes ====
Version update (1.20.2 -> 1.21.0)
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet

- Remove BuildRequires for Go, bump kubernetes to 1.21.0 and 1.20.5
- add BuildRequires for go >= 1.15.5, to align with kubernetes1.20 package

==== kubernetes1.20 ====
Version update (1.20.2 -> 1.20.6)

- Update to version 1.20.6:
  * azure: fix node public IP not able to fetch issues from IMDS
  * Fix test now that empty struct are tracked in mangaed fields
  * make generated_files
  * Update bazel and dependencies.
  * Update to use cliflag.NamedFlagSets
  * Address comments.
  * Update NodeIPAM wrapper
  * Delete build file based on latest changes.
  * Update extension mechanism and related sample.
  * Address review comments
  * Address review comments
  * Modify integration test to fill CCM test gap
  * Update test
  * Move initialize cloud provider with client builder reference inside controller start func
  * Separate example func and add README.md
  * Separate func
  * Add demonstration of wiring nodeIPAMController config object
  * Remove cloud provider name as input parameter.
  * Fix flag passing in CCM.
  * Use apply to create objects in TestApplyStatus
  * Stop skipping APIService in apply test
  * Stop clearing OpenAPIConfig for kube-aggregator
  * Declare TCP default for service port protocol
  * Add ability to skip OpenAPI handler installation
  * do not tag user created public IPs
  * apf: fix test flake
  * update gogo/protobuf to v1.3.2
  * Fixed describe ingress causing SEGFAULT
  * Update sigs.k8s.io/structured-merge-diff to v4.0.3
  * Stop probing a pod during graceful shutdown
  * apf: handle error from PollImmediateUntil
  * staging/publishing: Set default go version to go1.15.10
  * webhook config manager: HasSynced returns true when the manager is synced with existing webhookconfig objects at startup
  * update metadata-concealment to 1.6 for removing legacy checking
  * slice mirroring controller mirror annotations
  * additional subnet configuration for AWS ELB
  * Revert "Automated cherry pick of #97417: fix azure file secret not found issue"
  * Use the correct volum handle format for GCE regional PD.
  * Increasing maximum number of ports allowed in EndpointSlice
  * Support > 5 ports in L4 ILB.
  * build: Update to k/repo-infra@v0.1.5 (supports go1.15.10)
  * Use go-runner:v2.3.1-go1.15.10-buster.0 image (built on go1.15.10)
  * Update to go1.15.10
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.5
  * fix a bug where only service with less than 100 ports can have GCE load balancer
  * bazel
  * deepcopy statefulsets
  * full deepcopy on munged pod spec
  * remove pod toleration toleration seconds mutation
  * add markers for inspected validation mutation hits
  * move secret mutation from validation to prepareforupdate
  * remove unnecessary mutations in validation
  * tweak validation to avoid mutation
  * For LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP
  * Moving docker options to daemon.json
  * e2e fix: loosen configmap to 10 in resource quota
  * api-server add --lease-max-object-count
  * apiserver add metric etcd_lease_object_counts
  * apiserver add --lease-reuse-duration-seconds to config lease reuse duration
  * Bump Cluster Autoscaler to v1.20.0
- Rebase opensuse-version-checks.patch
- Update to version 1.20.5:
  * Updating EndpointSliceMirroring controller to wait for cache to be updated
  * Updating EndpointSlice controller to wait for cache to be updated
  * Add tests for populated volumes
  * Fix comment on getPodVolumeSubpathListFromDisk
  * Fix tests to test for new behavior
  * Add warnings after cleanup back
  * Automatically remove orphaned pod's dangling volumes
  * Count pod overhead as an entity's resource usage
  * Ensure only one LoadBalancer rule is created when HA mode is enabled
  * Fix issue in checking domain socket for plugin watcher
  * Use Lstat in plugin watcher to avoid Windows problem
  * Skip visiting empty secret and configmap names
  * Number of sockets is assumed to be same as NUMA nodes
  * disables APF if the aggregated apiserver cannot locate the core kube-apiserver
  * Fix repeatedly aquire the inhibit lock
  * Sync node status during kubelet node shutdown
  * remove executable permission bits
  * Upgrading vendored dependencies
  * Upgrading cAdvisor to 0.38.8
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.4
  * build/OWNERS: Add Dan and Sascha as reviewers
  * OWNERS(CHANGELOG): Move reviewers/approvers to CHANGELOG/ dir
  * Bump konnectivity-client to v0.0.15 in release-1.20
  * Storage e2e: Remove pd csi driver installation in GKE
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.3
  * kube-cross: update image to use v1.15.8-legacy-1
  * [go1.15] build: Update to k/repo-infra@v0.1.4 (supports go1.15.8)
  * Use go-runner:buster-v2.3.1 image (built on go1.15.8)
  * staging/publishing: Set default go version to go1.15.8
  * Update to go1.15.8
  * Fix dbus shutdown events not continuing if they are not valid
  * Revert "make hostPort match test linuxonly"
  * Revert "conformance changes"
  * kube-proxy: clear conntrack entries after rules are in place
  * Use -LiteralPath instead of -Path
  * Escape the special character in vsphere windows path
  * Include unit test
  * Adjust defer to correctly call
  * do not remove volume dir when saveVolumeData fails
  * kubeadm: drop explicit constant override in version test
  * kubeadm: get k8s CI version markers from k8s infra bucket
  * dockershim hostport respect IPFamily
  * dockershim hostport manager use HostIP
  * Balance nodes in scheduling e2e
  * e2e: Pod should avoid nodes that have avoidPod annotation: clean remaining pods
  * Cherry pick of #98254:Fix the kube-scheduler binary's description of the --config parameter is inaccurate
  * fix kube-scheduler cannot send event because the Note field is too large
  * Fix nil pointer dereference in disruption controller
  * Update region_pd e2e test to support PV have GA topology
  * Recover CSI volumes from dangling attachments
  * IsVolumeAttachedToNode() renamed to GetAttachState(), and returns 3 states instead of combining "uncertain" and "detached" into "false"
  * Fixes Attach Detach Controller reconciler race reading ActualStateOfWorld and operation pending states; fixes reconciler_test mock detach to account for multiple attaches on a node
  * Fix translation of Cinder storage classess to CSI
  * OWNERS(CHANGELOG): Add release-engineering-reviewers as reviewers
  * OWNERS(CHANGELOG): Add release-engineering-reviewers as approvers
  * Resolve IP addresses of host-only in filtered dialer
  * Deflake ingress updates
  * make podTopologyHints protected by lock
  * ignore cgroup driver check in windows node upgrade
  * OWNERS(sig-release): Add CHANGELOG aliases
  * OWNERS(build-image): Add Release Managers as reviewers
  * OWNERS(releng): Sync Release Managers
  * OWNERS(sig-release): Remove SIG Release approvers alias
  * aggregate errors when putting vmss
  * fix azure file migration issue
  * kubelet: Fix mirrorPodTerminationMap leak
  * kubelet: Delete static pods gracefully
  * kubeadm: change the default image repository for CI images from gcr.io/kubernetes-ci-images to gcr.io/k8s-staging-ci-images
  * kubelet logs print 'kubelet nodes sync' frequently
  * reduce buckets for etcd_request_duration_seconds
  * Merge pull request #96876 from howieyuen/no-execute-taint-missing
  * cleanup subnet in frontend ip configs
  * conformance changes
  * make hostPort match test linuxonly
  * Clean up namespaced children of missing virtual parents with incorrectly cluster-scoped nodes
  * Add unit test for child scope mismatch with missing parent
  * vendor: update cAdvisor to v0.38.7
  * Use volumeHandle as PV name when translating EBS inline volume
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.2
  * kubectl-convert import known versions
  * Revert "Merge pull request #92817 from kmala/kubelet"
  * WIP: node sync at least once
  * fixes nil panic for nil delegated auth options
  * Lower the frequency of volume plugin deprecation warning
  * handle webhook authenticator and authorizer error
  * fix the panic when kubelet registers if a node object already exists with no Status.Capacity or Status.Allocatable
  * Avoid checking the entire backend service URL for FR equality.
  * Use non privileged ports

==== libgcrypt ====
Version update (1.9.2 -> 1.9.3)

- libgcrypt 1.9.3:
  * Bug fixes:
  - Fix build problems on i386 using gcc-4.7.
  - Fix checksum calculation in OCB decryption for AES on s390.
  - Fix a regression in gcry_mpi_ec_add related to certain usages
    of curve 25519.
  - Fix a symbol not found problem on Apple M1.
  - Fix for Apple iOS getentropy peculiarity.
  - Make keygrip computation work for compressed points.
  * Performance:
  - Add x86_64 VAES/AVX2 accelerated implementation of Camellia.
  - Add x86_64 VAES/AVX2 accelerated implementation of AES.
  - Add VPMSUMD acceleration for GCM mode on PPC.
  * Internal changes.
  - Harden MPI conditional code against EM leakage.
  - Harden Elgamal by introducing exponent blinding.

==== lvm2 ====
Subpackages: liblvm2cmd2_03

- Honor lvm.conf event_activation=0 on "pvscan --cache -aay" (bsc#1185190)
  + bug-1185190_01-pvscan-support-disabled-event_activation.patch
  + bug-1185190_02-config-improve-description-for-event_activation.patch
- LVM cannot be disabled on boot (bsc#1184687)
  + bug-1184687_Add-nolvm-for-kernel-cmdline.patch
- Update patch for avoiding apply warning message
  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
- Add metadata-based autoactivation property for VG and LV (bsc#1178680)
  + bug-1178680_add-metadata-based-autoactivation-property-for-VG-an.patch

==== lvm2-device-mapper ====
Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03

- Honor lvm.conf event_activation=0 on "pvscan --cache -aay" (bsc#1185190)
  + bug-1185190_01-pvscan-support-disabled-event_activation.patch
  + bug-1185190_02-config-improve-description-for-event_activation.patch
- LVM cannot be disabled on boot (bsc#1184687)
  + bug-1184687_Add-nolvm-for-kernel-cmdline.patch
- Update patch for avoiding apply warning message
  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
- Add metadata-based autoactivation property for VG and LV (bsc#1178680)
  + bug-1178680_add-metadata-based-autoactivation-property-for-VG-an.patch

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap

- Suggest libdnf-repo-config-zypp explicitly
- Fix dependency on systemd-icon-branding-openSUSE
- Use only kernel-firmware-all instead of kernel-firmware to avoid
  duplicate firmware on the DVD
- spice-vdagent is available on all archs
- hyper-v and open-vm-tools are available on AArch64 as well
- A fresh install does not have xdg-open & friends. Fix by adding xdg-utils
- while there, fix the comment, as they're common tools, but not
  necessarily useful only "during initial setup"
- Add packages to the desktop commons pattern:
  systemd-icons-branding-openSUSE (to list the MicroOS logo on the
  Gnome Settings About page)
- Add packages to the DVD:
  - instead of adding firmware-all, add specific firmware packages for
  common hardware (or at least, for hardware for which we have bugs
  open, see bsc#1184767 and bsc#1184403)
- Add some packages in the DVD:
  - Spice guest driver so graphics works properly out of the box,
  when installing in VMs (mostly for desktops)
  - firmwares so that (wireless mostly, bot also wired) networking
  works in the installer and on the installed system

==== python-M2Crypto ====

- Add no-need-parameterized.patch ... we don't need run-time requirement
  of parameterized package (bsc#1185150).

==== python-MarkupSafe ====

- allow tests to be disabled (still on by default)

==== python-jsonpatch ====
Version update (1.28 -> 1.31)

- update to 1.31:
  * Add support for preserving Unicode charaters
  * remove pypy build

==== rook ====
Version update (1.5.7+git4.gae949004e -> 1.5.10+git4.g309ad2f64)

- Update to v1.5.8
  * Ceph
  * Update Ceph-CSI to v3.2.1 (#7506)
  * Use latest Ceph API for setting dashboard and rgw credentials (#7641)
  * Redact secret info from reconcile diffs in debug logs (#7630)
  * Continue to get available devices if failed to get a device info (#7608)
  * Include RGW pods in list for rescheduling from failed node (#7537)
  * Enforce pg_auto_scaler on rgw pools (#7513)
  * Prevent voluntary mon drain while another mon is failing over (#7442)
  * Avoid restarting all encrypted OSDs on cluster growth (#7489)
  * Set secret type on external cluster script (#7473)
  * Fix init container "expand-encrypted-bluefs" for encrypted OSDs (#7466)
  * Fail pool creation if the sub failure domain is the same as the failure domain (#7284)
  * Set default backend for vault and remove temp key for encrypted OSDs (#7454)

==== suse-module-tools ====
Version update (15.4.0 -> 15.4.1)

- Update to version 15.4.1:
  * dm-crypt requires essiv in SLE15 SP3 (boo#1183063 bsc#1184134 ltc#192244).