Packages changed:
  cilium (1.7.5 -> 1.7.6)
  installation-images-MicroOS (16.2 -> 16.3)
  libcontainers-common
  microos-tools (2.1 -> 2.2)
  podman (1.9.3 -> 2.0.4)
  python-jsonpatch (1.25 -> 1.26)
  python-pyzmq (19.0.1 -> 19.0.2)
  python-urllib3 (1.25.9 -> 1.25.10)
  setools
  systemd
  xen (4.13.1_04 -> 4.14.0_02)

=== Details ===

==== cilium ====
Version update (1.7.5 -> 1.7.6)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- update to 1.7.6:
  Fixes https://github.com/cilium/cilium/security/advisories/GHSA-9hx8-3wfx-q2vw
  (CVE-2020-8663, CVE-2020-12605, CVE-2020-12604, CVE-2020-12603, bsc#1173559)
  see https://github.com/cilium/cilium/releases/tag/v1.7.6
  * avoid having endpoints in 'restoring' state in case the connectivity with the KVStore is not reliable (Backport PR #12333, Upstream PR #12307, @aanm)
  * bpf: Use nproc --all for __NR_CPUS__ (Backport PR #12363, Upstream PR #12121, @gandro)
  * cilium: fix encryption flow labels in ip6 case (Backport PR #12056, Upstream PR #12015, @jrfastab)
  * Fix bug where etcd session renew would block indefinitely, causing endpoint provision to fail (Backport PR #12333, Upstream PR #12292, @joestringer)
  * Fix bug where identity allocation wouldn't cancel from api timeouts (Backport PR #12350, Upstream PR #12328, @joestringer)
  * Fix setting monitorAggregationLevel to max reflects via CLI (Backport PR #12333, Upstream PR #12014, @soumynathan)
  * Fix silent cilium monitor on systems with offline CPUs (Backport PR #12363, Upstream PR #12310, @pchaigno)
  * Fix syslog hook missing in DefaultLogger (Backport PR #12333, Upstream PR #12170, @ArthurChiao)
  * helm/operator: fix IPv6 liveness probe address for operator (Backport PR #12333, Upstream PR #12223, @Rolinh)
  * iptables: Remove '--nowildcard' from socket match (Backport PR #12333, Upstream PR #12248, @jrajahalme)
  * Istio integration is updated to Istio release 1.5.6. (Backport PR #12333, Upstream PR #12214, @jrajahalme)
  * Istio integration is updated to Istio release 1.5.7. (Backport PR #12357, Upstream PR #12353, @jrajahalme)
  * make: fix LOCKDEBUG env variable reference for docker-plugin-image (Backport PR #12333, Upstream PR #12318, @Rolinh)
  * option: Require native-routing-cidr only if IPv4 is enabled (Backport PR #12354, Upstream PR #12198, @brb)
  * policy/api: Add reserved:health entity (Backport PR #12333, Upstream PR #12199, @pchaigno)
  * stop Cilium from hanging on CNP or CCNP events from Kubernetes if running with 'k8s-event-handover=true' and 'kvstore=""' (Backport PR #12333, Upstream PR #12146, @aanm)
  * The host proxy is updated to Envoy release 1.13.3 (Backport PR #12350, Upstream PR #12343, @jrajahalme)
  * Valid CNP and CCNP 'matchLabel' values must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. (Backport PR #12354, Upstream PR #12117, @aanm)
- 0001-option-mark-keep-bpf-templates-as-deprecated.patch,
  0002-make-remove-the-need-for-go-bindata.patch,
  0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch,
  0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch,
  0005-bpf-re-add-a-proper-types.h-mapper.patch,
  0006-build-Avoid-using-git-if-not-in-a-git-repo.patch,
  0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch,
  0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch,
  0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch,
  0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch: rebase against 1.7.6

==== installation-images-MicroOS ====
Version update (16.2 -> 16.3)

- merge gh#openSUSE/installation-images#398
- Update the environment variable reference (doc/configoptions.md)
- Removed obsolete bin/mk_boot
- Remove unused liveeval option
- 16.3

==== libcontainers-common ====

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

==== microos-tools ====
Version update (2.1 -> 2.2)

- Update to version 2.2
  - tmpfs support got moved to systemd

==== podman ====
Version update (1.9.3 -> 2.0.4)
Subpackages: podman-cni-config

- Update to v2.0.4
  * Fixed a bug where the output of podman image search did not
    populate the Description field as it was mistakenly assigned to
    the ID field.
  * Fixed a bug where podman build - and podman build on an HTTP
    target would fail.
  * Fixed a bug where rootless Podman would improperly chown the
    copied-up contents of anonymous volumes (#7130).
  * Fixed a bug where Podman would sometimes HTML-escape special
    characters in its CLI output.
  * Fixed a bug where the podman start --attach --interactive
    command would print the container ID of the container attached
    to when exiting (#7068).
  * Fixed a bug where podman run --ipc=host --pid=host would only
    set --pid=host and not --ipc=host (#7100).
  * Fixed a bug where the --publish argument to podman run, podman
    create and podman pod create would not allow binding the same
    container port to more than one host port (#7062).
  * Fixed a bug where incorrect arguments to podman images --format
    could cause Podman to segfault.
  * Fixed a bug where podman rmi --force on an image ID with more
    than one name and at least one container using the image would
    not completely remove containers using the image (#7153).
  * Fixed a bug where memory usage in bytes and memory use
    percentage were swapped in the output of podman stats
    --format=json.
  * Fixed a bug where the libpod and compat events endpoints would
    fail if no filters were specified (#7078).
  * Fixed a bug where the CgroupVersion field in responses from the
    compat Info endpoint was prefixed by "v" (instead of just being
    "1" or "2", as is documented).
- Remove obsolete libpod.conf from Package sources
- libpod got renamed to podman on GitHub. Point _service file to
  the new name.
- Remove obsolete old Requires on libcontainers-image and -storage;
  all of that is inside libcontainers-common
- Require a new enough libcontainers-common version to have the
  default containers.conf installed.
- Remove deprecated libpod.conf and create an update notice pointing
  to containers.conf for users who made changes to libpod.conf
- Suggest katacontainers instead of recommending it. It's not
  enabled by default, so it's just bloat
- Update to v2.0.3
  * Fix handling of entrypoint
  * log API: add context to allow for cancelling
  * fix API: Create container with an invalid configuration
  * Remove all instances of named return "err" from Libpod
  * Fix: Correct connection counters for hijacked connections
  * Fix: Hijacking v2 endpoints to follow rfc 7230 semantics
  * Remove hijacked connections from active connections list
  * version/info: format: allow more json variants
  * Correctly print STDOUT on non-terminal remote exec
  * Fix container and pod create commands for remote create
  * Mask out /sys/dev to prevent information leak from the host
  * Ensure sig-proxy default is propagated in start
  * Add SystemdMode to inspect for containers
  * When determining systemd mode, use full command
  * Fix lint
  * Populate remaining unused fields in `pod inspect`
  * Include infra container information in `pod inspect`
  * play-kube: add support for "IfNotPresent" pull type
  * docs: user namespace can't be shared in pods
  * Fix "Error: unrecognized protocol \"TCP\" in port mapping"
  * Error on rootless mac and ip addresses
  * Fix & add notes regarding problematic language in codebase
  * abi: set default umask and rlimits
  * Used reference package with errors for parsing tag
  * fix: system df error when an image has no name
  * Fix Generate API title/description
  * Add noop function disable-content-trust
  * fix play kube doesn't override dockerfile ENTRYPOINT
  * Support default profile for apparmor
  * Bump github.com/containers/common to v0.14.6
  * events endpoint: backwards compat to old type
  * events endpoint: fix panic and race condition
  * Switch references from libpod.conf to containers.conf
  * podman.service: set type to simple
  * podman.service: set doc to podman-system-service
  * podman.service: use default registries.conf
  * podman.service: use default killmode
  * podman.service: remove stop timeout
  * systemd: symlink user->system
  * vendor golang.org/x/text@v0.3.3
  * Fix a bug where --pids-limit was parsed incorrectly
  * search: allow wildcards
  * [CI:DOCS]Do not copy policy.json into gating image
  * Fix systemd pid 1 test
  * Cirrus: Rotate keys post repo. rename
- The libpod.conf(5) man page got removed and all references are
  now pointing towards containers.conf(5), which will be part
  of the libcontainers-common package.
- Update to podman v2.0.2
  * fix race condition in `libpod.GetEvents(...)`
  * Fix bug where `podman mount` didn't error as rootless
  * remove podman system connection
  * Fix imports to ensure v2 is used with libpod
  * Update release notes for v2.0.2
  * specgen: fix order for setting rlimits
  * Ensure umask is set appropriately for 'system service'
  * generate systemd: improve pod-flags filter
  * Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound instead of nil
  * Fixes --remote flag issues
  * Pids-limit should only be set if the user set it
  * Set console mode for windows
  * Allow empty host port in --publish flag
  * Add a note on the APIs supported by `system service`
  * fix: Don't override entrypoint if it's `nil`
  * Set TMPDIR to /var/tmp by default if not set
  * test: add tests for --user and volumes
  * container: move volume chown after spec generation
  * libpod: volume copyup honors namespace mappings
  * Fix `system service` panic from early hangup in events
  * stop podman service in e2e tests
  * Print errors from individual containers in pods
  * auto-update: clarify systemd-unit requirements
  * podman ps truncate the command
  * move go module to v2
  * Vendor containers/common v0.14.4
  * Bump to imagebuilder v1.1.6 on v2 branch
  * Account for non-default port number in image name
- Changes since v2.0.1
  * Update release notes with further v2.0.1 changes
  * Fix inspect to display multiple label: changes
  * Set syslog for exit commands on log-level=debug
  * Friendly amendment for pr 6751
  * podman run/create: support all transports
  * systemd generate: allow manual restart of container units in pods
  * Revert sending --remote flag to containers
  * Print port mappings in `ps` for ctrs sharing network
  * vendor github.com/containers/common@v0.14.3
  * Update release notes for v2.0.1
  * utils: drop default mapping when running uid!=0
  * Set stop signal to 15 when not explicitly set
  * podman untag: error if tag doesn't exist
  * Reformat inspect network settings
  * APIv2: Return `StatusCreated` from volume creation
  * APIv2:fix: Remove `/json` from compat network EPs
  * Fix ssh-agent support
  * libpod: specify mappings to the storage
  * APIv2:doc: Fix swagger doc to refer to volumes
  * Add podman network to bash command completions
  * Fix typo in manpage for `podman auto update`.
  * Add JSON output field for ps
  * V2 podman system connection
  * image load: no args required
  * Re-add PODMAN_USERNS environment variable
  * Fix conflicts between privileged and other flags
  * Bump required go version to 1.13
  * Add explicit command to alpine container in test case.
  * Use POLL_DURATION for timer
  * Stop following logs using timers
  * "pod" was being truncated to "po" in the names of the generated systemd unit files.
  * rootless_linux: improve error message
  * Fix podman build handling of --http-proxy flag
  * correct the absolute path of `rm` executable
  * Makefile: allow customizable GO_BUILD
  * Cirrus: Change DEST_BRANCH to v2.0
- Update to podman v2.0.0
  * The `podman generate systemd` command now supports the `--new`
    flag when used with pods, allowing portable services for pods
    to be created.
  * The `podman play kube` command now supports running Kubernetes
    Deployment YAML.
  * The `podman exec` command now supports the `--detach` flag to
    run commands in the container in the background.
  * The `-p` flag to `podman run` and `podman create` now supports
    forwarding ports to IPv6 addresses.
  * The `podman run`, `podman create` and `podman pod create`
    commands now support a `--replace` flag to remove and replace any
    existing container (or, for `pod create`, pod) with the same name.
  * The `--restart-policy` flag to `podman run` and `podman create`
    now supports the `unless-stopped` restart policy.
  * The `--log-driver` flag to `podman run` and `podman create`
    now supports the `none` driver, which does not log the
    container's output.
  * The `--mount` flag to `podman run` and `podman create` now
    accepts `readonly` option as an alias to `ro`.
  * The `podman generate systemd` command now supports the `--container-prefix`,
    `--pod-prefix`, and `--separator` arguments to control the
    name of generated unit files.
  * The `podman network ls` command now supports the `--filter`
    flag to filter results.
  * The `podman auto-update` command now supports specifying an
    authfile to use when pulling new images on a per-container
    basis using the `io.containers.autoupdate.authfile` label.
  * Fixed a bug where the `podman exec` command would log to journald
    when run in containers logging to journald
    ([#6555](https://github.com/containers/libpod/issues/6555)).
  * Fixed a bug where the `podman auto-update` command would not
    preserve the OS and architecture of the original image when
    pulling a replacement
    ([#6613](https://github.com/containers/libpod/issues/6613)).
  * Fixed a bug where the `podman cp` command could create an extra
    `merged` directory when copying into an existing directory
    ([#6596](https://github.com/containers/libpod/issues/6596)).
  * Fixed a bug where the `podman pod stats` command would crash
    on pods run with `--network=host`
    ([#5652](https://github.com/containers/libpod/issues/5652)).
  * Fixed a bug where container logs written to journald did not
    include the name of the container.
  * Fixed a bug where the `podman network inspect` and
    `podman network rm` commands did not properly handle non-default
    CNI configuration paths ([#6212](https://github.com/containers/libpod/issues/6212)).
  * Fixed a bug where Podman did not properly remove containers
    when using the Kata containers OCI runtime.
  * Fixed a bug where `podman inspect` would sometimes incorrectly
    report the network mode of containers started with `--net=none`.
  * Podman is now better able to deal with cases where `conmon`
    is killed before the container it is monitoring.
- Requires go 1.13 now

==== python-jsonpatch ====
Version update (1.25 -> 1.26)

- update to 1.26:
  * bugfixes (reject invalid json patches)

==== python-pyzmq ====
Version update (19.0.1 -> 19.0.2)

- update to version 19.0.2:
  - Regenerate Cython sources with 0.29.21 in sdists for compatibility with Python 3.9
  - Handle underlying socket being closed in ZMQStream with warning instead of error
  - Improvements to socket cleanup during process teardown
  - Fix debug-builds on Windows
  - Avoid importing ctypes during startup on Windows
  - Documentation improvements
  - Raise ``AttributeError`` instead of ``ZMQError(EINVAL)`` on attempts to read write-only attributes,
    for compatibility with mocking

==== python-urllib3 ====
Version update (1.25.9 -> 1.25.10)

- update to 1.25.10:
  * Added support for ``SSLKEYLOGFILE`` environment variable for
    logging TLS session keys for use with programs like
    Wireshark for decrypting captured web traffic (Pull #1867)
  * Fixed loading of SecureTransport libraries on macOS Big Sur
    due to the new dynamic linker cache (Pull #1905)
  * Collapse chunked request bodies data and framing into one
    call to ``send()`` to reduce the number of TCP packets by 2-4x (Pull #1906)
  * Don't insert ``None`` into ``ConnectionPool`` if the pool
    was empty when requesting a connection (Pull #1866)
  * Avoid ``hasattr`` call in ``BrotliDecoder.decompress()`` (Pull #1858)

==== setools ====

- python3-setools needs python3-networkx

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Restore default upstream tmp.mount (/tmp as tmpfs) behaviour (boo#1173461)

==== xen ====
Version update (4.13.1_04 -> 4.14.0_02)

- Correct license name
  * GPL-3.0+ is now GPL-3.0-or-later
- Upstream bug fixes (bsc#1027519)
  5f1a9916-x86-S3-put-data-sregs-into-known-state.patch
  5f21b9fd-x86-cpuid-APIC-bit-clearing.patch
- Update to Xen 4.14.0 FCS release
  xen-4.14.0-testing-src.tar.bz2
  * Linux stubdomains (contributed by QUBES OS)
  * Control-flow Enforcement Technology (CET) Shadow Stack support (contributed by Citrix)
  * Lightweight VM fork for fuzzing / introspection. (contributed by Intel)
  * Livepatch: buildid and hotpatch stack requirements
  * CONFIG_PV32
  * Hypervisor FS support
  * Running Xen as a Hyper-V Guest
  * Domain ID randomization, persistence across save / restore
  * Golang binding autogeneration
  * KDD support for Windows 7, 8.x and 10
- Dropped patches contained in new tarball
  5eb51be6-cpupool-fix-removing-cpu-from-pool.patch
  5eb51caa-sched-vcpu-pause-flags-atomic.patch
  5ec2a760-x86-determine-MXCSR-mask-always.patch
  5ec50b05-x86-idle-rework-C6-EOI-workaround.patch
  5ec7dcaa-x86-dont-enter-C6-with-in-service-intr.patch
  5ec7dcf6-x86-dont-enter-C3-C6-with-errata.patch
  5ec82237-x86-extend-ISR-C6-workaround-to-Haswell.patch
  5ece1b91-x86-clear-RDRAND-CPUID-bit-on-AMD-fam-15-16.patch
  5ece8ac4-x86-load_system_tables-NMI-MC-safe.patch
  5ed69804-x86-ucode-fix-start-end-update.patch
  5eda60cb-SVM-split-recalc-NPT-fault-handling.patch
  5edf6ad8-ioreq-pending-emulation-server-destruction-race.patch
  5edfbbea-x86-spec-ctrl-CPUID-MSR-defs-for-SRBDS.patch
  5edfbbea-x86-spec-ctrl-mitigate-SRBDS.patch
  5ee24d0e-x86-spec-ctrl-document-SRBDS-workaround.patch
  xsa317.patch
  xsa319.patch
  xsa321-1.patch
  xsa321-2.patch
  xsa321-3.patch
  xsa321-4.patch
  xsa321-5.patch
  xsa321-6.patch
  xsa321-7.patch
  xsa328-1.patch
  xsa328-2.patch
- bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to
  attach on next reboot while it should be live attached
  ignore-ip-command-script-errors.patch
- Enhance libxc.migrate_tracking.patch
  After transfer of domU memory, the target host has to assemble
  the backend devices. Track the time prior to xc_domain_unpause.