systemd/SOURCES/0758-backport-new-mkosi.patch

From ff59ed4492b545e375a03e32877ef6142c2efe67 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 26 Feb 2024 15:34:30 +0100
Subject: [PATCH] backport new mkosi
RHEL-only
Resolves: RHEL-27512
---
mkosi.build | 314 ------------------
mkosi.conf | 39 +++
mkosi.conf.d/05-qemu-mem.conf | 11 +
mkosi.conf.d/10-centos.conf | 10 +
mkosi.conf.d/10-debian.conf | 7 +
mkosi.conf.d/10-extra-search-paths.conf | 7 +
mkosi.conf.d/10-fedora.conf | 7 +
mkosi.conf.d/10-opensuse.conf | 7 +
mkosi.conf.d/10-tools.conf | 8 +
mkosi.conf.d/10-ubuntu.conf | 8 +
mkosi.default.d/10-systemd.conf | 73 ----
mkosi.default.d/arch/10-mkosi.arch | 37 ---
mkosi.default.d/fedora/10-mkosi.fedora | 72 ----
mkosi.default.d/ubuntu/10-mkosi.ubuntu | 70 ----
mkosi.images/base/mkosi.build.chroot | 183 ++++++++++
mkosi.images/base/mkosi.conf | 36 ++
mkosi.images/base/mkosi.conf.d/10-arch.conf | 33 ++
.../base/mkosi.conf.d/10-centos-fedora.conf | 53 ++-
.../base/mkosi.conf.d/10-debian-ubuntu.conf | 46 +--
mkosi.images/base/mkosi.conf.d/10-debian.conf | 11 +
mkosi.images/base/mkosi.conf.d/10-fedora.conf | 9 +
.../base/mkosi.conf.d/10-opensuse.conf | 52 +--
mkosi.images/base/mkosi.conf.d/10-ubuntu.conf | 12 +
.../lib/systemd/system-preset/00-mkosi.preset | 30 ++
.../lib/systemd/system-preset/99-mkosi.preset | 4 +
.../usr/lib/tmpfiles.d/locale.conf | 1 +
mkosi.images/initrd/mkosi.conf | 30 ++
.../initrd/mkosi.conf.d/10-centos.conf | 12 +
.../initrd/mkosi.conf.d/10-default.conf | 12 +
.../initrd/mkosi.conf.d/10-opensuse.conf | 11 +
mkosi.images/initrd/mkosi.postinst | 7 +
mkosi.images/system/mkosi.conf | 52 +++
.../system/mkosi.conf.d/05-initrd.conf | 12 +
mkosi.images/system/mkosi.conf.d/10-arch.conf | 27 ++
.../system/mkosi.conf.d/10-centos-fedora.conf | 33 ++
.../system/mkosi.conf.d/10-centos/mkosi.conf | 8 +
.../usr/lib/repart.d/20-root.conf.d/xfs.conf | 5 +
.../mkosi.repart/10-usr.conf.d/squashfs.conf | 5 +
.../system/mkosi.conf.d/10-debian-amd64.conf | 10 +
.../system/mkosi.conf.d/10-debian-arm64.conf | 10 +
.../system/mkosi.conf.d/10-debian-ubuntu.conf | 30 ++
.../system/mkosi.conf.d/10-fedora.conf | 11 +
.../system/mkosi.conf.d/10-opensuse.conf | 24 ++
.../system/mkosi.conf.d/10-ubuntu.conf | 14 +
mkosi.images/system/mkosi.extra/etc/issue | 2 +
.../mkosi.extra/usr/lib/repart.d/15-swap.conf | 6 +
.../mkosi.extra/usr/lib/repart.d/20-root.conf | 8 +
.../journald.conf.d/50-persistent.conf | 8 +
.../lib/systemd/mkosi-check-and-shutdown.sh | 19 ++
.../system/mkosi-check-and-shutdown.service | 15 +
.../usr/lib/tmpfiles.d/99-mkosi.conf | 3 +
.../share/factory/mkosi/gdbinit.d/systemd.gdb | 3 +
mkosi.images/system/mkosi.finalize | 4 +
mkosi.images/system/mkosi.postinst.chroot | 102 ++++++
mkosi.images/system/mkosi.repart/00-esp.conf | 9 +
mkosi.images/system/mkosi.repart/10-usr.conf | 9 +
.../system/mkosi.repart/11-usr-verity.conf | 7 +
.../mkosi.repart/12-usr-verity-sig.conf | 6 +
mkosi.kernel.config | 286 ++++++++++++++++
mkosi.postinst | 34 --
60 files changed, 1308 insertions(+), 666 deletions(-)
delete mode 100755 mkosi.build
create mode 100644 mkosi.conf
create mode 100644 mkosi.conf.d/05-qemu-mem.conf
create mode 100644 mkosi.conf.d/10-centos.conf
create mode 100644 mkosi.conf.d/10-debian.conf
create mode 100644 mkosi.conf.d/10-extra-search-paths.conf
create mode 100644 mkosi.conf.d/10-fedora.conf
create mode 100644 mkosi.conf.d/10-opensuse.conf
create mode 100644 mkosi.conf.d/10-tools.conf
create mode 100644 mkosi.conf.d/10-ubuntu.conf
delete mode 100644 mkosi.default.d/10-systemd.conf
delete mode 100644 mkosi.default.d/arch/10-mkosi.arch
delete mode 100644 mkosi.default.d/fedora/10-mkosi.fedora
delete mode 100644 mkosi.default.d/ubuntu/10-mkosi.ubuntu
create mode 100755 mkosi.images/base/mkosi.build.chroot
create mode 100644 mkosi.images/base/mkosi.conf
create mode 100644 mkosi.images/base/mkosi.conf.d/10-arch.conf
rename mkosi.default.d/centos_epel/10-mkosi.centos_epel => mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf (67%)
rename mkosi.default.d/debian/10-mkosi.debian => mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf (64%)
create mode 100644 mkosi.images/base/mkosi.conf.d/10-debian.conf
create mode 100644 mkosi.images/base/mkosi.conf.d/10-fedora.conf
rename mkosi.default.d/opensuse/10-mkosi.opensuse => mkosi.images/base/mkosi.conf.d/10-opensuse.conf (65%)
create mode 100644 mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
create mode 100644 mkosi.images/initrd/mkosi.conf
create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-centos.conf
create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-default.conf
create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
create mode 100755 mkosi.images/initrd/mkosi.postinst
create mode 100644 mkosi.images/system/mkosi.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/05-initrd.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-arch.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-fedora.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-opensuse.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
create mode 100644 mkosi.images/system/mkosi.extra/etc/issue
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
create mode 100755 mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
create mode 100644 mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
create mode 100755 mkosi.images/system/mkosi.finalize
create mode 100755 mkosi.images/system/mkosi.postinst.chroot
create mode 100644 mkosi.images/system/mkosi.repart/00-esp.conf
create mode 100644 mkosi.images/system/mkosi.repart/10-usr.conf
create mode 100644 mkosi.images/system/mkosi.repart/11-usr-verity.conf
create mode 100644 mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
create mode 100644 mkosi.kernel.config
delete mode 100755 mkosi.postinst
diff --git a/mkosi.build b/mkosi.build
deleted file mode 100755
index f02a15ad4d..0000000000
--- a/mkosi.build
+++ /dev/null
@@ -1,314 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Simply invoke "mkosi" in the project directory to build an OS image.
-
-ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
-UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
-
-# On Fedora "ld" is (unfortunately — if you ask me) managed via
-# "alternatives". Since we'd like to support building images in environments
-# with only /usr/ around (e.g. mkosi's UsrOnly=1 option), we have the problem
-# that /usr/bin/ld is a symlink that points to a non-existing file in
-# /etc/alternative/ in this mode. Let's work around this for now by manually
-# redirect "ld" to "ld.bfd", i.e. circumventing the /usr/bin/ld symlink.
-if [ ! -x /usr/bin/ld ] && [ -x /usr/bin/ld.bfd ]; then
- mkdir -p "$HOME"/bin
- ln -s /usr/bin/ld.bfd "$HOME"/bin/ld
- PATH="$HOME/bin:$PATH"
-fi
-
-# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
-# as out-of-tree build dir. Otherwise, let's make up our own builddir.
-[ -z "$BUILDDIR" ] && BUILDDIR=build
-
-# Meson uses Python 3 and requires a locale with an UTF-8 character map.
-# Not running under UTF-8 makes the `ninja test` step break with a CodecError.
-# So let's ensure we're running under UTF-8.
-#
-# If our current locale already is UTF-8, then we don't need to do anything:
-if [ "$(locale charmap 2>/dev/null)" != "UTF-8" ] ; then
- # Try using C.UTF-8 locale, if available. This locale is not shipped
- # by upstream glibc, so it's not available in all distros.
- # (In particular, it's not available in Arch Linux.)
- if locale -a | grep -q -E "C.UTF-8|C.utf8"; then
- export LC_CTYPE=C.UTF-8
- # Finally, try something like en_US.UTF-8, which should be
- # available in Arch Linux, but is not present in Debian's
- # minimal image in our mkosi config.
- elif locale -a | grep -q en_US.utf8; then
- export LC_CTYPE=en_US.UTF-8
- else
- # If nothing works, fail early.
- echo "*** Could not find a valid locale that supports UTF-8. ***" >&2
- exit 1
- fi
-fi
-
-# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
-# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
-# the ubuntu script with a symlink to the first bpftool program we can find.
-for bpftool in /usr/lib/linux-tools/*/bpftool; do
- [ -x "$bpftool" ] || continue
- ln -sf "$bpftool" /usr/sbin/bpftool
- break
-done
-
-# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
-# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
-# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
-if [ "$(grep '^ID=' /etc/os-release)" = "ID=\"centos\"" ] && [ "$(grep '^VERSION=' /etc/os-release)" = "VERSION=\"8\"" ]; then
- cp /usr/sbin/bpftool /usr/sbin/bpftool.real
- cat > /usr/sbin/bpftool <<EOF
-#!/bin/sh
-if [ "\$1" = --version ]; then
- echo 5.6.0
-else
- exec /usr/sbin/bpftool.real \$@
-fi
-EOF
- chmod +x /usr/sbin/bpftool
-fi
-
-if [ ! -f "$BUILDDIR"/build.ninja ] ; then
- sysvinit_path=$(realpath /etc/init.d)
-
- init_path=$(realpath /sbin/init 2>/dev/null)
- if [ -z "$init_path" ] ; then
- rootprefix=""
- else
- rootprefix=${init_path%/lib/systemd/systemd}
- rootprefix=/${rootprefix#/}
- fi
-
- meson "$BUILDDIR" \
- -D "sysvinit-path=$sysvinit_path" \
- -D "rootprefix=$rootprefix" \
- -D man=false \
- -D translations=false \
- -D version-tag="${VERSION_TAG}" \
- -D mode=developer \
- -D b_sanitize="${SANITIZERS:-none}" \
- -D install-tests=true \
- -D tests=unsafe \
- -D slow-tests=true \
- -D utmp=true \
- -D hibernate=true \
- -D ldconfig=true \
- -D resolve=true \
- -D efi=true \
- -D tpm=true \
- -D environment-d=true \
- -D binfmt=true \
- -D repart=true \
- -D sysupdate=true \
- -D coredump=true \
- -D pstore=true \
- -D oomd=true \
- -D logind=true \
- -D hostnamed=true \
- -D localed=true \
- -D machined=true \
- -D portabled=true \
- -D sysext=true \
- -D userdb=true \
- -D homed=true \
- -D networkd=true \
- -D timedated=true \
- -D timesyncd=true \
- -D remote=true \
- -D nss-myhostname=true \
- -D nss-mymachines=true \
- -D nss-resolve=true \
- -D nss-systemd=true \
- -D firstboot=true \
- -D randomseed=true \
- -D backlight=true \
- -D vconsole=true \
- -D quotacheck=true \
- -D sysusers=true \
- -D tmpfiles=true \
- -D importd=true \
- -D hwdb=true \
- -D rfkill=true \
- -D xdg-autostart=true \
- -D translations=true \
- -D polkit=true \
- -D acl=true \
- -D audit=true \
- -D blkid=true \
- -D fdisk=true \
- -D kmod=true \
- -D pam=true \
- -D pwquality=true \
- -D microhttpd=true \
- -D libcryptsetup=true \
- -D libcurl=true \
- -D idn=true \
- -D libidn2=true \
- -D qrencode=true \
- -D gcrypt=true \
- -D gnutls=true \
- -D openssl=true \
- -D cryptolib=openssl \
- -D p11kit=true \
- -D libfido2=true \
- -D tpm2=true \
- -D elfutils=true \
- -D zstd=true \
- -D xkbcommon=true \
- -D pcre2=true \
- -D glib=true \
- -D dbus=true \
- -D gnu-efi=true \
- -D kernel-install=true \
- -D analyze=true \
- -D bpf-framework=true
-fi
-
-cd "$BUILDDIR"
-ninja "$@"
-if [ "$WITH_TESTS" = 1 ] ; then
- for id in 1 2 3; do
- getent group $id >/dev/null || echo "g testgroup$id $id -" | ./systemd-sysusers -
- done
-
- if [ -n "$SANITIZERS" ]; then
- export ASAN_OPTIONS="$ASAN_OPTIONS"
- export UBSAN_OPTIONS="$UBSAN_OPTIONS"
- TIMEOUT_MULTIPLIER=3
- else
- TIMEOUT_MULTIPLIER=1
- fi
-
- meson test --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER
-fi
-cd "$SRCDIR"
-
-# Ubuntu Focal is stuck with meson 0.53.0.
-if [ "$(meson -v | cut -d . -f 2)" -gt 53 ] ; then
- meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed
-else
- meson install -C "$BUILDDIR" --no-rebuild --only-changed
-fi
-
-mkdir -p "$DESTDIR"/etc
-
-cat >"$DESTDIR"/etc/issue <<EOF
-\S (built from systemd tree)
-Kernel \r on an \m (\l)
-
-EOF
-
-if [ -n "$IMAGE_ID" ] ; then
- mkdir -p "$DESTDIR"/usr/lib
- sed -n \
- -e '/^IMAGE_ID=/!p' \
- -e "\$aIMAGE_ID=$IMAGE_ID" <"/usr/lib/os-release" >"${DESTDIR}/usr/lib/os-release"
-
- OSRELEASEFILE="$DESTDIR"/usr/lib/os-release
-else
- OSRELEASEFILE=/usr/lib/os-release
-fi
-
-
-if [ -n "$IMAGE_VERSION" ] ; then
- mkdir -p "$DESTDIR"/usr/lib
- sed -n \
- -e '/^IMAGE_VERSION=/!p' \
- -e "\$aIMAGE_VERSION=$IMAGE_VERSION" <$OSRELEASEFILE >"/tmp/os-release.tmp"
-
- cat /tmp/os-release.tmp > "$DESTDIR"/usr/lib/os-release
- rm /tmp/os-release.tmp
-fi
-
-# If $CI_BUILD is set, copy over the CI service which executes a service check
-# after boot and then shuts down the machine
-if [ -n "$CI_BUILD" ]; then
- mkdir -p "$DESTDIR/usr/lib/systemd/system"
- cp -v "$SRCDIR/test/mkosi-check-and-shutdown.service" "$DESTDIR/usr/lib/systemd/system/mkosi-check-and-shutdown.service"
- cp -v "$SRCDIR/test/mkosi-check-and-shutdown.sh" "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
- chmod +x "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
-fi
-
-if [ -n "$SANITIZERS" ]; then
- LD_PRELOAD=$(ldd $BUILDDIR/systemd | grep libasan.so | awk '{print $3}')
-
- mkdir -p "$DESTDIR/etc/systemd/system.conf.d"
-
- cat > "$DESTDIR/etc/systemd/system.conf.d/10-asan.conf" <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
- UBSAN_OPTIONS=$UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
- UBSAN_OPTIONS=$UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-EOF
-
- # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
- # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
- # sanitizer failures appear directly on the user's console.
- mkdir -p "$DESTDIR/etc/systemd/system/systemd-journald.service.d"
-
- cat > "$DESTDIR/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf" <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
- # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
- # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
- # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
- # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
- mkdir -p "$DESTDIR/etc/systemd/system/console-getty.service.d"
-
- cat > "$DESTDIR/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf" <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
-fi
-
-# Make sure services aren't enabled by default on Debian/Ubuntu.
-mkdir -p "$DESTDIR/etc/systemd/system-preset"
-echo "disable *" > "$DESTDIR/etc/systemd/system-preset/99-mkosi.preset"
-
-if [ -d mkosi.kernel/ ]; then
- cd "$SRCDIR/mkosi.kernel"
- mkdir -p "$BUILDDIR/mkosi.kernel"
-
- make O="$BUILDDIR/mkosi.kernel" defconfig
-
- scripts/config \
- --file $BUILDDIR/mkosi.kernel/.config \
- --enable BPF_SYSCALL \
- --enable BPF_JIT \
- --enable BPF_JIT_ALWAYS_ON \
- --enable BPF_JIT_DEFAULT_ON \
- --enable BPF_UNPRIV_DEFAULT_OFF \
- --enable USERMODE_DRIVER \
- --enable BPF_PRELOAD \
- --enable BPF_PRELOAD_UMD \
- --enable BPF_LSM \
- --enable BTRFS_FS \
- --enable BTRFS_FS_POSIX_ACL \
- --enable PSI \
- --enable CGROUPS \
- --enable CGROUP_BPF \
- --enable MEMCG \
- --enable MEMCG_SWAP \
- --enable MEMCG_KMEM
-
- # Make sure all unset options are set to their default value.
- make O="$BUILDDIR/mkosi.kernel" olddefconfig
-
- make O="$BUILDDIR/mkosi.kernel" -j "$(nproc)"
-
- KERNEL_RELEASE="$(make O=$BUILDDIR/mkosi.kernel -s kernelrelease)"
- mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
- make O="$BUILDDIR/mkosi.kernel" INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
- make O="$BUILDDIR/mkosi.kernel" INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
-fi
diff --git a/mkosi.conf b/mkosi.conf
new file mode 100644
index 0000000000..9ec4faf122
--- /dev/null
+++ b/mkosi.conf
@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Images=system
+
+[Output]
+@OutputDirectory=mkosi.output
+BuildDirectory=mkosi.builddir
+CacheDirectory=mkosi.cache
+
+[Content]
+# Prevent ASAN warnings when building the image and ship the real ASAN options prefixed with MKOSI_.
+Environment=ASAN_OPTIONS=verify_asan_link_order=false
+ MKOSI_ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+ MKOSI_UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+
+[Host]
+@Incremental=yes
+@QemuMem=2G
+@RuntimeSize=8G
+ToolsTreePackages=virtiofsd
+KernelCommandLineExtra=systemd.crash_shell
+ systemd.log_level=debug
+ systemd.log_ratelimit_kmsg=0
+ systemd.journald.forward_to_console
+ systemd.journald.max_level_console=warning
+ # Disable the kernel's ratelimiting on userspace logging to kmsg.
+ printk.devkmsg=on
+ # Make sure /sysroot is mounted rw in the initrd.
+ rw
+ # Lower the default device timeout so we get a shell earlier if the root device does
+ # not appear for some reason.
+ systemd.default_device_timeout_sec=10
+ # Make sure no LSMs are enabled by default.
+ apparmor=0
+ selinux=0
+ enforcing=0
+ systemd.early_core_pattern=/core
+ systemd.firstboot=no
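Review bot: The last two entries of `KernelCommandLineExtra=`, `systemd.early_core_pattern=/core` and `systemd.firstboot=no`, are the only ones in the block without an explanatory comment, while every other non-obvious entry above them carries one. A short comment above each, e.g. `# Capture core dumps at /core before systemd-coredump is available.` and `# Skip the interactive first-boot setup so the image boots unattended.`, would keep the block self-documenting and make it clear these are deliberate choices for this development image rather than accidental carry-overs.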
diff --git a/mkosi.conf.d/05-qemu-mem.conf b/mkosi.conf.d/05-qemu-mem.conf
new file mode 100644
index 0000000000..3a6f24a7b0
--- /dev/null
+++ b/mkosi.conf.d/05-qemu-mem.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Arch and CentOS 8 Stream initrds are rather big so we need to give QEMU more memory so the kernel can load
+# them without OOMing.
+
+[Match]
+Distribution=|arch
+Distribution=|centos
+
+[Host]
+@QemuMem=3G
diff --git a/mkosi.conf.d/10-centos.conf b/mkosi.conf.d/10-centos.conf
new file mode 100644
index 0000000000..ae2706c791
--- /dev/null
+++ b/mkosi.conf.d/10-centos.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Distribution]
+@Release=9
+Repositories=epel
+ epel-next
+ hyperscale-packages-main
diff --git a/mkosi.conf.d/10-debian.conf b/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..8674e884fa
--- /dev/null
+++ b/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Distribution]
+@Release=testing
diff --git a/mkosi.conf.d/10-extra-search-paths.conf b/mkosi.conf.d/10-extra-search-paths.conf
new file mode 100644
index 0000000000..bd3cdb1de4
--- /dev/null
+++ b/mkosi.conf.d/10-extra-search-paths.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=build/
+
+[Host]
+ExtraSearchPaths=build/
diff --git a/mkosi.conf.d/10-fedora.conf b/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..006cdeded8
--- /dev/null
+++ b/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Distribution]
+@Release=39
diff --git a/mkosi.conf.d/10-opensuse.conf b/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..832c0d15fb
--- /dev/null
+++ b/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Distribution]
+@Release=tumbleweed
diff --git a/mkosi.conf.d/10-tools.conf b/mkosi.conf.d/10-tools.conf
new file mode 100644
index 0000000000..9d276d43c4
--- /dev/null
+++ b/mkosi.conf.d/10-tools.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=!build/
+SystemdVersion=<254
+
+[Host]
+@ToolsTree=default
diff --git a/mkosi.conf.d/10-ubuntu.conf b/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..b0ebbadd48
--- /dev/null
+++ b/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Distribution]
+@Release=jammy
+Repositories=universe
diff --git a/mkosi.default.d/10-systemd.conf b/mkosi.default.d/10-systemd.conf
deleted file mode 100644
index c144c86816..0000000000
--- a/mkosi.default.d/10-systemd.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-
-[Output]
-Format=gpt_btrfs
-Bootable=yes
-HostonlyInitrd=yes
-# Prevent ASAN warnings when building the image
-Environment=ASAN_OPTIONS=verify_asan_link_order=false
-OutputDirectory=mkosi.output
-
-[Content]
-BuildDirectory=mkosi.builddir
-Cache=mkosi.cache
-SourceFileTransfer=mount
-SourceFileTransferFinal=copy-git-others
-Packages=
- acl
- bash-completion
- coreutils
- diffutils
- dnsmasq
- findutils
- gcc # For sanitizer libraries
- gdb
- grep
- kbd
- kexec-tools
- kmod
- less
- nano
- nftables
- openssl
- python3
- qrencode
- sed
- strace
- tree
- util-linux
- valgrind
- wireguard-tools
- zsh
-
-BuildPackages=
- bc
- binutils
- bison
- clang
- flex
- gcc
- gettext
- git
- gnu-efi
- gperf
- llvm
- make
- meson
- pkgconf
- rpm
- rsync
- tar
- zstd
-
-[Host]
-QemuHeadless=yes
-Netdev=yes
-QemuMem=2G
-ExtraSearchPaths=build/
-
-[Validation]
-Password=
-Autologin=yes
diff --git a/mkosi.default.d/arch/10-mkosi.arch b/mkosi.default.d/arch/10-mkosi.arch
deleted file mode 100644
index 50194b960b..0000000000
--- a/mkosi.default.d/arch/10-mkosi.arch
+++ /dev/null
@@ -1,37 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-# Copyright © 2016 Zeal Jagannatha
-
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
-Distribution=arch
-
-[Content]
-Packages=
- compsize
- dhcp
- gnutls
- iproute
- libbpf
- libfido2
- libmicrohttpd
- libpwquality
- libxkbcommon
- man-db
- openbsd-netcat
- polkit
- quota-tools
- tpm2-tss
- vim
-
-BuildPackages=
- bpf
- docbook-xsl
- libxslt
- linux-api-headers
- pahole
- perl
- python-jinja
- python-lxml
diff --git a/mkosi.default.d/fedora/10-mkosi.fedora b/mkosi.default.d/fedora/10-mkosi.fedora
deleted file mode 100644
index ab230f0b24..0000000000
--- a/mkosi.default.d/fedora/10-mkosi.fedora
+++ /dev/null
@@ -1,72 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
-Distribution=fedora
-Release=37
-
-[Content]
-Packages=
- compsize
- cryptsetup
- dhcp-server
- glib2
- glibc-minimal-langpack
- gnutls
- iproute
- iproute-tc
- libbpf
- libfido2
- libgcrypt
- libmicrohttpd
- libxcrypt
- libxkbcommon
- netcat
- pam
- polkit
- procps-ng
- quota
- tpm2-tss
- vim-common
-
-BuildPackages=
- bpftool
- docbook-xsl
- dwarves
- gnu-efi-devel
- pam-devel
- pkgconfig # pkgconf shim to provide /usr/bin/pkg-config
- pkgconfig(audit)
- pkgconfig(blkid)
- pkgconfig(dbus-1)
- pkgconfig(fdisk)
- pkgconfig(glib-2.0)
- pkgconfig(libacl)
- pkgconfig(libbpf)
- pkgconfig(libcap)
- pkgconfig(libcryptsetup)
- pkgconfig(libcurl)
- pkgconfig(libdw)
- pkgconfig(libfido2)
- pkgconfig(libgcrypt)
- pkgconfig(libidn2)
- pkgconfig(libkmod)
- pkgconfig(libmicrohttpd)
- pkgconfig(libpcre2-8)
- pkgconfig(libqrencode)
- pkgconfig(libseccomp)
- pkgconfig(libselinux)
- pkgconfig(libzstd)
- pkgconfig(mount)
- pkgconfig(openssl)
- pkgconfig(p11-kit-1)
- pkgconfig(pwquality)
- pkgconfig(tss2-esys)
- pkgconfig(tss2-mu)
- pkgconfig(tss2-rc)
- pkgconfig(valgrind)
- pkgconfig(xkbcommon)
- python3dist(jinja2)
- python3dist(lxml)
diff --git a/mkosi.default.d/ubuntu/10-mkosi.ubuntu b/mkosi.default.d/ubuntu/10-mkosi.ubuntu
deleted file mode 100644
index 14f337b7ea..0000000000
--- a/mkosi.default.d/ubuntu/10-mkosi.ubuntu
+++ /dev/null
@@ -1,70 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
-Distribution=ubuntu
-Release=jammy
-Repositories=main,universe
-
-[Content]
-Packages=
- cryptsetup-bin
- fdisk
- iproute2
- isc-dhcp-server
- libbpf0
- libfdisk1
- libfido2-1
- libglib2.0-0
- libidn2-0
- libmicrohttpd12
- libp11-kit0
- libpwquality1
- libqrencode4
- libtss2-dev # Use the -dev package to avoid churn in updating version numbers
- linux-tools-common
- linux-tools-generic
- netcat-openbsd
- policykit-1
- procps
- quota
- xxd
-
-BuildPackages=
- docbook-xsl
- g++
- libacl1-dev
- libaudit-dev
- libblkid-dev
- libbpf-dev
- libbz2-dev
- libcap-dev
- libcryptsetup-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libdw-dev
- libfdisk-dev
- libfido2-dev
- libgcrypt20-dev
- libglib2.0-dev
- libgnutls28-dev
- libidn2-dev
- libiptc-dev
- libkmod-dev
- libmicrohttpd-dev
- libmount-dev
- libp11-kit-dev
- libpam0g-dev
- libpwquality-dev
- libqrencode-dev
- libseccomp-dev
- libsmartcols-dev
- libssl-dev
- libxkbcommon-dev
- libzstd-dev
- pahole
- python3-jinja2
- python3-lxml
- xsltproc
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
new file mode 100755
index 0000000000..ba0c92eef2
--- /dev/null
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -0,0 +1,183 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
+# Simply invoke "mkosi" in the project directory to build an OS image.
+
+# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
+# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
+# an extra tree in the initrd and system image builds.
+DESTDIR="$OUTPUTDIR/systemd"
+
+# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
+# as out-of-tree build dir. Otherwise, let's make up our own builddir.
+[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
+
+# Let's make sure we're using stuff from the build directory first if available there.
+PATH="$BUILDDIR:$PATH"
+export PATH
+
+# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
+# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
+# the ubuntu script with a symlink to the first bpftool program we can find.
+for bpftool in /usr/lib/linux-tools/*/bpftool; do
+ [ -x "$bpftool" ] || continue
+ ln -sf "$bpftool" "$BUILDDIR"/bpftool
+ break
+done
+
+# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
+# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
+# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
+. /usr/lib/os-release
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ cat >"$BUILDDIR"/bpftool <<EOF
+#!/bin/sh
+if [ "\$1" = --version ]; then
+ echo 5.6.0
+else
+ exec /usr/sbin/bpftool \$@
+fi
+EOF
+ chmod +x "$BUILDDIR"/bpftool
+fi
+
+if [ ! -f "$BUILDDIR"/build.ninja ]; then
+ CONFIGURE_OPTS=(
+ -D sysvinit-path="$([[ -d /etc/rc.d/init.d ]] && echo /etc/rc.d/init.d || echo /etc/init.d)"
+ -D man=false
+ -D translations=false
+ -D version-tag="${VERSION_TAG}"
+ -D mode=developer
+ -D b_sanitize="${SANITIZERS:-none}"
+ -D install-tests=true
+ -D tests=unsafe
+ -D slow-tests="${SLOW_TESTS:-false}"
+ -D create-log-dirs=false
+ -D pamconfdir=/usr/lib/pam.d/
+ -D utmp=true
+ -D hibernate=true
+ -D ldconfig=true
+ -D resolve=true
+ -D efi=true
+ -D tpm=true
+ -D environment-d=true
+ -D binfmt=true
+ -D coredump=true
+ -D pstore=true
+ -D oomd=true
+ -D logind=true
+ -D hostnamed=true
+ -D localed=true
+ -D machined=true
+ -D portabled=true
+ -D sysext=true
+ -D userdb=true
+ -D networkd=true
+ -D timedated=true
+ -D timesyncd=true
+ -D nss-myhostname=true
+ -D nss-systemd=true
+ -D firstboot=true
+ -D randomseed=true
+ -D backlight=true
+ -D vconsole=true
+ -D quotacheck=true
+ -D sysusers=true
+ -D tmpfiles=true
+ -D hwdb=true
+ -D rfkill=true
+ -D xdg-autostart=true
+ -D translations=true
+ -D idn=true
+ -D cryptolib=openssl
+ -D kernel-install=true
+ -D analyze=true
+ -D ukify="$([[ "$ID" = "centos" ]] && [[ "$VERSION" = "8" ]] && echo false || echo true)"
+ -D selinux="$([[ "$ID" =~ centos|fedora|opensuse ]] && echo true || echo false)"
+ -D apparmor="$([[ "$ID" =~ ubuntu|debian ]] && echo true || echo false)"
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
+ -D default-keymap="$([[ "$ID" =~ debian|ubuntu ]] && echo "" || echo "us")"
+ -D xenctrl="$([[ "$ID" =~ debian|ubuntu|fedora|opensuse ]] && echo true || echo false)"
+ -D libiptc="$([[ "$ID" =~ debian|ubuntu ]] && echo true || echo false)"
+ -D libcryptsetup-plugins="$([[ "$ID" = "centos" ]] && [[ "$VERSION" = "8" ]] && echo false || echo true)"
+ )
+
+ # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
+ # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
+ # installed in the wrong directory and not be found by cryptsetup. Assume native build.
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
+ CONFIGURE_OPTS+=(
+ -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+ -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
+ )
+ fi
+
+ # Set various uids and gids for which Fedora has "soft static" allocations.
+ # Without this, we would get warning about mismatched sysusers.d entries
+ # between the files that we and Fedora's setup package install.
+ if grep -q '^ID=fedora' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -D adm-gid=4
+ -D audio-gid=63
+ -D cdrom-gid=11
+ -D dialout-gid=18
+ -D disk-gid=6
+ -D input-gid=104
+ -D kmem-gid=9
+ -D kvm-gid=36
+ -D lp-gid=7
+ -D render-gid=105
+ -D sgx-gid=106
+ -D tape-gid=33
+ -D tty-gid=5
+ -D users-gid=100
+ -D utmp-gid=22
+ -D video-gid=39
+ -D wheel-gid=10
+ -D systemd-journal-gid=190
+ -D systemd-network-uid=192
+ -D systemd-resolve-uid=193
+ )
+ fi
+
+ if grep -q '^ID="opensuse' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dbpf-compiler=gcc
+ )
+ fi
+
+ ( set -x; meson setup "$BUILDDIR" "$SRCDIR" --auto-features=enabled "${CONFIGURE_OPTS[@]}" )
+fi
+
+( set -x; ninja -C "$BUILDDIR" "$@" )
+if [ "$WITH_TESTS" = 1 ]; then
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
+fi
+
+( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
+
+# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+if [ -d "${DESTDIR}/boot/loader" ]; then
+ addons_dir="${DESTDIR}/boot/loader/addons"
+elif [ -d "${DESTDIR}/efi/loader" ]; then
+ addons_dir="${DESTDIR}/efi/loader/addons"
+fi
+if [ -n "${addons_dir}" ]; then
+ mkdir -p "${addons_dir}"
+ ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
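Review bot: The generated bpftool wrapper for CentOS Stream 8 passes its arguments through unquoted at `exec /usr/sbin/bpftool \$@`, so any argument containing whitespace or glob characters is re-split by the shell before the real bpftool sees it; inside the heredoc it should read `exec /usr/sbin/bpftool "\$@"`. Two smaller points in the same hunk: `command -v dpkg 2>/dev/null` silences stderr but lets the resolved path leak into the build log, where `command -v dpkg >/dev/null 2>&1` is the usual form; and once `. /usr/lib/os-release` has put `$ID` in scope, the later `grep -q '^ID=fedora' /usr/lib/os-release` and `grep -q '^ID="opensuse'` checks could test `$ID` directly like the neighbouring CONFIGURE_OPTS entries already do. The final ukify calls reference `mkosi.secure-boot.key` and `mkosi.secure-boot.crt` by relative path, which presumably relies on the script running from the source tree under `set -e`; a one-line comment stating that assumption (and that the build aborts if the key pair is absent) would help the next reader.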
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
new file mode 100644
index 0000000000..be8586ce3b
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+
+Packages=
+Packages=
+ kmod
+ less
+ util-linux
+
+BuildPackages=
+ acl
+ binutils
+ clang
+ diffutils
+ gawk
+ gdb
+ gettext
+ git
+ gperf
+ grep
+ lld
+ llvm
+ make
+ meson
+ pkgconf
+ rsync
+ sed
+ strace
+ tar
+ zstd
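Review bot: The empty `Packages=` directly above the populated `Packages=` list is unexplained, and a reader will take it for a stray duplicate; presumably it relies on mkosi's rule that assigning the empty string resets a list setting, so that packages from the top-level mkosi.conf are not inherited into the base image. A one-line comment would make that explicit, e.g. `# Reset any Packages= inherited from the top-level config before listing the base image's own packages.`. The same unexplained pattern appears in mkosi.images/initrd/mkosi.conf (the doubled `Packages=`) and with the empty `BuildPackages=` lines in the initrd and system configs.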
diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000000..385c73979f
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ cryptsetup
+ dbus
+ gnutls
+ libarchive
+ libbpf
+ libfido2
+ libmicrohttpd
+ libnftnl
+ libpwquality
+ libseccomp
+ libxkbcommon
+ openssl
+ qrencode
+ tpm2-tss
+
+BuildPackages=
+ bpf
+ docbook-xsl
+ glib2
+ libxslt
+ linux-api-headers
+ python
+ python-jinja
+ python-lxml
+ python-pefile
+ python-pyelftools
diff --git a/mkosi.default.d/centos_epel/10-mkosi.centos_epel b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
similarity index 67%
rename from mkosi.default.d/centos_epel/10-mkosi.centos_epel
rename to mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
index c09eb41800..d7a135a5c0 100644
--- a/mkosi.default.d/centos_epel/10-mkosi.centos_epel
+++ b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
@@ -1,49 +1,37 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
-Distribution=centos_epel
-
-[Output]
-Format=gpt_xfs
-HostonlyInitrd=no
+[Match]
+Distribution=|centos
+Distribution=|fedora
[Content]
Packages=
- audit
- cryptsetup
- dhcp-server
- glib2
- glibc-minimal-langpack
+ audit-libs
+ cryptsetup-libs
gnutls
- iproute
- iproute-tc
- kernel-modules-extra
+ libarchive
+ libasan
libbpf
libfido2
+ libgcrypt
libmicrohttpd
+ libnftnl
+ libubsan
libxcrypt
libxkbcommon
- netcat
- p11-kit
- pam
- polkit
- procps-ng
- quota
+ openssl-libs
+ qrencode-libs
tpm2-tss
- vim-common
+ util-linux
BuildPackages=
+ pkgconf
bpftool
docbook-xsl
- dwarves
- gnu-efi-devel
+ findutils
libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
libxslt
pam-devel
- perl-interpreter
pkgconfig(audit)
pkgconfig(blkid)
pkgconfig(bzip2)
@@ -52,6 +40,7 @@ BuildPackages=
pkgconfig(glib-2.0)
pkgconfig(gnutls)
pkgconfig(libacl)
+ pkgconfig(libarchive)
pkgconfig(libbpf)
pkgconfig(libcap)
pkgconfig(libcryptsetup)
@@ -60,20 +49,30 @@ BuildPackages=
pkgconfig(libfido2)
pkgconfig(libidn2)
pkgconfig(libkmod)
+ pkgconfig(liblz4)
pkgconfig(libmicrohttpd)
+ pkgconfig(libnftnl)
pkgconfig(libpcre2-8)
pkgconfig(libqrencode)
pkgconfig(libseccomp)
pkgconfig(libselinux)
pkgconfig(libzstd)
pkgconfig(mount)
+ pkgconfig(numa)
+ pkgconfig(openssl)
pkgconfig(openssl)
pkgconfig(p11-kit-1)
pkgconfig(pwquality)
pkgconfig(tss2-esys)
pkgconfig(tss2-mu)
pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
pkgconfig(valgrind)
pkgconfig(xkbcommon)
+ python3
python3dist(jinja2)
python3dist(lxml)
+ python3dist(pefile)
+ python3dist(pyelftools)
+ python3dist(pytest)
+ rpm
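Review bot: `pkgconfig(openssl)` is listed twice in BuildPackages after this change: the added line is immediately followed by the pre-existing identical entry. The duplicate is harmless for dnf but reads like a merge artefact; drop the added `pkgconfig(openssl)` line and keep the existing one.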
diff --git a/mkosi.default.d/debian/10-mkosi.debian b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
similarity index 64%
rename from mkosi.default.d/debian/10-mkosi.debian
rename to mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
index 3eea0c74b9..1d28be30f8 100644
--- a/mkosi.default.d/debian/10-mkosi.debian
+++ b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -1,40 +1,41 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
-Distribution=debian
-Release=testing
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
[Content]
Packages=
- cryptsetup-bin
- fdisk
- iproute2
- isc-dhcp-server
- libbpf0
+ ^libtss2-esys-[0-9\.]+-0$
+ dmsetup
+ libapparmor1
+ libarchive13
+ libfdisk1
libfido2-1
libglib2.0-0
libgnutls30
libidn2-0
+ liblz4-1
libmicrohttpd12
+ libnftnl11
libp11-kit0
libpam0g
libpwquality1
libqrencode4
- libtss2-dev # Use the -dev package to avoid churn in updating version numbers
- netcat-openbsd
- policykit-1
- procps
- quota
- xxd
+ libssl3
+ libip4tc2
+ ^libtss2-mu[0-9\.-]+$
+ libtss2-rc0
+ libtss2-tcti-device0
+ tzdata
BuildPackages=
- bpftool
docbook-xsl
+ dpkg-dev
g++
libacl1-dev
+ libapparmor-dev
+ libarchive-dev
libaudit-dev
libblkid-dev
libbpf-dev
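Review bot: The two regex entries `^libtss2-esys-[0-9\.]+-0$` and `^libtss2-mu[0-9\.-]+$` are the only pattern-matched package names in the tree and carry no explanation, while the removed `libtss2-dev` line did say why it avoided hard-coded versions. Presumably the runtime package names embed the library soversion and the regexes exist to avoid churn when it changes; a comment above the first pattern would preserve that reasoning, e.g. `# The tss2 runtime package names embed the library version, so match them with apt regexes to avoid churn on version bumps.`. If that is the reason, `libtss2-rc0` and `libtss2-tcti-device0` are still pinned by exact name, so the list is inconsistent with itself.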
@@ -52,8 +53,10 @@ BuildPackages=
libidn2-dev
libiptc-dev
libkmod-dev
+ liblz4-dev
libmicrohttpd-dev
libmount-dev
+ libnftnl-dev
libp11-kit-dev
libpam0g-dev
libpwquality-dev
@@ -61,9 +64,14 @@ BuildPackages=
libseccomp-dev
libsmartcols-dev
libssl-dev
+ libtss2-dev
+ libxen-dev
libxkbcommon-dev
libzstd-dev
- pahole
+ python3
python3-jinja2
python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
xsltproc
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/base/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..020b02b61c
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ libbpf1
+
+BuildPackages=
+ bpftool
diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..a8fbce47fb
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+BuildPackages=
+ python3dist(pytest-flakes)
+ pkgconfig(xencontrol)
diff --git a/mkosi.default.d/opensuse/10-mkosi.opensuse b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
similarity index 65%
rename from mkosi.default.d/opensuse/10-mkosi.opensuse
rename to mkosi.images/base/mkosi.conf.d/10-opensuse.conf
index 804213baab..941a50a6d1 100644
--- a/mkosi.default.d/opensuse/10-mkosi.opensuse
+++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
@@ -1,17 +1,20 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image.
-
-[Distribution]
+[Match]
Distribution=opensuse
-Release=tumbleweed
[Content]
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
Packages=
- dbus-1
- glibc-locale-base
+ device-mapper
+ distribution-release
+ docbook-xsl-stylesheets
+ gawk
+ grep
+ gzip
libbpf1
+ libarchive13
libcrypt1
libcryptsetup12
libdw1
@@ -20,22 +23,30 @@ Packages=
libgcrypt20
libglib-2_0-0
libkmod2
- liblz4-1
libmount1
+ libnftnl11
+ libopenssl3
libp11-kit0
libqrencode4
libseccomp2
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
libxkbcommon0
+ libzstd1
pam
+ rsync
+ sed
+ shadow
tpm2-0-tss
- vim
+ xz
BuildPackages=
audit-devel
bpftool
+ cross-bpf-gcc13
dbus-1-devel
- docbook-xsl-stylesheets
- dwarves
fdupes
gcc-c++
glib2-devel
@@ -43,6 +54,7 @@ BuildPackages=
intltool
libacl-devel
libapparmor-devel
+ libarchive-devel
libblkid-devel
libbpf-devel
libbz2-devel
@@ -56,28 +68,28 @@ BuildPackages=
libgcrypt-devel
libgnutls-devel
libkmod-devel
+ liblz4-devel
libmicrohttpd-devel
libmount-devel
+ libnftnl-devel
libpwquality-devel
libseccomp-devel
libselinux-devel
libxkbcommon-devel
libxslt-tools
- liblz4-devel
+ libzstd-devel
openssl-devel
pam-devel
- pcre-devel
pciutils-devel
+ python3
python3-Jinja2
python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ python3-pytest-flakes
qrencode-devel
shadow
- system-group-obsolete
- system-user-bin
- system-user-daemon
- system-user-nobody
- system-user-root
- systemd-sysvinit
timezone
tpm2-0-tss-devel
- zlib-devel
+ xen-devel
diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..717809fd03
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ libbpf0
+
+BuildPackages=
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
new file mode 100644
index 0000000000..070af4c67a
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
new file mode 100644
index 0000000000..710ee7c6f9
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
new file mode 100644
index 0000000000..e1a8e8171a
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
@@ -0,0 +1 @@
+L /etc/default/locale - - - - ../locale.conf
diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf
new file mode 100644
index 0000000000..8e38dc1b78
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Output]
+Format=cpio
+
+[Content]
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+MakeInitrd=yes
+Bootable=no
+BuildPackages=
+
+Packages=
+Packages=
+ gzip
+ systemd
+ udev
+
+# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
+# doesn't end up in the initrd.
+RemoveFiles=
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libstdc++.so*
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
new file mode 100644
index 0000000000..3f92e52300
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Output]
+# TODO: Switch to zstd once we stop building CentOS Stream 8.
+CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
+ tpm2-tools
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf
new file mode 100644
index 0000000000..9224b92dd0
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-default.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=!centos
+Distribution=!opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2-tools
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..5cf2df397e
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2.0-tools
diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/initrd/mkosi.postinst
new file mode 100755
index 0000000000..de610dfeb6
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.postinst
@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"
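Review bot: The comment above the `rm -f` has a typo, "its" should be "it's": `# OpenSUSE insists on blacklisting erofs by default because it's supposedly a legacy filesystem.`. The script runs for every distribution, which is fine because `rm -f` is a no-op where the file does not exist, but the comment could say so to save the next reader checking, e.g. `# Harmless on other distributions: rm -f ignores a missing file.`.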
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
new file mode 100644
index 0000000000..9646bbefde
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Output]
+@Format=directory
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ gzip
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tar
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+BuildPackages=
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
new file mode 100644
index 0000000000..9f21754058
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=!no
+Format=|disk
+Format=|directory
+
+[Config]
+Dependencies=initrd
+
+[Content]
+Initrds=../../mkosi.output/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000000..e1a511c979
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ bpf
+ btrfs-progs
+ compsize
+ dhcp
+ f2fs-tools
+ glib2
+ iproute
+ linux
+ man-db
+ openbsd-netcat
+ openssh
+ pacman
+ polkit
+ python-pefile
+ python-psutil
+ python-pytest
+ python3
+ quota-tools
+ shadow
+ vim
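Review bot: `python3` here does not match the base image config for Arch (mkosi.images/base/mkosi.conf.d/10-arch.conf), which installs `python`; Arch's interpreter package is named `python`, so this line presumably only resolves because pacman honours a `python3` provides entry. Using `python` in both files removes the dependency on that indirection and keeps the two Arch package lists consistent.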
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000000..871186d5ca
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ bpftool
+ cryptsetup
+ dhcp-server
+ dnf
+ glib2
+ integritysetup
+ iproute
+ iproute-tc
+ kernel-core
+ libcap-ng-utils
+ netcat
+ openssh-server
+ openssh-clients
+ p11-kit
+ pam
+ passwd
+ polkit
+ procps-ng
+ python3
+ python3dist(pefile)
+ python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
+ python3dist(psutil)
+ python3dist(pytest)
+ quota
+ vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
new file mode 100644
index 0000000000..146e03a895
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Content]
+Packages=
+ kernel-modules # For squashfs support
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
new file mode 100644
index 0000000000..99b846d3a8
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000000..393d5f038c
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
new file mode 100644
index 0000000000..d3c89f3a8c
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=x86-64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
new file mode 100644
index 0000000000..76a6898111
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=arm64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000000..348bdb2992
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ apt
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ default-dbus-session-bus
+ f2fs-tools
+ fdisk
+ iproute2
+ isc-dhcp-server
+ libcap-ng-utils
+ netcat-openbsd
+ openssh-server
+ openssh-client
+ passwd
+ policykit-1
+ procps
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..5863f03b19
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ btrfs-progs
+ compsize
+ f2fs-tools
+ glibc-langpack-en
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..71434b4560
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ bpftool
+ btrfs-progs
+ cryptsetup
+ dbus-broker
+ f2fs-tools
+ glibc-locale-base
+ kernel-kvmsmall
+ libcap-ng-utils
+ openssh-server
+ openssh-clients
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ shadow
+ vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..b099e79132
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
+ linux-image-generic
+ linux-tools-common
+ linux-tools-generic
+# "orphan_file" is enabled by default in recent versions of mkfs.ext4 but not supported by the Jammy kernel
+# so we explicitly disable it.
+Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue
new file mode 100644
index 0000000000..6aa6fc0ec0
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
new file mode 100644
index 0000000000..3755278462
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000000..71eb9e38c4
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
+Subvolumes=/home /var
+MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
new file mode 100644
index 0000000000..2f953290d3
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000000..9bb246263e
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
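Review bot: The `cmp` calls against `/sys/firmware/efi/efivars/SecureBoot-…` and `SetupMode-…` run for every non-container boot, so a VM started without UEFI firmware, or one where efivarfs is not mounted, fails on a missing file and, because of `-e`, the script exits non-zero before the failed-services check is reached. If that is not meant to count as a test failure, guard the block with `if ! systemd-detect-virt --container && [ -d /sys/firmware/efi/efivars ]; then`. The commented-out `grep` lines also mean the signed/unsigned addon pair produced in mkosi.build.chroot is never asserted on, so the check that an unsigned addon is ignored is currently inert; the TODO comment should say that explicitly rather than leaving the two greps bare.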
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000000..7942cbfa77
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000000..dac79ba4ed
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
new file mode 100644
index 0000000000..26f882bc2b
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
new file mode 100755
index 0000000000..74b810c152
--- /dev/null
+++ b/mkosi.images/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
new file mode 100755
index 0000000000..692242da38
--- /dev/null
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -0,0 +1,102 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ]; then
+ exit 0
+fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+ # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
+ # let's use the new name if it exists.
+ if [ -d /usr/share/authselect/default/local ]; then
+ PROFILE=local
+ else
+ PROFILE=minimal
+ fi
+
+ authselect select "$PROFILE"
+
+ if authselect list-features "$PROFILE" | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+. /usr/lib/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+ alternatives --set python3 /usr/bin/python3.9
+fi
+
+mkdir -p /usr/lib/sysusers.d
+cat >/usr/lib/sysusers.d/testuser.conf <<EOF
+u testuser 4711 "Test User" /home/testuser
+EOF
+mkdir -p /usr/lib/tmpfiles.d
+cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
+q /home/testuser 0700 4711 4711
+EOF
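Review bot: `find / -name '*.service' -type f -exec sed -i …` in the `$SANITIZERS` branch walks the whole chroot, including any pseudo-filesystems or bind mounts present inside it at that point, and rewrites every match in place; the units it needs to touch live in the unit directories, so the walk should be limited to them, e.g. `find /usr/lib/systemd /etc/systemd -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +` (assuming merged-/usr, which covers Debian's /lib path). Since this comments out `MemoryDenyWriteExecute=` and every `SystemCall*=` directive, the inline comment should state that the hardening is dropped intentionally and only for sanitizer builds. Separately, `LD_PRELOAD=$(ldd … | grep libasan.so | awk …)` yields an empty value when the sanitizer runtime is not linked under that name (e.g. a differently named clang runtime), and the drop-ins are then written with a bare `LD_PRELOAD=`; a `[ -n "$LD_PRELOAD" ]` check with a clear error message would fail earlier and louder.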
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000000..4be04661d9
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000000..343761d097
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000000..b4d45dd7ef
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000000..1841d0a6db
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr
diff --git a/mkosi.kernel.config b/mkosi.kernel.config
new file mode 100644
index 0000000000..77657c2240
--- /dev/null
+++ b/mkosi.kernel.config
@@ -0,0 +1,286 @@
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_ATA=y
+CONFIG_AUTOFS_FS=y
+CONFIG_BINFMT_MISC=y
+CONFIG_BLK_CGROUP_IOCOST=y
+CONFIG_BLK_CGROUP_IOLATENCY=y
+CONFIG_BLK_CGROUP_IOPRIO=y
+CONFIG_BLK_CGROUP=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_MD=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_JIT=y
+CONFIG_BPF_LSM=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_BPF=y
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_BTRFS_FS_POSIX_ACL=y
+CONFIG_BTRFS_FS=y
+CONFIG_CFG80211=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_BPF=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_HUGETLB=y
+CONFIG_CGROUP_MISC=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_RDMA=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CGROUPS=y
+CONFIG_CONNECTOR=y
+CONFIG_CPUSETS=y
+CONFIG_CRASH_DUMP=y
+CONFIG_DEBUG_INFO_BTF=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+CONFIG_DM_VERITY=y
+CONFIG_DMI_SYSFS=y
+CONFIG_DMI=y
+CONFIG_EFI_MIXED=y
+CONFIG_EFI_STUB=y
+CONFIG_EFI_ZBOOT=y
+CONFIG_EFI=y
+CONFIG_EROFS_FS=y
+CONFIG_EXPERT=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_FS=y
+CONFIG_HIBERNATION=y
+CONFIG_HIDRAW=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HPET=y
+CONFIG_HUGETLBFS=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_HW_RANDOM=y
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_IKCONFIG=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA=y
+CONFIG_INET=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INPUT_EVDEV=y
+CONFIG_INPUT_MISC=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_MACHINE_KEYRING=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IOSCHED_BFQ=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_ISO9660_FS=y
+CONFIG_KEXEC=y
+CONFIG_KPROBES=y
+CONFIG_KSM=y
+CONFIG_LOAD_UEFI_KEYS=y
+CONFIG_MAC80211=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_MD=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_MEMCG=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULES=y
+CONFIG_MSDOS_FS=y
+CONFIG_NAMESPACES=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_NET_9P=y
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_CLS_CGROUP=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_SCHED=y
+CONFIG_NET=y
+CONFIG_NETCONSOLE=y
+CONFIG_NETDEVICES=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER=y
+CONFIG_NETLABEL=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NF_NAT=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_NO_HZ_FULL=y
+CONFIG_NUMA=y
+CONFIG_NVRAM=y
+CONFIG_PACKET=y
+CONFIG_PARAVIRT=y
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_PERF_EVENTS=y
+CONFIG_PM_DEBUG=y
+CONFIG_PM_TRACE_RTC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_PRINTK_TIME=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROFILING=y
+CONFIG_PSI=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+CONFIG_QUOTA=y
+CONFIG_RFKILL=y
+CONFIG_RTC_CLASS=y
+CONFIG_SATA_AHCI=y
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_SPI_ATTRS=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_SCSI=y
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_PCI=y
+CONFIG_SERIAL_8250=y
+CONFIG_SMP=y
+CONFIG_SWAP=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSVIPC=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_TMPFS=y
+CONFIG_UNIX=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_MON=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB=y
+CONFIG_USER_NS=y
+CONFIG_VFAT_FS=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_INPUT=y
+CONFIG_VIRTIO_NET=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_VSOCKETS=y
+CONFIG_VSOCKETS=y
+CONFIG_WATCHDOG=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_X86_CPUID=y
+CONFIG_X86_MSR=y
+CONFIG_XFRM_USER=y
+CONFIG_XFS_FS=y
+CONFIG_XFS_POSIX_ACL=y
+
+# CONFIG_WIRELESS is not set
+# CONFIG_WLAN is not set
+# CONFIG_INPUT is not set
+# CONFIG_SERIO is not set
+# CONFIG_AGP is not set
+# CONFIG_FB is not set
+# CONFIG_HID is not set
+# CONFIG_NETDEVSIM is not set
+
+# CONFIG_NET_VENDOR_3COM is not set
+# CONFIG_NET_VENDOR_ADAPTEC is not set
+# CONFIG_NET_VENDOR_AGERE is not set
+# CONFIG_NET_VENDOR_ALACRITECH is not set
+# CONFIG_NET_VENDOR_ALTEON is not set
+# CONFIG_NET_VENDOR_AMAZON is not set
+# CONFIG_NET_VENDOR_AMD is not set
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_VENDOR_ASIX is not set
+# CONFIG_NET_VENDOR_ATHEROS is not set
+# CONFIG_NET_VENDOR_BROADCOM is not set
+# CONFIG_NET_VENDOR_CADENCE is not set
+# CONFIG_NET_VENDOR_CAVIUM is not set
+# CONFIG_NET_VENDOR_CHELSIO is not set
+# CONFIG_NET_VENDOR_CISCO is not set
+# CONFIG_NET_VENDOR_CORTINA is not set
+# CONFIG_NET_VENDOR_DAVICOM is not set
+# CONFIG_NET_VENDOR_DEC is not set
+# CONFIG_NET_VENDOR_DLINK is not set
+# CONFIG_NET_VENDOR_EMULEX is not set
+# CONFIG_NET_VENDOR_ENGLEDER is not set
+# CONFIG_NET_VENDOR_EZCHIP is not set
+# CONFIG_NET_VENDOR_FUNGIBLE is not set
+# CONFIG_NET_VENDOR_GOOGLE is not set
+# CONFIG_NET_VENDOR_HUAWE is not set
+# CONFIG_NET_VENDOR_I825XX is not set
+# CONFIG_NET_VENDOR_INTEL is not set
+# CONFIG_NET_VENDOR_LITEX is not set
+# CONFIG_NET_VENDOR_MARVELL is not set
+# CONFIG_NET_VENDOR_MELLANOX is not set
+# CONFIG_NET_VENDOR_MICREL is not set
+# CONFIG_NET_VENDOR_MICROCHIP is not set
+# CONFIG_NET_VENDOR_MICROSEMI is not set
+# CONFIG_NET_VENDOR_MICROSOFT is not set
+# CONFIG_NET_VENDOR_MYRI is not set
+# CONFIG_NET_VENDOR_NI is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_NET_VENDOR_NETERION is not set
+# CONFIG_NET_VENDOR_NETRONOME is not set
+# CONFIG_NET_VENDOR_8390 is not set
+# CONFIG_NET_VENDOR_NVIDIA is not set
+# CONFIG_NET_VENDOR_OKI is not set
+# CONFIG_NET_VENDOR_PACKET_ENGINES is not set
+# CONFIG_NET_VENDOR_PENSANDO is not set
+# CONFIG_NET_VENDOR_QLOGIC is not set
+# CONFIG_NET_VENDOR_BROCADE is not set
+# CONFIG_NET_VENDOR_QUALCOMM is not set
+# CONFIG_NET_VENDOR_RDC is not set
+# CONFIG_NET_VENDOR_REALTEK is not set
+# CONFIG_NET_VENDOR_RENESAS is not set
+# CONFIG_NET_VENDOR_ROCKER is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+# CONFIG_NET_VENDOR_SILA is not set
+# CONFIG_NET_VENDOR_SIS is not set
+# CONFIG_NET_VENDOR_SOLARFLARE is not set
+# CONFIG_NET_VENDOR_SMSC is not set
+# CONFIG_NET_VENDOR_SOCIONEXT is not set
+# CONFIG_NET_VENDOR_STMICRO is not set
+# CONFIG_NET_VENDOR_SUN is not set
+# CONFIG_NET_VENDOR_SYNOPSYS is not set
+# CONFIG_NET_VENDOR_TEHUTI is not set
+# CONFIG_NET_VENDOR_TI is not set
+# CONFIG_NET_VENDOR_VERTEXCOM is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WANGXUN is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+# CONFIG_NET_VENDOR_XILINX is not set
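Review bot: Two of the vendor-disable lines name symbols that do not exist — `# CONFIG_NET_VENDOR_HUAWE is not set` and `# CONFIG_NET_VENDOR_SILA is not set` — and a "not set" line for an unknown symbol is ignored when the fragment is applied (at most with a warning from merge_config.sh), so the Huawei and Silan ethernet drivers keep whatever the base config selects instead of being dropped like the other vendors; the intended lines are `# CONFIG_NET_VENDOR_HUAWEI is not set` and `# CONFIG_NET_VENDOR_SILAN is not set`. The fragment also contradicts itself: it enables CONFIG_INPUT_EVDEV, CONFIG_INPUT_MISC, CONFIG_VIRTIO_INPUT and CONFIG_HIDRAW, then later marks CONFIG_INPUT and CONFIG_HID as not set (and CONFIG_CFG80211/CONFIG_MAC80211 against CONFIG_WIRELESS); which side wins presumably depends on how mkosi merges the fragment, so the dependent options are likely silently dropped, and resolving it one way would make the resulting config reproducible. CONFIG_PROC_KCORE, CONFIG_MAGIC_SYSRQ and CONFIG_MODULE_FORCE_UNLOAD widen the debug surface of the guest kernel, which is fine for a test VM but deserves a header comment such as `# Kernel config fragment for the mkosi test image; debug-oriented options (KCORE, SYSRQ, FORCE_UNLOAD) are intentional and not meant for production kernels.` so nobody reuses the fragment elsewhere by accident.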
diff --git a/mkosi.postinst b/mkosi.postinst
deleted file mode 100755
index fb59d31115..0000000000
--- a/mkosi.postinst
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-if [ "$1" = "final" ]; then
- if command -v bootctl > /dev/null && [ -d "/efi" ]; then
- bootctl install
- fi
-
- cat >> /root/.gdbinit <<EOF
-set debuginfod enabled off
-set build-id-verbose 0
-EOF
-
- if [ -n "$SANITIZERS" ]; then
- # ASAN and syscall filters aren't compatible with each other.
- find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
- # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
- systemctl mask systemd-hwdb-update.service
- fi
-
- # Make sure dnsmasq.service doesn't start on boot on Debian/Ubuntu.
- rm -f /etc/systemd/system/multi-user.target.wants/dnsmasq.service
-fi
-
-# Temporary workaround until https://github.com/openSUSE/suse-module-tools/commit/158643414ddb8d8208016a5f03a4484d58944d7a
-# gets into OpenSUSE repos
-if [ "$1" = "final" ] && grep -q openSUSE /etc/os-release; then
- if [ -e "/usr/lib/systemd/system/boot-sysctl.service" ] && \
- ! grep -F -q 'ConditionPathExists=/boot/sysctl.conf' "/usr/lib/systemd/system/boot-sysctl.service"; then
- mkdir -p "/etc/systemd/system/boot-sysctl.service.d/"
- printf '[Unit]\nConditionPathExists=/boot/sysctl.conf-%%v' >"/etc/systemd/system/boot-sysctl.service.d/99-temporary-workaround.conf"
- fi
-fi