From ff59ed4492b545e375a03e32877ef6142c2efe67 Mon Sep 17 00:00:00 2001 
From: Lukas Nykryn Date: Mon, 26 Feb 2024 15:34:30 +0100 Subject: [PATCH] backport new mkosi RHEL-only Resolves: RHEL-27512 --- mkosi.build | 314 ------------------ mkosi.conf | 39 +++ mkosi.conf.d/05-qemu-mem.conf | 11 + mkosi.conf.d/10-centos.conf | 10 + mkosi.conf.d/10-debian.conf | 7 + mkosi.conf.d/10-extra-search-paths.conf | 7 + mkosi.conf.d/10-fedora.conf | 7 + mkosi.conf.d/10-opensuse.conf | 7 + mkosi.conf.d/10-tools.conf | 8 + mkosi.conf.d/10-ubuntu.conf | 8 + mkosi.default.d/10-systemd.conf | 73 ---- mkosi.default.d/arch/10-mkosi.arch | 37 --- mkosi.default.d/fedora/10-mkosi.fedora | 72 ---- mkosi.default.d/ubuntu/10-mkosi.ubuntu | 70 ---- mkosi.images/base/mkosi.build.chroot | 183 ++++++++++ mkosi.images/base/mkosi.conf | 36 ++ mkosi.images/base/mkosi.conf.d/10-arch.conf | 33 ++ .../base/mkosi.conf.d/10-centos-fedora.conf | 53 ++- .../base/mkosi.conf.d/10-debian-ubuntu.conf | 46 +-- mkosi.images/base/mkosi.conf.d/10-debian.conf | 11 + mkosi.images/base/mkosi.conf.d/10-fedora.conf | 9 + .../base/mkosi.conf.d/10-opensuse.conf | 52 +-- mkosi.images/base/mkosi.conf.d/10-ubuntu.conf | 12 + .../lib/systemd/system-preset/00-mkosi.preset | 30 ++ .../lib/systemd/system-preset/99-mkosi.preset | 4 + .../usr/lib/tmpfiles.d/locale.conf | 1 + mkosi.images/initrd/mkosi.conf | 30 ++ .../initrd/mkosi.conf.d/10-centos.conf | 12 + .../initrd/mkosi.conf.d/10-default.conf | 12 + .../initrd/mkosi.conf.d/10-opensuse.conf | 11 + mkosi.images/initrd/mkosi.postinst | 7 + mkosi.images/system/mkosi.conf | 52 +++ .../system/mkosi.conf.d/05-initrd.conf | 12 + mkosi.images/system/mkosi.conf.d/10-arch.conf | 27 ++ .../system/mkosi.conf.d/10-centos-fedora.conf | 33 ++ .../system/mkosi.conf.d/10-centos/mkosi.conf | 8 + .../usr/lib/repart.d/20-root.conf.d/xfs.conf | 5 + .../mkosi.repart/10-usr.conf.d/squashfs.conf | 5 + .../system/mkosi.conf.d/10-debian-amd64.conf | 10 + .../system/mkosi.conf.d/10-debian-arm64.conf | 10 + .../system/mkosi.conf.d/10-debian-ubuntu.conf | 30 ++ 
.../system/mkosi.conf.d/10-fedora.conf | 11 + .../system/mkosi.conf.d/10-opensuse.conf | 24 ++ .../system/mkosi.conf.d/10-ubuntu.conf | 14 + mkosi.images/system/mkosi.extra/etc/issue | 2 + .../mkosi.extra/usr/lib/repart.d/15-swap.conf | 6 + .../mkosi.extra/usr/lib/repart.d/20-root.conf | 8 + .../journald.conf.d/50-persistent.conf | 8 + .../lib/systemd/mkosi-check-and-shutdown.sh | 19 ++ .../system/mkosi-check-and-shutdown.service | 15 + .../usr/lib/tmpfiles.d/99-mkosi.conf | 3 + .../share/factory/mkosi/gdbinit.d/systemd.gdb | 3 + mkosi.images/system/mkosi.finalize | 4 + mkosi.images/system/mkosi.postinst.chroot | 102 ++++++ mkosi.images/system/mkosi.repart/00-esp.conf | 9 + mkosi.images/system/mkosi.repart/10-usr.conf | 9 + .../system/mkosi.repart/11-usr-verity.conf | 7 + .../mkosi.repart/12-usr-verity-sig.conf | 6 + mkosi.kernel.config | 286 ++++++++++++++++ mkosi.postinst | 34 -- 60 files changed, 1308 insertions(+), 666 deletions(-) delete mode 100755 mkosi.build create mode 100644 mkosi.conf create mode 100644 mkosi.conf.d/05-qemu-mem.conf create mode 100644 mkosi.conf.d/10-centos.conf create mode 100644 mkosi.conf.d/10-debian.conf create mode 100644 mkosi.conf.d/10-extra-search-paths.conf create mode 100644 mkosi.conf.d/10-fedora.conf create mode 100644 mkosi.conf.d/10-opensuse.conf create mode 100644 mkosi.conf.d/10-tools.conf create mode 100644 mkosi.conf.d/10-ubuntu.conf delete mode 100644 mkosi.default.d/10-systemd.conf delete mode 100644 mkosi.default.d/arch/10-mkosi.arch delete mode 100644 mkosi.default.d/fedora/10-mkosi.fedora delete mode 100644 mkosi.default.d/ubuntu/10-mkosi.ubuntu create mode 100755 mkosi.images/base/mkosi.build.chroot create mode 100644 mkosi.images/base/mkosi.conf create mode 100644 mkosi.images/base/mkosi.conf.d/10-arch.conf rename mkosi.default.d/centos_epel/10-mkosi.centos_epel => mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf (67%) rename mkosi.default.d/debian/10-mkosi.debian => 
mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf (64%) create mode 100644 mkosi.images/base/mkosi.conf.d/10-debian.conf create mode 100644 mkosi.images/base/mkosi.conf.d/10-fedora.conf rename mkosi.default.d/opensuse/10-mkosi.opensuse => mkosi.images/base/mkosi.conf.d/10-opensuse.conf (65%) create mode 100644 mkosi.images/base/mkosi.conf.d/10-ubuntu.conf create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset create mode 100644 mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf create mode 100644 mkosi.images/initrd/mkosi.conf create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-centos.conf create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-default.conf create mode 100644 mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf create mode 100755 mkosi.images/initrd/mkosi.postinst create mode 100644 mkosi.images/system/mkosi.conf create mode 100644 mkosi.images/system/mkosi.conf.d/05-initrd.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-arch.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-fedora.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-opensuse.conf create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu.conf create mode 100644 mkosi.images/system/mkosi.extra/etc/issue create mode 100644 
mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf create mode 100755 mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf create mode 100644 mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb create mode 100755 mkosi.images/system/mkosi.finalize create mode 100755 mkosi.images/system/mkosi.postinst.chroot create mode 100644 mkosi.images/system/mkosi.repart/00-esp.conf create mode 100644 mkosi.images/system/mkosi.repart/10-usr.conf create mode 100644 mkosi.images/system/mkosi.repart/11-usr-verity.conf create mode 100644 mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf create mode 100644 mkosi.kernel.config delete mode 100755 mkosi.postinst diff --git a/mkosi.build b/mkosi.build deleted file mode 100755 index f02a15ad4d..0000000000 --- a/mkosi.build +++ /dev/null 
@@ -1,314 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: LGPL-2.1-or-later -set -e - -# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Simply invoke "mkosi" in the project directory to build an OS image. - -ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1 -UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 - -# On Fedora "ld" is (unfortunately — if you ask me) managed via -# "alternatives". Since we'd like to support building images in environments -# with only /usr/ around (e.g. mkosi's UsrOnly=1 option), we have the problem -# that /usr/bin/ld is a symlink that points to a non-existing file in -# /etc/alternative/ in this mode. Let's work around this for now by manually -# redirect "ld" to "ld.bfd", i.e. circumventing the /usr/bin/ld symlink. -if [ ! -x /usr/bin/ld ] && [ -x /usr/bin/ld.bfd ]; then - mkdir -p "$HOME"/bin - ln -s /usr/bin/ld.bfd "$HOME"/bin/ld - PATH="$HOME/bin:$PATH" -fi - -# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it -# as out-of-tree build dir. Otherwise, let's make up our own builddir. -[ -z "$BUILDDIR" ] && BUILDDIR=build - -# Meson uses Python 3 and requires a locale with an UTF-8 character map. -# Not running under UTF-8 makes the `ninja test` step break with a CodecError. -# So let's ensure we're running under UTF-8. -# -# If our current locale already is UTF-8, then we don't need to do anything: -if [ "$(locale charmap 2>/dev/null)" != "UTF-8" ] ; then - # Try using C.UTF-8 locale, if available. This locale is not shipped - # by upstream glibc, so it's not available in all distros. - # (In particular, it's not available in Arch Linux.) 
- if locale -a | grep -q -E "C.UTF-8|C.utf8"; then - export LC_CTYPE=C.UTF-8 - # Finally, try something like en_US.UTF-8, which should be - # available in Arch Linux, but is not present in Debian's - # minimal image in our mkosi config. - elif locale -a | grep -q en_US.utf8; then - export LC_CTYPE=en_US.UTF-8 - else - # If nothing works, fail early. - echo "*** Could not find a valid locale that supports UTF-8. ***" >&2 - exit 1 - fi -fi - -# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and -# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override -# the ubuntu script with a symlink to the first bpftool program we can find. -for bpftool in /usr/lib/linux-tools/*/bpftool; do - [ -x "$bpftool" ] || continue - ln -sf "$bpftool" /usr/sbin/bpftool - break -done - -# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the -# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports -# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. 
-if [ "$(grep '^ID=' /etc/os-release)" = "ID=\"centos\"" ] && [ "$(grep '^VERSION=' /etc/os-release)" = "VERSION=\"8\"" ]; then - cp /usr/sbin/bpftool /usr/sbin/bpftool.real - cat > /usr/sbin/bpftool </dev/null) - if [ -z "$init_path" ] ; then - rootprefix="" - else - rootprefix=${init_path%/lib/systemd/systemd} - rootprefix=/${rootprefix#/} - fi - - meson "$BUILDDIR" \ - -D "sysvinit-path=$sysvinit_path" \ - -D "rootprefix=$rootprefix" \ - -D man=false \ - -D translations=false \ - -D version-tag="${VERSION_TAG}" \ - -D mode=developer \ - -D b_sanitize="${SANITIZERS:-none}" \ - -D install-tests=true \ - -D tests=unsafe \ - -D slow-tests=true \ - -D utmp=true \ - -D hibernate=true \ - -D ldconfig=true \ - -D resolve=true \ - -D efi=true \ - -D tpm=true \ - -D environment-d=true \ - -D binfmt=true \ - -D repart=true \ - -D sysupdate=true \ - -D coredump=true \ - -D pstore=true \ - -D oomd=true \ - -D logind=true \ - -D hostnamed=true \ - -D localed=true \ - -D machined=true \ - -D portabled=true \ - -D sysext=true \ - -D userdb=true \ - -D homed=true \ - -D networkd=true \ - -D timedated=true \ - -D timesyncd=true \ - -D remote=true \ - -D nss-myhostname=true \ - -D nss-mymachines=true \ - -D nss-resolve=true \ - -D nss-systemd=true \ - -D firstboot=true \ - -D randomseed=true \ - -D backlight=true \ - -D vconsole=true \ - -D quotacheck=true \ - -D sysusers=true \ - -D tmpfiles=true \ - -D importd=true \ - -D hwdb=true \ - -D rfkill=true \ - -D xdg-autostart=true \ - -D translations=true \ - -D polkit=true \ - -D acl=true \ - -D audit=true \ - -D blkid=true \ - -D fdisk=true \ - -D kmod=true \ - -D pam=true \ - -D pwquality=true \ - -D microhttpd=true \ - -D libcryptsetup=true \ - -D libcurl=true \ - -D idn=true \ - -D libidn2=true \ - -D qrencode=true \ - -D gcrypt=true \ - -D gnutls=true \ - -D openssl=true \ - -D cryptolib=openssl \ - -D p11kit=true \ - -D libfido2=true \ - -D tpm2=true \ - -D elfutils=true \ - -D zstd=true \ - -D xkbcommon=true \ - -D pcre2=true 
\ - -D glib=true \ - -D dbus=true \ - -D gnu-efi=true \ - -D kernel-install=true \ - -D analyze=true \ - -D bpf-framework=true -fi - -cd "$BUILDDIR" -ninja "$@" -if [ "$WITH_TESTS" = 1 ] ; then - for id in 1 2 3; do - getent group $id >/dev/null || echo "g testgroup$id $id -" | ./systemd-sysusers - - done - - if [ -n "$SANITIZERS" ]; then - export ASAN_OPTIONS="$ASAN_OPTIONS" - export UBSAN_OPTIONS="$UBSAN_OPTIONS" - TIMEOUT_MULTIPLIER=3 - else - TIMEOUT_MULTIPLIER=1 - fi - - meson test --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER -fi -cd "$SRCDIR" - -# Ubuntu Focal is stuck with meson 0.53.0. -if [ "$(meson -v | cut -d . -f 2)" -gt 53 ] ; then - meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed -else - meson install -C "$BUILDDIR" --no-rebuild --only-changed -fi - -mkdir -p "$DESTDIR"/etc - -cat >"$DESTDIR"/etc/issue <"${DESTDIR}/usr/lib/os-release" - - OSRELEASEFILE="$DESTDIR"/usr/lib/os-release -else - OSRELEASEFILE=/usr/lib/os-release -fi - - -if [ -n "$IMAGE_VERSION" ] ; then - mkdir -p "$DESTDIR"/usr/lib - sed -n \ - -e '/^IMAGE_VERSION=/!p' \ - -e "\$aIMAGE_VERSION=$IMAGE_VERSION" <$OSRELEASEFILE >"/tmp/os-release.tmp" - - cat /tmp/os-release.tmp > "$DESTDIR"/usr/lib/os-release - rm /tmp/os-release.tmp -fi - -# If $CI_BUILD is set, copy over the CI service which executes a service check -# after boot and then shuts down the machine -if [ -n "$CI_BUILD" ]; then - mkdir -p "$DESTDIR/usr/lib/systemd/system" - cp -v "$SRCDIR/test/mkosi-check-and-shutdown.service" "$DESTDIR/usr/lib/systemd/system/mkosi-check-and-shutdown.service" - cp -v "$SRCDIR/test/mkosi-check-and-shutdown.sh" "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh" - chmod +x "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh" -fi - -if [ -n "$SANITIZERS" ]; then - LD_PRELOAD=$(ldd $BUILDDIR/systemd | grep libasan.so | awk '{print $3}') - - mkdir -p "$DESTDIR/etc/systemd/system.conf.d" - - cat > "$DESTDIR/etc/systemd/system.conf.d/10-asan.conf" < 
"$DESTDIR/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf" < "$DESTDIR/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf" < "$DESTDIR/etc/systemd/system-preset/99-mkosi.preset" - -if [ -d mkosi.kernel/ ]; then - cd "$SRCDIR/mkosi.kernel" - mkdir -p "$BUILDDIR/mkosi.kernel" - - make O="$BUILDDIR/mkosi.kernel" defconfig - - scripts/config \ - --file $BUILDDIR/mkosi.kernel/.config \ - --enable BPF_SYSCALL \ - --enable BPF_JIT \ - --enable BPF_JIT_ALWAYS_ON \ - --enable BPF_JIT_DEFAULT_ON \ - --enable BPF_UNPRIV_DEFAULT_OFF \ - --enable USERMODE_DRIVER \ - --enable BPF_PRELOAD \ - --enable BPF_PRELOAD_UMD \ - --enable BPF_LSM \ - --enable BTRFS_FS \ - --enable BTRFS_FS_POSIX_ACL \ - --enable PSI \ - --enable CGROUPS \ - --enable CGROUP_BPF \ - --enable MEMCG \ - --enable MEMCG_SWAP \ - --enable MEMCG_KMEM - - # Make sure all unset options are set to their default value. - make O="$BUILDDIR/mkosi.kernel" olddefconfig - - make O="$BUILDDIR/mkosi.kernel" -j "$(nproc)" - - KERNEL_RELEASE="$(make O=$BUILDDIR/mkosi.kernel -s kernelrelease)" - mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" - make O="$BUILDDIR/mkosi.kernel" INSTALL_MOD_PATH="$DESTDIR/usr" modules_install - make O="$BUILDDIR/mkosi.kernel" INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install -fi diff --git a/mkosi.conf b/mkosi.conf new file mode 100644 index 0000000000..9ec4faf122 --- /dev/null +++ b/mkosi.conf 
@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Images=system
+
+[Output]
+@OutputDirectory=mkosi.output
+BuildDirectory=mkosi.builddir
+CacheDirectory=mkosi.cache
+
+[Content]
+# Prevent ASAN warnings when building the image and ship the real ASAN options prefixed with MKOSI_.
+Environment=ASAN_OPTIONS=verify_asan_link_order=false
+ MKOSI_ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+ MKOSI_UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+
+[Host]
+@Incremental=yes
+@QemuMem=2G
+@RuntimeSize=8G
+ToolsTreePackages=virtiofsd
+KernelCommandLineExtra=systemd.crash_shell
+ systemd.log_level=debug
+ systemd.log_ratelimit_kmsg=0
+ systemd.journald.forward_to_console
+ systemd.journald.max_level_console=warning
+ # Disable the kernel's ratelimiting on userspace logging to kmsg.
+ printk.devkmsg=on
+ # Make sure /sysroot is mounted rw in the initrd.
+ rw
+ # Lower the default device timeout so we get a shell earlier if the root device does
+ # not appear for some reason.
+ systemd.default_device_timeout_sec=10
+ # Make sure no LSMs are enabled by default.
+ apparmor=0
+ selinux=0
+ enforcing=0
+ systemd.early_core_pattern=/core
+ systemd.firstboot=no
diff --git a/mkosi.conf.d/05-qemu-mem.conf b/mkosi.conf.d/05-qemu-mem.conf
new file mode 100644
index 0000000000..3a6f24a7b0
--- /dev/null
+++ b/mkosi.conf.d/05-qemu-mem.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Arch and CentOS 8 Stream initrds are rather big so we need to give QEMU more memory so the kernel can load
+# them without OOMing.
+
+[Match]
+Distribution=|arch
+Distribution=|centos
+
+[Host]
+@QemuMem=3G
diff --git a/mkosi.conf.d/10-centos.conf b/mkosi.conf.d/10-centos.conf
new file mode 100644
index 0000000000..ae2706c791
--- /dev/null
+++ b/mkosi.conf.d/10-centos.conf
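Review bot: The LSM-disabling entries in KernelCommandLineExtra= carry a comment, but `systemd.crash_shell` and `systemd.early_core_pattern=/core` on the same list do not, and together with `apparmor=0`/`selinux=0`/`enforcing=0` they produce an image that drops to a root shell when PID 1 crashes and writes early core dumps to /core. Since this top-level mkosi.conf applies to every image built from the tree, a comment keeps a future reader from copying the block into a profile that is not a throwaway test VM: `# Debug/test-only: root shell on PID 1 crash, early cores in /core, no LSM enforcement — never ship these.` placed before systemd.crash_shell. A one-line header comment stating that these settings configure development VMs only would serve the same purpose for the file as a whole.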
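Review bot: The comment justifies the extra QEMU memory with "CentOS 8 Stream", but the [Match] section matches every CentOS release, and mkosi.conf.d/10-centos.conf in this same patch defaults to `@Release=9`, so either the comment is stale or the match is wider than the comment claims. If only release 8 needs 3G, add `Release=8` under [Match]; if 9 needs it too (I cannot tell from here), reword to `# Arch and CentOS Stream initrds are rather big, so give QEMU more memory so the kernel can load` so the text and the match agree.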
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Distribution]
+@Release=9
+Repositories=epel
+ epel-next
+ hyperscale-packages-main
diff --git a/mkosi.conf.d/10-debian.conf b/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..8674e884fa
--- /dev/null
+++ b/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Distribution]
+@Release=testing
diff --git a/mkosi.conf.d/10-extra-search-paths.conf b/mkosi.conf.d/10-extra-search-paths.conf
new file mode 100644
index 0000000000..bd3cdb1de4
--- /dev/null
+++ b/mkosi.conf.d/10-extra-search-paths.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=build/
+
+[Host]
+ExtraSearchPaths=build/
diff --git a/mkosi.conf.d/10-fedora.conf b/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..006cdeded8
--- /dev/null
+++ b/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Distribution]
+@Release=39
diff --git a/mkosi.conf.d/10-opensuse.conf b/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..832c0d15fb
--- /dev/null
+++ b/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Distribution]
+@Release=tumbleweed
diff --git a/mkosi.conf.d/10-tools.conf b/mkosi.conf.d/10-tools.conf
new file mode 100644
index 0000000000..9d276d43c4
--- /dev/null
+++ b/mkosi.conf.d/10-tools.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=!build/
+SystemdVersion=<254
+
+[Host]
+@ToolsTree=default
diff --git a/mkosi.conf.d/10-ubuntu.conf b/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..b0ebbadd48
--- /dev/null
+++ b/mkosi.conf.d/10-ubuntu.conf
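Review bot: Repositories= enables three repositories beyond the base CentOS ones (`epel`, `epel-next`, `hyperscale-packages-main`) with no comment saying which packages come from where, so nobody can later tell which of them is still needed, and each extra repository widens the set of sources the image trusts. A comment per entry naming the packages that pull it in — for example `# epel/epel-next: build and runtime deps not in CentOS proper; hyperscale-packages-main: <packages>` — would record that; I cannot fill in the package names from this diff.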
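Review bot: `ExtraSearchPaths=build/` puts a relative directory ahead of the host's tools whenever `build/` exists, and the file does not say why, so a reader cannot tell this from an accident. Presumably the intent is that freshly built systemd tools from the local build are used instead of the host's when running mkosi from the checkout (10-tools.conf in the same patch is the complementary case for `!build/`); a comment such as `# Prefer tools from a local systemd build over the host's; 10-tools.conf covers the no-build case.` makes that explicit, and noting that anything placed in build/ shadows host binaries during image builds is worth one more sentence.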
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Distribution]
+@Release=jammy
+Repositories=universe
diff --git a/mkosi.default.d/10-systemd.conf b/mkosi.default.d/10-systemd.conf
deleted file mode 100644
index c144c86816..0000000000
--- a/mkosi.default.d/10-systemd.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi).
-
-[Output]
-Format=gpt_btrfs
-Bootable=yes
-HostonlyInitrd=yes
-# Prevent ASAN warnings when building the image
-Environment=ASAN_OPTIONS=verify_asan_link_order=false
-OutputDirectory=mkosi.output
-
-[Content]
-BuildDirectory=mkosi.builddir
-Cache=mkosi.cache
-SourceFileTransfer=mount
-SourceFileTransferFinal=copy-git-others
-Packages=
- acl
- bash-completion
- coreutils
- diffutils
- dnsmasq
- findutils
- gcc # For sanitizer libraries
- gdb
- grep
- kbd
- kexec-tools
- kmod
- less
- nano
- nftables
- openssl
- python3
- qrencode
- sed
- strace
- tree
- util-linux
- valgrind
- wireguard-tools
- zsh
-
-BuildPackages=
- bc
- binutils
- bison
- clang
- flex
- gcc
- gettext
- git
- gnu-efi
- gperf
- llvm
- make
- meson
- pkgconf
- rpm
- rsync
- tar
- zstd
-
-[Host]
-QemuHeadless=yes
-Netdev=yes
-QemuMem=2G
-ExtraSearchPaths=build/
-
-[Validation]
-Password=
-Autologin=yes
diff --git a/mkosi.default.d/arch/10-mkosi.arch b/mkosi.default.d/arch/10-mkosi.arch
deleted file mode 100644
index 50194b960b..0000000000
--- a/mkosi.default.d/arch/10-mkosi.arch
+++ /dev/null
@@ -1,37 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later -# -# Copyright © 2016 Zeal Jagannatha - -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] -Distribution=arch - -[Content] -Packages= - compsize - dhcp - gnutls - iproute - libbpf - libfido2 - libmicrohttpd - libpwquality - libxkbcommon - man-db - openbsd-netcat - polkit - quota-tools - tpm2-tss - vim - -BuildPackages= - bpf - docbook-xsl - libxslt - linux-api-headers - pahole - perl - python-jinja - python-lxml diff --git a/mkosi.default.d/fedora/10-mkosi.fedora b/mkosi.default.d/fedora/10-mkosi.fedora deleted file mode 100644 index ab230f0b24..0000000000 --- a/mkosi.default.d/fedora/10-mkosi.fedora +++ /dev/null 
@@ -1,72 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] -Distribution=fedora -Release=37 - -[Content] -Packages= - compsize - cryptsetup - dhcp-server - glib2 - glibc-minimal-langpack - gnutls - iproute - iproute-tc - libbpf - libfido2 - libgcrypt - libmicrohttpd - libxcrypt - libxkbcommon - netcat - pam - polkit - procps-ng - quota - tpm2-tss - vim-common - -BuildPackages= - bpftool - docbook-xsl - dwarves - gnu-efi-devel - pam-devel - pkgconfig # pkgconf shim to provide /usr/bin/pkg-config - pkgconfig(audit) - pkgconfig(blkid) - pkgconfig(dbus-1) - pkgconfig(fdisk) - pkgconfig(glib-2.0) - pkgconfig(libacl) - pkgconfig(libbpf) - pkgconfig(libcap) - pkgconfig(libcryptsetup) - pkgconfig(libcurl) - pkgconfig(libdw) - pkgconfig(libfido2) - pkgconfig(libgcrypt) - pkgconfig(libidn2) - pkgconfig(libkmod) - pkgconfig(libmicrohttpd) - pkgconfig(libpcre2-8) - pkgconfig(libqrencode) - pkgconfig(libseccomp) - pkgconfig(libselinux) - pkgconfig(libzstd) - pkgconfig(mount) - pkgconfig(openssl) - pkgconfig(p11-kit-1) - pkgconfig(pwquality) - pkgconfig(tss2-esys) - pkgconfig(tss2-mu) - pkgconfig(tss2-rc) - pkgconfig(valgrind) - pkgconfig(xkbcommon) - python3dist(jinja2) - python3dist(lxml) diff --git a/mkosi.default.d/ubuntu/10-mkosi.ubuntu b/mkosi.default.d/ubuntu/10-mkosi.ubuntu deleted file mode 100644 index 14f337b7ea..0000000000 --- a/mkosi.default.d/ubuntu/10-mkosi.ubuntu +++ /dev/null 
@@ -1,70 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] -Distribution=ubuntu -Release=jammy -Repositories=main,universe - -[Content] -Packages= - cryptsetup-bin - fdisk - iproute2 - isc-dhcp-server - libbpf0 - libfdisk1 - libfido2-1 - libglib2.0-0 - libidn2-0 - libmicrohttpd12 - libp11-kit0 - libpwquality1 - libqrencode4 - libtss2-dev # Use the -dev package to avoid churn in updating version numbers - linux-tools-common - linux-tools-generic - netcat-openbsd - policykit-1 - procps - quota - xxd - -BuildPackages= - docbook-xsl - g++ - libacl1-dev - libaudit-dev - libblkid-dev - libbpf-dev - libbz2-dev - libcap-dev - libcryptsetup-dev - libcurl4-openssl-dev - libdbus-1-dev - libdw-dev - libfdisk-dev - libfido2-dev - libgcrypt20-dev - libglib2.0-dev - libgnutls28-dev - libidn2-dev - libiptc-dev - libkmod-dev - libmicrohttpd-dev - libmount-dev - libp11-kit-dev - libpam0g-dev - libpwquality-dev - libqrencode-dev - libseccomp-dev - libsmartcols-dev - libssl-dev - libxkbcommon-dev - libzstd-dev - pahole - python3-jinja2 - python3-lxml - xsltproc diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot new file mode 100755 index 0000000000..ba0c92eef2 --- /dev/null +++ b/mkosi.images/base/mkosi.build.chroot 
@@ -0,0 +1,183 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). +# Simply invoke "mkosi" in the project directory to build an OS image. + +# We don't want to install our build of systemd in the base image, but use it as an extra tree for the +# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as +# an extra tree in the initrd and system image builds. +DESTDIR="$OUTPUTDIR/systemd" + +# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it +# as out-of-tree build dir. Otherwise, let's make up our own builddir. +[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build + +# Let's make sure we're using stuff from the build directory first if available there. +PATH="$BUILDDIR:$PATH" +export PATH + +# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and +# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override +# the ubuntu script with a symlink to the first bpftool program we can find. +for bpftool in /usr/lib/linux-tools/*/bpftool; do + [ -x "$bpftool" ] || continue + ln -sf "$bpftool" "$BUILDDIR"/bpftool + break +done + +# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the +# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports +# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. +. /usr/lib/os-release +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + cat >"$BUILDDIR"/bpftool </. + # It is important to use the right one especially for cryptsetup plugins, otherwise they will be + # installed in the wrong directory and not be found by cryptsetup. Assume native build. 
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then + CONFIGURE_OPTS+=( + -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" + -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" + ) + fi + + # Set various uids and gids for which Fedora has "soft static" allocations. + # Without this, we would get warning about mismatched sysusers.d entries + # between the files that we and Fedora's setup package install. + if grep -q '^ID=fedora' /usr/lib/os-release; then + CONFIGURE_OPTS+=( + -D adm-gid=4 + -D audio-gid=63 + -D cdrom-gid=11 + -D dialout-gid=18 + -D disk-gid=6 + -D input-gid=104 + -D kmem-gid=9 + -D kvm-gid=36 + -D lp-gid=7 + -D render-gid=105 + -D sgx-gid=106 + -D tape-gid=33 + -D tty-gid=5 + -D users-gid=100 + -D utmp-gid=22 + -D video-gid=39 + -D wheel-gid=10 + -D systemd-journal-gid=190 + -D systemd-network-uid=192 + -D systemd-resolve-uid=193 + ) + fi + + if grep -q '^ID="opensuse' /usr/lib/os-release; then + CONFIGURE_OPTS+=( + -Dbpf-compiler=gcc + ) + fi + + ( set -x; meson setup "$BUILDDIR" "$SRCDIR" --auto-features=enabled "${CONFIGURE_OPTS[@]}" ) +fi + +( set -x; ninja -C "$BUILDDIR" "$@" ) +if [ "$WITH_TESTS" = 1 ]; then + if [ -n "$SANITIZERS" ]; then + export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS" + export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS" + TIMEOUT_MULTIPLIER=3 + else + TIMEOUT_MULTIPLIER=1 + fi + + ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER ) +fi + +( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed ) + +# Ensure that side-loaded PE addons are loaded if signed, and ignored if not +if [ -d "${DESTDIR}/boot/loader" ]; then + addons_dir="${DESTDIR}/boot/loader/addons" +elif [ -d "${DESTDIR}/efi/loader" ]; then + addons_dir="${DESTDIR}/efi/loader/addons" +fi +if [ -n "${addons_dir}" ]; then + mkdir -p "${addons_dir}" + ukify --secureboot-private-key mkosi.secure-boot.key 
--secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi" + ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi" +fi diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf new file mode 100644 index 0000000000..be8586ce3b --- /dev/null +++ b/mkosi.images/base/mkosi.conf @@ -0,0 +1,36 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Output] +Format=directory + +[Content] +Bootable=no +CleanPackageMetadata=no + +Packages= +Packages= + kmod + less + util-linux + +BuildPackages= + acl + binutils + clang + diffutils + gawk + gdb + gettext + git + gperf + grep + lld + llvm + make + meson + pkgconf + rsync + sed + strace + tar + zstd diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000000..385c73979f --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-arch.conf @@ -0,0 +1,33 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + cryptsetup + dbus + gnutls + libarchive + libbpf + libfido2 + libmicrohttpd + libnftnl + libpwquality + libseccomp + libxkbcommon + openssl + qrencode + tpm2-tss + +BuildPackages= + bpf + docbook-xsl + glib2 + libxslt + linux-api-headers + python + python-jinja + python-lxml + python-pefile + python-pyelftools diff --git a/mkosi.default.d/centos_epel/10-mkosi.centos_epel b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf similarity index 67% rename from mkosi.default.d/centos_epel/10-mkosi.centos_epel rename to mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf index c09eb41800..d7a135a5c0 100644 --- a/mkosi.default.d/centos_epel/10-mkosi.centos_epel +++ b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf 
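Review bot: The ukify call that produces good.addon.efi signs it with `mkosi.secure-boot.key`/`mkosi.secure-boot.crt` taken relative to the current directory, and nothing checks that the pair exists or that it is the same key mkosi signs the UKI with, so a missing key shows up only as a ukify error under `set -e`, while a different key would make the "good" addon be rejected at boot and the check pass for the wrong reason. A guard before the `if [ -n "${addons_dir}" ]` branch gives a clear failure: `[ -f mkosi.secure-boot.key ] && [ -f mkosi.secure-boot.crt ] || { echo "Secure Boot key pair missing, cannot build signed test addon" >&2; exit 1; }`. Separately, `command -v dpkg 2>/dev/null` in the Debian libdir check redirects stderr but lets the resolved path leak onto stdout of the build; `command -v dpkg >/dev/null` is what is wanted. The bpftool shim heredoc and the meson CONFIGURE_OPTS setup in the middle of this hunk are truncated in this rendering, so I could not review them.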
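Review bot: [Content] has `Packages=` twice in a row; an empty assignment resets the list inherited from earlier configuration, so the second one is a no-op and reads like a paste error. Keep a single `Packages=` followed by the kmod/less/util-linux entries, and if the reset is deliberate say so with a comment such as `# Reset any inherited package list; the base image only carries what is listed here.`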
@@ -1,49 +1,37 @@ # SPDX-License-Identifier: LGPL-2.1-or-later -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] -Distribution=centos_epel - -[Output] -Format=gpt_xfs -HostonlyInitrd=no +[Match] +Distribution=|centos +Distribution=|fedora [Content] Packages= - audit - cryptsetup - dhcp-server - glib2 - glibc-minimal-langpack + audit-libs + cryptsetup-libs gnutls - iproute - iproute-tc - kernel-modules-extra + libarchive + libasan libbpf libfido2 + libgcrypt libmicrohttpd + libnftnl + libubsan libxcrypt libxkbcommon - netcat - p11-kit - pam - polkit - procps-ng - quota + openssl-libs + qrencode-libs tpm2-tss - vim-common + util-linux BuildPackages= + pkgconf bpftool docbook-xsl - dwarves - gnu-efi-devel + findutils libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file. libxslt pam-devel - perl-interpreter pkgconfig(audit) pkgconfig(blkid) pkgconfig(bzip2) @@ -52,6 +40,7 @@ BuildPackages= pkgconfig(glib-2.0) pkgconfig(gnutls) pkgconfig(libacl) + pkgconfig(libarchive) pkgconfig(libbpf) pkgconfig(libcap) pkgconfig(libcryptsetup) @@ -60,20 +49,30 @@ BuildPackages= pkgconfig(libfido2) pkgconfig(libidn2) pkgconfig(libkmod) + pkgconfig(liblz4) pkgconfig(libmicrohttpd) + pkgconfig(libnftnl) pkgconfig(libpcre2-8) pkgconfig(libqrencode) pkgconfig(libseccomp) pkgconfig(libselinux) pkgconfig(libzstd) pkgconfig(mount) + pkgconfig(numa) + pkgconfig(openssl) pkgconfig(openssl) pkgconfig(p11-kit-1) pkgconfig(pwquality) pkgconfig(tss2-esys) pkgconfig(tss2-mu) pkgconfig(tss2-rc) + pkgconfig(tss2-tcti-device) pkgconfig(valgrind) pkgconfig(xkbcommon) + python3 python3dist(jinja2) python3dist(lxml) + python3dist(pefile) + python3dist(pyelftools) + python3dist(pytest) + rpm 
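Review bot: `pkgconfig(openssl)` ends up listed twice in BuildPackages of `10-centos-fedora.conf`: the `@@ -60,20 +49,30 @@` hunk adds it directly above a context line that already names it. The package manager will tolerate the duplicate, but it will confuse the next person maintaining the list; drop the added `pkgconfig(openssl)` line and keep the existing one.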
diff --git a/mkosi.default.d/debian/10-mkosi.debian b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf similarity index 64% rename from mkosi.default.d/debian/10-mkosi.debian rename to mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf index 3eea0c74b9..1d28be30f8 100644 --- a/mkosi.default.d/debian/10-mkosi.debian +++ b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf @@ -1,40 +1,41 @@ # SPDX-License-Identifier: LGPL-2.1-or-later -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] -Distribution=debian -Release=testing +[Match] +Distribution=|debian +Distribution=|ubuntu [Content] Packages= - cryptsetup-bin - fdisk - iproute2 - isc-dhcp-server - libbpf0 + ^libtss2-esys-[0-9\.]+-0$ + dmsetup + libapparmor1 + libarchive13 + libfdisk1 libfido2-1 libglib2.0-0 libgnutls30 libidn2-0 + liblz4-1 libmicrohttpd12 + libnftnl11 libp11-kit0 libpam0g libpwquality1 libqrencode4 - libtss2-dev # Use the -dev package to avoid churn in updating version numbers - netcat-openbsd - policykit-1 - procps - quota - xxd + libssl3 + libip4tc2 + ^libtss2-mu[0-9\.-]+$ + libtss2-rc0 + libtss2-tcti-device0 + tzdata BuildPackages= - bpftool docbook-xsl + dpkg-dev g++ libacl1-dev + libapparmor-dev + libarchive-dev libaudit-dev libblkid-dev libbpf-dev @@ -52,8 +53,10 @@ BuildPackages= libidn2-dev libiptc-dev libkmod-dev + liblz4-dev libmicrohttpd-dev libmount-dev + libnftnl-dev libp11-kit-dev libpam0g-dev libpwquality-dev @@ -61,9 +64,14 @@ BuildPackages= libseccomp-dev libsmartcols-dev libssl-dev + libtss2-dev + libxen-dev libxkbcommon-dev libzstd-dev - pahole + python3 python3-jinja2 python3-lxml + python3-pefile + python3-pyelftools + python3-pytest xsltproc diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/base/mkosi.conf.d/10-debian.conf new file mode 100644 index 0000000000..020b02b61c 
--- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-debian.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian + +[Content] +Packages= + libbpf1 + +BuildPackages= + bpftool diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000000..a8fbce47fb --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +BuildPackages= + python3dist(pytest-flakes) + pkgconfig(xencontrol) diff --git a/mkosi.default.d/opensuse/10-mkosi.opensuse b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf similarity index 65% rename from mkosi.default.d/opensuse/10-mkosi.opensuse rename to mkosi.images/base/mkosi.conf.d/10-opensuse.conf index 804213baab..941a50a6d1 100644 --- a/mkosi.default.d/opensuse/10-mkosi.opensuse +++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf @@ -1,17 +1,20 @@ # SPDX-License-Identifier: LGPL-2.1-or-later -# This is a settings file for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Symlink this file to mkosi.default in the project root directory and invoke "mkosi" to build an OS image. - -[Distribution] +[Match] Distribution=opensuse -Release=tumbleweed [Content] +# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox +# versions don't get installed instead. Packages= - dbus-1 - glibc-locale-base + device-mapper + distribution-release + docbook-xsl-stylesheets + gawk + grep + gzip libbpf1 + libarchive13 libcrypt1 libcryptsetup12 libdw1 
@@ -20,22 +23,30 @@ Packages= libgcrypt20 libglib-2_0-0 libkmod2 - liblz4-1 libmount1 + libnftnl11 + libopenssl3 libp11-kit0 libqrencode4 libseccomp2 + libtss2-esys0 + libtss2-mu0 + libtss2-rc0 + libtss2-tcti-device0 libxkbcommon0 + libzstd1 pam + rsync + sed + shadow tpm2-0-tss - vim + xz BuildPackages= audit-devel bpftool + cross-bpf-gcc13 dbus-1-devel - docbook-xsl-stylesheets - dwarves fdupes gcc-c++ glib2-devel @@ -43,6 +54,7 @@ BuildPackages= intltool libacl-devel libapparmor-devel + libarchive-devel libblkid-devel libbpf-devel libbz2-devel @@ -56,28 +68,28 @@ BuildPackages= libgcrypt-devel libgnutls-devel libkmod-devel + liblz4-devel libmicrohttpd-devel libmount-devel + libnftnl-devel libpwquality-devel libseccomp-devel libselinux-devel libxkbcommon-devel libxslt-tools - liblz4-devel + libzstd-devel openssl-devel pam-devel - pcre-devel pciutils-devel + python3 python3-Jinja2 python3-lxml + python3-pefile + python3-pyelftools + python3-pytest + python3-pytest-flakes qrencode-devel shadow - system-group-obsolete - system-user-bin - system-user-daemon - system-user-nobody - system-user-root - systemd-sysvinit timezone tpm2-0-tss-devel - zlib-devel + xen-devel diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000000..717809fd03 --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + libbpf0 + +BuildPackages= + linux-tools-common + linux-tools-generic diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset new file mode 100644 index 0000000000..070af4c67a --- /dev/null +++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset 
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
new file mode 100644
index 0000000000..710ee7c6f9
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
new file mode 100644
index 0000000000..e1a8e8171a
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
@@ -0,0 +1 @@
+L /etc/default/locale - - - - ../locale.conf
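Review bot: The comment above `disable auditd.service` in `00-mkosi.preset` implies journald is a drop-in replacement, which overstates it: journald only reads the audit records the kernel already emits, it does not load audit rules, and on Fedora/CentOS it is auditd.service itself that loads /etc/audit rules (via augenrules) as far as I know. So with auditd disabled the image runs with no configured audit rules at all, which is acceptable for a test image but should be stated. Suggested wording: `# journald picks up the kernel's audit stream itself; no audit rules are loaded without auditd, which is fine for a test image.`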
diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf new file mode 100644 index 0000000000..8e38dc1b78 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=base + +[Output] +Format=cpio + +[Content] +BaseTrees=../../mkosi.output/base +ExtraTrees=../../mkosi.output/base-systemd +MakeInitrd=yes +Bootable=no +BuildPackages= + +Packages= +Packages= + gzip + systemd + udev + +# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it +# doesn't end up in the initrd. +RemoveFiles= + /usr/lib/libgfortran.so* + /usr/lib/libgo.so* + /usr/lib/libgomp.so* + /usr/lib/libgphobos.so* + /usr/lib/libobjc.so* + /usr/lib/libstdc++.so* diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf new file mode 100644 index 0000000000..3f92e52300 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos + +[Output] +# TODO: Switch to zstd once we stop building CentOS Stream 8. +CompressOutput=xz + +[Content] +Packages=xfsprogs + tpm2-tools diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf new file mode 100644 index 0000000000..9224b92dd0 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-default.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=!centos +Distribution=!opensuse + +[Output] +CompressOutput=zst + +[Content] +Packages=btrfs-progs + tpm2-tools diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000000..5cf2df397e --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf 
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2.0-tools
diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/initrd/mkosi.postinst
new file mode 100755
index 0000000000..de610dfeb6
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.postinst
@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
new file mode 100644
index 0000000000..9646bbefde
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Output]
+@Format=directory
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ gzip
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tar
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+BuildPackages=
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
new file mode 100644
index 0000000000..9f21754058
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=!no
+Format=|disk
+Format=|directory
+
+[Config]
+Dependencies=initrd
+
+[Content]
+Initrds=../../mkosi.output/initrd
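Review bot: `rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"` in `mkosi.images/initrd/mkosi.postinst` has no guard against BUILDROOT being unset or empty; `set -e` does not catch that case, and the script would then quietly target the host's own `/usr/lib/modprobe.d/`. The POSIX form `rm -f "${BUILDROOT:?}/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"` aborts with a message instead. The same applies to `cp … "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi` in `mkosi.images/system/mkosi.finalize` further down, which with an empty BUILDROOT would copy the host's /etc into the host's /usr/share/factory/mkosi. The comment's `its supposedly` should read `it's supposedly`.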
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000000..e1a511c979 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + bpf + btrfs-progs + compsize + dhcp + f2fs-tools + glib2 + iproute + linux + man-db + openbsd-netcat + openssh + pacman + polkit + python-pefile + python-psutil + python-pytest + python3 + quota-tools + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000000..871186d5ca --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,33 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + bpftool + cryptsetup + dhcp-server + dnf + glib2 + integritysetup + iproute + iproute-tc + kernel-core + libcap-ng-utils + netcat + openssh-server + openssh-clients + p11-kit + pam + passwd + polkit + procps-ng + python3 + python3dist(pefile) + python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason. + python3dist(psutil) + python3dist(pytest) + quota + vim-common diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf new file mode 100644 index 0000000000..146e03a895 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos + +[Content] +Packages= + kernel-modules # For squashfs support 
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf new file mode 100644 index 0000000000..99b846d3a8 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support btrfs so we use xfs instead. +[Partition] +Format=xfs diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf new file mode 100644 index 0000000000..393d5f038c --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support erofs so we use squashfs instead. +[Partition] +Format=squashfs diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf new file mode 100644 index 0000000000..d3c89f3a8c --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=x86-64 + +[Content] +Packages= + bpftool + linux-image-cloud-amd64 diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf new file mode 100644 index 0000000000..76a6898111 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=arm64 + +[Content] +Packages= + bpftool + linux-image-cloud-arm64 
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000000..348bdb2992 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + apt + btrfs-progs + cryptsetup-bin + dbus-broker + default-dbus-session-bus + f2fs-tools + fdisk + iproute2 + isc-dhcp-server + libcap-ng-utils + netcat-openbsd + openssh-server + openssh-client + passwd + policykit-1 + procps + python3 + python3-pefile + python3-psutil + python3-pytest + quota + xxd diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000000..5863f03b19 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +Packages= + btrfs-progs + compsize + f2fs-tools + glibc-langpack-en diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000000..71434b4560 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +Packages= + bpftool + btrfs-progs + cryptsetup + dbus-broker + f2fs-tools + glibc-locale-base + kernel-kvmsmall + libcap-ng-utils + openssh-server + openssh-clients + python3 + python3-pefile + python3-psutil + python3-pytest + quota + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000000..b099e79132 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf 
@@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials. + linux-image-generic + linux-tools-common + linux-tools-generic +# "orphan_file" is enabled by default in recent versions of mkfs.ext4 but not supported by the Jammy kernel +# so we explicitly disable it. +Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file" diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue new file mode 100644 index 0000000000..6aa6fc0ec0 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/etc/issue @@ -0,0 +1,2 @@ +\S (built from systemd tree) +Kernel \r on an \m (\l) diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf new file mode 100644 index 0000000000..3755278462 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=swap +SizeMinBytes=100M +SizeMaxBytes=100M diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf new file mode 100644 index 0000000000..71eb9e38c4 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=root +Format=btrfs +SizeMinBytes=1G +Subvolumes=/home /var +MakeDirectories=/home /var diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf new file mode 100644 index 0000000000..2f953290d3 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf 
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000000..9bb246263e
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000000..7942cbfa77
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
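Review bot: The two `cmp` lines in `mkosi-check-and-shutdown.sh` that verify the Secure Boot state need a comment on the byte layout, because `\6\0\0\0\1` is opaque: efivarfs prefixes each variable's data with its 4-byte attribute word (0x00000006 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS) followed here by the 1-byte value, so the check asserts SecureBoot=1 and SetupMode=0. Suggested: `# efivarfs data = 4-byte attribute word (0x6 = BS|RT access) + the 1-byte value; expect SecureBoot=1, SetupMode=0.` On a VM booted without UEFI firmware those files do not exist and `cmp` fails with a generic "No such file" under `-e`; a preceding `[[ -d /sys/firmware/efi/efivars ]] || { echo 'efivars missing: not a UEFI boot, cannot verify Secure Boot' >&2; exit 1; }` makes the failure self-explanatory. The `-eux` options in the shebang are lost if the script is ever run as `bash mkosi-check-and-shutdown.sh`, so a `set -eux` line after the shebang is the more robust spelling.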
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000000..dac79ba4ed
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
new file mode 100644
index 0000000000..26f882bc2b
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
new file mode 100755
index 0000000000..74b810c152
--- /dev/null
+++ b/mkosi.images/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
new file mode 100755
index 0000000000..692242da38
--- /dev/null
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -0,0 +1,102 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ]; then + exit 0 +fi + +if [ -n "$SANITIZERS" ]; then + LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') + + mkdir -p /etc/systemd/system.conf.d + + cat >/etc/systemd/system.conf.d/10-asan.conf </etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf </etc/systemd/system/console-getty.service.d/10-no-vhangup.conf < 50s when built with sanitizers so let's not run it by default. + systemctl mask systemd-hwdb-update.service +fi + +if [ -n "$IMAGE_ID" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_ID=/!p' \ + -e "\$aIMAGE_ID=$IMAGE_ID" \ + /usr/lib/os-release +fi + +if [ -n "$IMAGE_VERSION" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_VERSION=/!p' \ + -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ + /usr/lib/os-release +fi + +if command -v authselect >/dev/null; then + # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so + # let's use the new name if it exists. + if [ -d /usr/share/authselect/default/local ]; then + PROFILE=local + else + PROFILE=minimal + fi + + authselect select "$PROFILE" + + if authselect list-features "$PROFILE" | grep -q "with-homed"; then + authselect enable-feature with-homed + fi +fi + +# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that +# if that's the case. +mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf +rm -f /etc/resolv.conf + +. /usr/lib/os-release + +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 + alternatives --set python3 /usr/bin/python3.9 +fi + +mkdir -p /usr/lib/sysusers.d +cat >/usr/lib/sysusers.d/testuser.conf </usr/lib/tmpfiles.d/testuser.conf < /dev/null && [ -d "/efi" ]; then - bootctl install - fi - - cat >> /root/.gdbinit < 50s when built with sanitizers so let's not run it by default. 
- systemctl mask systemd-hwdb-update.service - fi - - # Make sure dnsmasq.service doesn't start on boot on Debian/Ubuntu. - rm -f /etc/systemd/system/multi-user.target.wants/dnsmasq.service -fi - -# Temporary workaround until https://github.com/openSUSE/suse-module-tools/commit/158643414ddb8d8208016a5f03a4484d58944d7a -# gets into OpenSUSE repos -if [ "$1" = "final" ] && grep -q openSUSE /etc/os-release; then - if [ -e "/usr/lib/systemd/system/boot-sysctl.service" ] && \ - ! grep -F -q 'ConditionPathExists=/boot/sysctl.conf' "/usr/lib/systemd/system/boot-sysctl.service"; then - mkdir -p "/etc/systemd/system/boot-sysctl.service.d/" - printf '[Unit]\nConditionPathExists=/boot/sysctl.conf-%%v' >"/etc/systemd/system/boot-sysctl.service.d/99-temporary-workaround.conf" - fi -fi