author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-04-29 22:13:11 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-04-30 10:46:18 +0200 |
commit | e7c8507977e51df90aa929852af3d74c1d06be95 (patch) | |
tree | f824d93ece9fa73537ea522ef1748989cf687530 | |
parent | TEST-81-GENERATORS: Use SYSTEMD_PROC_CMDLINE more (diff) | |
mkosi: Introduce particle profile
Unfortunately the current mkosi partitioning setup is a bit too
avant-garde for the integration tests. Both in that distributions
aren't ready for it yet (some more than others), and that software
which we depend on in the integration tests isn't ready for it yet
(e.g. libselinux does not read its configuration from /usr).
Let's switch back to a more boring partitioning setup by default but
keep the fancy stuff around as a mkosi profile. This means that it
can still be used for manually testing stuff by running
"mkosi --profile particle -f qemu".
22 files changed, 71 insertions, 66 deletions
diff --git a/mkosi.conf b/mkosi.conf
index b2e8ba62ba..d6bf53ee46 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -38,7 +38,6 @@ KernelCommandLine=systemd.crash_shell
 [Host]
 @Incremental=yes
-@RuntimeSize=8G
 @RuntimeBuildSources=yes
 @QemuSmp=2
 ToolsTreePackages=virtiofsd
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index b124c5c94a..2f5c8af25b 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -7,6 +7,7 @@ Dependencies=
 [Output]
 @Format=directory
+RepartDirectories=mkosi.repart
 [Content]
 Autologin=yes
@@ -61,7 +62,3 @@ Packages=
 xfsprogs
 zsh
 zstd
-
-[Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 79622c83f7..524ffa0de5 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -49,9 +49,6 @@ Packages=
 rpm
 rpm-build
 rpmautospec
- selinux-policy
- selinux-policy-targeted
- setools-console
 squashfs-tools
 util-linux
 vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 0000000000..3dc1143fc8
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+ selinux-policy
+ selinux-policy-targeted
+ setools-console
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 053f11be55..54f8f1c1bd 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -3,6 +3,9 @@
 [Match]
 Distribution=centos
+[Output]
+RepartDirectories=mkosi.repart
+
 [Content]
 Packages=
 rpmautospec-rpm-macros
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d3a8..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
deleted file mode 100644
index d69ff91cc3..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-g root 0
-g bin 1
-g daemon 2
-g sys 3
-g adm 4
-g tty 5
-g disk 6
-g lp 7
-g mem 8
-g kmem 9
-g wheel 10
-g cdrom 11
-g mail 12
-g man 15
-g dialout 18
-g floppy 19
-g games 20
-g tape 33
-g video 39
-g ftp 50
-g lock 54
-g audio 63
-g users 100
-g nobody 65534
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
deleted file mode 100644
index bea0ab3447..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-u root 0:0 "Super User" /root /bin/bash
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u adm 3:4 "adm" /var/adm -
-u lp 4:7 "lp" /var/spool/lpd -
-u sync 5:0 "sync" /sbin /bin/sync
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u halt 7:0 "halt" /sbin /sbin/halt
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u games 12:100 "games" /usr/games -
-u ftp 14:50 "FTP User" /var/ftp -
-u nobody 65534:65534 "Kernel Overflow User" - -
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
new file mode 100644
index 0000000000..a50de68110
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
+# population of xfs which is required for testing SELinux so let's do ext4 instead.
+Format=ext4
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 0000000000..8c1920b0ce
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
index 3755278462..3755278462 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
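Review bot: The new drop-in `mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf` is named after xfs but its only setting is `Format=ext4`, so the filename now contradicts the content and the comment that explains the ext4 choice. Renaming the drop-in (e.g. `ext4.conf`, or a neutral `format.conf`) would keep the directory self-describing; the comment itself is fine. The name also no longer mirrors the `20-root.conf.d/xfs.conf` override this commit deletes, so nothing is gained by keeping it.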
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
index 71eb9e38c4..2f92af248f 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -4,5 +4,3 @@
 Type=root
 Format=btrfs
 SizeMinBytes=1G
-Subvolumes=/home /var
-MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
index dac79ba4ed..dac79ba4ed 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
new file mode 100755
index 0000000000..f5523983d2
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -0,0 +1,15 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
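Review bot: The particle root partition keeps `Format=btrfs` in `20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf`, but the CentOS override for it (`10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf`, deleted earlier in this diff) is not re-added anywhere under the profile, and the new `10-centos/mkosi.repart/10-root.conf.d/xfs.conf` only affects the default layout's `10-root.conf`. Unless an override exists outside this diff, `mkosi --profile particle` on CentOS would now ask for a btrfs root, which the comment added in this same commit says is not supported there. If the particle profile is deliberately not meant to work on CentOS, a one-line comment in `20-particle/mkosi.conf` saying so would save the next person the investigation; otherwise the override should move under `20-particle/` alongside the other relocated files.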
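Review bot: In the new `20-particle/mkosi.finalize` the addon test fixtures are written to `addons_dir=/efi/loader/addons`, an absolute path, while the two lines above it address the image through `"$BUILDROOT"`. The block was moved verbatim from `mkosi.postinst.chroot`, where `/efi` was the image's ESP because the script ran chrooted; a plain `mkosi.finalize` appears to run outside the chroot (that is why `"$BUILDROOT"` is used at all), so unless finalize scripts are chrooted here, `mkdir -p` and the two `ukify build` invocations would create `/efi/loader/addons` and the `good`/`bad` addons outside the image rather than in its ESP, and the signed-vs-unsigned addon check would silently test nothing. The one-line fix is `addons_dir="$BUILDROOT"/efi/loader/addons`. The relative `mkosi.key`/`mkosi.crt` paths also now resolve against whatever working directory mkosi gives finalize scripts; worth confirming that matches the old chroot behaviour.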
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000000..391543d1e7
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
index 343761d097..343761d097 100644
--- a/mkosi.images/system/mkosi.repart/10-usr.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
index b4d45dd7ef..b4d45dd7ef 100644
--- a/mkosi.images/system/mkosi.repart/11-usr-verity.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
index 1841d0a6db..1841d0a6db 100644
--- a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
deleted file mode 100755
index 6da35e5138..0000000000
--- a/mkosi.images/system/mkosi.finalize
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 61a8e311e3..43978316fc 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -65,15 +65,6 @@ fi
 mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
 rm -f /etc/resolv.conf
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
- # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
- addons_dir=/efi/loader/addons
- mkdir -p "$addons_dir"
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
- ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
-
 for f in "$BUILDROOT"/usr/share/*.verity.sig; do
 jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
 done
diff --git a/mkosi.images/system/mkosi.repart/10-root.conf b/mkosi.images/system/mkosi.repart/10-root.conf
new file mode 100644
index 0000000000..3c25dbfb14
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+CopyFiles=/
+SizeMinBytes=8G
+SizeMaxBytes=8G
diff --git a/mkosi.profiles/particle.conf b/mkosi.profiles/particle.conf
new file mode 100644
index 0000000000..5f36d58e4d
--- /dev/null
+++ b/mkosi.profiles/particle.conf
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# This file exists to create the particle profile which is matched on by other configuration files. |
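Review bot: The new default `mkosi.images/system/mkosi.repart/10-root.conf` is a plain writable btrfs root with `CopyFiles=/` and no verity or signature partitions, and the `[Validation]` settings (`@SecureBoot=yes`, `@SignExpectedPcr=yes`) that this commit removes from `mkosi.images/system/mkosi.conf` now apply only under the particle profile; nothing in the file says that this reduced coverage is intentional. Anyone looking for why the default test image no longer carries usr-verity or a signed PCR policy will land here, so a header comment would help, e.g. `# Plain single-root layout for the integration tests; the /usr-only, verity-protected, SecureBoot-signed layout lives in the "particle" profile.` Note also that `SizeMinBytes=8G` / `SizeMaxBytes=8G` pins the image to exactly 8G, which mirrors the `@RuntimeSize=8G` dropped from the top-level `[Host]` section; if that coupling is deliberate it is worth a word in the same comment.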