author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-01-25 22:48:55 +0100 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-03-07 10:47:19 +0100 |
commit | 4d0f1451b58dbd4b94da579b800adef4f4e42c34 (patch) | |
tree | 841684bfbb83f8028c8d4ca0a9e2a125ab4dbe54 /mkosi.images/system | |
parent | mkosi: Update to v21 (diff) | |
download | systemd-4d0f1451b58dbd4b94da579b800adef4f4e42c34.tar.xz systemd-4d0f1451b58dbd4b94da579b800adef4f4e42c34.zip |
Build distribution packages in mkosi
Instead of running meson install and hoping for the best, let's build
distribution packages from the downstream packaging specs. This gets
us the following:
- Vastly simplified mkosi scripts since we don't need a separate initrd
image anymore but can just reuse the default mkosi initrd.
- Almost everything can move to the base image as it's not the basis
anymore for the initrd and as such we don't need to care about the
size anymore.
- The systemd packages that get pulled in as dependencies of other
packages get properly uninstalled and replaced with our packages that
we built instead of just installing on top of an existing systemd
installation with no guarantee that everything from that previous
installation was removed.
- Much better testing coverage as what we're testing is much closer
to what will actually be deployed in distributions.
- Immediate feedback if something we change breaks distribution packaging
- We get integration with the distribution for free as we'll automatically
use the proper directories and such instead of having to hack this
into a mkosi build script.
- ...
Diffstat (limited to 'mkosi.images/system')
21 files changed, 6 insertions, 389 deletions
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index 5bcf6967c7..9937ad3a98 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -3,49 +3,15 @@
 [Config]
 Dependencies=base
+[Distribution]
+CacheOnly=metadata
+
 [Output]
 @Format=directory
 [Content]
-Autologin=yes
 BaseTrees=%O/base
-ExtraTrees=%O/base-systemd
-Packages=
- acl
- bash-completion
- coreutils
- diffutils
- dnsmasq
- dosfstools
- e2fsprogs
- findutils
- gcc # Sanitizer libraries
- gdb
- grep
- gzip
- kbd
- kexec-tools
- less
- mtools
- nano
- nftables
- openssl
- qrencode
- sed
- socat
- strace
- systemd
- tmux
- tar
- tree
- udev
- util-linux
- valgrind
- wireguard-tools
- xfsprogs
- zsh
-
-BuildPackages=
+Initrds=%O/base.initrd
 [Validation]
 @SecureBoot=yes
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
deleted file mode 100644
index 23685871c6..0000000000
--- a/mkosi.images/system/mkosi.conf.d/05-initrd.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Bootable=!no
-Format=|disk
-Format=|directory
-
-[Config]
-Dependencies=initrd
-
-[Content]
-Initrds=%O/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
deleted file mode 100644
index a3d008d10f..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- bpf
- btrfs-progs
- compsize
- dhcp
- f2fs-tools
- glib2
- iproute
- linux
- man-db
- openbsd-netcat
- openssh
- pacman
- polkit
- python-pefile
- python-psutil
- python-pytest
- python3
- quota-tools
- sbsigntools
- shadow
- vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
deleted file mode 100644
index 871186d5ca..0000000000
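Review bot: `@SecureBoot=yes` under `[Validation]` is kept on the new side, while the same commit deletes mkosi-check-and-shutdown.sh, which compared the SecureBoot/SetupMode EFI variables against the expected enrolled values and checked that only the signed addon's `this_should_be_here` reached /proc/cmdline while `this_should_not_be_here` did not. Unless those assertions were relocated outside mkosi.images/system (this diffstat cannot show that), the image is still signed but nothing at boot verifies that enrollment took effect or that an unsigned addon is rejected. I would either restore the checks or add a pointer next to `Initrds=%O/base.initrd`, e.g. `# Secure Boot enrollment / addon-signature checks now live in <path>`, once they are re-homed. The new `CacheOnly=metadata` also has no comment; if the intent is to reuse the repository metadata already fetched for the base image, say so above it, e.g. `# Metadata was synced when the base image was built; reuse it instead of refreshing again.`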
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- bpftool
- cryptsetup
- dhcp-server
- dnf
- glib2
- integritysetup
- iproute
- iproute-tc
- kernel-core
- libcap-ng-utils
- netcat
- openssh-server
- openssh-clients
- p11-kit
- pam
- passwd
- polkit
- procps-ng
- python3
- python3dist(pefile)
- python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
- python3dist(psutil)
- python3dist(pytest)
- quota
- vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 146e03a895..af4862d4b1 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -2,7 +2,3 @@
 [Match]
 Distribution=centos
-
-[Content]
-Packages=
- kernel-modules # For squashfs support
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
deleted file mode 100644
index 393d5f038c..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support erofs so we use squashfs instead.
-[Partition]
-Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
deleted file mode 100644
index d3c89f3a8c..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=debian
-Architecture=x86-64
-
-[Content]
-Packages=
- bpftool
- linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
deleted file mode 100644
index 76a6898111..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=debian
-Architecture=arm64
-
-[Content]
-Packages=
- bpftool
- linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
deleted file mode 100644
index d6e3f20222..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- apt
- btrfs-progs
- cryptsetup-bin
- dbus-broker
- default-dbus-session-bus
- f2fs-tools
- fdisk
- iproute2
- isc-dhcp-server
- libcap-ng-utils
- netcat-openbsd
- openssh-server
- openssh-client
- sbsigntool
- passwd
- policykit-1
- procps
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
deleted file mode 100644
index 7554ad2dc3..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-Packages=
- btrfs-progs
- compsize
- f2fs-tools
- glibc-langpack-en
- sbsigntools
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
deleted file mode 100644
index ffcb664224..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-Packages=
- bpftool
- btrfs-progs
- cryptsetup
- dbus-broker
- f2fs-tools
- glibc-locale-base
- kernel-kvmsmall
- libcap-ng-utils
- openssh-server
- openssh-clients
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- sbsigntools
- shadow
- vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
deleted file mode 100644
index b099e79132..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Content]
-Packages=
- # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
- linux-image-generic
- linux-tools-common
- linux-tools-generic
-# "orphan_file" is enabled by default in recent versions of mkfs.ext4 but not supported by the Jammy kernel
-# so we explicitly disable it.
-Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue
deleted file mode 100644
index 6aa6fc0ec0..0000000000
--- a/mkosi.images/system/mkosi.extra/etc/issue
+++ /dev/null
@@ -1,2 +0,0 @@
-\S (built from systemd tree)
-Kernel \r on an \m (\l)
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
deleted file mode 100644
index 2f953290d3..0000000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
-# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
-# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
-# Storage= to persistent to have systemd-journald create /var/log/journal itself.
-[Journal]
-Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
deleted file mode 100755
index e0fcf30498..0000000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash -eux
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-systemctl --failed --no-legend | tee /failed-services
-
-# Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
- cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
- cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
-
- if command -v sbsign &>/dev/null; then
- cat /proc/cmdline
- grep -q this_should_be_here /proc/cmdline
- (! grep -q this_should_not_be_here /proc/cmdline)
- fi
-fi
-
-# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
-[[ ! -s /failed-services ]]
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
deleted file mode 100644
index 7942cbfa77..0000000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Check if any service failed and then shutdown the machine
-After=multi-user.target network-online.target
-Requires=multi-user.target
-Wants=systemd-resolved.service systemd-networkd.service network-online.target
-SuccessAction=exit
-FailureAction=exit
-# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
-# host.
-SuccessActionExitStatus=123
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
deleted file mode 100644
index dac79ba4ed..0000000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
deleted file mode 100644
index 26f882bc2b..0000000000
--- a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
+++ /dev/null
@@ -1,3 +0,0 @@
-set debuginfod enabled off
-set build-id-verbose 0
-set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
deleted file mode 100755
index 74b810c152..0000000000
--- a/mkosi.images/system/mkosi.finalize
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
deleted file mode 100755
index 330fa3b73e..0000000000
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-if [ "$1" = "build" ]; then
- exit 0
-fi
-
-if [ -n "$SANITIZERS" ]; then
- LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
-
- mkdir -p /etc/systemd/system.conf.d
-
- cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-EOF
-
- # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
- # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
- # sanitizer failures appear directly on the user's console.
- mkdir -p /etc/systemd/system/systemd-journald.service.d
- cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
- # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
- # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
- # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
- # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
- mkdir -p /etc/systemd/system/console-getty.service.d
- cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
- # ASAN and syscall filters aren't compatible with each other.
- find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
- # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
- systemctl mask systemd-hwdb-update.service
-fi
-
-if [ -n "$IMAGE_ID" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_ID=/!p' \
- -e "\$aIMAGE_ID=$IMAGE_ID" \
- /usr/lib/os-release
-fi
-
-if [ -n "$IMAGE_VERSION" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_VERSION=/!p' \
- -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
- /usr/lib/os-release
-fi
-
-if command -v authselect >/dev/null; then
- # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
- # let's use the new name if it exists.
- if [ -d /usr/share/authselect/default/local ]; then
- PROFILE=local
- else
- PROFILE=minimal
- fi
-
- authselect select "$PROFILE"
-
- if authselect list-features "$PROFILE" | grep -q "with-homed"; then
- authselect enable-feature with-homed
- fi
-fi
-
-# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
-# if that's the case.
-mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
-rm -f /etc/resolv.conf
-
-. /usr/lib/os-release
-
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
- alternatives --set python3 /usr/bin/python3.9
-fi
-
-mkdir -p /usr/lib/sysusers.d
-cat >/usr/lib/sysusers.d/testuser.conf <<EOF
-u testuser 4711 "Test User" /home/testuser
-EOF
-mkdir -p /usr/lib/tmpfiles.d
-cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
-q /home/testuser 0700 4711 4711
-EOF
-
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
- # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
- addons_dir=/efi/loader/addons
- mkdir -p "$addons_dir"
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
- ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
index 4be04661d9..391543d1e7 100644
--- a/mkosi.images/system/mkosi.repart/00-esp.conf
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -5,5 +5,5 @@ Type=esp
 Format=vfat
 CopyFiles=/boot:/
 CopyFiles=/efi:/
-SizeMinBytes=512M
-SizeMaxBytes=512M
+SizeMinBytes=1G
+SizeMaxBytes=1G
|