Commit message | Author | Age | Files | Lines
We build with support for selinux/apparmor where applicable but
disable them at runtime as even in permissive mode they're horribly
broken.
We only really care about lowering the device timeout so we get to
a shell faster when the root device doesn't appear so let's only
lower that timeout instead of lowering all default timeouts.
This is now possible without a TPM device so let's start signing
PCRs when building images with mkosi.
We rely on vsock to communicate the exit status back to us from the
VM but vsock in GitHub Actions is broken so let's switch back to
mounting for now.
Let's make CI green again and dig into this failure later
This fails but we didn't notice until now because error reporting
from the mkosi VM was broken. Let's disable it for now to get CI
green again.
Files placed in /EFI/Linux/UKI.efi.extra.d/ and /loader/addons/ are
opened and verified using the LoadImage protocol, and will thus get
verified via shim/firmware.
If they are valid signed PE files, the .cmdline section will be
extracted and appended. If there are multiple addons in each directory,
they will be parsed in alphanumerical order.
Optionally the .uname sections are also matched if present, so
that they can be used to filter out addons as well if needed, and only
addons that correspond exactly to the UKI being loaded are used.
It is recommended to also always add a .sbat section to addons, so
that they can be mass-revoked with just a policy update.
The files must have a .addon.efi suffix.
Files in the per-UKI directory are parsed, sorted, measured and
appended first. Then, files in the generic directory are processed.
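The selection rules in the message above (only `*.addon.efi` files, per-UKI directory before the generic one, alphanumerical order within each, optional `.uname` match, `.cmdline` appended, `.sbat` recommended) can be checked against a directory inventory without booting anything. The following is an added example written for this page; it is not systemd-stub's code or any part of the systemd repository. It assumes the files have already been verified by the firmware/shim via LoadImage (that step is not emulated), and it builds toy PE images with a minimal header only so that the section parser has something to read; the file names, kernel version strings and SBAT text are constructed sample data.

```python
import struct

# PE/COFF layouts, little-endian. COFF header: Machine, NumberOfSections,
# TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
# Characteristics. Section header: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PtrRelocs, PtrLinenos, NumRelocs, NumLinenos,
# Characteristics.
_COFF = struct.Struct("<HHIIIHH")
_SECTION = struct.Struct("<8sIIIIIIHHI")
FILE_ALIGN = 512
ADDON_SUFFIX = ".addon.efi"


def _align(n, a):
    return -(-n // a) * a


def build_pe(sections):
    """Toy PE skeleton with the given named sections (no optional header, no
    code). Enough to feed a section parser; NOT a bootable EFI binary, which
    is what ukify produces for real addons."""
    pe_off = 0x40  # e_lfanew: PE signature right after a 64-byte DOS stub
    coff = _COFF.pack(0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    raw_base = _align(pe_off + 4 + _COFF.size + len(sections) * _SECTION.size,
                      FILE_ALIGN)
    table, blobs, va = b"", b"", 0x1000
    for name, payload in sections.items():
        enc = name.encode("ascii")
        if len(enc) > 8:
            raise ValueError(f"section name too long: {name}")
        padded = _align(len(payload), FILE_ALIGN)
        table += _SECTION.pack(enc.ljust(8, b"\0"), len(payload), va, padded,
                               raw_base + len(blobs), 0, 0, 0, 0, 0x40000040)
        blobs += payload.ljust(padded, b"\0")
        va += max(padded, 0x1000)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    return (dos + b"PE\0\0" + coff + table).ljust(raw_base, b"\0") + blobs


def pe_sections(data):
    """Return {section name: bytes}, bounds-checking every pointer so a
    malformed image raises instead of yielding garbage."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 4 + _COFF.size > len(data):
        raise ValueError("not a PE image (no PE signature)")
    _, nsec, _, _, _, opt_size, _ = _COFF.unpack_from(data, pe_off + 4)
    off = pe_off + 4 + _COFF.size + opt_size
    if off + nsec * _SECTION.size > len(data):
        raise ValueError("section table runs past end of image")
    out = {}
    for _ in range(nsec):
        raw_name, vsize, _, rawsize, rawptr, *_ = _SECTION.unpack_from(data, off)
        off += _SECTION.size
        size = min(vsize, rawsize) if vsize else rawsize
        if rawptr + size > len(data):
            raise ValueError("section data runs past end of image")
        out[raw_name.rstrip(b"\0").decode("ascii", "replace")] = data[rawptr:rawptr + size]
    return out


def _text(secs, name):
    return secs.get(name, b"").rstrip(b"\0").decode("utf-8", "replace").strip()


def collect_addon_cmdline(uki_uname, per_uki_dir, generic_dir):
    """per_uki_dir / generic_dir map file name -> bytes, standing in for
    /EFI/Linux/UKI.efi.extra.d/ and /loader/addons/. Per-UKI addons first,
    then generic ones, each directory in sorted order; only *.addon.efi; an
    addon whose .uname differs from the UKI's is skipped. Returns
    (addons used, extra cmdline, addons used that lack .sbat)."""
    used, parts, no_sbat = [], [], []
    for directory in (per_uki_dir, generic_dir):
        for fname in sorted(directory):
            if not fname.endswith(ADDON_SUFFIX):
                continue
            secs = pe_sections(directory[fname])  # assumed already verified
            uname = _text(secs, ".uname")
            if uname and uname != uki_uname:
                continue
            cmdline = _text(secs, ".cmdline")
            if not cmdline:
                continue
            used.append(fname)
            parts.append(cmdline)
            if ".sbat" not in secs:
                no_sbat.append(fname)  # cannot be mass-revoked via SBAT policy
    return used, " ".join(parts), no_sbat


# Constructed sample inventory (hypothetical names and versions).
SBAT = b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
UKI_UNAME = "6.5.0-example"
PER_UKI = {
    "20-debug.addon.efi": build_pe({".cmdline": b"systemd.log_level=debug",
                                    ".uname": b"6.5.0-example", ".sbat": SBAT}),
    "10-console.addon.efi": build_pe({".cmdline": b"console=ttyS0", ".sbat": SBAT}),
    "notes.txt": b"ignored: wrong suffix",
}
GENERIC = {
    "00-stale.addon.efi": build_pe({".cmdline": b"quiet", ".uname": b"6.4.0-old"}),
    "50-quiet.addon.efi": build_pe({".cmdline": b"quiet splash"}),  # no .sbat
}


def demo():
    return collect_addon_cmdline(UKI_UNAME, PER_UKI, GENERIC)


if __name__ == "__main__":
    used, extra, no_sbat = demo()
    print("addons used:", used)
    print("appended cmdline:", extra)
    print("addons without .sbat:", no_sbat)
```

With the sample inventory the result is `console=ttyS0 systemd.log_level=debug quiet splash`: the per-UKI files come first in sorted order, `notes.txt` is ignored for its suffix, `00-stale.addon.efi` is dropped for its `.uname` mismatch, and `50-quiet.addon.efi` is flagged because it carries no `.sbat` and so could not be revoked by a policy update alone.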
We ship with empty /var, so /var/log/journal does not exist, which
means journald does not do persistent logging. Let's fix that by
setting the config to explicitly enable persistent logging.
This accidentally got pulled into a commit even though it was only
for local testing; let's drop it again so we correctly use erofs
when building local images.
We currently have to resort to SSH to get more than one interactive
terminal in a mkosi qemu VM. Let's increase our options by installing
tmux in the final image, which can multiplex the serial console into
many unique terminal sessions.
Let's start moving towards a more involved partitioning setup to
test our stuff more when using mkosi.
The root partition is generated on boot with systemd-repart.
CentOS supports neither erofs nor btrfs so we use squashfs and xfs
instead.
We also enable SecureBoot= locally for additional coverage. This
and the use of verity means users need to run `mkosi genkey` once
to generate the keys necessary to do secure boot and verity.
If we're making a /usr only image, we still want to populate /etc
fully on first boot. To make that possible, let's copy /etc to
/usr/share/factory/mkosi in a finalize script, which runs after
all changes to the image have been made. Let's also add a tmpfiles
snippet that merges /usr/share/factory/mkosi with /etc on boot to
populate /etc.
Just because CentOS doesn't support it doesn't mean we can't use it
on the other distros.
With this change, Bootable= can be set to "no" for a faster build
intended for booting in systemd-nspawn but not qemu.
This way, we can change the compression (and even the output format)
in the future without having to modify the final preset.
Let's use the distro's pam config instead of installing the systemd one.
Disable the NetworkManager one and pull in the networkd one explicitly.
We run the build as a regular user and create-log-dirs requires
running as root so let's disable the option to avoid error noise during
the install phase.
This was added for openSUSE to make the tests pass but doesn't seem
to be needed anymore after recent changes so let's drop it.
Rewrite udev-test.pl in Python
This undoes the effect of 1394a3ec351048bae008627a0775d1f9a6c46294 partially.
We print the fairly verbose output of the build commands, so let's also
print the commands themselves. This makes it much easier to understand what
is going on.
(The style was copied from other scripts where we do 'set -x' for one command.)
With bash, we can use an array for options. This is nice because we can
construct the commandline more easily. The file is now shellcheck-clean.
Add kernel-install plugin that calls ukify
Some web searches say that it's packaged for those distros and not the others…
v2:
- drop arch. https://aur.archlinux.org/packages/python-pytest-flakes exists,
but installation fails in CI.
Let's make this slightly easier to use by looking for mkosi.kernel/
in the top level directory instead of in mkosi.presets/20-final/.
Let's save on image size by using the kernel build for KVM from
openSUSE.
Instead of building the initrds for the mkosi images with dracut,
let's switch to using mkosi presets to build the initrd with mkosi
as well.
This commit splits up our single image build into three separate
mkosi presets:
1. The "base" preset. This image contains systemd and all its runtime
dependencies. The sole purpose of this image is to serve as a base image
for the initrd and the final image. It's also responsible for building
systemd from source with the build script. The results are installed into
the base image. Note that we install the systemd and udev packages into this
image as well to prevent package managers from overriding the systemd we built
from source with the distro packaged systemd if it's pulled in as a dependency
by another package from the initrd or final profiles.
2. The "initrd" preset. This image provides the initrd. It's trivial and does
nothing more than packaging the base image up as a zstd compressed initramfs and
adds /init and /etc/initrd-release symlinks to the image.
3. The "final" preset. This image builds on top of the base image and adds
a kernel and extra packages that are useful for testing and debugging.
We also split out the optional kernel build into a separate set of config files
that are only included if a kernel to build is actually provided.
Note that this commit doesn't really change anything about how mkosi is used.
The commands remain the same, except that mkosi will now build all the presets
in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu,
boot, shell" will always boot the final preset. With "-f", all presets will be
built and the final one is booted. "-i" makes a cache of each preset.
The only thing to keep in mind is that specifying config via the mkosi CLI will
apply to each of the presets. e.g. any extra packages added with "-p" will be
installed in both the initrd and the final image. To apply local configuration
to a single preset, create a file 00-local.conf in
mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration
in there.