summaryrefslogtreecommitdiffstats
path: root/mkosi.conf
blob: 94c8697ded3aa2c9b5d3ce036f499521e4ffc60e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
# SPDX-License-Identifier: LGPL-2.1-or-later

[Config]
MinimumVersion=25~devel
Dependencies=
        exitrd
        initrd
        minimal-base
        minimal-0
        minimal-1

PassEnvironment=
        NO_BUILD
        NO_SYNC
        WIPE
        SANITIZERS
        CFLAGS
        LDFLAGS
        LLVM
        MESON_VERBOSE
        MESON_OPTIONS
        SYSEXT
        WITH_DEBUG
        ASAN_OPTIONS

[Output]
RepartDirectories=mkosi.repart
OutputDirectory=build/mkosi.output

[Build]
BuildDirectory=build/mkosi.builddir
CacheDirectory=build/mkosi.cache
BuildSourcesEphemeral=yes
Incremental=yes

[Validation]
SignExpectedPcr=yes

[Content]
ExtraTrees=
        mkosi.extra.common
        mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
        %O/exitrd:/exitrd

Initrds=%O/initrd

# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
# and results in lots of errors when building images as a regular user.
SELinuxRelabel=no

# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
# various scenarios. Consider adding support for a credential instead if possible and using that.
KernelCommandLine=
        systemd.crash_shell
        systemd.log_level=debug,console:info
        systemd.log_ratelimit_kmsg=0
        # Disable the kernel's ratelimiting on userspace logging to kmsg.
        printk.devkmsg=on
        # Make sure /sysroot is mounted rw in the initrd.
        rw
        # Lower the default device timeout so we get a shell earlier if the root device does
        # not appear for some reason.
        systemd.default_device_timeout_sec=90
        # Make sure no LSMs are enabled by default.
        selinux=0
        systemd.early_core_pattern=/core
        systemd.firstboot=no
        raid=noautodetect
        oops=panic
        panic=-1
        softlockup_panic=1
        panic_on_warn=1
        # These don't ship proper units with [Install] directives so we have to mask them instead.
        systemd.mask=isc-dhcp-server.service
        systemd.mask=mdmonitor.service
        psi=1

KernelModulesInitrdExclude=.*
KernelModulesInitrdInclude=default

Packages=
        acl
        attr
        bash-completion
        binutils
        coreutils
        curl
        diffutils
        dnsmasq
        dosfstools
        e2fsprogs
        findutils
        gdb
        grep
        gzip
        jq
        kbd
        kexec-tools
        kmod
        less
        llvm
        lvm2
        man
        mdadm
        mtools
        nano
        nftables
        nvme-cli
        opensc
        openssl
        p11-kit
        pciutils
        python3
        radvd
        rsync
        sed
        socat
        strace
        tar
        tmux
        tree
        util-linux
        valgrind
        which
        wireguard-tools
        xfsprogs
        zsh
        zstd

[Host]
Credentials=
        journal.storage=persistent
        tty.serial.hvc0.agetty.autologin=root
        tty.serial.hvc0.login.noauth=yes
        tty.console.agetty.autologin=root
        tty.console.login.noauth=yes
RuntimeBuildSources=yes
RuntimeScratch=no
QemuSmp=2
QemuSwtpm=yes
QemuVsock=yes
QemuKvm=yes