[thirdparty/systemd.git] / mkosi.images / base / mkosi.build.chroot

#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
# Simply invoke "mkosi" in the project directory to build an OS image.

# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
# an extra tree in the initrd and system image builds.
DESTDIR="$OUTPUTDIR/systemd"

# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
# as out-of-tree build dir. Otherwise, let's make up our own builddir.
[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build

# Let's make sure we're using stuff from the build directory first if available there.
PATH="$BUILDDIR:$PATH"
export PATH

# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
# the ubuntu script with a symlink to the first bpftool program we can find.
for bpftool in /usr/lib/linux-tools/*/bpftool; do
    [ -x "$bpftool" ] || continue
    ln -sf "$bpftool" "$BUILDDIR"/bpftool
    break
done

# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
. /usr/lib/os-release
if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
    cat >"$BUILDDIR"/bpftool <<EOF
#!/bin/sh
if [ "\$1" = --version ]; then
    echo 5.6.0
else
    exec /usr/sbin/bpftool \$@
fi
EOF
    chmod +x "$BUILDDIR"/bpftool
fi

if [ ! -f "$BUILDDIR"/build.ninja ]; then
    [[ -d /etc/rc.d/init.d ]] && sysvinit_path="/etc/rc.d/init.d" || sysvinit_path="/etc/init.d"

    if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
        UKIFY="disabled"
    else
        UKIFY="enabled"
    fi

    # On Debian 'loadkeys us' fails
    if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
        DEFAULT_KEYMAP=""
    else
        DEFAULT_KEYMAP="us"
    fi

    CONFIGURE_OPTS=(
        -D sysvinit-path="$sysvinit_path"
        -D man=disabled
        -D translations=false
        -D version-tag="${VERSION_TAG}"
        -D mode=developer
        -D b_sanitize="${SANITIZERS:-none}"
        -D install-tests=true
        -D tests=unsafe
        -D slow-tests="${SLOW_TESTS:-false}"
        -D create-log-dirs=false
        -D pamconfdir=/usr/lib/pam.d/
        -D utmp=true
        -D hibernate=true
        -D ldconfig=true
        -D resolve=true
        -D efi=true
        -D tpm=true
        -D environment-d=true
        -D binfmt=true
        -D repart=enabled
        -D sysupdate=enabled
        -D coredump=true
        -D pstore=true
        -D oomd=true
        -D logind=true
        -D hostnamed=true
        -D localed=true
        -D machined=true
        -D portabled=true
        -D sysext=true
        -D userdb=true
        -D homed=enabled
        -D networkd=true
        -D timedated=true
        -D timesyncd=true
        -D remote=enabled
        -D nss-myhostname=true
        -D nss-mymachines=enabled
        -D nss-resolve=enabled
        -D nss-systemd=true
        -D firstboot=true
        -D randomseed=true
        -D backlight=true
        -D vconsole=true
        -D quotacheck=true
        -D sysusers=true
        -D tmpfiles=true
        -D importd=enabled
        -D hwdb=true
        -D rfkill=true
        -D xdg-autostart=true
        -D translations=true
        -D polkit=enabled
        -D acl=enabled
        -D audit=enabled
        -D blkid=enabled
        -D fdisk=enabled
        -D kmod=enabled
        -D pam=enabled
        -D pwquality=enabled
        -D microhttpd=enabled
        -D libcryptsetup=enabled
        -D libcurl=enabled
        -D idn=true
        -D libidn2=enabled
        -D qrencode=enabled
        -D gcrypt=enabled
        -D gnutls=enabled
        -D openssl=enabled
        -D cryptolib=openssl
        -D p11kit=enabled
        -D libfido2=enabled
        -D tpm2=enabled
        -D elfutils=enabled
        -D zstd=enabled
        -D xkbcommon=enabled
        -D pcre2=enabled
        -D glib=enabled
        -D dbus=enabled
        -D bootloader=enabled
        -D kernel-install=true
        -D analyze=true
        -D bpf-framework=enabled
        -D ukify="$UKIFY"
        -D seccomp=enabled
        -D selinux=auto
        -D apparmor=auto
        -D smack=true
        -D ima=true
        -D first-boot-full-preset=true
        -D initrd=true
        -D fexecve=true
        -D default-keymap="$DEFAULT_KEYMAP"
    )

    # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
    # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
    # installed in the wrong directory and not be found by cryptsetup. Assume native build.
    if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
        CONFIGURE_OPTS+=(
            -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
            -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
        )
    fi

    # Set various uids and gids for which Fedora has "soft static" allocations.
    # Without this, we would get warning about mismatched sysusers.d entries
    # between the files that we and Fedora's setup package install.
    if grep -q '^ID=fedora' /usr/lib/os-release; then
        CONFIGURE_OPTS+=(
            -Dadm-gid=4
            -Daudio-gid=63
            -Dcdrom-gid=11
            -Ddialout-gid=18
            -Ddisk-gid=6
            -Dinput-gid=104
            -Dkmem-gid=9
            -Dkvm-gid=36
            -Dlp-gid=7
            -Drender-gid=105
            -Dsgx-gid=106
            -Dtape-gid=33
            -Dtty-gid=5
            -Dusers-gid=100
            -Dutmp-gid=22
            -Dvideo-gid=39
            -Dwheel-gid=10
            -Dsystemd-journal-gid=190
            -Dsystemd-network-uid=192
            -Dsystemd-resolve-uid=193
        )
    fi

    if grep -q '^ID="opensuse' /usr/lib/os-release; then
        CONFIGURE_OPTS+=(
            -Dbpf-compiler=gcc
        )
    fi

    ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
fi

( set -x; ninja -C "$BUILDDIR" "$@" )
if [ "$WITH_TESTS" = 1 ]; then
    if [ -n "$SANITIZERS" ]; then
        export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
        export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
        TIMEOUT_MULTIPLIER=3
    else
        TIMEOUT_MULTIPLIER=1
    fi

    ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
fi

( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )

# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
if [ -d "${DESTDIR}/boot/loader" ]; then
    addons_dir="${DESTDIR}/boot/loader/addons"
elif [ -d "${DESTDIR}/efi/loader" ]; then
    addons_dir="${DESTDIR}/efi/loader/addons"
fi
if [ -n "${addons_dir}" ]; then
    mkdir -p "${addons_dir}"
    ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
    ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
fi
Commit	Line	Data
dede5394	1	#!/bin/bash
8f5bcd61	2	# SPDX-License-Identifier: LGPL-2.1-or-later
1394a3ec	3	set -e
1b0ff615	4
1b0ff615 LP	5	# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
	6	# Simply invoke "mkosi" in the project directory to build an OS image.
	7
6ac5aa97	8	# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
1f035c91 DDM	9	# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
1f035c91 DDM	10	# an extra tree in the initrd and system image builds.
6ac5aa97 DDM	11	DESTDIR="$OUTPUTDIR/systemd"
6ac5aa97 DDM	12
70e760e3 LP	13	# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
70e760e3 LP	14	# as out-of-tree build dir. Otherwise, let's make up our own builddir.
84a4af2c DDM	15	[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
	16
	17	# Let's make sure we're using stuff from the build directory first if available there.
	18	PATH="$BUILDDIR:$PATH"
	19	export PATH
70e760e3	20
37d35150 DDM	21	# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
	22	# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
	23	# the ubuntu script with a symlink to the first bpftool program we can find.
	24	for bpftool in /usr/lib/linux-tools/*/bpftool; do
a1cfe390 DDM	25	[ -x "$bpftool" ] \|\| continue
	26	ln -sf "$bpftool" "$BUILDDIR"/bpftool
	27	break
37d35150 DDM	28	done
37d35150 DDM	29
6afeac1d DDM	30	# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
	31	# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
	32	# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
6ac5aa97 DDM	33	. /usr/lib/os-release
6ac5aa97 DDM	34	if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
a1cfe390	35	cat >"$BUILDDIR"/bpftool <<EOF
6afeac1d DDM	36	#!/bin/sh
6afeac1d DDM	37	if [ "\$1" = --version ]; then
a1cfe390	38	echo 5.6.0
6afeac1d	39	else
a1cfe390	40	exec /usr/sbin/bpftool \$@
6afeac1d DDM	41	fi
6afeac1d DDM	42	EOF
a1cfe390	43	chmod +x "$BUILDDIR"/bpftool
6afeac1d DDM	44	fi
6afeac1d DDM	45
dede5394	46	if [ ! -f "$BUILDDIR"/build.ninja ]; then
566f1000	47	[[ -d /etc/rc.d/init.d ]] && sysvinit_path="/etc/rc.d/init.d" \|\| sysvinit_path="/etc/init.d"
a1cfe390	48
3e0718f2	49	if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
40e9c4e4	50	UKIFY="disabled"
3e0718f2	51	else
40e9c4e4	52	UKIFY="enabled"
3e0718f2 DDM	53	fi
3e0718f2 DDM	54
febbc24e LB	55	# On Debian 'loadkeys us' fails
	56	if [ "$ID" = "debian" ] \|\| [ "$ID_LIKE" = "debian" ]; then
	57	DEFAULT_KEYMAP=""
	58	else
	59	DEFAULT_KEYMAP="us"
	60	fi
	61
dede5394 ZJS	62	CONFIGURE_OPTS=(
dede5394 ZJS	63	-D sysvinit-path="$sysvinit_path"
1e73a64a	64	-D man=disabled
dede5394 ZJS	65	-D translations=false
	66	-D version-tag="${VERSION_TAG}"
	67	-D mode=developer
	68	-D b_sanitize="${SANITIZERS:-none}"
	69	-D install-tests=true
	70	-D tests=unsafe
4bfcb6ba	71	-D slow-tests="${SLOW_TESTS:-false}"
db7a46ed	72	-D create-log-dirs=false
b0936baf	73	-D pamconfdir=/usr/lib/pam.d/
dede5394 ZJS	74	-D utmp=true
	75	-D hibernate=true
	76	-D ldconfig=true
	77	-D resolve=true
	78	-D efi=true
	79	-D tpm=true
	80	-D environment-d=true
	81	-D binfmt=true
40e9c4e4 JJ	82	-D repart=enabled
40e9c4e4 JJ	83	-D sysupdate=enabled
dede5394 ZJS	84	-D coredump=true
	85	-D pstore=true
	86	-D oomd=true
	87	-D logind=true
	88	-D hostnamed=true
	89	-D localed=true
	90	-D machined=true
	91	-D portabled=true
	92	-D sysext=true
	93	-D userdb=true
40e9c4e4	94	-D homed=enabled
dede5394 ZJS	95	-D networkd=true
	96	-D timedated=true
	97	-D timesyncd=true
1e73a64a	98	-D remote=enabled
dede5394	99	-D nss-myhostname=true
1e73a64a JJ	100	-D nss-mymachines=enabled
1e73a64a JJ	101	-D nss-resolve=enabled
dede5394 ZJS	102	-D nss-systemd=true
	103	-D firstboot=true
	104	-D randomseed=true
	105	-D backlight=true
	106	-D vconsole=true
	107	-D quotacheck=true
	108	-D sysusers=true
	109	-D tmpfiles=true
40e9c4e4	110	-D importd=enabled
dede5394 ZJS	111	-D hwdb=true
	112	-D rfkill=true
	113	-D xdg-autostart=true
	114	-D translations=true
a0c9ac9a	115	-D polkit=enabled
43abc59a JJ	116	-D acl=enabled
	117	-D audit=enabled
	118	-D blkid=enabled
9ee80846	119	-D fdisk=enabled
43abc59a	120	-D kmod=enabled
a0c9ac9a	121	-D pam=enabled
1e73a64a	122	-D pwquality=enabled
43abc59a	123	-D microhttpd=enabled
1e73a64a	124	-D libcryptsetup=enabled
43abc59a	125	-D libcurl=enabled
dede5394	126	-D idn=true
1e73a64a	127	-D libidn2=enabled
43abc59a	128	-D qrencode=enabled
a0c9ac9a	129	-D gcrypt=enabled
43abc59a JJ	130	-D gnutls=enabled
43abc59a JJ	131	-D openssl=enabled
dede5394	132	-D cryptolib=openssl
43abc59a	133	-D p11kit=enabled
40e9c4e4	134	-D libfido2=enabled
43abc59a JJ	135	-D tpm2=enabled
	136	-D elfutils=enabled
	137	-D zstd=enabled
	138	-D xkbcommon=enabled
	139	-D pcre2=enabled
	140	-D glib=enabled
101b5943	141	-D dbus=enabled
40e9c4e4	142	-D bootloader=enabled
dede5394 ZJS	143	-D kernel-install=true
dede5394 ZJS	144	-D analyze=true
847e5585	145	-D bpf-framework=enabled
3e0718f2	146	-D ukify="$UKIFY"
43abc59a	147	-D seccomp=enabled
cc532533 DDM	148	-D selinux=auto
	149	-D apparmor=auto
	150	-D smack=true
	151	-D ima=true
	152	-D first-boot-full-preset=true
	153	-D initrd=true
	154	-D fexecve=true
febbc24e	155	-D default-keymap="$DEFAULT_KEYMAP"
dede5394 ZJS	156	)
dede5394 ZJS	157
a1cfe390 DDM	158	# On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
	159	# It is important to use the right one especially for cryptsetup plugins, otherwise they will be
	160	# installed in the wrong directory and not be found by cryptsetup. Assume native build.
6ac5aa97	161	if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
dede5394	162	CONFIGURE_OPTS+=(
b0d3095f	163	-D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
dede5394 ZJS	164	-D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
dede5394 ZJS	165	)
a1cfe390 DDM	166	fi
a1cfe390 DDM	167
385fb4e3 ZJS	168	# Set various uids and gids for which Fedora has "soft static" allocations.
	169	# Without this, we would get warning about mismatched sysusers.d entries
	170	# between the files that we and Fedora's setup package install.
6ac5aa97	171	if grep -q '^ID=fedora' /usr/lib/os-release; then
385fb4e3 ZJS	172	CONFIGURE_OPTS+=(
	173	-Dadm-gid=4
	174	-Daudio-gid=63
	175	-Dcdrom-gid=11
	176	-Ddialout-gid=18
	177	-Ddisk-gid=6
	178	-Dinput-gid=104
	179	-Dkmem-gid=9
	180	-Dkvm-gid=36
	181	-Dlp-gid=7
	182	-Drender-gid=105
	183	-Dsgx-gid=106
	184	-Dtape-gid=33
	185	-Dtty-gid=5
	186	-Dusers-gid=100
	187	-Dutmp-gid=22
	188	-Dvideo-gid=39
	189	-Dwheel-gid=10
	190	-Dsystemd-journal-gid=190
	191	-Dsystemd-network-uid=192
	192	-Dsystemd-resolve-uid=193
	193	)
	194	fi
	195
6ac5aa97	196	if grep -q '^ID="opensuse' /usr/lib/os-release; then
e4086f7d JH	197	CONFIGURE_OPTS+=(
	198	-Dbpf-compiler=gcc
	199	)
	200	fi
	201
bcb335ac	202	( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
c82ce4f2 LP	203	fi
c82ce4f2 LP	204
bcb335ac	205	( set -x; ninja -C "$BUILDDIR" "$@" )
dede5394	206	if [ "$WITH_TESTS" = 1 ]; then
a1cfe390	207	if [ -n "$SANITIZERS" ]; then
01a07564 DDM	208	export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
01a07564 DDM	209	export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
a1cfe390 DDM	210	TIMEOUT_MULTIPLIER=3
	211	else
	212	TIMEOUT_MULTIPLIER=1
	213	fi
	214
1bcad2de	215	( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
ff549982	216	fi
fe2b7631	217
1bcad2de	218	( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
05c9f9c2 LB	219
	220	# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
	221	if [ -d "${DESTDIR}/boot/loader" ]; then
	222	addons_dir="${DESTDIR}/boot/loader/addons"
	223	elif [ -d "${DESTDIR}/efi/loader" ]; then
	224	addons_dir="${DESTDIR}/efi/loader/addons"
	225	fi
	226	if [ -n "${addons_dir}" ]; then
	227	mkdir -p "${addons_dir}"
	228	ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
	229	ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
	230	fi