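#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
# Simply invoke "mkosi" in the project directory to build an OS image.

# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
# an extra tree in the initrd and system image builds.
# NOTE(review): $OUTPUTDIR is expected to come from the caller (presumably mkosi); if it is empty this
# expands to "/systemd". Confirm the script is never run outside mkosi.
DESTDIR="$OUTPUTDIR/systemd"

# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
# as out-of-tree build dir. Otherwise, let's make up our own builddir.
if [ -z "$BUILDDIR" ]; then
    BUILDDIR="$PWD"/build
fi

# The bpftool workarounds further down write into $BUILDDIR before "meson setup" has run, so the
# directory has to exist already; without this a made-up builddir makes "ln"/"cat >" fail under set -e.
mkdir -p "$BUILDDIR"

# Let's make sure we're using stuff from the build directory first if available there.
# From here on, any executable placed in $BUILDDIR shadows the system tool of the same name for every
# later command in this script, so the directory should only be writable by the build itself.
PATH="$BUILDDIR:$PATH"
export PATH
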
# Ubuntu ships bpftool as a script that looks up the real binary via `uname -r`, i.e. for the kernel
# that is currently running. Inside a container that kernel is the host's, so the lookup fails. Work
# around it by pointing $BUILDDIR/bpftool at the first executable bpftool found under linux-tools.
# $BUILDDIR is searched before the system directories in PATH, so this link is the one that gets used.
for candidate in /usr/lib/linux-tools/*/bpftool; do
    # An unmatched glob stays literal and is not executable, so it is skipped here as well.
    if [ ! -x "$candidate" ]; then
        continue
    fi

    ln -sf "$candidate" "$BUILDDIR"/bpftool
    break
done

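# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
. /usr/lib/os-release
if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
    # The delimiter is quoted so the wrapper text is written out literally, without any expansion by
    # this script. "$@" is quoted inside the wrapper so that arguments containing whitespace or glob
    # characters reach the real bpftool unchanged instead of being split or expanded again.
    cat >"$BUILDDIR"/bpftool <<'EOF'
#!/bin/sh
if [ "$1" = --version ]; then
    echo 5.6.0
else
    exec /usr/sbin/bpftool "$@"
fi
EOF
    chmod +x "$BUILDDIR"/bpftool
fi
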
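# Configure the build tree once; an existing build.ninja means "meson setup" has already run.
if [ ! -f "$BUILDDIR"/build.ninja ]; then
    if [[ -d /etc/rc.d/init.d ]]; then
        sysvinit_path="/etc/rc.d/init.d"
    else
        sysvinit_path="/etc/init.d"
    fi

    # $ID and $VERSION come from /usr/lib/os-release, which is sourced earlier in this script.
    if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
        UKIFY="disabled"
    else
        UKIFY="enabled"
    fi

    # On Debian 'loadkeys us' fails
    if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
        DEFAULT_KEYMAP=""
    else
        DEFAULT_KEYMAP="us"
    fi

    # NOTE(review): mode=developer, tests=unsafe and install-tests=true describe a development/test
    # build; presumably the resulting tree is only meant for throwaway mkosi images. Confirm before
    # reusing this option set anywhere else.
    # NOTE(review): "translations" is passed twice below (false, then true). Presumably the later
    # value is the one meson uses; confirm which is intended and drop the other.
    CONFIGURE_OPTS=(
        -D sysvinit-path="$sysvinit_path"
        -D man=disabled
        -D translations=false
        -D version-tag="${VERSION_TAG}"
        -D mode=developer
        -D b_sanitize="${SANITIZERS:-none}"
        -D install-tests=true
        -D tests=unsafe
        -D slow-tests="${SLOW_TESTS:-false}"
        -D create-log-dirs=false
        -D pamconfdir=/usr/lib/pam.d/
        -D utmp=true
        -D hibernate=true
        -D ldconfig=true
        -D resolve=true
        -D efi=true
        -D tpm=true
        -D environment-d=true
        -D binfmt=true
        -D repart=enabled
        -D sysupdate=enabled
        -D coredump=true
        -D pstore=true
        -D oomd=true
        -D logind=true
        -D hostnamed=true
        -D localed=true
        -D machined=true
        -D portabled=true
        -D sysext=true
        -D userdb=true
        -D homed=enabled
        -D networkd=true
        -D timedated=true
        -D timesyncd=true
        -D remote=enabled
        -D nss-myhostname=true
        -D nss-mymachines=enabled
        -D nss-resolve=enabled
        -D nss-systemd=true
        -D firstboot=true
        -D randomseed=true
        -D backlight=true
        -D vconsole=true
        -D quotacheck=true
        -D sysusers=true
        -D tmpfiles=true
        -D importd=enabled
        -D hwdb=true
        -D rfkill=true
        -D xdg-autostart=true
        -D translations=true
        -D polkit=enabled
        -D acl=enabled
        -D audit=enabled
        -D blkid=enabled
        -D fdisk=enabled
        -D kmod=enabled
        -D pam=enabled
        -D pwquality=enabled
        -D microhttpd=enabled
        -D libcryptsetup=enabled
        -D libcurl=enabled
        -D idn=true
        -D libidn2=enabled
        -D qrencode=enabled
        -D gcrypt=enabled
        -D gnutls=enabled
        -D openssl=enabled
        -D cryptolib=openssl
        -D p11kit=enabled
        -D libfido2=enabled
        -D tpm2=enabled
        -D elfutils=enabled
        -D zstd=enabled
        -D xkbcommon=enabled
        -D pcre2=enabled
        -D glib=enabled
        -D dbus=enabled
        -D bootloader=enabled
        -D kernel-install=true
        -D analyze=true
        -D bpf-framework=enabled
        -D ukify="$UKIFY"
        -D seccomp=enabled
        -D selinux=auto
        -D apparmor=auto
        -D smack=true
        -D ima=true
        -D first-boot-full-preset=true
        -D initrd=true
        -D fexecve=true
        -D default-keymap="$DEFAULT_KEYMAP"
    )

    # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
    # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
    # installed in the wrong directory and not be found by cryptsetup. Assume native build.
    if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg >/dev/null 2>&1; then
        # Ask for the triplet once and stop if it cannot be determined. A failing command substitution
        # inside the array would otherwise go unnoticed and configure libdir as "/usr/lib/".
        if ! multiarch="$(dpkg-architecture -qDEB_HOST_MULTIARCH)" || [ -z "$multiarch" ]; then
            echo "dpkg-architecture did not report DEB_HOST_MULTIARCH" >&2
            exit 1
        fi

        CONFIGURE_OPTS+=(
            -D libdir="/usr/lib/${multiarch}"
            -D pamlibdir="/usr/lib/${multiarch}/security"
        )
    fi

    # Set various uids and gids for which Fedora has "soft static" allocations.
    # Without this, we would get warning about mismatched sysusers.d entries
    # between the files that we and Fedora's setup package install.
    if grep -q '^ID=fedora' /usr/lib/os-release; then
        CONFIGURE_OPTS+=(
            -Dadm-gid=4
            -Daudio-gid=63
            -Dcdrom-gid=11
            -Ddialout-gid=18
            -Ddisk-gid=6
            -Dinput-gid=104
            -Dkmem-gid=9
            -Dkvm-gid=36
            -Dlp-gid=7
            -Drender-gid=105
            -Dsgx-gid=106
            -Dtape-gid=33
            -Dtty-gid=5
            -Dusers-gid=100
            -Dutmp-gid=22
            -Dvideo-gid=39
            -Dwheel-gid=10
            -Dsystemd-journal-gid=190
            -Dsystemd-network-uid=192
            -Dsystemd-resolve-uid=193
        )
    fi

    if grep -q '^ID="opensuse' /usr/lib/os-release; then
        CONFIGURE_OPTS+=(
            -Dbpf-compiler=gcc
        )
    fi

    # The subshell keeps the "set -x" trace limited to this one command.
    ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
fi
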
# Build. Arguments given to this script are handed on to ninja; each traced command runs in its own
# subshell so that "set -x" does not stay enabled for the rest of the script.
( set -x; ninja -C "$BUILDDIR" "$@" )

# Run the test suite only when asked to via WITH_TESTS=1.
if [ "$WITH_TESTS" = 1 ]; then
    TIMEOUT_MULTIPLIER=1
    if [ -n "$SANITIZERS" ]; then
        # With sanitizers requested, pass on the sanitizer options supplied via the MKOSI_* variables
        # and give the tests three times the normal timeout.
        export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
        export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
        TIMEOUT_MULTIPLIER=3
    fi

    ( set -x; meson test -C "$BUILDDIR" --print-errorlogs "--timeout-multiplier=${TIMEOUT_MULTIPLIER}" )
fi

( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )

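# Ensure that side-loaded PE addons are loaded if signed, and ignored if not.
# Two addons are generated as fixtures: good.addon.efi is signed with the Secure Boot key and
# certificate, bad.addon.efi is left unsigned. The differing --cmdline markers presumably let a later
# check tell which addon was actually applied.
# NOTE(review): the key and certificate are looked up relative to the current working directory;
# presumably this is a throwaway development key. Confirm it is never a production signing key.

# Start from an empty value so a stray "addons_dir" inherited from the environment cannot redirect the
# output when neither loader directory exists.
addons_dir=""
if [ -d "${DESTDIR}/boot/loader" ]; then
    addons_dir="${DESTDIR}/boot/loader/addons"
elif [ -d "${DESTDIR}/efi/loader" ]; then
    addons_dir="${DESTDIR}/efi/loader/addons"
fi

if [ -n "${addons_dir}" ]; then
    mkdir -p "${addons_dir}"
    ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
    ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
fi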