- 'systemd-udevd'
- 'systemd-userdb'
- 'systemd-veritysetup'
+ - 'systemd-vmspawn'
- 'systemd-xdg-autostart-generator'
- 'timedatectl'
- 'udevadm'
- 'systemd-udevd'
- 'systemd-userdb'
- 'systemd-veritysetup'
+ - 'systemd-vmspawn'
- 'systemd-xdg-autostart-generator'
- 'timedatectl'
- 'udevadm'
- name: veritysetup
keys: ['systemd-veritysetup']
+ - name: vmspawn
+ keys: ['systemd-vmspawn']
+
- name: xdg-autostart
keys: ['systemd-xdg-autostart-generator']
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
- - uses: systemd/mkosi@1099ead1ccaa11b62b7a16ee312193bd0e6b6404
+ - uses: systemd/mkosi@5fd70560a1b1ac854b9e1c5a450df311f9000121
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
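Review bot: the new pin on the `systemd/mkosi` line is a bare commit hash with nothing saying which mkosi version it corresponds to, while the mkosi.conf hunk later in this patch raises `MinimumVersion=` to `23~devel`. Add a trailing comment on the `uses:` line naming the version or date of the pinned commit, so the pin and the minimum version can be checked against each other at the next bump.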
ToolsTree=default
ToolsTreeDistribution=fedora
QemuVsock=yes
- # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it
QemuKvm=yes
# TODO: Drop once https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed in Github Actions
QemuFirmware=uefi
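Review bot: dropping the comment leaves `QemuKvm=yes` with no explanation, and the removed text described hosts where /dev/kvm exists but is broken. If that situation still occurs on the runners, add a replacement comment saying why `yes` is the wanted value there; if it no longer occurs, say so in the commit message.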
tee mkosi.conf.d/99-ci.conf <<EOF
[Host]
KernelCommandLineExtra=systemd.unit=mkosi-check-and-shutdown.service
+ systemd.log_level=debug
systemd.journald.max_level_console=debug
# udev's debug log output is very verbose, so up it to info in CI.
udev.log_level=info
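Review bot: `systemd.log_level=debug` is added to `KernelCommandLineExtra=` without a comment, while the mkosi.conf hunk in this same patch changes the default to `systemd.log_level=debug,console:info`. If both values end up on the CI kernel command line, the result depends on which one is parsed last. Add a comment, like the one on `udev.log_level=info`, stating that this entry is meant to override the quieter console level from mkosi.conf.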
</a>
</xsl:template>
-<xsl:template match="citerefentry[@project='wireguard']">
- <a>
- <xsl:attribute name="href">
- <xsl:text>https://git.zx2c4.com/WireGuard/about/src/tools/</xsl:text>
- <xsl:value-of select="refentrytitle"/>
- <xsl:text>.</xsl:text>
- <xsl:value-of select="manvolnum"/>
- </xsl:attribute>
- <xsl:call-template name="inline.charseq"/>
- </a>
-</xsl:template>
-
<xsl:template match="citerefentry[@project='mankier']">
<a>
<xsl:attribute name="href">
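Review bot: removing the `citerefentry[@project='wireguard']` template is only safe if no page still uses that project value. The two `wg` references visible in this patch are switched to `project='man-pages'`; check the rest of the manual sources for any remaining `project="wireguard"` before merging, since those would no longer match a template.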
<xsl:template match="citerefentry[@project='archlinux']">
<a>
<xsl:attribute name="href">
- <xsl:text>https://www.archlinux.org/</xsl:text>
- <xsl:value-of select="refentrytitle"/>
- <xsl:text>/</xsl:text>
+ <xsl:text>https://man.archlinux.org/man/</xsl:text>
<xsl:value-of select="refentrytitle"/>
<xsl:text>.</xsl:text>
<xsl:value-of select="manvolnum"/>
- <xsl:text>.html</xsl:text>
+ <xsl:text>.en.html</xsl:text>
</xsl:attribute>
<xsl:call-template name="inline.charseq"/>
</a>
<para>Depending on which build-time options are enabled, functions that operate on
<structname>sd_journal</structname> objects might cause optional shared libraries to be dynamically
loaded via
- <citerefentry project='man7'><refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
such as decompression libraries (xz, lz4, zstd) or cryptographic libraries (gcrypt).
</para>
</refsect1>
<refsect1>
<title>Description</title>
- <para><command>systemd-vmspawn</command> may be used to start a virtual machine from an OS image. In many ways it is similar to <citerefentry
- project='man-pages'><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but
+ <para><command>systemd-vmspawn</command> may be used to start a virtual machine from an OS image. In many ways it is similar to <citerefentry>
+ <refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but
launches a full virtual machine instead of using namespaces.</para>
<para>File descriptors for <filename>/dev/kvm</filename> and <filename>/dev/vhost-vsock</filename> can be
<listitem>
<para>Configure whether to use VM with a virtual TPM or not.</para>
- <para>If the option is not specified vmspawn will detect the presence of <citerefentry project='man-pages'>
+ <para>If the option is not specified vmspawn will detect the presence of <citerefentry project='debian'>
<refentrytitle>swtpm</refentrytitle><manvolnum>8</manvolnum></citerefentry> and use it if available.
- If yes is specified <citerefentry project='man-pages'><refentrytitle>swtpm</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- is always used, and vice versa if no is set <citerefentry project='man-pages'><refentrytitle>swtpm</refentrytitle>
+ If yes is specified <citerefentry project='debian'><refentrytitle>swtpm</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ is always used, and vice versa if no is set <citerefentry project='debian'><refentrytitle>swtpm</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> is never used.</para>
<para>Note: the virtual TPM used may change in future.</para>
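Review bot: in the rewritten sentences the option values are still plain words ("If yes is specified", "if no is set"). Since these lines are being touched anyway, wrap yes and no in `<literal>`, as the `--ssh-key-type=` text in this page does for `ed25519` and `rsa`.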
<term><option>--private-users=</option><replaceable>UID_SHIFT[:UID_RANGE]</replaceable></term>
<listitem><para>Controls user namespacing under <option>--directory=</option>.
- If enabled, <citerefentry project='man-pages'><refentrytitle>virtiofsd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- is instructed to map user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the virtual machine
- (starting with the virtual machine's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other
- purposes (usually in the range beyond the host's UID/GID 65536).</para>
+ If enabled, <command>virtiofsd</command> is instructed to map user and group ids (UIDs and GIDs).
+ This involves mapping the private UIDs/GIDs used in the virtual machine (starting with the virtual machine's
+ root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other purposes (usually in the
+ range beyond the host's UID/GID 65536).</para>
<para>If one or two colon-separated numbers are specified, user namespacing is turned on. <replaceable>UID_SHIFT</replaceable>
specifies the first host UID/GID to map, <replaceable>UID_RANGE</replaceable> is optional and specifies number of host
<term><option>--ssh-key-type=</option><replaceable>TYPE</replaceable></term>
<listitem><para>Configures the type of SSH key to generate, see
- <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <citerefentry project="man-pages"><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for more information.</para>
<para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
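Review bot: the added `citerefentry` uses double quotes (`project="man-pages"`) where the other lines added to this page use single quotes (`project='debian'`). Use single quotes here too so the attribute style stays consistent within the file.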
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
- <member><citerefentry><refentrytitle>mkosi</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry project='debian'><refentrytitle>mkosi</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>importctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
<listitem>
<para>The Base64 encoded private key for the interface. It can be generated using
the <command>wg genkey</command> command
- (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
+ (see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
the name of the credential from which the actual key shall be read. <command>systemd-networkd.service</command>
automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
<term><varname>PublicKey=</varname></term>
<listitem>
<para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
- (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
+ (see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
from a private key, and usually transmitted out of band to the author of the configuration file.
This option honors the <literal>@</literal> prefix in the same way as the <option>PrivateKey=</option>
setting of the <option>[WireGuard]</option> section. This option is mandatory for this section.</para>
[Config]
Images=system
-MinimumVersion=21
+MinimumVersion=23~devel
[Output]
@OutputDirectory=mkosi.output
@RuntimeSize=8G
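Review bot: `MinimumVersion=23~devel` ties local builds to a development version of mkosi, so anyone building with an older packaged mkosi will be rejected. Mention the requirement in the commit message or the contributor documentation, and keep it in step with the commit pinned for `systemd/mkosi` in the workflow hunk.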
ToolsTreePackages=virtiofsd
KernelCommandLineExtra=systemd.crash_shell
- systemd.log_level=debug
+ systemd.log_level=debug,console:info
systemd.log_ratelimit_kmsg=0
systemd.journald.forward_to_console
systemd.journald.max_level_console=warning
# SPDX-License-Identifier: LGPL-2.1-or-later
-[Config]
-InitrdInclude=initrd/
-
[Output]
@Format=directory
Distribution=arch
[Content]
-Environment=
- SYSTEMD_PACKAGES="systemd systemd-ukify systemd-sysvcompat systemd-resolvconf systemd-tests"
- INITRD_PACKAGES="systemd systemd-sysvcompat"
+VolatilePackages=
+ systemd
+ systemd-ukify
+ systemd-sysvcompat
+ systemd-resolvconf
+ systemd-tests
Packages=
bpf
InitrdPackages=
btrfs-progs
tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-sysvcompat
Distribution=|fedora
[Content]
-Environment=
- SYSTEMD_PACKAGES="systemd
- systemd-udev
- systemd-container
- systemd-repart
- systemd-resolved
- systemd-networkd
- systemd-boot
- systemd-tests
- systemd-ukify
- systemd-pam
- systemd-oomd-defaults
- systemd-journal-remote
- systemd-networkd-defaults"
- INITRD_PACKAGES="systemd systemd-udev"
+VolatilePackages=
+ systemd
+ systemd-udev
+ systemd-container
+ systemd-repart
+ systemd-resolved
+ systemd-networkd
+ systemd-boot
+ systemd-tests
+ systemd-ukify
+ systemd-pam
+ systemd-oomd-defaults
+ systemd-journal-remote
+ systemd-networkd-defaults
Packages=
bpftool
InitrdPackages=
tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-udev
Distribution=|ubuntu
[Content]
-Environment=
- SYSTEMD_PACKAGES="systemd
- systemd-userdbd
- systemd-oomd
- systemd-sysv
- systemd-tests
- systemd-timesyncd
- systemd-resolved
- systemd-homed
- systemd-coredump
- systemd-journal-remote
- systemd-container
- systemd-boot
- systemd-ukify
- udev"
- INITRD_PACKAGES="systemd udev"
+VolatilePackages=
+ systemd
+ systemd-userdbd
+ systemd-oomd
+ systemd-sysv
+ systemd-tests
+ systemd-timesyncd
+ systemd-resolved
+ systemd-homed
+ systemd-coredump
+ systemd-journal-remote
+ systemd-container
+ systemd-boot
+ systemd-ukify
+ udev
Packages=
^libasan[0-9]+$
InitrdPackages=
btrfs-progs
tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
-# shellcheck disable=SC2086
-mkosi-install $INITRD_PACKAGES
-
# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
# See https://github.com/openSUSE/suse-module-tools/pull/71
rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"
[Match]
Distribution=opensuse
+[Config]
+InitrdInclude=initrd/
+
[Content]
-Environment=
- SYSTEMD_PACKAGES="systemd
- udev
- systemd-experimental
- systemd-boot
- systemd-container
- systemd-homed
- systemd-network
- systemd-portable
- systemd-sysvcompat
- systemd-testsuite"
- INITRD_PACKAGES="systemd udev systemd-experimental"
+VolatilePackages=
+ systemd
+ udev
+ systemd-experimental
+ systemd-boot
+ systemd-container
+ systemd-homed
+ systemd-network
+ systemd-portable
+ systemd-sysvcompat
+ systemd-testsuite
# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
# versions don't get installed instead.
kmod
libkmod2
tpm2.0-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
+ systemd-experimental
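Review bot: `InitrdInclude=initrd/` now sits under `[Match] Distribution=opensuse`, after being removed from the unconditional `[Config]` section earlier in the patch, so the initrd/ configuration is no longer read for the other distributions. That matches the initrd script hunk, where only the openSUSE erofs workaround is left, but a short comment above the new `[Config]` line saying why the include is openSUSE-only would keep it from being moved back later.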
+++ /dev/null
-#!/bin/bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-# shellcheck disable=SC2086
-mkosi-install $SYSTEMD_PACKAGES
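Review bot: with this script deleted and the `mkosi-install $INITRD_PACKAGES` call removed from the initrd script, the `Environment=` definitions of `SYSTEMD_PACKAGES` and `INITRD_PACKAGES` are gone from all four distribution files shown. Check that no other script still expands either variable: the visible scripts only use `set -e`, so an unset variable would expand to nothing rather than raise an error, and the packages would be missing without any failure.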