In systemd CI, we often run into issues caused by updates to third-party
components like the kernel package in rolling release distributions
like Arch Linux or Fedora Rawhide. When these happen, the corresponding
CI job starts failing on every PR and bisecting the distribution to figure
out when the breakage was introduced is rather tedious.
To mitigate this problem, we need to be able to pin the rolling release
distributions to a specific snapshot which we control. This allows us to
update the pinned snapshot in a PR created by a bot, so that any failures
introduced by moving to a newer snapshot will be limited to the PR that bumps
the snapshot. Any regressions can then be debugged and fixed before merging
the PR that switches us to the new snapshot.
To make this possible, let's introduce a new Snapshot= setting and implement
it for every distribution that has a snapshot concept or something that maps
to it. Per distribution:
- Debian => snapshot.debian.org (unlimited)
- Ubuntu => snapshot.ubuntu.com (unlimited)
- Arch => archive.archlinux.org (unlimited)
- OpenSUSE => download.opensuse.org/history (limited to a month of snapshots)
- CentOS => composes.stream.centos.org (limited to 3 weeks of snapshots)
- Fedora => https://kojipkgs.fedoraproject.org (limited to 2 weeks of snapshots)
Additionally, for CentOS, we also support using composes from mirror.facebook.net
which keeps them around forever so we get unlimited snapshots there as well for
CentOS Stream.
We also add a latest-snapshot verb to be able to easily figure out the latest
snapshot so it can be bumped regularly via a CI workflow. Because we do not track
sufficient information from config files to be able to insert the updated snapshot
into the right config file ourselves, we output it on stdout instead and leave it to
users to insert it into the right config file.
DaanDeMeyer [Fri, 22 Aug 2025 14:29:19 +0000 (16:29 +0200)]
Return false from want_efi() for UKI outputs
This may seem counter intuitive, but we do not want to make UKIs
bootable on EFI firmware. Making stuff bootable on EFI firmware involves
installing systemd-boot and shim and other things which aren't required
when building a UKI, so let's return false for UKIs from want_efi() unless
explicitly requested.
DaanDeMeyer [Mon, 25 Aug 2025 12:23:51 +0000 (14:23 +0200)]
kmod: Beef up firmware symlink chasing
- It turns out we need to handle absolutely symlinks after all as
/usr/lib/firmware/regulatory.db is a symlink to /etc/alternatives
in Debian and derivatives.
- Our previous implementation didn't handle cases where a symlink target
consisted out of two parts e.g. if C -> A/B then we wouldn't try to resolve
A.
Fix both issues by switching to a minimal implementation of the chase()
function in systemd.
To avoid having to include /etc stuff in the kernel modules initrd, we resolve
get rid of any intermediate symlinks to /etc/alternatives that we encounter.
DaanDeMeyer [Mon, 25 Aug 2025 19:55:38 +0000 (21:55 +0200)]
kmod: Narrow glob used to select firmware
We want to select the firmware regardless of which compression extension
it has, but let's insist on having at least a '.' which indicates what
follows is an extension in the first place.
DaanDeMeyer [Sun, 24 Aug 2025 15:48:39 +0000 (17:48 +0200)]
Make Bootable= determine whether we build a UKI for esp images
Currently, we build a UKI for ESP images only if a kernel is installed.
Let's make this a bit more flexible by hooking it up to the Bootable=
setting. If Bootable=no, then we won't add a UKI to the esp regardless
if a kernel is installed in the image or not.
tree-wide: Remove numbered prefixes from config files
With the following changes, there's no more need for numbered prefixes
for ordering:
- Assume EPEL is available for CentOS Stream 9/10
- Stop enabling epel-next repository for CentOS Stream 9
- Remove orphan_file hack for ubuntu jammy since we do it internally now
So we make these changes and remove the numbered prefixes throughout the
tree.
Remove mirror from default package cache directory cache key again
We added this initially to deal with pacman not having the mirror
in its cache key of repository metadata. The downside of this approach
is that we cannot cache packages across different mirrors. As an
aternative, let's simply not cache repository metadata for pacman in
the package cache directory.
While we're at it, remove the hack we did for zypper to ensure it had
the mirror in its cache key and also don't store its repository metadata
in the package cache directory. The reasoning here is while we can make
sure our own generated repository ids have the hashed mirror in them, we
cannot do so for any repositories added by users, which might end up causing
conflicts.
dnf: Share package cache between repositories with different baseurl=
Currently, the dnf5 package is not shared between repositories with the
same id but different baseurl=. For building images this is not ideal,
we do not want to have to redownload all packages when switching the
baseurl= or similar for a repository, so let's fix this by having
package_subdirs() return a tuple of source and destination path, and
in dnf's implementation of it, use the same package cache directory
for all repositories with the same id, regardless of the baseurl= used.
Note that this only applies to the package cache directory, the repository
metadata is still cached in the cache directory that is keyed by the baseurl=
or equivalent setting.
DaanDeMeyer [Fri, 22 Aug 2025 13:58:18 +0000 (15:58 +0200)]
Stop passing --workspace-dir= in mkosi-initrd and mkosi-addon
The default value when running as root is /var/tmp now so there's no
need to specify --workspace-dir= explicitly anymore. This allows the
workspace directory to be changed in the configuration file in
/etc/mkosi-initrd and /etc/mkosi-addon.
https://github.com/systemd/mkosi/issues/3852 is better fixed
by not configuring --workspace-dir at all within mkosi-initrd.
This allows it to be changed via the config file as the CLI argument
won't override it anymore and the default value used when running as
root is /var/tmp anyway.
DaanDeMeyer [Thu, 21 Aug 2025 11:47:03 +0000 (13:47 +0200)]
fedora: Rework rawhide GPG key logic
- Drop secondary key logic as looking at https://github.com/rpm-software-management/distribution-gpg-keys/tree/main/keys/fedora,
this hasn't been used for a long time.
- If repository key fetching is enabled, always look up the key remotely
as e.g. on CentOS 9 or so the rawhide symlink might be horribly outdated.
- If not using repository key fetching, Use all local keys newer than the
rawhide key as well to maximize the chances of including the current rawhide
key.
- Resolve symlinks within the sandbox in find_rpm_gpgkey() as we might not be
able to resolve the symlinks outside of the sandbox.
Luca Boccassi [Mon, 18 Aug 2025 13:04:59 +0000 (14:04 +0100)]
mkosi-tools: virtiofsd is only available on a subset of architectures on debian/ubuntu
Package virtiofsd is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'virtiofsd' has no installation candidate
‣ "/work/prepare final" returned non-zero exit code 123.
Afaict, this should work quite similar to the previous dpkg-scanpackages but
also doesn't use perl and is part of apt. Certain distros don't have reprepro
packaged, e.g. nixpkgs. It's also a simpler to work with and smaller compared
to reprepro.
DaanDeMeyer [Mon, 11 Aug 2025 13:26:50 +0000 (15:26 +0200)]
mkosi-tools: Drop systemd-boot-efi package
There's no need to install systemd-boot, systemd-stub, ... in the
tools tree as these are picked up from inside the image so let's stop
installing systemd-boot-efi in the tools tree.
Luca Boccassi [Sat, 9 Aug 2025 14:05:48 +0000 (15:05 +0100)]
mkosi-tools: move systemd-boot package to conf file matching older releases
Since debian 13/ubuntu 25.04 the tools needed at build time
(bootctl) are in the systemd-boot-tools package, so there's
no need to pull in the systemd-boot package in the tools image,
since it is an integration point that sets up the local ESP and
so on
Alberto Planas [Wed, 6 Aug 2025 10:58:55 +0000 (12:58 +0200)]
Drop microsecond resolution for datetime.now()
The RPM INSTALLTIME attribute is an integer represetantion of the
installation time of the package, and datetime.now is a date
representation of a float timestamp. This can produce some rounding
errors is powerful build servers.
For example, if the variable `_init_timestamp` has a value XXXXX.1 but
in the same sub-second the package gets installed, the registered
installation time will be the integer representation (XXXXX), making the
comparison done for exclusion of the package to be `True`.
This patch will remove the microsecond granularity of the datetime,
converting the timestamp on its integer representation, instead of the
default float one. The comparison is still done in the datetime data
type.
mkosi-initrd/vm: ensure TPM2 core modules are installed in the initrd
On arm64 the tpm_tis modules are not built-in, so /dev/tpmrm0 does
not show up in the initrd and it times out, and unlocking using
the tpm doesn't work.
Ensure the modules are included in the initrd if they are not
built in.
FirmwareVariables: allow generating during image build
The build immediately fails if FirmwareVariables=%O/somefile is used, as
the config parser won't be able to find it, so it is not possible to
generate it during the image build itself (e.g: mkosi.postoutput)
in order to add generated keys to MOK. Set required=False.
Deniz Adrian [Wed, 23 Jul 2025 20:04:53 +0000 (22:04 +0200)]
ensure builds with cache over device boundaries
when running mkosi with the default cache dir/XDG_CACHE_HOME on a
different device than the mkosi working directory, mkosi falls back to
trying to copy the cache using `copy_tree` from tree.py.
the cache contains symlinks which are pointing to files on the host:
e.g. `mkosi.cache/debian...cache/usr/bin/mt -> /etc/alternatives/mt`
`os.listxattr()` defaults to `follow_symlinks=True`, which leads to
`FileNotFoundError`s if the files don't exist on the host, which stops
the build.
this patch ignores symlinks, but feels like a workaround, as our
assumption would be that such absolute links should not be traversed
outside the chroot in the first place.
Change UnifiedKernelImages to enum and accept signed/unsigned
With custom firmware we enroll our keys in db, so local UKIs can be
built and there's no need to fail the build. Many distributions
ship signed bootloaders, but they still don't ship UKIs.
Add an enum and a parser (to keep backward compat), and if set to
unsigned build locally instead of failing when the bootloader is
signed.
hpet is an emulated clocksource that is generally discouraged in favor
of kvm-clock or tsc for virtual machines. While mkosi's virtual machines
already use kvm-clock, leaving hpet enabled causes qemu on the host to
consume a non-trivial amount of cpu, so let's disable the hpet feature since
we're not making use of it anyway.
EDK2 nowadays does provide secureboot for arm. Not only that, TPM2 support is
only enabled in builds that enable secure boot, probably because it's all
part of the TCG modules.
Default to uefi_secure_boot on arm too, like x86.
Also do not pass qemu x86-only configuration options that break booting
arm.
nfs-utils-2.8.4 will provide its own nfsroot-generator [1] to allow mounting the
real rootfs via NFSv4, so this initrd profile will enable this feature.
mkosi-tools: make sure p11-kit dir exists when configuring module
Fixes this failure, since I guess the dir may not exist:
‣ Running prepare script /tmp/tmphh1uwz2a/resources/mkosi-tools/mkosi.prepare…
/work/prepare: line 4: /buildroot/usr/share/p11-kit/modules/opensc.module: No such file or directory
Do not try to install packages that are listed in RemovePackages=
This allows using RemovePackages= in mkosi.local.conf to prevent
certain packages listed in the regular configuration from being
installed in the first place.
We also add RemovePackages= to the cache manifest because it now
affects the cached images.
projects / thirdparty / mkosi.git / log
