Luca Boccassi [Mon, 1 Jun 2026 22:16:40 +0000 (23:16 +0100)]
obs: enable PR CI workflow
Build packages on OBS against the PR and reports status back
to Github. This just builds the mkosi package for now, next
step is to also build particleos images.
Martin Pitt [Tue, 2 Jun 2026 09:21:17 +0000 (11:21 +0200)]
tests: Mark install tests and run them separately
The unit tests also run during package builds, but test_install.py
requires network access (venv creation) and is generally not necessary
for most code changes. This also speeds up running the unit tests
considerably.
Luca Boccassi [Mon, 1 Jun 2026 21:37:29 +0000 (22:37 +0100)]
Fix linter unit tests at package build time
Unit tests are broken as they expect a CI environment, but they are also
ran at package build time. Skip gracefully when the git or the
make-man-page.sh scripts are not available.
Martin Pitt [Mon, 1 Jun 2026 12:34:07 +0000 (14:34 +0200)]
Don't add El Torito boot catalog for BIOS/grub images by default
systemd-repart v261 adds an El Torito boot catalog, which writes an
ISO9660 header to the image. grub-bios-setup interprets that header as a
filesystem on the bare disk and fails:
> warning: Attempting to install GRUB to a disk with multiple partition labels. This is not supported yet
> Embedding is not possible. GRUB can only be installed in this setup by
. using blocklists. However, blocklists are UNRELIABLE and their use is
. discouraged
> error: will not proceed with blocklists
Adjust auto mode to only add the El Torito catalog when grub is not
installed as the BIOS bootloader (`Explicit ElTorito=yes` still forces
it on). This goes back to the status quo ante until systemd 260 for
grub/BIOS.
Martin Pitt [Thu, 28 May 2026 16:19:23 +0000 (18:19 +0200)]
tests: Move unit tests from GitHub workflow into pytest
Extract all CI linter/formatter/install checks from the GitHub workflow
into pytest tests. Workflows are hard to reproduce locally, and it's
much more convenient to reproduce what CI does with a simple `pytest`
command. Update the documentation and also stop recommending locally
installed `mypy` and friends -- let's always use the version from
`mkosi box` to get something halfway reproducible.
Keep the `sudo mkosi -h` test in the workflow, though -- it cannot run
inside `mkosi box` as that doesn't have `sudo`.
Some people like to run mypy and other linters from their own dev
environment. Skip tests whose tools aren't installed, but only if they
don't run in `mkosi box` -- in the latter (and in CI) we want to fail
tests, to avoid silently skipping tests due to accidentally dropping a
tool.
When building the box with Fedora instead of Arch, pyright fails:
> mkosi/sandbox.py:889:50 - error: "parent" is possibly unbound (reportPossiblyUnboundVariable)
> mkosi/sandbox.py:889:59 - error: "base" is possibly unbound (reportPossiblyUnboundVariable)
> mkosi/sandbox.py:899:52 - error: "parent" is possibly unbound (reportPossiblyUnboundVariable)
> mkosi/sandbox.py:899:61 - error: "base" is possibly unbound (reportPossiblyUnboundVariable)
This isn't a bug: The variables are only used when nofollow=True, but
pyright cannot infer this from the control flow. Just quiesce this by
initializing the variables.
Martin Pitt [Thu, 28 May 2026 16:04:36 +0000 (18:04 +0200)]
pytest: Restrict discovery to tests/
Configure pytest to only look in tests/ directory. That will prevent
picking up test files inside of built artifacts (like mkosi.output/ or mkosi.tools/).
Fixes this failure of `bin/mkosi box -- python3 -m pytest`:
> ImportError while importing test module 'mkosi/mkosi.tools/usr/lib/python3.14/site-packages/mypyc/test/test_run.py'.
> E ModuleNotFoundError: No module named 'distutils'
Paul Meyer [Fri, 22 May 2026 07:21:51 +0000 (09:21 +0200)]
finalize_scripts: tighten the PATH-strip condition to actual self-exec
The PATH-strip prelude exists to prevent `/scripts/<name>` from
recursing into itself when the script execs a binary named `<name>` via
PATH lookup. The current heuristic, `config.find_binary(name)`, checks a
broader condition: whether *some* binary called `<name>` exists in the
search path. That produces false positives for scripts that exec a
different binary entirely.
In particular, `mkosi-install` execs `dnf install $@`, expecting `dnf`
to resolve to the wrapped `/scripts/dnf` (which adds `--installroot=…`,
`--use-host-config`, `--setopt=…`). When the prelude gets emitted for
`mkosi-install` too, it strips `/scripts` from PATH before the exec, so
`dnf` resolves to the raw system binary and is invoked with none of the
wrapper's overrides.
Tighten the check: emit the prelude only when one of the exec'd argv
tokens is the unqualified string `name`, which is the only case where
PATH lookup could resolve back to `/scripts/<name>`.
Daan De Meyer [Tue, 26 May 2026 10:58:04 +0000 (10:58 +0000)]
Mount /etc/resolv.conf symlink into sandbox
Currently, if /etc/resolv.conf is a symlink, we
bind mount the actual file it points to into the
sandbox. Problem with this approach is that if the
file it points to is replaced on the host, creating
nested sandboxes will fail because bind mounting a
file whose source does not exist anymore fails with
ENOENT when you call mount.
To fix this (partially), make sure we bind mount the
/etc/resolv.conf symlink if it one. That way, on
resolved systems, we'll bind mount the /etc/resolv.conf
symlink and the /run/systemd/resolve directory into the
sandbox, with the latter containing the symlink target of
/etc/resolv.conf. Because we don't mount the target file
directly but its parent directory, if the file is replaced,
the sandbox will see the new file.
To make this work we add new --bind-nofollow and
--ro-bind-nofollow options to mkosi-sandbox.
Luca Boccassi [Tue, 26 May 2026 16:36:29 +0000 (17:36 +0100)]
nspawn: do not fail if --forward-journal is not available
--forward-journal is only available in 261, which means we cannot use the
current mkosi main in the systemd stable branches. Check the version and
fallback to the previous implementation if it's older.
Luca Boccassi [Tue, 26 May 2026 10:58:36 +0000 (11:58 +0100)]
tools: move grub-pc-bin to arch-specific drop-in
2026-05-26T09:06:43.9842316Z Package grub-pc-bin is not available, but is referred to by another package.
2026-05-26T09:06:43.9842760Z This may mean that the package is missing, has been obsoleted, or
2026-05-26T09:06:43.9843062Z is only available from another source
2026-05-26T09:06:43.9843221Z
2026-05-26T09:06:43.9867449Z E: Package 'grub-pc-bin' has no installation candidate
Michael Vogt [Wed, 13 May 2026 16:03:13 +0000 (18:03 +0200)]
fedora: allow Snapshot= for any kojipkgs-style mirror
The Snapshot= setting was gated to Release=rawhide and
Mirror=https://kojipkgs.fedoraproject.org with two hard die() checks,
but the URL builder underneath works for any release and any mirror
that mimics the koji compose layout.
So this commit drops the restrictions and just assuems a koji style
layout when snapshot is used. With that any koji style snapshot
can be used.
Daan De Meyer [Tue, 19 May 2026 20:15:49 +0000 (20:15 +0000)]
postmarketos: Persist fetched keyring across Contexts
Extract the fetched alpine-keys/postmarketos-keys apks straight into
context.keyring_dir so the trusted keys survive between Contexts (e.g.
when building an image after sync_repository_metadata). The per-Context
sandbox_tree is discarded between phases, so writing only there would
cause the keys to disappear before setup() needs them. setup() now does
all the arch-specific key selection, reading from
context.keyring_dir/usr/share/apk/keys/<arch>/ as well as the tools tree.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Daan De Meyer [Tue, 19 May 2026 14:33:21 +0000 (14:33 +0000)]
sandbox: split CLI and library entry points to fix console-script execution
When installed via pip/pipx/Nix, the mkosi-sandbox console-script calls
main() with __name__ == "mkosi.sandbox" rather than "__main__", so the
old is_main() check returned False and refused to execvp a trailing
command. Fix this by separating the two responsibilities: enter() is the
library function that sets up the sandbox in the current process and
returns any trailing argv, while main() is the CLI wrapper that calls
enter(), prints friendly error messages carried on a new SandboxOSError,
and execvp's the command. The console-script entry point points at
main() and works regardless of how it is invoked.
Fixes: https://github.com/systemd/mkosi/issues/4303 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Daan De Meyer [Tue, 19 May 2026 12:43:46 +0000 (12:43 +0000)]
Make full $PATH available when building tools tree
There's no risk of issues where stuff from $PATH expects
/usr from the host when building the tools tree or not using
it at all, so make the full $PATH available in that case.
This allows stuff like downloading apk to ~/.local/bin and
building postmarketos images.
To make this work we also have to mount /home into the sandbox.
This shouldn't be an issue generally. We don't expect tools to
accidentally pick stuff up from /home unless actually intended.
Daan De Meyer [Tue, 19 May 2026 13:01:15 +0000 (13:01 +0000)]
apk: Implement repository_key_fetch for the postmarketOS distribution
When repository_key_fetch is enabled, fetch the alpine-keys and postmarketos-keys
packages with --allow-untrusted, extract them, and copy the trusted public keys
into /etc/apk/keys/ in the sandbox tree so subsequent installs verify normally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Daan De Meyer [Sun, 17 May 2026 14:03:59 +0000 (14:03 +0000)]
mkosi-initrd: Trim orphaned GPU/audio modules, add ACPI platform attrs
The DRM and sound helpers (drm_buddy, drm_display_helper, ttm, intel-gtt,
mxm-wmi, snd-intel-dspcfg, snd-soc-hda-codec) had no actual KMS/audio
driver in the include list to pull them in, and there is no audio/GPU
userspace running in the initrd anyway. uvc and videobuf2-* are USB
webcam plumbing, also unused. Add firmware_attributes_class and
platform_profile so udev does not log autoload failures for those on
modern laptops.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Daan De Meyer [Thu, 14 May 2026 07:46:44 +0000 (09:46 +0200)]
mkosi-tools: Add fish to misc profile
Now that fish supports SHELL_PROMPT_PREFIX, it becomes more
viable again to run mkosi box -- /bin/fish since it will now
properly show that a box environment was entered. Hence let's
put it in the misc profile so that it is easily available in the
box environment.
Daan De Meyer [Thu, 14 May 2026 08:17:01 +0000 (08:17 +0000)]
box: Drop background tinting
Now that we have $SHELL_PROMPT_PREFIX integration,
let's drop the background tinting. Especially since it
doesn't quite nest all that well yet and we often invoke
nspawn and such from within mkosi box which does its own
background tinting.
Daan De Meyer [Mon, 11 May 2026 19:43:56 +0000 (21:43 +0200)]
vmspawn: Forward journal-remote settings to vmspawn
Pass the same MaxUse/KeepFree/MaxFileSize/MaxFiles settings to vmspawn
via its new --forward-journal-* options that we configure in
systemd-journal-remote.conf for qemu.
Daan De Meyer [Mon, 11 May 2026 19:47:19 +0000 (21:47 +0200)]
nspawn: Use --forward-journal instead of running journal-remote ourselves
systemd-nspawn now supports --forward-journal with matching
--forward-journal-max-use, --forward-journal-keep-free,
--forward-journal-max-file-size and --forward-journal-max-files options,
so let it run systemd-journal-remote itself instead of doing it ourselves
via a bind-mounted unix socket.
Clayton Craft [Fri, 8 May 2026 02:47:55 +0000 (19:47 -0700)]
apk: skip removal of packages that aren't installed
This fixes a failure when RemovePackages= listed package that wasn't
installed. The installed package database is queried first, and filter
to only packages that are actually present before calling apk del.
The query matches against both name and provides fields so packages
specified by a provider name are also found.
This omits armhf, which is armv6, since mkosi only knows a single
architecture for all 32-bit ARM variants. It is eventually going to be
removed upstream anyways, so let's not bother with it.
apk: Fix EBUSY in sync() when context.root is a mount point
sync() temporarily moved context.root out of the way to get an empty
directory to run apk against without touching the image root. This fails
when context.root is a mount point, e.g. when Overlay= is enabled:
Previously --cache-max-age was unconditionally applied in install()
and scripts(), suppressing metadata refresh even with CacheOnly=never.
This updates it to respect the CacheOnly config option instead.
This does not work as a per distribution CacheKey= means that
we can switch between distributions without invalidating caches,
meaning the output files won't be removed yet will still be those
of the previous distribution rather than the new one.
Revert for now until I figure out a better approach.
Avoid invalidating all caches on mid-build-failure recovery
Previously, repository_metadata_needs_sync() returned True whenever any
Cacheonly=auto image lacked a cache, which caused run_clean() to wipe
every image cache to avoid partial-upgrade scenarios. As a result, if
mkosi was building several images for the first time and one of them
failed mid-way, the next run would re-sync metadata, wipe the caches of
the images that had already succeeded, and rebuild everything from
scratch.
Use the manifest file as a "previously cached" marker — it's written
when an image builds successfully and survives even after the cache
contents go stale — and only re-sync metadata (and invalidate all
caches) when every incremental image was previously cached and at least
one of them is now out of date. In the mid-build-failure case, the image
that failed never wrote a manifest, so we don't trigger the re-sync and
the surviving caches are preserved.
For all-non-incremental setups we keep the previous behavior of always
syncing — there are no caches to preserve and every build downloads
packages. In a mixed setup, the non-incremental images are ignored by
the heuristic and may eventually fail because of stale metadata, but
that's the cost of mixing them with incremental images we want to
preserve.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nspawn: Drop logic to run systemd-repart on the image before booting
This bit still requires root and it's unlikely we'll ever be able to
make it work unprivileged. Instead we should probably do something with
mstack in the future instead. But for now let's drop this logic so that
booting (verity signed) disk images works unprivileged on systems with
nsresourced and mountfsd.
Fall back from nsresourced on UserNamespaceInterfaceNotSupported
This fixes an issue with running mkosi on postmarketOS, where mkosi
was failing if nsresourced was unable to initialize BPF support. The
error is treated the same as InvalidParameter so mkosi falls back to an
unprivileged user namespace when the kernel lacks BPF LSM support.
Work to enable BPF LSM support there is ongoing[1].
Build UKI when making directory images with Bootable=auto
qemu supports direct kernel booting UKI images with virtiofs as the
rootfs so let's make that work by building UKIs if we're building
directory images with Bootable=auto. Importantly, we build a UKI
without an initrd in that case so that the time consuming step of
building the initrd is still skipped.
Add DriveType= setting for qemu root disk device type
Add a new DriveType= setting that allows configuring the device type
used for the root disk when booting a virtual machine with qemu. The
supported types are virtio-blk (default, preserving existing behavior),
virtio-scsi, and nvme.
Previously, the only way to use nvme was by manually adding qemu device
arguments via QemuArgs=. This makes nvme a first-class option.
When Removable= is enabled, the drive type is forced to virtio-scsi
regardless of the DriveType= setting, preserving existing behavior.
Signed-off-by: Christian Brauner <brauner@kernel.org>
Daan De Meyer [Sat, 28 Mar 2026 15:10:51 +0000 (15:10 +0000)]
detect_distribution: Fall back to default_release() when VERSION_ID is unset
Some distributions like Arch Linux don't set VERSION_ID in their
os-release file (they use BUILD_ID=rolling instead). This caused
detect_distribution() to return None for the release, which had two
consequences:
1. The MKOSI_HOST_RELEASE environment variable was never propagated
into sandbox/box environments (since the truthy check at the
sandbox setup skipped it), losing host release information.
2. The cache key specifier &r expanded to an empty string, producing
cache paths like arch~~x86-64~main.cache instead of the expected
arch~rolling~x86-64~main.cache.
Fix this by falling back to the distribution's default_release() in
detect_distribution() when VERSION_ID is not available. This also
allows simplifying the hr is not None guard in config_default_release()
to a simple truthy check, since detect_distribution() now always
returns a release for known distributions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Daan De Meyer [Fri, 27 Mar 2026 13:57:28 +0000 (14:57 +0100)]
vmspawn: Add support for FirmwareVariables=
Use vmspawn's new --firmware=describe to query the selected firmware
description as JSON, and extract the NVRAM template path from it. This
avoids duplicating vmspawn's firmware selection logic in mkosi.
The NVRAM template is then prepared via finalize_firmware_variables()
(handling custom cert enrollment, MOK enrollment, or plain copy) and
passed to vmspawn via --efi-nvram-template.
We also pass --firmware-features to vmspawn so it selects the right
firmware description (e.g. secure-boot, enrolled-keys).
As part of this, finalize_firmware_variables() is refactored to accept
the vars template Path directly instead of the full OvmfConfig, with
the vars format logic moved to the run_qemu() caller since vmspawn
does not need it.
Andre Wagner [Wed, 25 Mar 2026 10:47:29 +0000 (11:47 +0100)]
Allow multiarch in mkosi.sources
If the mkosi.sources contains other package sources for other
architectures (e.g. armhf or arm64 from ports.ubuntu.com)
than the architecture it is build for (e.g. amd64), then
apt will fail because of package conflicts of the form:
Even if the versions meantioned there are exactly the same
and apt is run with:
APT::Architecture="<debbuildarch>" and APT:Architectures="<debbuildarch>"
So adding ?architecture(<debbuildarch>) really forces
<buildarch> on all packages, the packages for other architectures
are not considered anymore and building succeeds.
The underlying problem seems to be that ?essential apt-pattern
(and perhaps all other apt-patterns) do not filter with
APT::Architecture(s)
Jörg Behrmann [Thu, 26 Mar 2026 08:31:53 +0000 (09:31 +0100)]
Add /usr/local/bin to PATH
While things installed in images can be controlled by the image creator and
should go to /usr/bin, they can't always control where tools install things and
so adding /usr/local/bin to PATH is an often needed workaround.
Daan De Meyer [Mon, 23 Mar 2026 19:43:29 +0000 (20:43 +0100)]
Allow booting directory images owned by root if running as root
Alternative to #4214. While we still don't support booting images
built as non-root uids without the foreign UID range, we can make
an exception for images built and booted as root.
Daan De Meyer [Mon, 23 Mar 2026 19:58:41 +0000 (20:58 +0100)]
qemu: Drop support for booting with BIOS firmware
We want to drop support for mkosi qemu sooner rather than later and
rely on systemd-vmspawn. Since we won't add BIOS firmware support
to systemd-vmspawn, let's drop support for booting with BIOS firmware.
This is quite useful to figure out what configuration is used.
(I considered adding an option to allow arbitrary mkosi verbs.
But most verbs either don't make sense or don't work. E.g. 'shell'
could be potentially useful but it doesn't support cpio atm. So
limiting this to 'summary' for now seems OK. Having an easy way
to show the config will be useful even if we add a more generic
hookup into mkosi later.)
config: change comma|newline separators to comma|whitespace
Configuration like 'FirmwareFiles=intel/ibt-0093-* intel/ipu/*' would be
interpreted as a single word. This is surprising and not useful. In
practice, none of the names that we use should ever have a space in
them. Change the parsing for host names, profile names, artifact output
lists, includes, dependency names, scripts, repository names, manifest
formats, repart directories, packages, package directories, trees, files
to remove, uki profiles, initrds, device trees, module and firmware
include/exclude lists to accept any-whitespace|comma instead of just
newline|comma as separators.
(The parsers that used space|newline as separators are not touched.)
Arguably, this is a compat break. But I think it's unlikely to matter in
any practical case and the removal of the surprising behaviour is more
important. The case where a space would be most likely to be used is
RemoveFiles… Fortunately that setting takes a glob so the user can just
"escape" the path with space as '?' or something to make it work.
This makes the callers a bit simpler because then they don't need
to do explicit conversions of the returned object.
There are a few callers which previously turned the value into a
set, and one other caller which passed the value to make_cpio,
which turns it into a list with sorted(files). So the change should
be a noop.
The tools that mkosi invokes are often quite verbose. So let's also
print what those executed commands are by default. This makes it
easier to figure out what is going on and doesn't change the total
number of printed lines too much.
projects / thirdparty / mkosi.git / log
