From: Daan De Meyer
Date: Mon, 29 Apr 2024 20:13:11 +0000 (+0200)
Subject: mkosi: Introduce particle profile
X-Git-Tag: v256-rc2~156^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7c8507977e51df90aa929852af3d74c1d06be95;p=thirdparty%2Fsystemd.git

mkosi: Introduce particle profile

Unfortunately the current mkosi partitioning setup is a bit too avant-garde for the integration tests. Both in that distributions aren't ready for it yet (some more than others), and that software which we depend on in the integration tests isn't ready for it yet (e.g. libselinux does not read its configuration from /usr).

Let's switch back to a more boring partioning setup by default but keep the fancy stuff around as a mkosi profile. This means that it can still be used for manually testing stuff by running "mkosi --profile particle -f qemu".
---

diff --git a/mkosi.conf b/mkosi.conf
index b2e8ba62bac..d6bf53ee46d 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -38,7 +38,6 @@ KernelCommandLine=systemd.crash_shell
 
 [Host]
 @Incremental=yes
-@RuntimeSize=8G
 @RuntimeBuildSources=yes
 @QemuSmp=2
 ToolsTreePackages=virtiofsd
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index b124c5c94a7..2f5c8af25b3 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -7,6 +7,7 @@ Dependencies=
 
 [Output]
 @Format=directory
+RepartDirectories=mkosi.repart
 
 [Content]
 Autologin=yes
@@ -61,7 +62,3 @@ Packages=
         xfsprogs
         zsh
         zstd
-
-[Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 79622c83f73..524ffa0de5d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -49,9 +49,6 @@ Packages=
         rpm
         rpm-build
         rpmautospec
-        selinux-policy
-        selinux-policy-targeted
-        setools-console
         squashfs-tools
         util-linux
         vim-common
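Review bot: Dropping `@SecureBoot=yes` and `@SignExpectedPcr=yes` from the `[Validation]` section of mkosi.images/system/mkosi.conf means the default image, and therefore the integration tests run against it, now build without Secure Boot signing and without a PCR signature; those code paths are only exercised when `--profile particle` is selected explicitly (the two settings reappear in the 20-particle/mkosi.conf hunk). If that reduction in default test coverage is intended, it deserves a sentence in the commit message, which currently only talks about partitioning; if not, the `[Validation]` section could stay here and only the repart definitions move into the profile. A one-line comment next to the new `RepartDirectories=mkosi.repart`, such as `# Default single-root layout; the particle profile resets this and supplies its own repart directory.`, would also help a reader who later meets the bare `RepartDirectories=` in the profile drop-in (assuming mkosi resolves that relative path against the drop-in's own directory, as the layout suggests).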
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 00000000000..3dc1143fc84
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+        selinux-policy
+        selinux-policy-targeted
+        setools-console
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 053f11be55c..54f8f1c1bd3 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -3,6 +3,9 @@
 [Match]
 Distribution=centos
 
+[Output]
+RepartDirectories=mkosi.repart
+
 [Content]
 Packages=
         rpmautospec-rpm-macros
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d3a80..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
deleted file mode 100644
index d69ff91cc32..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-g root 0
-g bin 1
-g daemon 2
-g sys 3
-g adm 4
-g tty 5
-g disk 6
-g lp 7
-g mem 8
-g kmem 9
-g wheel 10
-g cdrom 11
-g mail 12
-g man 15
-g dialout 18
-g floppy 19
-g games 20
-g tape 33
-g video 39
-g ftp 50
-g lock 54
-g audio 63
-g users 100
-g nobody 65534
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
deleted file mode 100644
index bea0ab34471..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-u root 0:0 "Super User" /root /bin/bash
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u adm 3:4 "adm" /var/adm -
-u lp 4:7 "lp" /var/spool/lpd -
-u sync 5:0 "sync" /sbin /bin/sync
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u halt 7:0 "halt" /sbin /sbin/halt
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u games 12:100 "games" /usr/games -
-u ftp 14:50 "FTP User" /var/ftp -
-u nobody 65534:65534 "Kernel Overflow User" - -
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
new file mode 100644
index 00000000000..a50de68110e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
+# population of xfs which is required for testing SELinux so let's do ext4 instead.
+Format=ext4
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 00000000000..8c1920b0ce4
--- /dev/null
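Review bot: The new CentOS drop-in is still named `10-root.conf.d/xfs.conf` although its only setting is `Format=ext4`, so the filename contradicts both the content and the comment above it, which explains why xfs was rejected. A reader grepping for the CentOS filesystem override will be misled by the name; naming the file after what it does (for example `format.conf` or `ext4.conf` under the same `10-root.conf.d/`) avoids that. The comment about losing xattrs during rootless xfs population is the valuable part and should move with the file.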
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
similarity index 100%
rename from mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
similarity index 66%
rename from mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
index 71eb9e38c49..2f92af248f3 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -4,5 +4,3 @@
 Type=root
 Format=btrfs
 SizeMinBytes=1G
-Subvolumes=/home /var
-MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
similarity index 100%
rename from mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
new file mode 100755
index 00000000000..f5523983d2e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
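Review bot: The bare `RepartDirectories=` reset in 20-particle/mkosi.conf also discards the `mkosi.repart` directory that 10-centos/mkosi.conf adds (drop-ins are presumably applied in name order, so 10-centos comes first), and the deleted `20-root.conf.d/xfs.conf` override is not recreated under the profile's `repart.d` tree; a CentOS build with `--profile particle` would then get the `Format=btrfs` root from the moved `20-root.conf`, which the removed comment says CentOS does not support. If the profile is simply not meant to work on CentOS, say so on the reset line, e.g. `# Drop the default root-only layout and any distribution drop-ins for it; the particle profile defines its own partitions.`, so the next reader does not have to trace the interaction. If it is meant to work there, the ext4/xfs override needs an equivalent in the profile's `mkosi.extra/usr/lib/repart.d/20-root.conf.d/`.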
@@ -0,0 +1,15 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+    addons_dir=/efi/loader/addons
+    mkdir -p "$addons_dir"
+    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 00000000000..391543d1e78
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/10-usr.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/11-usr-verity.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
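Review bot: `addons_dir=/efi/loader/addons` is now run from a finalize script that does not carry the `.chroot` suffix, and the two lines above it address the image through `"$BUILDROOT"`, so the `mkdir -p` and both `ukify build -o` calls write to `/efi/loader/addons` of the script's own environment rather than into the image. The same lines were correct in mkosi.postinst.chroot, where they executed inside the image; unless mkosi chroots this script after all, the signed and unsigned addons that the "loaded if signed, ignored if not" check depends on will be absent from the ESP. The fix is one line: `addons_dir="$BUILDROOT"/efi/loader/addons`. A short comment that `sbsign` and `ukify` are now resolved outside the image (tools tree or host) rather than from the image's packages would also help, since the `command -v sbsign` guard now tests a different environment than before.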
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
deleted file mode 100755
index 6da35e51380..00000000000
--- a/mkosi.images/system/mkosi.finalize
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 61a8e311e36..43978316fcd 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -65,15 +65,6 @@ fi
 mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
 rm -f /etc/resolv.conf
 
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
-    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-    addons_dir=/efi/loader/addons
-    mkdir -p "$addons_dir"
-    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
-    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
-
 for f in "$BUILDROOT"/usr/share/*.verity.sig; do
     jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
 done
diff --git a/mkosi.images/system/mkosi.repart/10-root.conf b/mkosi.images/system/mkosi.repart/10-root.conf
new file mode 100644
index 00000000000..3c25dbfb14d
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+CopyFiles=/
+SizeMinBytes=8G
+SizeMaxBytes=8G
diff --git a/mkosi.profiles/particle.conf b/mkosi.profiles/particle.conf
new file mode 100644
index 00000000000..5f36d58e4d2
--- /dev/null
+++ b/mkosi.profiles/particle.conf
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# This file exists to create the particle profile which is matched on by other configuration files.
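Review bot: The new default root definition in mkosi.repart/10-root.conf hard-codes `Format=btrfs` and a fixed 8G size without any comment, while the CentOS override to ext4 lives in `10-centos/mkosi.repart/10-root.conf.d/` and the profile-specific layout in `20-particle/`, so the layering is invisible from this file. A header comment would make it discoverable, e.g. `# Default layout: one root partition holding the whole image. Distributions override Format via 10-root.conf.d/ drop-ins; the particle profile replaces this directory entirely.`. It would also be worth noting why the size is pinned with `SizeMinBytes=8G`/`SizeMaxBytes=8G` rather than left to grow, presumably to match the `@RuntimeSize=8G` that the directory-format default previously used.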