We generally don't use environment variables passed to the process,
but let's be a little more relaxed on this policy and make sure we
use any configured proxy variables so mkosi works out of the box on
servers behind a proxy.
CentOS Stream 9 is still on bwrap 0.4 which is unfortunately still
important so let's add back support for bwrap 0.4. Luckily, instead
of doing awkward template formatting, shells pass extra arguments
received when "-c" is used as arguments to the invoked command, so
we can make use of that to keep the same API for bwrap_cmd().
ubuntu: Enable universe repository by default on kinetic and later
From kinetic onwards, the usr-is-merged package is available and
has to be installed to get a proper usrmerge system but for some
reason it's in the universe repository so we enable the universe
repository by default from kinetic onwards so we can install the
usrmerge package.
Currently, when you want to build multiple projects together, you
have to make the other projects subdirectories of the one with the
mkosi config, which is inconvenient. To make this more flexible, let's
allow specifying multiple source trees and where to mount them under
/work/src so that multiple projects can be mounted in a fixed location
regardless of their location on the host.
centos: Add Special Interest Group (SIG) repositories
See https://wiki.centos.org/SpecialInterestGroup for more information
on SIGs. This commit only adds the Hyperscale SIG repositories. More can
be added later on an as-needed basis.
Protect common system directories when running with bubblewrap
Let's make sure that even when we run as root the tools we run
can't brick the system by making core system directories read-only
bind mounts when running tools with bubblewrap.
As an example of the stuff this protects again, let's say a package
installs an absolute symlink to /usr and in the finalize script a
user tries to remove everything under this symlink, they'll end up
erasing /usr from their host system. By making /usr read-only, we
prevent this from happening.
Currently, mkosi image builds can differ depending on the host they
were built from. This can happen because we execute all kinds of
binaries to build the image and depending on the host these binaries
can differ. Usually, it's different versions of tools causing issues,
but it can also be due to different build configurations, such as rpm
writing its database in a different format depending on whether it's
executed from CentOS, Fedora, or Opensuse.
To allow for more reproducibility in image builds regardless of the
host system, this commit adds a new option --tools-tree= that allows
specifying a tree in which we look up most of the programs that we
execute during an image build.
Of course, that still leaves the question of what tree should be passed
to --tools-tree=. To solve that problem, --tools-tree= can be used
together with presets, so that as the first preset, a "bootstrap" image
can be built which can then be used with --tools-tree= in later presets.
Note that we only use /usr from the given tree. If tools end up using
config files from /etc or such, we expect those tools to expose a knob
to specify a different configuration file (instead of us overmounting
/etc).
Note that in a few cases, we don't yet execute tools in the given tree:
- systemd-analyze in GenericVersion() can't be executed in the tree
because it could be executed during config parsing when we don't
know the tree to use yet.
- newuidmap/newgidmap have to be executed before we can run
bubblewrap so we can't run them in bubblewrap itself
- Figuring out the credentials is inherently tied to the host system
so we execute all scripts and tools to figure out credentials on
the host system as well
- mount because bubblewrap does not propagate mounts to the real root
so any mounts we do within bubblewrap don't survive the bubblewrap
process
- systemd-dissect for the same reason
Use stat tool to check if we're on a btrfs subsystem
Currently, we let the btrfs tool log errors when we're not on a
btrfs filesystem. Let's avoid unnecessary errors by checking if we're
on a btrfs filesystem before invoking the btrfs tool.
Drop shell workaround in bwrap() and run_workspace_command()
Let's use --perms and --chmod to fix the permissions of /tmp, /var/tmp
and /dev/shm instead of our hacky shell workaround. Let's also drop
all usage of shlex.join() in run() since it doesn't really by us anything.
Daan De Meyer [Tue, 27 Jun 2023 11:40:43 +0000 (13:40 +0200)]
Gentoo fixes
- Use boot use flag for systemd instead of gnuefi
- Add --deep to emerge invocation to fix dep resolution failures
- Use curl to download stage3 tarball so we get a progress bar
- Do not exclude dev, proc and sys directories when extracting tarball
(only exclude their contents)
- Copy pkgmngr/ directory into stage3/ directory wholesale instead of
individual files
- Various coding style fixes
- Stop using Repositories= to specify binary package repositories as it
is not its intended purpose. Instead, pass configured environment
variables to emerge so users can set PORTAGE_BINHOST instead.
Daan De Meyer [Tue, 27 Jun 2023 14:04:58 +0000 (16:04 +0200)]
Use systemd-repart's new --offline argument
When building images, we never want to use loop devices, so use
--offline=yes in that case. When booting images, we know that
systemd-nspawn requires loop devices, so require them for
systemd-repart as well using --offline=no.
Paymon MARANDI [Tue, 20 Jun 2023 15:41:05 +0000 (11:41 -0400)]
gentoo: hardcode stage3 path
2 more things:
- bring back cache_clean so we extract stage3 once. that also means
configure pkgmngr once
- add ./proc to exclusion list during extraction
Paymon MARANDI [Thu, 25 May 2023 13:19:34 +0000 (09:19 -0400)]
gentoo: default to btrfs
Given that mkosi is *bespoken* and since it leverages features from
btrfs in some configurations we switch to btrfs by default.
Gentoo doesn't actually care one way or the other what the undelying fs
is and ext4, previous default, was in fact an arbitrarily choice (a
copy-pasted from some other distro's module).
Marius Schiffer [Fri, 16 Jun 2023 10:00:53 +0000 (10:00 +0000)]
Add support for ukify config at /etc/kernel/uki.conf.
This allows specifying further options, e.g. a splash image for the
generated UKI file, given to ukify.
Ukify is run from the same working directory as mkosi itself,
so given paths in the ukify config can be relative to this.
config: reword help message for --root-{password,shell}
"system root" doesn't seem right, because it sounds like we're talking about
the file system. We would often say just "root password", but that's nor
gramatically correct. "root's password" would be correct, but seems strange.
So let's rephase this to avoid the awkwardness.
@@ -85,6 +85,6 @@
- --bootable [FEATURE] Generate ESP partition with systemd-boot and UKIs for
- installed kernels
--kernel-command-line OPTIONS
Set the kernel command line (only bootable images)
+ --bootable [FEATURE] Generate ESP partition with systemd-boot and UKIs for
+ installed kernels
Daan De Meyer [Tue, 20 Jun 2023 15:40:49 +0000 (17:40 +0200)]
Add "none" output format
This is a re-implementation of the --skip-final-phase option, but
instead of doing it via an option, we do it via a new output format,
which feels much more natural. In combination with mounting the
staging directory into the build script, this allows using mkosi to
produce arbitrary artifacts using the build script.
Daan De Meyer [Tue, 20 Jun 2023 15:24:12 +0000 (17:24 +0200)]
Mount staging directory into build script
The build script might produce additional outputs, so let's allow
the user to funnel those out of the container by mounting the staging
directory and setting the OUTPUTDIR environment variable.
Daan De Meyer [Tue, 20 Jun 2023 14:07:49 +0000 (16:07 +0200)]
Remove --install-directory= option
We don't benefit from the caching anymore since we started emptying
the directory completely on reuse as otherwise old leftover files
might get installed. Without the caching, the option does not have
a ton of use anymore, so let's remove it.
Daan De Meyer [Wed, 14 Jun 2023 15:41:32 +0000 (17:41 +0200)]
Run systemd-repart before booting image with systemd-nspawn
To match the behavior when running in qemu, let's run systemd-repart
on the image before running it in systemd-nspawn to make sure that
all the necessary partitions are added if the image has repart
definition files included.
Daan De Meyer [Tue, 13 Jun 2023 13:45:11 +0000 (15:45 +0200)]
qemu: Use SOCK_STREAM for notify socket
The CentOS 8 Stream kernel does not support SOCK_SEQPACKET for
AF_VSOCK so let's use SOCK_STREAM instead and explicitly instruct
systemd running in the VM to use SOCK_STREAM as well.
Daan De Meyer [Mon, 12 Jun 2023 13:12:01 +0000 (15:12 +0200)]
Ensure we return the same exit code in debug mode
When running in debug mode, we shouldn't return a different exit
code compared to when we run outside of debug mode.
A trivial example is when running the boot or qemu verbs where we
exit with the exit code of the container/VM by raising an instance
of CalledProcessError. In --debug mode, this exception is handled
as an unhandled exception by the python runtime which always exits
with 1 when an unhandled exception is encountered, whereas outside
of debug mode we exit with the value contained in
CalledProcessError.returncode.
With this commit, we'll always exit with the return value in
CalledProcessError.returncode.
projects / thirdparty / mkosi.git / log
