Let's leave it to bwrap() to set up any sandboxing that we need.
Let's also add a bit more sandboxing to bwrap(), to avoid details
from the host accidentally leaking into the image builds.
This was removed when we had a brief experiment with running everything
with bwrap(), but since we don't do that anymore, let's add this back
to make chroot detection work again.
I initially added this because no shell is pulled into the initrd
by default on gentoo when just installing systemd and util-linux.
Since this seems to override other distro's default shell, let's
limit this to just gentoo and rely on other distros pulling in a
shell via dependencies.
- Drop --update, we never want to update packages, only install new
ones
- Drop --changed-use and --new-use, these apply to updating an existing
system, we're always installing a new one
- Drop --deep and --complete-graph-if-new-use, these don't seem to
have any noticeable effect
- Move getbinpkg from FEATURE to emerge CLI option --getbinpkg
- Do not disable spinner and candy option
- Explicitly disable all sandboxing features
This function is intended to be a more efficient way of moving trees
than shutil.move(). Specifically, it will use reflinks and btrfs
snapshots if possible to make copying more efficient.
Rename btrfs.py to tree.py and move copy_path() into it
Let's hide btrfs subvolumes as an implementation detail in a new
tree module. We have two functions, make_tree() and copy_tree()
(renamed from copy_path()), which will both take advantage of btrfs
subvolumes if configured to do so.
We also extend copy_tree() to not try to snapshot files.
gentoo: Set FEATURES by appending to /etc/portage/make.conf
Setting via the environment variable doesn't work in all cases, so
let's append to /etc/portage/make.conf instead. This allows us to
get rid of the custom devtpms for portage as it doesn't try to chown
tty's anymore now that userpriv is actually disabled.
Drop filesystem_options() and make xfs default for centos again
Requires https://github.com/systemd/systemd/pull/26541 but after that
building XFS root filesystems will work reliably again and we can use
xfs as the default filesystem for centos which removes the need for
filesystem_options().
gentoo: Use bwrap() instead of run_workspace_command() to run emerge
Similar to the other distros, run the package manager with bwrap()
instead of run_workspace_command(). Also disable the sandboxing of
emerge as we do it in mkosi already.
This also reworks the mirror specification for centos and related
distros to duplicate less code. gpgurls of the Repo() struct is also
made into a tuple instead of a list.
- Instead of forking, use spawn() to start the newuidmap, newgidmap
processes early
- Instead of multiprocessing.Event(), use flock to handle the necessary
locking
- Add some more information on what we're doing
- Move running modinfo and calculating dependencies out of the files()
generator so that the "Making cpio" step doesn't include running modinfo
and calculating the dependencies.
Let's run setfiles on the host instead of inside the image. To make
this work, we have to explicitly tell it to use the binary policy
from the image to check contexts against.
Rework user/mount namespace handling and tools tree
The biggest change is that instead of making bwrap() responsible
for mounting the tools tree, we do it ourselves before we build/boot
each image. We do the same for remounting the top level directories
read-only, instead of leaving it to bwrap(), we do it once at the
start of run_verb(). Because we now mess with the host system mounts
ourselves again, we also go back to unconditionally unsharing a mount
namespace, even when running as root.
With the above out of the way, there's no real reason left to run
regular executables with bwrap(), so those are moved back to be
executed using run(). The above changes also remove the need for
bwrap_cmd(), so it is merged back with bwrap() again.
One nasty caveat of overmounting /usr ourselves at the start of
execution is that some python modules are loaded dynamically and we
need to make sure this has happened before we start overmounting /usr.
Finally, this commit also gets rid of running the image build in a
subprocess. Instead, after doing the build and doing the final tools
tree mount for the image we're going to boot/qemu/ssh into, if we're
going to do an unprivleged operation, we change uid/gid to the invoking
user. This is more or less the same as running these operations unprivileged
outside of the user namespace.
For boot/shell, these only run privileged, so we check beforehand
that we're running as root, and this doesn't change after become_root(),
so since we're just root all the time, there's no need to run the image
build in a subprocess.
To keep ssh working, we have to trick it into recognizing our user in
the user namespace by overmounting /etc/passwd with a file containing
an entry for the mapped user uid.
We also unify more of the uid/gid handling in run_verb() in general.
Allow overriding the python interpreter used by mkosi
e.g. on CentOS 8 python3 is python 3.6. python 3.9 can be installed,
but it'll be installed as python3.9, so we need a way to override the
interpreter used by mkosi.
systemd on Fedora prefers to install util-linux-core instead of
util-linux which doesn't ship sulogin which makes starting
emergency.service enter an infinite loop. Let's make sure util-linux
is installed so sulogin is available in the initrd.
Add scripts support to bwrap() and use it for chrooting
The new scripts argument to bwrap() allows providing a mapping of
script names to command lines. Each of these becomes a script in a
directory that's prepended to PATH before executing the command
given to bwrap(). This allows us to make extra commands available
to scripts we execute with bwrap().
The first usage of this is to replace the extra argument which is
used to provide the extra arguments to chroot into the root directory.
Instead, we provide a chroot script and use that in the command line
we pass to bwrap() to perform the chroot.
Implement run_workspace_command() on top of bwrap()
Instead of duplicating the apivfs setup between bwrap() and
run_workspace_command(), let's make bwrap() responsible for setting
up the apivfs and implement chrooting on top of it. Specifically,
to chroot, we just run bwrap nested to do the chroot and any
additional setup before running the actual command. This is implemented
in the new chroot_cmd() function which returns the command to do the
chroot. This also sets the stage for running scripts on the host and
somehow providing the chroot_cmd() command to scripts to use themselves
to run something inside the root directory.
To keep --debug-shell working smoothly for scripts, we pass the chroot
command as a new extra argument to bwrap() so we can also apply it when
starting the debug shell.
We also rework the /etc/resolv.conf bind mounting so we don't have
to do any cleanup after the command finishes.
Replace kwargs from bwrap with individual arguments
kwargs makes it impossible for mypy to point out wrong arguments
so let's drop it in favor of individual arguments to get more out
of the type checker.
It only has to be in front of the cmd specific options, which in
our case was only --allowerasing, so since that's gone now, let's
put the command last again.
logdir= is always taken relative to the installroot. Let's leave it
at it's default value and remove any log files from the install root
after running dnf.
Beef up --kernel-command-line-extra= defaults a little bit
Let's provide a better experience out of the box when booting an image:
- Always blacklist vmw_vmci so it can't interfere with vsock
- Always pull in network-online.target
- Configure systemd-network-generator for enp0s1 and host0 if not
configured explicitly
- Use a default loglevel where only warnings or higher are logged to
the serial console by the kernel
- Set SYSTEMD_SULOGIN_FORCE=1 unless configured explicitly so users
get a shell in the initrd if something goes wrong, even if no root
password is configured
We generally don't use environment variables passed to the process,
but let's be a little more relaxed on this policy and make sure we
use any configured proxy variables so mkosi works out of the box on
servers behind a proxy.
CentOS Stream 9 is still on bwrap 0.4 which is unfortunately still
important so let's add back support for bwrap 0.4. Luckily, instead
of doing awkward template formatting, shells pass extra arguments
received when "-c" is used as arguments to the invoked command, so
we can make use of that to keep the same API for bwrap_cmd().
ubuntu: Enable universe repository by default on kinetic and later
From kinetic onwards, the usr-is-merged package is available and
has to be installed to get a proper usrmerge system but for some
reason it's in the universe repository so we enable the universe
repository by default from kinetic onwards so we can install the
usrmerge package.
Currently, when you want to build multiple projects together, you
have to make the other projects subdirectories of the one with the
mkosi config, which is inconvenient. To make this more flexible, let's
allow specifying multiple source trees and where to mount them under
/work/src so that multiple projects can be mounted in a fixed location
regardless of their location on the host.
centos: Add Special Interest Group (SIG) repositories
See https://wiki.centos.org/SpecialInterestGroup for more information
on SIGs. This commit only adds the Hyperscale SIG repositories. More can
be added later on an as-needed basis.
Protect common system directories when running with bubblewrap
Let's make sure that even when we run as root the tools we run
can't brick the system by making core system directories read-only
bind mounts when running tools with bubblewrap.
As an example of the stuff this protects again, let's say a package
installs an absolute symlink to /usr and in the finalize script a
user tries to remove everything under this symlink, they'll end up
erasing /usr from their host system. By making /usr read-only, we
prevent this from happening.
projects / thirdparty / mkosi.git / log
