Daan De Meyer [Mon, 4 Mar 2024 09:15:09 +0000 (10:15 +0100)]
Don't mount pkgmngr/ when installing trees
If we're copying from the host's /etc, the mounts get very weird as
we end up mounting over the directory we're copying from. Let's avoid
the weirdness by using the Config sandbox instead of the Context sandbox
which means we don't mount anything from the pkgmngr directory.
Daan De Meyer [Fri, 23 Feb 2024 15:27:50 +0000 (16:27 +0100)]
Set DISTRIBUTION= and RELEASE= when invoking scripts
Until now once could simply source /etc/os-release to figure this
out but this is not possible in sync scripts, so add two new env
variables to expose the distribution and release config options.
Daan De Meyer [Fri, 23 Feb 2024 10:48:11 +0000 (11:48 +0100)]
Use --keep-directory-symlink from cp 9.5 onwards
--keep-directory-symlink instructs cp to not fail when trying to
copy a directory onto a symlink but to follow the symlink instead.
The patch to introduce it was merged into coreutils and will be
available from coreutils 9.5 onwards.
--copy-contents has to be added as well to make
--keep-directory-symlink work. --copy-contents is generally harmless
for our use cases and won't change anything.
We also make sure gpg creates its sockets in /run instead of the
gpg homedir so they don't become part of the image. gpg automatically
uses /run if /run/user/uid exists so we create /run/user/0 to satisfy
that check.
Daan De Meyer [Fri, 23 Feb 2024 11:34:50 +0000 (12:34 +0100)]
Stop using /etc/crypto-policies from host or tools tree
Instead we provide our policy for rpm-sequoia that generally follows
the sequoia default policy except SHA1 is allowed as various distributions
still use SHA1 in their GPG keys.
Daan De Meyer [Thu, 22 Feb 2024 07:47:52 +0000 (08:47 +0100)]
Only mount ephemeral build sources for package managers when running as root
If we're not running as root, we won't have permissions to do the overlay
mount. Hopefully bubblewrap will eventually get overlayfs support which would
make this possible.
Daan De Meyer [Wed, 21 Feb 2024 17:47:33 +0000 (18:47 +0100)]
Write a default /etc/passwd to the package manager tree
Tools like git and ssh need to be able to resolve a user so let's
make sure we write a passwd file containing information on the
invoking user and root.
We also move creation of the /var/log directory into
install_package_manager_trees().
Daan De Meyer [Wed, 21 Feb 2024 17:42:12 +0000 (18:42 +0100)]
Various scripts fixes
- Lazy evaluate mkosi-as-caller so it uses the right uid as the
uid/gid of INVOKING_USER change after become_root()
- Mount the host scripts to /scripts so we don't run into permission
errors when trying to use the scripts with mkosi-as-caller
- Don't add the package manager scripts by default
- Don't remove /scripts from PATH in a script if the name of the
script does not have the same name as a tool in PATH so that one
script can call another
Daan De Meyer [Mon, 19 Feb 2024 12:31:55 +0000 (13:31 +0100)]
Give CentOS SIG repositories a higher priority
CentOS SIGs often ship rebuilds of existing packages which can get
out of date when CentOS 9 Stream ships a newer version. Let's make
sure that the SIG rebuild is still installed by giving all SIG
repositories a priority of 50.
Daan De Meyer [Sun, 18 Feb 2024 21:11:38 +0000 (22:11 +0100)]
ubuntu: Switch default release to noble
lunar is EOL. Mantic is broken because systemd-gpt-auto-generator
is missing. We can either change the default back to Jammy or move
forward to Noble. Let's go for the second option as Noble will
release in about two months.
Daan De Meyer [Sun, 18 Feb 2024 14:48:59 +0000 (15:48 +0100)]
Make sure to include the /usr/lib/firmware directory
When creating a cpio, all parent directories have to be included
separately as well. We already did this properly for the parent
directories of the kernel modules directory but not yet for
/usr/lib/firmware which this commit fixes.
Daan De Meyer [Tue, 26 Dec 2023 15:35:49 +0000 (16:35 +0100)]
Have systemd-repart generate fstab and crypttab if requested
If systemd-repart is new enough, let's specify --generate-fstab= and
--generate-crypttab= so that these files are automatically generated
and included in the disk image if the corresponding new settings are
used in any partition definition files.
We also make sure systemd-repart always uses the same seed by
generating the random seed ourselves instead of leaving it up to
systemd-repart.
See https://github.com/systemd/systemd/pull/30636.
fedora: for rawhide, also load key for FN+1 just in case
See the commit for explanation. This fixes a problem where during
each Fedora upgrades, the local key for rawhide points to e.g. F40,
but Fedora has already branched and rawhide is actually F41.
We may specify an additional key, that will be used a future version,
but that doesn't really matter, we assume all keys as equally good.
Older Fedora versions distributed and used those. No recent
versions do that, but I think they are still generated "just in case".
So let's check for them, in case Fedora decides to use them
again, and so that checking for the very old versions works too.
Daan De Meyer [Thu, 15 Feb 2024 09:01:07 +0000 (10:01 +0100)]
Manifest improvements
- Pass in Context instead of Config
- Fix the sandbox for all the executed commands
- Move complete_step() into record_packages()
- Fix writing of changelog
Daan De Meyer [Fri, 16 Feb 2024 08:43:02 +0000 (09:43 +0100)]
Introduce is_x86_variant() and is_arm_variant()
Let's make sure we always check for both the 64-bit and the 32-bit
variant where it makes sense to do so. Also make sure the Debian
default image can be built for x86.
Daan De Meyer [Thu, 15 Feb 2024 18:52:59 +0000 (19:52 +0100)]
Configure rpm dbpath using rpm macro
Let's get rid of all our cruft for fixing up the rpmdb location
after running rpm by simply making sure it gets written to the right
location in the first place.
Daan De Meyer [Thu, 15 Feb 2024 09:43:48 +0000 (10:43 +0100)]
Make package manager invoke() methods return the result
We also move the rpm database fixup call to the install() method
of the distribution so we don't try to do it every time we invoke
the package manager as it only needs to be done once.
Daan De Meyer [Wed, 14 Feb 2024 15:51:26 +0000 (16:51 +0100)]
Use a private file for the newuidmap/newgidmap locking dance
Using a publicly accessible file such as /etc/subuid means that other
applications can interrupt mkosi's operation by taking the lock
themselves, so let's lock a private temporary file instead which only
mkosi's user can lock.
Daan De Meyer [Wed, 14 Feb 2024 08:53:45 +0000 (09:53 +0100)]
Add used package manager to cache manifest
If the package manager changes, the cache is invalid as the
repository metadata directories change as well, so let's invalidate
the cache when that happens.
Daan De Meyer [Tue, 13 Feb 2024 20:24:42 +0000 (21:24 +0100)]
docs: Make "Building rpms from source" non-dnf specific
Let's make the doc non-dnf specific by not relying on dnf builddep
and using mkosi-install to install packages. This allows using the
same logic for opensuse images.
We also simplify things by only installing --buildrequires since
trying to cache --requires from the rpm spec isn't very useful as
most of the --requires dependencies are automatically generated and
won't be listed by rpmspec --requires in the first place.
Daan De Meyer [Tue, 13 Feb 2024 15:06:31 +0000 (16:06 +0100)]
Add Ubuntu Focal support to default image
We install fewer packages that are not available on Focal and make
sure to configure repart to disable an ext4 default feature that
isn't supported by the Jammy and Focal kernels.
Daan De Meyer [Tue, 13 Feb 2024 11:26:46 +0000 (12:26 +0100)]
Fail early with a clear error if keyring does not exist
We also introduce listify() and apply it to all repositories()
functions to make them return lists instead of generators to avoid
tripping up on the fact that generators can only be iterated once.
projects / thirdparty / mkosi.git / log
