Daan De Meyer [Mon, 11 Mar 2024 13:57:58 +0000 (14:57 +0100)]
Rework QemuFirmware=
- Use the qemu official firmware descriptions to look up OVMF
firmware instead of having our own homegrown logic.
- Add QemuFirmware=uefi-secure-boot to explicitly look for firmware
with secure boot support
- Add QemuFirmwareVariables=microsoft to use OVMF variables with
Microsoft keys enrolled
- Add QemuFirmwareVariables=custom to enroll the certificate from
SecureBootCertificate= into the OVMF variables
This commit also contains the changes from a second commit that
was accidentally rebased into this one:
Only use already signed binaries when ShimBootloader=signed
When we're using signed shim, we need to make sure we use already
signed bootloaders, kernel images and UKIs. Anything we sign ourselves
will cause security violations in shim.
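The firmware lookup the first commit describes, as an added example that is not mkosi's own code: it parses qemu firmware descriptor JSON files (the format documented in qemu's docs/interop/firmware.json, normally installed under /usr/share/qemu/firmware and /etc/qemu/firmware) and selects a build according to QemuFirmware= and QemuFirmwareVariables=. The sample descriptors are constructed, and the mapping from those two options to descriptor features ("secure-boot", "enrolled-keys") is this example's own assumption.

```python
"""Select an edk2/OVMF build from qemu firmware descriptors (added example).

Descriptor semantics follow qemu's docs/interop/firmware.json: descriptors are
sorted by file name and the earliest match wins, which is why distributions
ship files named 40-*.json, 50-*.json, 60-*.json.
"""
import fnmatch
import json
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Firmware:
    name: str                       # descriptor file name; decides priority
    executable: str                 # firmware code image (e.g. OVMF_CODE.fd)
    nvram_template: Optional[str]   # variable store template, if the build has one
    interface_types: frozenset
    features: frozenset
    architectures: frozenset
    machines: tuple                 # glob patterns such as "pc-q35-*"


def parse_descriptor(name: str, text: str) -> Firmware:
    """Parse one descriptor file's JSON text into a Firmware record."""
    d = json.loads(text)
    mapping = d["mapping"]
    nvram = mapping.get("nvram-template")
    return Firmware(
        name=name,
        executable=mapping["executable"]["filename"],
        nvram_template=nvram["filename"] if nvram else None,
        interface_types=frozenset(d.get("interface-types", [])),
        features=frozenset(d.get("features", [])),
        architectures=frozenset(t["architecture"] for t in d["targets"]),
        machines=tuple(m for t in d["targets"] for m in t["machines"]),
    )


def select_firmware(descriptors: Iterable[Firmware], arch: str, machine: str,
                    firmware: str = "uefi", variables: Optional[str] = None) -> Optional[Firmware]:
    """Return the highest-priority descriptor matching the requested options.

    Assumed option mapping (this example's, mirroring the commit message):
      firmware="uefi-secure-boot" -> build must advertise "secure-boot"
      variables="microsoft"       -> template must have keys enrolled ("enrolled-keys")
      variables="custom"          -> template must NOT have keys enrolled, so that our
                                     own SecureBootCertificate= can be enrolled into it
    """
    required, excluded = {"uefi"}, set()
    if firmware == "uefi-secure-boot":
        required.add("secure-boot")
    if variables == "microsoft":
        required.add("enrolled-keys")
    elif variables == "custom":
        required.add("secure-boot")
        excluded.add("enrolled-keys")

    for fw in sorted(descriptors, key=lambda f: f.name):
        if "uefi" not in fw.interface_types or arch not in fw.architectures:
            continue
        if not any(fnmatch.fnmatch(machine, pat) for pat in fw.machines):
            continue
        if not (required - {"uefi"}) <= fw.features or fw.features & excluded:
            continue
        return fw
    return None


# Constructed sample descriptors; paths and names are illustrative only.
SAMPLE_DESCRIPTORS = {
    "50-edk2-x86_64-secure-enrolled.json": {
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"],
    },
    "51-edk2-x86_64-secure.json": {
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "requires-smm", "secure-boot"],
    },
    "60-edk2-x86_64.json": {
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
        "features": ["acpi-s3", "verbose-dynamic"],
    },
    "70-edk2-aarch64.json": {
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", "format": "raw"}},
        "targets": [{"architecture": "aarch64", "machines": ["virt-*"]}],
        "features": ["verbose-static"],
    },
}


def load_sample_descriptors() -> list:
    """Round-trip the constructed samples through JSON text, as real files would be read."""
    return [parse_descriptor(name, json.dumps(d)) for name, d in SAMPLE_DESCRIPTORS.items()]


if __name__ == "__main__":
    fws = load_sample_descriptors()
    for opts in [("uefi", None), ("uefi-secure-boot", None),
                 ("uefi-secure-boot", "microsoft"), ("uefi-secure-boot", "custom")]:
        hit = select_firmware(fws, "x86_64", "pc-q35-8.2", *opts)
        print(opts, "->", hit.name if hit else None)
```

With the constructed samples, a plain `uefi` request on a q35 machine resolves to the 50-* build because it sorts first and still satisfies the request, `microsoft` variables resolve to the enrolled template, `custom` variables to the secure-boot build whose template has no keys enrolled, and the aarch64 build is never returned for a secure boot request because it does not advertise "secure-boot".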
Daan De Meyer [Tue, 12 Mar 2024 20:05:50 +0000 (20:05 +0000)]
Check for TERM=unknown and set TERM=dumb if not on tty
In CI, TERM is set to "unknown", so let's check for that and translate
it to "dumb" if we're not on a tty, which systemd checks for when it
decides whether to enable logging or not. Also set TERM itself on
the kernel command line, which is another thing parsed by systemd to check
whether to log colors or not. Finally, make sure we set "TERM" correctly
in our own environment that is passed to scripts.
Daan De Meyer [Tue, 12 Mar 2024 16:41:51 +0000 (16:41 +0000)]
Disable SELinux relabeling by default for default image
Sometimes selinux-policy gets pulled in as a dependency, causing
SELinux relabels even though we don't care about SELinux at all in
the general case, so let's by default not relabel anything.
Daan De Meyer [Tue, 12 Mar 2024 16:12:06 +0000 (16:12 +0000)]
Streamline test logging
Let's get rid of the status messages in favor of logging the journal
itself to the console. Let's also make sure we get info messages on
the console from the journal. Finally, make the kernel log at INFO
level instead of the default WARNING.
Daan De Meyer [Mon, 11 Mar 2024 11:22:09 +0000 (12:22 +0100)]
Run sync scripts in relaxed sandbox without package manager trees
Sync scripts run as the invoking user in the sandbox, which means
that they're not able to mount an overlayfs over /usr in the sandbox
to overlay extra files from package manager trees.
To circumvent the issue, let's run sync scripts in a relaxed sandbox
without package manager trees, which shouldn't be crucial to have
when running sync scripts.
Daan De Meyer [Mon, 11 Mar 2024 11:18:01 +0000 (12:18 +0100)]
Always run as root in Context sandbox
If there are files in /usr in the package manager tree, we need to
be running as root to mount an overlayfs on top of /usr, so make
sure we are always root in the Context sandbox.
Daan De Meyer [Sun, 10 Mar 2024 21:15:39 +0000 (22:15 +0100)]
Add grub for EFI support
We also rework the grub setup to not copy the grub modules into the
ESP anymore. We do this as grub for EFI booted in secure boot mode
does not load any unsigned modules for security reasons so we opt
to include all necessary modules into the grub image itself.
Daan De Meyer [Thu, 7 Mar 2024 13:10:25 +0000 (14:10 +0100)]
Make sure the default initrd cache is properly cleaned up by mkosi clean
Instead of doing the cleanup in build_default_initrd(), let's split off
finalize_default_initrd() so that we can clean up the cache in run_clean()
instead.
Daan De Meyer [Thu, 7 Mar 2024 13:09:33 +0000 (14:09 +0100)]
Use lint.select in pyproject.toml
Fixes the following warning:
"""
warning: The top-level linter settings are deprecated in favour of their counterparts in the `lint` section. Please update the following options in `pyproject.toml`:
- 'select' -> 'lint.select'
"""
Daan De Meyer [Wed, 6 Mar 2024 19:53:11 +0000 (20:53 +0100)]
Copy existing crypto policies from the host into package manager tree
apt on Fedora uses gnutls which requires
/etc/crypto-policies/back-ends/gnutls.config to work properly. Let's
copy the default crypto policies from the tools tree into the package
manager tree to make sure things keep working.
Daan De Meyer [Wed, 6 Mar 2024 12:01:35 +0000 (13:01 +0100)]
Speed up kernel modules initrd generation if no excludes were specified
If no excludes were specified, we can just glob all modules and firmware
without going via modinfo. We can only do this if no firmware was installed
as otherwise we end up copying firmware into the initrd that's not depended
on by any kernel modules.
Daan De Meyer [Tue, 5 Mar 2024 10:40:12 +0000 (11:40 +0100)]
Prefer to not clean package manager metadata when building directory or tar image
These output formats are often intended to be used as base trees on
which to build extension images so let's not remove package manager
metadata from these unless explicitly requested by the user.
Daan De Meyer [Tue, 5 Mar 2024 10:35:44 +0000 (11:35 +0100)]
Always copy repository metadata to workspace directory
Even if the repository metadata is not removed in
clean_package_manager_metadata(), it might still be removed by
RemoveFiles= or in a finalize script later on, so let's be safe
rather than sorry and always copy the package manager metadata if
it's located inside the image root directory.
Daan De Meyer [Tue, 5 Mar 2024 09:16:39 +0000 (10:16 +0100)]
Make sure unpacked resources can be accessed by the invoking user
Sometimes we run commands as the invoking user and these commands
should be able to access the resources. If the resources are unpacked
to a temporary directory, this directory will have mode 0700 so we
need to relax the permissions to make sure it can be accessed by the
invoking user.
Daan De Meyer [Mon, 4 Mar 2024 21:17:33 +0000 (22:17 +0100)]
Change user to invoking user for syncing
We want to make sure all repository metadata that we cache in the
user's cache directory is owned by the invoking user. Let's achieve
that by running the sync stuff in a fork and dropping privileges if
we're running as root.
Daan De Meyer [Mon, 4 Mar 2024 09:15:09 +0000 (10:15 +0100)]
Don't mount pkgmngr/ when installing trees
If we're copying from the host's /etc, the mounts get very weird as
we end up mounting over the directory we're copying from. Let's avoid
the weirdness by using the Config sandbox instead of the Context sandbox
which means we don't mount anything from the pkgmngr directory.
Daan De Meyer [Fri, 23 Feb 2024 15:27:50 +0000 (16:27 +0100)]
Set DISTRIBUTION= and RELEASE= when invoking scripts
Until now one could simply source /etc/os-release to figure this
out, but this is not possible in sync scripts, so add two new env
variables to expose the distribution and release config options.
Daan De Meyer [Fri, 23 Feb 2024 10:48:11 +0000 (11:48 +0100)]
Use --keep-directory-symlink from cp 9.5 onwards
--keep-directory-symlink instructs cp to not fail when trying to
copy a directory onto a symlink but to follow the symlink instead.
The patch to introduce it was merged into coreutils and will be
available from coreutils 9.5 onwards.
--copy-contents has to be added as well to make
--keep-directory-symlink work. --copy-contents is generally harmless
for our use cases and won't change anything.
We also make sure gpg creates its sockets in /run instead of the
gpg homedir so they don't become part of the image. gpg automatically
uses /run if /run/user/uid exists so we create /run/user/0 to satisfy
that check.
Daan De Meyer [Fri, 23 Feb 2024 11:34:50 +0000 (12:34 +0100)]
Stop using /etc/crypto-policies from host or tools tree
Instead we provide our policy for rpm-sequoia that generally follows
the sequoia default policy except SHA1 is allowed as various distributions
still use SHA1 in their GPG keys.