Daan De Meyer [Thu, 21 Mar 2024 12:35:01 +0000 (13:35 +0100)]
Only set extra_groups for mkdir() if we were invoked as root
The extra groups of the user are not mapped into the user namespace
we create and as such can't be set when invoking a subprocess if
we weren't invoked as root.
Daan De Meyer [Thu, 21 Mar 2024 11:13:05 +0000 (12:13 +0100)]
Explicitly set mode of workspace to 700
If the sticky bit is set on the parent directory of the workspace,
it's inherited by the workspace directory and then inherited by the
image root directory and infects the entire image. Let's make sure
it is not set on the workspace directory to avoid leaking host specific
details into the image.
Daan De Meyer [Thu, 21 Mar 2024 10:32:27 +0000 (11:32 +0100)]
Add proxy settings
These allow using mkosi behind a proxy that requires proxy authentication.
Only dnf seems to allow specifying these certificates as individual settings
so other package managers are not fully supported for now.
We mount the proxy certificates and keys to /proxy.xxx in the sandbox because
otherwise they might end up being mounted at the same location as the certificates
from the tools tree, which means those wouldn't be used.
Daan De Meyer [Wed, 20 Mar 2024 08:57:26 +0000 (09:57 +0100)]
Mount pkgmngr/etc as a whole instead of individual files in it.
We stopped doing this because bubblewrap would create the /etc/mtab
in the package manager tree /etc and leave it there after exiting,
which would cause bubblewrap to fail the next time we executed it as
the symlink already existed.
To avoid reintroducing this issue, we only have bubblewrap create the
symlink if nothing's going to be mounted to /etc and create the symlink
ourselves in the pkgmngr/etc.
These changes also make sure that the mounts from finalize_passwd_mounts()
take precedence over the passwd and group files from pkgmngr/etc.
Daan De Meyer [Wed, 20 Mar 2024 08:13:16 +0000 (09:13 +0100)]
Only set some environment variables when invoking package managers
We really only want to set KERNEL_INSTALL_BYPASS and
SYSTEMD_HWDB_UPDATE_BYPASS when we're invoking package managers so
let's make sure those are only set when invoking package managers.
Let's also allow users to override all of these and let's not
set them when Bootable=no so distros can do whatever they want if
mkosi's bootable image logic is not being used.
Richard Maw [Tue, 19 Mar 2024 18:02:33 +0000 (18:02 +0000)]
Relax mkdir/rchown subpath of home check to owns a parent dir
"the user owns a parent directory" is a lot less strict than
being under the home directory, but allows using shared directories
that are not mounted under home, and at least requires some explicit config
to create the directory before it can be used
rather than just being any directory the user is able to create.
Richard Maw [Tue, 19 Mar 2024 17:57:05 +0000 (17:57 +0000)]
Set extra groups in INVOKING_USER.mkdir
If a parent directory of the path to create isn't traversable
then mkdir will fail to create the directory even if the immediate parent
exists and has the correct permissions.
This can happen in shared development hardware where storage is allocated
using a directory with a common unix group e.g.
$ ls -ld /data
drwxrws--- 4 root devgroup 4096 Mar 12 17:11 /data
Daan De Meyer [Sun, 17 Mar 2024 08:47:54 +0000 (09:47 +0100)]
qemu: Set vmm.notify_socket credential even if SMBIOS is not supported
Let's apply the same credential passing logic to vmm.notify_socket that
we apply to all other credentials. Use SMBIOS if available and fall back
to fw_cfg and kernel command line otherwise.
Daan De Meyer [Sat, 16 Mar 2024 19:04:36 +0000 (20:04 +0100)]
Remove vmspawn verb in favor of VirtualMachineMonitor= setting
Instead of adding a new verb for each new virtual machine monitor we
want to support, let's configure the vmm to use with a new setting. As
vmspawn is still experimental we don't need to keep backwards compat
intact in this case.
Daan De Meyer [Fri, 15 Mar 2024 16:13:45 +0000 (17:13 +0100)]
Fix kernel module glob
When dkms modules are installed there will be .ko modules in directories
other than "kernel" so make sure we only look for modules in the "kernel"
directory.
Daan De Meyer [Fri, 15 Mar 2024 12:09:39 +0000 (13:09 +0100)]
Always mount context.root to /buildroot
Let's leak fewer host specific details into the sandbox by always
mounting the image root directory to /buildroot in the sandbox. This
also simplifies debugging as the image rootfs will always be at /rootfs
instead of in some host specific path.
Daan De Meyer [Fri, 15 Mar 2024 16:11:12 +0000 (17:11 +0100)]
Force virtiofsd to use inode-handles when running as root
When running as root virtiofsd should have all it needs to use
file handles which reduces the chance of running out of file descriptors,
so make sure it uses them when running as root.
Daan De Meyer [Fri, 15 Mar 2024 13:41:12 +0000 (14:41 +0100)]
Enable --cache=always for virtiofsd
According to the documentation, this can be enabled when virtiofsd
has exclusive access to the directory, which is the case for us so
let's enable this.
Daan De Meyer [Fri, 15 Mar 2024 10:57:14 +0000 (11:57 +0100)]
Filter and sort all mounts in sandbox_cmd()
We don't want users of sandbox_cmd() to have to care about mount
ordering. Currently, if mounts with a more general destination are
ordered after mounts with a more specific destination, the earlier
mount is hidden by the later mount. By sorting by destination, we
avoid this issue.
Richard Maw [Wed, 13 Mar 2024 17:30:34 +0000 (17:30 +0000)]
Restore all of a user's groups when running sync
Shared development hardware often has storage partitioned up by project
groups, with the root of the shared storage owned by root:project.
Since this group isn't the primary group of the user
using setgroups and restoring groups to just the user's primary gid
will mean that it does not have this project group gid
and so won't be able to see the contents of this shared directory.
Using getgrouplist to get all of the groups from the user database
allows these additional groups to be set.
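The directory-creation logic from the "Relax mkdir/rchown subpath of home check", "Set extra groups in INVOKING_USER.mkdir", "Only set extra_groups for mkdir() if we were invoked as root" and "Restore all of a user's groups" commits above, as an added Python illustration that is not mkosi's own code: the `owns_parent_dir`, `mkdir_run_kwargs` and `mkdir_as_invoking_user` names are hypothetical, and the `/data` layout in the comments is the one quoted in the log.

```python
import os
import pwd
import subprocess
from pathlib import Path

# Hypothetical helpers modelled on the INVOKING_USER.mkdir() behaviour described in
# the commit log; not mkosi's own implementation.


def owns_parent_dir(path, uid: int) -> bool:
    """True if uid owns any existing ancestor of path.

    The relaxed check: the target need not live under $HOME, but some parent
    directory must belong to the invoking user, so explicit setup is required."""
    for parent in Path(os.path.abspath(path)).parents:
        try:
            if parent.stat().st_uid == uid:
                return True
        except FileNotFoundError:
            continue  # intermediate directory not created yet; keep walking up
    return False


def invoking_user_groups(uid: int) -> tuple[int, list[int]]:
    """Primary gid plus every supplementary group from the user database (getgrouplist)."""
    pw = pwd.getpwuid(uid)
    return pw.pw_gid, os.getgrouplist(pw.pw_name, pw.pw_gid)


def mkdir_run_kwargs(uid: int, gid: int, groups: list[int], invoked_as_root: bool) -> dict:
    """subprocess.run() keyword arguments that run mkdir as the invoking user.

    Supplementary groups are passed only when invoked as root: inside the user
    namespace created otherwise those gids are unmapped and setgroups() fails."""
    kwargs: dict = {"user": uid, "group": gid}
    if invoked_as_root:
        kwargs["extra_groups"] = groups
    return kwargs


def mkdir_as_invoking_user(path, uid: int) -> None:
    """Create path (and parents) as uid with its full group set when privileged.

    The group set is what makes e.g. /data (root:devgroup, drwxrws---) traversable
    when devgroup is only a supplementary group of the invoking user."""
    if not owns_parent_dir(path, uid):
        raise PermissionError(f"{path}: no parent directory is owned by uid {uid}")
    gid, groups = invoking_user_groups(uid)
    subprocess.run(["mkdir", "-p", os.fspath(path)], check=True,
                   **mkdir_run_kwargs(uid, gid, groups, os.getuid() == 0))
```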
Richard Maw [Wed, 13 Mar 2024 17:17:39 +0000 (17:17 +0000)]
Reorder ExtraSearchPaths mounts before options
When not running in a tools tree the extra search paths are
read-only bind-mounted into the sandbox.
Files are initially created in the workspace tree but then moved
into the output directory after they are complete.
If the directories are on different devices the rename syscall
falls back to a copy then delete.
It is not unusual to have a single build output directory
and you might potentially want your mkosi output directory in there.
If you are adding ExtraSearchPaths to use just-built executables
then this probably points to your `build/` directory.
If search paths are bind-mounted in read-only after the copy command's
sandboxing options, then this generates a command-line with options:
`--bind build/mkosi.output build/mkosi.output ... --bind-ro build build`
which means that the output directory is not writable.
Ordering the sandbox's own mount arguments before the command's options
should ensure the read-only search paths mount doesn't interfere with
the command's writable bind-mounts.
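The mount-ordering problem from this commit and from "Filter and sort all mounts in sandbox_cmd()" above, as an added Python illustration that is not mkosi's own sandbox code: the `Mount` type and helper names are hypothetical, and the `build` / `build/mkosi.output` paths are the ones quoted in the log.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Hypothetical model of sandbox bind-mount ordering; not mkosi's sandbox_cmd().


@dataclass(frozen=True)
class Mount:
    src: str
    dst: str
    readonly: bool = False

    def args(self) -> list[str]:
        return ["--bind-ro" if self.readonly else "--bind", self.src, self.dst]


def sort_mounts(mounts: list[Mount]) -> list[Mount]:
    """Drop duplicate destinations (last one wins, an assumption here) and order by
    destination so a general destination ("build") is mounted before anything
    beneath it ("build/mkosi.output"); callers then need not care about ordering."""
    by_dst = {PurePosixPath(m.dst): m for m in mounts}
    return [by_dst[d] for d in sorted(by_dst, key=lambda p: p.parts)]


def effective_view(mounts: list[Mount]) -> dict[PurePosixPath, Mount]:
    """Simulate applying mounts in order: a mount over a directory hides every
    earlier mount at or below that destination."""
    view: dict[PurePosixPath, Mount] = {}
    for m in mounts:
        dst = PurePosixPath(m.dst)
        for hidden in [d for d in view if d == dst or dst in d.parents]:
            del view[hidden]
        view[dst] = m
    return view


def is_writable(mounts: list[Mount], path: str) -> bool:
    """Whether path ends up writable, governed by the longest visible mount above it."""
    view = effective_view(mounts)
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        if candidate in view:
            return not view[candidate].readonly
    return False


def sandbox_args(mounts: list[Mount]) -> list[str]:
    """Command-line fragment with the mounts in a safe order."""
    return [arg for m in sort_mounts(mounts) for arg in m.args()]
```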
Daan De Meyer [Thu, 14 Mar 2024 13:54:45 +0000 (14:54 +0100)]
Introduce flock_or_die() and use it in various places
Let's avoid weird error cases caused by two instances of mkosi trying
to concurrently do stuff with the same output by taking a BSD lock when
trying to do something with the output.
Jörg Behrmann [Tue, 12 Mar 2024 16:56:27 +0000 (17:56 +0100)]
arch: install dbus-broker and dbus-broker-units explicitly
dbus and dbus-units have been split in Arch recently. Currently everything
seems to be pulled in CI, let's see whether we can get this down to just
dbus-broker.
Daan De Meyer [Wed, 13 Mar 2024 22:51:11 +0000 (23:51 +0100)]
ci: Btrfs mount option tuning
Let's choose the lowest compression level so as to not impact CPU
usage too much. Use noatime as it's generally a straight speed boost
and make sure some new btrfs features are enabled (should already
be enabled but never hurts to be sure).
Daan De Meyer [Wed, 13 Mar 2024 16:20:19 +0000 (17:20 +0100)]
ci: Do all work on a btrfs filesystem
Let's make sure we take advantage of our COW and subvolume support
in CI by doing all work in a btrfs filesystem. Additionally enable
compression and user subvolume deletes on the btrfs filesystem to
speed things up even more.
Daan De Meyer [Wed, 13 Mar 2024 21:05:24 +0000 (22:05 +0100)]
Always create directories as invoking user if not invoked as root
We don't want to leak the subuids into the system, so make sure any
directories created by INVOKING_USER.mkdir() are always created as
the invoking user if we're not invoked as root.
Daan De Meyer [Wed, 13 Mar 2024 16:18:50 +0000 (17:18 +0100)]
Optimize rmtree() for btrfs subvolumes
Try "btrfs subvolume delete" on subvolumes and fall back to a regular
delete since it will fail for unprivileged users without the
user_subvol_rm_allowed mount option.
Daan De Meyer [Wed, 13 Mar 2024 13:16:17 +0000 (14:16 +0100)]
ci: Enable KVM
Since https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/,
it seems that KVM has started working, so let's make sure we take
advantage of it to speed up CI.
Daan De Meyer [Wed, 13 Mar 2024 08:43:08 +0000 (09:43 +0100)]
Run sync scripts in strict sandbox again
We can't use a relaxed sandbox as we need to be able to mount the
directories containing certificates and keys from the tools tree
(finalize_crypto_mounts()) which will fail with permission errors
in a relaxed sandbox if the required mountpoints do not already
exist in the host filesystem.
So let's switch back to a strict sandbox, except that we now always
run as root in the strict sandbox so the overlay mount for /usr from
the package manager tree won't fail anymore.