Daan De Meyer [Thu, 31 Oct 2024 10:58:28 +0000 (11:58 +0100)]
Map current user to root in subuid user namespace
By mapping the current user to root in the subuid user namespace,
we don't have to change the ownership of all the files in the directory
tree to root in the subuid uid/gid range. This means that on btrfs
filesystems, we can do a subvolume snapshot instead of an expensive
full tree recursion to copy each file individually.
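The mapping described in this commit message can be worked through as follows. This is an added example, not mkosi's code: the two-entry layout (namespace root is the caller, IDs from 1 upward come from the subordinate range) is an assumed layout commonly used by rootless container tools, and the `/etc/subuid` content, user name and UID 1000 are constructed sample values.

```python
from typing import NamedTuple, Optional

OVERFLOW_ID = 65534  # kernel default shown for host IDs that have no mapping

class MapEntry(NamedTuple):
    inside: int   # first ID as seen inside the user namespace
    outside: int  # first ID as seen on the host
    count: int    # length of the contiguous range

# Constructed /etc/subuid content (sample data, not from the page).
SUBUID = "alice:100000:65536\nbob:165536:65536\n"

def subid_range(subid_text: str, user: str) -> tuple[int, int]:
    """Return (start, count) of the first subordinate range owned by user."""
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    raise LookupError(f"no subordinate ID range for {user}")

def build_map(uid: int, subid_text: str, user: str) -> list[MapEntry]:
    """Assumed layout: namespace root is the caller, 1.. is the subuid range."""
    start, count = subid_range(subid_text, user)
    if start <= uid < start + count:
        raise ValueError("caller UID overlaps its own subordinate range")
    return [MapEntry(0, uid, 1), MapEntry(1, start, count)]

def to_host(entries: list[MapEntry], inside_id: int) -> Optional[int]:
    """Host ID that a file created as inside_id ends up owned by."""
    for e in entries:
        if e.inside <= inside_id < e.inside + e.count:
            return e.outside + (inside_id - e.inside)
    return None  # ID cannot be used inside the namespace

def to_namespace(entries: list[MapEntry], host_id: int) -> int:
    """Owner that a host-owned file appears to have inside the namespace."""
    for e in entries:
        if e.outside <= host_id < e.outside + e.count:
            return e.inside + (host_id - e.outside)
    return OVERFLOW_ID

def newuidmap_args(pid: int, entries: list[MapEntry]) -> list[str]:
    """Argument vector in newuidmap's 'pid uid loweruid count ...' form."""
    args = ["newuidmap", str(pid)]
    for e in entries:
        args += [str(e.inside), str(e.outside), str(e.count)]
    return args

if __name__ == "__main__":
    print(" ".join(newuidmap_args(4242, build_map(1000, SUBUID, "alice"))))
```

Files the invoking user already owns translate to UID 0 inside the namespace, so the tree needs no ownership change before being used as a root filesystem.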
Daan De Meyer [Thu, 31 Oct 2024 11:36:09 +0000 (12:36 +0100)]
Bind /run when an engine might be used instead of only /run/pcscd
It's not guaranteed that the engine will be the pkcs#11 one so let's
bind the entirety of /run in case another daemon might be used with
a socket elsewhere in /run.
Daan De Meyer [Wed, 30 Oct 2024 09:38:05 +0000 (10:38 +0100)]
Never clean output directory when Format=none
If Format=none no outputs can be produced at all so let's make sure
we always keep the previous outputs intact when Format=none regardless
of whether -f is specified or not.
Check if firmware subdirectory still exists before trying to remove it
Detected with `mkosi-initrd`:
```
Calculating required kernel modules and firmware
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 64, in uncaught_exception_handler
yield
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 105, in fork_and_wait
target(*args, **kwargs)
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 4450, in run_build
build_image(
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 3668, in build_image
run_depmod(context)
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 2721, in run_depmod
process_kernel_modules(
File "/usr/lib/python3.11/site-packages/mkosi/kmod.py", line 248, in process_kernel_modules
p.rmdir()
File "/usr/lib64/python3.11/pathlib.py", line 1156, in rmdir
os.rmdir(self)
FileNotFoundError: [Errno 2] No such file or directory: '/var/tmp/mkosi-workspace-9r8egfmc/root/usr/lib/firmware/yamaha'
```
Daan De Meyer [Mon, 28 Oct 2024 20:27:30 +0000 (21:27 +0100)]
Remove access to the output directory in build scripts
With mkosi -t none, we can rerun the build script without cleaning
the output directory. This creates an awkward situation, as the build
script might create new outputs but is unable to remove previous ones,
which could lead to weird situations where the output directory contains
artifacts from multiple builds.
Let's tighten this up by disallowing access to the output directory in
build scripts. Users can still copy from the build script to the output
directory by doing the copy from a post-installation script which is not
invoked when we run mkosi -t none so it only runs when we've cleaned up
the output directory.
`less` had hard requirements on `which` and `file` (so also `file-magic` and
`libmagic1`), reworked via packaging in Tumbleweed
(https://build.opensuse.org/request/show/1218137) and available since snapshot 20241025.
```
‣ /tmp/tmpgpvfc6y8/initrd.cpio.zst size is 44.9M, consumes 44.9M.
‣ Copying /tmp/tmpgpvfc6y8/initrd to /tmp/kernel-install.staging.KXnXSC/initrd
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 64, in uncaught_exception_handler
yield
File "/usr/lib64/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/kernel/install.d/50-mkosi.install", line 167, in main
shutil.move(next(context.staging_area.glob("initrd*.cpio*")), context.staging_area / "initrd")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
StopIteration
/usr/lib/kernel/install.d/50-mkosi.install failed with exit status 1.
```
Daan De Meyer [Tue, 22 Oct 2024 17:40:10 +0000 (19:40 +0200)]
Use virtio-blk-pci unless scsi-hd is really needed
https://www.qemu.org/2021/01/19/virtio-blk-scsi-configuration/
mentions that for performance critical use cases, virtio-blk should
be preferred so let's use virtio-blk unless we actually need scsi-hd.
We don't currently have a way to enable the epel repositories when
using mkosi-initrd, because it always uses the exact same repositories
as the host system. However, erofs-utils can still be installed by just
including it using /usr/lib/mkosi-initrd/mkosi.conf without a match
section.
Michael Ferrari [Sun, 20 Oct 2024 11:11:32 +0000 (13:11 +0200)]
Make SplitArtifacts= take a list of values
This allows more precision on which artifacts are actually split out of
the image and placed into the output directory. Defaults to splitting
the UKI, vmlinuz and the initrd out.
Michael Ferrari [Thu, 17 Oct 2024 19:52:28 +0000 (21:52 +0200)]
Refactor copy_{uki,vmlinuz,initrd}
A follow-up commit will introduce the ability to disable copying these
to the output directory, so refactor all the logic so that they are
contained within their respective functions.
opensuse: prevent zypper from pulling busybox in the initrd
zypper's internal logic selects busybox-package variants of packages that are
required via dependency and not explicitly listed to install, which also causes
busybox to be added to the initrd.
Also, remove the shadow package (the equivalent to the shadow-utils package in
Fedora).
Daan De Meyer [Wed, 9 Oct 2024 11:51:51 +0000 (13:51 +0200)]
Run various cleanup operations without the base trees mounted
When running cleanup operations just before we finish the build and
we're building with Overlay=yes, we only want the cleanup to apply
to the overlay, not the base trees, so it makes sense to run the
final cleanup operations and the finalize scripts without the base
trees mounted.
This makes using chroot finalize scripts for overlay images impossible
but this shouldn't be a huge issue.
Package removals and selinux relabelling still run with the base trees
mounted because those operations rely on various files included in the
base trees.
Daan De Meyer [Sun, 6 Oct 2024 13:30:57 +0000 (15:30 +0200)]
Define our own config for PE addons and UKI profiles
ukify's config parser uses python's configparser module and as such
suffers from all its issues just like we used to in mkosi. Having ukify
parse the config file also means that we have to make sure any paths
configured in the profile are available in the sandbox.
Instead, let's define our own configs for the PE addons and UKI profiles
so we get to take advantage of our own config file parser and have full
knowledge of all the configured settings so we can mount extra stuff into
the sandbox if needed.
It also gets rid of the hack where we parse ukify's config file to figure
out the command line.
Daan De Meyer [Fri, 4 Oct 2024 14:23:11 +0000 (16:23 +0200)]
Relax read-only mounts even more
Turns out having home directories as a subdirectory of /usr is a thing.
Let's relax the readonly mount requirements even more to make this use
case work as well.
Daan De Meyer [Fri, 4 Oct 2024 12:13:41 +0000 (14:13 +0200)]
Rename Profile= match to Profiles=
Matches related to settings are named after their setting so this
should be Profiles= similarly to the Repositories= match. The old
name will still work as well but we use the new one in docs.
on current Debian stable one gets an error that the package 'ubuntu-keyring'
doesn't have any installable candidates. Moving the inclusion of the package
out of the purview of apt and back into mkosi's fixes this issue.
Daan De Meyer [Wed, 2 Oct 2024 10:26:23 +0000 (12:26 +0200)]
Don't store default kernel command line and credentials in Config
Let's delay calculation of these until the last moment instead of
storing them in the Config object. This makes the summary more succinct
and reduces the amount of work we do to parse the configuration.