Daan De Meyer [Sat, 2 Nov 2024 17:57:31 +0000 (18:57 +0100)]
Add sandbox verb
In systemd, to run the integration tests, we need to run meson on
the host which will itself invoke mkosi to run the integration tests.
This means all the dependencies to run meson need to be installed on
the host. This doesn't just mean meson needs to be installed, but also
a compiler and various required build dependencies of systemd to allow
building tools invoked by mkosi to build the image.
To avoid having to install these dependencies on the host system, let's
introduce a sandbox verb which runs a command in the mkosi sandbox that's
also used by other verbs such as boot, qemu and shell. This then allows
extra required tools to be installed in the tools tree via ToolsTreePackages=
to allow running these commands without having to install them on the host
system.
Daan De Meyer [Sat, 2 Nov 2024 15:11:07 +0000 (16:11 +0100)]
Add PATH entries beneath the user's home to PATH in relaxed sandbox
This handles the case where a user adds ~/.local/bin to the PATH.
Let's make sure we use that even when running with a tools tree.
This might not work for binaries that are built against libraries
from the user's host /usr but there's lots of tools that will either
be statically compiled or written in an interpreted language like
python that will still work even when we switch out /usr from underneath
them.
Daan De Meyer [Sat, 2 Nov 2024 15:09:29 +0000 (16:09 +0100)]
Ignore crypto mount if it only contains empty directories
Let's beef up the crypto mount check and check if there are only
empty directories in the mount and ignore it if that's the case.
This handles the case where e.g. on Arch installing pesign leads
to /etc/pki containing only /etc/pki/pesign as an empty directory.
Daan De Meyer [Sat, 2 Nov 2024 15:08:05 +0000 (16:08 +0100)]
Don't remove default tools tree when mkosi -ff is used
Generally when -ff is specified users won't want to remove the
default tools tree if they're using one, so let's stop doing that.
The default tools tree is still removed when mkosi -f clean is invoked.
Daan De Meyer [Sat, 2 Nov 2024 15:06:42 +0000 (16:06 +0100)]
Make default tools tree output name distribution independent
We included the distribution name when we first added this because
the tools tree distribution was different depending on which distribution
we were building. Now that we choose the tools tree distribution based on
the host distribution, this doesn't make much sense anymore, so get rid
of the distribution in the default tools tree output name and name it just
"tools" instead.
Michael Ferrari [Fri, 1 Nov 2024 12:24:21 +0000 (13:24 +0100)]
Remove BuildDirectory= from PrepareScripts=
The BuildDirectory= is meant for files which are non-essential and can
be recreated during the build process of the image, so source files that
need to be acquired should be saved somewhere within the $BUILDROOT to
be cached for runs when PrepareScripts= aren't run (assuming incremental
builds).
Daan De Meyer [Thu, 31 Oct 2024 10:58:28 +0000 (11:58 +0100)]
Map current user to root in subuid user namespace
By mapping the current user to root in the subuid user namespace,
we don't have to change the ownership of all the files in the directory
tree to root in the subuid uid/gid range. This means that on btrfs
filesystems, we can do a subvolume snapshot instead of an expensive
full tree recursion to copy each file individually.
Daan De Meyer [Thu, 31 Oct 2024 11:36:09 +0000 (12:36 +0100)]
Bind /run when an engine might be used instead of only /run/pcscd
It's not guaranteed that the engine will be the pkcs#11 one so let's
bind the entirety of /run in case another daemon might be used with
a socket elsewhere in /run.
Daan De Meyer [Wed, 30 Oct 2024 09:38:05 +0000 (10:38 +0100)]
Never clean output directory when Format=none
If Format=none no outputs can be produced at all so let's make sure
we always keep the previous outputs intact when Format=none regardless
of whether -f is specified or not.
Check if firmware subdirectory still exists before trying to remove it
Detected with `mkosi-initrd`:
```
Calculating required kernel modules and firmware
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 64, in uncaught_exception_handler
yield
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 105, in fork_and_wait
target(*args, **kwargs)
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 4450, in run_build
build_image(
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 3668, in build_image
run_depmod(context)
File "/usr/lib/python3.11/site-packages/mkosi/__init__.py", line 2721, in run_depmod
process_kernel_modules(
File "/usr/lib/python3.11/site-packages/mkosi/kmod.py", line 248, in process_kernel_modules
p.rmdir()
File "/usr/lib64/python3.11/pathlib.py", line 1156, in rmdir
os.rmdir(self)
FileNotFoundError: [Errno 2] No such file or directory: '/var/tmp/mkosi-workspace-9r8egfmc/root/usr/lib/firmware/yamaha'
```
Daan De Meyer [Mon, 28 Oct 2024 20:27:30 +0000 (21:27 +0100)]
Remove access to the output directory in build scripts
With mkosi -t none, we can rerun the build script without cleaning
the output directory. This creates an awkward situation, as the build
script might create new outputs but is unable to remove previous ones,
which could lead to weird situations where the output directory contains
artifacts from multiple builds.
Let's tighten this up by disallowing access to the output directory in
build scripts. Users can still copy from the build script to the output
directory by doing the copy from a post-installation script which is not
invoked when we run mkosi -t none so it only runs when we've cleaned up
the output directory.
`less` had hard requirements on `which` and `file` (so also `file-magic` and
`libmagic1`), reworked via packaging in Tumbleweed (
https://build.opensuse.org/request/show/1218137) and available since snapshot 20241025.
```
‣ /tmp/tmpgpvfc6y8/initrd.cpio.zst size is 44.9M, consumes 44.9M.
‣ Copying /tmp/tmpgpvfc6y8/initrd to /tmp/kernel-install.staging.KXnXSC/initrd
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/mkosi/run.py", line 64, in uncaught_exception_handler
yield
File "/usr/lib64/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/kernel/install.d/50-mkosi.install", line 167, in main
shutil.move(next(context.staging_area.glob("initrd*.cpio*")), context.staging_area / "initrd")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
StopIteration
/usr/lib/kernel/install.d/50-mkosi.install failed with exit status 1.
```
Daan De Meyer [Tue, 22 Oct 2024 17:40:10 +0000 (19:40 +0200)]
Use virtio-blk-pci unless scsi-hd is really needed
https://www.qemu.org/2021/01/19/virtio-blk-scsi-configuration/
mentions that for performance critical use cases, virtio-blk should
be preferred so let's use virtio-blk unless we actually need scsi-hd.
We don't currently have a way to enable the epel repositories when
using mkosi-initrd, because it always uses the exact same repositories
as the host system. However, erofs-utils can still be installed by just
including it using /usr/lib/mkosi-initrd/mkosi.conf without a match
section.
Michael Ferrari [Sun, 20 Oct 2024 11:11:32 +0000 (13:11 +0200)]
Make SplitArtifacts= take a list of values
This allows more precision on which artifacts are actually split out of
the image and placed into the output directory. Defaults to splitting
the UKI, vmlinuz and the initrd out.
Michael Ferrari [Thu, 17 Oct 2024 19:52:28 +0000 (21:52 +0200)]
Refactor copy_{uki,vmlinuz,initrd}
A follow-up commit will introduce the ability to disable copying these
to the output directory, so refactor all the logic so that they are
contained within their respectiv functions.
opensuse: prevent zypper from pulling busybox in the initrd
zypper's internal logic selects busybox-package variants of packages that are
required via dependency and not explicitly listed to install, which also causes
busybox to be added to the initrd.
Also, remove the shadow package (the equivalent to the shadow-utils package in
Fedora).
Daan De Meyer [Wed, 9 Oct 2024 11:51:51 +0000 (13:51 +0200)]
Run various cleanup operations without the base trees mounted
When running cleanup operations just before we finish the build and
we're building with Overlay=yes, we only want the cleanup to apply
to the overlay, not the base trees, so it makes sense to run the
final cleanup operations and the finalize scripts without the base
trees mounted.
This makes using chroot finalize scripts for overlay images impossible
but this shouldn't be a huge issue.
Package removals and selinux relabelling still run with the base trees
mounted because those operations rely on various files included in the
base trees.
Daan De Meyer [Sun, 6 Oct 2024 13:30:57 +0000 (15:30 +0200)]
Define our own config for PE addons and UKI profiles
ukify's config parser uses python's configparser module and as such
suffers from all its issues just like we used to in mkosi. Having ukify
parse the config file also means that we have to make sure any paths
configured in the profile are available in the sandbox.
Instead, let's define our own configs for the PE addons and UKI profiles
so we get to take advantage of our own config file parser and have full
knowledge of all the configured settings so we can mount extra stuff into
the sandbox if needed.
It also gets rid of the hack where we parse ukify's config file to figure
out the command line.
Daan De Meyer [Fri, 4 Oct 2024 14:23:11 +0000 (16:23 +0200)]
Relax read-only mounts even more
Turns out having home directories as a subdirectory of /usr is a thing.
Let's relax the readonly mount requirements even more to make this use
case work as well.
Daan De Meyer [Fri, 4 Oct 2024 12:13:41 +0000 (14:13 +0200)]
Rename Profile= match to Profiles=
Matches related to settings are named after their setting so this
should be Profiles= similarly to the Repositories= match. The old
name will still work as well but we use the new one in docs.
projects / thirdparty / mkosi.git / log
