Daan De Meyer [Sun, 22 Dec 2024 11:47:06 +0000 (12:47 +0100)]
Wait until sandbox exec()'s specified command before continuing
Let's wait in spawn() until all setup logic has completed before
continuing if a sandbox is used. When using spawn() without run(),
this helps us fail early if the setup logic fails instead of later
on if we're not checking the result of the spawn() command immediately
afterwards.
As a side effect, this also acts as a synchronization point when using
systemd-run --scope where when spawn() returns, we can be 100% sure that
the scope has been created, which is important when calling RegisterMachine
from systemd-machined which does the wrong thing if the scope for the specified
machine does not yet exist and ends up killing the parent unit (often the user
session) instead of just the virtual machine.
Daan De Meyer [Fri, 20 Dec 2024 10:20:54 +0000 (11:20 +0100)]
Don't use ExtraSearchPaths= when building default tools tree
Since eba43f034c5c19a478249ba50fc1b97faffda75c, we always run binaries
from ExtraSearchPaths= within the tools tree if one is used. This generally
implies the binaries have to be built against the tools tree to be able to
run within it. This means that the binaries won't necessarily work when
executed on the host, which is the case when building the default tools tree.
To avoid failures when building the default tools tree and using ExtraSearchPaths=,
don't use binaries from ExtraSearchPaths= when building the default tools tree.
Daan De Meyer [Fri, 20 Dec 2024 08:56:48 +0000 (09:56 +0100)]
Use "tools" as the cache key for the default tools tree
Currently we still use "distribution~release~architecture", which
breaks checking if the cache is out of date, since we'll always check
against the cache of the currently configured tools tree distribution,
even if we used a different tools tree distribution to build the tools
tree. Let's fix this by using the same cache key for all default tools
trees.
This shouldn't introduce any performance regression as users are not
expected to change the default tools tree distribution all the time
unlike the target image distribution.
Daan De Meyer [Thu, 19 Dec 2024 11:35:47 +0000 (12:35 +0100)]
Run binaries from ExtraSearchPaths= within tools tree
Until now, there was always the implicit assumption that any paths
configured with ExtraSearchPaths= contained binaries built against
the host's /usr. With that assumption, it made sense to execute binaries
found in these paths outside of the tools tree as otherwise you might
end up with missing or out of date libraries if these are not available
within the tools tree.
However, with the introduction of "mkosi sandbox", what I want to do
in systemd is to have contributors build systemd within the sandbox and
then use those binaries in mkosi to build the image. This means that the
build directory configured with ExtrasSearchPaths= suddenly contains
binaries built against the tools tree's /usr (if one is configured) instead
of the host's /usr.
Given this new use case, let's get rid of the logic to not use the tools
tree for binaries in ExtraSearchPaths=, instead, users of ExtraSearchPaths=
using a tools tree will have to make sure to use a tools tree that mostly
matches their host's /usr.
Daan De Meyer [Wed, 18 Dec 2024 13:00:49 +0000 (14:00 +0100)]
Drop PEAddons=
Putting these inside the image isn't very useful except for the very
specific use case of being able to skip copying the addon when copying
the ESP to another disk to implement a "live" installer mode. For all
other use cases, PE addons are either supposed to be generated locally
or optionally downloaded alongside the image. For these use cases it
makes much more sense to output the addons alongside the image, but not
in it.
But if it makes more sense to output the addons alongside the image, then
it becomes unclear whether this is something that should be implemented inside
mkosi in the first place. Until we figure whether this makes sense and how
to implement it, let's remove the functionality.
Addons can still be added to the image or generated alongside it by running
ukify in a postinst script. The secure boot signing options will have to be
passed manually but this isn't an unsolvable problem.
Daan De Meyer [Thu, 19 Dec 2024 09:33:00 +0000 (10:33 +0100)]
Recommend symlinking to ~/.local/bin
When using mkosi sandbox with a tools tree, /usr is replaced which
means the symlink is gone which prevents running mkosi from within
mkosi so let's recommend ~/.local/bin instead.
Daan De Meyer [Thu, 19 Dec 2024 10:09:36 +0000 (11:09 +0100)]
Rename [Host] section to [Runtime] section
[Host] is not a very descriptive name for the settings in this section.
As all these settings affect the behavior of mkosi shell, mkosi qemu,
mkosi boot or mkosi vmspawn, let's rename the section to [Runtime]. We
make sure to still parse [Host] as well to keep backwards compat.
Daan De Meyer [Tue, 17 Dec 2024 08:09:16 +0000 (09:09 +0100)]
Refactor extension image helper methods
Let's have two helper methods, is_extension_image() and
is_extension_or_portable_image(). The first is for true extensions,
that are overlayed on top of an existing system, whereas the second
one includes portable images, which are standalone and not overlayed
on top of an existing system.
Daan De Meyer [Fri, 13 Dec 2024 11:58:16 +0000 (12:58 +0100)]
pacman: Make sure repositories from dropins take priority
When multiple repositories ship the same package, the repository
defined first in the pacman config file takes priority. Let's make
sure user defined repositories take priority over the ones defined
in mkosi by moving the Include= statement up a little in the config
file.
Daan De Meyer [Fri, 13 Dec 2024 13:24:36 +0000 (14:24 +0100)]
sandbox: Show better error on missing mountpoints
Currently, if a crypto mountpoint does not exist, we fail with a
PermissionError exception. Let's show a better error and guide users
to what they can do to prevent this from happening. Also fix the action
to create all the necessary mountpoints upfront.
Daan De Meyer [Fri, 13 Dec 2024 09:20:40 +0000 (09:20 +0000)]
tests: Build with --incremental=strict
Let's require cached images to be present before running the
integration tests. This makes sure the tests only need to build the
output that they're testing and it also opens up the road for running
tests in parallel in the future.
Daan De Meyer [Fri, 13 Dec 2024 10:23:39 +0000 (10:23 +0000)]
Remove package manager from cache manifest
We don't always have the tools tree available yet when generating the
cache manifest which can lead to cache manifest mismatches depending on
whether the tools tree is available or not. Since the package manager field
depends on whether the tools tree is available or not (dnf or dnf5, dnf or zypper),
let's remove it from the cache manifest.
Matteo Croce [Thu, 12 Dec 2024 16:47:44 +0000 (17:47 +0100)]
Use host model cpu
mkosi currently calls qemu with `-cpu max`. This enables all features
supported by the accelerator, which could be less than the ones
supported by the host.
Switch to the default `-cpu host` and keep max only when using binary
translation.
Daan De Meyer [Thu, 12 Dec 2024 10:08:36 +0000 (10:08 +0000)]
Rework crypto-policies handling slightly
Let's bind mount from the tools tree if it provides crypto policies
and only write our own for rpm-sequoia if the tools tree doesn't provide
its own crypto policies.
Brendan Jackman [Sun, 8 Dec 2024 12:03:57 +0000 (13:03 +0100)]
sandbox: Spit out some info when initial unshare gets EPERM
To try and minimise the pain of this issue
(https://github.com/systemd/mkosi/issues/3265), dump some info that might help
users resolve it.
I had a quick look around expecting to find a document from Red Hat discussing
this topic much like the Ubuntu one I've linked here, but I didn't find it.
Hopefully if it exists someone else can add it later.
I'm doing this via a direct write to stderr because of the comment at the top of
sandbox.py saying to avoid imports. If this is highly undesirable it looks like
log.log_notice would be the right choice here (then you don't need the
annoying ANSI codes).
Luca Boccassi [Sun, 8 Dec 2024 13:55:25 +0000 (13:55 +0000)]
mkosi-initrd: also take input from /etc/kernel/cmdline
Other kernel-install plugins (for Type 1) already take /etc/kernel/cmdline
into account when generating the local cmdline entry, so do the same
in mkosi-initrd for the UKI
Akihiko Odaki [Thu, 5 Dec 2024 04:51:21 +0000 (13:51 +0900)]
Define virt as default QEMU machine for riscv64
The documentation says:
> It is the recommended board type if you simply want to run a guest
> such as Linux and do not care about reproducing the idiosyncrasies and
> limitations of a particular bit of real-world hardware.
https://qemu.readthedocs.io/en/v9.1.0/system/riscv/virt.html
Daan De Meyer [Thu, 28 Nov 2024 21:43:03 +0000 (22:43 +0100)]
Fix Partition split_path calculation
Now that we use workdir() in make_image(), we have to change the
Partition initializer to remove the path added by workdir() again
to get the proper path on the host.
Daan De Meyer [Thu, 28 Nov 2024 15:12:03 +0000 (16:12 +0100)]
Don't resolve deps if we're reusing previous config
We ignore subimages if we're reusing the previous config so let's
make sure we ignore subimages as well after running configure scripts
if we're reusing previous config.
Daan De Meyer [Sun, 24 Nov 2024 20:34:57 +0000 (21:34 +0100)]
mkosi-initrd: Install btrfs-progs
Even if fsck.btrfs doesn't do anything particularly useful, given we
install the fs tools of all the other filesystems, let's install btrfs-progs
as well. This is also useful when using systemd-repart to create the
root filesystem on first boot.
Daan De Meyer [Sat, 23 Nov 2024 13:54:59 +0000 (14:54 +0100)]
Drop ForwardJournal= integration for coredumpctl and journalctl verbs
Now that we have the sandbox verb, this is trivial to achieve with the
sandbox verb so let's keep the coredumpctl and journalctl verbs focused
solely on reading the journal and coredumps from the image itself and leave
inspecting the forwarded journal to mkosi sandbox.
Technically this breaks compat but I'm convinced nobody's actually using this
specific bit of integration so it shouldn't matter if we remove it.
Daan De Meyer [Sat, 23 Nov 2024 13:36:19 +0000 (14:36 +0100)]
Use tools tree again for ssh, coredumpctl and journalctl
In effect these verbs are very similar to the sandbox verb except
they run a predefined command line instead of an arbitrary one. So
let's make them behave the same as the sandbox verb when it comes to
the tools tree.
Brendan Jackman [Fri, 22 Nov 2024 14:14:58 +0000 (14:14 +0000)]
Clarify shell vs boot in man page
In retrospect it seems like this should have been obvious but it
confused me. Thanks to Daan for pointing it out on Matrix. Reword to
help out people like me in the future.
Daan De Meyer [Fri, 22 Nov 2024 09:37:06 +0000 (10:37 +0100)]
Include machine name in virtiofsd unit name
If the same directory is shared across multiple guests, we end up
with duplicate unit names even though we need separate virtiofsd
instances. Let's fix this by including the machine name in the
virtiofsd unit name so that the unit names will be unique across
guests.
Daan De Meyer [Thu, 21 Nov 2024 20:51:43 +0000 (21:51 +0100)]
sysupdate: Make it work in combination with a tools tree
- We have to make sure systemd-sysupdate looks at the os-release
from the host even when using a tools tree.
- systemd-sysupdate can't detect the root block device when running
with a tools tree. Let's abuse /run/systemd/volatile-root to shortcut
the detection logic instead.
Septatrix [Wed, 20 Nov 2024 22:10:45 +0000 (23:10 +0100)]
Keep track of collection resets from CLI arguments (fixes #3208)
Previously it was only possible to completely reset but not append,
or only append but not reset to collection/list settings
via command line arguments.
Now we track if a setting has ever been set to None (i.e. reset)
during command line parsing.
This information is used during value finalization
to decide whether to merge both collections or only keep the CLI value.
Martin Hundebøll [Tue, 19 Nov 2024 11:11:25 +0000 (12:11 +0100)]
Propagate --tools-tree-certificates to initrd build
The initrd build uses a config created from a "hand-crafted" command
line passed to `parse_config()`. This command line includes the relevant
settings (i.e. those deemed relevant for build the initrd) from the
"proper" config object.
Since the --tools-tree-certificates setting wasn't added to that command
line, it defaults to true regardless of any setting configured when
invoking mkosi. When building behind a cooperate (transparent) proxy
using a self-signed certificate, the initrd build fails when trying to
download packages (unless the needed packages happened to be downloaded
as part of a previous image build).
Make sure the --tools-tree-certificates setting applies to the initrd
build also, by explicitly including it in the hand-crafted command line.
The setting can be added unconditionally because of the default value
specified in config.py.
projects / thirdparty / mkosi.git / log
