Daan De Meyer [Tue, 21 Jan 2025 22:33:37 +0000 (23:33 +0100)]
tests: Remove privilege dropping for image builds
This just does not work reliably at all. We change uid/gid but keep
all the environment variables which is just a recipe for issues. Let's
enforce running everything as root if one wants to run the tests that
require root privileges.
Daan De Meyer [Tue, 21 Jan 2025 22:47:57 +0000 (23:47 +0100)]
Move uid check back to have_cache()
We moved this to reuse_cache() before the introduction of mkosi-sandbox
because we would change uids during execution. Now that we don't do that
anymore, we can move the check back to have_cache().
Daan De Meyer [Tue, 21 Jan 2025 19:18:15 +0000 (20:18 +0100)]
tests: Skip booting from directory in user namespace with single user
We need newuidmap/newgidmap to be able to boot from a directory which
can't ever work in a user namespace with a single user so skip the
test in that case.
Daan De Meyer [Tue, 21 Jan 2025 21:41:06 +0000 (22:41 +0100)]
action: Only install package managers and debian-keyring
Instead, let's recommend users to use the default tools tree to get
their dependencies which is generally recommended as it reduces their
dependencies on what's installed on the host system.
Daan De Meyer [Tue, 21 Jan 2025 16:41:27 +0000 (17:41 +0100)]
mkosi-tools: Install systemd-ukify on Azure, CentOS and Fedora
systemd-ukify is not architecture dependant anymore so let's always
install it. It's also packaged in CentOS Stream and Azure Linux so
let's install it there as well.
Daan De Meyer [Tue, 21 Jan 2025 16:40:30 +0000 (17:40 +0100)]
mkosi-tools: Fix architecture condition
We need to match the architecture of the tools tree we're building,
not the host architecture. In practice these will always be the same
so this doesn't actually change behavior.
Daan De Meyer [Wed, 22 Jan 2025 11:32:35 +0000 (12:32 +0100)]
Make mkosi available inside mkosi sandbox via zipapp
Currently, mkosi has to be installed outside of /usr when using a
tools tree with mkosi sandbox to make it available inside mkosi
sandbox. Let's remove this restriction by packaging up the host's
mkosi as a zipapp and making the zipapp available in the sandbox.
Daan De Meyer [Wed, 22 Jan 2025 11:15:42 +0000 (12:15 +0100)]
Special case tools image in keyring_cache() and metadata_cache()
Similar to cache_tree_paths(), give the metadata and keyring cache
for the default tools tree a custom name to avoid conflicts with the
other image caches.
Daan De Meyer [Tue, 21 Jan 2025 21:21:38 +0000 (22:21 +0100)]
Rework crypto-policies again
Currently, we only write our own rpm-sequoia crypto policy if one
isn't provided by the tools tree. However, the centos stream 10 crypto
policy is restrictive enough that we can't build older centos releases
or opensuse images with it.
To fix this, let's switch things around again and go back to copying
the crypto policy from the tools tree into the sandbox tree and modifying
the rpm-sequoia policy to fit our needs. For mkosi sandbox, we do reuse
the crypto policies from the tools tree unmodified.
Note that we copy from /usr/share/crypto-policies/DEFAULT instead of
/etc/crypto-policies, as when using mkosi sandbox, we get
/etc/crypto-policies from the host which is full of symlink's to the host's
/usr, even if the tools tree might not be using crypto policies at all.
We also rename finalize_crypto_mounts() to finalize_certificate_mounts()
as it only handles certificates now.
Daan De Meyer [Tue, 21 Jan 2025 11:58:28 +0000 (12:58 +0100)]
Add support for pre-signed Bootloader variants without shim
Currently we only pick up pre-signed bootloader binaries if
ShimBootloader=signed is configured. Let's also add support for
installing pre-signed bootloader binaries without using shim.
Daan De Meyer [Mon, 20 Jan 2025 09:42:08 +0000 (10:42 +0100)]
Enforce that images with Overlay=yes only add files
Any extension images built with Overlay=yes should never override
files in the base image, so let's add some enforcement to make
sure that's the case by automatically removing files that already
exist in the base image.
Daan De Meyer [Sun, 19 Jan 2025 19:11:20 +0000 (20:11 +0100)]
Don't check for populated OS root if Format == none
Let's skip checking if the OS root is populated if Format == none
so that Format=none and Distribution=custom can be used to execute
arbitrary code in a build script without actually building an image.
Daan De Meyer [Sun, 19 Jan 2025 19:34:31 +0000 (20:34 +0100)]
Allow adding kernel modules in extension images
When building standalone extension images (without Overlay=yes),
let's process kernel modules but not run depmod. depmod produces a
single monolithic file which means we can't extend it from an
extension image without overriding the base file.
Daan De Meyer [Thu, 16 Jan 2025 23:07:07 +0000 (00:07 +0100)]
Add package manager back to the cache manifest
As detailed in the previous commit, it's important to cache the
package manager used in the cache manifest. If we don't, we'll end
up reusing the wrong metadata cache which won't have any metadata in
it for the new package manager.
Daan De Meyer [Thu, 16 Jan 2025 23:02:52 +0000 (00:02 +0100)]
Rebuild default tools tree before cleaning up other images
It turns out we have to put the used package manager in the cache
manifest as the metadata cache needs to be refreshed if the package
manager used changes, otherwise the metadata cache will be reused but
the new package manager won't actually be able to find any metadata
since the metadata cache contains metadata for another package manager.
To avoid running into all the problems we had previously trying to do
this, we have to make sure that the default tools tree is always available
whenever we run have_cache() on a (non-default tools tree) image, so that
the package manager we decide to use to build the image is always the same.
To achieve that, we make sure to rebuild the tools tree before doing checks
and cleaning up other images when doing a regular build. This means whenever
we call have_cache() the default tools tree will be available if it is used.
Daan De Meyer [Thu, 16 Jan 2025 21:42:23 +0000 (22:42 +0100)]
fedora: Use a lower repository metadata expire time for rawhide
Let's mimick Fedora's own rawhide repository configuration and use
a metadata expire time of 6h when building rawhide images so that
we don't end up keeping stale repository metadata around for too
long which will result in dnf being unable to find certain packages
as they will have been replaced by a newer version in rawhide already.
Daan De Meyer [Thu, 16 Jan 2025 13:53:16 +0000 (14:53 +0100)]
centos: Enable EPEL for c10s tools tree as well
Now that EPEL exists for c10s, let's enable it for the c10s tools
tree as EPEL has distribution-gpg-keys which is crucial to be able
to use c10s as a tools tree.
Daan De Meyer [Wed, 15 Jan 2025 22:07:07 +0000 (23:07 +0100)]
Add a keyring cache and use it for Arch Linux
Currently, the Arch keyring from the host or tools tree is always
used directly without any option to modify it (except by modifying
it directly on the host or in the tools tree). We also don't support
RepositoryKeyFetch= for the Arch Linux keyring and it's one of the
sources of annoying mounts outside of /usr which complicates
"mkosi sandbox".
Let's improve the situation by switching to our own pacman keyring
instead of using the one from the tools tree or host. Instead, we'll
only use /usr/share/pacman/keyrings from the host or tools tree to
populate the keyring we maintain ourselves. Users can extend the
keyring created by mkosi with their own keys via sandbox trees. If
RepositoryKeyFetch= is enabled, we'll download the archlinux-keyring
package and extract the keyring from there into the sandbox.
The keyring cache is maintained together with the repository metadata
cache. The only difference is that sync_repository_metadata() will
update the global package cache whereas the keyring directory is always
maintained per cache directory instead of globally.
We take the opportunity to stop using Michel's kernel-utils ppa with a
more recent archlinux-keyring package in favor of enabling
RepositoryKeyFetch= by default for Arch builds on Ubuntu.
Bjorn Andersson [Thu, 29 Feb 2024 15:00:13 +0000 (16:00 +0100)]
Introduce support for overriding system's DeviceTree
While experimenting with OS images on development boards where either
the bootloader doesn't load a Flattened DeviceTree Blob, or if one wants
to replace the one provided by the bootloader with a specific/new one
for development/experimentation/testing purposes, it's convenient to use
the OS-loaders ability to load a specific DeviceTree blob.
Add a new option to mkosi, to cause a specified DeviceTree blob to be
baked into the UKI, or copied into /boot and added to the systemd loader
entry.
As different distributions store the dtb files in different locations
the requested file is searched for in the locations spotted in Debian,
Fedora, Arch Linux packages (both from distro and kernel build system -
as these differs as well).
Resolves #2439
Based on initial effort by Manuel Traut.
Daan De Meyer [Wed, 15 Jan 2025 08:48:21 +0000 (09:48 +0100)]
Use MKOSI_HOST_DISTRIBUTION in config_default_tools_tree_distribution()
It doesn't really matter since we won't use the tools tree in the
sandbox anyway but this reduces the diff between mkosi summary outside
and inside the sandbox.
Daan De Meyer [Tue, 14 Jan 2025 14:32:20 +0000 (15:32 +0100)]
Make sure we use the same host distribution/release in sandbox
If the distribution is not explicitly specified in the config file
and the host distribution does not match the tools tree distribution,
then currently mkosi -f sandbox mkosi -f and mkosi -f will build images
for different distributions.
Let's make sure these commands use the same default distribution by
communicating the host distribution and release to the sandbox via
environment variables and using them to determine the default values to
use if available.
Martin Hundebøll [Tue, 14 Jan 2025 07:09:22 +0000 (08:09 +0100)]
Bind mount /dev/fuse in sandbox
/dev/fuse is needed to support building container images from within the
mkosi.build scripts. Make it avaiable in the sandbox just like /dev/null
and its friends.
Since not all mkosi builds runs in host contexts where /dev/fuse is
actually available, update the logic to skip the /dev/fuse node if it is
not present.
Daan De Meyer [Mon, 13 Jan 2025 11:10:29 +0000 (12:10 +0100)]
Only use extra search paths when running in sandbox
Since ExtraSearchPaths= might be built within the sandbox, we have
to make sure that we're in the sandbox when potentially executing
binaries from ExtraSearchPaths=. This was almost always the case,
except when setup= was used when constructing the sandbox, as the
command in setup= is executed outside of the sandbox.
To fix this we also had the option to remove the setup= argument
from sandbox_cmd() and execute the command from setup= within the
sandbox as well, but this would mean the synchronization mechanism
we added in https://github.com/systemd/mkosi/pull/3298 to make sure
we don't register vms with machined before the scope is started would
stop working, so for now we keep setup= and instead make sure we don't
use paths from ExtraSearchPaths= when executing the commands in setup=.
Implementation wise, we get rid of modifying mkosi's own $PATH to append
the extra search paths, and instead construct the proper $PATH in
sandbox_cmd().
Because we get rid of prepend_to_environ_path(), we also get rid of
the logic to construct a separate directory for any files listed in
ExtraSearchPaths=, but this logic turned out to be undocumented and
broken because the separate directory we add to $PATH wasn't mounted
into the sandbox so since this logic was always broken and nobody ever
complained we opt to remove it here to keep the implementation simple.
Luca Boccassi [Sat, 11 Jan 2025 01:48:47 +0000 (01:48 +0000)]
apt: avoid ?exact-name for systemd packages
There is a strange interaction between ?exact-name, apt repositories
generated by OBS and multiple architectures, that breaks installing
packages:
$ apt install --dry-run '?exact-name(systemd-cryptsetup)'
NOTE: This is only a simulation!
apt needs root privileges for real execution.
Keep also in mind that locking is deactivated,
so don't depend on the relevance to the real current situation!
systemd-cryptsetup is already the newest version (257.999+731+g8c5b35957-0).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
Unsatisfied dependencies:
systemd-cryptsetup : Conflicts: systemd-cryptsetup:i386 but 257.999+731+g8c5b35957-0 is to be installed
Conflicts: systemd-cryptsetup:arm64 but 257.999+731+g8c5b35957-0 is to be installed
systemd-cryptsetup:i386 : Conflicts: systemd-cryptsetup but 257.999+731+g8c5b35957-0 is to be installed
Conflicts: systemd-cryptsetup:arm64 but 257.999+731+g8c5b35957-0 is to be installed
systemd-cryptsetup:arm64 : Depends: libc6:arm64 (>= 2.38) but it is not installable
Depends: libcryptsetup12:arm64 (>= 2:2.7) but it is not installable
Depends: libssl3t64:arm64 (>= 3.0.0) but it is not installable
Depends: libsystemd-shared:arm64 (= 257.999+731+g8c5b35957-0) but it is not going to be installed
Conflicts: systemd-cryptsetup but 257.999+731+g8c5b35957-0 is to be installed
Conflicts: systemd-cryptsetup:i386 but 257.999+731+g8c5b35957-0 is to be installed
Error: Unable to correct problems, you have held broken packages.
It seems ?exact-name selects _all_ available packages, unless an architecture
is specified:
$ apt install --dry-run '?exact-name(systemd-cryptsetup:amd64)'
NOTE: This is only a simulation!
apt needs root privileges for real execution.
Keep also in mind that locking is deactivated,
so don't depend on the relevance to the real current situation!
Summary:
Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 0
But this only happens with the repository metadata format generated
on OBS. There are multiple formats, apparently.
So either we set the specific architecture in the common mkosi.conf,
or we need a separate mkosi.conf with a trigger to filter out releases
where the packages are not available.
I chose the latter as it the filters are fixed, while adding by architecture
means every time a new arch is added, it needs to be duplicated.
This is only necessary for packages that are hosted on OBS, ie: the
systemd ones.
projects / thirdparty / mkosi.git / log
