mkosi: properly remove root tree and /var/tmp between first and second build
Let's make sure to remove both the old OS tree and its /var/tmp file
after the first build finished and we ran the build script inside of it,
but before we start the next iteration.
This was an unfortunate typo I unfortunately didn't notice earlier. The
file was really supposed to be created as SHA256SUMS rather than
SHA256SUM, in order to follow Ubuntu's naming of the checksums of OS
images. Moreover systemd's importd tool will actually look for
SHA256SUMS rather than SHA256SUM.
Hence, let's rename this now, even if this is to some level a compat
break. But as nobody noticed this earlier I figure people didn't care so
far.
mkosi: also bind mount /var/tmp for the build script
This is a follow-up for efa2f8593f0adf1009a9b221b51fb2b5203ac81c, and
also ensures /var/tmp is writable during the main build script
invocation (in addition to the already patched "workspace" invocations).
mkosi: optionally sign resulting kernel images with "sbsign" for UEFI SecureBoot
Maybe one day we can also support using "pesign" for this, but for now
"sbsign" is much simpler to use, and fits neatly into mkosi's design as
we can simply invoke it with key material loaded from mkosi.* key
material in the working directory.
This also moves the "Bootable" information away from the "Partitions"
section, and into the "Output" section, as "Bootable" is hardly a
specific type of partition, but more general information about the
output.
mkosi: generate a unified UEFI kernel+initrd binary as last step of the build
On verity-enabled builds we want to embedd the root hash of the root
file system in the kernel command line, and want to package the kernel,
the initrd, a kernel command line as a single EFI executable that later
may be signed.
This adds an aditional step to the build process: after the verity data
has been generated, invoke "dracut --uefi" in the image to generate the
unified image, and place it in /EFI/Linux in the ESP. sd-boot already
knows how to deal with these single-file boot items, hence this is
sufficient to make a boot image appear in its menu.
This also disables ESP kernel installation during the usual RPM process,
as we aren't interested in the images generated that way.
This patch makes the necessary changes for all of this only for Fedora.
Other distributions using dracut should be able to make the similar
logic work, but that's left for a later commit.
(the roothash= related bits in this PR will only be honoured by systemd
at boot-time with https://github.com/systemd/systemd/pull/4879 in place)
mkosi: tweak the default fedora package list in some conditions
When we generate a bootable ext4 image, include the e2fsck in the image. Similar for btrfs. This way we can properly fsck all devices during boot.
The Arch Linux code already had a similar tweak, let's copy that.
Also, install "cryptsetup" if encryption is requested. Strictly speaking
nothing will call the tool, however Dracut uses it has condition when to
pack DM rules into the initrd. Hence let's add it for now, even though
we can eventually drop this, when Dracut gets fixed.
This makes sure the --read-only setting has an effect on the GPT
read-only flags of the root partition.
Note that we generate the sfdisk lines in a format that works around an
sfdisk bug with older version: we place the partition name last in each
line, as we need to enclose it in "", but the sfdisk parser is confused
by it otherwise. (See: https://github.com/karelzak/util-linux/issues/380)
This adds an additional scripting hook to the build script. We look for
"mkosi.postinst". If it exists the script will be run as last step of the
each build. The script will be passed one parameter: either "build" or
"final", depending if it is invoked on the first iteration of the image
creation (the "build phase") or the second iteration (the "final
phase").
There's no point in running it for any of the other commands, and as it
conflicts with using nspawn on the directory as is let's just mount them
for the shortest possible time.
mkosi: pass the same uuid to all nspawn invocations
This is useful so that tools that need one have always the same. This is
particularly useful for dracut which uses the machine ID for creating
directories in the ESP.
mkosi: let's remove if checks from build_image() a bit
Let's move most remaining if conditions into the functions we are about
to call. This way the flow of control of build_image() is easier to
follow as the exceptions are hidden and the common flow of control
emphasised.
There's really nothing to hide here, and installation might fail
if the cache is not readable:
W: Can't drop privileges for downloading as file '/var/cache/apt/archives/partial/libexpat1_2.2.0-1_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
We need to do some buffering here, because the files we are hashing can be gigabytes
in size, but Python loops are slow, so it's better to use a larger buffer.
mkosi: extend complete_step with customizable end message
A context manager cannot see any values from the block directly, so
a mutable object (list) is used to pass the state to format the final message.
This isn't entirely elegant, but I think it is worth it, because it allows
the opening and closing messages to be specified next to one another and makes
things a bit more concise and consistent.
This adds a new switch --verity. When passed the root partition will be
complemented by a dm-verity partition, and the root hash is written to a
<image>.roothash file, as well as printed to the status output.
If this mode is enabled the partition UUID of the root partition is
changed to the first 128bit of the top-level hash, and the partition
UUID of the verity partition is changed to the second (and final) 128bit
of the top-level hash (assuming sha256 is used as hash algorithm, which
is the default). This means the two partitions can be easily determined
from the specification of the roothash alone. Since both the root
partition and the verity partition in this case are read-only and the
roothash describes both it's a good candidate for using as partition
UUID.
The partition type UUID of the verity partition is initialized to a new
set of UUIDs that match the existing per-architecture root partition
type UUIDs, that I generated randomly.
mkosi: if we build a read-only image, use nspawn's --overlay= switch to make /root/src writable
This way, we can build on the source tree even if the disk image is
read-only. This primarily useful for squashfs where the file system
can#t be made writable even if we wanted to. We turn this on for all
kind of read-only images however, to keep the codepaths similar, and to
isolate the build artifacts from the disk image we build from.
This makes use of the new nspawn --overlay=+/root/src::/root/src syntax
added by #4694.
When the commands fail, it is useful to see the their error output.
In the normal case they don't print anything, so it should be OK
to just remove the redirection.
THis adds a new type raw_squashfs that refers to a GPT disk image with a
compressed root file system as squashfs. Note that directories such as
/home and /srv are left ext4, as they generally are supposed to be
writable, if configured.
Images made like this are particularly useful with nspawn's --volatile=
switch which permits ready-only root images, with writable /var.
mkosi: make sure to create /root/dest when prepping image
if we create a read-only image we might not be able to rely on nspawn's
automatic creation of the dir due to --bind=. Hence, let's create the
dir early on, so that --bind= can just mount things there, and doesn't
have to create the dir explicitly.
mkosi: make sure /run and /tmp are empty in the disk image
Let's mount a tmpfs to /run and /tmp while we put together the image, so
that anything the install scripts install there does not end up in the
disk image.
Jonathan Groth [Tue, 25 Oct 2016 23:45:36 +0000 (19:45 -0400)]
README: ensure fedora is distro used in directory example (#33)
If "-d" is not used, distribution is autodetected. This line was supposed to install Fedora though,
so add "-d Fedora" so no autodetection is performed.
Felipe Sateler [Wed, 12 Oct 2016 13:58:02 +0000 (10:58 -0300)]
debian: Use apt for installing extra packages
Debootstrap does not have a proper dependency resolver, so installing
extra stuff with it will cause conflicts. For example, installing
libpam-systemd will bring in systemd-shim as first preference, which
conflicts with systemd-sysv. Instead, only install the base system with
debootstrap, and then use apt to install the extra packages.
Fix argument parsing for --boolean and --use-git-files
bool('0') evaluates to True, so type=bool does not work as expected.
It is necessary to use a helper function which converts strings to
True/False as expected.
README: tweak qemu invocation to avoid warning, recommend edk2-ovmf
WARNING: Image format was not specified for 'image.raw' and probing
guessed raw. Automatically detecting the format is dangerous
for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
In a git repo, do not copy files that git itself would ignore
The file list to copy is generated using git ls-files --other --cached,
i.e. anything in git ignore lists is ignored.
Without that, mkosi chokes on the test/sys directory in systemd source
tree that is generated as part of tests. I think the new behaviour is
a good default, since most of the times people are going to be running
this from a git tree anyway.
Also skip .git directory by default.
This requires mkosi.build to be updated to remove 'git clean …'.
projects / thirdparty / mkosi.git / log
