This does not work as a per distribution CacheKey= means that
we can switch between distributions without invalidating caches,
meaning the output files won't be removed yet will still be those
of the previous distribution rather than the new one.
Revert for now until I figure out a better approach.
Avoid invalidating all caches on mid-build-failure recovery
Previously, repository_metadata_needs_sync() returned True whenever any
Cacheonly=auto image lacked a cache, which caused run_clean() to wipe
every image cache to avoid partial-upgrade scenarios. As a result, if
mkosi was building several images for the first time and one of them
failed mid-way, the next run would re-sync metadata, wipe the caches of
the images that had already succeeded, and rebuild everything from
scratch.
Use the manifest file as a "previously cached" marker — it's written
when an image builds successfully and survives even after the cache
contents go stale — and only re-sync metadata (and invalidate all
caches) when every incremental image was previously cached and at least
one of them is now out of date. In the mid-build-failure case, the image
that failed never wrote a manifest, so we don't trigger the re-sync and
the surviving caches are preserved.
For all-non-incremental setups we keep the previous behavior of always
syncing — there are no caches to preserve and every build downloads
packages. In a mixed setup, the non-incremental images are ignored by
the heuristic and may eventually fail because of stale metadata, but
that's the cost of mixing them with incremental images we want to
preserve.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nspawn: Drop logic to run systemd-repart on the image before booting
This bit still requires root and it's unlikely we'll ever be able to
make it work unprivileged. Instead we should probably do something with
mstack in the future instead. But for now let's drop this logic so that
booting (verity signed) disk images works unprivileged on systems with
nsresourced and mountfsd.
Fall back from nsresourced on UserNamespaceInterfaceNotSupported
This fixes an issue with running mkosi on postmarketOS, where mkosi
was failing if nsresourced was unable to initialize BPF support. The
error is treated the same as InvalidParameter so mkosi falls back to an
unprivileged user namespace when the kernel lacks BPF LSM support.
Work to enable BPF LSM support there is ongoing[1].
Build UKI when making directory images with Bootable=auto
qemu supports direct kernel booting UKI images with virtiofs as the
rootfs so let's make that work by building UKIs if we're building
directory images with Bootable=auto. Importantly, we build a UKI
without an initrd in that case so that the time consuming step of
building the initrd is still skipped.
Add DriveType= setting for qemu root disk device type
Add a new DriveType= setting that allows configuring the device type
used for the root disk when booting a virtual machine with qemu. The
supported types are virtio-blk (default, preserving existing behavior),
virtio-scsi, and nvme.
Previously, the only way to use nvme was by manually adding qemu device
arguments via QemuArgs=. This makes nvme a first-class option.
When Removable= is enabled, the drive type is forced to virtio-scsi
regardless of the DriveType= setting, preserving existing behavior.
Signed-off-by: Christian Brauner <brauner@kernel.org>
Daan De Meyer [Sat, 28 Mar 2026 15:10:51 +0000 (15:10 +0000)]
detect_distribution: Fall back to default_release() when VERSION_ID is unset
Some distributions like Arch Linux don't set VERSION_ID in their
os-release file (they use BUILD_ID=rolling instead). This caused
detect_distribution() to return None for the release, which had two
consequences:
1. The MKOSI_HOST_RELEASE environment variable was never propagated
into sandbox/box environments (since the truthy check at the
sandbox setup skipped it), losing host release information.
2. The cache key specifier &r expanded to an empty string, producing
cache paths like arch~~x86-64~main.cache instead of the expected
arch~rolling~x86-64~main.cache.
Fix this by falling back to the distribution's default_release() in
detect_distribution() when VERSION_ID is not available. This also
allows simplifying the hr is not None guard in config_default_release()
to a simple truthy check, since detect_distribution() now always
returns a release for known distributions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Daan De Meyer [Fri, 27 Mar 2026 13:57:28 +0000 (14:57 +0100)]
vmspawn: Add support for FirmwareVariables=
Use vmspawn's new --firmware=describe to query the selected firmware
description as JSON, and extract the NVRAM template path from it. This
avoids duplicating vmspawn's firmware selection logic in mkosi.
The NVRAM template is then prepared via finalize_firmware_variables()
(handling custom cert enrollment, MOK enrollment, or plain copy) and
passed to vmspawn via --efi-nvram-template.
We also pass --firmware-features to vmspawn so it selects the right
firmware description (e.g. secure-boot, enrolled-keys).
As part of this, finalize_firmware_variables() is refactored to accept
the vars template Path directly instead of the full OvmfConfig, with
the vars format logic moved to the run_qemu() caller since vmspawn
does not need it.
Andre Wagner [Wed, 25 Mar 2026 10:47:29 +0000 (11:47 +0100)]
Allow multiarch in mkosi.sources
If the mkosi.sources contains other package sources for other
architectures (e.g. armhf or arm64 from ports.ubuntu.com)
than the architecture it is build for (e.g. amd64), then
apt will fail because of package conflicts of the form:
Even if the versions meantioned there are exactly the same
and apt is run with:
APT::Architecture="<debbuildarch>" and APT:Architectures="<debbuildarch>"
So adding ?architecture(<debbuildarch>) really forces
<buildarch> on all packages, the packages for other architectures
are not considered anymore and building succeeds.
The underlying problem seems to be that ?essential apt-pattern
(and perhaps all other apt-patterns) do not filter with
APT::Architecture(s)
Jörg Behrmann [Thu, 26 Mar 2026 08:31:53 +0000 (09:31 +0100)]
Add /usr/local/bin to PATH
While things installed in images can be controlled by the image creator and
should go to /usr/bin, they can't always control where tools install things and
so adding /usr/local/bin to PATH is an often needed workaround.
Daan De Meyer [Mon, 23 Mar 2026 19:43:29 +0000 (20:43 +0100)]
Allow booting directory images owned by root if running as root
Alternative to #4214. While we still don't support booting images
built as non-root uids without the foreign UID range, we can make
an exception for images built and booted as root.
Daan De Meyer [Mon, 23 Mar 2026 19:58:41 +0000 (20:58 +0100)]
qemu: Drop support for booting with BIOS firmware
We want to drop support for mkosi qemu sooner rather than later and
rely on systemd-vmspawn. Since we won't add BIOS firmware support
to systemd-vmspawn, let's drop support for booting with BIOS firmware.
This is quite useful to figure out what configuration is used.
(I considered adding an option to allow arbitrary mkosi verbs.
But most verbs either don't make sense or don't work. E.g. 'shell'
could be potentially useful but it doesn't support cpio atm. So
limiting this to 'summary' for now seems OK. Having an easy way
to show the config will be useful even if we add a more generic
hookup into mkosi later.)
config: change comma|newline separators to comma|whitespace
Configuration like 'FirmwareFiles=intel/ibt-0093-* intel/ipu/*' would be
interpreted as a single word. This is surprising and not useful. In
practice, none of the names that we use should ever have a space in
them. Change the parsing for host names, profile names, artifact output
lists, includes, dependency names, scripts, repository names, manifest
formats, repart directories, packages, package directories, trees, files
to remove, uki profiles, initrds, device trees, module and firmware
include/exclude lists to accept any-whitespace|comma instead of just
newline|comma as separators.
(The parsers that used space|newline as separators are not touched.)
Arguably, this is a compat break. But I think it's unlikely to matter in
any practical case and the removal of the surprising behaviour is more
important. The case where a space would be most likely to be used is
RemoveFiles… Fortunately that setting takes a glob so the user can just
"escape" the path with space as '?' or something to make it work.
This makes the callers a bit simpler because then they don't need
to do explicit conversions of the returned object.
There are a few callers which previously turned the value into a
set, and one other caller which passed the value to make_cpio,
which turns it into a list with sorted(files). So the change should
be a noop.
The tools that mkosi invokes are often quite verbose. So let's also
print what those executed commands are by default. This makes it
easier to figure out what is going on and doesn't change the total
number of printed lines too much.
Kai Lüke [Tue, 17 Mar 2026 14:51:45 +0000 (23:51 +0900)]
Handle absence of /home gracefully
When running mkosi nested in a systemd unit where /home exists but is
empty as a special build user is used, then the inner mkosi fails to
bind mount /home for some reason. Since this won't be interesting to
bind mount anyway, skip the bind mount.
Michael Vogt [Tue, 17 Mar 2026 11:11:48 +0000 (12:11 +0100)]
manifest: use `dataclasses.asdict` in PackageManifest
PackageManifest is already a dataclass and now we include
all fields so we can just use `dataclasses.asdict()` to convert
PackageManifest to a dict instead of doing it manually.
Michael Vogt [Thu, 12 Mar 2026 16:10:27 +0000 (17:10 +0100)]
manifest: include size in PackageManifest
For many use-cases the package size is interesting information,
e.g. when trying to build small images. Its also not that much
extra data so this commit adds it to the default manifest.
Kai Lüke [Mon, 2 Mar 2026 02:39:24 +0000 (11:39 +0900)]
Allow printing of step durations with CLI flag
The printing of the duration for each step was behind the --debug flag
which adds more noise when one is just interested in the build times.
Also, the printing of the step duration serves as good marker during
log reading to understand where the above log output belongs to.
Add a new --debug-timing flag to always print the step durations.
Kai Lüke [Mon, 2 Mar 2026 02:17:53 +0000 (11:17 +0900)]
Add context to log output
Currently it's not really easy to know which log output belongs to which
mkosi image when there's the tools tree image, the main image, and any
sub images.
Add a log prefix that remembers the current image so that it's not just
"‣ Installing Fedora Linux" but "‣ [tools] Installing Fedora Linux",
"‣ [default-initrd] Installing Fedora Linux", and
"‣ [main] Installing Fedora Linux".
Tulip Blossom [Mon, 16 Mar 2026 08:43:50 +0000 (05:43 -0300)]
Explicitly fail on socket connection if connection is denied
When the user does have `systemd-nsresourced`, but the socket is unavailable for any reason (i.e. when the service is disabled/stopped), mkosi gets a `Connection refused` error and hangs instead of getting a varlink error.
For the swtpm work in systemd it's kinda handy being able to spawn an
swtpm during initrd as a fallback solution for tpm-less systems. To do
this we need the vtpm kernel module. Add it.
Luca Boccassi [Wed, 11 Mar 2026 01:00:36 +0000 (01:00 +0000)]
Revert "debian: use new tpm2-tss metapackage instead of library packages"
This actually makes life harder when building UKIs for multiple
distros on the same OBS project, so revert it for now. Once
trixie stops being interesting to build it can be readded.
Daan De Meyer [Tue, 10 Mar 2026 13:46:22 +0000 (14:46 +0100)]
ci: Add claude-review workflow
Same as in systemd repo, allows asking claude to review pull requests.
While we're at it, add some instructions for agents when working with
the mkosi repository.
Luca Boccassi [Mon, 2 Mar 2026 22:49:16 +0000 (22:49 +0000)]
Use userdbd creds instead of manual useradd call for mkosi user
This helps dogfooding one more bit of systemd, and also makes it
resilient to a factory reset.
userdbd was introduced in v245 in 2019, so should be fine to use.
Daan De Meyer [Mon, 9 Mar 2026 08:43:10 +0000 (09:43 +0100)]
Rework credential serialization/deserialization
Currently this is lossy as paths are deserialized as strings instead
of Paths. Make this non-lossy by introducing a dataclass and a special
serialization format.
Daan De Meyer [Thu, 26 Feb 2026 19:03:20 +0000 (20:03 +0100)]
Store outputs in config directory by default
If no output location is explicitly configured and we have a mkosi/
subdirectory, let's store the .mkosi-private directory and the tools
tree and everything else there instead of in the top level directory.
Daan De Meyer [Mon, 2 Mar 2026 17:22:16 +0000 (18:22 +0100)]
Fix error checks for nsresource_allocate_user_range()
We have to check for VarlinkError(org.varlink.service.InvalidParameter)
instead of errno.EINVAL. While we're at it, check for FileNotFoundError
instead of OSError(ENOENT) as well.
Daan De Meyer [Thu, 12 Feb 2026 10:45:01 +0000 (11:45 +0100)]
Add support for using the foreign UID range for directory images
systemd recently introduced the foreign UID range to enable unprivileged
nspawn containers using directory rootfs trees. Let's get rid of all our
hacks to get directory images booting in nspawn and qemu and instead insist
on the foreign UID range when booting directory images.
Because the foreign UID range is rather new, we don't insist on using it
to build images. The new ForeignUIDRange= option has to be enabled to make
use of the foreign UID range. When enabled, we'll enter a user namespace
with the foreign UID range mapped into it when building an image and use
systemd-dissect at the end of the image build to recursively chown the
directory image to the foreign UID range.
run_clean() now needs access to the foreign UID range to remove directory
trees owned by the foreign UID range so we run it with fork_and_wait() as
well now.
To get access to the foreign UID range, we use a few extensions to
AllocateUserRange() from systemd-nsresourced which means we add a minimal
varlink implementation to sandbox.py.
To boot directory images with systemd-nspawn and systemd-vmspawn, we have
to delegate a transient UID range to the mkosi sandbox so that it can be
allocated to systemd-nspawn as a transient UID range by systemd-nsresourced.
For mkosi qemu, we have to set things up for virtiofsd ourselves which we
do with the new --bind-foreign option for mkosi-sandbox in which case it does
the same setup that vmspawn does for virtiofsd itself.
Because we don't use newuidmap/newgidmap anymore in run_qemu() now, there's no
need to run image builds in a fork anymore. Instead, we can join a user namespace
with some delegated UID ranges and the foreign UID range which will suffice both
for the image builds and for nspawn/vmspawn/qemu. So this commit also gets rid of
various uses of fork_and_wait() across the codebase which aren't required anymore.
All the foreign UID range functionality will require systemd v260 or newer,
specifically the following PRs:
- https://github.com/systemd/systemd/pull/40212
- https://github.com/systemd/systemd/pull/40564
- https://github.com/systemd/systemd/pull/40415
Kai Lüke [Tue, 24 Feb 2026 14:38:33 +0000 (23:38 +0900)]
Allow nesting mkosi box both sessions and indicate nesting in prompt
So far nesting mkosi box was forbidden because it's confusing if there
is no indicator. For scripts running commands it would not be an issue,
though, and one would force MKOSI_IN_BOX=0 for that. But with
SHELL_PROMPT_PREFIX becomming common we can now indicate the current
level of nesting.
Allow mkosi box nesting for both interactive and scripted usage without
requring a MKOSI_IN_BOX overwrite. Indicate the current nesting level in
the shell prompt.
Petr Pavlu [Fri, 20 Feb 2026 16:35:49 +0000 (17:35 +0100)]
zypper: Use --oldpackage when downgrading packages is allowed
Commit 78f155bb ("Add support for downgrading when installing volatile
packages") introduced the allow_downgrade parameter to the
PackageManager.install() method. The motivation for adding this parameter
was to ensure that when updating volatile packages, mkosi can install
a local package even if it is older that what the distribution provides.
For zypper, the parameter was implemented by adding the --allow-downgrade
option to the tool's install command. However, this doesn't work fully and
volatiles packages might not be properly updated. The issue is that even
though the --allow-downgrade option allows the solver to downgrade
installed packages, zypper rejects the operation if the selected package is
not the latest version available in the repositories.
To force the installation of an older package, zypper additionally provides
the --oldpackage option. Use this option in Zypper.install() for correctly
updating volatile packages.
Clayton Craft [Fri, 20 Feb 2026 19:06:57 +0000 (11:06 -0800)]
kmod: actually ignore missing module deps
Prior to f9e7527e, IIUC modules in todo were ignored when they were
popped and `moddep.get(m)` returned None for any modules that were
missin. After f9e7527e, missing modules aren't actually ignored, which
leads to e.g.:
```
‣ aes is a dependency of cifs but is not installed, ignoring
‣ nls is a dependency of cifs but is not installed, ignoring
‣ aead2 is a dependency of cifs but is not installed, ignoring
modinfo: ERROR: Module name nls not found.
```
(nls.ko doesn't exist, and shouldn't exist in recent (6.19-ish) kernel
trees)
Daan De Meyer [Thu, 19 Feb 2026 13:00:52 +0000 (14:00 +0100)]
Stop setting hostname via kernel command line
This overrides the hostname from other sources, such as the nspawn
config file. Given we have DEFAULT_HOSTNAME= now, let's have users
use that and stop setting it explicitly ourselves.
Daan De Meyer [Thu, 19 Feb 2026 10:28:55 +0000 (11:28 +0100)]
nspawn: Add --suppress-sync=yes by default
We're doing development containers, so making sure changes actually
hit the disk isn't all that important. Let's add --suppress-sync=yes
by default to speed things up. This prevents
systemd-machine-id-commit.service from delaying the boot by 5s every
first boot of a container.
Jörg Behrmann [Wed, 18 Feb 2026 13:07:05 +0000 (14:07 +0100)]
config: exclude multiple inheritance from JSON loading typing
As pointed out in [1], the reason that ty cannot infer that the assignment of
the dict instance s to the dict j when loading JSON after checking that s is
instance of dict, is because multiple inheritance is a thing and the passed in
object could be a dict that doesn't have string keys, but does have a read
method. So let's be explicit and disallow these unhandled cases. This also
fixes that the order of these branches is not stable against reordering with
pyright and type checking fails if e.g. the check for the read attribute is
moved above the dict instance check.
Jörg Behrmann [Mon, 16 Feb 2026 12:17:26 +0000 (13:17 +0100)]
config: annotate json object before assignment
This makes comments from type checkers clearer in this case, since the type is
clear before it is first assignment, but what is assigned to the object comes
from different functions.
Daan De Meyer [Mon, 16 Feb 2026 08:05:54 +0000 (09:05 +0100)]
Remove all cached images if repository metadata will be synced
If we don't do this, and packages are installed in postinstall scripts,
we can end up in partial upgrade situations, where we install packages
that depend on newer versions of libraries that are installed. This is
particularly a problem on Arch Linux, which explicitly does not support
partial upgrades.
To solve the issue, if we decide we need to sync repository metadata,
remove all cached images.
To avoid removing syncing repository metadata (and thus removing all
cached images) when a cached image is invalidated, CacheOnly=metadata
can be configured for the image.
Daan De Meyer [Sat, 14 Feb 2026 21:37:43 +0000 (22:37 +0100)]
Look at all CacheOnly= settings to determine if we need to sync metadata
Instead of only looking at the CacheOnly= setting of the main image,
let's allow subimages to also configure it to instruct whether repository
metadata should be synced for that image or not.
Also, let's change the behavior of "auto". Currently, we don't sync
repository metadata as long as we have a cached image. The idea behind
this was to avoid weird problems when installing packages in postinst
scripts or such that would see newer repository metadata than the repository
metadata that the image was built with.
While this still holds, the problem with the current approach is that
for regular uses, the default initrd will always have a cache and as such,
even when the main image is out-of-date, we still won't sync repository metadata,
eventually resulting in the repository metadata being so out of date that
the packages can't be found in the mirrors anymore.
The latter is much more likely to happen than the former, so let's sync
repository metadata every time we have any image that does not have a cache.
The user now has the option to customize the behavior per image if they don't
like the default behavior.
Gregory Price [Fri, 23 Jan 2026 19:48:09 +0000 (14:48 -0500)]
config / qemu: add Console=headless
Add a headless option for Console so automation can run the qemu
instance in a background task. In the current modes, qemu just
exits on boot because the console has nothing to attach to.
vmspawn does not support headless for now, just die if this is set.
Turns out using python3.12 on CentOS causes more issues than
we thought it would, so let's revert the move to python 3.9.
Instead, we'll conditionally import Union in sandbox.py only on
python 3.9 and use the Union operator otherwise.
projects / thirdparty / mkosi.git / log
