Luca Boccassi [Fri, 28 Nov 2025 12:18:09 +0000 (12:18 +0000)]
initrd: pass through --architecture when parsing config files for kmods
--architecture is currently ignored when building the list of
kernel modules, so the native one is used, breaking cross-builds
when there are architecture-specific configs to include modules
Marc Herbert [Fri, 7 Nov 2025 02:04:19 +0000 (18:04 -0800)]
config.py: add config_default_proxy_exclude()
Automagically defaulting --proxy-url to a proxy value found in the
environment is nice. But it backfires seriously when not ignoring the
no_proxy= value in the same environment, because it effectively blocks
access to internal mirrors with timeouts and/or confusing error
messages.
Signed-off-by: Marc Herbert <marc.herbert@intel.com>
Daan De Meyer [Mon, 3 Nov 2025 08:59:03 +0000 (09:59 +0100)]
installer: Only mount configured state subdirs into sandbox
This got lost somewhere with the countless refactorings. Let's not
mount a state directory to /var/lib unless one is configured. Most
package managers don't actually store anything there that we care
about and if we use PackageCacheDirectory=/var, we might end up mounting
too much state there, such as the pacman host db lock file.
Daan De Meyer [Sat, 25 Oct 2025 21:10:16 +0000 (23:10 +0200)]
sandbox: Drop all capabilities that don't make sense in userns
When unsharing a user namespace, we get a full set of capabilities,
of which a ton don't make sense to keep. Why drop them? Because it's
possible that other tools check if they have the required capabilities
to run, like systing now checking if it is invoked with CAP_BPF. If
we don't drop CAP_BPF, systing will think it's able to attach BPF
programs even though in reality it can't as CAP_BPF in a user namespace
doesn't actually allow you to attach BPF programs.
While we're at it, let's be a bit more thorough with the capability
logic and make sure we modify all capability sets to only contain the
capabilities we want to keep.
Respect SYSTEMD_TINT_BACKGROUND and SYSTEMD_ADJUST_TERMINAL_TITLE
When mkosi creates a new console with systemd-pty-forward, it sets a
custom (dark) color, which might not play nice depending on your
terminal theme. Environment variables SYSTEMD_TINT_BACKGROUND and
SYSTEMD_ADJUST_TERMINAL_TITLE allow the user the customize this behaviour, but
they were ignored until a recent change in systemd (c.f. 9c3359f).
Modify mkosi behaviour to respect SYSTEMD_TINT_BACKGROUND and
SYSTEMD_ADJUST_TERMINAL_TITLE when calling systemd-pty-forward.
Daan De Meyer [Fri, 24 Oct 2025 10:29:44 +0000 (12:29 +0200)]
log: Drop konsole hack
You have to configure
"Menu->Settings->Configure Konsole... ->General->"Show window title on the titlebar"
and then konsole will show the window title as expected, so drop the
hack.
Daan De Meyer [Thu, 23 Oct 2025 06:25:23 +0000 (08:25 +0200)]
mkosi-vm: Enable universe repository for ubuntu in mkosi-vm
dbus-broker, systemd-boot and various other packages installed by
mkosi-vm come from the universe repository, so let's enable it for
the mkosi-vm config.
Jörg Behrmann [Wed, 22 Oct 2025 11:53:56 +0000 (13:53 +0200)]
log: make OSC escape sequences valid
OSC escape sequences ("ESC ]" aka "\033]") need to be terminated with a string
terminator code ST ("\033\").
Commit f26cb341 introduced some OSC escape sequences that resulted in all mkosi
output being hidden when using the Kitty terminal:
https://github.com/kovidgoyal/kitty/issues/9139
Daan De Meyer [Tue, 21 Oct 2025 11:33:10 +0000 (13:33 +0200)]
Drop support for CDROM=
We want to align on systemd-vmspawn in the future, and it's very
unlikely it'll ever support this option, so let's drop support for
it since it's very niche and not useful except for testing systemd-repart
ISO stuff.
Daan De Meyer [Tue, 21 Oct 2025 11:27:29 +0000 (13:27 +0200)]
Remove support for RuntimeScratch=
systemd-vmspawn solves the problem solved by RuntimeScratch= by
resizing the entire image instead. Let's align with vmspawn and drop
RuntimeScratch= and require users to use RuntimeSize= instead.
Martin Hundebøll [Mon, 20 Oct 2025 07:24:23 +0000 (09:24 +0200)]
Match compressed pacman packages too
Arch packages can be compressed using various codecs, in which case the
package filename is suffixed with the compression method (e.g. .zst for
zstandard compression). Make sure to find such compressed packages in
the volatile package directory exposed to the build script as
$PACKAGEDIR, so they are installable using VolatilePackages=.
Fixes: 71ffced0 ("Rework PACKAGE_GLOBS to be a PackageManager classmethod")
Daan De Meyer [Thu, 16 Oct 2025 12:52:37 +0000 (14:52 +0200)]
Make sure apt sources are installed when BaseTrees= is in the mix
Let's make sure to install apt sources every time we install the apt
package, even if BaseTrees= or volatile packages or such are in the mix.
To make this work we unfortunately have to reintroduce install_packages().
While we're at it, make sure the installed apt sources don't use the
configured mirror or snapshot. We only install a default set of sources
and for anything custom users should install their own sources.
Daan De Meyer [Fri, 17 Oct 2025 07:36:46 +0000 (09:36 +0200)]
Simplify implementation of distribution installers
- Use __init_subclass__() to automatically have distribution
installers register themselves with the DistributionInstaller class
on import
- Remove duplicated methods from Distribution that only forward to the
corresponding DistributionInstaller and instead have callers access
the Installer class directly. Make it a property to make this less
verbose
Daan De Meyer [Wed, 15 Oct 2025 19:39:02 +0000 (21:39 +0200)]
Look for .sdmagic before we consider a PE binary a UKI/addon
In ubuntu devel they started using the stubble bootloader for their
kernel images which includes a .linux and a .osrel section which means
it identifies as a UKI so we skip it. Let's additionally look for
.sdmagic as a workaround to fix this for now.
To implement this we can't make use of bootctl kernel-identify anymore
so we reimplement the logic ourselves with pefile. While we're at it,
we move KernelType to bootloader.py as it makes more sense to live there
than in qemu.py.
Let's introduce some profiles and remove unused packages to reduce
the size of the default image.
Both building the rpm and running mkosi inside the default image are
only rarely useful and shouldn't slow down image builds by default,
so we move both of these operations into their own profiles.
We drop the fish,zsh shells from the default image and also drop
qemu-user-static.
We also clean up a little inside mkosi-vm, getting rid of duplicated
packages across the main and per distro configs.
Daan De Meyer [Wed, 15 Oct 2025 10:32:13 +0000 (12:32 +0200)]
Add support for assert sections
Often you only want to support a single distribution. Adding a
[Match] section to mkosi.conf will be very confusing for users as
they will end up with an empty image. By using [Assert], they'll get
a clear error that what they're doing is not supported.
Daan De Meyer [Wed, 15 Oct 2025 10:58:40 +0000 (12:58 +0200)]
ubuntu: Switch to devel as the default release
Same reasoning as for the other distros, devel will always point to
something recent, whereas hardcoding stable release names will get out
of date very soon.
Daan De Meyer [Thu, 9 Oct 2025 06:50:44 +0000 (08:50 +0200)]
Don't unconditionally sync when PackageCacheDirectory=/var
If PackageCacheDirectory=/var and a cache directory is not configured
(like in mkosi-initrd), then we'd always sync repository metadata,
regardless of the value of CacheOnly=. Let's fix that by disallowing
CacheOnly=metadata|always if a cache directory is not configured and
only syncing if CacheOnly=never|auto, regardless if a cache directory
is configured or not.
config: serialize dataclass instances in our JSONEncoder
During config parsing we have partial dictionaries of our config, that are not
our Config object, but that we need to serialize as well. These may contain
dataclass instances such as ConfigTree objects on which the default encoder
chokes.
There are many many kernel packages in pmOS+Alpine and the pkg names
don't follow any specific pattern that sets them apart from some other
non-kernel packages, so the implementation tries to exclude known
pkgs that are not kernels and assume anything that doesn't match these
package names/patterns are kernel packages.
Currently, because we build the default initrd as a substep of building
a regular image, we have lots of special cased logic for it and we still
propagate settings manually from the regular image to its default initrd.
Let's streamline this by treating the default initrd as a regular image.
The only complication about making this change is that we used to build
the default initrd on demand only if a kernel was actually installed into
the image. Because we have to make the decision of whether to build the
default initrd or not way earlier now, we can't check if kernels were
installed into the image or not. Instead, we check if any known kernel
packages are listed to be installed which should be a decent enough
heuristic.
Another regression is that the default initrd won't have access to any
packages built as part of the main image build anymore. We used to rely
on this in systemd but now we build the systemd packages in a separate
build subimage and those will still be available to the default initrd
image build.
We have to stop using Bootable=yes in a few tests as using it now means
the resources folder has to be available and we don't propagate it
during tests.
apk does not use any subdirectories under /var/cache/apk to store
packages, which means that our usual tricks to mount package cache
directories from the package cache directory and repository metadata
from the metadata cache directory into the expected locations don't work.
There might be a way to get this to work with overlayfs but this would
be a very complex change. Instead, let's just disable repository metadata
caching for apk and always use the package cache directory for everything.
Let's simplify things by always caching repository metadata per image
instead of sharing repository metadata for some scenarios. We already
stopped sharing repository metadata for pacman and zypper due to these
package managers not being able to handle this use case. For dnf and apt,
while they can handle the use case, the repository metadata isn't so big
that sharing it across multiple mkosi projects saves a lot.
On the other hand, we can drastically reduce complexity by not sharing
repository metadata and reduce the number of copies as well. Instead of
always copying repository metadata to a temporary directory, we now have
package managers read it directly from the metadata cache directory if one
is configured and a temporary directory otherwise. This avoids having to copy
the repository metadata around completely which means we can remove
copy_repository_metadata() completely.
To avoid introducing a requirement on Incremental=yes to have cached repository
metadata, we simply always create a repository metadata (and keyring) cache if
a cache directory is configured. The usage of repository metadata and keyring
caching is now fully independent of Incremental=. Only CacheOnly= will affect
whether we sync repository metadata or use the already cached repository metadata.
When cleaning, we stop cleaning repository metadata and keyring caches with -ff
and move this to -fff. Additionally, we stop making -fff clean up the package cache
as I doubt users will ever want to clean up the shared package cache with mkosi clean
and are mostly interested in cleaning up their project directory of mkosi files.
Currently we only read uppercase variables starting with a letter, but shell
variables only restriction is not starting with a number, so lowercase names
and names starting with an underscore are allowed.
Add ASCII flag to regexes using backslash character classes
By default Python regexes like strings are unicode meaning that they match
anything unicode consides, e.g. a number in the case of \d, which is more than
the usually expected [0-9]. Tighten this in the places where these classes are
used for better readability.
Also reorder the character classes for KERNEL_VERSION_PATTERN and the
systemd-stub version to be the same order for clarity and escape the dash in
the latter, since the need to escape a dash in a character range is position
dependent.
postmarketos: Set up usrmerge in install() instead of setup()
We try to not touch the rootfs directory in setup() at all, so set
up merged /usr in install() instead like we do for debian. Additionally,
we also make sync() does not touch the rootfs either by having it operate
on a temporary directory instead of the real rootfs.
Clayton Craft [Wed, 4 Jun 2025 22:44:50 +0000 (15:44 -0700)]
Detect kernel ver from modules sub dir if unable to extract from filename
postmarketOS doesn't include the kernel version in the filename of the
kernel image. It would be cleaner to update kernel packages to make a
symlink for the kernel under /usr/lib/modules/<ver>, but this would be
difficult to implement in postmarketOS where we ship something like >400
kernel packages for a huge array of different devices / kernel versions.
Currently Alpine/pmOS only support having 1 kernel / version installed
at one time, so this fails if, for some reason, multiple kernel dirs
are found since there's no way to determine which one maps to the kernel
binary mkosi is using.
projects / thirdparty / mkosi.git / log
