[Distribution]
Distribution=${{ matrix.distro }}
Release=${{ matrix.release }}
- SecureBoot=yes
[Content]
Environment=CI_BUILD=1
- DEFAULT_TIMEOUT_SEC=90
+ DEFAULT_TIMEOUT_SEC=120
SLOW_TESTS=true
[Output]
ExtraSearchPaths=!*
EOF
+ # For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
+ # version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
+
+ mkdir -p mkosi.presets/20-final/mkosi.repart/10-usr.conf.d
+ tee mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
+ [Partition]
+ Format=squashfs
+ EOF
+
- name: Generate secure boot key
run: mkosi --debug genkey
- name: Boot ${{ matrix.distro }} systemd-nspawn
run: sudo mkosi --debug boot
- - name: Check ${{ matrix.distro }} systemd-nspawn
- run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
-
- name: Boot ${{ matrix.distro }} QEMU
run: timeout -k 30 10m mkosi --debug qemu
-
- - name: Check ${{ matrix.distro }} QEMU
- run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
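Review bot: Removing the `Check ${{ matrix.distro }} QEMU` step at the end of the hunk leaves the QEMU job with no visible way to learn the result of the in-guest check, so `timeout -k 30 10m mkosi --debug qemu` passes as long as the VM powers off within ten minutes. The exit-status propagation that replaces the old `/testok` probe (`SuccessAction=exit`/`FailureAction=exit` in the check unit) only reaches a container manager; outside a container `exit` is equivalent to poweroff, so a failing `mkosi-check-and-shutdown.sh` inside the VM would most likely just shut it down and the step would still succeed. Unless `mkosi qemu` is known to surface the guest's exit status (nothing in this hunk shows that), keep a post-boot check for the VM, e.g. `- name: Check ${{ matrix.distro }} QEMU` / `run: sudo mkosi --debug shell bash -c "[[ ! -s /failed-services ]]"`, or have the check unit publish its verdict through a channel the runner reads. The step list may continue outside the hunk.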
image for the host distro by default. Currently, the latest github commit is
required. `mkosi` also requires systemd v253 (unreleased) or newer. If systemd v253
is not available, `mkosi` will automatically use executables from the systemd build
-directory if it's executed from the systemd repository root directory. It is
-sufficient to type `mkosi` in the systemd project directory to generate a disk image
-you can boot either in `systemd-nspawn` or in a UEFI-capable VM:
+directory if it's executed from the systemd repository root directory. First, run
+`mkosi genkey` to generate a key and certificate to be used for secure boot and
+verity signing. After that is done, it is sufficient to type `mkosi` in the systemd
+project directory to generate a disk image you can boot either in `systemd-nspawn`
+or in a UEFI-capable VM:
```sh
$ sudo mkosi boot # nspawn still needs sudo for now
BuildDirectory=mkosi.builddir
CacheDirectory=mkosi.cache
+[Validation]
+SecureBoot=yes
+# Disabled until systemd-measure can operate without a TPM device.
+SignExpectedPcr=no
+
[Host]
QemuMem=2G
ExtraSearchPaths=build/
ip=enp0s1:any
# Make sure sulogin works even with a locked root account.
SYSTEMD_SULOGIN_FORCE=1
+ # Make sure /sysroot is mounted rw in the initrd.
+ rw
[Content]
Packages=
+ dmsetup
libfdisk1
libfido2-1
libglib2.0-0
[Content]
# We install gawk, gzip, grep, xz here explicitly so that the busybox versions don't get installed instead.
Packages=
+ device-mapper
gawk
grep
gzip
[Output]
# TODO: Switch to zstd once we stop building CentOS Stream 8.
CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
[Output]
CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
iproute
iproute-tc
kernel-core
+ kernel-modules # For squashfs support
libcap-ng-utils
netcat
openssh-server
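Review bot: The added `kernel-modules # For squashfs support` puts a trailing comment on a list entry, which is only safe if the mkosi config parser enables inline comment prefixes; otherwise the text becomes part of the package name and the install fails. The sibling file in this change documents a package list with a full-line comment above `Packages=` (the gawk/gzip/grep/xz note), so the same style is both safer and consistent: move the note to its own line, `# kernel-modules is needed for squashfs support` directly above `kernel-modules`. I could not confirm the parser's inline-comment handling from this hunk.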
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
[Content]
Packages=
- linux-virtual
+ # We would like to use linux-image-kvm but it does not have support for dm-verity
+ # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
+ linux-image-generic
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
[[ ! -s /failed-services ]]
-
-: >/testok
After=multi-user.target network-online.target
Requires=multi-user.target
Wants=systemd-resolved.service systemd-networkd.service network-online.target
-OnFailure=poweroff.target
-OnFailureJobMode=replace-irreversibly
+SuccessAction=exit
+FailureAction=exit
[Service]
Type=oneshot
-ExecStartPre=-rm -f /failed-services
ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
-ExecStartPost=systemctl poweroff --no-block
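Review bot: Dropping `ExecStartPre=-rm -f /failed-services` means a `/failed-services` left behind by an earlier boot of the same image is reported as a failure by `[[ ! -s /failed-services ]]` unless `mkosi-check-and-shutdown.sh` itself recreates the file before testing it; the script's body is outside this hunk, so this may already be handled. If it is not, keep the `ExecStartPre=-rm -f /failed-services` line or have the script write the file with `>` rather than appending. The new `SuccessAction=exit`/`FailureAction=exit` pair also deserves a comment, because it only conveys the result to a container manager while behaving like poweroff elsewhere: `# Exit the manager so systemd-nspawn sees the check script's exit status; in a VM this is a plain poweroff.`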
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
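Review bot: This usr partition definition does not say that `VerityMatchKey=usr` is what binds it to the separate `usr-verity` and `usr-verity-sig` definitions added in the same change, nor that `Format=erofs` is overridden to squashfs by per-distro drop-ins (the CentOS one here and the one the CI workflow writes into `10-usr.conf.d/`). A reader changing the key or the format in this file would not see that three files must stay in sync, and a mismatched `VerityMatchKey=` silently yields an unprotected /usr. Suggested header comment: `# Verity-protected /usr. VerityMatchKey= must match 11-usr-verity.conf and 12-usr-verity-sig.conf; drop-ins may override Format= (squashfs where erofs is unavailable).` — the drop-in file names are not visible here, so adjust them to the actual names.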
--- /dev/null
+[Partition]
+Format=squashfs
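Review bot: This new drop-in lacks the `# SPDX-License-Identifier: LGPL-2.1-or-later` header and the one-line rationale that every other new file in this change carries (compare the CentOS squashfs drop-in, which explains why erofs is not used). Because it appears to silently override `Format=erofs` from the base usr partition definition for whichever distribution it matches, state the reason and scope in the file: `# SPDX-License-Identifier: LGPL-2.1-or-later` followed by a comment along the lines of `# erofs is not usable on this distro, fall back to squashfs for the usr partition`. The Match= condition that selects this drop-in is not visible here, so confirm the wording against it.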
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr