Diffstat (limited to 'upstream/opensuse-tumbleweed/man1/mkosi.1')
-rw-r--r-- | upstream/opensuse-tumbleweed/man1/mkosi.1 | 606 |
1 files changed, 506 insertions, 100 deletions
diff --git a/upstream/opensuse-tumbleweed/man1/mkosi.1 b/upstream/opensuse-tumbleweed/man1/mkosi.1 index 66ac1b58..8e610b07 100644 --- a/upstream/opensuse-tumbleweed/man1/mkosi.1 +++ b/upstream/opensuse-tumbleweed/man1/mkosi.1 @@ -1,5 +1,5 @@ '\" t -.\" Automatically generated by Pandoc 3.1.11.1 +.\" Automatically generated by Pandoc 3.1.12.3 .\" .TH "mkosi" "1" "" "" "" .SH NAME @@ -15,6 +15,8 @@ mkosi \[em] Build Bespoke OS Images .PP \f[CR]mkosi [options\&...] qemu [qemu parameters\&...]\f[R] .PP +\f[CR]mkosi [options\&...] vmspawn [vmspawn settings\&...]\f[R] +.PP \f[CR]mkosi [options\&...] ssh [command line\&...]\f[R] .PP \f[CR]mkosi [options\&...] journalctl [command line\&...]\f[R] @@ -84,6 +86,15 @@ For cpio images a kernel can also be provided by passing the Any arguments specified after the \f[CR]qemu\f[R] verb are appended to the \f[CR]qemu\f[R] invocation. .TP +\f[CR]vmspawn\f[R] +Similar to \f[CR]boot\f[R], but uses \f[CR]systemd\-vmspawn\f[R] to boot +up the image, i.e. +instead of container virtualization virtual machine virtualization is +used. +This verb is only supported for disk and directory type images. +Any arguments specified after the \f[CR]vmspawn\f[R] verb are appended +to the \f[CR]systemd\-vmspawn\f[R] invocation. +.TP \f[CR]ssh\f[R] When the image is built with the \f[CR]Ssh=yes\f[R] option, this command connects to a booted virtual machine (\f[CR]qemu\f[R]) via SSH. @@ -192,7 +203,7 @@ project located in a specific directory. \f[CR]\-\-debug=\f[R] Enable additional debugging output. .TP -\f[CR]\-\-debug\-shell=\f[R] +\f[CR]\-\-debug\-shell\f[R] When executing a command in the image fails, mkosi will start an interactive shell in the image allowing further debugging. .TP 
@@ -318,20 +329,21 @@ the CLI. .PP To conditionally include configuration files, the \f[CR][Match]\f[R] section can be used. -Matches can use a pipe symbol (\f[CR]|\f[R]) after the equals sign -(\f[CR]\&...=|\&...\f[R]), which causes the match to become a triggering -match. +A \f[CR][Match]\f[R] section consists of invididual conditions. +Conditions can use a pipe symbol (\f[CR]|\f[R]) after the equals sign +(\f[CR]\&...=|\&...\f[R]), which causes the condition to become a +triggering condition. The config file will be included if the logical AND of all -non\-triggering matches and the logical OR of all triggering matches is -satisfied. -To negate the result of a match, prefix the argument with an exclamation -mark. +non\-triggering conditions and the logical OR of all triggering +conditions is satisfied. +To negate the result of a condition, prefix the argument with an +exclamation mark. If an argument is prefixed with the pipe symbol and an exclamation mark, the pipe symbol must be passed first, and the exclamation second. .PP -Note that \f[CR][Match]\f[R] settings match against the current values -of specific settings, and do not take into account changes made to the -setting in configuration files that have not been parsed yet. +Note that \f[CR][Match]\f[R] conditions compare against the current +values of specific settings, and do not take into account changes made +to the setting in configuration files that have not been parsed yet. Also note that matching against a setting and then changing its value afterwards in a different config file may lead to unexpected results. .PP 
@@ -344,7 +356,7 @@ The \f[CR][Match]\f[R] sections of files in \f[CR]mkosi.conf.d/\f[R] and If there are multiple \f[CR][Match]\f[R] sections in the same configuration file, each of them has to be satisfied in order for the configuration file to be included. -Specifically, triggering matches only apply to the current +Specifically, triggering conditions only apply to the current \f[CR][Match]\f[R] section and are reset between multiple \f[CR][Match]\f[R] sections. As an example, the following will only match if the output format is one 
@@ -352,13 +364,44 @@ of \f[CR]disk\f[R] or \f[CR]directory\f[R] and the architecture is one of \f[CR]x86\-64\f[R] or \f[CR]arm64\f[R]: .IP .EX -[Match] -Format=|disk -Format=|directory +\f[B][Match]\f[R] +Format=\f[B]|\f[R]disk +Format=\f[B]|\f[R]directory + +\f[B][Match]\f[R] +Architecture=\f[B]|\f[R]x86\-64 +Architecture=\f[B]|\f[R]arm64 +.EE +.PP +The \f[CR][TriggerMatch]\f[R] section can be used to indicate triggering +match sections. +These are identical to triggering conditions except they apply to the +entire match section instead of just a single condition. +As an example, the following will match if the distribution is +\f[CR]debian\f[R] and the release is \f[CR]bookworm\f[R] or if the +distribution is \f[CR]ubuntu\f[R] and the release is \f[CR]focal\f[R]. +.IP +.EX +\f[B][TriggerMatch]\f[R] +Distribution=debian +Release=bookworm -[Match] -Architecture=|x86\-64 -Architecture=|arm64 +\f[B][TriggerMatch]\f[R] +Distribution=ubuntu +Release=focal +.EE +.PP +The semantics of conditions in \f[CR][TriggerMatch]\f[R] sections is the +same as in \f[CR][Match]\f[R], i.e.\ all normal conditions are joined by +a logical AND and all triggering conditions are joined by a logical OR. +When mixing \f[CR][Match]\f[R] and \f[CR][TriggerMatch]\f[R] sections, a +match is achieved when all \f[CR][Match]\f[R] sections match and at +least one \f[CR][TriggerMatch]\f[R] section matches. +No match sections are valued as true. +Logically this means: +.IP +.EX +(⋀ᵢ Matchᵢ) ∧ (⋁ᵢ TriggerMatchᵢ) .EE .PP Command line options that take no argument are shown without @@ -431,14 +474,14 @@ target path. For example, if we have a \f[CR]mkosi.conf\f[R] file containing: .IP .EX -[Content] -BuildSources=../abc/qed:kernel +\f[B][Content]\f[R] +BuildSources=..\f[B]/\f[R]abc\f[B]/\f[R]qed\f[B]:\f[R]kernel .EE .PP and a drop\-in containing: .IP .EX -[Match] +\f[B][Match]\f[R] BuildSources=kernel .EE .TP 
@@ -590,6 +633,12 @@ which case the configuration is included after parsing all the other configuration files. Note that each path containing extra configuration is only parsed once, even if included more than once with \f[CR]Include=\f[R]. +The builtin configs for the mkosi default initrd and default tools tree +can be included by including the literal value \f[CR]mkosi\-initrd\f[R] +and \f[CR]mkosi\-tools\f[R] respectively. +Note: Include names starting with either of the literals +\f[CR]mkosi\-\f[R] or \f[CR]contrib\-\f[R] are reserved for use by mkosi +itself. .TP \f[CR]InitrdInclude=\f[R], \f[CR]\-\-initrd\-include=\f[R] Same as \f[CR]Include=\f[R], but the extra configuration files or @@ -764,10 +813,15 @@ This can be used to enable the EPEL repos for CentOS or different components of the Debian/Ubuntu repositories. .TP \f[CR]CacheOnly=\f[R], \f[CR]\-\-cache\-only=\f[R] -If specified, the package manager is instructed not to contact the -network for updating package data. +Takes one of \f[CR]none\f[R], \f[CR]metadata\f[R] or \f[CR]always\f[R]. +If \f[CR]always\f[R], the package manager is instructed not to contact +the network. This provides a minimal level of reproducibility, as long as the package cache is already fully populated. +If set to \f[CR]metadata\f[R], the package manager can still download +packages, but we won\[cq]t sync the repository metadata. +If set to \f[CR]none\f[R], the repository metadata is synced and +packages can be downloaded during the build. .TP \f[CR]PackageManagerTrees=\f[R], \f[CR]\-\-package\-manager\-tree=\f[R] This option mirrors the above \f[CR]SkeletonTrees=\f[R] option and 
@@ -848,6 +902,11 @@ This also means that the \f[CR]shell\f[R], \f[CR]boot\f[R], Implied for \f[CR]tar\f[R], \f[CR]cpio\f[R], \f[CR]uki\f[R], and \f[CR]esp\f[R]. .TP +\f[CR]CompressLevel=\f[R], \f[CR]\-\-compress\-level=\f[R] +Configure the compression level to use. +Takes an integer. +The possible values depend on the compression being used. +.TP \f[CR]OutputDirectory=\f[R], \f[CR]\-\-output\-dir=\f[R], \f[CR]\-O\f[R] Path to a directory where to place all generated artifacts. If this is not specified and the directory \f[CR]mkosi.output/\f[R] @@ -867,11 +926,18 @@ an \f[CR]mkosi\f[R] invocation be aborted abnormally (for example, due to reboot/power failure). .TP \f[CR]CacheDirectory=\f[R], \f[CR]\-\-cache\-dir=\f[R] -Takes a path to a directory to use as package cache for the distribution -package manager used. +Takes a path to a directory to use as the incremental cache directory +for the incremental images produced when the \f[CR]Incremental=\f[R] +option is enabled. If this option is not used, but a \f[CR]mkosi.cache/\f[R] directory is found in the local directory it is automatically used for this purpose. .TP +\f[CR]PackageCacheDirectory=\f[R], \f[CR]\-\-package\-cache\-dir\f[R] +Takes a path to a directory to use as the package cache directory for +the distribution package manager used. +If unset, a suitable directory in the user\[cq]s home directory or +system is used. +.TP \f[CR]BuildDirectory=\f[R], \f[CR]\-\-build\-dir=\f[R] Takes a path to a directory to use as the build directory for build systems that support out\-of\-tree builds (such as Meson). @@ -920,8 +986,7 @@ If specified and building a disk image, pass \f[CR]\-\-split=yes\f[R] to systemd\-repart to have it write out split partition files for each configured partition. Read the \c -.UR -https://www.freedesktop.org/software/systemd/man/systemd-repart.html#--split=BOOL +.UR https://www.freedesktop.org/software/systemd/man/systemd-repart.html#--split=BOOL man .UE \c \ page for more information. 
@@ -993,8 +1058,7 @@ subvolumes are ignored. \f[CR]Seed=\f[R], \f[CR]\-\-seed=\f[R] Takes a UUID as argument or the special value \f[CR]random\f[R]. Overrides the seed that \c -.UR -https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html +.UR https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html \f[CR]systemd\-repart(8)\f[R] .UE \c \ uses when building a disk image. @@ -1046,11 +1110,11 @@ that provides \f[CR]/usr/bin/ld\f[R], the packages in the .EX Packages=meson libfdisk\-devel.i686 - git\-* - prebuilt/rpms/systemd\-249\-rc1.local.rpm - /usr/bin/ld - \[at]development\-tools - python3dist(mypy) + git\-\f[B]*\f[R] + prebuilt\f[B]/\f[R]rpms\f[B]/\f[R]systemd\-249\-rc1.local.rpm + \f[B]/\f[R]usr\f[B]/\f[R]bin\f[B]/\f[R]ld + \f[B]\[at]\f[R]development\-tools + python3dist\f[B](\f[R]mypy\f[B])\f[R] .EE .PP : Note that since mkosi runs in a sandbox with most of the host files @@ -1061,8 +1125,8 @@ For example, let\[cq]s say we have a local package located at directory, then we\[cq]d be able to install it as follows: .IP .EX -BuildSources=../my\-packages:my\-packages\-in\-sandbox -Packages=my\-packages\-in\-sandbox/abc.rpm +BuildSources=..\f[B]/\f[R]my\-packages\f[B]:\f[R]my\-packages\-in\-sandbox +Packages=my\-packages\-in\-sandbox\f[B]/\f[R]abc.rpm .EE .TP \f[CR]BuildPackages=\f[R], \f[CR]\-\-build\-package=\f[R] @@ -1110,7 +1174,8 @@ scratch. Only extra packages are installed on top of the ones already installed in the base trees. Note that for this to work properly, the base image still needs to -contain the package manager metadata (see +contain the package manager metadata by setting +\f[CR]CleanPackageMetadata=no\f[R] (see \f[CR]CleanPackageMetadata=\f[R]). Instead of a directory, a tar file or a disk image may be provided. In this case it is unpacked into the OS tree. 
@@ -1172,13 +1237,18 @@ Takes a comma\-separated list of globs. Files in the image matching the globs will be purged at the end. .TP \f[CR]CleanPackageMetadata=\f[R], \f[CR]\-\-clean\-package\-metadata=\f[R] -Enable/disable removal of package manager databases at the end of -installation. +Enable/disable removal of package manager databases and repository +metadata at the end of installation. Can be specified as \f[CR]true\f[R], \f[CR]false\f[R], or \f[CR]auto\f[R] (the default). -With \f[CR]auto\f[R], files will be removed if the respective package -manager executable is \f[I]not\f[R] present at the end of the -installation. +With \f[CR]auto\f[R], package manager databases and repository metadata +will be removed if the respective package manager executable is +\f[I]not\f[R] present at the end of the installation. +.TP +\f[CR]SyncScripts=\f[R], \f[CR]\-\-sync\-script=\f[R] +Takes a comma\-separated list of paths to executables that are used as +the sync scripts for this image. +See the \f[B]Scripts\f[R] section for more information. .TP \f[CR]PrepareScripts=\f[R], \f[CR]\-\-prepare\-script=\f[R] Takes a comma\-separated list of paths to executables that are used as @@ -1218,7 +1288,7 @@ Disabled by default. Configures whether changes to source directories (The working directory and configured using \f[CR]BuildSources=\f[R]) are persisted. If enabled, all source directories will be reset to their original state -after scripts finish executing. +after scripts (except sync scripts) finish executing. .TP \f[CR]Environment=\f[R], \f[CR]\-\-environment=\f[R] Adds variables to the environment that package managers and the 
@@ -1338,6 +1408,25 @@ binaries again. Note that this option only takes effect when an image that is bootable on UEFI firmware is requested using other options (\f[CR]Bootable=\f[R], \f[CR]Bootloader=\f[R]). +Note that when this option is enabled, mkosi will only install already +signed bootloader binaries, kernel image files and unified kernel images +as self\-signed binaries would not be accepted by the signed version of +shim. +.TP +\f[CR]UnifiedKernelImages=\f[R], \f[CR]\-\-unified\-kernel\-images=\f[R] +Specifies whether to use unified kernel images or not when +\f[CR]Bootloader=\f[R] is set to \f[CR]systemd\-boot\f[R] or +\f[CR]grub\f[R]. +Takes a boolean value or \f[CR]auto\f[R]. +Defaults to \f[CR]auto\f[R]. +If enabled, unified kernel images are always used and the build will +fail if any components required to build unified kernel images are +missing. +If set to \f[CR]auto\f[R], unified kernel images will be used if all +necessary components are available. +Otherwise Type 1 entries as defined by the Boot Loader Specification +will be used instead. +If disabled, Type 1 entries will always be used. .TP \f[CR]Initrds=\f[R], \f[CR]\-\-initrd\f[R] Use user\-provided initrd(s). 
@@ -1353,8 +1442,16 @@ Takes a comma separated list of package specifications. This option may be used multiple times in which case the specified package lists are combined. .TP +\f[CR]MicrocodeHost=\f[R], \f[CR]\-\-microcode\-host=\f[R] +When set to true only include microcode for the host\[cq]s CPU in the +image. +.TP \f[CR]KernelCommandLine=\f[R], \f[CR]\-\-kernel\-command\-line=\f[R] Use the specified kernel command line when building images. +Defaults to \f[CR]console=ttyS0\f[R]. +For \f[CR]arm\f[R], \f[CR]s390\f[R] and \f[CR]ppc\f[R], \f[CR]ttyS0\f[R] +is replaced with \f[CR]ttyAMA0\f[R], \f[CR]ttysclp0\f[R] or +\f[CR]hvc0\f[R], respectively. .TP \f[CR]KernelModulesInclude=\f[R], \f[CR]\-\-kernel\-modules\-include=\f[R] Takes a list of regex patterns that specify kernel modules to include in @@ -1419,8 +1516,7 @@ The settings \f[CR]Locale=\f[R], \f[CR]\-\-locale=\f[R], \f[CR]\-\-root\-shell=\f[R] correspond to the identically named systemd\-firstboot options. See the systemd firstboot \c -.UR -https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html +.UR https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html manpage .UE \c \ for more information. 
@@ -1503,7 +1599,14 @@ Defaults to \f[CR]yes\f[R]. .TP \f[CR]SecureBootKey=\f[R], \f[CR]\-\-secure\-boot\-key=\f[R] Path to the PEM file containing the secret key for signing the UEFI -kernel image, if \f[CR]SecureBoot=\f[R] is used. +kernel image if \f[CR]SecureBoot=\f[R] is used and PCR signatures when +\f[CR]SignExpectedPcr=\f[R] is also used. +When \f[CR]SecureBootKeySource=\f[R] is specified, the input type +depends on the source. +.TP +\f[CR]SecureBootKeySource=\f[R], \f[CR]\-\-secure\-boot\-key\-source=\f[R] +Source of \f[CR]SecureBootKey=\f[R], to support OpenSSL engines. +E.g.: \f[CR]\-\-secure\-boot\-key\-source=engine:pkcs11\f[R] .TP \f[CR]SecureBootCertificate=\f[R], \f[CR]\-\-secure\-boot\-certificate=\f[R] Path to the X.509 file containing the certificate for the signed UEFI @@ -1520,6 +1623,12 @@ available, with sbsign being preferred if both are installed. Path to the PEM file containing the secret key for signing the verity signature, if a verity signature partition is added with systemd\-repart. +When \f[CR]VerityKeySource=\f[R] is specified, the input type depends on +the source. +.TP +\f[CR]VerityKeySource=\f[R], \f[CR]\-\-verity\-key\-source=\f[R] +Source of \f[CR]VerityKey=\f[R], to support OpenSSL engines. +E.g.: \f[CR]\-\-verity\-key\-source=engine:pkcs11\f[R] .TP \f[CR]VerityCertificate=\f[R], \f[CR]\-\-verity\-certificate=\f[R] Path to the X.509 file containing the certificate for signing the verity @@ -1533,6 +1642,8 @@ kernel image. This option takes a boolean value or the special value \f[CR]auto\f[R], which is the default, which is equal to a true value if the \f[CR]systemd\-measure\f[R] binary is in \f[CR]PATH\f[R]. +Depends on \f[CR]SecureBoot=\f[R] being enabled and key from +\f[CR]SecureBootKey=\f[R]. .TP \f[CR]Passphrase=\f[R], \f[CR]\-\-passphrase\f[R] Specify the path to a file containing the passphrase to use for LUKS 
@@ -1642,37 +1753,37 @@ Defaults to \f[CR]no\f[R]. \f[CR]QemuFirmware=\f[R], \f[CR]\-\-qemu\-firmware=\f[R] When used with the \f[CR]qemu\f[R] verb, this option specifies which firmware to use. -Takes one of \f[CR]uefi\f[R], \f[CR]bios\f[R], \f[CR]linux\f[R], or -\f[CR]auto\f[R]. +Takes one of \f[CR]uefi\f[R], \f[CR]uefi\-secure\-boot\f[R], +\f[CR]bios\f[R], \f[CR]linux\f[R], or \f[CR]auto\f[R]. Defaults to \f[CR]auto\f[R]. -When set to \f[CR]uefi\f[R], the OVMF firmware is used. +When set to \f[CR]uefi\f[R], the OVMF firmware without secure boot +support is used. +When set to \f[CR]uefi\-secure\-boot\f[R], the OVMF firmware with secure +boot support is used. When set to \f[CR]bios\f[R], the default SeaBIOS firmware is used. When set to \f[CR]linux\f[R], direct kernel boot is used. See the \f[CR]QemuKernel=\f[R] option for more details on which kernel image is used with direct kernel boot. -When set to \f[CR]auto\f[R], \f[CR]linux\f[R] is used if a cpio image is -being booted, \f[CR]uefi\f[R] otherwise. +When set to \f[CR]auto\f[R], \f[CR]uefi\-secure\-boot\f[R] is used if +possible and \f[CR]linux\f[R] otherwise. .TP \f[CR]QemuFirmwareVariables=\f[R], \f[CR]\-\-qemu\-firmware\-variables=\f[R] When used with the \f[CR]qemu\f[R] verb, this option specifies the path to the the firmware variables file to use. Currently, this option is only taken into account when the -\f[CR]uefi\f[R] firmware is used. +\f[CR]uefi\f[R] or \f[CR]uefi\-secure\-boot\f[R] firmware is used. If not specified, mkosi will search for the default variables file and use that instead. +When set to \f[CR]microsoft\f[R], a firmware variables file with the +Microsoft secure boot certificates already enrolled will be used. +When set to \f[CR]custom\f[R], the secure boot certificate from +\f[CR]SecureBootCertificate=\f[R] will be enrolled into the default +firmware variables file. 
\f[CR]virt\-fw\-vars\f[R] from the \c .UR https://gitlab.com/kraxel/virt-firmware virt\-firmware .UE \c \ project can be used to customize OVMF variable files. -Some distributions also provide variable files which already have -Microsoft\[cq]s certificates for secure boot enrolled. -For Fedora and Debian these are \f[CR]OVMF_VARS.secboot.fd\f[R] and -\f[CR]OVMF_VARS_4M.ms.fd\f[R] under \f[CR]/usr/share/OVMF\f[R] -respectively. -You can use \f[CR]locate\f[R] and look under -\f[CR]/usr/share/qemu/firmware\f[R] for hints on where to find these -files if your distribution ships them. .TP \f[CR]QemuKernel=\f[R], \f[CR]\-\-qemu\-kernel=\f[R] Set the kernel image to use for qemu direct kernel boot. @@ -1700,8 +1811,17 @@ respectively. \f[CR]directory\f[R] optionally specifies the directory in which to create the file backing the drive. \f[CR]options\f[R] optionally specifies extra comma\-delimited -properties which are passed verbatime to qemu\[cq]s \f[CR]\-drive\f[R] +properties which are passed verbatim to qemu\[cq]s \f[CR]\-drive\f[R] option. +Example usage: +.IP +.EX +\f[B][Host]\f[R] +QemuDrives=btrfs\f[B]:\f[R]10G + ext4\f[B]:\f[R]20G +QemuArgs=\-device nvme\f[B],\f[R]serial=btrfs\f[B],\f[R]drive=btrfs + \-device nvme\f[B],\f[R]serial=ext4\f[B],\f[R]drive=ext4 +.EE .TP \f[CR]QemuArgs=\f[R] Space\-delimited list of additional arguments to pass when invoking @@ -1737,8 +1857,8 @@ directories that allow the user running mkosi to remove them without needing privileges. .TP \f[CR]ToolsTree=\f[R], \f[CR]\-\-tools\-tree=\f[R] -If specified, programs executed by mkosi are looked up inside the given -tree instead of in the host system. +If specified, programs executed by mkosi to build and boot an image are +looked up inside the given tree instead of in the host system. Use this option to make image builds more reproducible by always using the same versions of programs to build the final image instead of whatever version is installed on the host system. 
@@ -1774,6 +1894,21 @@ openSUSE T} _ T{ +\f[CR]acl\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ \f[CR]apt\f[R] T}@T{ X @@ -1801,6 +1936,21 @@ X T}@T{ T} T{ +\f[CR]attr\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ \f[CR]bash\f[R] T}@T{ X @@ -2052,6 +2202,66 @@ T}@T{ X T} T{ +\f[CR]findutils\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]git\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]grep\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]jq\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ \f[CR]kmod\f[R] T}@T{ X @@ -2142,6 +2352,21 @@ T}@T{ X T} T{ +\f[CR]sed\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ \f[CR]pacman\f[R] T}@T{ X @@ -2359,6 +2584,18 @@ T}@T{ X T} T{ +\f[CR]virt\-firmware\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +T}@T{ +T}@T{ +X +T}@T{ +T} +T{ \f[CR]xfsprogs\f[R] T}@T{ X @@ -2433,6 +2670,12 @@ is used. Set the mirror to use for the default tools tree. By default, the default mirror for the tools tree distribution is used. .TP +\f[CR]ToolsTreeRepositories=\f[R], \f[CR]\-\-tools\-tree\-repository\f[R] +Same as \f[CR]Repositories=\f[R] but for the default tools tree. +.TP +\f[CR]ToolsTreePackageManagerTrees=\f[R], \f[CR]\-\-tools\-tree\-package\-manager\-tree=\f[R] +Same as \f[CR]PackageManagerTrees=\f[R] but for the default tools tree. +.TP \f[CR]ToolsTreePackages=\f[R], \f[CR]\-\-tools\-tree\-packages=\f[R] Extra packages to install into the default tools tree. Takes a comma separated list of package specifications. 
@@ -2474,6 +2717,22 @@ If enabled, practically unlimited scratch space is made available under Note that using this feature with \f[CR]mkosi qemu\f[R] requires systemd v254 or newer in the guest. .TP +\f[CR]RuntimeNetwork=\f[R]: \f[CR]\-\-runtime\-network=\f[R] +Takes one of \f[CR]user\f[R], \f[CR]interface\f[R] or \f[CR]none\f[R]. +Defaults to \f[CR]user\f[R]. +Specifies the networking to set up when booting the image. +\f[CR]user\f[R] sets up usermode networking. +\f[CR]interface\f[R] sets up a virtual network connection between the +host and the image. +This translates to a veth interface for \f[CR]mkosi shell\f[R] and +\f[CR]mkosi boot\f[R] and a tap interface for \f[CR]mkosi qemu\f[R] and +\f[CR]mkosi vmspawn\f[R]. +Note that when using \f[CR]interface\f[R], mkosi does not automatically +configure the host interface. +It is expected that a recent version of \f[CR]systemd\-networkd\f[R] is +running on the host which will automatically configure the host +interface of the link. +.TP \f[CR]SshKey=\f[R], \f[CR]\-\-ssh\-key=\f[R] Path to the X509 private key in PEM format to use to connect to a virtual machine started with \f[CR]mkosi qemu\f[R] and built with the @@ -2575,10 +2834,6 @@ distributions: .IP \[bu] 2 \f[I]Alma Linux\f[R] .IP \[bu] 2 -\f[I]Gentoo\f[R] (\f[B]Gentoo is experimental and unsupported. -We make no guarantee that it will work at all and the core maintainers -will generally not fix gentoo specific issues\f[R]) -.IP \[bu] 2 \f[I]None\f[R] (\f[B]Requires the user to provide a pre\-built rootfs\f[R]) .PP 
@@ -2646,61 +2901,67 @@ Then, for each image, we execute the following steps: .IP " 1." 4 Copy package manager trees into the workspace .IP " 2." 4 -Copy base trees (\f[CR]\-\-base\-tree=\f[R]) into the image +Sync the package manager repository metadata .IP " 3." 4 -Copy skeleton trees (\f[CR]mkosi.skeleton\f[R]) into image +Copy base trees (\f[CR]\-\-base\-tree=\f[R]) into the image .IP " 4." 4 -Install distribution and packages into image or use cache tree if -available +Reuse a cached image if one is available .IP " 5." 4 +Copy a snapshot of the package manager repository metadata into the +image +.IP " 6." 4 +Copy skeleton trees (\f[CR]mkosi.skeleton\f[R]) into image +.IP " 7." 4 +Install distribution and packages into image +.IP " 8." 4 Run prepare scripts on image with the \f[CR]final\f[R] argument (\f[CR]mkosi.prepare\f[R]) -.IP " 6." 4 +.IP " 9." 4 Install build packages in overlay if any build scripts are configured -.IP " 7." 4 +.IP "10." 4 Run prepare scripts on overlay with the \f[CR]build\f[R] argument if any build scripts are configured (\f[CR]mkosi.prepare\f[R]) -.IP " 8." 4 +.IP "11." 4 Cache the image if configured (\f[CR]\-\-incremental\f[R]) -.IP " 9." 4 +.IP "12." 4 Run build scripts on image + overlay if any build scripts are configured (\f[CR]mkosi.build\f[R]) -.IP "10." 4 +.IP "13." 4 Finalize the build if the output format \f[CR]none\f[R] is configured -.IP "11." 4 +.IP "14." 4 Copy the build scripts outputs into the image -.IP "12." 4 +.IP "15." 4 Copy the extra trees into the image (\f[CR]mkosi.extra\f[R]) -.IP "13." 4 +.IP "16." 4 Run post\-install scripts (\f[CR]mkosi.postinst\f[R]) -.IP "14." 4 +.IP "17." 4 Write config files required for \f[CR]Ssh=\f[R], \f[CR]Autologin=\f[R] and \f[CR]MakeInitrd=\f[R] -.IP "15." 4 +.IP "18." 4 Install systemd\-boot and configure secure boot if configured (\f[CR]\-\-secure\-boot\f[R]) -.IP "16." 4 +.IP "19." 4 Run \f[CR]systemd\-sysusers\f[R] -.IP "17." 4 +.IP "20." 
4 Run \f[CR]systemd\-tmpfiles\f[R] -.IP "18." 4 +.IP "21." 4 Run \f[CR]systemctl preset\-all\f[R] -.IP "19." 4 +.IP "22." 4 Run \f[CR]depmod\f[R] -.IP "20." 4 +.IP "23." 4 Run \f[CR]systemd\-firstboot\f[R] -.IP "21." 4 +.IP "24." 4 Run \f[CR]systemd\-hwdb\f[R] -.IP "22." 4 +.IP "25." 4 Remove packages and files (\f[CR]RemovePackages=\f[R], \f[CR]RemoveFiles=\f[R]) -.IP "23." 4 +.IP "26." 4 Run SELinux relabel is a SELinux policy is installed -.IP "24." 4 +.IP "27." 4 Run finalize scripts (\f[CR]mkosi.finalize\f[R]) -.IP "25." 4 +.IP "28." 4 Generate unified kernel image if configured to do so -.IP "26." 4 +.IP "29." 4 Generate final output format .SH Scripts To allow for image customization that cannot be implemented using @@ -2717,6 +2978,16 @@ in the current working directory. \f[CR]$SRCDIR\f[R] is set to point to the current working directory. The following scripts are supported: .IP \[bu] 2 +If \f[B]\f[CB]mkosi.sync\f[B]\f[R] (\f[CR]SyncScripts=\f[R]) exists, it +is executed before the image is built. +This script may be used to update various sources that are used to build +the image. +One use case is to run \f[CR]git pull\f[R] on various source +repositories before building the image. +Specifically, the \f[CR]BuildSourcesEphemeral=\f[R] setting does not +apply to sync scripts, which means sync scripts can be used to update +build sources even if \f[CR]BuildSourcesEphemeral=\f[R] is enabled. +.IP \[bu] 2 If \f[B]\f[CB]mkosi.prepare\f[B]\f[R] (\f[CR]PrepareScripts=\f[R]) exists, it is first called with the \f[CR]final\f[R] argument, right after the software packages are installed. 
@@ -2771,6 +3042,18 @@ architecture of the host machine. See the documentation of \f[CR]Architecture=\f[R] for possible values for this variable. .IP \[bu] 2 +\f[CR]$DISTRIBUTION\f[R] contains the distribution from the +\f[CR]Distribution=\f[R] setting. +.IP \[bu] 2 +\f[CR]$RELEASE\f[R] contains the release from the \f[CR]Release=\f[R] +setting. +.IP \[bu] 2 +\f[CR]$PROFILE\f[R] contains the profile from the \f[CR]Profile=\f[R] +setting. +.IP \[bu] 2 +\f[CR]$CACHED=\f[R] is set to \f[CR]1\f[R] if a cached image is +available, \f[CR]0\f[R] otherwise. +.IP \[bu] 2 \f[CR]$CHROOT_SCRIPT\f[R] contains the path to the running script relative to the image root directory. The primary usecase for this variable is in combination with the @@ -2846,16 +3129,23 @@ in the user namespace that mkosi is running in. These can be used in combination with \f[CR]setpriv\f[R] to run commands as the user that invoked mkosi (e.g. \f[CR]setpriv \-\-reuid=$MKOSI_UID \-\-regid=$MKOSI_GID \-\-clear\-groups <command>\f[R]) +.IP \[bu] 2 +\f[CR]$MKOSI_CONFIG\f[R] is a file containing a json summary of the +settings of the current image. +This file can be parsed inside scripts to gain access to all settings +for the current image. .PP Consult this table for which script receives which environment variables: .PP .TS tab(@); -lw(16.5n) lw(13.4n) lw(11.8n) lw(14.2n) lw(14.2n). +lw(14.3n) lw(9.5n) lw(11.6n) lw(10.2n) lw(12.2n) lw(12.2n). T{ Variable T}@T{ +\f[CR]mkosi.sync\f[R] +T}@T{ \f[CR]mkosi.prepare\f[R] T}@T{ \f[CR]mkosi.build\f[R] @@ -2866,7 +3156,9 @@ T}@T{ T} _ T{ -\f[CR]$CHROOT_SCRIPT\f[R] +\f[CR]ARCHITECTURE\f[R] +T}@T{ +X T}@T{ X T}@T{ 
@@ -2877,7 +3169,69 @@ T}@T{ X T} T{ -\f[CR]$SRCDIR\f[R] +\f[CR]DISTRIBUTION\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]RELEASE\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]PROFILE\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]CACHED\f[R] +T}@T{ +X +T}@T{ +T}@T{ +T}@T{ +T}@T{ +T} +T{ +\f[CR]CHROOT_SCRIPT\f[R] +T}@T{ +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T} +T{ +\f[CR]SRCDIR\f[R] +T}@T{ +X T}@T{ X T}@T{ @@ -2890,6 +3244,7 @@ T} T{ \f[CR]CHROOT_SRCDIR\f[R] T}@T{ +T}@T{ X T}@T{ X @@ -2899,7 +3254,8 @@ T}@T{ X T} T{ -\f[CR]$BUILDDIR\f[R] +\f[CR]BUILDDIR\f[R] +T}@T{ T}@T{ T}@T{ X @@ -2910,6 +3266,7 @@ T{ \f[CR]CHROOT_BUILDDIR\f[R] T}@T{ T}@T{ +T}@T{ X T}@T{ T}@T{ @@ -2918,6 +3275,7 @@ T{ \f[CR]DESTDIR\f[R] T}@T{ T}@T{ +T}@T{ X T}@T{ T}@T{ @@ -2926,12 +3284,14 @@ T{ \f[CR]CHROOT_DESTDIR\f[R] T}@T{ T}@T{ +T}@T{ X T}@T{ T}@T{ T} T{ -\f[CR]$OUTPUTDIR\f[R] +\f[CR]OUTPUTDIR\f[R] +T}@T{ T}@T{ T}@T{ X @@ -2944,6 +3304,7 @@ T{ \f[CR]CHROOT_OUTPUTDIR\f[R] T}@T{ T}@T{ +T}@T{ X T}@T{ X @@ -2951,7 +3312,8 @@ T}@T{ X T} T{ -\f[CR]$BUILDROOT\f[R] +\f[CR]BUILDROOT\f[R] +T}@T{ T}@T{ X T}@T{ @@ -2964,6 +3326,7 @@ T} T{ \f[CR]WITH_DOCS\f[R] T}@T{ +T}@T{ X T}@T{ X @@ -2973,6 +3336,7 @@ T} T{ \f[CR]WITH_TESTS\f[R] T}@T{ +T}@T{ X T}@T{ X @@ -2982,6 +3346,7 @@ T} T{ \f[CR]WITH_NETWORK\f[R] T}@T{ +T}@T{ X T}@T{ X @@ -2991,6 +3356,7 @@ T} T{ \f[CR]SOURCE_DATE_EPOCH\f[R] T}@T{ +T}@T{ X T}@T{ X @@ -3009,6 +3375,8 @@ T}@T{ X T}@T{ X +T}@T{ +X T} T{ \f[CR]MKOSI_GID\f[R] @@ -3020,6 +3388,21 @@ T}@T{ X T}@T{ X +T}@T{ +X +T} +T{ +\f[CR]MKOSI_CONFIG\f[R] +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X +T}@T{ +X T} .TE .PP 
@@ -3062,6 +3445,13 @@ image\[cq]s root directory with the configuration supplied by the user instead of on the host system. This means that from a script, you can do e.g.\ \f[CR]dnf install vim\f[R] to install vim into the image. +.RS 2 +.PP +Additionally, \f[CR]mkosi\-install\f[R], \f[CR]mkosi\-reinstall\f[R], +\f[CR]mkosi\-upgrade\f[R] and \f[CR]mkosi\-remove\f[R] will invoke the +corresponding operation of the package manager being used to built the +image. +.RE .IP \[bu] 2 \f[CR]mkosi\-as\-caller\f[R]: This script uses \f[CR]setpriv\f[R] to switch from the user \f[CR]root\f[R] in the user namespace used for @@ -3482,7 +3872,7 @@ dependencies. For example, on \f[I]Fedora Linux\f[R] you need: .IP .EX -# dnf install bubblewrap btrfs\-progs apt dosfstools mtools edk2\-ovmf e2fsprogs squashfs\-tools gnupg python3 tar xfsprogs xz zypper sbsigntools +\f[I]# dnf install bubblewrap btrfs\-progs apt dosfstools mtools edk2\-ovmf e2fsprogs squashfs\-tools gnupg python3 tar xfsprogs xz zypper sbsigntools\f[R] .EE .PP On Debian/Ubuntu it might be necessary to install the @@ -3495,6 +3885,7 @@ Note that the minimum required Python version is 3.9. .SH Frequently Asked Questions (FAQ) .IP \[bu] 2 Why does \f[CR]mkosi qemu\f[R] with KVM not work on Debian/Ubuntu? +.RS 2 .PP While other distributions are OK with allowing access to \f[CR]/dev/kvm\f[R], on Debian/Ubuntu this is only allowed for users in 
@@ -3510,6 +3901,21 @@ To persist these settings across reboots, copy \f[CR]/usr/lib/tmpfiles.d/static\-nodes\-permissions.conf\f[R] to \f[CR]/etc/tmpfiles.d/static\-nodes\-permissions.conf\f[R] and change the mode of \f[CR]/dev/kvm\f[R] from \f[CR]0660\f[R] to \f[CR]0666\f[R]. +.RE +.IP \[bu] 2 +How do I add a regular user to an image? +.RS 2 +.PP +You can use the following snippet in a post\-installation script: +.IP +.EX +useradd \-\-create\-home \-\-user\-group $USER \-\-password \[dq]$(openssl passwd \-stdin \-6 <$USER_PASSWORD_FILE)\[dq] +.EE +.PP +Note that from systemd v256 onwards, if enabled, +\f[CR]systemd\-homed\-firstboot.service\f[R] will prompt to create a +regular user on first boot if there are no regular users. +.RE .SH REFERENCES .IP \[bu] 2 \c |
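Review bot: in the new vmspawn verb (hunk at -84,6), "instead of container virtualization virtual machine virtualization is used" needs a comma after "container virtualization", and the sentence is otherwise a copy of the qemu wording; since vmspawn is described as "Similar to boot", say directly what differs from `boot` (virtual machine instead of container) rather than repeating the qemu text.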
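Review bot: typo in the rewritten [Match] description (hunk at -318,20): "A [Match] section consists of invididual conditions." should read "individual".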
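Review bot: the formula "(⋀ᵢ Matchᵢ) ∧ (⋁ᵢ TriggerMatchᵢ)" in the [TriggerMatch] hunk (-352,13) contradicts the sentence before it, "No match sections are valued as true.": with no [TriggerMatch] sections the disjunction is empty and therefore false, so as written a file with only [Match] sections would never match. State the vacuous case explicitly, e.g. "If there are no [TriggerMatch] sections, the disjunction is treated as true", and reword the sentence itself, which currently reads as if sections named "No" existed. Two smaller points in the same hunk: "The semantics of conditions in [TriggerMatch] sections is the same" should be "are the same", and the ⋀/⋁ glyphs inside an .EX block will not render on every terminal device; an ASCII form ("AND of all [Match] sections AND OR of all [TriggerMatch] sections") is safer for a man page.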
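Review bot: the rewritten CacheOnly= entry (hunk at -764,10) lists none, metadata and always but never says which is the default, and the metadata sentence switches to first person ("we won't sync the repository metadata"). Add a "Defaults to ..." sentence like the neighbouring options have and reword to "the repository metadata is not synced".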
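Review bot: CompressLevel= (hunk at -848,6) says "Takes an integer. The possible values depend on the compression being used." but gives neither a default nor a pointer to where the valid range per compressor is documented; a reader cannot tell what happens when the option is unset or out of range. Suggest adding a "Defaults to ..." sentence and naming the compressors whose level it maps to.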
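Review bot: the CacheDirectory= change (hunk at -867,11) silently repurposes an existing option: it used to name the package manager cache and now names the incremental image cache, with the package cache moved to the new PackageCacheDirectory=. Existing configurations that set CacheDirectory= (or rely on mkosi.cache/) will get different behaviour without any error, so one of the two entries should say so explicitly. Also "\-\-package\-cache\-dir" is the only option in this hunk written without a trailing "=", while its neighbours use "\-\-cache\-dir=" and "\-\-build\-dir=".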
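Review bot: in the BaseTrees= hunk (-1110,7) the new text recommends "CleanPackageMetadata=no", but the CleanPackageMetadata= entry later in this same patch documents the accepted values as true, false, or auto. Use "CleanPackageMetadata=false" so the cross-reference matches the documented values.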
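Review bot: the new MicrocodeHost= entry (hunk at -1353,8) is missing the type and default that sibling options state, and needs a comma: "When set to true, only include microcode for the host's CPU in the image." Suggest adding "Takes a boolean value." and a "Defaults to ..." sentence.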
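Review bot: SecureBootKeySource= (hunk at -1503,7) and VerityKeySource= (hunk at -1520,6) document only a single example, "engine:pkcs11", and never state the accepted syntax or the default, so a reader cannot tell which forms besides "engine:<name>" exist, what the default source is, or what "the input type depends on the source" means for the value of SecureBootKey= in the engine case (a key path? an engine-specific identifier?). Suggest listing the accepted forms with their default and adding one sentence on what SecureBootKey= must contain when an engine is selected; this is the setting people will use to keep the signing key on a token rather than on disk, so it is worth being precise here.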
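Review bot: in the SignExpectedPcr= hunk (-1533,6) "Depends on SecureBoot= being enabled and key from SecureBootKey=." is ungrammatical; suggest "Depends on SecureBoot= being enabled and a key being provided via SecureBootKey=."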
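Review bot: in the QemuFirmware= hunk (-1642,37) "When set to auto, uefi-secure-boot is used if possible and linux otherwise." loses information the old text had: it does not say what "possible" means (the secure-boot OVMF build being installed? the image being UEFI-bootable?) nor what happens when only the plain OVMF build is present, which was previously the "uefi otherwise" case. Spell out the decision order. For QemuFirmwareVariables=, the "custom" value says the certificate "will be enrolled into the default firmware variables file"; please state that this happens on a copy (if it does), because modifying the distribution's variables file in place would change the trust roots of every VM on the host. Pre-existing typo in the unchanged context of the same hunk: "to the the firmware variables file".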
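Review bot: the new "sed" row (hunk at -2142,6) is inserted directly before "pacman", but the tools table is otherwise alphabetical (acl, apt, attr, bash, ..., findutils, git, grep, jq, kmod, ...); move it to its alphabetical position.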
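Review bot: in the ToolsTreeRepositories= hunk (-2433,6) the CLI forms "\-\-tools\-tree\-repository" and "\-\-tools\-tree\-package\-manager\-tree" lack the trailing "=" that "\-\-tools\-tree\-packages=" and the other options in this section carry.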
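Review bot: the RuntimeNetwork= header (hunk at -2474,6) reads "RuntimeNetwork=: \-\-runtime\-network=", separating the setting from its CLI option with a colon where every other .TP header uses a comma. Also, the "interface" mode says "a recent version of systemd-networkd" must be running on the host without naming a version; the RuntimeScratch= entry just above gives "systemd v254 or newer", so a concrete minimum would help here as well.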
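Review bot: the build-step renumbering hunk (-2646,61) touches every line of the list but leaves the pre-existing typo "Run SELinux relabel is a SELinux policy is installed"; since the line is rewritten anyway, change "is a" to "if a".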
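Review bot: the mkosi.sync entry (hunk at -2717,6) suggests running "git pull" from sync scripts but does not say where they execute (on the host or inside the tools tree sandbox) or whether they get network access; the environment table later in this patch leaves WITH_NETWORK unset for mkosi.sync, which makes the question real for anyone writing one. Add a sentence stating the execution environment and network availability.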
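Review bot: stray "=" in the new variable list (hunk at -2771,6): "$CACHED=" should be "$CACHED", matching "$DISTRIBUTION", "$RELEASE" and "$PROFILE" in the same hunk.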
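Review bot: the $MKOSI_CONFIG entry (hunk at -2846,16) spells "json" in lower case and says the file "can be parsed inside scripts to gain access to all settings" without saying whether its key names are stable or how they relate to the setting names in this man page; scripts will depend on that, so one sentence on the format (e.g. that keys match the setting names) or a pointer to where it is documented would be useful.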
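Review bot: typo in the new .RS block (hunk at -3062,6): "the package manager being used to built the image" should be "to build the image".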
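Review bot: the useradd snippet in the new FAQ entry (hunk at -3510,6) names its placeholders $USER and $USER_PASSWORD_FILE; USER is a standard environment variable that is normally already set when a post-installation script runs, so a copied snippet would attempt to create the invoking user instead of the intended one. Use distinct placeholder names and quote the expansions, e.g. `useradd --create-home --user-group "$NEW_USER" --password "$(openssl passwd -stdin -6 <"$NEW_USER_PASSWORD_FILE")"`. Worth one sentence as well: the hash is passed as a command-line argument, which is visible in process listings for the duration of the call; acceptable for a hash, but readers should not adapt the line to pass a plaintext password that way.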