Diffstat (limited to '')
12 files changed, 14 insertions, 550 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
deleted file mode 100755
index 02dcbc7..0000000
--- a/mkosi.images/base/mkosi.build.chroot
+++ /dev/null
@@ -1,224 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Simply invoke "mkosi" in the project directory to build an OS image.
-
-# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
-# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
-# an extra tree in the initrd and system image builds.
-DESTDIR="$OUTPUTDIR/systemd"
-
-# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
-# as out-of-tree build dir. Otherwise, let's make up our own builddir.
-[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
-
-# Let's make sure we're using stuff from the build directory first if available there.
-PATH="$BUILDDIR:$PATH"
-export PATH
-
-# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
-# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
-# the ubuntu script with a symlink to the first bpftool program we can find.
-for bpftool in /usr/lib/linux-tools/*/bpftool; do
- [ -x "$bpftool" ] || continue
- ln -sf "$bpftool" "$BUILDDIR"/bpftool
- break
-done
-
-# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
-# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
-# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
-. /usr/lib/os-release
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- cat >"$BUILDDIR"/bpftool <<EOF
-#!/bin/sh
-if [ "\$1" = --version ]; then
- echo 5.6.0
-else
- exec /usr/sbin/bpftool \$@
-fi
-EOF
- chmod +x "$BUILDDIR"/bpftool
-fi
-
-if [ ! -f "$BUILDDIR"/build.ninja ]; then
- sysvinit_path=$(realpath /etc/init.d)
-
- if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- UKIFY="disabled"
- else
- UKIFY="enabled"
- fi
-
- # On Debian 'loadkeys us' fails
- if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
- DEFAULT_KEYMAP=""
- else
- DEFAULT_KEYMAP="us"
- fi
-
- CONFIGURE_OPTS=(
- -D sysvinit-path="$sysvinit_path"
- -D man=disabled
- -D translations=false
- -D version-tag="${VERSION_TAG}"
- -D mode=developer
- -D b_sanitize="${SANITIZERS:-none}"
- -D install-tests=true
- -D tests=unsafe
- -D slow-tests="${SLOW_TESTS:-false}"
- -D create-log-dirs=false
- -D pamconfdir=no
- -D utmp=true
- -D hibernate=true
- -D ldconfig=true
- -D resolve=true
- -D efi=true
- -D tpm=true
- -D environment-d=true
- -D binfmt=true
- -D repart=enabled
- -D sysupdate=enabled
- -D coredump=true
- -D pstore=true
- -D oomd=true
- -D logind=true
- -D hostnamed=true
- -D localed=true
- -D machined=true
- -D portabled=true
- -D sysext=true
- -D userdb=true
- -D homed=enabled
- -D networkd=true
- -D timedated=true
- -D timesyncd=true
- -D remote=enabled
- -D nss-myhostname=true
- -D nss-mymachines=enabled
- -D nss-resolve=enabled
- -D nss-systemd=true
- -D firstboot=true
- -D randomseed=true
- -D backlight=true
- -D vconsole=true
- -D quotacheck=true
- -D sysusers=true
- -D tmpfiles=true
- -D importd=enabled
- -D hwdb=true
- -D rfkill=true
- -D xdg-autostart=true
- -D translations=true
- -D polkit=enabled
- -D acl=enabled
- -D audit=enabled
- -D blkid=enabled
- -D fdisk=enabled
- -D kmod=enabled
- -D pam=enabled
- -D pwquality=enabled
- -D microhttpd=enabled
- -D libcryptsetup=enabled
- -D libcurl=enabled
- -D idn=true
- -D libidn2=enabled
- -D qrencode=enabled
- -D gcrypt=enabled
- -D gnutls=enabled
- -D openssl=enabled
- -D cryptolib=openssl
- -D p11kit=enabled
- -D libfido2=enabled
- -D tpm2=enabled
- -D elfutils=enabled
- -D zstd=enabled
- -D xkbcommon=enabled
- -D pcre2=enabled
- -D glib=enabled
- -D dbus=enabled
- -D bootloader=enabled
- -D kernel-install=true
- -D analyze=true
- -D bpf-framework=enabled
- -D ukify="$UKIFY"
- -D seccomp=enabled
- -D selinux=auto
- -D apparmor=auto
- -D smack=true
- -D ima=true
- -D first-boot-full-preset=true
- -D initrd=true
- -D fexecve=true
- -D default-keymap="$DEFAULT_KEYMAP"
- )
-
- # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
- # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
- # installed in the wrong directory and not be found by cryptsetup. Assume native build.
- if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
- CONFIGURE_OPTS+=(
- -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
- -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
- )
- fi
-
- # Set various uids and gids for which Fedora has "soft static" allocations.
- # Without this, we would get warning about mismatched sysusers.d entries
- # between the files that we and Fedora's setup package install.
- if grep -q '^ID=fedora' /usr/lib/os-release; then
- CONFIGURE_OPTS+=(
- -Dadm-gid=4
- -Daudio-gid=63
- -Dcdrom-gid=11
- -Ddialout-gid=18
- -Ddisk-gid=6
- -Dinput-gid=104
- -Dkmem-gid=9
- -Dkvm-gid=36
- -Dlp-gid=7
- -Drender-gid=105
- -Dsgx-gid=106
- -Dtape-gid=33
- -Dtty-gid=5
- -Dusers-gid=100
- -Dutmp-gid=22
- -Dvideo-gid=39
- -Dwheel-gid=10
- -Dsystemd-journal-gid=190
- -Dsystemd-network-uid=192
- -Dsystemd-resolve-uid=193
- )
- fi
-
- ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
-fi
-
-( set -x; ninja -C "$BUILDDIR" "$@" )
-if [ "$WITH_TESTS" = 1 ]; then
- if [ -n "$SANITIZERS" ]; then
- export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
- export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
- TIMEOUT_MULTIPLIER=3
- else
- TIMEOUT_MULTIPLIER=1
- fi
-
- ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
-fi
-
-( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
- addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
- addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
- mkdir -p "${addons_dir}"
- ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
- ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
deleted file mode 100644
index 6c6d045..0000000
--- a/mkosi.images/base/mkosi.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Output]
-Format=directory
-
-[Content]
-Bootable=no
-CleanPackageMetadata=no
-
-Packages=
-Packages=
- kmod
- less
- util-linux
-
-BuildPackages=
- acl
- diffutils
- gawk
- binutils
- clang
- gettext
- git
- gperf
- grep
- lld
- llvm
- make
- meson
- pkgconf
- rsync
- sed
- tar
- zstd
diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf
deleted file mode 100644
index 7ab0c71..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-arch.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- cryptsetup
- dbus
- gnutls
- libbpf
- libfido2
- libmicrohttpd
- libnftnl
- libpwquality
- libseccomp
- libxkbcommon
- openssl
- qrencode
- tpm2-tss
-
-BuildPackages=
- bpf
- docbook-xsl
- glib2
- libxslt
- linux-api-headers
- python
- python-jinja
- python-lxml
- python-pefile
- python-pyelftools
diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
deleted file mode 100644
index 8ada9b0..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
+++ /dev/null
@@ -1,75 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- audit-libs
- cryptsetup-libs
- gnutls
- libasan
- libbpf
- libfido2
- libgcrypt
- libmicrohttpd
- libnftnl
- libubsan
- libxcrypt
- libxkbcommon
- openssl-libs
- qrencode-libs
- tpm2-tss
- util-linux
-
-BuildPackages=
- pkgconf
- bpftool
- docbook-xsl
- findutils
- libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
- libxslt
- pam-devel
- pkgconfig(audit)
- pkgconfig(blkid)
- pkgconfig(bzip2)
- pkgconfig(dbus-1)
- pkgconfig(fdisk)
- pkgconfig(glib-2.0)
- pkgconfig(gnutls)
- pkgconfig(libacl)
- pkgconfig(libbpf)
- pkgconfig(libcap)
- pkgconfig(libcryptsetup)
- pkgconfig(libcurl)
- pkgconfig(libdw)
- pkgconfig(libfido2)
- pkgconfig(libidn2)
- pkgconfig(libkmod)
- pkgconfig(libmicrohttpd)
- pkgconfig(libnftnl)
- pkgconfig(libpcre2-8)
- pkgconfig(libqrencode)
- pkgconfig(libseccomp)
- pkgconfig(libselinux)
- pkgconfig(libzstd)
- pkgconfig(mount)
- pkgconfig(numa)
- pkgconfig(openssl)
- pkgconfig(openssl)
- pkgconfig(p11-kit-1)
- pkgconfig(pwquality)
- pkgconfig(tss2-esys)
- pkgconfig(tss2-mu)
- pkgconfig(tss2-rc)
- pkgconfig(tss2-tcti-device)
- pkgconfig(valgrind)
- pkgconfig(xkbcommon)
- python3
- python3dist(jinja2)
- python3dist(lxml)
- python3dist(pefile)
- python3dist(pyelftools)
- python3dist(pytest)
- rpm
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
deleted file mode 100644
index c529e0b..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- dmsetup
- libapparmor1
- libfdisk1
- libfido2-1
- libglib2.0-0
- libgnutls30
- libidn2-0
- libmicrohttpd12
- libnftnl11
- libp11-kit0
- libpam0g
- libpwquality1
- libqrencode4
- libssl3
- libip4tc2
- libtss2-dev # Use the -dev package to avoid churn in updating version numbers
- tzdata
-
-BuildPackages=
- docbook-xsl
- dpkg-dev
- g++
- libacl1-dev
- libapparmor-dev
- libaudit-dev
- libblkid-dev
- libbpf-dev
- libbz2-dev
- libcap-dev
- libcryptsetup-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libdw-dev
- libfdisk-dev
- libfido2-dev
- libgcrypt20-dev
- libglib2.0-dev
- libgnutls28-dev
- libidn2-dev
- libiptc-dev
- libkmod-dev
- libmicrohttpd-dev
- libmount-dev
- libnftnl-dev
- libp11-kit-dev
- libpam0g-dev
- libpwquality-dev
- libqrencode-dev
- libseccomp-dev
- libsmartcols-dev
- libssl-dev
- libxen-dev
- libxkbcommon-dev
- libzstd-dev
- python3
- python3-jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- xsltproc
diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
deleted file mode 100644
index a8fbce4..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-fedora.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-BuildPackages=
- python3dist(pytest-flakes)
- pkgconfig(xencontrol)
diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
deleted file mode 100644
index 5aae0ed..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
+++ /dev/null
@@ -1,90 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
-# versions don't get installed instead.
-Packages=
- device-mapper
- distribution-release
- docbook-xsl-stylesheets
- gawk
- grep
- gzip
- libbpf1
- libcrypt1
- libcryptsetup12
- libdw1
- libelf1
- libfido2
- libgcrypt20
- libglib-2_0-0
- libkmod2
- libmount1
- libnftnl11
- libopenssl3
- libp11-kit0
- libqrencode4
- libseccomp2
- libtss2-esys0
- libtss2-mu0
- libtss2-rc0
- libtss2-tcti-device0
- libxkbcommon0
- libzstd1
- pam
- rsync
- sed
- shadow
- tpm2-0-tss
- xz
-
-BuildPackages=
- audit-devel
- bpftool
- dbus-1-devel
- fdupes
- gcc-c++
- glib2-devel
- glibc-locale
- intltool
- libacl-devel
- libapparmor-devel
- libblkid-devel
- libbpf-devel
- libcap-devel
- libcryptsetup-devel
- libcurl-devel
- libdw-devel
- libelf-devel
- libfdisk-devel
- libfido2-devel
- libgcrypt-devel
- libgnutls-devel
- libkmod-devel
- libmicrohttpd-devel
- libmount-devel
- libnftnl-devel
- libpwquality-devel
- libseccomp-devel
- libselinux-devel
- libxkbcommon-devel
- libxslt-tools
- libzstd-devel
- openssl-devel
- pam-devel
- pciutils-devel
- python3
- python3-Jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- python3-pytest-flakes
- qrencode-devel
- shadow
- timezone
- tpm2-0-tss-devel
- xen-devel
diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
deleted file mode 100644
index 717809f..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Content]
-Packages=
- libbpf0
-
-BuildPackages=
- linux-tools-common
- linux-tools-generic
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf
index 020b02b..babde60 100644
--- a/mkosi.images/base/mkosi.conf.d/10-debian.conf
+++ b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf
@@ -1,11 +1,9 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Match]
-Distribution=debian
+Distribution=|debian
+Distribution=|ubuntu
 
 [Content]
 Packages=
- libbpf1
-
-BuildPackages=
- bpftool
+ systemd
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
index 070af4c..c364058 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -19,6 +19,9 @@ enable dbus-broker.service
 enable systemd-networkd.service
 enable systemd-networkd-wait-online.service
 
+# systemd-resolved is disable by default on CentOS so make sure it is enabled.
+enable systemd-resolved.service
+
 # We install dnf in some images but it's only going to be used rarely,
 # so let's not have dnf create its cache.
 disable dnf-makecache.*
@@ -28,3 +31,11 @@ disable auditd.service
 
 # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
 enable systemd-timesyncd.service
+
+# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
+enable autorelabel.service
+
+# Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead.
+disable iscsi.service
+disable iscsid.socket
+disable iscsiuio.socket
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
index 710ee7c..710ee7c 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
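Review bot: The comment added in the first 00-mkosi.preset hunk has a typo and a missing comma: `# systemd-resolved is disable by default on CentOS so make sure it is enabled.` should read `# systemd-resolved is disabled by default on CentOS, so make sure it is enabled.`. In the second hunk of the same file, the comment above `enable autorelabel.service` says the unit is "skipped if selinux is not enabled", but a preset `enable` is itself unconditional; presumably the skip comes from a condition in the unit file, so it would help to state that explicitly, e.g. `# The unit only runs when SELinux is active (its own condition), so enabling it is harmless elsewhere; required for TEST-06-SELINUX.`. The iscsi comment reads fine as is; it already names the distribution and the reason.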
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
index e1a8e81..e1a8e81 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf |