Diffstat (limited to 'mkosi.images/base')
-rwxr-xr-xmkosi.images/base/mkosi.build.chroot230
-rw-r--r--mkosi.images/base/mkosi.conf34
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-arch.conf32
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf75
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf69
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-debian.conf11
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-fedora.conf9
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-opensuse.conf91
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-ubuntu.conf12
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset30
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset4
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf1
12 files changed, 598 insertions, 0 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
new file mode 100755
index 0000000..f26098c
--- /dev/null
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -0,0 +1,230 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
+# Simply invoke "mkosi" in the project directory to build an OS image.
+
+# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
+# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
+# an extra tree in the initrd and system image builds.
+DESTDIR="$OUTPUTDIR/systemd"
+
+# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
+# as out-of-tree build dir. Otherwise, let's make up our own builddir.
+[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
+
+# Let's make sure we're using stuff from the build directory first if available there.
+PATH="$BUILDDIR:$PATH"
+export PATH
+
+# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
+# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
+# the ubuntu script with a symlink to the first bpftool program we can find.
+for bpftool in /usr/lib/linux-tools/*/bpftool; do
+ [ -x "$bpftool" ] || continue
+ ln -sf "$bpftool" "$BUILDDIR"/bpftool
+ break
+done
+
+# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
+# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
+# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
+. /usr/lib/os-release
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ cat >"$BUILDDIR"/bpftool <<EOF
+#!/bin/sh
+if [ "\$1" = --version ]; then
+ echo 5.6.0
+else
+ exec /usr/sbin/bpftool \$@
+fi
+EOF
+ chmod +x "$BUILDDIR"/bpftool
+fi
+
+if [ ! -f "$BUILDDIR"/build.ninja ]; then
+ sysvinit_path=$(realpath /etc/init.d)
+
+ if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ UKIFY="disabled"
+ else
+ UKIFY="enabled"
+ fi
+
+ # On Debian 'loadkeys us' fails
+ if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
+ DEFAULT_KEYMAP=""
+ else
+ DEFAULT_KEYMAP="us"
+ fi
+
+ CONFIGURE_OPTS=(
+ -D sysvinit-path="$sysvinit_path"
+ -D man=disabled
+ -D translations=false
+ -D version-tag="${VERSION_TAG}"
+ -D mode=developer
+ -D b_sanitize="${SANITIZERS:-none}"
+ -D install-tests=true
+ -D tests=unsafe
+ -D slow-tests="${SLOW_TESTS:-false}"
+ -D create-log-dirs=false
+ -D pamconfdir=no
+ -D utmp=true
+ -D hibernate=true
+ -D ldconfig=true
+ -D resolve=true
+ -D efi=true
+ -D tpm=true
+ -D environment-d=true
+ -D binfmt=true
+ -D repart=enabled
+ -D sysupdate=enabled
+ -D coredump=true
+ -D pstore=true
+ -D oomd=true
+ -D logind=true
+ -D hostnamed=true
+ -D localed=true
+ -D machined=true
+ -D portabled=true
+ -D sysext=true
+ -D userdb=true
+ -D homed=enabled
+ -D networkd=true
+ -D timedated=true
+ -D timesyncd=true
+ -D remote=enabled
+ -D nss-myhostname=true
+ -D nss-mymachines=enabled
+ -D nss-resolve=enabled
+ -D nss-systemd=true
+ -D firstboot=true
+ -D randomseed=true
+ -D backlight=true
+ -D vconsole=true
+ -D quotacheck=true
+ -D sysusers=true
+ -D tmpfiles=true
+ -D importd=enabled
+ -D hwdb=true
+ -D rfkill=true
+ -D xdg-autostart=true
+ -D translations=true
+ -D polkit=enabled
+ -D acl=enabled
+ -D audit=enabled
+ -D blkid=enabled
+ -D fdisk=enabled
+ -D kmod=enabled
+ -D pam=enabled
+ -D pwquality=enabled
+ -D microhttpd=enabled
+ -D libcryptsetup=enabled
+ -D libcurl=enabled
+ -D idn=true
+ -D libidn2=enabled
+ -D qrencode=enabled
+ -D gcrypt=enabled
+ -D gnutls=enabled
+ -D openssl=enabled
+ -D cryptolib=openssl
+ -D p11kit=enabled
+ -D libfido2=enabled
+ -D tpm2=enabled
+ -D elfutils=enabled
+ -D zstd=enabled
+ -D xkbcommon=enabled
+ -D pcre2=enabled
+ -D glib=enabled
+ -D dbus=enabled
+ -D bootloader=enabled
+ -D kernel-install=true
+ -D analyze=true
+ -D bpf-framework=enabled
+ -D ukify="$UKIFY"
+ -D seccomp=enabled
+ -D selinux=auto
+ -D apparmor=auto
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
+ -D default-keymap="$DEFAULT_KEYMAP"
+ )
+
+ # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
+ # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
+ # installed in the wrong directory and not be found by cryptsetup. Assume native build.
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
+ CONFIGURE_OPTS+=(
+ -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+ -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
+ )
+ fi
+
+ # Set various uids and gids for which Fedora has "soft static" allocations.
+ # Without this, we would get warning about mismatched sysusers.d entries
+ # between the files that we and Fedora's setup package install.
+ if grep -q '^ID=fedora' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dadm-gid=4
+ -Daudio-gid=63
+ -Dcdrom-gid=11
+ -Ddialout-gid=18
+ -Ddisk-gid=6
+ -Dinput-gid=104
+ -Dkmem-gid=9
+ -Dkvm-gid=36
+ -Dlp-gid=7
+ -Drender-gid=105
+ -Dsgx-gid=106
+ -Dtape-gid=33
+ -Dtty-gid=5
+ -Dusers-gid=100
+ -Dutmp-gid=22
+ -Dvideo-gid=39
+ -Dwheel-gid=10
+ -Dsystemd-journal-gid=190
+ -Dsystemd-network-uid=192
+ -Dsystemd-resolve-uid=193
+ )
+ fi
+
+ if grep -q '^ID="opensuse' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dbpf-compiler=gcc
+ )
+ fi
+
+ ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
+fi
+
+( set -x; ninja -C "$BUILDDIR" "$@" )
+if [ "$WITH_TESTS" = 1 ]; then
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
+fi
+
+( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
+
+# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+if [ -d "${DESTDIR}/boot/loader" ]; then
+ addons_dir="${DESTDIR}/boot/loader/addons"
+elif [ -d "${DESTDIR}/efi/loader" ]; then
+ addons_dir="${DESTDIR}/efi/loader/addons"
+fi
+if [ -n "${addons_dir}" ]; then
+ mkdir -p "${addons_dir}"
+ ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
new file mode 100644
index 0000000..6c6d045
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+
+Packages=
+Packages=
+ kmod
+ less
+ util-linux
+
+BuildPackages=
+ acl
+ diffutils
+ gawk
+ binutils
+ clang
+ gettext
+ git
+ gperf
+ grep
+ lld
+ llvm
+ make
+ meson
+ pkgconf
+ rsync
+ sed
+ tar
+ zstd
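Review bot: `Packages=` appears twice in a row in the [Content] section; the first empty assignment already resets the list, so the second is redundant and one line should be dropped. If the reset is deliberate (clearing a list inherited from a higher-level config), a short comment such as `# Reset the inherited package list` above it would make that intent clear to the next reader.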
diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..7ab0c71
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ cryptsetup
+ dbus
+ gnutls
+ libbpf
+ libfido2
+ libmicrohttpd
+ libnftnl
+ libpwquality
+ libseccomp
+ libxkbcommon
+ openssl
+ qrencode
+ tpm2-tss
+
+BuildPackages=
+ bpf
+ docbook-xsl
+ glib2
+ libxslt
+ linux-api-headers
+ python
+ python-jinja
+ python-lxml
+ python-pefile
+ python-pyelftools
diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..8ada9b0
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ audit-libs
+ cryptsetup-libs
+ gnutls
+ libasan
+ libbpf
+ libfido2
+ libgcrypt
+ libmicrohttpd
+ libnftnl
+ libubsan
+ libxcrypt
+ libxkbcommon
+ openssl-libs
+ qrencode-libs
+ tpm2-tss
+ util-linux
+
+BuildPackages=
+ pkgconf
+ bpftool
+ docbook-xsl
+ findutils
+ libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
+ libxslt
+ pam-devel
+ pkgconfig(audit)
+ pkgconfig(blkid)
+ pkgconfig(bzip2)
+ pkgconfig(dbus-1)
+ pkgconfig(fdisk)
+ pkgconfig(glib-2.0)
+ pkgconfig(gnutls)
+ pkgconfig(libacl)
+ pkgconfig(libbpf)
+ pkgconfig(libcap)
+ pkgconfig(libcryptsetup)
+ pkgconfig(libcurl)
+ pkgconfig(libdw)
+ pkgconfig(libfido2)
+ pkgconfig(libidn2)
+ pkgconfig(libkmod)
+ pkgconfig(libmicrohttpd)
+ pkgconfig(libnftnl)
+ pkgconfig(libpcre2-8)
+ pkgconfig(libqrencode)
+ pkgconfig(libseccomp)
+ pkgconfig(libselinux)
+ pkgconfig(libzstd)
+ pkgconfig(mount)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(openssl)
+ pkgconfig(p11-kit-1)
+ pkgconfig(pwquality)
+ pkgconfig(tss2-esys)
+ pkgconfig(tss2-mu)
+ pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
+ pkgconfig(valgrind)
+ pkgconfig(xkbcommon)
+ python3
+ python3dist(jinja2)
+ python3dist(lxml)
+ python3dist(pefile)
+ python3dist(pyelftools)
+ python3dist(pytest)
+ rpm
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000..c529e0b
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,69 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ dmsetup
+ libapparmor1
+ libfdisk1
+ libfido2-1
+ libglib2.0-0
+ libgnutls30
+ libidn2-0
+ libmicrohttpd12
+ libnftnl11
+ libp11-kit0
+ libpam0g
+ libpwquality1
+ libqrencode4
+ libssl3
+ libip4tc2
+ libtss2-dev # Use the -dev package to avoid churn in updating version numbers
+ tzdata
+
+BuildPackages=
+ docbook-xsl
+ dpkg-dev
+ g++
+ libacl1-dev
+ libapparmor-dev
+ libaudit-dev
+ libblkid-dev
+ libbpf-dev
+ libbz2-dev
+ libcap-dev
+ libcryptsetup-dev
+ libcurl4-openssl-dev
+ libdbus-1-dev
+ libdw-dev
+ libfdisk-dev
+ libfido2-dev
+ libgcrypt20-dev
+ libglib2.0-dev
+ libgnutls28-dev
+ libidn2-dev
+ libiptc-dev
+ libkmod-dev
+ libmicrohttpd-dev
+ libmount-dev
+ libnftnl-dev
+ libp11-kit-dev
+ libpam0g-dev
+ libpwquality-dev
+ libqrencode-dev
+ libseccomp-dev
+ libsmartcols-dev
+ libssl-dev
+ libxen-dev
+ libxkbcommon-dev
+ libzstd-dev
+ python3
+ python3-jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ xsltproc
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/base/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000..020b02b
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ libbpf1
+
+BuildPackages=
+ bpftool
diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000..a8fbce4
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+BuildPackages=
+ python3dist(pytest-flakes)
+ pkgconfig(xencontrol)
diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..ec91b49
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ device-mapper
+ distribution-release
+ docbook-xsl-stylesheets
+ gawk
+ grep
+ gzip
+ libbpf1
+ libcrypt1
+ libcryptsetup12
+ libdw1
+ libelf1
+ libfido2
+ libgcrypt20
+ libglib-2_0-0
+ libkmod2
+ libmount1
+ libnftnl11
+ libopenssl3
+ libp11-kit0
+ libqrencode4
+ libseccomp2
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
+ libxkbcommon0
+ libzstd1
+ pam
+ rsync
+ sed
+ shadow
+ tpm2-0-tss
+ xz
+
+BuildPackages=
+ audit-devel
+ bpftool
+ cross-bpf-gcc13
+ dbus-1-devel
+ fdupes
+ gcc-c++
+ glib2-devel
+ glibc-locale
+ intltool
+ libacl-devel
+ libapparmor-devel
+ libblkid-devel
+ libbpf-devel
+ libcap-devel
+ libcryptsetup-devel
+ libcurl-devel
+ libdw-devel
+ libelf-devel
+ libfdisk-devel
+ libfido2-devel
+ libgcrypt-devel
+ libgnutls-devel
+ libkmod-devel
+ libmicrohttpd-devel
+ libmount-devel
+ libnftnl-devel
+ libpwquality-devel
+ libseccomp-devel
+ libselinux-devel
+ libxkbcommon-devel
+ libxslt-tools
+ libzstd-devel
+ openssl-devel
+ pam-devel
+ pciutils-devel
+ python3
+ python3-Jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ python3-pytest-flakes
+ qrencode-devel
+ shadow
+ timezone
+ tpm2-0-tss-devel
+ xen-devel
diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000..717809f
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ libbpf0
+
+BuildPackages=
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
new file mode 100644
index 0000000..070af4c
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
new file mode 100644
index 0000000..710ee7c
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
new file mode 100644
index 0000000..e1a8e81
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
@@ -0,0 +1 @@
+L /etc/default/locale - - - - ../locale.conf