diff options
Diffstat (limited to 'mkosi.images/system')
27 files changed, 422 insertions, 0 deletions
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf new file mode 100644 index 0000000..7612f22 --- /dev/null +++ b/mkosi.images/system/mkosi.conf @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=base + +[Content] +Autologin=yes +BaseTrees=../../mkosi.output/base +ExtraTrees=../../mkosi.output/base-systemd +Packages= + acl + bash-completion + coreutils + diffutils + dnsmasq + dosfstools + e2fsprogs + findutils + gcc # Sanitizer libraries + gdb + grep + gzip + kbd + kexec-tools + less + mtools + nano + nftables + openssl + qrencode + sed + socat + strace + systemd + tmux + tree + udev + util-linux + valgrind + wireguard-tools + xfsprogs + zsh + +BuildPackages= + +[Validation] +@SecureBoot=yes +@SignExpectedPcr=yes diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf new file mode 100644 index 0000000..9f21754 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Bootable=!no +Format=|disk +Format=|directory + +[Config] +Dependencies=initrd + +[Content] +Initrds=../../mkosi.output/initrd diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000..e1a511c --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + bpf + btrfs-progs + compsize + dhcp + f2fs-tools + glib2 + iproute + linux + man-db + openbsd-netcat + openssh + pacman + polkit + python-pefile + python-psutil + python-pytest + python3 + quota-tools + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000..67d4643 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + bpftool + cryptsetup + dhcp-server + dnf + glib2 + integritysetup + iproute + iproute-tc + kernel-core + libcap-ng-utils + netcat + openssh-server + p11-kit + pam + passwd + polkit + procps-ng + python3 + python3dist(pefile) + python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason. + python3dist(psutil) + python3dist(pytest) + quota + vim-common diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf new file mode 100644 index 0000000..146e03a --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos + +[Content] +Packages= + kernel-modules # For squashfs support diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf new file mode 100644 index 0000000..99b846d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support btrfs so we use xfs instead. +[Partition] +Format=xfs diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf new file mode 100644 index 0000000..393d5f0 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support erofs so we use squashfs instead. +[Partition] +Format=squashfs diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf new file mode 100644 index 0000000..d3c89f3 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=x86-64 + +[Content] +Packages= + bpftool + linux-image-cloud-amd64 diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf new file mode 100644 index 0000000..76a6898 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=arm64 + +[Content] +Packages= + bpftool + linux-image-cloud-arm64 diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000..588f833 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + apt + btrfs-progs + cryptsetup-bin + dbus-broker + default-dbus-session-bus + f2fs-tools + fdisk + iproute2 + isc-dhcp-server + libcap-ng-utils + netcat-openbsd + openssh-server + passwd + policykit-1 + procps + python3 + python3-pefile + python3-psutil + python3-pytest + quota + xxd diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000..42d0093 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +Packages= + btrfs-progs + compsize + f2fs-tools diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000..60a2b6d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +Packages= + bpftool + btrfs-progs + cryptsetup + dbus-broker + f2fs-tools + glibc-locale-base + kernel-kvmsmall + libcap-ng-utils + openssh-server + python3 + python3-pefile + python3-psutil + python3-pytest + quota + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000..f58ee7e --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials. + linux-image-generic + linux-tools-common + linux-tools-generic diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue new file mode 100644 index 0000000..6aa6fc0 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/etc/issue @@ -0,0 +1,2 @@ +\S (built from systemd tree) +Kernel \r on an \m (\l) diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf new file mode 100644 index 0000000..3755278 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=swap +SizeMinBytes=100M +SizeMaxBytes=100M diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf new file mode 100644 index 0000000..71eb9e3 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=root +Format=btrfs +SizeMinBytes=1G +Subvolumes=/home /var +MakeDirectories=/home /var diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf new file mode 100644 index 0000000..2f95329 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't +# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles +# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set +# Storage= to persistent to have systemd-journald create /var/log/journal itself. +[Journal] +Storage=persistent diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh new file mode 100755 index 0000000..9bb2462 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh @@ -0,0 +1,19 @@ +#!/bin/bash -eux +# SPDX-License-Identifier: LGPL-2.1-or-later + +# TODO: Figure out why this is failing +systemctl reset-failed systemd-vconsole-setup.service + +systemctl --failed --no-legend | tee /failed-services + +# Check that secure boot keys were properly enrolled. +if ! systemd-detect-virt --container; then + cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1') + cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0') + # TODO: Figure out why this is failing + # grep -q this_should_be_here /proc/cmdline + # grep -q this_should_not_be_here /proc/cmdline && exit 1 +fi + +# Exit with non-zero EC if the /failed-services file is not empty (we have -e set) +[[ ! -s /failed-services ]] diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service new file mode 100644 index 0000000..7942cbf --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Check if any service failed and then shutdown the machine +After=multi-user.target network-online.target +Requires=multi-user.target +Wants=systemd-resolved.service systemd-networkd.service network-online.target +SuccessAction=exit +FailureAction=exit +# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the +# host. +SuccessActionExitStatus=123 + +[Service] +Type=oneshot +ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf new file mode 100644 index 0000000..dac79ba --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +C+! /etc - - - - /usr/share/factory/mkosi diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb new file mode 100644 index 0000000..26f882b --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb @@ -0,0 +1,3 @@ +set debuginfod enabled off +set build-id-verbose 0 +set substitute-path ../src /root/src/systemd diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize new file mode 100755 index 0000000..74b810c --- /dev/null +++ b/mkosi.images/system/mkosi.finalize @@ -0,0 +1,4 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later + +cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot new file mode 100755 index 0000000..0cb9b9c --- /dev/null +++ b/mkosi.images/system/mkosi.postinst.chroot @@ -0,0 +1,93 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ]; then + exit 0 +fi + +if [ -n "$SANITIZERS" ]; then + LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') + + mkdir -p /etc/systemd/system.conf.d + + cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF +[Manager] +ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ + UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ + LD_PRELOAD=$LD_PRELOAD +DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ + UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ + LD_PRELOAD=$LD_PRELOAD +EOF + + # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose + # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any + # sanitizer failures appear directly on the user's console. + mkdir -p /etc/systemd/system/systemd-journald.service.d + cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF +[Service] +StandardOutput=tty +EOF + + # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users. + # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As + # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login + # from calling vhangup() so that journald's ASAN logs correctly end up in the console. + + mkdir -p /etc/systemd/system/console-getty.service.d + cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF +[Service] +TTYVHangup=no +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +EOF + # ASAN and syscall filters aren't compatible with each other. + find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + + + # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. + systemctl mask systemd-hwdb-update.service +fi + +if [ -n "$IMAGE_ID" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_ID=/!p' \ + -e "\$aIMAGE_ID=$IMAGE_ID" \ + /usr/lib/os-release +fi + +if [ -n "$IMAGE_VERSION" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_VERSION=/!p' \ + -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ + /usr/lib/os-release +fi + +if command -v authselect >/dev/null; then + # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so + # let's use the new name if it exists. + if [ -d /usr/share/authselect/default/local ]; then + PROFILE=local + else + PROFILE=minimal + fi + + authselect select "$PROFILE" + + if authselect list-features "$PROFILE" | grep -q "with-homed"; then + authselect enable-feature with-homed + fi +fi + +# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that +# if that's the case. +mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf +rm -f /etc/resolv.conf + +. /usr/lib/os-release + +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 + alternatives --set python3 /usr/bin/python3.9 +fi diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf new file mode 100644 index 0000000..4be0466 --- /dev/null +++ b/mkosi.images/system/mkosi.repart/00-esp.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=esp +Format=vfat +CopyFiles=/boot:/ +CopyFiles=/efi:/ +SizeMinBytes=512M +SizeMaxBytes=512M diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.repart/10-usr.conf new file mode 100644 index 0000000..343761d --- /dev/null +++ b/mkosi.images/system/mkosi.repart/10-usr.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=usr +Format=erofs +CopyFiles=/usr:/ +Verity=data +VerityMatchKey=usr +Minimize=yes diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.repart/11-usr-verity.conf new file mode 100644 index 0000000..b4d45dd --- /dev/null +++ b/mkosi.images/system/mkosi.repart/11-usr-verity.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=usr-verity +Verity=hash +VerityMatchKey=usr +Minimize=yes diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf new file mode 100644 index 0000000..1841d0a --- /dev/null +++ b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=usr-verity-sig +Verity=signature +VerityMatchKey=usr |