44 files changed, 1092 insertions, 0 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
new file mode 100755
index 0000000..f26098c
--- /dev/null
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -0,0 +1,230 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
+# Simply invoke "mkosi" in the project directory to build an OS image.
+
+# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
+# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
+# an extra tree in the initrd and system image builds.
+DESTDIR="$OUTPUTDIR/systemd"
+
+# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
+# as out-of-tree build dir. Otherwise, let's make up our own builddir.
+[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
+
+# Let's make sure we're using stuff from the build directory first if available there.
+PATH="$BUILDDIR:$PATH"
+export PATH
+
+# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
+# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
+# the ubuntu script with a symlink to the first bpftool program we can find.
+for bpftool in /usr/lib/linux-tools/*/bpftool; do
+ [ -x "$bpftool" ] || continue
+ ln -sf "$bpftool" "$BUILDDIR"/bpftool
+ break
+done
+
+# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
+# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
+# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
+. /usr/lib/os-release
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ cat >"$BUILDDIR"/bpftool <<EOF
+#!/bin/sh
+if [ "\$1" = --version ]; then
+ echo 5.6.0
+else
+ exec /usr/sbin/bpftool \$@
+fi
+EOF
+ chmod +x "$BUILDDIR"/bpftool
+fi
+
+if [ ! -f "$BUILDDIR"/build.ninja ]; then
+ sysvinit_path=$(realpath /etc/init.d)
+
+ if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ UKIFY="disabled"
+ else
+ UKIFY="enabled"
+ fi
+
+ # On Debian 'loadkeys us' fails
+ if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
+ DEFAULT_KEYMAP=""
+ else
+ DEFAULT_KEYMAP="us"
+ fi
+
+ CONFIGURE_OPTS=(
+ -D sysvinit-path="$sysvinit_path"
+ -D man=disabled
+ -D translations=false
+ -D version-tag="${VERSION_TAG}"
+ -D mode=developer
+ -D b_sanitize="${SANITIZERS:-none}"
+ -D install-tests=true
+ -D tests=unsafe
+ -D slow-tests="${SLOW_TESTS:-false}"
+ -D create-log-dirs=false
+ -D pamconfdir=no
+ -D utmp=true
+ -D hibernate=true
+ -D ldconfig=true
+ -D resolve=true
+ -D efi=true
+ -D tpm=true
+ -D environment-d=true
+ -D binfmt=true
+ -D repart=enabled
+ -D sysupdate=enabled
+ -D coredump=true
+ -D pstore=true
+ -D oomd=true
+ -D logind=true
+ -D hostnamed=true
+ -D localed=true
+ -D machined=true
+ -D portabled=true
+ -D sysext=true
+ -D userdb=true
+ -D homed=enabled
+ -D networkd=true
+ -D timedated=true
+ -D timesyncd=true
+ -D remote=enabled
+ -D nss-myhostname=true
+ -D nss-mymachines=enabled
+ -D nss-resolve=enabled
+ -D nss-systemd=true
+ -D firstboot=true
+ -D randomseed=true
+ -D backlight=true
+ -D vconsole=true
+ -D quotacheck=true
+ -D sysusers=true
+ -D tmpfiles=true
+ -D importd=enabled
+ -D hwdb=true
+ -D rfkill=true
+ -D xdg-autostart=true
+ -D translations=true
+ -D polkit=enabled
+ -D acl=enabled
+ -D audit=enabled
+ -D blkid=enabled
+ -D fdisk=enabled
+ -D kmod=enabled
+ -D pam=enabled
+ -D pwquality=enabled
+ -D microhttpd=enabled
+ -D libcryptsetup=enabled
+ -D libcurl=enabled
+ -D idn=true
+ -D libidn2=enabled
+ -D qrencode=enabled
+ -D gcrypt=enabled
+ -D gnutls=enabled
+ -D openssl=enabled
+ -D cryptolib=openssl
+ -D p11kit=enabled
+ -D libfido2=enabled
+ -D tpm2=enabled
+ -D elfutils=enabled
+ -D zstd=enabled
+ -D xkbcommon=enabled
+ -D pcre2=enabled
+ -D glib=enabled
+ -D dbus=enabled
+ -D bootloader=enabled
+ -D kernel-install=true
+ -D analyze=true
+ -D bpf-framework=enabled
+ -D ukify="$UKIFY"
+ -D seccomp=enabled
+ -D selinux=auto
+ -D apparmor=auto
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
+ -D default-keymap="$DEFAULT_KEYMAP"
+ )
+
+ # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
+ # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
+ # installed in the wrong directory and not be found by cryptsetup. Assume native build.
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
+ CONFIGURE_OPTS+=(
+ -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+ -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
+ )
+ fi
+
+ # Set various uids and gids for which Fedora has "soft static" allocations.
+ # Without this, we would get warning about mismatched sysusers.d entries
+ # between the files that we and Fedora's setup package install.
+ if grep -q '^ID=fedora' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dadm-gid=4
+ -Daudio-gid=63
+ -Dcdrom-gid=11
+ -Ddialout-gid=18
+ -Ddisk-gid=6
+ -Dinput-gid=104
+ -Dkmem-gid=9
+ -Dkvm-gid=36
+ -Dlp-gid=7
+ -Drender-gid=105
+ -Dsgx-gid=106
+ -Dtape-gid=33
+ -Dtty-gid=5
+ -Dusers-gid=100
+ -Dutmp-gid=22
+ -Dvideo-gid=39
+ -Dwheel-gid=10
+ -Dsystemd-journal-gid=190
+ -Dsystemd-network-uid=192
+ -Dsystemd-resolve-uid=193
+ )
+ fi
+
+ if grep -q '^ID="opensuse' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dbpf-compiler=gcc
+ )
+ fi
+
+ ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
+fi
+
+( set -x; ninja -C "$BUILDDIR" "$@" )
+if [ "$WITH_TESTS" = 1 ]; then
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
+fi
+
+( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
+
+# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+if [ -d "${DESTDIR}/boot/loader" ]; then
+ addons_dir="${DESTDIR}/boot/loader/addons"
+elif [ -d "${DESTDIR}/efi/loader" ]; then
+ addons_dir="${DESTDIR}/efi/loader/addons"
+fi
+if [ -n "${addons_dir}" ]; then
+ mkdir -p "${addons_dir}"
+ ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
new file mode 100644
index 0000000..6c6d045
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf
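Review bot: `-D translations=false` near the top of CONFIGURE_OPTS is contradicted by `-D translations=true` further down the same array; depending on the meson version either the later value silently wins or the duplicate is rejected, so one of the two should go (the later `true` looks intended, since gettext is in the base BuildPackages). The CentOS 8 bpftool wrapper generated by the heredoc passes its arguments on unquoted, `exec /usr/sbin/bpftool \$@`; it should be `exec /usr/sbin/bpftool "\$@"` so arguments with spaces or glob characters reach the real binary intact. Debian detection is also done two different ways in this script, an exact `[ "$ID_LIKE" = "debian" ]` for the keymap and a substring `grep -e "ID_LIKE=debian"` for libdir, so a derivative with `ID_LIKE="ubuntu debian"` gets the multiarch libdir but keeps `us` as the default keymap; using the same test for both would remove that inconsistency.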
@@ -0,0 +1,34 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Output] +Format=directory + +[Content] +Bootable=no +CleanPackageMetadata=no + +Packages= +Packages= + kmod + less + util-linux + +BuildPackages= + acl + diffutils + gawk + binutils + clang + gettext + git + gperf + grep + lld + llvm + make + meson + pkgconf + rsync + sed + tar + zstd diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000..7ab0c71 --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-arch.conf @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + cryptsetup + dbus + gnutls + libbpf + libfido2 + libmicrohttpd + libnftnl + libpwquality + libseccomp + libxkbcommon + openssl + qrencode + tpm2-tss + +BuildPackages= + bpf + docbook-xsl + glib2 + libxslt + linux-api-headers + python + python-jinja + python-lxml + python-pefile + python-pyelftools diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000..8ada9b0 --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf 
@@ -0,0 +1,75 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + audit-libs + cryptsetup-libs + gnutls + libasan + libbpf + libfido2 + libgcrypt + libmicrohttpd + libnftnl + libubsan + libxcrypt + libxkbcommon + openssl-libs + qrencode-libs + tpm2-tss + util-linux + +BuildPackages= + pkgconf + bpftool + docbook-xsl + findutils + libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file. + libxslt + pam-devel + pkgconfig(audit) + pkgconfig(blkid) + pkgconfig(bzip2) + pkgconfig(dbus-1) + pkgconfig(fdisk) + pkgconfig(glib-2.0) + pkgconfig(gnutls) + pkgconfig(libacl) + pkgconfig(libbpf) + pkgconfig(libcap) + pkgconfig(libcryptsetup) + pkgconfig(libcurl) + pkgconfig(libdw) + pkgconfig(libfido2) + pkgconfig(libidn2) + pkgconfig(libkmod) + pkgconfig(libmicrohttpd) + pkgconfig(libnftnl) + pkgconfig(libpcre2-8) + pkgconfig(libqrencode) + pkgconfig(libseccomp) + pkgconfig(libselinux) + pkgconfig(libzstd) + pkgconfig(mount) + pkgconfig(numa) + pkgconfig(openssl) + pkgconfig(openssl) + pkgconfig(p11-kit-1) + pkgconfig(pwquality) + pkgconfig(tss2-esys) + pkgconfig(tss2-mu) + pkgconfig(tss2-rc) + pkgconfig(tss2-tcti-device) + pkgconfig(valgrind) + pkgconfig(xkbcommon) + python3 + python3dist(jinja2) + python3dist(lxml) + python3dist(pefile) + python3dist(pyelftools) + python3dist(pytest) + rpm diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000..c529e0b --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf 
@@ -0,0 +1,69 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + dmsetup + libapparmor1 + libfdisk1 + libfido2-1 + libglib2.0-0 + libgnutls30 + libidn2-0 + libmicrohttpd12 + libnftnl11 + libp11-kit0 + libpam0g + libpwquality1 + libqrencode4 + libssl3 + libip4tc2 + libtss2-dev # Use the -dev package to avoid churn in updating version numbers + tzdata + +BuildPackages= + docbook-xsl + dpkg-dev + g++ + libacl1-dev + libapparmor-dev + libaudit-dev + libblkid-dev + libbpf-dev + libbz2-dev + libcap-dev + libcryptsetup-dev + libcurl4-openssl-dev + libdbus-1-dev + libdw-dev + libfdisk-dev + libfido2-dev + libgcrypt20-dev + libglib2.0-dev + libgnutls28-dev + libidn2-dev + libiptc-dev + libkmod-dev + libmicrohttpd-dev + libmount-dev + libnftnl-dev + libp11-kit-dev + libpam0g-dev + libpwquality-dev + libqrencode-dev + libseccomp-dev + libsmartcols-dev + libssl-dev + libxen-dev + libxkbcommon-dev + libzstd-dev + python3 + python3-jinja2 + python3-lxml + python3-pefile + python3-pyelftools + python3-pytest + xsltproc diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/base/mkosi.conf.d/10-debian.conf new file mode 100644 index 0000000..020b02b --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-debian.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian + +[Content] +Packages= + libbpf1 + +BuildPackages= + bpftool diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000..a8fbce4 --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +BuildPackages= + python3dist(pytest-flakes) + pkgconfig(xencontrol) 
diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000..ec91b49 --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,91 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox +# versions don't get installed instead. +Packages= + device-mapper + distribution-release + docbook-xsl-stylesheets + gawk + grep + gzip + libbpf1 + libcrypt1 + libcryptsetup12 + libdw1 + libelf1 + libfido2 + libgcrypt20 + libglib-2_0-0 + libkmod2 + libmount1 + libnftnl11 + libopenssl3 + libp11-kit0 + libqrencode4 + libseccomp2 + libtss2-esys0 + libtss2-mu0 + libtss2-rc0 + libtss2-tcti-device0 + libxkbcommon0 + libzstd1 + pam + rsync + sed + shadow + tpm2-0-tss + xz + +BuildPackages= + audit-devel + bpftool + cross-bpf-gcc13 + dbus-1-devel + fdupes + gcc-c++ + glib2-devel + glibc-locale + intltool + libacl-devel + libapparmor-devel + libblkid-devel + libbpf-devel + libcap-devel + libcryptsetup-devel + libcurl-devel + libdw-devel + libelf-devel + libfdisk-devel + libfido2-devel + libgcrypt-devel + libgnutls-devel + libkmod-devel + libmicrohttpd-devel + libmount-devel + libnftnl-devel + libpwquality-devel + libseccomp-devel + libselinux-devel + libxkbcommon-devel + libxslt-tools + libzstd-devel + openssl-devel + pam-devel + pciutils-devel + python3 + python3-Jinja2 + python3-lxml + python3-pefile + python3-pyelftools + python3-pytest + python3-pytest-flakes + qrencode-devel + shadow + timezone + tpm2-0-tss-devel + xen-devel diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000..717809f --- /dev/null +++ b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf 
@@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + libbpf0 + +BuildPackages= + linux-tools-common + linux-tools-generic diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset new file mode 100644 index 0000000..070af4c --- /dev/null +++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# mkosi adds its own ssh units via the --ssh switch so disable the default ones. +disable ssh.service +disable sshd.service + +# These are started manually in integration tests so don't start them by default. +disable dnsmasq.service +disable isc-dhcp-server.service +disable isc-dhcp-server6.service + +# Pulled in via dracut-network by kexec-tools on Fedora. +disable NetworkManager* + +# Make sure dbus-broker is started by default on Debian/Ubuntu. +enable dbus-broker.service + +# systemd-networkd is disabled by default on Fedora so make sure it is enabled. +enable systemd-networkd.service +enable systemd-networkd-wait-online.service + +# We install dnf in some images but it's only going to be used rarely, +# so let's not have dnf create its cache. +disable dnf-makecache.* + +# We have journald to receive audit data so let's make sure we're not running auditd as well +disable auditd.service + +# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead. +enable systemd-timesyncd.service diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset new file mode 100644 index 0000000..710ee7c --- /dev/null +++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset 
@@ -0,0 +1,4 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# Make sure that services are disabled by default (primarily for Debian/Ubuntu). +disable * diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf new file mode 100644 index 0000000..e1a8e81 --- /dev/null +++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf @@ -0,0 +1 @@ +L /etc/default/locale - - - - ../locale.conf diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf new file mode 100644 index 0000000..8e38dc1 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=base + +[Output] +Format=cpio + +[Content] +BaseTrees=../../mkosi.output/base +ExtraTrees=../../mkosi.output/base-systemd +MakeInitrd=yes +Bootable=no +BuildPackages= + +Packages= +Packages= + gzip + systemd + udev + +# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it +# doesn't end up in the initrd. +RemoveFiles= + /usr/lib/libgfortran.so* + /usr/lib/libgo.so* + /usr/lib/libgomp.so* + /usr/lib/libgphobos.so* + /usr/lib/libobjc.so* + /usr/lib/libstdc++.so* diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf new file mode 100644 index 0000000..3f92e52 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos + +[Output] +# TODO: Switch to zstd once we stop building CentOS Stream 8. +CompressOutput=xz + +[Content] +Packages=xfsprogs + tpm2-tools diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf new file mode 100644 index 0000000..9224b92 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-default.conf 
@@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=!centos +Distribution=!opensuse + +[Output] +CompressOutput=zst + +[Content] +Packages=btrfs-progs + tpm2-tools diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000..5cf2df3 --- /dev/null +++ b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Output] +CompressOutput=zst + +[Content] +Packages=btrfs-progs + tpm2.0-tools diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/initrd/mkosi.postinst new file mode 100755 index 0000000..de610df --- /dev/null +++ b/mkosi.images/initrd/mkosi.postinst @@ -0,0 +1,7 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem. +# See https://github.com/openSUSE/suse-module-tools/pull/71 +rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf" diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf new file mode 100644 index 0000000..7612f22 --- /dev/null +++ b/mkosi.images/system/mkosi.conf @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=base + +[Content] +Autologin=yes +BaseTrees=../../mkosi.output/base +ExtraTrees=../../mkosi.output/base-systemd +Packages= + acl + bash-completion + coreutils + diffutils + dnsmasq + dosfstools + e2fsprogs + findutils + gcc # Sanitizer libraries + gdb + grep + gzip + kbd + kexec-tools + less + mtools + nano + nftables + openssl + qrencode + sed + socat + strace + systemd + tmux + tree + udev + util-linux + valgrind + wireguard-tools + xfsprogs + zsh + +BuildPackages= + +[Validation] +@SecureBoot=yes +@SignExpectedPcr=yes 
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf new file mode 100644 index 0000000..9f21754 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Bootable=!no +Format=|disk +Format=|directory + +[Config] +Dependencies=initrd + +[Content] +Initrds=../../mkosi.output/initrd diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000..e1a511c --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + bpf + btrfs-progs + compsize + dhcp + f2fs-tools + glib2 + iproute + linux + man-db + openbsd-netcat + openssh + pacman + polkit + python-pefile + python-psutil + python-pytest + python3 + quota-tools + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000..67d4643 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + bpftool + cryptsetup + dhcp-server + dnf + glib2 + integritysetup + iproute + iproute-tc + kernel-core + libcap-ng-utils + netcat + openssh-server + p11-kit + pam + passwd + polkit + procps-ng + python3 + python3dist(pefile) + python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason. + python3dist(psutil) + python3dist(pytest) + quota + vim-common diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf new file mode 100644 index 0000000..146e03a --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf 
@@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos + +[Content] +Packages= + kernel-modules # For squashfs support diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf new file mode 100644 index 0000000..99b846d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support btrfs so we use xfs instead. +[Partition] +Format=xfs diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf new file mode 100644 index 0000000..393d5f0 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# CentOS does not support erofs so we use squashfs instead. +[Partition] +Format=squashfs diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf new file mode 100644 index 0000000..d3c89f3 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=x86-64 + +[Content] +Packages= + bpftool + linux-image-cloud-amd64 diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf new file mode 100644 index 0000000..76a6898 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian +Architecture=arm64 + +[Content] +Packages= + bpftool + linux-image-cloud-arm64 
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000..588f833 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + apt + btrfs-progs + cryptsetup-bin + dbus-broker + default-dbus-session-bus + f2fs-tools + fdisk + iproute2 + isc-dhcp-server + libcap-ng-utils + netcat-openbsd + openssh-server + passwd + policykit-1 + procps + python3 + python3-pefile + python3-psutil + python3-pytest + quota + xxd diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000..42d0093 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +Packages= + btrfs-progs + compsize + f2fs-tools diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000..60a2b6d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +Packages= + bpftool + btrfs-progs + cryptsetup + dbus-broker + f2fs-tools + glibc-locale-base + kernel-kvmsmall + libcap-ng-utils + openssh-server + python3 + python3-pefile + python3-psutil + python3-pytest + quota + shadow + vim diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000..f58ee7e --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf 
@@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials. + linux-image-generic + linux-tools-common + linux-tools-generic diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue new file mode 100644 index 0000000..6aa6fc0 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/etc/issue @@ -0,0 +1,2 @@ +\S (built from systemd tree) +Kernel \r on an \m (\l) diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf new file mode 100644 index 0000000..3755278 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=swap +SizeMinBytes=100M +SizeMaxBytes=100M diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf new file mode 100644 index 0000000..71eb9e3 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=root +Format=btrfs +SizeMinBytes=1G +Subvolumes=/home /var +MakeDirectories=/home /var diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf new file mode 100644 index 0000000..2f95329 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf 
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000..9bb2462
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000..7942cbf
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
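Review bot: `systemctl --failed --no-legend | tee /failed-services` is what decides the image's pass/fail verdict, but with only `-e` and no `pipefail` a failing `systemctl` leaves an empty file and the final `[[ ! -s /failed-services ]]` then reports success; add `set -o pipefail` on its own line after the shebang (or test `${PIPESTATUS[0]}`) so a broken systemctl counts as a failure rather than a clean run. Carrying `-eux` in the shebang also means the options are lost if the script is ever run as `bash mkosi-check-and-shutdown.sh`; `set -eux` as the first statement is the robust form. The two `cmp` calls only confirm that Secure Boot is enabled and setup mode is off; the commented-out `/proc/cmdline` checks are the ones that would actually verify the unsigned `bad.addon.efi` was rejected, so until that TODO is resolved the addon fixture built in mkosi.build.chroot has no assertion behind it, which is worth stating in the comment.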
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000..dac79ba
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
new file mode 100644
index 0000000..26f882b
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
new file mode 100755
index 0000000..74b810c
--- /dev/null
+++ b/mkosi.images/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
new file mode 100755
index 0000000..0cb9b9c
--- /dev/null
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ]; then
+ exit 0
+fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+ # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
+ # let's use the new name if it exists.
+ if [ -d /usr/share/authselect/default/local ]; then
+ PROFILE=local
+ else
+ PROFILE=minimal
+ fi
+
+ authselect select "$PROFILE"
+
+ if authselect list-features "$PROFILE" | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+. /usr/lib/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+ alternatives --set python3 /usr/bin/python3.9
+fi
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000..4be0466
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000..343761d
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
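Review bot: The `IMAGE_ID` and `IMAGE_VERSION` values are spliced directly into the sed script, `-e "\$aIMAGE_ID=$IMAGE_ID"`, and land in os-release unquoted, so a value with a space yields a line the os-release format requires to be quoted, and a value containing a newline is parsed by sed as further editing commands; both come from the build configuration rather than untrusted input, but the append is safer as a plain write, e.g. `sed -i '/^IMAGE_ID=/d' /usr/lib/os-release` followed by `printf 'IMAGE_ID="%s"\n' "$IMAGE_ID" >>/usr/lib/os-release`, and the same applies to the IMAGE_VERSION block. In the sanitizer branch, `find / -name '*.service' ... -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/'` comments out MemoryDenyWriteExecute and every SystemCall* directive in every unit on the image; a comment such as `# Strips sandboxing from all units: sanitizer images must never be treated as hardened` would make that consequence visible to the next reader, and limiting the search to `/usr/lib/systemd/system` and `/etc/systemd/system` avoids walking /proc and /sys if they are mounted in the chroot. `LD_PRELOAD=$(ldd ... | grep libasan.so | awk '{print $3}')` produces an empty value with no error when no libasan is linked (the pipeline's status is awk's), so the drop-in would quietly set `LD_PRELOAD=`; a `[ -n "$LD_PRELOAD" ]` guard before writing 10-asan.conf would catch that early.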
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.repart/11-usr-verity.conf new file mode 100644 index 0000000..b4d45dd --- /dev/null +++ b/mkosi.images/system/mkosi.repart/11-usr-verity.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=usr-verity +Verity=hash +VerityMatchKey=usr +Minimize=yes diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf new file mode 100644 index 0000000..1841d0a --- /dev/null +++ b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=usr-verity-sig +Verity=signature +VerityMatchKey=usr |