Diffstat (limited to '')
-rwxr-xr-xmkosi.images/base/mkosi.build.chroot224
-rw-r--r--mkosi.images/base/mkosi.conf34
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-arch.conf32
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf75
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf69
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-fedora.conf9
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-opensuse.conf90
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-ubuntu.conf12
-rw-r--r--mkosi.images/exitrd/mkosi.conf22
-rw-r--r--mkosi.images/exitrd/mkosi.conf.d/10-arch.conf29
-rw-r--r--mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf9
-rw-r--r--mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf (renamed from mkosi.images/base/mkosi.conf.d/10-debian.conf)8
-rw-r--r--mkosi.images/exitrd/mkosi.conf.d/10-opensuse.conf (renamed from mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf)7
-rwxr-xr-xmkosi.images/exitrd/mkosi.extra/shutdown12
-rw-r--r--mkosi.images/initrd/mkosi.conf30
-rw-r--r--mkosi.images/initrd/mkosi.conf.d/10-centos.conf12
-rw-r--r--mkosi.images/initrd/mkosi.conf.d/10-default.conf12
-rw-r--r--mkosi.images/minimal-0/mkosi.conf25
-rw-r--r--mkosi.images/minimal-0/mkosi.extra/opt/some_file (renamed from test/testsuite-07.units/issue2467.socket)2
-rw-r--r--mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service5
-rwxr-xr-xmkosi.images/minimal-0/mkosi.postinst11
-rw-r--r--mkosi.images/minimal-1/mkosi.conf25
-rw-r--r--mkosi.images/minimal-1/mkosi.extra/opt/some_file1
-rw-r--r--mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service5
-rwxr-xr-xmkosi.images/minimal-1/mkosi.postinst11
-rw-r--r--mkosi.images/minimal-base/mkosi.conf24
-rw-r--r--mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf31
-rw-r--r--mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf12
-rw-r--r--mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf12
-rw-r--r--mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf11
l---------mkosi.images/minimal-base/mkosi.extra/etc/os-release1
-rw-r--r--mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf3
-rwxr-xr-xmkosi.images/minimal-base/mkosi.postinst11
-rw-r--r--mkosi.images/system/coredump-journal-storage.conf4
-rw-r--r--mkosi.images/system/initrd/mkosi.conf7
-rw-r--r--mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf15
-rw-r--r--mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service20
-rw-r--r--mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service11
-rw-r--r--mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service9
-rw-r--r--mkosi.images/system/leak-sanitizer-suppressions1
-rwxr-xr-xmkosi.images/system/mkosi.clean5
-rw-r--r--mkosi.images/system/mkosi.conf48
-rw-r--r--mkosi.images/system/mkosi.conf.d/05-initrd.conf12
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch.conf27
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot93
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf71
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf7
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare29
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf32
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot116
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf75
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf17
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf20
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare65
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf11
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf29
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot142
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf93
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf27
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf7
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst29
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare18
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf4
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf (renamed from mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf)2
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf (renamed from mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf)2
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf23
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse.conf23
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst (renamed from mkosi.images/initrd/mkosi.postinst)2
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot132
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf100
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf22
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare61
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf (renamed from mkosi.images/system/mkosi.conf.d/10-ubuntu.conf)6
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources6
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-images.conf22
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf15
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf (renamed from mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf)0
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf (renamed from mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf)2
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf (renamed from mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf)0
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize (renamed from mkosi.images/system/mkosi.finalize)4
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot12
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf9
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf (renamed from mkosi.images/system/mkosi.repart/10-usr.conf)0
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf (renamed from mkosi.images/system/mkosi.repart/11-usr-verity.conf)0
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf (renamed from mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf)0
-rw-r--r--mkosi.images/system/mkosi.extra/.autorelabel1
-rw-r--r--mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf3
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf8
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf5
-rwxr-xr-xmkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh19
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset (renamed from mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset)11
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset (renamed from mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset)0
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf7
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service15
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf4
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf (renamed from mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf)0
-rw-r--r--mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf13
-rw-r--r--mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb3
-rwxr-xr-xmkosi.images/system/mkosi.postinst.chroot211
-rw-r--r--mkosi.images/system/mkosi.repart/00-esp.conf4
-rw-r--r--mkosi.images/system/mkosi.repart/10-root.conf8
-rwxr-xr-xmkosi.images/system/mkosi.sanitizers.chroot127
-rwxr-xr-xmkosi.images/system/mkosi.sync36
106 files changed, 1970 insertions, 888 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
deleted file mode 100755
index 02dcbc7..0000000
--- a/mkosi.images/base/mkosi.build.chroot
+++ /dev/null
@@ -1,224 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Simply invoke "mkosi" in the project directory to build an OS image.
-
-# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
-# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
-# an extra tree in the initrd and system image builds.
-DESTDIR="$OUTPUTDIR/systemd"
-
-# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
-# as out-of-tree build dir. Otherwise, let's make up our own builddir.
-[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
-
-# Let's make sure we're using stuff from the build directory first if available there.
-PATH="$BUILDDIR:$PATH"
-export PATH
-
-# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
-# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
-# the ubuntu script with a symlink to the first bpftool program we can find.
-for bpftool in /usr/lib/linux-tools/*/bpftool; do
- [ -x "$bpftool" ] || continue
- ln -sf "$bpftool" "$BUILDDIR"/bpftool
- break
-done
-
-# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
-# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
-# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
-. /usr/lib/os-release
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- cat >"$BUILDDIR"/bpftool <<EOF
-#!/bin/sh
-if [ "\$1" = --version ]; then
- echo 5.6.0
-else
- exec /usr/sbin/bpftool \$@
-fi
-EOF
- chmod +x "$BUILDDIR"/bpftool
-fi
-
-if [ ! -f "$BUILDDIR"/build.ninja ]; then
- sysvinit_path=$(realpath /etc/init.d)
-
- if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- UKIFY="disabled"
- else
- UKIFY="enabled"
- fi
-
- # On Debian 'loadkeys us' fails
- if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
- DEFAULT_KEYMAP=""
- else
- DEFAULT_KEYMAP="us"
- fi
-
- CONFIGURE_OPTS=(
- -D sysvinit-path="$sysvinit_path"
- -D man=disabled
- -D translations=false
- -D version-tag="${VERSION_TAG}"
- -D mode=developer
- -D b_sanitize="${SANITIZERS:-none}"
- -D install-tests=true
- -D tests=unsafe
- -D slow-tests="${SLOW_TESTS:-false}"
- -D create-log-dirs=false
- -D pamconfdir=no
- -D utmp=true
- -D hibernate=true
- -D ldconfig=true
- -D resolve=true
- -D efi=true
- -D tpm=true
- -D environment-d=true
- -D binfmt=true
- -D repart=enabled
- -D sysupdate=enabled
- -D coredump=true
- -D pstore=true
- -D oomd=true
- -D logind=true
- -D hostnamed=true
- -D localed=true
- -D machined=true
- -D portabled=true
- -D sysext=true
- -D userdb=true
- -D homed=enabled
- -D networkd=true
- -D timedated=true
- -D timesyncd=true
- -D remote=enabled
- -D nss-myhostname=true
- -D nss-mymachines=enabled
- -D nss-resolve=enabled
- -D nss-systemd=true
- -D firstboot=true
- -D randomseed=true
- -D backlight=true
- -D vconsole=true
- -D quotacheck=true
- -D sysusers=true
- -D tmpfiles=true
- -D importd=enabled
- -D hwdb=true
- -D rfkill=true
- -D xdg-autostart=true
- -D translations=true
- -D polkit=enabled
- -D acl=enabled
- -D audit=enabled
- -D blkid=enabled
- -D fdisk=enabled
- -D kmod=enabled
- -D pam=enabled
- -D pwquality=enabled
- -D microhttpd=enabled
- -D libcryptsetup=enabled
- -D libcurl=enabled
- -D idn=true
- -D libidn2=enabled
- -D qrencode=enabled
- -D gcrypt=enabled
- -D gnutls=enabled
- -D openssl=enabled
- -D cryptolib=openssl
- -D p11kit=enabled
- -D libfido2=enabled
- -D tpm2=enabled
- -D elfutils=enabled
- -D zstd=enabled
- -D xkbcommon=enabled
- -D pcre2=enabled
- -D glib=enabled
- -D dbus=enabled
- -D bootloader=enabled
- -D kernel-install=true
- -D analyze=true
- -D bpf-framework=enabled
- -D ukify="$UKIFY"
- -D seccomp=enabled
- -D selinux=auto
- -D apparmor=auto
- -D smack=true
- -D ima=true
- -D first-boot-full-preset=true
- -D initrd=true
- -D fexecve=true
- -D default-keymap="$DEFAULT_KEYMAP"
- )
-
- # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
- # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
- # installed in the wrong directory and not be found by cryptsetup. Assume native build.
- if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
- CONFIGURE_OPTS+=(
- -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
- -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
- )
- fi
-
- # Set various uids and gids for which Fedora has "soft static" allocations.
- # Without this, we would get warning about mismatched sysusers.d entries
- # between the files that we and Fedora's setup package install.
- if grep -q '^ID=fedora' /usr/lib/os-release; then
- CONFIGURE_OPTS+=(
- -Dadm-gid=4
- -Daudio-gid=63
- -Dcdrom-gid=11
- -Ddialout-gid=18
- -Ddisk-gid=6
- -Dinput-gid=104
- -Dkmem-gid=9
- -Dkvm-gid=36
- -Dlp-gid=7
- -Drender-gid=105
- -Dsgx-gid=106
- -Dtape-gid=33
- -Dtty-gid=5
- -Dusers-gid=100
- -Dutmp-gid=22
- -Dvideo-gid=39
- -Dwheel-gid=10
- -Dsystemd-journal-gid=190
- -Dsystemd-network-uid=192
- -Dsystemd-resolve-uid=193
- )
- fi
-
- ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
-fi
-
-( set -x; ninja -C "$BUILDDIR" "$@" )
-if [ "$WITH_TESTS" = 1 ]; then
- if [ -n "$SANITIZERS" ]; then
- export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
- export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
- TIMEOUT_MULTIPLIER=3
- else
- TIMEOUT_MULTIPLIER=1
- fi
-
- ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
-fi
-
-( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
- addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
- addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
- mkdir -p "${addons_dir}"
- ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
- ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
deleted file mode 100644
index 6c6d045..0000000
--- a/mkosi.images/base/mkosi.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Output]
-Format=directory
-
-[Content]
-Bootable=no
-CleanPackageMetadata=no
-
-Packages=
-Packages=
- kmod
- less
- util-linux
-
-BuildPackages=
- acl
- diffutils
- gawk
- binutils
- clang
- gettext
- git
- gperf
- grep
- lld
- llvm
- make
- meson
- pkgconf
- rsync
- sed
- tar
- zstd
diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf
deleted file mode 100644
index 7ab0c71..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-arch.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- cryptsetup
- dbus
- gnutls
- libbpf
- libfido2
- libmicrohttpd
- libnftnl
- libpwquality
- libseccomp
- libxkbcommon
- openssl
- qrencode
- tpm2-tss
-
-BuildPackages=
- bpf
- docbook-xsl
- glib2
- libxslt
- linux-api-headers
- python
- python-jinja
- python-lxml
- python-pefile
- python-pyelftools
diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
deleted file mode 100644
index 8ada9b0..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
+++ /dev/null
@@ -1,75 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- audit-libs
- cryptsetup-libs
- gnutls
- libasan
- libbpf
- libfido2
- libgcrypt
- libmicrohttpd
- libnftnl
- libubsan
- libxcrypt
- libxkbcommon
- openssl-libs
- qrencode-libs
- tpm2-tss
- util-linux
-
-BuildPackages=
- pkgconf
- bpftool
- docbook-xsl
- findutils
- libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
- libxslt
- pam-devel
- pkgconfig(audit)
- pkgconfig(blkid)
- pkgconfig(bzip2)
- pkgconfig(dbus-1)
- pkgconfig(fdisk)
- pkgconfig(glib-2.0)
- pkgconfig(gnutls)
- pkgconfig(libacl)
- pkgconfig(libbpf)
- pkgconfig(libcap)
- pkgconfig(libcryptsetup)
- pkgconfig(libcurl)
- pkgconfig(libdw)
- pkgconfig(libfido2)
- pkgconfig(libidn2)
- pkgconfig(libkmod)
- pkgconfig(libmicrohttpd)
- pkgconfig(libnftnl)
- pkgconfig(libpcre2-8)
- pkgconfig(libqrencode)
- pkgconfig(libseccomp)
- pkgconfig(libselinux)
- pkgconfig(libzstd)
- pkgconfig(mount)
- pkgconfig(numa)
- pkgconfig(openssl)
- pkgconfig(openssl)
- pkgconfig(p11-kit-1)
- pkgconfig(pwquality)
- pkgconfig(tss2-esys)
- pkgconfig(tss2-mu)
- pkgconfig(tss2-rc)
- pkgconfig(tss2-tcti-device)
- pkgconfig(valgrind)
- pkgconfig(xkbcommon)
- python3
- python3dist(jinja2)
- python3dist(lxml)
- python3dist(pefile)
- python3dist(pyelftools)
- python3dist(pytest)
- rpm
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
deleted file mode 100644
index c529e0b..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- dmsetup
- libapparmor1
- libfdisk1
- libfido2-1
- libglib2.0-0
- libgnutls30
- libidn2-0
- libmicrohttpd12
- libnftnl11
- libp11-kit0
- libpam0g
- libpwquality1
- libqrencode4
- libssl3
- libip4tc2
- libtss2-dev # Use the -dev package to avoid churn in updating version numbers
- tzdata
-
-BuildPackages=
- docbook-xsl
- dpkg-dev
- g++
- libacl1-dev
- libapparmor-dev
- libaudit-dev
- libblkid-dev
- libbpf-dev
- libbz2-dev
- libcap-dev
- libcryptsetup-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libdw-dev
- libfdisk-dev
- libfido2-dev
- libgcrypt20-dev
- libglib2.0-dev
- libgnutls28-dev
- libidn2-dev
- libiptc-dev
- libkmod-dev
- libmicrohttpd-dev
- libmount-dev
- libnftnl-dev
- libp11-kit-dev
- libpam0g-dev
- libpwquality-dev
- libqrencode-dev
- libseccomp-dev
- libsmartcols-dev
- libssl-dev
- libxen-dev
- libxkbcommon-dev
- libzstd-dev
- python3
- python3-jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- xsltproc
diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
deleted file mode 100644
index a8fbce4..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-fedora.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-BuildPackages=
- python3dist(pytest-flakes)
- pkgconfig(xencontrol)
diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
deleted file mode 100644
index 5aae0ed..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
+++ /dev/null
@@ -1,90 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
-# versions don't get installed instead.
-Packages=
- device-mapper
- distribution-release
- docbook-xsl-stylesheets
- gawk
- grep
- gzip
- libbpf1
- libcrypt1
- libcryptsetup12
- libdw1
- libelf1
- libfido2
- libgcrypt20
- libglib-2_0-0
- libkmod2
- libmount1
- libnftnl11
- libopenssl3
- libp11-kit0
- libqrencode4
- libseccomp2
- libtss2-esys0
- libtss2-mu0
- libtss2-rc0
- libtss2-tcti-device0
- libxkbcommon0
- libzstd1
- pam
- rsync
- sed
- shadow
- tpm2-0-tss
- xz
-
-BuildPackages=
- audit-devel
- bpftool
- dbus-1-devel
- fdupes
- gcc-c++
- glib2-devel
- glibc-locale
- intltool
- libacl-devel
- libapparmor-devel
- libblkid-devel
- libbpf-devel
- libcap-devel
- libcryptsetup-devel
- libcurl-devel
- libdw-devel
- libelf-devel
- libfdisk-devel
- libfido2-devel
- libgcrypt-devel
- libgnutls-devel
- libkmod-devel
- libmicrohttpd-devel
- libmount-devel
- libnftnl-devel
- libpwquality-devel
- libseccomp-devel
- libselinux-devel
- libxkbcommon-devel
- libxslt-tools
- libzstd-devel
- openssl-devel
- pam-devel
- pciutils-devel
- python3
- python3-Jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- python3-pytest-flakes
- qrencode-devel
- shadow
- timezone
- tpm2-0-tss-devel
- xen-devel
diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
deleted file mode 100644
index 717809f..0000000
--- a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Content]
-Packages=
- libbpf0
-
-BuildPackages=
- linux-tools-common
- linux-tools-generic
diff --git a/mkosi.images/exitrd/mkosi.conf b/mkosi.images/exitrd/mkosi.conf
new file mode 100644
index 0000000..2e867cb
--- /dev/null
+++ b/mkosi.images/exitrd/mkosi.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+ConfigureScripts=
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+@Locale=C.UTF-8
+WithDocs=no
+CleanPackageMetadata=yes
+MakeInitrd=yes
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+Packages=
+ bash
diff --git a/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf b/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..c8b1904
--- /dev/null
+++ b/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ systemd
+
+RemoveFiles=
+ # Arch Linux doesn't split their gcc-libs package so we manually remove
+ # unneeded stuff here to make sure it doesn't end up in the image.
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libgdruntime.so*
+
+ # Remove all files that are only required for development.
+ /usr/lib/*.a
+ /usr/include/*
+
+ /usr/share/i18n/*
+ /usr/share/hwdata/*
+ /usr/share/iana-etc/*
+ /usr/share/locale/*
+ /usr/share/terminfo/*
+ /usr/share/zoneinfo/*
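Review bot: The RemoveFiles= list under [Content] here is repeated verbatim, comments included, in mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf later in this diff, so the two copies will drift the next time a library or directory is added to one of them. If the mkosi version in use supports `Include=` in [Config], a single shared drop-in that both images include would keep the list in one place; if not, a marker such as `# Keep in sync with mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf` at the top of each list is the minimum so that a later edit to one copy prompts the other.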
diff --git a/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..8458dee
--- /dev/null
+++ b/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ systemd-standalone-shutdown
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf
index 020b02b..babde60 100644
--- a/mkosi.images/base/mkosi.conf.d/10-debian.conf
+++ b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf
@@ -1,11 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
-Distribution=debian
+Distribution=|debian
+Distribution=|ubuntu
[Content]
Packages=
- libbpf1
-
-BuildPackages=
- bpftool
+ systemd
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/exitrd/mkosi.conf.d/10-opensuse.conf
index 5cf2df3..3f6df21 100644
--- a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.images/exitrd/mkosi.conf.d/10-opensuse.conf
@@ -3,9 +3,6 @@
[Match]
Distribution=opensuse
-[Output]
-CompressOutput=zst
-
[Content]
-Packages=btrfs-progs
- tpm2.0-tools
+Packages=
+ systemd
diff --git a/mkosi.images/exitrd/mkosi.extra/shutdown b/mkosi.images/exitrd/mkosi.extra/shutdown
new file mode 100755
index 0000000..e4c6087
--- /dev/null
+++ b/mkosi.images/exitrd/mkosi.extra/shutdown
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+EXIT_CODE=()
+
+# Translate a successful exit code to 124 so that we can detect that the exitrd was actually used.
+if [[ "$*" == *"--exit-code=123"* ]]; then
+ EXIT_CODE+=("--exit-code=124")
+fi
+
+exec /usr/lib/systemd/systemd-shutdown "$@" "${EXIT_CODE[@]}"
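Review bot: The substring test `[[ "$*" == *"--exit-code=123"* ]]` matches any argument that merely contains that text, for example `--exit-code=1234` or a value embedded in an unrelated option, so the 124 translation can fire for arguments the comment does not intend; comparing each positional exactly is tighter: `for arg in "$@"; do [[ "$arg" == --exit-code=123 ]] && EXIT_CODE+=("--exit-code=124"); done`. The comment above the test says it translates "a successful exit code", but the code only rewrites 123, so `# Translate exit code 123 to 124 so that the test can detect that the exitrd was actually used.` describes the behaviour more precisely. Note also that under `set -u`, bash releases before 4.4 treat the expansion of the empty EXIT_CODE array on the exec line as an unbound variable, so the no-match path relies on a sufficiently new bash; presumably true on the distributions this image targets, but worth a one-line comment next to `EXIT_CODE=()`.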
diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf
deleted file mode 100644
index 8e38dc1..0000000
--- a/mkosi.images/initrd/mkosi.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Config]
-Dependencies=base
-
-[Output]
-Format=cpio
-
-[Content]
-BaseTrees=../../mkosi.output/base
-ExtraTrees=../../mkosi.output/base-systemd
-MakeInitrd=yes
-Bootable=no
-BuildPackages=
-
-Packages=
-Packages=
- gzip
- systemd
- udev
-
-# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
-# doesn't end up in the initrd.
-RemoveFiles=
- /usr/lib/libgfortran.so*
- /usr/lib/libgo.so*
- /usr/lib/libgomp.so*
- /usr/lib/libgphobos.so*
- /usr/lib/libobjc.so*
- /usr/lib/libstdc++.so*
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
deleted file mode 100644
index 3f92e52..0000000
--- a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=centos
-
-[Output]
-# TODO: Switch to zstd once we stop building CentOS Stream 8.
-CompressOutput=xz
-
-[Content]
-Packages=xfsprogs
- tpm2-tools
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf
deleted file mode 100644
index 9224b92..0000000
--- a/mkosi.images/initrd/mkosi.conf.d/10-default.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=!centos
-Distribution=!opensuse
-
-[Output]
-CompressOutput=zst
-
-[Content]
-Packages=btrfs-progs
- tpm2-tools
diff --git a/mkosi.images/minimal-0/mkosi.conf b/mkosi.images/minimal-0/mkosi.conf
new file mode 100644
index 0000000..a929fb6
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.conf
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+ConfigureScripts=
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
diff --git a/test/testsuite-07.units/issue2467.socket b/mkosi.images/minimal-0/mkosi.extra/opt/some_file
index af1317b..bd4fba4 100644
--- a/test/testsuite-07.units/issue2467.socket
+++ b/mkosi.images/minimal-0/mkosi.extra/opt/some_file
@@ -1,3 +1 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
-[Socket]
-ListenStream=/run/test.ctl
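Review bot: This hunk removes test/testsuite-07.units/issue2467.socket as a side effect of git's rename detection, because the new opt/some_file consists only of the SPDX line that the socket unit also began with. If anything in the testsuite-07 units still references issue2467.socket it will now be missing; presumably the test was moved or dropped elsewhere in this commit, which is outside this view, but it is worth confirming the removal is deliberate rather than an artifact of reusing a one-line file.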
diff --git a/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
new file mode 100644
index 0000000..0532112
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
diff --git a/mkosi.images/minimal-0/mkosi.postinst b/mkosi.images/minimal-0/mkosi.postinst
new file mode 100755
index 0000000..a66cf68
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=1
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"
diff --git a/mkosi.images/minimal-1/mkosi.conf b/mkosi.images/minimal-1/mkosi.conf
new file mode 100644
index 0000000..a929fb6
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.conf
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+ConfigureScripts=
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
diff --git a/mkosi.images/minimal-1/mkosi.extra/opt/some_file b/mkosi.images/minimal-1/mkosi.extra/opt/some_file
new file mode 100644
index 0000000..bd4fba4
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.extra/opt/some_file
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
diff --git a/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
new file mode 100644
index 0000000..0532112
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
diff --git a/mkosi.images/minimal-1/mkosi.postinst b/mkosi.images/minimal-1/mkosi.postinst
new file mode 100755
index 0000000..e2d08d0
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=2
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"
diff --git a/mkosi.images/minimal-base/mkosi.conf b/mkosi.images/minimal-base/mkosi.conf
new file mode 100644
index 0000000..7eb1473
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+ConfigureScripts=
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+@Locale=C.UTF-8
+WithDocs=no
+CleanPackageMetadata=yes
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+Packages=
+ bash
+ coreutils
+ grep
+ util-linux
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..9b03397
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ inetutils
+ iproute
+ openbsd-netcat
+
+RemoveFiles=
+ # Arch Linux doesn't split their gcc-libs package so we manually remove
+ # unneeded stuff here to make sure it doesn't end up in the image.
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libgdruntime.so*
+
+ # Remove all files that are only required for development.
+ /usr/lib/*.a
+ /usr/include/*
+
+ /usr/share/i18n/*
+ /usr/share/hwdata/*
+ /usr/share/iana-etc/*
+ /usr/share/locale/*
+ /usr/share/terminfo/*
+ /usr/share/zoneinfo/*
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..3a3e528
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ hostname
+ iproute
+ iproute-tc
+ netcat
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf
new file mode 100644
index 0000000..a715ec1
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ hostname
+ iproute2
+ mount
+ netcat-openbsd
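Review bot: The file name `10-debian-ubuntu-opensuse.conf` does not match its `[Match]` block, which selects only `debian` and `ubuntu`, while openSUSE gets its own `10-opensuse.conf` drop-in in the same directory in this commit. Renaming it to `10-debian-ubuntu.conf` would keep `mkosi.images/minimal-base/mkosi.conf.d/` consistent with the per-distribution naming used under `mkosi.images/base/mkosi.conf.d/`. If the suffix is intentional, a one-line comment saying so would spare the next reader from wondering whether a `Distribution=|opensuse` line was dropped by mistake.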
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..2e370ec
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ hostname
+ iproute2
+ netcat-openbsd
+ patterns-base-minimal_base
diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/os-release b/mkosi.images/minimal-base/mkosi.extra/etc/os-release
new file mode 120000
index 0000000..c4c75b4
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.extra/etc/os-release
@@ -0,0 +1 @@
+../usr/lib/os-release \ No newline at end of file
diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf
new file mode 100644
index 0000000..d2c5ef4
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# This is a stub resolv.conf intended as a mountpoint for the host's resolv.conf
diff --git a/mkosi.images/minimal-base/mkosi.postinst b/mkosi.images/minimal-base/mkosi.postinst
new file mode 100755
index 0000000..c76fb0a
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# We don't use mkosi.extra because /usr/sbin could be a symlink and cp doesn't handle that properly until
+# coreutils 9.5 or newer.
+cat >"$BUILDROOT/sbin/init" <<EOF
+#!/bin/bash
+echo "Hello from dummy init, beautiful day, innit?"
+ip link
+EOF
+chmod +x "$BUILDROOT/sbin/init"
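Review bot: The script writes `"$BUILDROOT/sbin/init"` under `set -e` alone, so an unset or empty `BUILDROOT` silently turns the target into `/sbin/init` of whatever root the postinst runs in, instead of failing. Using `set -eu`, or asserting the variable up front with `: "${BUILDROOT:?BUILDROOT must be set}"`, makes the script refuse to run rather than write outside the image. The sibling `mkosi.clean` added in this commit already uses `set -o nounset`, so this would also make the two scripts consistent.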
diff --git a/mkosi.images/system/coredump-journal-storage.conf b/mkosi.images/system/coredump-journal-storage.conf
new file mode 100644
index 0000000..cde9785
--- /dev/null
+++ b/mkosi.images/system/coredump-journal-storage.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Coredump]
+Storage=journal
diff --git a/mkosi.images/system/initrd/mkosi.conf b/mkosi.images/system/initrd/mkosi.conf
new file mode 100644
index 0000000..ed9bfdc
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Content]
+PostInstallationScripts=../mkosi.sanitizers.chroot
+ExtraTrees=
+ ../leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
+ ../coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf
new file mode 100644
index 0000000..b252491
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=var
+# This label is the partition's label. The filesystem inside may have its own label.
+Label=varcrypt
+# This UUID is the decrypted partition UUID, there are also filesystem and luks UUIDs.
+# The original test finds the partition by this UUID, but it doesn't appear
+# since the luks UUID, which is derived by hash of this UUID, is different
+# and the luks UUID is needed before the decrypted partition UUID.
+# The resulting luks UUID is 0d318174-56b0-4d6e-a324-ac1e7e7d235d.
+UUID=deadbeef-dead-dead-beef-000000000000
+Format=ext4
+Encrypt=key-file
+SizeMinBytes=1G
diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service
new file mode 100644
index 0000000..54a9b8a
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=Add encrypted var partition to root disk
+Documentation=man:systemd-repart.service(8)
+
+ConditionVirtualization=!container
+
+DefaultDependencies=no
+Wants=modprobe@loop.service modprobe@dm_mod.service
+After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount
+Before=initrd-root-fs.target
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-repart --definitions /usr/lib/encrypted-var.repart.d --key-file %d/keyfile --dry-run=no /sysroot
+ImportCredential=keyfile
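Review bot: The unit only orders itself `After=sysroot.mount` but does not require it, so with `DefaultDependencies=no` the `systemd-repart ... /sysroot` invocation can presumably still run when `/sysroot` is not a mounted root disk (for example if `sysroot.mount` failed or is absent), and repart would then look at whatever backs the initrd's `/sysroot` directory. Adding `Requires=sysroot.mount` (or `RequiresMountsFor=/sysroot`) next to the existing `After=` line ties the partition-adding step to the real root block device. A one-line comment that the `keyfile` credential pulled in by `ImportCredential=` is the LUKS key for the new `var` partition would also help, since this unit is the only place the key's origin is visible.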
diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service
new file mode 100644
index 0000000..845ac57
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=Create a mount in /run that should survive the transition from initrd
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=mkdir /run/initrd-mount-source /run/initrd-mount-target
+ExecStart=mount -v --bind /run/initrd-mount-source /run/initrd-mount-target
+ExecStart=cp -v /etc/initrd-release /run/initrd-mount-target/hello-world
diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service
new file mode 100644
index 0000000..2c709bc
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=populate initrd credential dir for TEST-54-CREDS
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=sh -c "mkdir -m 0755 -p /run/credentials && mkdir -m 0700 /run/credentials/@initrd && umask 0077 && echo guatemala > /run/credentials/@initrd/myinitrdcred"
diff --git a/mkosi.images/system/leak-sanitizer-suppressions b/mkosi.images/system/leak-sanitizer-suppressions
new file mode 100644
index 0000000..639abb8
--- /dev/null
+++ b/mkosi.images/system/leak-sanitizer-suppressions
@@ -0,0 +1 @@
+leak:libselinux
diff --git a/mkosi.images/system/mkosi.clean b/mkosi.images/system/mkosi.clean
new file mode 100755
index 0000000..64810b7
--- /dev/null
+++ b/mkosi.images/system/mkosi.clean
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+set -o nounset
+
+rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar}
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index 7612f22..562650a 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -1,48 +1,76 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Config]
-Dependencies=base
+InitrdInclude=initrd/
+
+[Output]
+@Format=directory
+RepartDirectories=mkosi.repart
[Content]
Autologin=yes
-BaseTrees=../../mkosi.output/base
-ExtraTrees=../../mkosi.output/base-systemd
+ExtraTrees=
+ %D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+ leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
+ coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
+
+PostInstallationScripts=mkosi.sanitizers.chroot
+
+InitrdPackages=
+ findutils
+ grep
+ sed
+
Packages=
acl
+ attr
bash-completion
+ bpftrace
+ clang
coreutils
+ curl
diffutils
dnsmasq
dosfstools
e2fsprogs
findutils
- gcc # Sanitizer libraries
gdb
grep
gzip
+ jq
kbd
kexec-tools
+ kmod
+ knot
less
+ lld
+ llvm
+ lvm2
+ man
+ mdadm
mtools
nano
nftables
+ nvme-cli
+ opensc
openssl
+ p11-kit
+ python3
qrencode
+ radvd
+ rsync
sed
socat
strace
systemd
+ tar
tmux
tree
udev
util-linux
valgrind
+ which
wireguard-tools
xfsprogs
zsh
-
-BuildPackages=
-
-[Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
+ zstd
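Review bot: The new side drops the `[Validation]` section with `@SecureBoot=yes` and `@SignExpectedPcr=yes` without a replacement visible in this hunk, so unless those defaults moved to a higher-level config in the same commit, system images built from this file no longer get a signed UKI or a signed expected-PCR policy, which changes what the boot and TPM-related tests can assert. If they did move, a short comment near `[Output]` such as `# SecureBoot/SignExpectedPcr defaults live in the top-level mkosi.conf` would make that traceable; if they did not, the removal deserves its own justification in the commit message. The `ExtraTrees=` entry for `%D/mkosi.crt` still installs the sysext verification key, which suggests signing is expected to happen somewhere.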
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
deleted file mode 100644
index 9f21754..0000000
--- a/mkosi.images/system/mkosi.conf.d/05-initrd.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Bootable=!no
-Format=|disk
-Format=|directory
-
-[Config]
-Dependencies=initrd
-
-[Content]
-Initrds=../../mkosi.output/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
deleted file mode 100644
index e1a511c..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- bpf
- btrfs-progs
- compsize
- dhcp
- f2fs-tools
- glib2
- iproute
- linux
- man-db
- openbsd-netcat
- openssh
- pacman
- polkit
- python-pefile
- python-psutil
- python-pytest
- python3
- quota-tools
- shadow
- vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
new file mode 100755
index 0000000..1f6e0c3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
@@ -0,0 +1,93 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -f "pkg/$ID/PKGBUILD" ]; then
+ echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
+ exit 1
+fi
+
+# We can't configure the source or build directory so we use symlinks instead to make sure they are in the
+# expected locations.
+ln --symbolic "$SRCDIR" "pkg/$ID/systemd-stable"
+ln --symbolic "$BUILDDIR" "pkg/$ID/build"
+# Because we run with --noextract we are responsible for making sure the source files appear in src/.
+ln --symbolic . "pkg/$ID/src"
+
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+# Override the default options. We specifically disable "strip", "zipman" and "lto" as they slow down builds
+# significantly. OPTIONS= cannot be overridden on the makepkg command line so we append to /etc/makepkg.conf
+# instead. The rootfs is overlaid with a writable tmpfs during the build script so these changes don't end up
+# in the image itself.
+tee --append /etc/makepkg.conf >/dev/null <<EOF
+export CC="$( ((LLVM)) && echo clang || echo gcc)"
+export CXX="$( ((LLVM)) && echo clang++ || echo g++)"
+export CC_LD="$( ((LLVM)) && echo lld)"
+export CXX_LD="$( ((LLVM)) && echo lld)"
+export CFLAGS="\$CFLAGS $MKOSI_CFLAGS $CFLAGS"
+export CXXFLAGS="\$CXXFLAGS $MKOSI_CFLAGS $CFLAGS"
+export LDFLAGS="\$LDFLAGS $MKOSI_LDFLAGS $LDFLAGS"
+OPTIONS=(
+ docs
+ !libtool
+ !staticlibs
+ emptydirs
+ !zipman
+ purge
+ $( ((WITH_DEBUG)) && echo strip || echo !strip)
+ $( ((WITH_DEBUG)) && echo debug || echo !debug)
+ !lto
+)
+EOF
+
+# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
+rm /usr/share/makepkg/lint_pkgbuild/*
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+sed --in-place "pkg/$ID/PKGBUILD" \
+ --expression "s/^_tag=.*/_tag=$(cat meson.version)/" \
+ --expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/"
+
+# We get around makepkg's root check by setting EUID to something else.
+# shellcheck disable=SC2046
+env --chdir="pkg/$ID" \
+ EUID=123 \
+ makepkg \
+ --noextract \
+ $( ((WITH_TESTS)) || echo --nocheck) \
+ --force \
+ _systemd_UPSTREAM=1 \
+ _systemd_QUIET=$( ((MESON_VERBOSE)); echo $? ) \
+ BUILDDIR="$PWD/pkg/$ID" \
+ PKGDEST="$OUTPUTDIR" \
+ PKGEXT=".pkg.tar" \
+ MESON_EXTRA_CONFIGURE_OPTIONS="$MKOSI_MESON_OPTIONS $MESON_OPTIONS"
+
+cp "$OUTPUTDIR"/*.pkg.tar "$PACKAGEDIR"
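Review bot: The three `ln --symbolic` calls creating `pkg/$ID/systemd-stable`, `pkg/$ID/build` and `pkg/$ID/src` are not idempotent: if `pkg/$ID` survives between builds (it lives under the source tree, not under the tmpfs overlay the makepkg.conf comment describes for the rootfs), the second run either fails under `set -e` or, because the existing link points at a directory, creates a nested link inside it. `ln --symbolic --force --no-dereference` (`ln -sfn`) makes the links replaceable. Note also that `set -e` without `-u` means an unset `SRCDIR` or `BUILDDIR` is quietly expanded to an empty string on those same lines.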
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
new file mode 100644
index 0000000..036b0a3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Environment=
+ GIT_URL=https://gitlab.archlinux.org/archlinux/packaging/packages/systemd.git
+ GIT_BRANCH=main
+ GIT_COMMIT=dc6c099e0785753c1c88b4adcbcbfc209a8d12e3
+
+VolatilePackages=
+ systemd
+ systemd-libs
+ systemd-resolvconf
+ systemd-sysvcompat
+ systemd-tests
+ systemd-ukify
+
+Packages=
+ bind
+ bpf
+ btrfs-progs
+ compiler-rt
+ compsize
+ cryptsetup
+ dbus-broker
+ dbus-broker-units
+ debugedit
+ dhcp
+ f2fs-tools
+ fakeroot
+ git
+ gnutls
+ gnutls
+ iproute
+ iputils
+ linux
+ man-db
+ multipath-tools
+ open-iscsi
+ openbsd-netcat
+ openssh
+ openssl
+ pacman
+ pkgconf
+ polkit
+ procps-ng
+ psmisc
+ python-pexpect
+ python-psutil
+ quota-tools
+ sbsigntools
+ shadow
+ softhsm
+ squashfs-tools
+ stress
+ tgt
+ tpm2-tools
+ tpm2-tss
+ vim
+
+InitrdPackages=
+ btrfs-progs
+ compiler-rt
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-libs
+ systemd-sysvcompat
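Review bot: `gnutls` is listed twice in `Packages=`, so one of the two entries should be dropped. Pinning `GIT_COMMIT=` for the packaging repository is the right call, since the PKGBUILD fetched from it is sourced as shell by the accompanying `mkosi.prepare`; that pin, rather than `GIT_BRANCH=main`, is what bounds the code that runs during prepare, and a one-line comment saying so would help whoever next bumps the hash.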
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..4a6d2e9
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=systemd-debug
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare
new file mode 100755
index 0000000..fd78e81
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare
@@ -0,0 +1,29 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -f "pkg/$ID/PKGBUILD" ]; then
+ echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
+ exit 1
+fi
+
+# We get depends and optdepends from .SRCINFO as getting them from the PKGBUILD is rather complex.
+sed --expression 's/^[ \t]*//' "pkg/$ID/.SRCINFO" |
+ grep --regexp '^depends =' --regexp '^optdepends =' |
+ sed --expression 's/^depends = //' --expression 's/^optdepends = //' --expression 's/:.*//' --expression 's/=.*//' |
+ xargs --delimiter '\n' mkosi-install
+
+# We get makedepends from the PKGBUILD as .SRCINFO can't encode conditional dependencies depending on
+# whether some environment variable is set or not.
+# shellcheck source=/dev/null
+_systemd_UPSTREAM=1 . "pkg/$ID/PKGBUILD"
+
+# shellcheck disable=SC2154
+mkosi-install "${makedepends[@]}"
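Review bot: `xargs --delimiter '\n' mkosi-install` runs `mkosi-install` with no arguments when the `.SRCINFO` filter yields nothing, because GNU xargs invokes the command once even on empty input; `xargs --no-run-if-empty --delimiter '\n' mkosi-install` avoids that, and the same applies to the `xargs` calls in the centos-fedora `mkosi.prepare` added in this commit. The `_systemd_UPSTREAM=1 . "pkg/$ID/PKGBUILD"` line executes the packaging repository's top-level shell code inside the prepare environment, which is only bounded by the `GIT_COMMIT=` pin in the sibling `mkosi.conf`; a comment such as `# Sourcing the PKGBUILD runs its top-level code; the checkout is pinned by GIT_COMMIT in mkosi.conf` would record that assumption next to the line that depends on it.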
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
deleted file mode 100644
index 67d4643..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- bpftool
- cryptsetup
- dhcp-server
- dnf
- glib2
- integritysetup
- iproute
- iproute-tc
- kernel-core
- libcap-ng-utils
- netcat
- openssh-server
- p11-kit
- pam
- passwd
- polkit
- procps-ng
- python3
- python3dist(pefile)
- python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
- python3dist(psutil)
- python3dist(pytest)
- quota
- vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
new file mode 100755
index 0000000..2c05787
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
@@ -0,0 +1,116 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.19.91"; then
+ # Fix the %install override so debuginfo packages are generated even when --build-in-place is used.
+ # See https://github.com/rpm-software-management/rpm/issues/3042.
+ tee --append /usr/lib/rpm/redhat/macros <<'EOF'
+%install %{?_enable_debug_packages:%{debug_package}}\
+%%install\
+%{nil}
+EOF
+fi
+
+VERSION="$(cat meson.version)"
+RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")"
+
+DIST="$(rpm --eval %dist)"
+ARCH="$(rpm --eval %_arch)"
+SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"
+
+COMMON_MACRO_OVERRIDES=(
+ --define "toolchain $( ((LLVM)) && echo clang || echo gcc)"
+ --define "_fortify_level 0"
+ --undefine _lto_cflags
+ # TODO: Remove once redhat-rpm-config 292 is available everywhere.
+ --define "_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg"
+ --define "_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg"
+)
+
+# TODO: Drop -U_FORTIFY_SOURCE when we switch to CentOS Stream 10.
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((WITH_DEBUG)); then
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
+fi
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(dirname "$(clang --print-file-name=libclang_rt.asan.so)")"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+IFS=
+# TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once
+# https://github.com/mesonbuild/meson/pull/12835 is available.
+# shellcheck disable=SC2046
+env \
+--unset=CFLAGS \
+--unset=CXXFLAGS \
+--unset=LDFLAGS \
+ANNOBIN="no-active-checks" \
+CC_LD="$( ((LLVM)) && echo lld)" \
+CXX_LD="$( ((LLVM)) && echo lld)" \
+ rpmbuild \
+ -bb \
+ --build-in-place \
+ --with upstream \
+ $( ((WITH_TESTS)) || echo "--nocheck") \
+ $( ((WITH_DOCS)) || echo "--without=docs") \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_rpmdir $OUTPUTDIR" \
+ ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ --define "_binary_payload w.ufdio" \
+ $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \
+ --define "version_override $VERSION" \
+ --define "release_override $RELEASE" \
+ "${COMMON_MACRO_OVERRIDES[@]}" \
+ --define "build_cflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_cxxflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_ldflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_ldflags}") $MKOSI_LDFLAGS $LDFLAGS" \
+ --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} $( ((MESON_VERBOSE)) && echo --verbose) %{nil}}" \
+ --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \
+ --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ $( ((WITH_DEBUG)) || echo "--define=__brp_strip %{nil}") \
+ --define "__brp_compress %{nil}" \
+ --define "__brp_mangle_shebangs %{nil}" \
+ --define "__brp_strip_comment_note %{nil}" \
+ --define "__brp_strip_static_archive %{nil}" \
+ --define "__brp_check_rpaths %{nil}" \
+ --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
+ --define "__script_requires %{nil}" \
+ --define "_find_debuginfo_dwz_opts %{nil}" \
+ --define "_fixperms true" \
+ --undefine _package_note_flags \
+ --noclean \
+ "pkg/$ID/systemd.spec"
+
+cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
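Review bot: `IFS=` is set unconditionally before the `env ... rpmbuild` invocation, never restored, and not explained; its apparent purpose is to keep unquoted substitutions such as `$( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}")` from being split at the space into two arguments, which the `shellcheck disable=SC2046` line hints at but does not state. A comment like `# Disable word splitting so the unquoted $( ... ) option substitutions below stay single arguments despite containing spaces.` would make that dependency explicit. Collecting the optional flags into an array and passing `"${opts[@]}"` would remove the need for the global `IFS` change altogether.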
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
new file mode 100644
index 0000000..6fbd507
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+VolatilePackages=
+ systemd
+ systemd-boot
+ systemd-container
+ systemd-devel
+ systemd-journal-remote
+ systemd-networkd
+ systemd-networkd-defaults
+ systemd-oomd-defaults
+ systemd-pam
+ systemd-resolved
+ systemd-tests
+ systemd-udev
+ systemd-ukify
+
+Packages=
+ bind-utils
+ bpftool
+ compiler-rt
+ cryptsetup
+ device-mapper-event
+ device-mapper-multipath
+ dfuzzer
+ dhcp-server
+ dnf
+ git-core
+ glibc-langpack-de
+ glibc-langpack-en
+ gnutls
+ gnutls-utils
+ integritysetup
+ iproute
+ iproute-tc
+ iputils
+ iscsi-initiator-utils
+ kernel-core
+ libasan
+ libcap-ng-utils
+ libubsan
+ man-db
+ netcat
+ openssh-clients
+ openssh-server
+ pam
+ passwd
+ policycoreutils
+ polkit
+ procps-ng
+ python3-pexpect
+ quota
+ rpm
+ rpm-build
+ rpmautospec
+ sbsigntools
+ softhsm
+ squashfs-tools
+ stress
+ tpm2-tools
+ util-linux
+ veritysetup
+ vim-common
+
+InitrdPackages=
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-udev
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..0c3707b
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ systemd-container-debuginfo
+ systemd-debuginfo
+ systemd-debugsource
+ systemd-journal-remote-debuginfo
+ systemd-libs-debuginfo
+ systemd-networkd-debuginfo
+ systemd-pam-debuginfo
+ systemd-resolved-debuginfo
+ systemd-tests-debuginfo
+ systemd-udev-debuginfo
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 0000000..9fe5509
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+ selinux-policy
+ selinux-policy-targeted
+ setools-console
+
+# We relabel on first boot instead of at build time because it is only possible to label without root
+# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
+SELinuxRelabel=no
+
+InitrdPackages=
+ selinux-policy
+ selinux-policy-targeted
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare
new file mode 100755
index 0000000..1b86073
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+for DEPS in --requires --buildrequires; do
+ mkosi-chroot \
+ rpmspec \
+ --with upstream \
+ --query \
+ "$DEPS" \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ "pkg/$ID/systemd.spec" |
+ grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev --regexp grubby --regexp sdubby |
+ sort --unique |
+ tee /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
+
+# rpmbuild -br tries to build a source package which means all source files have to exist which isn't the
+# case when using --build-in-place so we get rid of the source file that doesn't exist to make it happy.
+# TODO: Use -bd instead of -br and get rid of this once we don't need to build on CentOS Stream 9 anymore.
+sed '/Source0/d' --in-place "pkg/$ID/systemd.spec"
+
+until mkosi-chroot \
+ rpmbuild \
+ -br \
+ --build-in-place \
+ --with upstream \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ "pkg/$ID/systemd.spec"
+do
+ EXIT_STATUS=$?
+ if [ $EXIT_STATUS -ne 11 ]; then
+ exit $EXIT_STATUS
+ fi
+
+ mkosi-chroot \
+ rpm \
+ --query \
+ --package \
+ --requires \
+ /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm |
+ grep --invert-match '^rpmlib(' |
+ sort --unique >/tmp/dynamic-buildrequires
+
+ sort /tmp/buildrequires /tmp/dynamic-buildrequires |
+ uniq --unique |
+ tee --append /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
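Review bot: The `until` loop has no termination guard: if `rpmbuild -br` keeps exiting with status 11 while the `sort | uniq --unique` step finds nothing new, the body installs nothing and the loop repeats forever. `uniq --unique` on the concatenation also emits entries present only in `/tmp/buildrequires`, which are then re-appended and reinstalled on every pass; `comm -13` against the sorted known list expresses the intended "only the new ones" directly, and checking that result is non-empty before retrying bounds the loop. The `xargs --delimiter '\n' mkosi-install` calls additionally run `mkosi-install` with no arguments on empty input, which `--no-run-if-empty` avoids.
```bash
    # … unchanged: rpm --query into /tmp/dynamic-buildrequires …
    sort --unique /tmp/buildrequires |
        comm -13 - /tmp/dynamic-buildrequires >/tmp/new-buildrequires
    # Stop rather than loop forever if rpmbuild keeps failing without reporting anything new.
    [ -s /tmp/new-buildrequires ] || exit "$EXIT_STATUS"
    tee --append /tmp/buildrequires </tmp/new-buildrequires |
        xargs --no-run-if-empty --delimiter '\n' mkosi-install
done
```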
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 146e03a..25059c2 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -4,5 +4,14 @@
Distribution=centos
[Content]
+Environment=
+ # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
+ # mkfs.ext4 enabled it by default, so we disable it explicitly.
+ Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+ GIT_URL=https://git.centos.org/rpms/systemd.git
+ GIT_BRANCH=c9s-sig-hyperscale
+ GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7
+
Packages=
- kernel-modules # For squashfs support
+ kernel-modules # For squashfs
+ rpmautospec-rpm-macros
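Review bot: Inside the multi-line `Environment=` value, the line `Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"` repeats the `Environment=` key, so the variable that presumably ends up defined is named `Environment` rather than `SYSTEMD_REPART_MKFS_OPTIONS_EXT4`, and the orphan_file workaround the comment describes would not take effect. The line should read `SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"` like the `GIT_*` entries below it; whether the surrounding double quotes are meant to be part of the value is worth confirming against how mkosi passes `Environment=` entries through. The comment's `versions ... doesn't` should also be `versions ... don't`.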
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
deleted file mode 100644
index 393d5f0..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support erofs so we use squashfs instead.
-[Partition]
-Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
deleted file mode 100644
index 588f833..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- apt
- btrfs-progs
- cryptsetup-bin
- dbus-broker
- default-dbus-session-bus
- f2fs-tools
- fdisk
- iproute2
- isc-dhcp-server
- libcap-ng-utils
- netcat-openbsd
- openssh-server
- passwd
- policykit-1
- procps
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
new file mode 100755
index 0000000..7e4eab9
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -d "pkg/$ID/debian" ]; then
+ echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2
+ exit 1
+fi
+
+# We transplant the debian/ folder from the deb package sources into the upstream sources.
+mount --mkdir --bind "$SRCDIR/pkg/$ID/debian" "$SRCDIR"/debian
+
+# We remove the patches so they don't get applied.
+rm -rf "$SRCDIR"/debian/patches/*
+
+# While the build directory can be specified through DH_OPTIONS, the default one is hardcoded everywhere so
+# we have to use that. Because it is architecture dependent, we query it using dpkg-architecture first.
+DEB_HOST_GNU_TYPE="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"
+mount --mkdir --bind "$BUILDDIR" "$SRCDIR/obj-$DEB_HOST_GNU_TYPE"
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+# Add a new changelog entry to update the version. We use a fixed date since a dynamic one causes a full
+# rebuild every time.
+cat >debian/changelog.new <<EOF
+systemd ($(cat meson.version)-$(date "+%Y%m%d%H%M%S" --date "@$TS")) UNRELEASED; urgency=low
+
+ * Automatic build from mkosi
+
+ -- systemd test <systemd-devel@lists.freedesktop.org> $(date --rfc-email --date "@$TS")
+
+EOF
+cat debian/changelog >>debian/changelog.new
+mv debian/changelog.new debian/changelog
+
+MKOSI_CFLAGS="-O0"
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+# TODO: Drop GENSYMBOLS_LEVEL once https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986746 is fixed.
+build() {
+ env \
+ CC="$( ((LLVM)) && echo clang || echo gcc)" \
+ CXX="$( ((LLVM)) && echo clang++ || echo g++)" \
+ CC_LD="$( ((LLVM)) && echo lld)" \
+ CXX_LD="$( ((LLVM)) && echo lld)" \
+ DEB_BUILD_OPTIONS="$(awk '$1=$1' <<<"\
+ $( ((WITH_TESTS)) || echo nocheck) \
+ $( ((WITH_DOCS)) || echo nodoc) \
+ $( ((WITH_DEBUG)) && echo debug || echo nostrip) \
+ $( ! ((MESON_VERBOSE)) && echo terse) \
+ optimize=-lto \
+ hardening=-fortify \
+ ")" \
+ DEB_BUILD_PROFILES="$(awk '$1=$1' <<<"\
+ $( ((WITH_TESTS)) || echo nocheck) \
+ $( ((WITH_DOCS)) || echo nodoc) \
+ pkg.systemd.upstream \
+ ")" \
+ DEB_CFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \
+ DEB_CXXFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \
+ DEB_LDFLAGS_APPEND="$MKOSI_LDFLAGS $LDFLAGS" \
+ DPKG_FORCE="unsafe-io" \
+ DPKG_DEB_COMPRESSOR_TYPE="none" \
+ DH_MISSING="--fail-missing" \
+ CONFFLAGS_UPSTREAM="$MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ GENSYMBOLS_LEVEL="$( ((LLVM)) && echo 0 || echo 1)" \
+ dpkg-buildpackage \
+ --no-pre-clean \
+ --unsigned-changes \
+ --build=binary
+
+ EXIT_STATUS=$?
+
+ # Make sure we don't reconfigure twice.
+ MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}"
+
+ return $EXIT_STATUS
+}
+
+if ! build; then
+ # debhelper installs files for each package to debian/<package> so we figure out which files were
+ # packaged by querying all the package names from debian/control and running find on each of the
+ # corresponding package directory in debian/.
+ grep "Package:" debian/control |
+ sed "s/Package: //" |
+ xargs -d '\n' -I {} sh -c "[ -d debian/{} ] && (cd debian/{} && find . ! -type d ! -path "*dh-exec*" -printf '%P\n')" |
+ # Remove compression suffix from compressed manpages as the manpages in debian/tmp will be uncompressed.
+ sed --regexp-extended 's/([0-9])\.gz$/\1/' |
+ sort --unique >/tmp/packaged-files
+
+ # We figure out the installed files by running find on debian/tmp/ which contains the files installed
+ # by meson install.
+ (cd debian/tmp/ && find . ! -type d ! -path "*dh-exec*" -printf '%P\n') >/tmp/installed-files
+
+ if [ -f debian/not-installed ]; then
+ grep --invert-match "^#" debian/not-installed >>/tmp/installed-files
+ fi
+
+ sort --unique --output /tmp/installed-files /tmp/installed-files
+
+ # We get all the installed files that were not packaged by finding entries in the installed file that are
+ # not in the packaged file.
+ comm -23 /tmp/installed-files /tmp/packaged-files > /tmp/unpackaged-files
+ # If there are no unpackaged files something else went wrong.
+ if [ ! -s /tmp/unpackaged-files ]; then
+ exit 1
+ fi
+
+ # Otherwise, we append the unpackaged files to the filelist for the systemd package and retry the build.
+ cat /tmp/unpackaged-files >>debian/systemd.install
+ build
+fi
+
+(
+ shopt -s nullglob
+ cp ../*.deb ../*.ddeb "$PACKAGEDIR"
+ cp ../*.deb ../*.ddeb "$OUTPUTDIR"
+)
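Review bot: The `xargs -d '\n' -I {} sh -c "..."` line in the `if ! build` branch builds a shell command by substituting package names from `debian/control` into a string, and its nested `"*dh-exec*"` is not actually quoted: the inner double quotes end the outer string, so `*dh-exec*` reaches `sh -c` unquoted and is glob-expanded by that shell if a matching name exists in the package directory, unlike the correctly quoted `find` on `debian/tmp/` a few lines later. A `while read -r` loop with the name in a quoted variable removes both the string-built command and the quoting mistake. The names come from the pinned Debian packaging checkout, so this is a correctness issue here rather than an untrusted-input one, but it is the same pattern that becomes command injection when the input is not pinned.
```bash
    grep "Package:" debian/control |
        sed "s/Package: //" |
        while IFS= read -r pkg; do
            [ -d "debian/$pkg" ] || continue
            (cd "debian/$pkg" && find . ! -type d ! -path '*dh-exec*' -printf '%P\n')
        done |
        # … unchanged: manpage suffix strip and sort into /tmp/packaged-files …
```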
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
new file mode 100644
index 0000000..ae014fa
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -0,0 +1,93 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Environment=
+ GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
+ GIT_SUBDIR=debian
+ GIT_BRANCH=debian/master
+ GIT_COMMIT=596a70511736d78c1d8a5a27dca3989806cfa733
+
+VolatilePackages=
+ libnss-myhostname
+ libnss-mymachines
+ libnss-resolve
+ libnss-systemd
+ libpam-systemd
+ libsystemd-dev
+ libudev-dev
+ systemd
+ systemd-boot
+ systemd-boot-efi
+ systemd-container
+ systemd-coredump
+ systemd-dev
+ systemd-homed
+ systemd-journal-remote
+ systemd-oomd
+ systemd-resolved
+ systemd-sysv
+ systemd-tests
+ systemd-timesyncd
+ systemd-ukify
+ systemd-userdbd
+ udev
+
+Packages=
+ ^libasan[0-9]+$
+ ^libtss2-esys-[0-9.]+-0$
+ ^libtss2-mu-[0-9.]+-0$
+ ^libubsan[0-9]+$
+ apt
+ bind9-dnsutils
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ dbus-user-session
+ dmsetup
+ dpkg-dev
+ f2fs-tools
+ fdisk
+ git-core
+ gnutls-bin
+ iproute2
+ iputils-ping
+ isc-dhcp-server
+ libcap-ng-utils
+ libclang-rt-dev
+ libtss2-rc0
+ libtss2-tcti-device0
+ locales
+ man-db
+ multipath-tools
+ netcat-openbsd
+ open-iscsi
+ openssh-client
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ psmisc
+ python3-pexpect
+ python3-psutil
+ quota
+ sbsigntool
+ softhsm2
+ squashfs-tools
+ stress
+ tgt
+ tpm2-tools
+ tzdata
+ xxd
+
+InitrdPackages=
+ btrfs-progs
+ libclang-rt-dev
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..b53b3dc
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ libnss-myhostname-dbgsym
+ libnss-mymachines-dbgsym
+ libnss-resolve-dbgsym
+ libnss-systemd-dbgsym
+ libpam-systemd-dbgsym
+ libsystemd-shared-dbgsym
+ libsystemd0-dbgsym
+ libudev1-dbgsym
+ systemd-boot-dbgsym
+ systemd-container-dbgsym
+ systemd-coredump-dbgsym
+ systemd-dbgsym
+ systemd-homed-dbgsym
+ systemd-journal-remote-dbgsym
+ systemd-oomd-dbgsym
+ systemd-resolved-dbgsym
+ systemd-tests-dbgsym
+ systemd-timesyncd-dbgsym
+ systemd-userdbd-dbgsym
+ udev-dbgsym
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf
new file mode 100644
index 0000000..4fb4f46
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=NO_BUILD=1
+
+[Content]
+WithNetwork=yes
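Review bot: Nothing in this file says why the image gains network access when NO_BUILD=1, and a setting that opens the build sandbox to the network deserves a stated reason. The sibling mkosi.postinst in the same directory runs `apt install` for the Recommends/Suggests of the prebuilt systemd packages, which presumably is the consumer. Suggest a comment above `[Match]`: `# When the packages are not built locally, mkosi.postinst installs the dlopen() Recommends/Suggests with apt, which needs network access.`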
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst
new file mode 100755
index 0000000..314f235
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst
@@ -0,0 +1,29 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# By default Suggests are not installed (and often Recommends are disabled too), which means we will miss
+# the dlopen optional dependencies, but the tests need them, so parse them from the package metadata and
+# install them. This is not an issue when building locally, as the build and runtime images are the same,
+# so they would get installed as build dependencies anyway.
+
+if [ "$1" = "build" ] || ! ((NO_BUILD)); then
+ exit 0
+fi
+
+# Query the Recommends and Suggests of all systemd packages, by matching on the version
+systemd_version="$(dpkg-query --showformat '${Version}' --show systemd)"
+mapfile -t systemd_packages < <( dpkg --list | grep '^ii' | grep "$systemd_version" | awk '{print $2}' | tr '\n' ' ' )
+extra_packages=()
+# shellcheck disable=SC2068
+for package in ${systemd_packages[@]}; do
+ # We are looking for dlopens, so filter for libraries
+ mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Suggests}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib")
+ mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Recommends}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib")
+done
+
+if [ "${#extra_packages[@]}" -eq 0 ]; then
+ exit 0
+fi
+
+apt install "${extra_packages[@]}"
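Review bot: The dependency strings fed to `apt install` keep any version constraint, because the sed at L2434/L2435 only splits on `, ` and strips alternatives, so a field like `libfoo1 (>= 1.2)` would reach apt verbatim and, as far as I can tell, be rejected. The package list at L2429 is also fragile: `grep "$systemd_version"` is an unanchored regex substring match over `dpkg --list` output (a `.` in the version matches anything, and the version column may be truncated depending on dpkg version), and the `tr '\n' ' '` plus unquoted `${systemd_packages[@]}` re-split is why SC2068 had to be silenced. Querying the dpkg database with an exact version comparison and stripping ` (...)` constraints removes both problems; whether `apt install` needs an explicit `--assume-yes` here depends on mkosi's apt configuration, which I cannot see.
```shell
systemd_version="$(dpkg-query --showformat '${Version}' --show systemd)"
# Exact version match against the dpkg database instead of a substring grep over `dpkg --list`.
mapfile -t systemd_packages < <(
    dpkg-query --show --showformat '${Package}\t${Version}\t${db:Status-Abbrev}\n' |
    awk -F '\t' -v v="$systemd_version" '$2 == v && $3 ~ /^ii/ { print $1 }'
)
extra_packages=()
for package in "${systemd_packages[@]}"; do
    for field in Suggests Recommends; do
        # One dependency per line; drop alternatives and version constraints, keep libraries (dlopen deps).
        mapfile -t -O "${#extra_packages[@]}" extra_packages < <(
            dpkg-query --showformat "\${$field}" --show "$package" |
            sed -e 's/, /\n/g' -e 's/|.*//' -e 's/ (.*//' -e 's/ *$//' |
            grep lib
        )
    done
done
# … unchanged: empty check and apt install …
```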
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare
new file mode 100755
index 0000000..645671a
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare
@@ -0,0 +1,18 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -d "pkg/$ID/debian" ]; then
+ echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2
+ exit 1
+fi
+
+cd "pkg/$ID"
+DEB_BUILD_PROFILES="pkg.systemd.upstream" apt-get build-dep .
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf
new file mode 100644
index 0000000..c6b6155
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf
index 76a6898..af923fa 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf
@@ -1,10 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
-Distribution=debian
Architecture=arm64
[Content]
Packages=
- bpftool
linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf
index d3c89f3..615de52 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf
@@ -1,10 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
-Distribution=debian
Architecture=x86-64
[Content]
Packages=
- bpftool
linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
deleted file mode 100644
index 42d0093..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-Packages=
- btrfs-progs
- compsize
- f2fs-tools
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf
new file mode 100644
index 0000000..689fe7d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Environment=
+ GIT_URL=https://src.fedoraproject.org/rpms/systemd.git
+ GIT_BRANCH=rawhide
+ GIT_COMMIT=1f94b56cee818068f57debfd78f035edd29f0e61
+
+Packages=
+ btrfs-progs
+ compsize
+ dnf5
+ f2fs-tools
+ scsi-target-utils
+ # Required for systemd-networkd-tests.py (netdevsim and sch_xxx modules)
+ kernel-modules-extra
+ kernel-modules-internal
+
+InitrdPackages=
+ btrfs-progs
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
deleted file mode 100644
index 60a2b6d..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-Packages=
- bpftool
- btrfs-progs
- cryptsetup
- dbus-broker
- f2fs-tools
- glibc-locale-base
- kernel-kvmsmall
- libcap-ng-utils
- openssh-server
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- shadow
- vim
diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst
index de610df..417132f 100755
--- a/mkosi.images/initrd/mkosi.postinst
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
new file mode 100755
index 0000000..3d6cc58
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+ID="${ID%-*}"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+# The openSUSE filelists hardcode the manpage compression extension. This causes rpmbuild errors since we
+# disable manpage compression as the files cannot be found. Fix the issue by removing the compression
+# extension.
+find "pkg/$ID" -name "files.*" -exec sed --in-place 's/\.gz$//' {} \;
+
+if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.20"; then
+ # Fix the %install override so debuginfo packages are generated.
+ tee --append /usr/lib/rpm/suse/macros <<'EOF'
+%install %{debug_package}\
+%%install\
+%{nil}
+EOF
+fi
+
+VERSION="$(cat meson.version)"
+RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")"
+
+DIST="$(rpm --eval %dist)"
+ARCH="$(rpm --eval %_arch)"
+SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"
+
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((WITH_DEBUG)); then
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
+fi
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS="$(rpm --eval "%{?build_ldflags}")"
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+# A macro can't have an empty body and currently opensuse does not specify any of its own linker flags so
+# set LDFLAGS to %{nil} if there are no linker flags.
+if [[ -z "${MKOSI_LDFLAGS// }" ]]; then
+ MKOSI_LDFLAGS="%{nil}"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+build() {
+ IFS=
+ # shellcheck disable=SC2046
+ env \
+ --unset CFLAGS \
+ --unset CXXFLAGS \
+ --unset LDFLAGS \
+ CC="$( ((LLVM)) && echo clang || echo gcc)" \
+ CXX="$( ((LLVM)) && echo clang++ || echo g++)" \
+ CC_LD="$( ((LLVM)) && echo lld)" \
+ CXX_LD="$( ((LLVM)) && echo lld)" \
+ rpmbuild \
+ -bb \
+ --build-in-place \
+ --with upstream \
+ $( ((WITH_TESTS)) || echo "--nocheck") \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_rpmdir $OUTPUTDIR" \
+ ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ --define "_binary_payload w.ufdio" \
+ $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \
+ --define "vendor openSUSE" \
+ --define "version_override $VERSION" \
+ --define "release_override $RELEASE" \
+ --define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'" \
+ --define "build_cflags $(rpm --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_cxxflags $(rpm --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_ldflags $MKOSI_LDFLAGS $LDFLAGS" \
+ $( ((MESON_VERBOSE)) || echo "--undefine=__meson_verbose") \
+ --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ --define "__os_install_post /usr/lib/rpm/brp-suse %{nil}" \
+ --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
+ --define "__script_requires %{nil}" \
+ --define "_find_debuginfo_dwz_opts %{nil}" \
+ --define "_fixperms true" \
+ --noclean \
+ "$@" \
+ "pkg/$ID/systemd.spec"
+
+ EXIT_STATUS=$?
+
+ # Make sure we don't reconfigure twice.
+ MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}"
+
+ return $EXIT_STATUS
+}
+
+if ! build; then
+ if [ ! -s /tmp/unpackaged-files ]; then
+ exit 1
+ fi
+
+ # rpm will append to any existing systemd.lang so delete it explicitly so we don't get duplicate file
+ # warnings.
+ rm systemd.lang
+
+ grep -v ".debug" /tmp/unpackaged-files >>"pkg/$ID/files.systemd"
+ build --noprep --nocheck
+fi
+
+cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
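Review bot: `/tmp/unpackaged-files` is only written when rpmbuild reaches `%__check_files` (L2687), so if the first `build` fails earlier (a compile or %prep error) and a file from a previous run is still present, the `-s` test at L2711 passes, its stale contents are appended to `files.systemd` and the retry masks the real failure; unless the build chroot's /tmp is guaranteed fresh per invocation, add `rm -f /tmp/unpackaged-files` before `if ! build; then`. In the same retry path, `rm systemd.lang` at L2717 runs under `set -e` and aborts the script if the file is absent, so `rm -f systemd.lang` is safer. The filter at L2719 uses an unescaped `.` and would also drop entries merely containing "debug" somewhere; `grep -v '\.debug'` (or `grep -vF .debug`) matches the intent.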
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
new file mode 100644
index 0000000..38ae052
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Config]
+InitrdInclude=initrd/
+
+[Content]
+Environment=
+ GIT_URL=https://src.opensuse.org/rpm/systemd
+ GIT_BRANCH=factory
+ GIT_COMMIT=973534fe1a0a5746ead5bbb6dff8b9ccb9e010982997ed56eba8e44a41c5895d
+
+VolatilePackages=
+ systemd
+ systemd-boot
+ systemd-container
+ systemd-devel
+ systemd-doc
+ systemd-experimental
+ systemd-homed
+ systemd-lang
+ systemd-network
+ systemd-portable
+ systemd-sysvcompat
+ systemd-testsuite
+ udev
+
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ bind-utils
+ bpftool
+ btrfs-progs
+ cryptsetup
+ device-mapper
+ dhcp-server
+ docbook-xsl-stylesheets
+ f2fs-tools
+ gawk
+ gcc-c++
+ git-core
+ glibc-locale-base
+ gnutls
+ grep
+ group(bin)
+ group(daemon)
+ group(games)
+ group(nobody)
+ group(root)
+ gzip
+ iputils
+ kernel-default
+ kmod
+ libasan8
+ libkmod2
+ libubsan1
+ multipath-tools
+ open-iscsi
+ openssh-clients
+ openssh-server
+ pam
+ patterns-base-minimal_base
+ procps4
+ psmisc
+ python3-pefile
+ python3-pexpect
+ python3-psutil
+ quota
+ rpm-build
+ rsync
+ sbsigntools
+ sed
+ shadow
+ softhsm
+ squashfs
+ tgt
+ timezone
+ tpm2.0-tools
+ user(bin)
+ user(daemon)
+ user(games)
+ user(nobody)
+ user(root)
+ veritysetup
+ vim
+ xz
+
+InitrdPackages=
+ btrfs-progs
+ clang
+ kmod
+ libkmod2
+ tpm2.0-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
+ systemd-experimental
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..2262eae
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ libsystemd0-debuginfo
+ libudev1-debuginfo
+ systemd-boot-debuginfo
+ systemd-container-debuginfo
+ systemd-coredump-debuginfo
+ systemd-debuginfo
+ systemd-debugsource
+ systemd-experimental-debuginfo
+ systemd-homed-debuginfo
+ systemd-journal-remote-debuginfo
+ systemd-network-debuginfo
+ systemd-portable-debuginfo
+ systemd-sysvcompat-debuginfo
+ systemd-testsuite-debuginfo
+ udev-debuginfo
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare
new file mode 100755
index 0000000..282a360
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare
@@ -0,0 +1,61 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+ID="${ID%-*}"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+for DEPS in --requires --buildrequires; do
+ mkosi-chroot \
+ rpmspec \
+ --with upstream \
+ --query \
+ "$DEPS" \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ "pkg/$ID/systemd.spec" |
+ grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev |
+ sort --unique |
+ tee /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
+
+until mkosi-chroot \
+ rpmbuild \
+ -bd \
+ --build-in-place \
+ --with upstream \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ "pkg/$ID/systemd.spec"
+do
+ EXIT_STATUS=$?
+ if [ $EXIT_STATUS -ne 11 ]; then
+ exit $EXIT_STATUS
+ fi
+
+ mkosi-chroot \
+ rpm \
+ --query \
+ --package \
+ --requires \
+ /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm |
+ grep --invert-match '^rpmlib(' |
+ sort --unique >/tmp/dynamic-buildrequires
+
+ sort /tmp/buildrequires /tmp/dynamic-buildrequires |
+ uniq --unique |
+ tee --append /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
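Review bot: None of the pipelines here are guarded by `set -o pipefail` or a status check, so if `rpmspec` (L2883) or `rpm --query` (L2912) fails, the pipeline yields an empty list, `xargs` still invokes `mkosi-install` with no arguments, and the script carries on as if the build dependencies were resolved. Adding `set -o pipefail` after `set -e` and `--no-run-if-empty` to both `xargs` calls makes those failures fatal; note that a `grep` with no surviving lines then also becomes fatal, which seems appropriate since an empty dependency list is unexpected. The `sort … | uniq --unique` at L2920 computes a symmetric difference, so anything already in /tmp/buildrequires that the nosrc rpm does not report is re-appended and reinstalled once before it converges; `sort /tmp/buildrequires | comm -13 - /tmp/dynamic-buildrequires` names the intended "new dynamic requires only" set directly.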
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
index f58ee7e..25957b1 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@@ -3,9 +3,11 @@
[Match]
Distribution=ubuntu
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
+
[Content]
Packages=
- # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
linux-image-generic
linux-tools-common
- linux-tools-generic
+ linux-tools-virtual
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources
new file mode 100644
index 0000000..d10c1e8
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
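Review bot: `URIs:` points at plain http. Integrity and authenticity are covered by the `Signed-By` keyring, but archive.ubuntu.com also serves https, which keeps the package selection out of view of the network path and, as far as I know Ubuntu's Release files carry no Valid-Until, removes the chance of being served an older but still validly signed index. Suggest `URIs: https://archive.ubuntu.com/ubuntu`, after confirming the image's apt has TLS support and ca-certificates available at package-manager-tree time.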
diff --git a/mkosi.images/system/mkosi.conf.d/20-images.conf b/mkosi.images/system/mkosi.conf.d/20-images.conf
new file mode 100644
index 0000000..8641984
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-images.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Format=!none
+
+[Config]
+Dependencies=
+ exitrd
+ minimal-base
+ minimal-0
+ minimal-1
+
+[Content]
+ExtraTrees=
+ %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+ %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+ %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+ %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+ %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+ %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
+ %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
+ %O/exitrd:/exitrd
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 0000000..8c1920b
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
index 3755278..3755278 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
index 71eb9e3..2f92af2 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -4,5 +4,3 @@
Type=root
Format=btrfs
SizeMinBytes=1G
-Subvolumes=/home /var
-MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
index dac79ba..dac79ba 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
index 74b810c..69f9554 100755
--- a/mkosi.images/system/mkosi.finalize
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -1,4 +1,6 @@
-#!/bin/sh
+#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
new file mode 100755
index 0000000..95e0552
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
@@ -0,0 +1,12 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000..391543d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
index 343761d..343761d 100644
--- a/mkosi.images/system/mkosi.repart/10-usr.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
index b4d45dd..b4d45dd 100644
--- a/mkosi.images/system/mkosi.repart/11-usr-verity.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
index 1841d0a..1841d0a 100644
--- a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
diff --git a/mkosi.images/system/mkosi.extra/.autorelabel b/mkosi.images/system/mkosi.extra/.autorelabel
new file mode 100644
index 0000000..bd4fba4
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/.autorelabel
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
diff --git a/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf b/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf
new file mode 100644
index 0000000..fcf4cd9
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+iscsid.startup = /usr/bin/systemctl start iscsid.socket
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
deleted file mode 100644
index 2f95329..0000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
-# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
-# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
-# Storage= to persistent to have systemd-journald create /var/log/journal itself.
-[Journal]
-Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf
new file mode 100644
index 0000000..3baede4
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Journal]
+RateLimitIntervalSec=0
+RateLimitBurst=0
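Review bot: A drop-in that disables journald rate limiting image-wide should say why, since the other journald/tmpfiles drop-ins in this tree carry a rationale and this one would be a bad default anywhere but a test image. Presumably the integration tests log more than the default burst allows and dropped messages would make test output incomplete. Suggest a comment above `[Journal]`: `# The integration tests log far more than the default burst; disable rate limiting so no test output is dropped. Test image only.`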
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
deleted file mode 100755
index 9bb2462..0000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash -eux
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# TODO: Figure out why this is failing
-systemctl reset-failed systemd-vconsole-setup.service
-
-systemctl --failed --no-legend | tee /failed-services
-
-# Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
- cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
- cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- # TODO: Figure out why this is failing
- # grep -q this_should_be_here /proc/cmdline
- # grep -q this_should_not_be_here /proc/cmdline && exit 1
-fi
-
-# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
-[[ ! -s /failed-services ]]
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
index 070af4c..c364058 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -19,6 +19,9 @@ enable dbus-broker.service
enable systemd-networkd.service
enable systemd-networkd-wait-online.service
+# systemd-resolved is disable by default on CentOS so make sure it is enabled.
+enable systemd-resolved.service
+
# We install dnf in some images but it's only going to be used rarely,
# so let's not have dnf create its cache.
disable dnf-makecache.*
@@ -28,3 +31,11 @@ disable auditd.service
# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
enable systemd-timesyncd.service
+
+# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
+enable autorelabel.service
+
+# Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead.
+disable iscsi.service
+disable iscsid.socket
+disable iscsiuio.socket
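Review bot: Typo in the new comment at the top of the hunk: `is disable by default` should read `is disabled by default`. Suggested line: `# systemd-resolved is disabled by default on CentOS so make sure it is enabled.`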
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
index 710ee7c..710ee7c 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf
new file mode 100644
index 0000000..ebf7899
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# The iscsi-init.service calls `sh` which might, in certain circumstances, pull in instrumented systemd NSS
+# modules causing `sh` to fail. Avoid the issue by setting LD_PRELOAD to load the sanitizer libraries if
+# needed.
+[Service]
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
deleted file mode 100644
index 7942cbf..0000000
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Check if any service failed and then shutdown the machine
-After=multi-user.target network-online.target
-Requires=multi-user.target
-Wants=systemd-resolved.service systemd-networkd.service network-online.target
-SuccessAction=exit
-FailureAction=exit
-# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
-# host.
-SuccessActionExitStatus=123
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf
new file mode 100644
index 0000000..d0093b7
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+PassEnvironment=SYSTEMD_UNIT_PATH
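Review bot: This drop-in lets every per-user manager inherit `SYSTEMD_UNIT_PATH` from PID 1's environment, which changes where user units are looked up image-wide, and nothing says which test relies on it or that it is test-only. Presumably the integration tests set the variable via the manager's environment so they can inject user units. Suggest a comment above `[Service]`: `# Let user managers inherit a test-provided SYSTEMD_UNIT_PATH so the integration tests can inject user units. Test image only.`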
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
index e1a8e81..e1a8e81 100644
--- a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf b/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf
new file mode 100644
index 0000000..ddd36ed
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<!--
+ SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+<busconfig>
+ <policy user="root">
+ <allow own="systemd.test.ExecStopPost"/>
+ </policy>
+</busconfig>
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
deleted file mode 100644
index 26f882b..0000000
--- a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
+++ /dev/null
@@ -1,3 +0,0 @@
-set debuginfod enabled off
-set build-id-verbose 0
-set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 0cb9b9c..4686802 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -1,68 +1,9 @@
-#!/bin/sh
+#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
+set -o nounset
-if [ "$1" = "build" ]; then
- exit 0
-fi
-
-if [ -n "$SANITIZERS" ]; then
- LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
-
- mkdir -p /etc/systemd/system.conf.d
-
- cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-EOF
-
- # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
- # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
- # sanitizer failures appear directly on the user's console.
- mkdir -p /etc/systemd/system/systemd-journald.service.d
- cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
- # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
- # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
- # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
- # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
- mkdir -p /etc/systemd/system/console-getty.service.d
- cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
- # ASAN and syscall filters aren't compatible with each other.
- find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
- # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
- systemctl mask systemd-hwdb-update.service
-fi
-
-if [ -n "$IMAGE_ID" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_ID=/!p' \
- -e "\$aIMAGE_ID=$IMAGE_ID" \
- /usr/lib/os-release
-fi
-
-if [ -n "$IMAGE_VERSION" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_VERSION=/!p' \
- -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
- /usr/lib/os-release
-fi
+useradd --uid 4711 --create-home --user-group testuser
if command -v authselect >/dev/null; then
# authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
@@ -85,9 +26,147 @@ fi
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf
-. /usr/lib/os-release
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+ jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done
+
+# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
+# systemd-journald.
+rm -r "$BUILDROOT/var/log/journal"
+
+rm -f /etc/nsswitch.conf
+cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
+
+# Remove to make TEST-73-LOCALE pass on Ubuntu.
+rm -f /etc/default/keyboard
+
+# This is executed inside the chroot so no need to disable any features as the default features will match
+# the kernel's supported features.
+SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
+ systemd-repart \
+ --empty=create \
+ --dry-run=no \
+ --size=auto \
+ --offline=true \
+ --root test/TEST-24-CRYPTSETUP \
+ --definitions test/TEST-24-CRYPTSETUP/keydev.repart \
+ "$OUTPUTDIR/keydev.raw"
+
+can_test_pkcs11() {
+ if ! command -v "softhsm2-util" >/dev/null; then
+ echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "pkcs11-tool" >/dev/null; then
+ echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "certtool" >/dev/null; then
+ echo "certtool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+P11KIT"; then
+ echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+OPENSSL"; then
+ echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
+ echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+ echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+
+ return 0
+}
+
+setup_pkcs11_token() {
+ echo "Setup PKCS#11 token" >&2
+ local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+ export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+ mkdir -p /usr/lib/softhsm/tokens/
+ cat >$SOFTHSM2_CONF <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+EOF
+ export GNUTLS_PIN="1234"
+ export GNUTLS_SO_PIN="12345678"
+ softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
+
+ if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
+ P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+ fi
+
+ if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+ P11_MODULE_DIR="/usr/lib/pkcs11"
+ fi
+
+ SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+ if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+ SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+ fi
+
+ # RSA #####################################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/rsa_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+ rm "/tmp/rsa_test.crt"
+
+ # prime256v1 ##############################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/ec_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+ rm "/tmp/ec_test.crt"
+
+ ###########################################################
+ rm "$SOFTHSM2_CONF"
+ unset SOFTHSM2_CONF
+
+ cat >/etc/softhsm2.conf <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = INFO
+EOF
+
+ mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
+ cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
+[Unit]
+# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
+StartLimitBurst=10
+
+[Service]
+Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
+Environment="PIN=$GNUTLS_PIN"
+EOF
+
+ unset GNUTLS_PIN
+ unset GNUTLS_SO_PIN
+}
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
- alternatives --set python3 /usr/bin/python3.9
+if can_test_pkcs11; then
+ setup_pkcs11_token
fi
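Review bot: The `for f in "$BUILDROOT"/usr/share/*.verity.sig` loop does not handle an image with no verity signatures: without nullglob the pattern expands to itself, `jq` fails on the literal filename and `set -e` aborts the whole postinst. Add `[[ -e "$f" ]] || continue` as the first line of the loop body (or `shopt -s nullglob` before the loop). In setup_pkcs11_token, `cat >$SOFTHSM2_CONF` is the only unquoted expansion in the function; `cat >"$SOFTHSM2_CONF"` keeps it consistent with the rest. The `--root test/TEST-24-CRYPTSETUP` and `--template "test/TEST-24-CRYPTSETUP/template.cfg"` paths are relative while nsswitch.conf is copied from `$SRCDIR`; if the chroot script's working directory is not guaranteed to be `$SRCDIR`, these should be anchored the same way.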
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
index 4be0466..391543d 100644
--- a/mkosi.images/system/mkosi.repart/00-esp.conf
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -5,5 +5,5 @@ Type=esp
Format=vfat
CopyFiles=/boot:/
CopyFiles=/efi:/
-SizeMinBytes=512M
-SizeMaxBytes=512M
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.repart/10-root.conf b/mkosi.images/system/mkosi.repart/10-root.conf
new file mode 100644
index 0000000..715b925
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=ext4
+CopyFiles=/
+SizeMinBytes=8G
+SizeMaxBytes=8G
diff --git a/mkosi.images/system/mkosi.sanitizers.chroot b/mkosi.images/system/mkosi.sanitizers.chroot
new file mode 100755
index 0000000..524e3da
--- /dev/null
+++ b/mkosi.images/system/mkosi.sanitizers.chroot
@@ -0,0 +1,127 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+set -o nounset
+
+if [[ -z "${SANITIZERS:-}" ]]; then
+ exit 0
+fi
+
+# Sanitizers log to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+# all the sanitizer logs. To rectify that, let's connect journald's stdout to kmsg so that the sanitizer
+# failures end up in the journal.
+mkdir -p /etc/systemd/system/systemd-journald.service.d
+cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=kmsg
+EOF
+
+# ASAN and syscall filters aren't compatible with each other.
+find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+# 'systemd-hwdb update' takes > 50s when built with sanitizers so let's not run it by default.
+systemctl mask systemd-hwdb-update.service
+
+ASAN_RT_PATH="$(grep libasan.so < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
+if [[ -z "$ASAN_RT_PATH" ]]; then
+ ASAN_RT_PATH="$(grep libclang_rt.asan < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
+
+ # As clang's ASan DSO is usually in a non-standard path, let's check if the RUNPATH is set accordingly.
+ if ldd /usr/lib/systemd/systemd | grep -q "libclang_rt.asan.*not found"; then
+ echo >&2 "clang's ASan DSO libclang_rt.asan is not present in the runtime library path"
+ exit 1
+ fi
+fi
+if [[ -z "$ASAN_RT_PATH" ]]; then
+ echo >&2 "systemd is not linked against the ASan DSO"
+ echo >&2 "gcc does this by default, for clang compile with -shared-libasan"
+ exit 1
+fi
+
+wrap=(
+ /usr/lib/polkit-1/polkitd
+ /usr/libexec/polkit-1/polkitd
+ agetty
+ btrfs
+ capsh
+ chgrp
+ chown
+ cryptsetup
+ curl
+ dbus-broker-launch
+ dbus-daemon
+ delv
+ dhcpd
+ dig
+ dmsetup
+ dnsmasq
+ findmnt
+ getent
+ getfacl
+ id
+ integritysetup
+ iscsid
+ kpartx
+ logger
+ login
+ ls
+ lsblk
+ lvm
+ mdadm
+ mkfs.btrfs
+ mkfs.erofs
+ mkfs.ext4
+ mkfs.vfat
+ mkfs.xfs
+ mksquashfs
+ mkswap
+ multipath
+ multipathd
+ nvme
+ p11-kit
+ pkill
+ ps
+ setfacl
+ setpriv
+ sshd
+ stat
+ su
+ tar
+ tgtd
+ useradd
+ userdel
+ veritysetup
+)
+
+for bin in "${wrap[@]}"; do
+ if ! command -v "$bin" >/dev/null; then
+ continue
+ fi
+
+ if [[ "$bin" == getent ]]; then
+ enable_lsan=1
+ else
+ enable_lsan=0
+ fi
+
+ target="$(command -v "$bin")"
+
+ mv "$target" "$target.orig"
+
+ cat >"$target" <<EOF
+#!/bin/bash
+# Preload the ASan runtime DSO, otherwise ASAn will complain
+export LD_PRELOAD="$ASAN_RT_PATH"
+# Disable LSan to speed things up, since we don't care about leak reports
+# from 'external' binaries
+export ASAN_OPTIONS=detect_leaks=$enable_lsan
+# Set argv[0] to the original binary name without the ".orig" suffix
+exec -a "\$0" -- "${target}.orig" "\$@"
+EOF
+ chmod +x "$target"
+done
+
+cat >/usr/lib/systemd/systemd-asan-env <<EOF
+LD_PRELOAD=$ASAN_RT_PATH
+LSAN_OPTIONS=detect_leaks=0
+EOF
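Review bot: The wrapper loop is not safe to run twice: on a second run `command -v "$bin"` resolves to the wrapper itself, `mv` overwrites `$target.orig` with it, and the new wrapper execs a copy of itself forever. Guarding with `if [[ -e "$target.orig" ]]; then continue; fi` before the `mv` makes the script idempotent; whether mkosi re-runs this script on incremental builds I cannot tell from the hunk. Separately, the script uses `set -e` without `pipefail`, so the `grep … | cut` pipelines that compute ASAN_RT_PATH return cut's status even when grep matches nothing, which is what lets the following empty-string checks run; a comment such as `# no pipefail on purpose: an empty match is handled below` would stop a future `set -o pipefail` from breaking them. The generated wrapper comment reads "ASAn" where "ASan" is meant.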
diff --git a/mkosi.images/system/mkosi.sync b/mkosi.images/system/mkosi.sync
new file mode 100755
index 0000000..d21ecd1
--- /dev/null
+++ b/mkosi.images/system/mkosi.sync
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+set -o nounset
+
+if ((${NO_SYNC:-0})); then
+ exit 0
+fi
+
+PKG_SUBDIR="$(realpath --canonicalize-missing "pkg/$DISTRIBUTION" --relative-to "$PWD")"
+
+if [[ -d "$PKG_SUBDIR/.git" ]] && [[ "$(git -C "$PKG_SUBDIR" rev-parse HEAD)" == "$GIT_COMMIT" ]]; then
+ exit 0
+fi
+
+# The repository on Salsa has the full upstream sources, so it's a waste of space to
+# redownload and duplicate everything, so do a sparse checkout as we only need the
+# packaging directory anyway
+if [[ -n "${GIT_SUBDIR:-}" ]]; then
+ sparse=(--no-checkout --filter=tree:0)
+else
+ sparse=()
+fi
+
+if [[ ! -e "$PKG_SUBDIR" ]] || [[ -z "$(ls --almost-all "$PKG_SUBDIR")" ]]; then
+ git clone "$GIT_URL" --branch "$GIT_BRANCH" "${sparse[@]}" "$PKG_SUBDIR"
+ if [[ -n "${GIT_SUBDIR:-}" ]]; then
+ # --no-cone is needed to check out only one top-level directory
+ git -C "$PKG_SUBDIR" sparse-checkout set --no-cone "${GIT_SUBDIR:-}"
+ fi
+else
+ git -C "$PKG_SUBDIR" remote set-url origin "$GIT_URL"
+ git -C "$PKG_SUBDIR" fetch origin "$GIT_BRANCH"
+fi
+
+git -C "$PKG_SUBDIR" -c advice.detachedHead=false checkout "$GIT_COMMIT"
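Review bot: The emptiness test `[[ -z "$(ls --almost-all "$PKG_SUBDIR")" ]]` parses ls output; a filename-safe equivalent is `[[ -z "$(find "$PKG_SUBDIR" -mindepth 1 -maxdepth 1 -print -quit)" ]]`. Under `set -o nounset`, a missing `$DISTRIBUTION`, `$GIT_URL`, `$GIT_BRANCH` or `$GIT_COMMIT` aborts the script with a bare unbound-variable error; a `: "${GIT_URL:?GIT_URL must be set}"` line per variable near the top gives a readable message. In the existing-checkout branch a changed `GIT_SUBDIR` is not reapplied, unlike the clone path; if that case matters, run the same `sparse-checkout set --no-cone` there too.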