diff options
Diffstat (limited to '')
106 files changed, 1970 insertions, 888 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot deleted file mode 100755 index 02dcbc7..0000000 --- a/mkosi.images/base/mkosi.build.chroot +++ /dev/null @@ -1,224 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: LGPL-2.1-or-later -set -e - -# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Simply invoke "mkosi" in the project directory to build an OS image. - -# We don't want to install our build of systemd in the base image, but use it as an extra tree for the -# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as -# an extra tree in the initrd and system image builds. -DESTDIR="$OUTPUTDIR/systemd" - -# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it -# as out-of-tree build dir. Otherwise, let's make up our own builddir. -[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build - -# Let's make sure we're using stuff from the build directory first if available there. -PATH="$BUILDDIR:$PATH" -export PATH - -# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and -# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override -# the ubuntu script with a symlink to the first bpftool program we can find. -for bpftool in /usr/lib/linux-tools/*/bpftool; do - [ -x "$bpftool" ] || continue - ln -sf "$bpftool" "$BUILDDIR"/bpftool - break -done - -# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the -# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports -# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. -. /usr/lib/os-release -if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - cat >"$BUILDDIR"/bpftool <<EOF -#!/bin/sh -if [ "\$1" = --version ]; then - echo 5.6.0 -else - exec /usr/sbin/bpftool \$@ -fi -EOF - chmod +x "$BUILDDIR"/bpftool -fi - -if [ ! -f "$BUILDDIR"/build.ninja ]; then - sysvinit_path=$(realpath /etc/init.d) - - if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - UKIFY="disabled" - else - UKIFY="enabled" - fi - - # On Debian 'loadkeys us' fails - if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then - DEFAULT_KEYMAP="" - else - DEFAULT_KEYMAP="us" - fi - - CONFIGURE_OPTS=( - -D sysvinit-path="$sysvinit_path" - -D man=disabled - -D translations=false - -D version-tag="${VERSION_TAG}" - -D mode=developer - -D b_sanitize="${SANITIZERS:-none}" - -D install-tests=true - -D tests=unsafe - -D slow-tests="${SLOW_TESTS:-false}" - -D create-log-dirs=false - -D pamconfdir=no - -D utmp=true - -D hibernate=true - -D ldconfig=true - -D resolve=true - -D efi=true - -D tpm=true - -D environment-d=true - -D binfmt=true - -D repart=enabled - -D sysupdate=enabled - -D coredump=true - -D pstore=true - -D oomd=true - -D logind=true - -D hostnamed=true - -D localed=true - -D machined=true - -D portabled=true - -D sysext=true - -D userdb=true - -D homed=enabled - -D networkd=true - -D timedated=true - -D timesyncd=true - -D remote=enabled - -D nss-myhostname=true - -D nss-mymachines=enabled - -D nss-resolve=enabled - -D nss-systemd=true - -D firstboot=true - -D randomseed=true - -D backlight=true - -D vconsole=true - -D quotacheck=true - -D sysusers=true - -D tmpfiles=true - -D importd=enabled - -D hwdb=true - -D rfkill=true - -D xdg-autostart=true - -D translations=true - -D polkit=enabled - -D acl=enabled - -D audit=enabled - -D blkid=enabled - -D fdisk=enabled - -D kmod=enabled - -D pam=enabled - -D pwquality=enabled - -D microhttpd=enabled - -D libcryptsetup=enabled - -D libcurl=enabled - -D idn=true - -D libidn2=enabled - -D qrencode=enabled - -D gcrypt=enabled - -D gnutls=enabled - -D openssl=enabled - -D cryptolib=openssl - -D p11kit=enabled - -D libfido2=enabled - -D tpm2=enabled - -D elfutils=enabled - -D zstd=enabled - -D xkbcommon=enabled - -D pcre2=enabled - -D glib=enabled - -D dbus=enabled - -D bootloader=enabled - -D kernel-install=true - -D analyze=true - -D bpf-framework=enabled - -D ukify="$UKIFY" - -D seccomp=enabled - -D selinux=auto - -D apparmor=auto - -D smack=true - -D ima=true - -D first-boot-full-preset=true - -D initrd=true - -D fexecve=true - -D default-keymap="$DEFAULT_KEYMAP" - ) - - # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/. - # It is important to use the right one especially for cryptsetup plugins, otherwise they will be - # installed in the wrong directory and not be found by cryptsetup. Assume native build. - if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then - CONFIGURE_OPTS+=( - -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" - -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" - ) - fi - - # Set various uids and gids for which Fedora has "soft static" allocations. - # Without this, we would get warning about mismatched sysusers.d entries - # between the files that we and Fedora's setup package install. - if grep -q '^ID=fedora' /usr/lib/os-release; then - CONFIGURE_OPTS+=( - -Dadm-gid=4 - -Daudio-gid=63 - -Dcdrom-gid=11 - -Ddialout-gid=18 - -Ddisk-gid=6 - -Dinput-gid=104 - -Dkmem-gid=9 - -Dkvm-gid=36 - -Dlp-gid=7 - -Drender-gid=105 - -Dsgx-gid=106 - -Dtape-gid=33 - -Dtty-gid=5 - -Dusers-gid=100 - -Dutmp-gid=22 - -Dvideo-gid=39 - -Dwheel-gid=10 - -Dsystemd-journal-gid=190 - -Dsystemd-network-uid=192 - -Dsystemd-resolve-uid=193 - ) - fi - - ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" ) -fi - -( set -x; ninja -C "$BUILDDIR" "$@" ) -if [ "$WITH_TESTS" = 1 ]; then - if [ -n "$SANITIZERS" ]; then - export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS" - export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS" - TIMEOUT_MULTIPLIER=3 - else - TIMEOUT_MULTIPLIER=1 - fi - - ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER ) -fi - -( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed ) - -# Ensure that side-loaded PE addons are loaded if signed, and ignored if not -if [ -d "${DESTDIR}/boot/loader" ]; then - addons_dir="${DESTDIR}/boot/loader/addons" -elif [ -d "${DESTDIR}/efi/loader" ]; then - addons_dir="${DESTDIR}/efi/loader/addons" -fi -if [ -n "${addons_dir}" ]; then - mkdir -p "${addons_dir}" - ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi" - ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi" -fi diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf deleted file mode 100644 index 6c6d045..0000000 --- a/mkosi.images/base/mkosi.conf +++ /dev/null @@ -1,34 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Output] -Format=directory - -[Content] -Bootable=no -CleanPackageMetadata=no - -Packages= -Packages= - kmod - less - util-linux - -BuildPackages= - acl - diffutils - gawk - binutils - clang - gettext - git - gperf - grep - lld - llvm - make - meson - pkgconf - rsync - sed - tar - zstd diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf deleted file mode 100644 index 7ab0c71..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-arch.conf +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=arch - -[Content] -Packages= - cryptsetup - dbus - gnutls - libbpf - libfido2 - libmicrohttpd - libnftnl - libpwquality - libseccomp - libxkbcommon - openssl - qrencode - tpm2-tss - -BuildPackages= - bpf - docbook-xsl - glib2 - libxslt - linux-api-headers - python - python-jinja - python-lxml - python-pefile - python-pyelftools diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf deleted file mode 100644 index 8ada9b0..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf +++ /dev/null @@ -1,75 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|centos -Distribution=|fedora - -[Content] -Packages= - audit-libs - cryptsetup-libs - gnutls - libasan - libbpf - libfido2 - libgcrypt - libmicrohttpd - libnftnl - libubsan - libxcrypt - libxkbcommon - openssl-libs - qrencode-libs - tpm2-tss - util-linux - -BuildPackages= - pkgconf - bpftool - docbook-xsl - findutils - libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file. - libxslt - pam-devel - pkgconfig(audit) - pkgconfig(blkid) - pkgconfig(bzip2) - pkgconfig(dbus-1) - pkgconfig(fdisk) - pkgconfig(glib-2.0) - pkgconfig(gnutls) - pkgconfig(libacl) - pkgconfig(libbpf) - pkgconfig(libcap) - pkgconfig(libcryptsetup) - pkgconfig(libcurl) - pkgconfig(libdw) - pkgconfig(libfido2) - pkgconfig(libidn2) - pkgconfig(libkmod) - pkgconfig(libmicrohttpd) - pkgconfig(libnftnl) - pkgconfig(libpcre2-8) - pkgconfig(libqrencode) - pkgconfig(libseccomp) - pkgconfig(libselinux) - pkgconfig(libzstd) - pkgconfig(mount) - pkgconfig(numa) - pkgconfig(openssl) - pkgconfig(openssl) - pkgconfig(p11-kit-1) - pkgconfig(pwquality) - pkgconfig(tss2-esys) - pkgconfig(tss2-mu) - pkgconfig(tss2-rc) - pkgconfig(tss2-tcti-device) - pkgconfig(valgrind) - pkgconfig(xkbcommon) - python3 - python3dist(jinja2) - python3dist(lxml) - python3dist(pefile) - python3dist(pyelftools) - python3dist(pytest) - rpm diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf deleted file mode 100644 index c529e0b..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf +++ /dev/null @@ -1,69 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|debian -Distribution=|ubuntu - -[Content] -Packages= - dmsetup - libapparmor1 - libfdisk1 - libfido2-1 - libglib2.0-0 - libgnutls30 - libidn2-0 - libmicrohttpd12 - libnftnl11 - libp11-kit0 - libpam0g - libpwquality1 - libqrencode4 - libssl3 - libip4tc2 - libtss2-dev # Use the -dev package to avoid churn in updating version numbers - tzdata - -BuildPackages= - docbook-xsl - dpkg-dev - g++ - libacl1-dev - libapparmor-dev - libaudit-dev - libblkid-dev - libbpf-dev - libbz2-dev - libcap-dev - libcryptsetup-dev - libcurl4-openssl-dev - libdbus-1-dev - libdw-dev - libfdisk-dev - libfido2-dev - libgcrypt20-dev - libglib2.0-dev - libgnutls28-dev - libidn2-dev - libiptc-dev - libkmod-dev - libmicrohttpd-dev - libmount-dev - libnftnl-dev - libp11-kit-dev - libpam0g-dev - libpwquality-dev - libqrencode-dev - libseccomp-dev - libsmartcols-dev - libssl-dev - libxen-dev - libxkbcommon-dev - libzstd-dev - python3 - python3-jinja2 - python3-lxml - python3-pefile - python3-pyelftools - python3-pytest - xsltproc diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf deleted file mode 100644 index a8fbce4..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-fedora.conf +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=fedora - -[Content] -BuildPackages= - python3dist(pytest-flakes) - pkgconfig(xencontrol) diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf deleted file mode 100644 index 5aae0ed..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf +++ /dev/null @@ -1,90 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=opensuse - -[Content] -# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox -# versions don't get installed instead. -Packages= - device-mapper - distribution-release - docbook-xsl-stylesheets - gawk - grep - gzip - libbpf1 - libcrypt1 - libcryptsetup12 - libdw1 - libelf1 - libfido2 - libgcrypt20 - libglib-2_0-0 - libkmod2 - libmount1 - libnftnl11 - libopenssl3 - libp11-kit0 - libqrencode4 - libseccomp2 - libtss2-esys0 - libtss2-mu0 - libtss2-rc0 - libtss2-tcti-device0 - libxkbcommon0 - libzstd1 - pam - rsync - sed - shadow - tpm2-0-tss - xz - -BuildPackages= - audit-devel - bpftool - dbus-1-devel - fdupes - gcc-c++ - glib2-devel - glibc-locale - intltool - libacl-devel - libapparmor-devel - libblkid-devel - libbpf-devel - libcap-devel - libcryptsetup-devel - libcurl-devel - libdw-devel - libelf-devel - libfdisk-devel - libfido2-devel - libgcrypt-devel - libgnutls-devel - libkmod-devel - libmicrohttpd-devel - libmount-devel - libnftnl-devel - libpwquality-devel - libseccomp-devel - libselinux-devel - libxkbcommon-devel - libxslt-tools - libzstd-devel - openssl-devel - pam-devel - pciutils-devel - python3 - python3-Jinja2 - python3-lxml - python3-pefile - python3-pyelftools - python3-pytest - python3-pytest-flakes - qrencode-devel - shadow - timezone - tpm2-0-tss-devel - xen-devel diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf deleted file mode 100644 index 717809f..0000000 --- a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=ubuntu - -[Content] -Packages= - libbpf0 - -BuildPackages= - linux-tools-common - linux-tools-generic diff --git a/mkosi.images/exitrd/mkosi.conf b/mkosi.images/exitrd/mkosi.conf new file mode 100644 index 0000000..2e867cb --- /dev/null +++ b/mkosi.images/exitrd/mkosi.conf @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +ConfigureScripts= + +[Output] +Format=directory + +[Content] +Bootable=no +@Locale=C.UTF-8 +WithDocs=no +CleanPackageMetadata=yes +MakeInitrd=yes + +BuildSources= +Packages= +BuildPackages= +VolatilePackages= + +Packages= + bash diff --git a/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf b/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000..c8b1904 --- /dev/null +++ b/mkosi.images/exitrd/mkosi.conf.d/10-arch.conf @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + systemd + +RemoveFiles= + # Arch Linux doesn't split their gcc-libs package so we manually remove + # unneeded stuff here to make sure it doesn't end up in the image. + /usr/lib/libgfortran.so* + /usr/lib/libgo.so* + /usr/lib/libgomp.so* + /usr/lib/libgphobos.so* + /usr/lib/libobjc.so* + /usr/lib/libgdruntime.so* + + # Remove all files that are only required for development. + /usr/lib/*.a + /usr/include/* + + /usr/share/i18n/* + /usr/share/hwdata/* + /usr/share/iana-etc/* + /usr/share/locale/* + /usr/share/terminfo/* + /usr/share/zoneinfo/* diff --git a/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000..8458dee --- /dev/null +++ b/mkosi.images/exitrd/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + systemd-standalone-shutdown diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf index 020b02b..babde60 100644 --- a/mkosi.images/base/mkosi.conf.d/10-debian.conf +++ b/mkosi.images/exitrd/mkosi.conf.d/10-debian-ubuntu.conf @@ -1,11 +1,9 @@ # SPDX-License-Identifier: LGPL-2.1-or-later [Match] -Distribution=debian +Distribution=|debian +Distribution=|ubuntu [Content] Packages= - libbpf1 - -BuildPackages= - bpftool + systemd diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/exitrd/mkosi.conf.d/10-opensuse.conf index 5cf2df3..3f6df21 100644 --- a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf +++ b/mkosi.images/exitrd/mkosi.conf.d/10-opensuse.conf @@ -3,9 +3,6 @@ [Match] Distribution=opensuse -[Output] -CompressOutput=zst - [Content] -Packages=btrfs-progs - tpm2.0-tools +Packages= + systemd diff --git a/mkosi.images/exitrd/mkosi.extra/shutdown b/mkosi.images/exitrd/mkosi.extra/shutdown new file mode 100755 index 0000000..e4c6087 --- /dev/null +++ b/mkosi.images/exitrd/mkosi.extra/shutdown @@ -0,0 +1,12 @@ +#!/usr/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux + +EXIT_CODE=() + +# Translate a successful exit code to 124 so that we can detect that the exitrd was actually used. +if [[ "$*" == *"--exit-code=123"* ]]; then + EXIT_CODE+=("--exit-code=124") +fi + +exec /usr/lib/systemd/systemd-shutdown "$@" "${EXIT_CODE[@]}" diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf deleted file mode 100644 index 8e38dc1..0000000 --- a/mkosi.images/initrd/mkosi.conf +++ /dev/null @@ -1,30 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Config] -Dependencies=base - -[Output] -Format=cpio - -[Content] -BaseTrees=../../mkosi.output/base -ExtraTrees=../../mkosi.output/base-systemd -MakeInitrd=yes -Bootable=no -BuildPackages= - -Packages= -Packages= - gzip - systemd - udev - -# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it -# doesn't end up in the initrd. -RemoveFiles= - /usr/lib/libgfortran.so* - /usr/lib/libgo.so* - /usr/lib/libgomp.so* - /usr/lib/libgphobos.so* - /usr/lib/libobjc.so* - /usr/lib/libstdc++.so* diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf deleted file mode 100644 index 3f92e52..0000000 --- a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=centos - -[Output] -# TODO: Switch to zstd once we stop building CentOS Stream 8. -CompressOutput=xz - -[Content] -Packages=xfsprogs - tpm2-tools diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf deleted file mode 100644 index 9224b92..0000000 --- a/mkosi.images/initrd/mkosi.conf.d/10-default.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=!centos -Distribution=!opensuse - -[Output] -CompressOutput=zst - -[Content] -Packages=btrfs-progs - tpm2-tools diff --git a/mkosi.images/minimal-0/mkosi.conf b/mkosi.images/minimal-0/mkosi.conf new file mode 100644 index 0000000..a929fb6 --- /dev/null +++ b/mkosi.images/minimal-0/mkosi.conf @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=minimal-base +ConfigureScripts= + +[Distribution] +CacheOnly=always + +[Output] +Format=portable +SplitArtifacts=yes + +[Content] +BaseTrees=%O/minimal-base +Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs +Bootable=no + +BuildSources= +Packages= +BuildPackages= +VolatilePackages= + +[Host] +Incremental=no diff --git a/test/testsuite-07.units/issue2467.socket b/mkosi.images/minimal-0/mkosi.extra/opt/some_file index af1317b..bd4fba4 100644 --- a/test/testsuite-07.units/issue2467.socket +++ b/mkosi.images/minimal-0/mkosi.extra/opt/some_file @@ -1,3 +1 @@ # SPDX-License-Identifier: LGPL-2.1-or-later -[Socket] -ListenStream=/run/test.ctl diff --git a/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service new file mode 100644 index 0000000..0532112 --- /dev/null +++ b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Service] +ExecStartPre=cat /usr/lib/os-release +ExecStart=sleep 120 diff --git a/mkosi.images/minimal-0/mkosi.postinst b/mkosi.images/minimal-0/mkosi.postinst new file mode 100755 index 0000000..a66cf68 --- /dev/null +++ b/mkosi.images/minimal-0/mkosi.postinst @@ -0,0 +1,11 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux + +mkdir -p "$BUILDROOT/var/lib/app1" + +cat >>"$BUILDROOT/usr/lib/os-release" <<EOF +MARKER=1 +PORTABLE_PREFIXES=app0 minimal minimal-app0 +EOF +cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service" diff --git a/mkosi.images/minimal-1/mkosi.conf b/mkosi.images/minimal-1/mkosi.conf new file mode 100644 index 0000000..a929fb6 --- /dev/null +++ b/mkosi.images/minimal-1/mkosi.conf @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +Dependencies=minimal-base +ConfigureScripts= + +[Distribution] +CacheOnly=always + +[Output] +Format=portable +SplitArtifacts=yes + +[Content] +BaseTrees=%O/minimal-base +Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs +Bootable=no + +BuildSources= +Packages= +BuildPackages= +VolatilePackages= + +[Host] +Incremental=no diff --git a/mkosi.images/minimal-1/mkosi.extra/opt/some_file b/mkosi.images/minimal-1/mkosi.extra/opt/some_file new file mode 100644 index 0000000..bd4fba4 --- /dev/null +++ b/mkosi.images/minimal-1/mkosi.extra/opt/some_file @@ -0,0 +1 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later diff --git a/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service new file mode 100644 index 0000000..0532112 --- /dev/null +++ b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Service] +ExecStartPre=cat /usr/lib/os-release +ExecStart=sleep 120 diff --git a/mkosi.images/minimal-1/mkosi.postinst b/mkosi.images/minimal-1/mkosi.postinst new file mode 100755 index 0000000..e2d08d0 --- /dev/null +++ b/mkosi.images/minimal-1/mkosi.postinst @@ -0,0 +1,11 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux + +mkdir -p "$BUILDROOT/var/lib/app1" + +cat >>"$BUILDROOT/usr/lib/os-release" <<EOF +MARKER=2 +PORTABLE_PREFIXES=app0 minimal minimal-app0 +EOF +cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service" diff --git a/mkosi.images/minimal-base/mkosi.conf b/mkosi.images/minimal-base/mkosi.conf new file mode 100644 index 0000000..7eb1473 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.conf @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Config] +ConfigureScripts= + +[Output] +Format=directory + +[Content] +Bootable=no +@Locale=C.UTF-8 +WithDocs=no +CleanPackageMetadata=yes + +BuildSources= +Packages= +BuildPackages= +VolatilePackages= + +Packages= + bash + coreutils + grep + util-linux diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000..9b03397 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf @@ -0,0 +1,31 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + inetutils + iproute + openbsd-netcat + +RemoveFiles= + # Arch Linux doesn't split their gcc-libs package so we manually remove + # unneeded stuff here to make sure it doesn't end up in the image. + /usr/lib/libgfortran.so* + /usr/lib/libgo.so* + /usr/lib/libgomp.so* + /usr/lib/libgphobos.so* + /usr/lib/libobjc.so* + /usr/lib/libgdruntime.so* + + # Remove all files that are only required for development. + /usr/lib/*.a + /usr/include/* + + /usr/share/i18n/* + /usr/share/hwdata/* + /usr/share/iana-etc/* + /usr/share/locale/* + /usr/share/terminfo/* + /usr/share/zoneinfo/* diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000..3a3e528 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +Packages= + hostname + iproute + iproute-tc + netcat diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf new file mode 100644 index 0000000..a715ec1 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + hostname + iproute2 + mount + netcat-openbsd diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000..2e370ec --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +Packages= + hostname + iproute2 + netcat-openbsd + patterns-base-minimal_base diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/os-release b/mkosi.images/minimal-base/mkosi.extra/etc/os-release new file mode 120000 index 0000000..c4c75b4 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.extra/etc/os-release @@ -0,0 +1 @@ +../usr/lib/os-release
\ No newline at end of file diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf new file mode 100644 index 0000000..d2c5ef4 --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# This is a stub resolv.conf intended as a mountpoint for the host's resolv.conf diff --git a/mkosi.images/minimal-base/mkosi.postinst b/mkosi.images/minimal-base/mkosi.postinst new file mode 100755 index 0000000..c76fb0a --- /dev/null +++ b/mkosi.images/minimal-base/mkosi.postinst @@ -0,0 +1,11 @@ +#!/bin/bash +set -e + +# We don't use mkosi.extra because /usr/sbin could be a symlink and cp doesn't handle that properly until +# coreutils 9.5 or newer. +cat >"$BUILDROOT/sbin/init" <<EOF +#!/bin/bash +echo "Hello from dummy init, beautiful day, innit?" +ip link +EOF +chmod +x "$BUILDROOT/sbin/init" diff --git a/mkosi.images/system/coredump-journal-storage.conf b/mkosi.images/system/coredump-journal-storage.conf new file mode 100644 index 0000000..cde9785 --- /dev/null +++ b/mkosi.images/system/coredump-journal-storage.conf @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Coredump] +Storage=journal diff --git a/mkosi.images/system/initrd/mkosi.conf b/mkosi.images/system/initrd/mkosi.conf new file mode 100644 index 0000000..ed9bfdc --- /dev/null +++ b/mkosi.images/system/initrd/mkosi.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Content] +PostInstallationScripts=../mkosi.sanitizers.chroot +ExtraTrees= + ../leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions + ../coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf new file mode 100644 index 0000000..b252491 --- /dev/null +++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=var +# This label is the partition's label. The filesystem inside may have its own label. +Label=varcrypt +# This UUID is the decrypted partition UUID, there are also filesystem and luks UUIDs. +# The original test finds the partition by this UUID, but it doesn't appear +# since the luks UUID, which is derived by hash of this UUID, is different +# and the luks UUID is needed before the decrypted partition UUID. +# The resulting luks UUID is 0d318174-56b0-4d6e-a324-ac1e7e7d235d. +UUID=deadbeef-dead-dead-beef-000000000000 +Format=ext4 +Encrypt=key-file +SizeMinBytes=1G diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service new file mode 100644 index 0000000..54a9b8a --- /dev/null +++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Unit] +Description=Add encrypted var partition to root disk +Documentation=man:systemd-repart.service(8) + +ConditionVirtualization=!container + +DefaultDependencies=no +Wants=modprobe@loop.service modprobe@dm_mod.service +After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount +Before=initrd-root-fs.target +Conflicts=shutdown.target initrd-switch-root.target +Before=shutdown.target initrd-switch-root.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=systemd-repart --definitions /usr/lib/encrypted-var.repart.d --key-file %d/keyfile --dry-run=no /sysroot +ImportCredential=keyfile diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service new file mode 100644 index 0000000..845ac57 --- /dev/null +++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrd-run-mount.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Unit] +Description=Create a mount in /run that should survive the transition from initrd + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=mkdir /run/initrd-mount-source /run/initrd-mount-target +ExecStart=mount -v --bind /run/initrd-mount-source /run/initrd-mount-target +ExecStart=cp -v /etc/initrd-release /run/initrd-mount-target/hello-world diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service new file mode 100644 index 0000000..2c709bc --- /dev/null +++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/initrdcred.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Unit] +Description=populate initrd credential dir for TEST-54-CREDS + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=sh -c "mkdir -m 0755 -p /run/credentials && mkdir -m 0700 /run/credentials/@initrd && umask 0077 && echo guatemala > /run/credentials/@initrd/myinitrdcred" diff --git a/mkosi.images/system/leak-sanitizer-suppressions b/mkosi.images/system/leak-sanitizer-suppressions new file mode 100644 index 0000000..639abb8 --- /dev/null +++ b/mkosi.images/system/leak-sanitizer-suppressions @@ -0,0 +1 @@ +leak:libselinux diff --git a/mkosi.images/system/mkosi.clean b/mkosi.images/system/mkosi.clean new file mode 100755 index 0000000..64810b7 --- /dev/null +++ b/mkosi.images/system/mkosi.clean @@ -0,0 +1,5 @@ +#!/bin/bash +set -e +set -o nounset + +rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar} diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf index 7612f22..562650a 100644 --- a/mkosi.images/system/mkosi.conf +++ b/mkosi.images/system/mkosi.conf @@ -1,48 +1,76 @@ # SPDX-License-Identifier: LGPL-2.1-or-later [Config] -Dependencies=base +InitrdInclude=initrd/ + +[Output] +@Format=directory +RepartDirectories=mkosi.repart [Content] Autologin=yes -BaseTrees=../../mkosi.output/base -ExtraTrees=../../mkosi.output/base-systemd +ExtraTrees= + %D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key + leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions + coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf + +PostInstallationScripts=mkosi.sanitizers.chroot + +InitrdPackages= + findutils + grep + sed + Packages= acl + attr bash-completion + bpftrace + clang coreutils + curl diffutils dnsmasq dosfstools e2fsprogs findutils - gcc # Sanitizer libraries gdb grep gzip + jq kbd kexec-tools + kmod + knot less + lld + llvm + lvm2 + man + mdadm mtools nano nftables + nvme-cli + opensc openssl + p11-kit + python3 qrencode + radvd + rsync sed socat strace systemd + tar tmux tree udev util-linux valgrind + which wireguard-tools xfsprogs zsh - -BuildPackages= - -[Validation] -@SecureBoot=yes -@SignExpectedPcr=yes + zstd diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf deleted file mode 100644 index 9f21754..0000000 --- a/mkosi.images/system/mkosi.conf.d/05-initrd.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Bootable=!no -Format=|disk -Format=|directory - -[Config] -Dependencies=initrd - -[Content] -Initrds=../../mkosi.output/initrd diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf deleted file mode 100644 index e1a511c..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-arch.conf +++ /dev/null @@ -1,27 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=arch - -[Content] -Packages= - bpf - btrfs-progs - compsize - dhcp - f2fs-tools - glib2 - iproute - linux - man-db - openbsd-netcat - openssh - pacman - polkit - python-pefile - python-psutil - python-pytest - python3 - quota-tools - shadow - vim diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot new file mode 100755 index 0000000..1f6e0c3 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot @@ -0,0 +1,93 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. /usr/lib/os-release + +if [ ! -f "pkg/$ID/PKGBUILD" ]; then + echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2 + exit 1 +fi + +# We can't configure the source or build directory so we use symlinks instead to make sure they are in the +# expected locations. +ln --symbolic "$SRCDIR" "pkg/$ID/systemd-stable" +ln --symbolic "$BUILDDIR" "pkg/$ID/build" +# Because we run with --noextract we are responsible for making sure the source files appear in src/. +ln --symbolic . "pkg/$ID/src" + +MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE" +if ((LLVM)); then + # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed. + MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function" +fi + +MKOSI_LDFLAGS="" +if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then + MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux" +fi + +MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}" +if ((WIPE)); then + MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe" +fi + +# Override the default options. We specifically disable "strip", "zipman" and "lto" as they slow down builds +# significantly. OPTIONS= cannot be overridden on the makepkg command line so we append to /etc/makepkg.conf +# instead. The rootfs is overlaid with a writable tmpfs during the build script so these changes don't end up +# in the image itself. +tee --append /etc/makepkg.conf >/dev/null <<EOF +export CC="$( ((LLVM)) && echo clang || echo gcc)" +export CXX="$( ((LLVM)) && echo clang++ || echo g++)" +export CC_LD="$( ((LLVM)) && echo lld)" +export CXX_LD="$( ((LLVM)) && echo lld)" +export CFLAGS="\$CFLAGS $MKOSI_CFLAGS $CFLAGS" +export CXXFLAGS="\$CXXFLAGS $MKOSI_CFLAGS $CFLAGS" +export LDFLAGS="\$LDFLAGS $MKOSI_LDFLAGS $LDFLAGS" +OPTIONS=( + docs + !libtool + !staticlibs + emptydirs + !zipman + purge + $( ((WITH_DEBUG)) && echo strip || echo !strip) + $( ((WITH_DEBUG)) && echo debug || echo !debug) + !lto +) +EOF + +# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions. +rm /usr/share/makepkg/lint_pkgbuild/* + +if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then + TS="$(git show --no-patch --format=%ct HEAD)" +else + TS="${SOURCE_DATE_EPOCH:-$(date +%s)}" +fi + +sed --in-place "pkg/$ID/PKGBUILD" \ + --expression "s/^_tag=.*/_tag=$(cat meson.version)/" \ + --expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/" + +# We get around makepkg's root check by setting EUID to something else. +# shellcheck disable=SC2046 +env --chdir="pkg/$ID" \ + EUID=123 \ + makepkg \ + --noextract \ + $( ((WITH_TESTS)) || echo --nocheck) \ + --force \ + _systemd_UPSTREAM=1 \ + _systemd_QUIET=$( ((MESON_VERBOSE)); echo $? ) \ + BUILDDIR="$PWD/pkg/$ID" \ + PKGDEST="$OUTPUTDIR" \ + PKGEXT=".pkg.tar" \ + MESON_EXTRA_CONFIGURE_OPTIONS="$MKOSI_MESON_OPTIONS $MESON_OPTIONS" + +cp "$OUTPUTDIR"/*.pkg.tar "$PACKAGEDIR" diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf new file mode 100644 index 0000000..036b0a3 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf @@ -0,0 +1,71 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Environment= + GIT_URL=https://gitlab.archlinux.org/archlinux/packaging/packages/systemd.git + GIT_BRANCH=main + GIT_COMMIT=dc6c099e0785753c1c88b4adcbcbfc209a8d12e3 + +VolatilePackages= + systemd + systemd-libs + systemd-resolvconf + systemd-sysvcompat + systemd-tests + systemd-ukify + +Packages= + bind + bpf + btrfs-progs + compiler-rt + compsize + cryptsetup + dbus-broker + dbus-broker-units + debugedit + dhcp + f2fs-tools + fakeroot + git + gnutls + gnutls + iproute + iputils + linux + man-db + multipath-tools + open-iscsi + openbsd-netcat + openssh + openssl + pacman + pkgconf + polkit + procps-ng + psmisc + python-pexpect + python-psutil + quota-tools + sbsigntools + shadow + softhsm + squashfs-tools + stress + tgt + tpm2-tools + tpm2-tss + vim + +InitrdPackages= + btrfs-progs + compiler-rt + tpm2-tools + +InitrdVolatilePackages= + systemd + systemd-libs + systemd-sysvcompat diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf new file mode 100644 index 0000000..4a6d2e9 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Environment=WITH_DEBUG=1 + +[Content] +VolatilePackages=systemd-debug diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare new file mode 100755 index 0000000..fd78e81 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare @@ -0,0 +1,29 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ] || ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. "$BUILDROOT/usr/lib/os-release" + +if [ ! -f "pkg/$ID/PKGBUILD" ]; then + echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2 + exit 1 +fi + +# We get depends and optdepends from .SRCINFO as getting them from the PKGBUILD is rather complex. +sed --expression 's/^[ \t]*//' "pkg/$ID/.SRCINFO" | + grep --regexp '^depends =' --regexp '^optdepends =' | + sed --expression 's/^depends = //' --expression 's/^optdepends = //' --expression 's/:.*//' --expression 's/=.*//' | + xargs --delimiter '\n' mkosi-install + +# We get makedepends from the PKGBUILD as .SRCINFO can't encode conditional dependencies depending on +# whether some environment variable is set or not. +# shellcheck source=/dev/null +_systemd_UPSTREAM=1 . "pkg/$ID/PKGBUILD" + +# shellcheck disable=SC2154 +mkosi-install "${makedepends[@]}" diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf deleted file mode 100644 index 67d4643..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|centos -Distribution=|fedora - -[Content] -Packages= - bpftool - cryptsetup - dhcp-server - dnf - glib2 - integritysetup - iproute - iproute-tc - kernel-core - libcap-ng-utils - netcat - openssh-server - p11-kit - pam - passwd - polkit - procps-ng - python3 - python3dist(pefile) - python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason. - python3dist(psutil) - python3dist(pytest) - quota - vim-common diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot new file mode 100755 index 0000000..2c05787 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot @@ -0,0 +1,116 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. /usr/lib/os-release + +if [ ! -f "pkg/$ID/systemd.spec" ]; then + echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2 + exit 1 +fi + +if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then + TS="$(git show --no-patch --format=%ct HEAD)" +else + TS="${SOURCE_DATE_EPOCH:-$(date +%s)}" +fi + +if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.19.91"; then + # Fix the %install override so debuginfo packages are generated even when --build-in-place is used. + # See https://github.com/rpm-software-management/rpm/issues/3042. + tee --append /usr/lib/rpm/redhat/macros <<'EOF' +%install %{?_enable_debug_packages:%{debug_package}}\ +%%install\ +%{nil} +EOF +fi + +VERSION="$(cat meson.version)" +RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")" + +DIST="$(rpm --eval %dist)" +ARCH="$(rpm --eval %_arch)" +SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH" + +COMMON_MACRO_OVERRIDES=( + --define "toolchain $( ((LLVM)) && echo clang || echo gcc)" + --define "_fortify_level 0" + --undefine _lto_cflags + # TODO: Remove once redhat-rpm-config 292 is available everywhere. + --define "_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg" + --define "_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg" +) + +# TODO: Drop -U_FORTIFY_SOURCE when we switch to CentOS Stream 10. +MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE" +if ((WITH_DEBUG)); then + MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST" +fi +if ((LLVM)); then + # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed. + MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function" +fi + +MKOSI_LDFLAGS="" +if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then + MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(dirname "$(clang --print-file-name=libclang_rt.asan.so)")" +fi + +MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}" +if ((WIPE)); then + MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe" +fi + +IFS= +# TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once +# https://github.com/mesonbuild/meson/pull/12835 is available. +# shellcheck disable=SC2046 +env \ +--unset=CFLAGS \ +--unset=CXXFLAGS \ +--unset=LDFLAGS \ +ANNOBIN="no-active-checks" \ +CC_LD="$( ((LLVM)) && echo lld)" \ +CXX_LD="$( ((LLVM)) && echo lld)" \ + rpmbuild \ + -bb \ + --build-in-place \ + --with upstream \ + $( ((WITH_TESTS)) || echo "--nocheck") \ + $( ((WITH_DOCS)) || echo "--without=docs") \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + --define "_rpmdir $OUTPUTDIR" \ + ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \ + --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \ + --define "_binary_payload w.ufdio" \ + $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \ + --define "version_override $VERSION" \ + --define "release_override $RELEASE" \ + "${COMMON_MACRO_OVERRIDES[@]}" \ + --define "build_cflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \ + --define "build_cxxflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \ + --define "build_ldflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_ldflags}") $MKOSI_LDFLAGS $LDFLAGS" \ + --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} $( ((MESON_VERBOSE)) && echo --verbose) %{nil}}" \ + --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \ + --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \ + $( ((WITH_DEBUG)) || echo "--define=__brp_strip %{nil}") \ + --define "__brp_compress %{nil}" \ + --define "__brp_mangle_shebangs %{nil}" \ + --define "__brp_strip_comment_note %{nil}" \ + --define "__brp_strip_static_archive %{nil}" \ + --define "__brp_check_rpaths %{nil}" \ + --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \ + --define "__script_requires %{nil}" \ + --define "_find_debuginfo_dwz_opts %{nil}" \ + --define "_fixperms true" \ + --undefine _package_note_flags \ + --noclean \ + "pkg/$ID/systemd.spec" + +cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR" diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf new file mode 100644 index 0000000..6fbd507 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf @@ -0,0 +1,75 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|centos +Distribution=|fedora + +[Content] +VolatilePackages= + systemd + systemd-boot + systemd-container + systemd-devel + systemd-journal-remote + systemd-networkd + systemd-networkd-defaults + systemd-oomd-defaults + systemd-pam + systemd-resolved + systemd-tests + systemd-udev + systemd-ukify + +Packages= + bind-utils + bpftool + compiler-rt + cryptsetup + device-mapper-event + device-mapper-multipath + dfuzzer + dhcp-server + dnf + git-core + glibc-langpack-de + glibc-langpack-en + gnutls + gnutls-utils + integritysetup + iproute + iproute-tc + iputils + iscsi-initiator-utils + kernel-core + libasan + libcap-ng-utils + libubsan + man-db + netcat + openssh-clients + openssh-server + pam + passwd + policycoreutils + polkit + procps-ng + python3-pexpect + quota + rpm + rpm-build + rpmautospec + sbsigntools + softhsm + squashfs-tools + stress + tpm2-tools + util-linux + veritysetup + vim-common + +InitrdPackages= + tpm2-tools + +InitrdVolatilePackages= + systemd + systemd-udev diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf new file mode 100644 index 0000000..0c3707b --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Environment=WITH_DEBUG=1 + +[Content] +VolatilePackages= + systemd-container-debuginfo + systemd-debuginfo + systemd-debugsource + systemd-journal-remote-debuginfo + systemd-libs-debuginfo + systemd-networkd-debuginfo + systemd-pam-debuginfo + systemd-resolved-debuginfo + systemd-tests-debuginfo + systemd-udev-debuginfo diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf new file mode 100644 index 0000000..9fe5509 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Profile=!particle + +[Content] +# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're +# building a /usr-only image. +Packages= + selinux-policy + selinux-policy-targeted + setools-console + +# We relabel on first boot instead of at build time because it is only possible to label without root +# if the labels exist in the host system, and we want to be able to cross-build to other distributions. +SELinuxRelabel=no + +InitrdPackages= + selinux-policy + selinux-policy-targeted diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare new file mode 100755 index 0000000..1b86073 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare @@ -0,0 +1,65 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ] || ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. "$BUILDROOT/usr/lib/os-release" + +if [ ! -f "pkg/$ID/systemd.spec" ]; then + echo "spec not found at pkg/$ID/systemd.spec, run mkosi with -ff to make sure the spec is cloned" >&2 + exit 1 +fi + +for DEPS in --requires --buildrequires; do + mkosi-chroot \ + rpmspec \ + --with upstream \ + --query \ + "$DEPS" \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + "pkg/$ID/systemd.spec" | + grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev --regexp grubby --regexp sdubby | + sort --unique | + tee /tmp/buildrequires | + xargs --delimiter '\n' mkosi-install +done + +# rpmbuild -br tries to build a source package which means all source files have to exist which isn't the +# case when using --build-in-place so we get rid of the source file that doesn't exist to make it happy. +# TODO: Use -bd instead of -br and get rid of this once we don't need to build on CentOS Stream 9 anymore. +sed '/Source0/d' --in-place "pkg/$ID/systemd.spec" + +until mkosi-chroot \ + rpmbuild \ + -br \ + --build-in-place \ + --with upstream \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \ + "pkg/$ID/systemd.spec" +do + EXIT_STATUS=$? + if [ $EXIT_STATUS -ne 11 ]; then + exit $EXIT_STATUS + fi + + mkosi-chroot \ + rpm \ + --query \ + --package \ + --requires \ + /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm | + grep --invert-match '^rpmlib(' | + sort --unique >/tmp/dynamic-buildrequires + + sort /tmp/buildrequires /tmp/dynamic-buildrequires | + uniq --unique | + tee --append /tmp/buildrequires | + xargs --delimiter '\n' mkosi-install +done diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf index 146e03a..25059c2 100644 --- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf +++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf @@ -4,5 +4,14 @@ Distribution=centos [Content] +Environment= + # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of + # mkfs.ext4 enabled it by default, so we disable it explicitly. + Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file" + GIT_URL=https://git.centos.org/rpms/systemd.git + GIT_BRANCH=c9s-sig-hyperscale + GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7 + Packages= - kernel-modules # For squashfs support + kernel-modules # For squashfs + rpmautospec-rpm-macros diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf deleted file mode 100644 index 99b846d..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# CentOS does not support btrfs so we use xfs instead. -[Partition] -Format=xfs diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf deleted file mode 100644 index 393d5f0..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# CentOS does not support erofs so we use squashfs instead. -[Partition] -Format=squashfs diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf deleted file mode 100644 index 588f833..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf +++ /dev/null @@ -1,29 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|debian -Distribution=|ubuntu - -[Content] -Packages= - apt - btrfs-progs - cryptsetup-bin - dbus-broker - default-dbus-session-bus - f2fs-tools - fdisk - iproute2 - isc-dhcp-server - libcap-ng-utils - netcat-openbsd - openssh-server - passwd - policykit-1 - procps - python3 - python3-pefile - python3-psutil - python3-pytest - quota - xxd diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot new file mode 100755 index 0000000..7e4eab9 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot @@ -0,0 +1,142 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. /usr/lib/os-release + +if [ ! -d "pkg/$ID/debian" ]; then + echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2 + exit 1 +fi + +# We transplant the debian/ folder from the deb package sources into the upstream sources. +mount --mkdir --bind "$SRCDIR/pkg/$ID/debian" "$SRCDIR"/debian + +# We remove the patches so they don't get applied. +rm -rf "$SRCDIR"/debian/patches/* + +# While the build directory can be specified through DH_OPTIONS, the default one is hardcoded everywhere so +# we have to use that. Because it is architecture dependent, we query it using dpkg-architecture first. +DEB_HOST_GNU_TYPE="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)" +mount --mkdir --bind "$BUILDDIR" "$SRCDIR/obj-$DEB_HOST_GNU_TYPE" + +if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then + TS="$(git show --no-patch --format=%ct HEAD)" +else + TS="${SOURCE_DATE_EPOCH:-$(date +%s)}" +fi + +# Add a new changelog entry to update the version. We use a fixed date since a dynamic one causes a full +# rebuild every time. +cat >debian/changelog.new <<EOF +systemd ($(cat meson.version)-$(date "+%Y%m%d%H%M%S" --date "@$TS")) UNRELEASED; urgency=low + + * Automatic build from mkosi + + -- systemd test <systemd-devel@lists.freedesktop.org> $(date --rfc-email --date "@$TS") + +EOF +cat debian/changelog >>debian/changelog.new +mv debian/changelog.new debian/changelog + +MKOSI_CFLAGS="-O0" +if ((LLVM)); then + # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed. + MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function" +fi + +MKOSI_LDFLAGS="" +if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then + MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux" +fi + +MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}" +if ((WIPE)); then + MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe" +fi + +# TODO: Drop GENSYMBOLS_LEVEL once https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986746 is fixed. +build() { + env \ + CC="$( ((LLVM)) && echo clang || echo gcc)" \ + CXX="$( ((LLVM)) && echo clang++ || echo g++)" \ + CC_LD="$( ((LLVM)) && echo lld)" \ + CXX_LD="$( ((LLVM)) && echo lld)" \ + DEB_BUILD_OPTIONS="$(awk '$1=$1' <<<"\ + $( ((WITH_TESTS)) || echo nocheck) \ + $( ((WITH_DOCS)) || echo nodoc) \ + $( ((WITH_DEBUG)) && echo debug || echo nostrip) \ + $( ! ((MESON_VERBOSE)) && echo terse) \ + optimize=-lto \ + hardening=-fortify \ + ")" \ + DEB_BUILD_PROFILES="$(awk '$1=$1' <<<"\ + $( ((WITH_TESTS)) || echo nocheck) \ + $( ((WITH_DOCS)) || echo nodoc) \ + pkg.systemd.upstream \ + ")" \ + DEB_CFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \ + DEB_CXXFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \ + DEB_LDFLAGS_APPEND="$MKOSI_LDFLAGS $LDFLAGS" \ + DPKG_FORCE="unsafe-io" \ + DPKG_DEB_COMPRESSOR_TYPE="none" \ + DH_MISSING="--fail-missing" \ + CONFFLAGS_UPSTREAM="$MKOSI_MESON_OPTIONS $MESON_OPTIONS" \ + GENSYMBOLS_LEVEL="$( ((LLVM)) && echo 0 || echo 1)" \ + dpkg-buildpackage \ + --no-pre-clean \ + --unsigned-changes \ + --build=binary + + EXIT_STATUS=$? + + # Make sure we don't reconfigure twice. + MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}" + + return $EXIT_STATUS +} + +if ! build; then + # debhelper installs files for each package to debian/<package> so we figure out which files were + # packaged by querying all the package names from debian/control and running find on each of the + # corresponding package directory in debian/. + grep "Package:" debian/control | + sed "s/Package: //" | + xargs -d '\n' -I {} sh -c "[ -d debian/{} ] && (cd debian/{} && find . ! -type d ! -path "*dh-exec*" -printf '%P\n')" | + # Remove compression suffix from compressed manpages as the manpages in debian/tmp will be uncompressed. + sed --regexp-extended 's/([0-9])\.gz$/\1/' | + sort --unique >/tmp/packaged-files + + # We figure out the installed files by running find on debian/tmp/ which contains the files installed + # by meson install. + (cd debian/tmp/ && find . ! -type d ! -path "*dh-exec*" -printf '%P\n') >/tmp/installed-files + + if [ -f debian/not-installed ]; then + grep --invert-match "^#" debian/not-installed >>/tmp/installed-files + fi + + sort --unique --output /tmp/installed-files /tmp/installed-files + + # We get all the installed files that were not packaged by finding entries in the installed file that are + # not in the packaged file. + comm -23 /tmp/installed-files /tmp/packaged-files > /tmp/unpackaged-files + # If there are no unpackaged files something else went wrong. + if [ ! -s /tmp/unpackaged-files ]; then + exit 1 + fi + + # Otherwise, we append the unpackaged files to the filelist for the systemd package and retry the build. + cat /tmp/unpackaged-files >>debian/systemd.install + build +fi + +( + shopt -s nullglob + cp ../*.deb ../*.ddeb "$PACKAGEDIR" + cp ../*.deb ../*.ddeb "$OUTPUTDIR" +) diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf new file mode 100644 index 0000000..ae014fa --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf @@ -0,0 +1,93 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Environment= + GIT_URL=https://salsa.debian.org/systemd-team/systemd.git + GIT_SUBDIR=debian + GIT_BRANCH=debian/master + GIT_COMMIT=596a70511736d78c1d8a5a27dca3989806cfa733 + +VolatilePackages= + libnss-myhostname + libnss-mymachines + libnss-resolve + libnss-systemd + libpam-systemd + libsystemd-dev + libudev-dev + systemd + systemd-boot + systemd-boot-efi + systemd-container + systemd-coredump + systemd-dev + systemd-homed + systemd-journal-remote + systemd-oomd + systemd-resolved + systemd-sysv + systemd-tests + systemd-timesyncd + systemd-ukify + systemd-userdbd + udev + +Packages= + ^libasan[0-9]+$ + ^libtss2-esys-[0-9.]+-0$ + ^libtss2-mu-[0-9.]+-0$ + ^libubsan[0-9]+$ + apt + bind9-dnsutils + btrfs-progs + cryptsetup-bin + dbus-broker + dbus-user-session + dmsetup + dpkg-dev + f2fs-tools + fdisk + git-core + gnutls-bin + iproute2 + iputils-ping + isc-dhcp-server + libcap-ng-utils + libclang-rt-dev + libtss2-rc0 + libtss2-tcti-device0 + locales + man-db + multipath-tools + netcat-openbsd + open-iscsi + openssh-client + openssh-server + passwd + policykit-1 + procps + psmisc + python3-pexpect + python3-psutil + quota + sbsigntool + softhsm2 + squashfs-tools + stress + tgt + tpm2-tools + tzdata + xxd + +InitrdPackages= + btrfs-progs + libclang-rt-dev + tpm2-tools + +InitrdVolatilePackages= + systemd + udev diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf new file mode 100644 index 0000000..b53b3dc --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Environment=WITH_DEBUG=1 + +[Content] +VolatilePackages= + libnss-myhostname-dbgsym + libnss-mymachines-dbgsym + libnss-resolve-dbgsym + libnss-systemd-dbgsym + libpam-systemd-dbgsym + libsystemd-shared-dbgsym + libsystemd0-dbgsym + libudev1-dbgsym + systemd-boot-dbgsym + systemd-container-dbgsym + systemd-coredump-dbgsym + systemd-dbgsym + systemd-homed-dbgsym + systemd-journal-remote-dbgsym + systemd-oomd-dbgsym + systemd-resolved-dbgsym + systemd-tests-dbgsym + systemd-timesyncd-dbgsym + systemd-userdbd-dbgsym + udev-dbgsym diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf new file mode 100644 index 0000000..4fb4f46 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Environment=NO_BUILD=1 + +[Content] +WithNetwork=yes diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst new file mode 100755 index 0000000..314f235 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst @@ -0,0 +1,29 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# By default Suggests are not installed (and often Recommends are disabled too), which means we will miss +# the dlopen optional dependencies, but the tests need them, so parse them from the package metadata and +# install them. This is not an issue when building locally, as the build and runtime images are the same, +# so they would get installed as build dependencies anyway. + +if [ "$1" = "build" ] || ! ((NO_BUILD)); then + exit 0 +fi + +# Query the Recommends and Suggests of all systemd packages, by matching on the version +systemd_version="$(dpkg-query --showformat '${Version}' --show systemd)" +mapfile -t systemd_packages < <( dpkg --list | grep '^ii' | grep "$systemd_version" | awk '{print $2}' | tr '\n' ' ' ) +extra_packages=() +# shellcheck disable=SC2068 +for package in ${systemd_packages[@]}; do + # We are looking for dlopens, so filter for libraries + mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Suggests}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib") + mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Recommends}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib") +done + +if [ "${#extra_packages[@]}" -eq 0 ]; then + exit 0 +fi + +apt install "${extra_packages[@]}" diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare new file mode 100755 index 0000000..645671a --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare @@ -0,0 +1,18 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ] || ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. "$BUILDROOT/usr/lib/os-release" + +if [ ! -d "pkg/$ID/debian" ]; then + echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2 + exit 1 +fi + +cd "pkg/$ID" +DEB_BUILD_PROFILES="pkg.systemd.upstream" apt-get build-dep . diff --git a/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf new file mode 100644 index 0000000..c6b6155 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf index 76a6898..af923fa 100644 --- a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf +++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf @@ -1,10 +1,8 @@ # SPDX-License-Identifier: LGPL-2.1-or-later [Match] -Distribution=debian Architecture=arm64 [Content] Packages= - bpftool linux-image-cloud-arm64 diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf index d3c89f3..615de52 100644 --- a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf +++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf @@ -1,10 +1,8 @@ # SPDX-License-Identifier: LGPL-2.1-or-later [Match] -Distribution=debian Architecture=x86-64 [Content] Packages= - bpftool linux-image-cloud-amd64 diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf deleted file mode 100644 index 42d0093..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf +++ /dev/null @@ -1,10 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=fedora - -[Content] -Packages= - btrfs-progs - compsize - f2fs-tools diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf new file mode 100644 index 0000000..689fe7d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +Environment= + GIT_URL=https://src.fedoraproject.org/rpms/systemd.git + GIT_BRANCH=rawhide + GIT_COMMIT=1f94b56cee818068f57debfd78f035edd29f0e61 + +Packages= + btrfs-progs + compsize + dnf5 + f2fs-tools + scsi-target-utils + # Required for systemd-networkd-tests.py (netdevsim and sch_xxx modules) + kernel-modules-extra + kernel-modules-internal + +InitrdPackages= + btrfs-progs diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf deleted file mode 100644 index 60a2b6d..0000000 --- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf +++ /dev/null @@ -1,23 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=opensuse - -[Content] -Packages= - bpftool - btrfs-progs - cryptsetup - dbus-broker - f2fs-tools - glibc-locale-base - kernel-kvmsmall - libcap-ng-utils - openssh-server - python3 - python3-pefile - python3-psutil - python3-pytest - quota - shadow - vim diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst index de610df..417132f 100755 --- a/mkosi.images/initrd/mkosi.postinst +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot new file mode 100755 index 0000000..3d6cc58 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot @@ -0,0 +1,132 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. /usr/lib/os-release +ID="${ID%-*}" + +if [ ! -f "pkg/$ID/systemd.spec" ]; then + echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2 + exit 1 +fi + +if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then + TS="$(git show --no-patch --format=%ct HEAD)" +else + TS="${SOURCE_DATE_EPOCH:-$(date +%s)}" +fi + +# The openSUSE filelists hardcode the manpage compression extension. This causes rpmbuild errors since we +# disable manpage compression as the files cannot be found. Fix the issue by removing the compression +# extension. +find "pkg/$ID" -name "files.*" -exec sed --in-place 's/\.gz$//' {} \; + +if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.20"; then + # Fix the %install override so debuginfo packages are generated. + tee --append /usr/lib/rpm/suse/macros <<'EOF' +%install %{debug_package}\ +%%install\ +%{nil} +EOF +fi + +VERSION="$(cat meson.version)" +RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")" + +DIST="$(rpm --eval %dist)" +ARCH="$(rpm --eval %_arch)" +SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH" + +MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE" +if ((WITH_DEBUG)); then + MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST" +fi +if ((LLVM)); then + # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed. + MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function" +fi + +MKOSI_LDFLAGS="$(rpm --eval "%{?build_ldflags}")" +if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then + MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux" +fi + +# A macro can't have an empty body and currently opensuse does not specify any of its own linker flags so +# set LDFLAGS to %{nil} if there are no linker flags. +if [[ -z "${MKOSI_LDFLAGS// }" ]]; then + MKOSI_LDFLAGS="%{nil}" +fi + +MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}" +if ((WIPE)); then + MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe" +fi + +build() { + IFS= + # shellcheck disable=SC2046 + env \ + --unset CFLAGS \ + --unset CXXFLAGS \ + --unset LDFLAGS \ + CC="$( ((LLVM)) && echo clang || echo gcc)" \ + CXX="$( ((LLVM)) && echo clang++ || echo g++)" \ + CC_LD="$( ((LLVM)) && echo lld)" \ + CXX_LD="$( ((LLVM)) && echo lld)" \ + rpmbuild \ + -bb \ + --build-in-place \ + --with upstream \ + $( ((WITH_TESTS)) || echo "--nocheck") \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + --define "_rpmdir $OUTPUTDIR" \ + ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \ + --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \ + --define "_binary_payload w.ufdio" \ + $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \ + --define "vendor openSUSE" \ + --define "version_override $VERSION" \ + --define "release_override $RELEASE" \ + --define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'" \ + --define "build_cflags $(rpm --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \ + --define "build_cxxflags $(rpm --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \ + --define "build_ldflags $MKOSI_LDFLAGS $LDFLAGS" \ + $( ((MESON_VERBOSE)) || echo "--undefine=__meson_verbose") \ + --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \ + --define "__os_install_post /usr/lib/rpm/brp-suse %{nil}" \ + --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \ + --define "__script_requires %{nil}" \ + --define "_find_debuginfo_dwz_opts %{nil}" \ + --define "_fixperms true" \ + --noclean \ + "$@" \ + "pkg/$ID/systemd.spec" + + EXIT_STATUS=$? + + # Make sure we don't reconfigure twice. + MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}" + + return $EXIT_STATUS +} + +if ! build; then + if [ ! -s /tmp/unpackaged-files ]; then + exit 1 + fi + + # rpm will append to any existing systemd.lang so delete it explicitly so we don't get duplicate file + # warnings. + rm systemd.lang + + grep -v ".debug" /tmp/unpackaged-files >>"pkg/$ID/files.systemd" + build --noprep --nocheck +fi + +cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR" diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf new file mode 100644 index 0000000..38ae052 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf @@ -0,0 +1,100 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Config] +InitrdInclude=initrd/ + +[Content] +Environment= + GIT_URL=https://src.opensuse.org/rpm/systemd + GIT_BRANCH=factory + GIT_COMMIT=973534fe1a0a5746ead5bbb6dff8b9ccb9e010982997ed56eba8e44a41c5895d + +VolatilePackages= + systemd + systemd-boot + systemd-container + systemd-devel + systemd-doc + systemd-experimental + systemd-homed + systemd-lang + systemd-network + systemd-portable + systemd-sysvcompat + systemd-testsuite + udev + +# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox +# versions don't get installed instead. +Packages= + bind-utils + bpftool + btrfs-progs + cryptsetup + device-mapper + dhcp-server + docbook-xsl-stylesheets + f2fs-tools + gawk + gcc-c++ + git-core + glibc-locale-base + gnutls + grep + group(bin) + group(daemon) + group(games) + group(nobody) + group(root) + gzip + iputils + kernel-default + kmod + libasan8 + libkmod2 + libubsan1 + multipath-tools + open-iscsi + openssh-clients + openssh-server + pam + patterns-base-minimal_base + procps4 + psmisc + python3-pefile + python3-pexpect + python3-psutil + quota + rpm-build + rsync + sbsigntools + sed + shadow + softhsm + squashfs + tgt + timezone + tpm2.0-tools + user(bin) + user(daemon) + user(games) + user(nobody) + user(root) + veritysetup + vim + xz + +InitrdPackages= + btrfs-progs + clang + kmod + libkmod2 + tpm2.0-tools + +InitrdVolatilePackages= + systemd + udev + systemd-experimental diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf new file mode 100644 index 0000000..2262eae --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Environment=WITH_DEBUG=1 + +[Content] +VolatilePackages= + libsystemd0-debuginfo + libudev1-debuginfo + systemd-boot-debuginfo + systemd-container-debuginfo + systemd-coredump-debuginfo + systemd-debuginfo + systemd-debugsource + systemd-experimental-debuginfo + systemd-homed-debuginfo + systemd-journal-remote-debuginfo + systemd-network-debuginfo + systemd-portable-debuginfo + systemd-sysvcompat-debuginfo + systemd-testsuite-debuginfo + udev-debuginfo diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare new file mode 100755 index 0000000..282a360 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare @@ -0,0 +1,61 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ] || ((NO_BUILD)); then + exit 0 +fi + +# shellcheck source=/dev/null +. "$BUILDROOT/usr/lib/os-release" +ID="${ID%-*}" + +if [ ! -f "pkg/$ID/systemd.spec" ]; then + echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2 + exit 1 +fi + +for DEPS in --requires --buildrequires; do + mkosi-chroot \ + rpmspec \ + --with upstream \ + --query \ + "$DEPS" \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + "pkg/$ID/systemd.spec" | + grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev | + sort --unique | + tee /tmp/buildrequires | + xargs --delimiter '\n' mkosi-install +done + +until mkosi-chroot \ + rpmbuild \ + -bd \ + --build-in-place \ + --with upstream \ + --define "_topdir /var/tmp" \ + --define "_sourcedir pkg/$ID" \ + --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \ + "pkg/$ID/systemd.spec" +do + EXIT_STATUS=$? + if [ $EXIT_STATUS -ne 11 ]; then + exit $EXIT_STATUS + fi + + mkosi-chroot \ + rpm \ + --query \ + --package \ + --requires \ + /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm | + grep --invert-match '^rpmlib(' | + sort --unique >/tmp/dynamic-buildrequires + + sort /tmp/buildrequires /tmp/dynamic-buildrequires | + uniq --unique | + tee --append /tmp/buildrequires | + xargs --delimiter '\n' mkosi-install +done diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf index f58ee7e..25957b1 100644 --- a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf @@ -3,9 +3,11 @@ [Match] Distribution=ubuntu +[Distribution] +PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources + [Content] Packages= - # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials. linux-image-generic linux-tools-common - linux-tools-generic + linux-tools-virtual diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources new file mode 100644 index 0000000..d10c1e8 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +Types: deb +URIs: http://archive.ubuntu.com/ubuntu +Suites: noble-backports +Components: main universe +Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg diff --git a/mkosi.images/system/mkosi.conf.d/20-images.conf b/mkosi.images/system/mkosi.conf.d/20-images.conf new file mode 100644 index 0000000..8641984 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/20-images.conf @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Format=!none + +[Config] +Dependencies= + exitrd + minimal-base + minimal-0 + minimal-1 + +[Content] +ExtraTrees= + %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw + %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity + %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig + %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw + %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity + %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig + %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template + %O/exitrd:/exitrd diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf new file mode 100644 index 0000000..8c1920b --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Profile=particle + +[Output] +RepartDirectories= +RepartDirectories=mkosi.repart + +[Validation] +@SecureBoot=yes +@SignExpectedPcr=yes + +[Host] +@RuntimeSize=8G diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf index 3755278..3755278 100644 --- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf index 71eb9e3..2f92af2 100644 --- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf @@ -4,5 +4,3 @@ Type=root Format=btrfs SizeMinBytes=1G -Subvolumes=/home /var -MakeDirectories=/home /var diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf index dac79ba..dac79ba 100644 --- a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize index 74b810c..69f9554 100755 --- a/mkosi.images/system/mkosi.finalize +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize @@ -1,4 +1,6 @@ -#!/bin/sh +#!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later +set -e +mkdir -p "$BUILDROOT"/usr/share/factory/mkosi cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot new file mode 100755 index 0000000..95e0552 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot @@ -0,0 +1,12 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# sbsign is not available on CentOS Stream +if command -v sbsign &>/dev/null; then + # Ensure that side-loaded PE addons are loaded if signed, and ignored if not + addons_dir=/efi/loader/addons + mkdir -p "$addons_dir" + ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi" + ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi" +fi diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf new file mode 100644 index 0000000..391543d --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=esp +Format=vfat +CopyFiles=/boot:/ +CopyFiles=/efi:/ +SizeMinBytes=1G +SizeMaxBytes=1G diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf index 343761d..343761d 100644 --- a/mkosi.images/system/mkosi.repart/10-usr.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf index b4d45dd..b4d45dd 100644 --- a/mkosi.images/system/mkosi.repart/11-usr-verity.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf index 1841d0a..1841d0a 100644 --- a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf +++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf diff --git a/mkosi.images/system/mkosi.extra/.autorelabel b/mkosi.images/system/mkosi.extra/.autorelabel new file mode 100644 index 0000000..bd4fba4 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/.autorelabel @@ -0,0 +1 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later diff --git a/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf b/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf new file mode 100644 index 0000000..fcf4cd9 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/etc/iscsi/iscsid.conf @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +iscsid.startup = /usr/bin/systemctl start iscsid.socket diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf deleted file mode 100644 index 2f95329..0000000 --- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't -# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles -# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set -# Storage= to persistent to have systemd-journald create /var/log/journal itself. -[Journal] -Storage=persistent diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf new file mode 100644 index 0000000..3baede4 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/ratelimit.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Journal] +RateLimitIntervalSec=0 +RateLimitBurst=0 diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh deleted file mode 100755 index 9bb2462..0000000 --- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -eux -# SPDX-License-Identifier: LGPL-2.1-or-later - -# TODO: Figure out why this is failing -systemctl reset-failed systemd-vconsole-setup.service - -systemctl --failed --no-legend | tee /failed-services - -# Check that secure boot keys were properly enrolled. -if ! systemd-detect-virt --container; then - cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1') - cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0') - # TODO: Figure out why this is failing - # grep -q this_should_be_here /proc/cmdline - # grep -q this_should_not_be_here /proc/cmdline && exit 1 -fi - -# Exit with non-zero EC if the /failed-services file is not empty (we have -e set) -[[ ! -s /failed-services ]] diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset index 070af4c..c364058 100644 --- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset @@ -19,6 +19,9 @@ enable dbus-broker.service enable systemd-networkd.service enable systemd-networkd-wait-online.service +# systemd-resolved is disable by default on CentOS so make sure it is enabled. +enable systemd-resolved.service + # We install dnf in some images but it's only going to be used rarely, # so let's not have dnf create its cache. disable dnf-makecache.* @@ -28,3 +31,11 @@ disable auditd.service # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead. enable systemd-timesyncd.service + +# Skipped if selinux is not enabled, required for TEST-06-SELINUX. +enable autorelabel.service + +# Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead. +disable iscsi.service +disable iscsid.socket +disable iscsiuio.socket diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset index 710ee7c..710ee7c 100644 --- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf new file mode 100644 index 0000000..ebf7899 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# The iscsi-init.service calls `sh` which might, in certain circumstances, pull in instrumented systemd NSS +# modules causing `sh` to fail. Avoid the issue by setting LD_PRELOAD to load the sanitizer libraries if +# needed. +[Service] +EnvironmentFile=-/usr/lib/systemd/systemd-asan-env diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service deleted file mode 100644 index 7942cbf..0000000 --- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later -[Unit] -Description=Check if any service failed and then shutdown the machine -After=multi-user.target network-online.target -Requires=multi-user.target -Wants=systemd-resolved.service systemd-networkd.service network-online.target -SuccessAction=exit -FailureAction=exit -# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the -# host. -SuccessActionExitStatus=123 - -[Service] -Type=oneshot -ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf new file mode 100644 index 0000000..d0093b7 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Service] +PassEnvironment=SYSTEMD_UNIT_PATH diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf index e1a8e81..e1a8e81 100644 --- a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf +++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/locale.conf diff --git a/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf b/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf new file mode 100644 index 0000000..ddd36ed --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/share/dbus-1/system.d/systemd.test.ExecStopPost.conf @@ -0,0 +1,13 @@ +<?xml version="1.0"?> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<!-- + SPDX-License-Identifier: LGPL-2.1-or-later +--> + +<busconfig> + <policy user="root"> + <allow own="systemd.test.ExecStopPost"/> + </policy> +</busconfig> diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb deleted file mode 100644 index 26f882b..0000000 --- a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb +++ /dev/null @@ -1,3 +0,0 @@ -set debuginfod enabled off -set build-id-verbose 0 -set substitute-path ../src /root/src/systemd diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot index 0cb9b9c..4686802 100755 --- a/mkosi.images/system/mkosi.postinst.chroot +++ b/mkosi.images/system/mkosi.postinst.chroot @@ -1,68 +1,9 @@ -#!/bin/sh +#!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e +set -o nounset -if [ "$1" = "build" ]; then - exit 0 -fi - -if [ -n "$SANITIZERS" ]; then - LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') - - mkdir -p /etc/systemd/system.conf.d - - cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF -[Manager] -ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ - UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ - LD_PRELOAD=$LD_PRELOAD -DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ - UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ - LD_PRELOAD=$LD_PRELOAD -EOF - - # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose - # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any - # sanitizer failures appear directly on the user's console. - mkdir -p /etc/systemd/system/systemd-journald.service.d - cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF -[Service] -StandardOutput=tty -EOF - - # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users. - # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As - # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login - # from calling vhangup() so that journald's ASAN logs correctly end up in the console. - - mkdir -p /etc/systemd/system/console-getty.service.d - cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF -[Service] -TTYVHangup=no -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -EOF - # ASAN and syscall filters aren't compatible with each other. - find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + - - # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. - systemctl mask systemd-hwdb-update.service -fi - -if [ -n "$IMAGE_ID" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_ID=/!p' \ - -e "\$aIMAGE_ID=$IMAGE_ID" \ - /usr/lib/os-release -fi - -if [ -n "$IMAGE_VERSION" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_VERSION=/!p' \ - -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ - /usr/lib/os-release -fi +useradd --uid 4711 --create-home --user-group testuser if command -v authselect >/dev/null; then # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so @@ -85,9 +26,147 @@ fi mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf rm -f /etc/resolv.conf -. /usr/lib/os-release +for f in "$BUILDROOT"/usr/share/*.verity.sig; do + jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash" +done + +# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by +# systemd-journald. +rm -r "$BUILDROOT/var/log/journal" + +rm -f /etc/nsswitch.conf +cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf + +# Remove to make TEST-73-LOCALE pass on Ubuntu. +rm -f /etc/default/keyboard + +# This is executed inside the chroot so no need to disable any features as the default features will match +# the kernel's supported features. +SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \ + systemd-repart \ + --empty=create \ + --dry-run=no \ + --size=auto \ + --offline=true \ + --root test/TEST-24-CRYPTSETUP \ + --definitions test/TEST-24-CRYPTSETUP/keydev.repart \ + "$OUTPUTDIR/keydev.raw" + +can_test_pkcs11() { + if ! command -v "softhsm2-util" >/dev/null; then + echo "softhsm2-util not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! command -v "pkcs11-tool" >/dev/null; then + echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! command -v "certtool" >/dev/null; then + echo "certtool not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+P11KIT"; then + echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+OPENSSL"; then + echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then + echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then + echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + + return 0 +} + +setup_pkcs11_token() { + echo "Setup PKCS#11 token" >&2 + local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE + + export SOFTHSM2_CONF="/tmp/softhsm2.conf" + mkdir -p /usr/lib/softhsm/tokens/ + cat >$SOFTHSM2_CONF <<EOF +directories.tokendir = /usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +EOF + export GNUTLS_PIN="1234" + export GNUTLS_SO_PIN="12345678" + softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN" + + if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then + echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2 + P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules" + fi + + if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then + echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2 + P11_MODULE_DIR="/usr/lib/pkcs11" + fi + + SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs) + if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then + SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE" + fi + + # RSA ##################################################### + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \ + --template "test/TEST-24-CRYPTSETUP/template.cfg" \ + --outder --outfile "/tmp/rsa_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey" + rm "/tmp/rsa_test.crt" + + # prime256v1 ############################################## + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \ + --template "test/TEST-24-CRYPTSETUP/template.cfg" \ + --outder --outfile "/tmp/ec_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey" + rm "/tmp/ec_test.crt" + + ########################################################### + rm "$SOFTHSM2_CONF" + unset SOFTHSM2_CONF + + cat >/etc/softhsm2.conf <<EOF +directories.tokendir = /usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +log.level = INFO +EOF + + mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d + cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF +[Unit] +# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times +StartLimitBurst=10 + +[Service] +Environment="SOFTHSM2_CONF=/etc/softhsm2.conf" +Environment="PIN=$GNUTLS_PIN" +EOF + + unset GNUTLS_PIN + unset GNUTLS_SO_PIN +} -if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 - alternatives --set python3 /usr/bin/python3.9 +if can_test_pkcs11; then + setup_pkcs11_token fi diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf index 4be0466..391543d 100644 --- a/mkosi.images/system/mkosi.repart/00-esp.conf +++ b/mkosi.images/system/mkosi.repart/00-esp.conf @@ -5,5 +5,5 @@ Type=esp Format=vfat CopyFiles=/boot:/ CopyFiles=/efi:/ -SizeMinBytes=512M -SizeMaxBytes=512M +SizeMinBytes=1G +SizeMaxBytes=1G diff --git a/mkosi.images/system/mkosi.repart/10-root.conf b/mkosi.images/system/mkosi.repart/10-root.conf new file mode 100644 index 0000000..715b925 --- /dev/null +++ b/mkosi.images/system/mkosi.repart/10-root.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=root +Format=ext4 +CopyFiles=/ +SizeMinBytes=8G +SizeMaxBytes=8G diff --git a/mkosi.images/system/mkosi.sanitizers.chroot b/mkosi.images/system/mkosi.sanitizers.chroot new file mode 100755 index 0000000..524e3da --- /dev/null +++ b/mkosi.images/system/mkosi.sanitizers.chroot @@ -0,0 +1,127 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e +set -o nounset + +if [[ -z "${SANITIZERS:-}" ]]; then + exit 0 +fi + +# Sanitizers log to stderr by default. However, journald's stderr is connected to /dev/null, so we lose +# all the sanitizer logs. To rectify that, let's connect journald's stdout to kmsg so that the sanitizer +# failures end up in the journal. +mkdir -p /etc/systemd/system/systemd-journald.service.d +cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF +[Service] +StandardOutput=kmsg +EOF + +# ASAN and syscall filters aren't compatible with each other. +find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + + +# 'systemd-hwdb update' takes > 50s when built with sanitizers so let's not run it by default. +systemctl mask systemd-hwdb-update.service + +ASAN_RT_PATH="$(grep libasan.so < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)" +if [[ -z "$ASAN_RT_PATH" ]]; then + ASAN_RT_PATH="$(grep libclang_rt.asan < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)" + + # As clang's ASan DSO is usually in a non-standard path, let's check if the RUNPATH is set accordingly. + if ldd /usr/lib/systemd/systemd | grep -q "libclang_rt.asan.*not found"; then + echo >&2 "clang's ASan DSO libclang_rt.asan is not present in the runtime library path" + exit 1 + fi +fi +if [[ -z "$ASAN_RT_PATH" ]]; then + echo >&2 "systemd is not linked against the ASan DSO" + echo >&2 "gcc does this by default, for clang compile with -shared-libasan" + exit 1 +fi + +wrap=( + /usr/lib/polkit-1/polkitd + /usr/libexec/polkit-1/polkitd + agetty + btrfs + capsh + chgrp + chown + cryptsetup + curl + dbus-broker-launch + dbus-daemon + delv + dhcpd + dig + dmsetup + dnsmasq + findmnt + getent + getfacl + id + integritysetup + iscsid + kpartx + logger + login + ls + lsblk + lvm + mdadm + mkfs.btrfs + mkfs.erofs + mkfs.ext4 + mkfs.vfat + mkfs.xfs + mksquashfs + mkswap + multipath + multipathd + nvme + p11-kit + pkill + ps + setfacl + setpriv + sshd + stat + su + tar + tgtd + useradd + userdel + veritysetup +) + +for bin in "${wrap[@]}"; do + if ! command -v "$bin" >/dev/null; then + continue + fi + + if [[ "$bin" == getent ]]; then + enable_lsan=1 + else + enable_lsan=0 + fi + + target="$(command -v "$bin")" + + mv "$target" "$target.orig" + + cat >"$target" <<EOF +#!/bin/bash +# Preload the ASan runtime DSO, otherwise ASAn will complain +export LD_PRELOAD="$ASAN_RT_PATH" +# Disable LSan to speed things up, since we don't care about leak reports +# from 'external' binaries +export ASAN_OPTIONS=detect_leaks=$enable_lsan +# Set argv[0] to the original binary name without the ".orig" suffix +exec -a "\$0" -- "${target}.orig" "\$@" +EOF + chmod +x "$target" +done + +cat >/usr/lib/systemd/systemd-asan-env <<EOF +LD_PRELOAD=$ASAN_RT_PATH +LSAN_OPTIONS=detect_leaks=0 +EOF diff --git a/mkosi.images/system/mkosi.sync b/mkosi.images/system/mkosi.sync new file mode 100755 index 0000000..d21ecd1 --- /dev/null +++ b/mkosi.images/system/mkosi.sync @@ -0,0 +1,36 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e +set -o nounset + +if ((${NO_SYNC:-0})); then + exit 0 +fi + +PKG_SUBDIR="$(realpath --canonicalize-missing "pkg/$DISTRIBUTION" --relative-to "$PWD")" + +if [[ -d "$PKG_SUBDIR/.git" ]] && [[ "$(git -C "$PKG_SUBDIR" rev-parse HEAD)" == "$GIT_COMMIT" ]]; then + exit 0 +fi + +# The repository on Salsa has the full upstream sources, so it's a waste of space to +# redownload and duplicate everything, so do a sparse checkout as we only need the +# packaging directory anyway +if [[ -n "${GIT_SUBDIR:-}" ]]; then + sparse=(--no-checkout --filter=tree:0) +else + sparse=() +fi + +if [[ ! -e "$PKG_SUBDIR" ]] || [[ -z "$(ls --almost-all "$PKG_SUBDIR")" ]]; then + git clone "$GIT_URL" --branch "$GIT_BRANCH" "${sparse[@]}" "$PKG_SUBDIR" + if [[ -n "${GIT_SUBDIR:-}" ]]; then + # --no-cone is needed to check out only one top-level directory + git -C "$PKG_SUBDIR" sparse-checkout set --no-cone "${GIT_SUBDIR:-}" + fi +else + git -C "$PKG_SUBDIR" remote set-url origin "$GIT_URL" + git -C "$PKG_SUBDIR" fetch origin "$GIT_BRANCH" +fi + +git -C "$PKG_SUBDIR" -c advice.detachedHead=false checkout "$GIT_COMMIT" |