#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

# Nothing to do when invoked for the build phase (first argument "build"); the tweaks below are only
# meant for the final image.
[ "$1" != "build" ] || exit 0

if [ -n "$SANITIZERS" ]; then
    # Path of the shared ASAN runtime systemd is linked against, taken from the "=>" column of ldd's output.
    # A grep miss (no libasan.so linked in) is masked by the pipeline, so LD_PRELOAD then ends up silently
    # empty and the drop-ins below carry an empty LD_PRELOAD=. NOTE(review): confirm that is the intended
    # outcome for builds whose sanitizer runtime is linked statically.
    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')

    mkdir -p /etc/systemd/system.conf.d

    # Hand the sanitizer options and the runtime preload to PID 1 (ManagerEnvironment=) and to every
    # process it spawns (DefaultEnvironment=). The doubled backslashes come out of the unquoted heredoc as
    # a single trailing backslash, i.e. a unit-file line continuation.
    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
[Manager]
ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
EOF

    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
    # sanitizer failures appear directly on the user's console.
    mkdir -p /etc/systemd/system/systemd-journald.service.d
    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
[Service]
StandardOutput=tty
EOF

    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
    # Removing CAP_SYS_TTY_CONFIG from the bounding set is what takes vhangup() away from login.

    mkdir -p /etc/systemd/system/console-getty.service.d
    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
[Service]
TTYVHangup=no
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
EOF
    # ASAN and syscall filters aren't compatible with each other.
    # The sed expression comments out every line beginning with MemoryDeny or SystemCall (e.g.
    # MemoryDenyWriteExecute=, SystemCallFilter=, SystemCallArchitectures=) in every *.service file found
    # anywhere on the filesystem, which strips those sandboxing layers from all units image-wide. That is
    # only acceptable because this branch runs for sanitizer builds alone. `\|` alternation is GNU sed.
    find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +

    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
    systemctl mask systemd-hwdb-update.service
fi

if [ -n "$IMAGE_ID" ] ; then
    # Replace any existing IMAGE_ID= line in os-release with the requested value: with -n only the lines
    # that do not match are printed back (!p) and the new assignment is appended after the last line ($a).
    # In-place editing without a backup suffix and `$a` are GNU sed behaviour. The value is spliced into the
    # sed script unescaped, so a newline or backslash in it would be read as part of the sed program; it is a
    # build-time setting rather than user input, which is why no escaping is done here.
    sed -n \
        -i \
        -e '/^IMAGE_ID=/!p' \
        -e "\$aIMAGE_ID=$IMAGE_ID" \
        /usr/lib/os-release
fi

if [ -n "$IMAGE_VERSION" ] ; then
    # Same dance as for IMAGE_ID: drop the old IMAGE_VERSION= line (-n plus !p) and append the new one
    # after the last line ($a, GNU sed). The value goes into the sed script unescaped, so it must not carry
    # newlines or backslashes; it comes from the build configuration, not from untrusted input.
    sed -n \
        -i \
        -e '/^IMAGE_VERSION=/!p' \
        -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
        /usr/lib/os-release
fi

if command -v authselect >/dev/null; then
    # Pick the authselect profile to activate. authselect 1.5.0 renamed the "minimal" profile to "local"
    # without keeping the old name, so prefer "local" when that profile directory exists and fall back to
    # "minimal" on older releases.
    PROFILE=minimal
    if [ -d /usr/share/authselect/default/local ]; then
        PROFILE=local
    fi

    authselect select "$PROFILE"

    # Enable the systemd-homed feature, but only where the chosen profile actually offers it.
    if authselect list-features "$PROFILE" | grep -q with-homed; then
        authselect enable-feature with-homed
    fi
fi

# /etc/resolv.conf is owned by the tmpfiles.d/systemd-resolve.conf snippet, which creates the symlink.
# Something may have mounted over the path; unmount it if so and remove whatever is left behind so the
# symlink can be created cleanly.
if mountpoint -q /etc/resolv.conf; then
    umount /etc/resolv.conf
fi
rm -f /etc/resolv.conf

# Pull ID=, VERSION= and friends into the environment. os-release is evaluated as shell code here, so it
# is expected to contain nothing but plain KEY=VALUE assignments.
. /usr/lib/os-release

# On CentOS 8 register python3.9 as the python3 alternative (priority 1) and select it explicitly.
if [ "$ID" = "centos" ]; then
    if [ "$VERSION" = "8" ]; then
        alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
        alternatives --set python3 /usr/bin/python3.9
    fi
fi