steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- - uses: systemd/mkosi@f61dac009ee584797e61a961d508cc52d7f4a03c
+ - uses: systemd/mkosi@9ffcdac128c66935aa5d5a98633fa7498bce92d1
- name: Configure
run: |
# For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
# version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
- mkdir -p mkosi.presets/20-final/mkosi.repart/10-usr.conf.d
- tee mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
+ mkdir -p mkosi.presets/system/mkosi.repart/10-usr.conf.d
+ tee mkosi.presets/system/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
[Partition]
Format=squashfs
EOF
# The emergency shell is not useful in the CI, as it just blocks for a long time before the job
# eventually times out. Override it to just shutdown immediately.
- mkdir -p mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- mkdir -p mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- tee mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
+ mkdir -p mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
+ mkdir -p mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
+ tee mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
[Unit]
FailureAction=exit
[Service]
ExecStart=
ExecStart=false
EOF
- cp mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
+ cp mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
- name: Generate secure boot key
run: mkosi --debug genkey
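Review bot: The bumped pin `- uses: systemd/mkosi@9ffcdac128c66935aa5d5a98633fa7498bce92d1` is a bare commit SHA with no human-readable reference next to it, so a reviewer cannot tell from the workflow which mkosi release or date the hash corresponds to, or whether a later bump is a genuine upgrade rather than a stray commit. Pinning to a full SHA is the right choice; it just needs a trailing comment, e.g. `- uses: systemd/mkosi@9ffcdac128c66935aa5d5a98633fa7498bce92d1  # <mkosi tag or date of the pinned commit>`, and the `actions/checkout@c85c95e3…` pin above it would benefit from the same. The `steps:` list this hunk edits most likely continues past the end of the hunk.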
+++ /dev/null
-#!/bin/bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
-# Simply invoke "mkosi" in the project directory to build an OS image.
-
-if [ "${container:-}" != "mkosi" ]; then
- exec mkosi-chroot "$SCRIPT" "$@"
-fi
-
-# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
-# initrd and final images, so override DESTDIR to store it in the output directory so we can reference it as
-# an extra tree in the initrd and final image builds.
-DESTDIR="$OUTPUTDIR/systemd"
-
-# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
-# as out-of-tree build dir. Otherwise, let's make up our own builddir.
-[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
-
-# Let's make sure we're using stuff from the build directory first if available there.
-PATH="$BUILDDIR:$PATH"
-export PATH
-
-# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
-# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
-# the ubuntu script with a symlink to the first bpftool program we can find.
-for bpftool in /usr/lib/linux-tools/*/bpftool; do
- [ -x "$bpftool" ] || continue
- ln -sf "$bpftool" "$BUILDDIR"/bpftool
- break
-done
-
-# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
-# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
-# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
-. /usr/lib/os-release
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- cat >"$BUILDDIR"/bpftool <<EOF
-#!/bin/sh
-if [ "\$1" = --version ]; then
- echo 5.6.0
-else
- exec /usr/sbin/bpftool \$@
-fi
-EOF
- chmod +x "$BUILDDIR"/bpftool
-fi
-
-if [ ! -f "$BUILDDIR"/build.ninja ]; then
- sysvinit_path=$(realpath /etc/init.d)
-
- if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- UKIFY=false
- else
- UKIFY=true
- fi
-
- # On Debian 'loadkeys us' fails
- if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
- DEFAULT_KEYMAP=""
- else
- DEFAULT_KEYMAP="us"
- fi
-
- CONFIGURE_OPTS=(
- -D sysvinit-path="$sysvinit_path"
- -D man=false
- -D translations=false
- -D version-tag="${VERSION_TAG}"
- -D mode=developer
- -D b_sanitize="${SANITIZERS:-none}"
- -D install-tests=true
- -D tests=unsafe
- -D slow-tests="${SLOW_TESTS:-false}"
- -D create-log-dirs=false
- -D pamconfdir=no
- -D utmp=true
- -D hibernate=true
- -D ldconfig=true
- -D resolve=true
- -D efi=true
- -D tpm=true
- -D environment-d=true
- -D binfmt=true
- -D repart=true
- -D sysupdate=true
- -D coredump=true
- -D pstore=true
- -D oomd=true
- -D logind=true
- -D hostnamed=true
- -D localed=true
- -D machined=true
- -D portabled=true
- -D sysext=true
- -D userdb=true
- -D homed=true
- -D networkd=true
- -D timedated=true
- -D timesyncd=true
- -D remote=true
- -D nss-myhostname=true
- -D nss-mymachines=true
- -D nss-resolve=true
- -D nss-systemd=true
- -D firstboot=true
- -D randomseed=true
- -D backlight=true
- -D vconsole=true
- -D quotacheck=true
- -D sysusers=true
- -D tmpfiles=true
- -D importd=true
- -D hwdb=true
- -D rfkill=true
- -D xdg-autostart=true
- -D translations=true
- -D polkit=true
- -D acl=true
- -D audit=true
- -D blkid=true
- -D fdisk=true
- -D kmod=true
- -D pam=true
- -D pwquality=true
- -D microhttpd=true
- -D libcryptsetup=true
- -D libcurl=true
- -D idn=true
- -D libidn2=true
- -D qrencode=true
- -D gcrypt=true
- -D gnutls=true
- -D openssl=true
- -D cryptolib=openssl
- -D p11kit=true
- -D libfido2=true
- -D tpm2=true
- -D elfutils=true
- -D zstd=true
- -D xkbcommon=true
- -D pcre2=true
- -D glib=true
- -D dbus=true
- -D bootloader=true
- -D kernel-install=true
- -D analyze=true
- -D bpf-framework=true
- -D ukify="$UKIFY"
- -D seccomp=true
- -D selinux=auto
- -D apparmor=auto
- -D smack=true
- -D ima=true
- -D first-boot-full-preset=true
- -D initrd=true
- -D fexecve=true
- -D default-keymap="$DEFAULT_KEYMAP"
- )
-
- # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
- # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
- # installed in the wrong directory and not be found by cryptsetup. Assume native build.
- if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
- CONFIGURE_OPTS+=(
- -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
- -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
- )
- fi
-
- # Set various uids and gids for which Fedora has "soft static" allocations.
- # Without this, we would get warning about mismatched sysusers.d entries
- # between the files that we and Fedora's setup package install.
- if grep -q '^ID=fedora' /usr/lib/os-release; then
- CONFIGURE_OPTS+=(
- -Dadm-gid=4
- -Daudio-gid=63
- -Dcdrom-gid=11
- -Ddialout-gid=18
- -Ddisk-gid=6
- -Dinput-gid=104
- -Dkmem-gid=9
- -Dkvm-gid=36
- -Dlp-gid=7
- -Drender-gid=105
- -Dsgx-gid=106
- -Dtape-gid=33
- -Dtty-gid=5
- -Dusers-gid=100
- -Dutmp-gid=22
- -Dvideo-gid=39
- -Dwheel-gid=10
- -Dsystemd-journal-gid=190
- -Dsystemd-network-uid=192
- -Dsystemd-resolve-uid=193
- )
- fi
-
- if grep -q '^ID="opensuse' /usr/lib/os-release; then
- CONFIGURE_OPTS+=(
- -Dbpf-compiler=gcc
- )
- fi
-
- ( set -x; meson setup "$BUILDDIR" "${CONFIGURE_OPTS[@]}" )
-fi
-
-( set -x; ninja -C "$BUILDDIR" "$@" )
-if [ "$WITH_TESTS" = 1 ]; then
- if [ -n "$SANITIZERS" ]; then
- export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
- export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
- TIMEOUT_MULTIPLIER=3
- else
- TIMEOUT_MULTIPLIER=1
- fi
-
- ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
-fi
-
-( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
- addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
- addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
- mkdir -p "${addons_dir}"
- ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
- ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Output]
-Format=directory
-
-[Content]
-Bootable=no
-CleanPackageMetadata=no
-Packages=
- kmod
- less
- util-linux
-
-BuildPackages=
- acl
- diffutils
- gawk
- binutils
- clang
- gettext
- git
- gperf
- grep
- lld
- llvm
- make
- meson
- pkgconf
- rsync
- sed
- tar
- zstd
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- cryptsetup
- dbus
- gnutls
- libbpf
- libfido2
- libmicrohttpd
- libnftnl
- libpwquality
- libseccomp
- libxkbcommon
- openssl
- qrencode
- tpm2-tss
-
-BuildPackages=
- bpf
- docbook-xsl
- glib2
- libxslt
- linux-api-headers
- python
- python-jinja
- python-lxml
- python-pefile
- python-pyelftools
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- audit-libs
- cryptsetup-libs
- gnutls
- libasan
- libbpf
- libfido2
- libgcrypt
- libmicrohttpd
- libnftnl
- libubsan
- libxcrypt
- libxkbcommon
- openssl-libs
- qrencode-libs
- tpm2-tss
- util-linux
-
-BuildPackages=
- /usr/bin/pkg-config
- bpftool
- docbook-xsl
- findutils
- libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
- libxslt
- pam-devel
- pkgconfig(audit)
- pkgconfig(blkid)
- pkgconfig(bzip2)
- pkgconfig(dbus-1)
- pkgconfig(fdisk)
- pkgconfig(glib-2.0)
- pkgconfig(gnutls)
- pkgconfig(libacl)
- pkgconfig(libbpf)
- pkgconfig(libcap)
- pkgconfig(libcryptsetup)
- pkgconfig(libcurl)
- pkgconfig(libdw)
- pkgconfig(libfido2)
- pkgconfig(libidn2)
- pkgconfig(libkmod)
- pkgconfig(libmicrohttpd)
- pkgconfig(libnftnl)
- pkgconfig(libpcre2-8)
- pkgconfig(libqrencode)
- pkgconfig(libseccomp)
- pkgconfig(libselinux)
- pkgconfig(libzstd)
- pkgconfig(mount)
- pkgconfig(numa)
- pkgconfig(openssl)
- pkgconfig(openssl)
- pkgconfig(p11-kit-1)
- pkgconfig(pwquality)
- pkgconfig(tss2-esys)
- pkgconfig(tss2-mu)
- pkgconfig(tss2-rc)
- pkgconfig(tss2-tcti-device)
- pkgconfig(valgrind)
- pkgconfig(xkbcommon)
- python3
- python3dist(jinja2)
- python3dist(lxml)
- python3dist(pefile)
- python3dist(pyelftools)
- python3dist(pytest)
- rpm
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- dmsetup
- libapparmor1
- libfdisk1
- libfido2-1
- libglib2.0-0
- libgnutls30
- libidn2-0
- libmicrohttpd12
- libnftnl11
- libp11-kit0
- libpam0g
- libpwquality1
- libqrencode4
- libssl3
- libtss2-dev # Use the -dev package to avoid churn in updating version numbers
- tzdata
-
-BuildPackages=
- docbook-xsl
- dpkg-dev
- g++
- libacl1-dev
- libapparmor-dev
- libaudit-dev
- libblkid-dev
- libbpf-dev
- libbz2-dev
- libcap-dev
- libcryptsetup-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libdw-dev
- libfdisk-dev
- libfido2-dev
- libgcrypt20-dev
- libglib2.0-dev
- libgnutls28-dev
- libidn2-dev
- libiptc-dev
- libkmod-dev
- libmicrohttpd-dev
- libmount-dev
- libnftnl-dev
- libp11-kit-dev
- libpam0g-dev
- libpwquality-dev
- libqrencode-dev
- libseccomp-dev
- libsmartcols-dev
- libssl-dev
- libxen-dev
- libxkbcommon-dev
- libzstd-dev
- python3
- python3-jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- xsltproc
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=debian
-
-[Content]
-Packages=
- libbpf1
-
-BuildPackages=
- bpftool
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-Packages=
- python3dist(pytest-flakes)
-
-BuildPackages=
- pkgconfig(xencontrol)
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
-# versions don't get installed instead.
-Packages=
- device-mapper
- distribution-release
- docbook-xsl-stylesheets
- gawk
- grep
- gzip
- libbpf1
- libcrypt1
- libcryptsetup12
- libdw1
- libelf1
- libfido2
- libgcrypt20
- libglib-2_0-0
- libkmod2
- libmount1
- libnftnl11
- libopenssl3
- libp11-kit0
- libqrencode4
- libseccomp2
- libtss2-esys0
- libtss2-mu0
- libtss2-rc0
- libtss2-tcti-device0
- libxkbcommon0
- libzstd1
- pam
- rsync
- sed
- shadow
- tpm2-0-tss
- xz
-
-BuildPackages=
- audit-devel
- bpftool
- cross-bpf-gcc13
- dbus-1-devel
- fdupes
- gcc-c++
- glib2-devel
- glibc-locale
- intltool
- libacl-devel
- libapparmor-devel
- libblkid-devel
- libbpf-devel
- libcap-devel
- libcryptsetup-devel
- libcurl-devel
- libdw-devel
- libelf-devel
- libfdisk-devel
- libfido2-devel
- libgcrypt-devel
- libgnutls-devel
- libkmod-devel
- libmicrohttpd-devel
- libmount-devel
- libnftnl-devel
- libpwquality-devel
- libseccomp-devel
- libselinux-devel
- libxkbcommon-devel
- libxslt-tools
- libzstd-devel
- openssl-devel
- pam-devel
- pciutils-devel
- python3
- python3-Jinja2
- python3-lxml
- python3-pefile
- python3-pyelftools
- python3-pytest
- python3-pytest-flakes
- qrencode-devel
- shadow
- timezone
- tpm2-0-tss-devel
- xen-devel
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Content]
-Packages=
- libbpf0
-
-BuildPackages=
- linux-tools-common
- linux-tools-generic
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
-disable ssh.service
-disable sshd.service
-
-# These are started manually in integration tests so don't start them by default.
-disable dnsmasq.service
-disable isc-dhcp-server.service
-disable isc-dhcp-server6.service
-
-# Pulled in via dracut-network by kexec-tools on Fedora.
-disable NetworkManager*
-
-# Make sure dbus-broker is started by default on Debian/Ubuntu.
-enable dbus-broker.service
-
-# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
-enable systemd-networkd.service
-enable systemd-networkd-wait-online.service
-
-# We install dnf in some images but it's only going to be used rarely,
-# so let's not have dnf create its cache.
-disable dnf-makecache.*
-
-# We have journald to receive audit data so let's make sure we're not running auditd as well
-disable auditd.service
-
-# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
-enable systemd-timesyncd.service
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
-disable *
+++ /dev/null
-L /etc/default/locale - - - - ../locale.conf
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Bootable=|auto
-Bootable=|yes
-
-[Output]
-Format=cpio
-
-[Content]
-BaseTrees=../../mkosi.output/base
-ExtraTrees=../../mkosi.output/base-systemd
-MakeInitrd=yes
-Packages=
- systemd
- udev
-
-# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
-# doesn't end up in the initrd.
-RemoveFiles=
- /usr/lib/libgfortran.so*
- /usr/lib/libgo.so*
- /usr/lib/libgomp.so*
- /usr/lib/libgphobos.so*
- /usr/lib/libobjc.so*
- /usr/lib/libstdc++.so*
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=centos
-
-[Output]
-# TODO: Switch to zstd once we stop building CentOS Stream 8.
-CompressOutput=xz
-
-[Content]
-Packages=xfsprogs
- tpm2-tools
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=!centos
-Distribution=!opensuse
-
-[Output]
-CompressOutput=zst
-
-[Content]
-Packages=btrfs-progs
- tpm2-tools
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Output]
-CompressOutput=zst
-
-[Content]
-Packages=btrfs-progs
- tpm2.0-tools
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-if [ "${container:-}" != "mkosi" ]; then
- exec mkosi-chroot "$SCRIPT" "$@"
-fi
-
-# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
-# See https://github.com/openSUSE/suse-module-tools/pull/71
-rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Content]
-Autologin=yes
-BaseTrees=../../mkosi.output/base
-ExtraTrees=../../mkosi.output/base-systemd
-ExtraTrees=../../src:/root/src
-Initrds=../../mkosi.output/initrd
-Packages=
- acl
- bash-completion
- coreutils
- diffutils
- dnsmasq
- dosfstools
- e2fsprogs
- findutils
- gcc # Sanitizer libraries
- gdb
- grep
- kbd
- kexec-tools
- less
- mtools
- nano
- nftables
- openssl
- qrencode
- sed
- socat
- strace
- systemd
- tmux
- tree
- udev
- util-linux
- valgrind
- wireguard-tools
- xfsprogs
- zsh
-
-[Validation]
-SecureBoot=yes
-SignExpectedPcr=yes
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- bpf
- btrfs-progs
- compsize
- dhcp
- f2fs-tools
- glib2
- iproute
- linux
- man-db
- openbsd-netcat
- openssh
- polkit
- python-pefile
- python-psutil
- python-pytest
- python3
- quota-tools
- shadow
- vim
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- bpftool
- cryptsetup
- dhcp-server
- dnf
- glib2
- iproute
- iproute-tc
- kernel-core
- kernel-modules # For squashfs support
- libcap-ng-utils
- netcat
- openssh-server
- p11-kit
- pam
- passwd
- polkit
- procps-ng
- python3
- python3dist(pefile)
- python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
- python3dist(psutil)
- python3dist(pytest)
- quota
- vim-common
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=centos
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support erofs so we use squashfs instead.
-[Partition]
-Format=squashfs
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- apt
- btrfs-progs
- cryptsetup-bin
- dbus-broker
- default-dbus-session-bus
- f2fs-tools
- fdisk
- iproute2
- isc-dhcp-server
- libcap-ng-utils
- netcat-openbsd
- openssh-server
- passwd
- policykit-1
- procps
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- xxd
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=debian
-
-[Content]
-Packages=
- bpftool
- linux-image-cloud-amd64
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-Packages=
- btrfs-progs
- compsize
- f2fs-tools
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-Packages=
- bpftool
- btrfs-progs
- cryptsetup
- dbus-broker
- f2fs-tools
- glibc-locale-base
- kernel-kvmsmall
- libcap-ng-utils
- openssh-server
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- shadow
- vim
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Content]
-Packages=
- # We would like to use linux-image-kvm but it does not have support for dm-verity
- # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
- linux-image-generic
- linux-tools-common
- linux-tools-generic
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-Distribution=arch
-
-[Content]
-Packages=
- alsa-lib
- fuse2
- libcap
- libcap-ng
- libelf
- libmnl
- numactl
- popt
-
-BuildPackages=
- pahole
- python-docutils
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- alsa-lib
- elfutils-libelf
- fuse
- glibc.i686
- libcap
- libcap-ng
- libcap-ng-utils
- libmnl
- numactl-libs
- popt
-
-BuildPackages=
- dwarves
- glibc-devel.i686
- glibc-static
- glibc-static.i686
- pkgconfig(alsa)
- pkgconfig(fuse)
- pkgconfig(libcap-ng)
- pkgconfig(libcap)
- pkgconfig(libelf)
- pkgconfig(libmnl)
- pkgconfig(numa)
- pkgconfig(openssl)
- pkgconfig(popt)
- python3-docutils
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- fuse
- libasound2
- libc6-i386
- libcap-ng0
- libcap2
- libelf1
- libmnl0
- libnuma1
- libpopt0
-
-BuildPackages=
- gcc-multilib
- libasound-dev
- libc6-dev
- libc6-dev-i686
- libcap-ng-dev
- libcap-dev
- libelf-dev
- libfuse-dev
- libmnl-dev
- libnuma-dev
- libpopt-dev
- pahole
- python3-docutils
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-Distribution=fedora
-
-[Content]
-BuildPackages=
- libcap-static
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-Distribution=opensuse
-
-[Content]
-Packages=
- fuse
- glibc-32bit
- libasound2
- libcap-ng0
- libcap2
- libelf1
- libmnl0
- libnuma1
- libpopt0
-
-BuildPackages=
- alsa-devel
- dwarves
- fuse-devel
- gcc-32bit
- glibc-devel-32bit
- glibc-devel-static-32bit
- glibc-static
- libcap-devel
- libcap-ng-dev
- libelf-devel
- liblz4-dev
- libmnl-dev
- libnuma-devel
- pcre-devel
- popt-devel
- python3-docutils
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-PathExists=../../mkosi.kernel/
-
-[Content]
-BuildScript=mkosi.kernel.build
-BuildSources=../..
-BuildPackages=
- bc
- binutils
- bison
- clang
- flex
- gcc
- lld
- llvm
- make
- make
- rsync
- tar
+++ /dev/null
-\S (built from systemd tree)
-Kernel \r on an \m (\l)
+++ /dev/null
-set debuginfod enabled off
-set build-id-verbose 0
-set substitute-path ../src /root/src
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=root
-Format=btrfs
-SizeMinBytes=1G
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
-# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
-# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
-# Storage= to persistent to have systemd-journald create /var/log/journal itself.
-[Journal]
-Storage=persistent
+++ /dev/null
-#!/bin/bash -eux
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# TODO: Figure out why this is failing
-systemctl reset-failed systemd-vconsole-setup.service
-
-systemctl --failed --no-legend | tee /failed-services
-
-# Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
- cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
- cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- # TODO: Figure out why this is failing
- # grep -q this_should_be_here /proc/cmdline
- # grep -q this_should_not_be_here /proc/cmdline && exit 1
-fi
-
-# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
-[[ ! -s /failed-services ]]
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Check if any service failed and then shutdown the machine
-After=multi-user.target network-online.target
-Requires=multi-user.target
-Wants=systemd-resolved.service systemd-networkd.service network-online.target
-SuccessAction=exit
-FailureAction=exit
-# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
-# host.
-SuccessActionExitStatus=123
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-C+! /etc - - - - /usr/share/factory/mkosi
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-if [ "${container:-}" != "mkosi" ]; then
- exec mkosi-chroot "$SCRIPT" "$@"
-fi
-
-if [ -d "$SRCDIR"/mkosi.kernel/ ]; then
- SRCDIR="$SRCDIR/mkosi.kernel"
- BUILDDIR="$BUILDDIR/mkosi.kernel"
- cd "$SRCDIR"
- mkdir -p "$BUILDDIR"
-
- # Ensure fast incremental builds by fixating these values which usually change for each build.
- export KBUILD_BUILD_TIMESTAMP="Fri Jun 5 15:58:00 CEST 2015"
- export KBUILD_BUILD_HOST="mkosi"
-
- scripts/kconfig/merge_config.sh -O "$BUILDDIR" \
- ../mkosi.kernel.config \
- tools/testing/selftests/bpf/config.x86_64 \
- tools/testing/selftests/bpf/config
-
- # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version.
- make O="$BUILDDIR" VERSION=99 -j "$(nproc)"
- make O="$BUILDDIR" VERSION=99 -j "$(nproc)" headers
-
- KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease)
- mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
- make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
- make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
- mkdir -p "$DESTDIR/usr/lib/kernel/selftests"
- make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install
-
- mkdir -p "$DESTDIR"/usr/bin
- ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool"
-fi
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-if [ "$1" = "build" ]; then
- exit 0
-fi
-
-if [ "${container:-}" != "mkosi" ]; then
- exec mkosi-chroot "$SCRIPT" "$@"
-fi
-
-if [ -n "$SANITIZERS" ]; then
- LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
-
- mkdir -p /etc/systemd/system.conf.d
-
- cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
- UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-EOF
-
- # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
- # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
- # sanitizer failures appear directly on the user's console.
- mkdir -p /etc/systemd/system/systemd-journald.service.d
- cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
- # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
- # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
- # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
- # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
- mkdir -p /etc/systemd/system/console-getty.service.d
- cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
- # ASAN and syscall filters aren't compatible with each other.
- find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
- # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
- systemctl mask systemd-hwdb-update.service
-fi
-
-if [ -n "$IMAGE_ID" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_ID=/!p' \
- -e "\$aIMAGE_ID=$IMAGE_ID" \
- /usr/lib/os-release
-fi
-
-if [ -n "$IMAGE_VERSION" ] ; then
- sed -n \
- -i \
- -e '/^IMAGE_VERSION=/!p' \
- -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
- /usr/lib/os-release
-fi
-
-if command -v authselect >/dev/null; then
- authselect select minimal
-
- if authselect list-features minimal | grep -q "with-homed"; then
- authselect enable-feature with-homed
- fi
-fi
-
-# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
-# if that's the case.
-mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
-rm -f /etc/resolv.conf
-
-. /usr/lib/os-release
-
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
- alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
- alternatives --set python3 /usr/bin/python3.9
-fi
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=esp
-Format=vfat
-CopyFiles=/efi:/
-SizeMinBytes=512M
-SizeMaxBytes=512M
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr
-Format=erofs
-CopyFiles=/usr:/
-Verity=data
-VerityMatchKey=usr
-Minimize=yes
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity
-Verity=hash
-VerityMatchKey=usr
-Minimize=yes
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity-sig
-Verity=signature
-VerityMatchKey=usr
--- /dev/null
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
+# Simply invoke "mkosi" in the project directory to build an OS image.
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
+# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
+# an extra tree in the initrd and system image builds.
+DESTDIR="$OUTPUTDIR/systemd"
+
+# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
+# as out-of-tree build dir. Otherwise, let's make up our own builddir.
+[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
+
+# Let's make sure we're using stuff from the build directory first if available there.
+PATH="$BUILDDIR:$PATH"
+export PATH
+
+# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
+# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
+# the ubuntu script with a symlink to the first bpftool program we can find.
+for bpftool in /usr/lib/linux-tools/*/bpftool; do
+ [ -x "$bpftool" ] || continue
+ ln -sf "$bpftool" "$BUILDDIR"/bpftool
+ break
+done
+
+# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
+# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
+# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
+. /usr/lib/os-release
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ cat >"$BUILDDIR"/bpftool <<EOF
+#!/bin/sh
+if [ "\$1" = --version ]; then
+ echo 5.6.0
+else
+ exec /usr/sbin/bpftool \$@
+fi
+EOF
+ chmod +x "$BUILDDIR"/bpftool
+fi
+
+if [ ! -f "$BUILDDIR"/build.ninja ]; then
+ sysvinit_path=$(realpath /etc/init.d)
+
+ if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ UKIFY=false
+ else
+ UKIFY=true
+ fi
+
+ # On Debian 'loadkeys us' fails
+ if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
+ DEFAULT_KEYMAP=""
+ else
+ DEFAULT_KEYMAP="us"
+ fi
+
+ CONFIGURE_OPTS=(
+ -D sysvinit-path="$sysvinit_path"
+ -D man=false
+ -D translations=false
+ -D version-tag="${VERSION_TAG}"
+ -D mode=developer
+ -D b_sanitize="${SANITIZERS:-none}"
+ -D install-tests=true
+ -D tests=unsafe
+ -D slow-tests="${SLOW_TESTS:-false}"
+ -D create-log-dirs=false
+ -D pamconfdir=no
+ -D utmp=true
+ -D hibernate=true
+ -D ldconfig=true
+ -D resolve=true
+ -D efi=true
+ -D tpm=true
+ -D environment-d=true
+ -D binfmt=true
+ -D repart=true
+ -D sysupdate=true
+ -D coredump=true
+ -D pstore=true
+ -D oomd=true
+ -D logind=true
+ -D hostnamed=true
+ -D localed=true
+ -D machined=true
+ -D portabled=true
+ -D sysext=true
+ -D userdb=true
+ -D homed=true
+ -D networkd=true
+ -D timedated=true
+ -D timesyncd=true
+ -D remote=true
+ -D nss-myhostname=true
+ -D nss-mymachines=true
+ -D nss-resolve=true
+ -D nss-systemd=true
+ -D firstboot=true
+ -D randomseed=true
+ -D backlight=true
+ -D vconsole=true
+ -D quotacheck=true
+ -D sysusers=true
+ -D tmpfiles=true
+ -D importd=true
+ -D hwdb=true
+ -D rfkill=true
+ -D xdg-autostart=true
+ -D translations=true
+ -D polkit=true
+ -D acl=true
+ -D audit=true
+ -D blkid=true
+ -D fdisk=true
+ -D kmod=true
+ -D pam=true
+ -D pwquality=true
+ -D microhttpd=true
+ -D libcryptsetup=true
+ -D libcurl=true
+ -D idn=true
+ -D libidn2=true
+ -D qrencode=true
+ -D gcrypt=true
+ -D gnutls=true
+ -D openssl=true
+ -D cryptolib=openssl
+ -D p11kit=true
+ -D libfido2=true
+ -D tpm2=true
+ -D elfutils=true
+ -D zstd=true
+ -D xkbcommon=true
+ -D pcre2=true
+ -D glib=true
+ -D dbus=true
+ -D bootloader=true
+ -D kernel-install=true
+ -D analyze=true
+ -D bpf-framework=true
+ -D ukify="$UKIFY"
+ -D seccomp=true
+ -D selinux=auto
+ -D apparmor=auto
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
+ -D default-keymap="$DEFAULT_KEYMAP"
+ )
+
+ # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
+ # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
+ # installed in the wrong directory and not be found by cryptsetup. Assume native build.
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
+ CONFIGURE_OPTS+=(
+ -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+ -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
+ )
+ fi
+
+ # Set various uids and gids for which Fedora has "soft static" allocations.
+ # Without this, we would get warning about mismatched sysusers.d entries
+ # between the files that we and Fedora's setup package install.
+ if grep -q '^ID=fedora' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dadm-gid=4
+ -Daudio-gid=63
+ -Dcdrom-gid=11
+ -Ddialout-gid=18
+ -Ddisk-gid=6
+ -Dinput-gid=104
+ -Dkmem-gid=9
+ -Dkvm-gid=36
+ -Dlp-gid=7
+ -Drender-gid=105
+ -Dsgx-gid=106
+ -Dtape-gid=33
+ -Dtty-gid=5
+ -Dusers-gid=100
+ -Dutmp-gid=22
+ -Dvideo-gid=39
+ -Dwheel-gid=10
+ -Dsystemd-journal-gid=190
+ -Dsystemd-network-uid=192
+ -Dsystemd-resolve-uid=193
+ )
+ fi
+
+ if grep -q '^ID="opensuse' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dbpf-compiler=gcc
+ )
+ fi
+
+ ( set -x; meson setup "$BUILDDIR" "${CONFIGURE_OPTS[@]}" )
+fi
+
+( set -x; ninja -C "$BUILDDIR" "$@" )
+if [ "$WITH_TESTS" = 1 ]; then
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
+fi
+
+( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
+
+# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+if [ -d "${DESTDIR}/boot/loader" ]; then
+ addons_dir="${DESTDIR}/boot/loader/addons"
+elif [ -d "${DESTDIR}/efi/loader" ]; then
+ addons_dir="${DESTDIR}/efi/loader/addons"
+fi
+if [ -n "${addons_dir}" ]; then
+ mkdir -p "${addons_dir}"
+ ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+Packages=
+ kmod
+ less
+ util-linux
+
+BuildPackages=
+ acl
+ diffutils
+ gawk
+ binutils
+ clang
+ gettext
+ git
+ gperf
+ grep
+ lld
+ llvm
+ make
+ meson
+ pkgconf
+ rsync
+ sed
+ tar
+ zstd
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ cryptsetup
+ dbus
+ gnutls
+ libbpf
+ libfido2
+ libmicrohttpd
+ libnftnl
+ libpwquality
+ libseccomp
+ libxkbcommon
+ openssl
+ qrencode
+ tpm2-tss
+
+BuildPackages=
+ bpf
+ docbook-xsl
+ glib2
+ libxslt
+ linux-api-headers
+ python
+ python-jinja
+ python-lxml
+ python-pefile
+ python-pyelftools
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ audit-libs
+ cryptsetup-libs
+ gnutls
+ libasan
+ libbpf
+ libfido2
+ libgcrypt
+ libmicrohttpd
+ libnftnl
+ libubsan
+ libxcrypt
+ libxkbcommon
+ openssl-libs
+ qrencode-libs
+ tpm2-tss
+ util-linux
+
+BuildPackages=
+ /usr/bin/pkg-config
+ bpftool
+ docbook-xsl
+ findutils
+ libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
+ libxslt
+ pam-devel
+ pkgconfig(audit)
+ pkgconfig(blkid)
+ pkgconfig(bzip2)
+ pkgconfig(dbus-1)
+ pkgconfig(fdisk)
+ pkgconfig(glib-2.0)
+ pkgconfig(gnutls)
+ pkgconfig(libacl)
+ pkgconfig(libbpf)
+ pkgconfig(libcap)
+ pkgconfig(libcryptsetup)
+ pkgconfig(libcurl)
+ pkgconfig(libdw)
+ pkgconfig(libfido2)
+ pkgconfig(libidn2)
+ pkgconfig(libkmod)
+ pkgconfig(libmicrohttpd)
+ pkgconfig(libnftnl)
+ pkgconfig(libpcre2-8)
+ pkgconfig(libqrencode)
+ pkgconfig(libseccomp)
+ pkgconfig(libselinux)
+ pkgconfig(libzstd)
+ pkgconfig(mount)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(openssl)
+ pkgconfig(p11-kit-1)
+ pkgconfig(pwquality)
+ pkgconfig(tss2-esys)
+ pkgconfig(tss2-mu)
+ pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
+ pkgconfig(valgrind)
+ pkgconfig(xkbcommon)
+ python3
+ python3dist(jinja2)
+ python3dist(lxml)
+ python3dist(pefile)
+ python3dist(pyelftools)
+ python3dist(pytest)
+ rpm
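Review bot: `pkgconfig(openssl)` appears twice in this BuildPackages= list (the two adjacent entries just before `pkgconfig(p11-kit-1)`); drop one, as the duplicate is harmless to dnf but suggests the second line was meant to be a different pkgconfig() provide, so it is worth confirming nothing is missing. The same duplication shows up with `make` in the mkosi.kernel BuildPackages= list further down in this commit. Related, the build script hunk above passes both `-D translations=false` and `-D translations=true` to meson, where the later option silently wins and the earlier one reads as the intended value.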
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ dmsetup
+ libapparmor1
+ libfdisk1
+ libfido2-1
+ libglib2.0-0
+ libgnutls30
+ libidn2-0
+ libmicrohttpd12
+ libnftnl11
+ libp11-kit0
+ libpam0g
+ libpwquality1
+ libqrencode4
+ libssl3
+ libtss2-dev # Use the -dev package to avoid churn in updating version numbers
+ tzdata
+
+BuildPackages=
+ docbook-xsl
+ dpkg-dev
+ g++
+ libacl1-dev
+ libapparmor-dev
+ libaudit-dev
+ libblkid-dev
+ libbpf-dev
+ libbz2-dev
+ libcap-dev
+ libcryptsetup-dev
+ libcurl4-openssl-dev
+ libdbus-1-dev
+ libdw-dev
+ libfdisk-dev
+ libfido2-dev
+ libgcrypt20-dev
+ libglib2.0-dev
+ libgnutls28-dev
+ libidn2-dev
+ libiptc-dev
+ libkmod-dev
+ libmicrohttpd-dev
+ libmount-dev
+ libnftnl-dev
+ libp11-kit-dev
+ libpam0g-dev
+ libpwquality-dev
+ libqrencode-dev
+ libseccomp-dev
+ libsmartcols-dev
+ libssl-dev
+ libxen-dev
+ libxkbcommon-dev
+ libzstd-dev
+ python3
+ python3-jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ xsltproc
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ libbpf1
+
+BuildPackages=
+ bpftool
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ python3dist(pytest-flakes)
+
+BuildPackages=
+ pkgconfig(xencontrol)
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ device-mapper
+ distribution-release
+ docbook-xsl-stylesheets
+ gawk
+ grep
+ gzip
+ libbpf1
+ libcrypt1
+ libcryptsetup12
+ libdw1
+ libelf1
+ libfido2
+ libgcrypt20
+ libglib-2_0-0
+ libkmod2
+ libmount1
+ libnftnl11
+ libopenssl3
+ libp11-kit0
+ libqrencode4
+ libseccomp2
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
+ libxkbcommon0
+ libzstd1
+ pam
+ rsync
+ sed
+ shadow
+ tpm2-0-tss
+ xz
+
+BuildPackages=
+ audit-devel
+ bpftool
+ cross-bpf-gcc13
+ dbus-1-devel
+ fdupes
+ gcc-c++
+ glib2-devel
+ glibc-locale
+ intltool
+ libacl-devel
+ libapparmor-devel
+ libblkid-devel
+ libbpf-devel
+ libcap-devel
+ libcryptsetup-devel
+ libcurl-devel
+ libdw-devel
+ libelf-devel
+ libfdisk-devel
+ libfido2-devel
+ libgcrypt-devel
+ libgnutls-devel
+ libkmod-devel
+ libmicrohttpd-devel
+ libmount-devel
+ libnftnl-devel
+ libpwquality-devel
+ libseccomp-devel
+ libselinux-devel
+ libxkbcommon-devel
+ libxslt-tools
+ libzstd-devel
+ openssl-devel
+ pam-devel
+ pciutils-devel
+ python3
+ python3-Jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ python3-pytest-flakes
+ qrencode-devel
+ shadow
+ timezone
+ tpm2-0-tss-devel
+ xen-devel
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ libbpf0
+
+BuildPackages=
+ linux-tools-common
+ linux-tools-generic
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
--- /dev/null
+L /etc/default/locale - - - - ../locale.conf
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=|auto
+Bootable=|yes
+
+[Preset]
+Dependencies=base
+
+[Output]
+Format=cpio
+
+[Content]
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+MakeInitrd=yes
+Packages=
+ systemd
+ udev
+
+# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
+# doesn't end up in the initrd.
+RemoveFiles=
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libstdc++.so*
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Output]
+# TODO: Switch to zstd once we stop building CentOS Stream 8.
+CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
+ tpm2-tools
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=!centos
+Distribution=!opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2-tools
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2.0-tools
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Preset]
+Dependencies=base
+ initrd
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+ExtraTrees=../../src:/root/src
+Initrds=../../mkosi.output/initrd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+[Validation]
+SecureBoot=yes
+SignExpectedPcr=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ bpf
+ btrfs-progs
+ compsize
+ dhcp
+ f2fs-tools
+ glib2
+ iproute
+ linux
+ man-db
+ openbsd-netcat
+ openssh
+ polkit
+ python-pefile
+ python-psutil
+ python-pytest
+ python3
+ quota-tools
+ shadow
+ vim
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ bpftool
+ cryptsetup
+ dhcp-server
+ dnf
+ glib2
+ iproute
+ iproute-tc
+ kernel-core
+ kernel-modules # For squashfs support
+ libcap-ng-utils
+ netcat
+ openssh-server
+ p11-kit
+ pam
+ passwd
+ polkit
+ procps-ng
+ python3
+ python3dist(pefile)
+ python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
+ python3dist(psutil)
+ python3dist(pytest)
+ quota
+ vim-common
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ apt
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ default-dbus-session-bus
+ f2fs-tools
+ fdisk
+ iproute2
+ isc-dhcp-server
+ libcap-ng-utils
+ netcat-openbsd
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ xxd
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-amd64
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ btrfs-progs
+ compsize
+ f2fs-tools
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ bpftool
+ btrfs-progs
+ cryptsetup
+ dbus-broker
+ f2fs-tools
+ glibc-locale-base
+ kernel-kvmsmall
+ libcap-ng-utils
+ openssh-server
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ shadow
+ vim
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ # We would like to use linux-image-kvm but it does not have support for dm-verity
+ # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
+ linux-image-generic
+ linux-tools-common
+ linux-tools-generic
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=arch
+
+[Content]
+Packages=
+ alsa-lib
+ fuse2
+ libcap
+ libcap-ng
+ libelf
+ libmnl
+ numactl
+ popt
+
+BuildPackages=
+ pahole
+ python-docutils
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ alsa-lib
+ elfutils-libelf
+ fuse
+ glibc.i686
+ libcap
+ libcap-ng
+ libcap-ng-utils
+ libmnl
+ numactl-libs
+ popt
+
+BuildPackages=
+ dwarves
+ glibc-devel.i686
+ glibc-static
+ glibc-static.i686
+ pkgconfig(alsa)
+ pkgconfig(fuse)
+ pkgconfig(libcap-ng)
+ pkgconfig(libcap)
+ pkgconfig(libelf)
+ pkgconfig(libmnl)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(popt)
+ python3-docutils
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ fuse
+ libasound2
+ libc6-i386
+ libcap-ng0
+ libcap2
+ libelf1
+ libmnl0
+ libnuma1
+ libpopt0
+
+BuildPackages=
+ gcc-multilib
+ libasound-dev
+ libc6-dev
+ libc6-dev-i686
+ libcap-ng-dev
+ libcap-dev
+ libelf-dev
+ libfuse-dev
+ libmnl-dev
+ libnuma-dev
+ libpopt-dev
+ pahole
+ python3-docutils
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=fedora
+
+[Content]
+BuildPackages=
+ libcap-static
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=opensuse
+
+[Content]
+Packages=
+ fuse
+ glibc-32bit
+ libasound2
+ libcap-ng0
+ libcap2
+ libelf1
+ libmnl0
+ libnuma1
+ libpopt0
+
+BuildPackages=
+ alsa-devel
+ dwarves
+ fuse-devel
+ gcc-32bit
+ glibc-devel-32bit
+ glibc-devel-static-32bit
+ glibc-static
+ libcap-devel
+ libcap-ng-dev
+ libelf-devel
+ liblz4-dev
+ libmnl-dev
+ libnuma-devel
+ pcre-devel
+ popt-devel
+ python3-docutils
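Review bot: `libcap-ng-dev`, `liblz4-dev` and `libmnl-dev` in this openSUSE BuildPackages= list use the Debian `-dev` suffix, while every other entry here follows openSUSE's `-devel` naming (`libcap-devel`, `libnuma-devel`, `libelf-devel`); zypper will presumably fail to resolve them, and because this file only matches when `../../mkosi.kernel/` exists the breakage would not surface in a default CI run. The openSUSE names are presumably `libcap-ng-devel`, `liblz4-devel` and `libmnl-devel` — confirm against the repositories before changing.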
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+
+[Content]
+BuildScript=mkosi.kernel.build
+BuildSources=../..
+BuildPackages=
+ bc
+ binutils
+ bison
+ clang
+ flex
+ gcc
+ lld
+ llvm
+ make
+ make
+ rsync
+ tar
--- /dev/null
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
--- /dev/null
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
--- /dev/null
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
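Review bot: With the two `/proc/cmdline` greps commented out, nothing in this script verifies the signed/unsigned addon behaviour that the build script sets up with `good.addon.efi` (signed) and `bad.addon.efi` (unsigned), so a regression in addon signature enforcement would pass this check unnoticed. Until the TODO is resolved, at least record the observed value so the CI log shows which cmdline was applied, e.g. `cat /proc/cmdline` next to the commented-out checks inside the `if ! systemd-detect-virt --container` block. Keeping the positive check (`this_should_be_here`) before the negative one when they are re-enabled also makes a missing signed addon fail with a clear exit status rather than being masked.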
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+if [ -d "$SRCDIR"/mkosi.kernel/ ]; then
+ SRCDIR="$SRCDIR/mkosi.kernel"
+ BUILDDIR="$BUILDDIR/mkosi.kernel"
+ cd "$SRCDIR"
+ mkdir -p "$BUILDDIR"
+
+ # Ensure fast incremental builds by fixating these values which usually change for each build.
+ export KBUILD_BUILD_TIMESTAMP="Fri Jun 5 15:58:00 CEST 2015"
+ export KBUILD_BUILD_HOST="mkosi"
+
+ scripts/kconfig/merge_config.sh -O "$BUILDDIR" \
+ ../mkosi.kernel.config \
+ tools/testing/selftests/bpf/config.x86_64 \
+ tools/testing/selftests/bpf/config
+
+ # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version.
+ make O="$BUILDDIR" VERSION=99 -j "$(nproc)"
+ make O="$BUILDDIR" VERSION=99 -j "$(nproc)" headers
+
+ KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease)
+ mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
+ make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
+ make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
+ mkdir -p "$DESTDIR/usr/lib/kernel/selftests"
+ make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install
+
+ mkdir -p "$DESTDIR"/usr/bin
+ ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool"
+fi
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ]; then
+ exit 0
+fi
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+ authselect select minimal
+
+ if authselect list-features minimal | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+. /usr/lib/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+ alternatives --set python3 /usr/bin/python3.9
+fi
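Review bot: `find / -name '*.service' -type f -exec sed -i ...` in the sanitizer branch walks the entire chroot, including /proc, /sys and /dev if mkosi-chroot mounts them; `find` returns non-zero when it hits an error such as a /proc entry vanishing mid-walk, which aborts the whole script under `set -e`, and the full walk is needlessly slow. Restrict the search to the unit directories, `find /usr/lib/systemd/system /etc/systemd/system -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +`, or at minimum add `-xdev` after `/`. Note that this sed comments out `SystemCallFilter=` and `MemoryDenyWriteExecute=` in every unit of the image, so a sanitizer image should not be used to judge the hardening of those units.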
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr