[Host]
@Incremental=yes
-@RuntimeSize=8G
@RuntimeBuildSources=yes
@QemuSmp=2
ToolsTreePackages=virtiofsd
[Output]
@Format=directory
+RepartDirectories=mkosi.repart
[Content]
Autologin=yes
xfsprogs
zsh
zstd
-
-[Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
rpm
rpm-build
rpmautospec
- selinux-policy
- selinux-policy-targeted
- setools-console
squashfs-tools
util-linux
vim-common
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+ selinux-policy
+ selinux-policy-targeted
+ setools-console
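Review bot: The comment above `Packages=` explains that the SELinux packages are skipped for /usr-only images, but nothing in the file says that `Profile=!particle` is how "/usr-only" is expressed, so a reader has to find the particle profile elsewhere to connect the two. Judging by the usr, usr-verity and usr-verity-sig partitions added elsewhere in this commit, the particle profile is that /usr-only build, though that is an inference from the other hunks. I'd extend the comment with one line such as `# The particle profile is the /usr-only build, so match on every other profile.` so the intent survives without reading the rest of the tree.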
[Match]
Distribution=centos
+[Output]
+RepartDirectories=mkosi.repart
+
[Content]
Packages=
rpmautospec-rpm-macros
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
+++ /dev/null
-g root 0
-g bin 1
-g daemon 2
-g sys 3
-g adm 4
-g tty 5
-g disk 6
-g lp 7
-g mem 8
-g kmem 9
-g wheel 10
-g cdrom 11
-g mail 12
-g man 15
-g dialout 18
-g floppy 19
-g games 20
-g tape 33
-g video 39
-g ftp 50
-g lock 54
-g audio 63
-g users 100
-g nobody 65534
+++ /dev/null
-u root 0:0 "Super User" /root /bin/bash
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u adm 3:4 "adm" /var/adm -
-u lp 4:7 "lp" /var/spool/lpd -
-u sync 5:0 "sync" /sbin /bin/sync
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u halt 7:0 "halt" /sbin /sbin/halt
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u games 12:100 "games" /usr/games -
-u ftp 14:50 "FTP User" /var/ftp -
-u nobody 65534:65534 "Kernel Overflow User" - -
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
+# population of xfs which is required for testing SELinux so let's do ext4 instead.
+Format=ext4
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
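Review bot: The bare `RepartDirectories=` on the line before `RepartDirectories=mkosi.repart` is doing real work — it clears the list inherited from the top-level mkosi.conf so the particle image is laid out only from this directory's repart definitions — but it reads like a stray empty assignment that someone may "clean up". A comment above it would prevent that: `# Empty assignment resets the list inherited from mkosi.conf; only this profile's mkosi.repart applies.` As far as this diff shows, the [Validation] block here is also the only place SecureBoot and SignExpectedPcr remain enabled after they were dropped from the main config, so a one-line note that signed-measurement validation is intentionally particle-only would help the next reader too.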
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
--- /dev/null
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
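Review bot: `set -e` on line 3 gives no protection against `BUILDROOT` being unset or empty: with `-e` alone, an empty expansion turns `mkdir -p "$BUILDROOT"/usr/share/factory/mkosi` and the following `cp --archive` into operations on the host's /etc and /usr, which is exactly what the variable exists to prevent. Change line 3 to `set -eu` or add `: "${BUILDROOT:?BUILDROOT must be set}"` before the mkdir. Separately, `addons_dir=/efi/loader/addons` is the only path in the script not prefixed with `"$BUILDROOT"`; if this script runs outside the image root like the cp line above assumes, that directory lands on the host rather than in the image, so it is worth either prefixing it or adding a comment stating why it is correct as written — I cannot tell from this hunk which applies.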
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=swap
-SizeMinBytes=100M
-SizeMaxBytes=100M
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=root
-Format=btrfs
-SizeMinBytes=1G
-Subvolumes=/home /var
-MakeDirectories=/home /var
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-C+! /etc - - - - /usr/share/factory/mkosi
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
- # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
- addons_dir=/efi/loader/addons
- mkdir -p "$addons_dir"
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
- ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
-
for f in "$BUILDROOT"/usr/share/*.verity.sig; do
jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
done
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+CopyFiles=/
+SizeMinBytes=8G
+SizeMaxBytes=8G
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr
-Format=erofs
-CopyFiles=/usr:/
-Verity=data
-VerityMatchKey=usr
-Minimize=yes
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity
-Verity=hash
-VerityMatchKey=usr
-Minimize=yes
+++ /dev/null
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity-sig
-Verity=signature
-VerityMatchKey=usr
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# This file exists to create the particle profile which is matched on by other configuration files.