authorDaan De Meyer <daan.j.demeyer@gmail.com>2023-02-21 15:09:38 +0100
committerDaan De Meyer <daan.j.demeyer@gmail.com>2023-02-21 15:20:18 +0100
commit01a0756427c847b26402ceffe508d726ffb42882 (patch)
treee40e866aed5141cb7c99cc448fa5d805477d8a57
parentfff772bee8c10813b419be9808977fad1cc547f0 (diff)
downloadsystemd-01a0756427c847b26402ceffe508d726ffb42882.tar.gz
mkosi: Move more logic to the postinst script
Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts.
-rwxr-xr-xmkosi.build85
-rw-r--r--mkosi.conf.d/10-systemd.conf4
-rw-r--r--mkosi.extra/etc/issue2
-rw-r--r--mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.service (renamed from test/mkosi-check-and-shutdown.service)0
-rwxr-xr-x[-rw-r--r--]mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.sh (renamed from test/mkosi-check-and-shutdown.sh)0
-rw-r--r--mkosi.extra/root/.gdbinit2
-rwxr-xr-xmkosi.postinst53
7 files changed, 58 insertions, 88 deletions
diff --git a/mkosi.build b/mkosi.build
index 6fed078fef..7b50a60db7 100755
--- a/mkosi.build
+++ b/mkosi.build
@@ -5,9 +5,6 @@ set -e
# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
# Simply invoke "mkosi" in the project directory to build an OS image.
-ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
-UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
-
# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
# as out-of-tree build dir. Otherwise, let's make up our own builddir.
[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
@@ -153,8 +150,8 @@ cd "$BUILDDIR"
ninja "$@"
if [ "$WITH_TESTS" = 1 ] ; then
if [ -n "$SANITIZERS" ]; then
- export ASAN_OPTIONS="$ASAN_OPTIONS"
- export UBSAN_OPTIONS="$UBSAN_OPTIONS"
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
TIMEOUT_MULTIPLIER=3
else
TIMEOUT_MULTIPLIER=1
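Review bot: The two exports in the `SANITIZERS` branch now rely on `MKOSI_ASAN_OPTIONS` and `MKOSI_UBSAN_OPTIONS` arriving from the mkosi configuration, and nothing in this hunk checks that they are set. The hunk header shows only `set -e`, so when either is missing the tests would presumably run with an empty `ASAN_OPTIONS`/`UBSAN_OPTIONS`, which drops `halt_on_error=1` and may let UBSan findings pass without failing the run. A guarded expansion makes the misconfiguration fail loudly: `export ASAN_OPTIONS="${MKOSI_ASAN_OPTIONS:?not set by mkosi config}"`, and the same form for `UBSAN_OPTIONS`. The enclosing `if [ "$WITH_TESTS" = 1 ]` block continues outside the hunk.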
@@ -166,84 +163,6 @@ cd "$SRCDIR"
meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed
-mkdir -p "$DESTDIR"/etc
-
-cat >"$DESTDIR"/etc/issue <<EOF
-\S (built from systemd tree)
-Kernel \r on an \m (\l)
-
-EOF
-
-if [ -n "$IMAGE_ID" ] ; then
- mkdir -p "$DESTDIR"/usr/lib
- sed -n \
- -e '/^IMAGE_ID=/!p' \
- -e "\$aIMAGE_ID=$IMAGE_ID" <"/usr/lib/os-release" >"${DESTDIR}/usr/lib/os-release"
-
- OSRELEASEFILE="$DESTDIR"/usr/lib/os-release
-else
- OSRELEASEFILE=/usr/lib/os-release
-fi
-
-
-if [ -n "$IMAGE_VERSION" ] ; then
- mkdir -p "$DESTDIR"/usr/lib
- sed -n \
- -e '/^IMAGE_VERSION=/!p' \
- -e "\$aIMAGE_VERSION=$IMAGE_VERSION" <$OSRELEASEFILE >"/tmp/os-release.tmp"
-
- cat /tmp/os-release.tmp >"$DESTDIR"/usr/lib/os-release
- rm /tmp/os-release.tmp
-fi
-
-# If $CI_BUILD is set, copy over the CI service which executes a service check
-# after boot and then shuts down the machine
-if [ -n "$CI_BUILD" ]; then
- mkdir -p "$DESTDIR/usr/lib/systemd/system"
- cp -v "$SRCDIR/test/mkosi-check-and-shutdown.service" "$DESTDIR/usr/lib/systemd/system/mkosi-check-and-shutdown.service"
- cp -v "$SRCDIR/test/mkosi-check-and-shutdown.sh" "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
- chmod +x "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
-fi
-
-if [ -n "$SANITIZERS" ]; then
- LD_PRELOAD=$(ldd "$BUILDDIR"/systemd | grep libasan.so | awk '{print $3}')
-
- mkdir -p "$DESTDIR/etc/systemd/system.conf.d"
-
- cat >"$DESTDIR/etc/systemd/system.conf.d/10-asan.conf" <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
- UBSAN_OPTIONS=$UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
- UBSAN_OPTIONS=$UBSAN_OPTIONS\\
- LD_PRELOAD=$LD_PRELOAD
-EOF
-
- # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
- # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
- # sanitizer failures appear directly on the user's console.
- mkdir -p "$DESTDIR/etc/systemd/system/systemd-journald.service.d"
-
- cat >"$DESTDIR/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf" <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
- # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
- # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
- # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
- # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
- mkdir -p "$DESTDIR/etc/systemd/system/console-getty.service.d"
-
- cat >"$DESTDIR/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf" <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
-fi
-
if [ -d mkosi.kernel/ ]; then
cd "$SRCDIR/mkosi.kernel"
mkdir -p "$BUILDDIR/mkosi.kernel"
diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 57db7ecda9..0eeee89052 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -4,8 +4,10 @@
[Output]
Bootable=yes
-# Prevent ASAN warnings when building the image
+# Prevent ASAN warnings when building the image and ship the real ASAN options prefixed with MKOSI_.
Environment=ASAN_OPTIONS=verify_asan_link_order=false
+ MKOSI_ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+ MKOSI_UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
OutputDirectory=mkosi.output
[Content]
diff --git a/mkosi.extra/etc/issue b/mkosi.extra/etc/issue
new file mode 100644
index 0000000000..6aa6fc0ec0
--- /dev/null
+++ b/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/test/mkosi-check-and-shutdown.service b/mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.service
index 6539325108..6539325108 100644
--- a/test/mkosi-check-and-shutdown.service
+++ b/mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.service
diff --git a/test/mkosi-check-and-shutdown.sh b/mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.sh
index b86d2d3e69..b86d2d3e69 100644..100755
--- a/test/mkosi-check-and-shutdown.sh
+++ b/mkosi.extra/etc/systemd/system/mkosi-check-and-shutdown.sh
diff --git a/mkosi.extra/root/.gdbinit b/mkosi.extra/root/.gdbinit
new file mode 100644
index 0000000000..522e1fecb6
--- /dev/null
+++ b/mkosi.extra/root/.gdbinit
@@ -0,0 +1,2 @@
+set debuginfod enabled off
+set build-id-verbose 0
diff --git a/mkosi.postinst b/mkosi.postinst
index fc2aeabf4e..0a6946e600 100755
--- a/mkosi.postinst
+++ b/mkosi.postinst
@@ -2,12 +2,41 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
if [ "$1" = "final" ]; then
- cat >>/root/.gdbinit <<EOF
-set debuginfod enabled off
-set build-id-verbose 0
+ if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
EOF
- if [ -n "$SANITIZERS" ]; then
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
# ASAN and syscall filters aren't compatible with each other.
find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
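Review bot: The output of the `ldd ... | grep libasan.so | awk` pipeline is written into `10-asan.conf` without checking that it found anything, so if `ldd` fails or the binary has no dynamic libasan dependency the file ends up with an empty `LD_PRELOAD=` in both `ManagerEnvironment=` and `DefaultEnvironment=`. Reusing the name `LD_PRELOAD` for the shell variable also means that, should it already be exported in the caller's environment, the following `mkdir`, `cat`, `find` and `sed` run with the sanitizer runtime preloaded. I would keep the path in a script-local name and stop when it is empty: `asan_rt=$(ldd /usr/lib/systemd/systemd | awk '/libasan\.so/ {print $3; exit}')` followed by `[ -n "$asan_rt" ] || { echo "libasan.so not found" >&2; exit 1; }`, then write `LD_PRELOAD=$asan_rt` in the heredoc. The unquoted heredoc likewise expands `$MKOSI_ASAN_OPTIONS` and `$MKOSI_UBSAN_OPTIONS` to nothing when they are unset, so they deserve the same non-empty check. The `if [ "$1" = "final" ]` block opens in this hunk and closes outside it.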
@@ -17,4 +46,20 @@ EOF
# Make sure dnsmasq.service doesn't start on boot on Debian/Ubuntu.
rm -f /etc/systemd/system/multi-user.target.wants/dnsmasq.service
+
+ if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+ fi
+
+ if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+ fi
fi
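Review bot: `$IMAGE_ID` and `$IMAGE_VERSION` are interpolated directly into the sed program in the two `-e "\$a..."` expressions, so a value containing a backslash or a newline is parsed as sed syntax instead of being written literally (a newline ends the appended text and the remainder is read as further sed commands). The `$a` command also never fires when `/usr/lib/os-release` is empty. Deleting the old key and appending with printf keeps the value as data: `sed -i '/^IMAGE_ID=/d' /usr/lib/os-release` then `printf 'IMAGE_ID=%s\n' "$IMAGE_ID" >>/usr/lib/os-release`, and likewise for `IMAGE_VERSION`. Values with spaces or shell metacharacters would additionally need quoting to remain valid os-release syntax. The closing `fi` ends the `final` block that was opened outside this hunk.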