diff options
| author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-04-25 16:04:49 +0200 |
|---|---|---|
| committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-05-01 15:39:50 +0200 |
| commit | d052cc88932926f964bcf227c1c5032c5400cd4a (patch) | |
| tree | ffff1487d6835c6359cf25334fd75ee589391540 /mkosi.presets | |
| parent | d9081eb0ae848b5066edc1b20b36a35729577edd (diff) | |
| download | systemd-d052cc88932926f964bcf227c1c5032c5400cd4a.tar.gz | |
mkosi: Switch to use mkosi presets with prebuilt initrds
Instead of building the initrds for the mkosi images with dracut,
let's switch to using mkosi presets to build the initrd with mkosi
as well.
This commit splits up our single image build into three separate
mkosi presets:
1. The "base" preset. This image contains systemd and all its runtime
dependencies. The sole purpose of this image is to serve as a base image
for the initrd and the final image. It's also responsible for building
systemd from source with the build script. The results are installed into
the base image. Note that we install the systemd and udev packages into this
image as well to prevent package managers from overriding the systemd we built
from source with the distro packaged systemd if it's pulled in as a dependency
by another package from the initrd or final profiles.
2. The "initrd" preset. This image provides the initrd. It's trivial and does
nothing more than packaging the base image up as a zstd compressed initramfs and
adds /init and /etc/initrd-release symlinks to the image.
3. The "final" preset. This image builds on top of the base image and adds
a kernel and extra packages that are useful for testing and debugging.
We also split out the optional kernel build into a separate set of config files
that are only included if a kernel to build is actually provided.
Note that this commit doesn't really change anything about how mkosi is used.
The commands remain the same, except that mkosi will now build all the presets
in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu,
boot, shell" will always boot the final preset. With "-f", all presets will be
built and the final one is booted. "-i" makes a cache of each preset.
The only thing to keep in mind is that specifying config via the mkosi CLI will
apply to each of the presets. e.g. any extra packages added with "-p" will be
installed in both the initrd and the final image. To apply local configuration
to a single preset, create a file 00-local.conf in
mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration
in there.
Diffstat (limited to 'mkosi.presets')
38 files changed, 1266 insertions, 0 deletions
diff --git a/mkosi.presets/00-base/mkosi.build b/mkosi.presets/00-base/mkosi.build new file mode 100755 index 0000000000..e19251157d --- /dev/null +++ b/mkosi.presets/00-base/mkosi.build @@ -0,0 +1,164 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). +# Simply invoke "mkosi" in the project directory to build an OS image. + +# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it +# as out-of-tree build dir. Otherwise, let's make up our own builddir. +[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build + +# Let's make sure we're using stuff from the build directory first if available there. +PATH="$BUILDDIR:$PATH" +export PATH + +# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and +# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override +# the ubuntu script with a symlink to the first bpftool program we can find. +for bpftool in /usr/lib/linux-tools/*/bpftool; do + [ -x "$bpftool" ] || continue + ln -sf "$bpftool" "$BUILDDIR"/bpftool + break +done + +# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the +# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports +# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. +if [ "$(grep '^ID=' /etc/os-release)" = "ID=\"centos\"" ] && [ "$(grep '^VERSION=' /etc/os-release)" = "VERSION=\"8\"" ]; then + cat >"$BUILDDIR"/bpftool <<EOF +#!/bin/sh +if [ "\$1" = --version ]; then + echo 5.6.0 +else + exec /usr/sbin/bpftool \$@ +fi +EOF + chmod +x "$BUILDDIR"/bpftool +fi + +if [ ! -f "$BUILDDIR"/build.ninja ] ; then + sysvinit_path=$(realpath /etc/init.d) + + init_path=$(realpath /sbin/init 2>/dev/null) + if [ -z "$init_path" ] ; then + rootprefix="" + else + rootprefix=${init_path%/lib/systemd/systemd} + rootprefix=/${rootprefix#/} + fi + + # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/. + # It is important to use the right one especially for cryptsetup plugins, otherwise they will be + # installed in the wrong directory and not be found by cryptsetup. Assume native build. + if grep -q -e "ID=debian" -e "ID_LIKE=debian" /etc/os-release && command -v dpkg 2>/dev/null; then + LIBDIR="-Drootlibdir=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" + PAMDIR="-Dpamlibdir=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" + fi + + # Cannot quote $LIBDIR and $PAMDIR, because they may be empty, and meson will fail. + # shellcheck disable=SC2086 + meson setup "$BUILDDIR" \ + ${LIBDIR:-} \ + ${PAMDIR:-} \ + -D "sysvinit-path=$sysvinit_path" \ + -D "rootprefix=$rootprefix" \ + -D default-timeout-sec=${DEFAULT_TIMEOUT_SEC:-10} \ + -D default-user-timeout-sec=${DEFAULT_TIMEOUT_SEC:-10} \ + -D man=false \ + -D translations=false \ + -D version-tag="${VERSION_TAG}" \ + -D mode=developer \ + -D b_sanitize="${SANITIZERS:-none}" \ + -D install-tests=true \ + -D tests=unsafe \ + -D slow-tests=true \ + -D utmp=true \ + -D hibernate=true \ + -D ldconfig=true \ + -D resolve=true \ + -D efi=true \ + -D tpm=true \ + -D environment-d=true \ + -D binfmt=true \ + -D repart=true \ + -D sysupdate=true \ + -D coredump=true \ + -D pstore=true \ + -D oomd=true \ + -D logind=true \ + -D hostnamed=true \ + -D localed=true \ + -D machined=true \ + -D portabled=true \ + -D sysext=true \ + -D userdb=true \ + -D homed=true \ + -D networkd=true \ + -D timedated=true \ + -D timesyncd=true \ + -D remote=true \ + -D nss-myhostname=true \ + -D nss-mymachines=true \ + -D nss-resolve=true \ + -D nss-systemd=true \ + -D firstboot=true \ + -D randomseed=true \ + -D backlight=true \ + -D vconsole=true \ + -D quotacheck=true \ + -D sysusers=true \ + -D tmpfiles=true \ + -D importd=true \ + -D hwdb=true \ + -D rfkill=true \ + -D xdg-autostart=true \ + -D translations=true \ + -D polkit=true \ + -D acl=true \ + -D audit=true \ + -D blkid=true \ + -D fdisk=true \ + -D kmod=true \ + -D pam=true \ + -D pwquality=true \ + -D microhttpd=true \ + -D libcryptsetup=true \ + -D libcurl=true \ + -D idn=true \ + -D libidn2=true \ + -D qrencode=true \ + -D gcrypt=true \ + -D gnutls=true \ + -D openssl=true \ + -D cryptolib=openssl \ + -D p11kit=true \ + -D libfido2=true \ + -D tpm2=true \ + -D elfutils=true \ + -D zstd=true \ + -D xkbcommon=true \ + -D pcre2=true \ + -D glib=true \ + -D dbus=true \ + -D bootloader=true \ + -D kernel-install=true \ + -D analyze=true \ + -D bpf-framework=true \ + -D ukify=true +fi + +ninja -C "$BUILDDIR" "$@" +if [ "$WITH_TESTS" = 1 ] ; then + if [ -n "$SANITIZERS" ]; then + export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS" + export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS" + TIMEOUT_MULTIPLIER=3 + else + TIMEOUT_MULTIPLIER=1 + fi + + meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER +fi + +meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed diff --git a/mkosi.presets/00-base/mkosi.conf b/mkosi.presets/00-base/mkosi.conf new file mode 100644 index 0000000000..a65d427067 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf @@ -0,0 +1,34 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Output] +Format=directory + +[Content] +Bootable=no +BuildSources=../.. +CleanPackageMetadata=no +Packages= + kmod + less + systemd + udev + +BuildPackages= + acl + diffutils + gawk + binutils + clang + gettext + git + gperf + grep + lld + llvm + make + meson + pkgconf + rsync + sed + tar + zstd diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf b/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000000..473d199718 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf @@ -0,0 +1,31 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + gnutls + libbpf + libfido2 + libmicrohttpd + libnftnl + libpwquality + libxkbcommon + openssl + qrencode + systemd-sysvcompat + tpm2-tss + +BuildPackages= + bpf + docbook-xsl + glib2 + libxslt + linux-api-headers + perl + python + python-jinja + python-lxml + python-pefile + python-pyelftools diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000000..090daf60db --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos fedora + +[Content] +Packages= + audit-libs + cryptsetup-libs + gnutls + libasan + libbpf + libfido2 + libgcrypt + libmicrohttpd + libnftnl + libubsan + libxcrypt + libxkbcommon + openssl-libs + qrencode-libs + tpm2-tss + util-linux + +BuildPackages= + /usr/bin/pkg-config + bpftool + docbook-xsl + findutils + libxslt + pam-devel + perl-interpreter + pkgconfig(audit) + pkgconfig(blkid) + pkgconfig(bzip2) + pkgconfig(dbus-1) + pkgconfig(fdisk) + pkgconfig(glib-2.0) + pkgconfig(gnutls) + pkgconfig(libacl) + pkgconfig(libbpf) + pkgconfig(libcap) + pkgconfig(libcryptsetup) + pkgconfig(libcurl) + pkgconfig(libdw) + pkgconfig(libfido2) + pkgconfig(libidn2) + pkgconfig(libkmod) + pkgconfig(libmicrohttpd) + pkgconfig(libnftnl) + pkgconfig(libpcre2-8) + pkgconfig(libqrencode) + pkgconfig(libseccomp) + pkgconfig(libselinux) + pkgconfig(libzstd) + pkgconfig(mount) + pkgconfig(numa) + pkgconfig(openssl) + pkgconfig(openssl) + pkgconfig(p11-kit-1) + pkgconfig(pwquality) + pkgconfig(tss2-esys) + pkgconfig(tss2-mu) + pkgconfig(tss2-rc) + pkgconfig(valgrind) + pkgconfig(xkbcommon) + rpm diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000000..f5c3afbef4 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf @@ -0,0 +1,66 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian ubuntu + +[Content] +Packages= + libfdisk1 + libfido2-1 + libglib2.0-0 + libgnutls30 + libidn2-0 + libmicrohttpd12 + libnftnl11 + libp11-kit0 + libpam0g + libpwquality1 + libqrencode4 + libssl3 + libtss2-dev # Use the -dev package to avoid churn in updating version numbers + systemd + systemd-sysv + tzdata + +BuildPackages= + docbook-xsl + dpkg-dev + g++ + libacl1-dev + libaudit-dev + libblkid-dev + libbpf-dev + libbz2-dev + libcap-dev + libcryptsetup-dev + libcurl4-openssl-dev + libdbus-1-dev + libdw-dev + libfdisk-dev + libfido2-dev + libgcrypt20-dev + libglib2.0-dev + libgnutls28-dev + libidn2-dev + libiptc-dev + libkmod-dev + libmicrohttpd-dev + libmount-dev + libnftnl-dev + libp11-kit-dev + libpam0g-dev + libpwquality-dev + libqrencode-dev + libseccomp-dev + libsmartcols-dev + libssl-dev + libxen-dev + libxkbcommon-dev + libzstd-dev + python3 + python3-jinja2 + python3-lxml + python3-pefile + python3-pyelftools + python3-pytest + xsltproc diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf new file mode 100644 index 0000000000..020b02b61c --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian + +[Content] +Packages= + libbpf1 + +BuildPackages= + bpftool diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf b/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000000..035715979c --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +BuildPackages= + pkgconfig(libgcrypt) + pkgconfig(xencontrol) + python3 + python3dist(jinja2) + python3dist(lxml) + python3dist(pefile) + python3dist(pyelftools) + python3dist(pytest) diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000000..b8bce7148e --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,81 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +# We install gawk, gzip, grep, xz here explicitly so that the busybox versions don't get installed instead. +Packages= + gawk + grep + gzip + libbpf1 + libcrypt1 + libcryptsetup12 + libdw1 + libelf1 + libfido2 + libgcrypt20 + libglib-2_0-0 + libkmod2 + libmount1 + libnftnl11 + libopenssl3 + libp11-kit0 + libqrencode4 + libseccomp2 + libxkbcommon0 + libzstd1 + pam + shadow + tpm2-0-tss + xz + +BuildPackages= + audit-devel + bpftool + dbus-1-devel + docbook-xsl-stylesheets + fdupes + gcc-c++ + glib2-devel + glibc-locale + intltool + libacl-devel + libapparmor-devel + libblkid-devel + libbpf-devel + libcap-devel + libcryptsetup-devel + libcurl-devel + libdw-devel + libelf-devel + libfdisk-devel + libfido2-devel + libgcrypt-devel + libgnutls-devel + libkmod-devel + libmicrohttpd-devel + libmount-devel + libnftnl-devel + libpwquality-devel + libseccomp-devel + libselinux-devel + libxkbcommon-devel + libxslt-tools + libzstd-devel + openssl-devel + pam-devel + pciutils-devel + python3 + python3-Jinja2 + python3-lxml + python3-pefile + python3-pyelftools + python3-pytest + qrencode-devel + shadow + systemd-sysvinit + timezone + tpm2-0-tss-devel + xen-devel diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000000..717809fd03 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + libbpf0 + +BuildPackages= + linux-tools-common + linux-tools-generic diff --git a/mkosi.presets/00-base/mkosi.conf.d/11-centos-8.conf b/mkosi.presets/00-base/mkosi.conf.d/11-centos-8.conf new file mode 100644 index 0000000000..ef001c92c9 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/11-centos-8.conf @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos +Release=8 + +[Content] +BuildPackages= + libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file. + platform-python + python3.9dist(jinja2) + python3.9dist(lxml) + python3.9dist(pefile) + python3.9dist(pyelftools) + python3.9dist(pytest) + python39 diff --git a/mkosi.presets/00-base/mkosi.conf.d/11-centos-9.conf b/mkosi.presets/00-base/mkosi.conf.d/11-centos-9.conf new file mode 100644 index 0000000000..61c1d27f44 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.conf.d/11-centos-9.conf @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos +Release=9 + +[Content] +BuildPackages= + pkgconfig(libgcrypt) + platform-python + python3dist(jinja2) + python3dist(lxml) + python3dist(pefile) + python3dist(pyelftools) + python3dist(pytest) diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset new file mode 100644 index 0000000000..64baf3ba6e --- /dev/null +++ b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# mkosi adds its own ssh units via the --ssh switch so disable the default ones. +disable ssh.service +disable sshd.service + +# These are started manually in integration tests so don't start them by default. +disable dnsmasq.service +disable isc-dhcp-server.service +disable isc-dhcp-server6.service + +# Pulled in via dracut-network by kexec-tools on Fedora. +disable NetworkManager.service + +# Make sure dbus-broker is started by default on Debian/Ubuntu. +enable dbus-broker.service + +# systemd-networkd is disabled by default on Fedora so make sure it is enabled. +enable systemd-networkd.service diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset new file mode 100644 index 0000000000..710ee7c6f9 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# Make sure that services are disabled by default (primarily for Debian/Ubuntu). +disable * diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf new file mode 100644 index 0000000000..e1a8e8171a --- /dev/null +++ b/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf @@ -0,0 +1 @@ +L /etc/default/locale - - - - ../locale.conf diff --git a/mkosi.presets/00-base/mkosi.prepare b/mkosi.presets/00-base/mkosi.prepare new file mode 100755 index 0000000000..269ba3e153 --- /dev/null +++ b/mkosi.presets/00-base/mkosi.prepare @@ -0,0 +1,18 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ]; then + . /etc/os-release + + if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 + alternatives --set python3 /usr/bin/python3.9 + fi + + # Make sure the necessary test users are available in the build image. We do this here because the build + # script does not run as root. + for id in 1 2 3; do + getent group $id >/dev/null || echo "g testgroup$id $id -" | systemd-sysusers - + done +fi diff --git a/mkosi.presets/10-initrd.conf b/mkosi.presets/10-initrd.conf new file mode 100644 index 0000000000..4201770f2e --- /dev/null +++ b/mkosi.presets/10-initrd.conf @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Output] +Format=cpio +# TODO: Switch to zstd once we stop building CentOS Stream 8. +CompressOutput=xz + +[Content] +BaseTrees=mkosi.output/base +MakeInitrd=yes + +# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it +# doesn't end up in the initrd. +RemoveFiles= + /usr/lib/libgfortran.so* + /usr/lib/libgo.so* + /usr/lib/libgomp.so* + /usr/lib/libgphobos.so* + /usr/lib/libobjc.so* + /usr/lib/libstdc++.so* diff --git a/mkosi.presets/20-final/mkosi.build b/mkosi.presets/20-final/mkosi.build new file mode 100755 index 0000000000..ed355abd20 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.build @@ -0,0 +1,32 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ -d "$SRCDIR"/mkosi.kernel/ ]; then + SRCDIR="$SRCDIR/mkosi.kernel" + BUILDDIR="$BUILDDIR/mkosi.kernel" + cd "$SRCDIR" + mkdir -p "$BUILDDIR" + + # Ensure fast incremental builds by fixating these values which usually change for each build. + export KBUILD_BUILD_TIMESTAMP="Fri Jun 5 15:58:00 CEST 2015" + export KBUILD_BUILD_HOST="mkosi" + + scripts/kconfig/merge_config.sh -O "$BUILDDIR" \ + ../mkosi.kernel.config \ + tools/testing/selftests/bpf/config.x86_64 \ + tools/testing/selftests/bpf/config + + # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version. + make O="$BUILDDIR" VERSION=99 -j "$(nproc)" + + KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease) + mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" + make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install + make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install + mkdir -p "$DESTDIR/usr/lib/kernel/selftests" + make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install + + mkdir -p "$DESTDIR"/usr/bin + ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool" +fi diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf new file mode 100644 index 0000000000..d15a17a161 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf @@ -0,0 +1,38 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Content] +BaseTrees=../../mkosi.output/base +ExtraTrees=../../src:/root/src +Initrds=../../mkosi.output/initrd.cpio.xz +Packages= + acl + bash-completion + coreutils + diffutils + dnsmasq + dosfstools + e2fsprogs + findutils + gcc # Sanitizer libraries + gdb + grep + kbd + kexec-tools + less + mtools + nano + nftables + openssl + qrencode + sed + strace + tree + util-linux + valgrind + wireguard-tools + xfsprogs + zsh + +[Validation] +Password= +Autologin=yes diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf new file mode 100644 index 0000000000..b0bbcf0c6a --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=arch + +[Content] +Packages= + btrfs-progs + compsize + dhcp + f2fs-tools + glib2 + iproute + linux + man-db + openbsd-netcat + openssh + polkit + python-pefile + python-psutil + python-pytest + python3 + quota-tools + shadow + vim diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf new file mode 100644 index 0000000000..d89f827839 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos fedora + +[Content] +Packages= + cryptsetup + dhcp-server + dnf + glib2 + iproute + iproute-tc + kernel-core + libcap-ng-utils + netcat + openssh-server + p11-kit + pam + passwd + polkit + procps-ng + quota + vim-common diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf new file mode 100644 index 0000000000..804aa67228 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian ubuntu + +[Content] +Packages= + btrfs-progs + cryptsetup-bin + dbus-broker + default-dbus-session-bus + f2fs-tools + fdisk + iproute2 + isc-dhcp-server + libcap-ng-utils + netcat-openbsd + openssh-server + passwd + policykit-1 + procps + python3 + python3-pefile + python3-psutil + python3-pytest + quota + xxd diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf new file mode 100644 index 0000000000..3eb7a5453e --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=debian + +[Content] +Packages= + linux-image-cloud-amd64 diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf new file mode 100644 index 0000000000..5ae623e47d --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=fedora + +[Content] +Packages= + btrfs-progs + compsize + f2fs-tools + python3 + python3dist(pefile) + python3dist(psutil) + python3dist(pytest) diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf new file mode 100644 index 0000000000..f948dd6a37 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=opensuse + +[Content] +Packages= + btrfs-progs + cryptsetup + dbus-broker + f2fs-tools + glibc-locale-base + kernel-default + libcap-ng-utils + openssh-server + python3 + python3-pefile + python3-psutil + python3-pytest + quota + shadow + vim diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf new file mode 100644 index 0000000000..eb88ca7644 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=ubuntu + +[Content] +Packages= + linux-virtual diff --git a/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf b/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf new file mode 100644 index 0000000000..2fa476454d --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos +Release=8 + +[Content] +Packages= + platform-python + python3.9dist(pefile) + python3.9dist(pluggy) # python39-pluggy is a pytest dependency that's not installed for some reason. + python3.9dist(psutil) + python3.9dist(pytest) + python39 diff --git a/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf b/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf new file mode 100644 index 0000000000..d6ab3ee1c3 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +Distribution=centos +Release=9 + +[Content] +Packages= + platform-python + python3dist(pefile) + python3dist(pluggy) # python39-pluggy is a pytest dependency that's not installed for some reason. + python3dist(psutil) + python3dist(pytest) diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf new file mode 100644 index 0000000000..6ac0b58495 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ +Distribution=arch + +[Content] +Packages= + alsa-lib + fuse2 + libcap + libcap-ng + libelf + libmnl + numactl + popt + +BuildPackages= + pahole + python-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf new file mode 100644 index 0000000000..c42f9916ee --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf @@ -0,0 +1,34 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ +Distribution=centos fedora + +[Content] +Packages= + alsa-lib + elfutils-libelf + fuse + glibc.i686 + libcap + libcap-ng + libcap-ng-utils + libmnl + numactl-libs + popt + +BuildPackages= + dwarves + glibc-devel.i686 + glibc-static + glibc-static.i686 + pkgconfig(alsa) + pkgconfig(fuse) + pkgconfig(libcap-ng) + pkgconfig(libcap) + pkgconfig(libelf) + pkgconfig(libmnl) + pkgconfig(numa) + pkgconfig(openssl) + pkgconfig(popt) + python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf new file mode 100644 index 0000000000..00338fa4d1 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ +Distribution=debian ubuntu + +[Content] +Packages= + fuse + libasound2 + libc6-i386 + libcap-ng0 + libcap2 + libelf1 + libmnl0 + libnuma1 + libpopt0 + +BuildPackages= + gcc-multilib + libasound-dev + libc6-dev + libc6-dev-i686 + libcap-ng-dev + libcap-dev + libelf-dev + libfuse-dev + libmnl-dev + libnuma-dev + libpopt-dev + pahole + python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf new file mode 100644 index 0000000000..ea94c14346 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ +Distribution=fedora + +[Content] +BuildPackages= + libcap-static diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf new file mode 100644 index 0000000000..aec631f1af --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ +Distribution=opensuse + +[Content] +Packages= + fuse + glibc-32bit + libasound2 + libcap-ng0 + libcap2 + libelf1 + libmnl0 + libnuma1 + libpopt0 + +BuildPackages= + alsa-devel + dwarves + fuse-devel + gcc-32bit + glibc-devel-32bit + glibc-devel-static-32bit + glibc-static + libcap-devel + libcap-ng-dev + libelf-devel + liblz4-dev + libmnl-dev + libnuma-devel + pcre-devel + popt-devel + python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf new file mode 100644 index 0000000000..5505b41a86 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Match] +PathExists=mkosi.kernel/ + +[Content] +BuildSources=./ +BuildPackages= + bc + binutils + bison + clang + flex + gcc + lld + llvm + make + make + rsync + tar diff --git a/mkosi.presets/20-final/mkosi.extra/etc/issue b/mkosi.presets/20-final/mkosi.extra/etc/issue new file mode 100644 index 0000000000..6aa6fc0ec0 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.extra/etc/issue @@ -0,0 +1,2 @@ +\S (built from systemd tree) +Kernel \r on an \m (\l) diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh new file mode 100755 index 0000000000..b86d2d3e69 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh @@ -0,0 +1,15 @@ +#!/bin/bash -eux +# SPDX-License-Identifier: LGPL-2.1-or-later + +systemctl --failed --no-legend | tee /failed-services + +# Check that secure boot keys were properly enrolled. +if [[ -d /sys/firmware/efi/efivars/ ]]; then + cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1') + cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0') +fi + +# Exit with non-zero EC if the /failed-services file is not empty (we have -e set) +[[ ! -s /failed-services ]] + +: >/testok diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service new file mode 100644 index 0000000000..6539325108 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Check if any service failed and then shutdown the machine +After=multi-user.target network-online.target +Requires=multi-user.target +Wants=systemd-resolved.service systemd-networkd.service network-online.target +OnFailure=poweroff.target +OnFailureJobMode=replace-irreversibly + +[Service] +Type=oneshot +ExecStartPre=-rm -f /failed-services +ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh +ExecStartPost=systemctl poweroff --no-block diff --git a/mkosi.presets/20-final/mkosi.kernel.config b/mkosi.presets/20-final/mkosi.kernel.config new file mode 100644 index 0000000000..ab3ffe2fea --- /dev/null +++ b/mkosi.presets/20-final/mkosi.kernel.config @@ -0,0 +1,204 @@ +# CONFIG_COMPAT_BRK is not set +# CONFIG_LEGACY_PTYS is not set +CONFIG_ATA=y +CONFIG_AUTOFS4_FS=y +CONFIG_BINFMT_MISC=y +CONFIG_BLK_CGROUP_IOCOST=y +CONFIG_BLK_CGROUP_IOLATENCY=y +CONFIG_BLK_CGROUP_IOPRIO=y +CONFIG_BLK_CGROUP=y +CONFIG_BLK_DEV_DM=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_MD=y +CONFIG_BLK_DEV_SD=y +CONFIG_BLK_DEV_SR=y +CONFIG_BPF_EVENTS=y +CONFIG_BPF_JIT=y +CONFIG_BPF_LSM=y +CONFIG_BPF_SYSCALL=y +CONFIG_BPF=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BTRFS_FS_POSIX_ACL=y +CONFIG_BTRFS_FS=y +CONFIG_CFG80211=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_CGROUP_BPF=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CGROUP_MISC=y +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_RDMA=y +CONFIG_CGROUP_SCHED=y +CONFIG_CGROUPS=y +CONFIG_CONNECTOR=y +CONFIG_CPUSETS=y +CONFIG_CRASH_DUMP=y +CONFIG_DEBUG_INFO_BTF=y +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_DEVTMPFS=y +CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y +CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y +CONFIG_DM_VERITY=y +CONFIG_DMI_SYSFS=y +CONFIG_DMI=y +CONFIG_EFI_MIXED=y +CONFIG_EFI_STUB=y +CONFIG_EFI_ZBOOT=y +CONFIG_EFI=y +CONFIG_EXPERT=y +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_EXT4_FS=y +CONFIG_HIBERNATION=y +CONFIG_HIDRAW=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_HOTPLUG_PCI=y +CONFIG_HPET=y +CONFIG_HUGETLBFS=y +CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_HW_RANDOM=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_IKCONFIG_PROC=y +CONFIG_IKCONFIG=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA=y +CONFIG_INET=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +CONFIG_INPUT_EVDEV=y +CONFIG_INPUT_MISC=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_MACHINE_KEYRING=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_IOSCHED_BFQ=y +CONFIG_IP_ADVANCED_ROUTER=y +CONFIG_IP_MULTICAST=y +CONFIG_IP_MULTIPLE_TABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_PNP_BOOTP=y +CONFIG_IP_PNP_DHCP=y +CONFIG_IP_PNP=y +CONFIG_IP_ROUTE_MULTIPATH=y +CONFIG_IP_ROUTE_VERBOSE=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_TARGET_REJECT=y +CONFIG_ISO9660_FS=y +CONFIG_KEXEC=y +CONFIG_KPROBES=y +CONFIG_LOAD_UEFI_KEYS=y +CONFIG_MAC80211=y +CONFIG_MAGIC_SYSRQ=y +CONFIG_MD=y +CONFIG_MEMCG_KMEM=y +CONFIG_MEMCG=y +CONFIG_MICROCODE_AMD=y +CONFIG_MODULE_FORCE_UNLOAD=y +CONFIG_MODULE_UNLOAD=y +CONFIG_MODULES=y +CONFIG_MSDOS_FS=y +CONFIG_NAMESPACES=y +CONFIG_NET_9P_VIRTIO=y +CONFIG_NET_9P=y +CONFIG_NET_CLS_ACT=y +CONFIG_NET_CLS_CGROUP=y +CONFIG_NET_EMATCH=y +CONFIG_NET_SCHED=y +CONFIG_NET=y +CONFIG_NETCONSOLE=y +CONFIG_NETDEVICES=y +CONFIG_NETFILTER_ADVANCED=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +CONFIG_NETFILTER=y +CONFIG_NETLABEL=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_IRC=y +CONFIG_NF_CONNTRACK_SIP=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_CT_NETLINK=y +CONFIG_NF_NAT=y +CONFIG_NLS_ASCII=y +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_UTF8=y +CONFIG_NO_HZ_FULL=y +CONFIG_NUMA=y +CONFIG_NVRAM=y +CONFIG_PACKET=y +CONFIG_PARAVIRT=y +CONFIG_PCI=y +CONFIG_PCIEPORTBUS=y +CONFIG_PERF_EVENTS=y +CONFIG_PM_DEBUG=y +CONFIG_PM_TRACE_RTC=y +CONFIG_POSIX_MQUEUE=y +CONFIG_PRINTK_TIME=y +CONFIG_PROC_KCORE=y +CONFIG_PROFILING=y +CONFIG_PSI=y +CONFIG_QUOTA_NETLINK_INTERFACE=y +CONFIG_QUOTA=y +CONFIG_RFKILL=y +CONFIG_RTC_CLASS=y +CONFIG_SATA_AHCI=y +CONFIG_SCSI_CONSTANTS=y +CONFIG_SCSI_SPI_ATTRS=y +CONFIG_SCSI_VIRTIO=y +CONFIG_SCSI=y +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_YAMA=y +CONFIG_SECURITY=y +CONFIG_SERIAL_8250_CONSOLE=y +CONFIG_SERIAL_8250_PCI=y +CONFIG_SERIAL_8250=y +CONFIG_SMP=y +CONFIG_SWAP=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSVIPC=y +CONFIG_TMPFS_POSIX_ACL=y +CONFIG_TMPFS_XATTR=y +CONFIG_TMPFS=y +CONFIG_UNIX=y +CONFIG_USB_ANNOUNCE_NEW_DEVICES=y +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_MON=y +CONFIG_USB_OHCI_HCD=y +CONFIG_USB_STORAGE=y +CONFIG_USB_UHCI_HCD=y +CONFIG_USB_XHCI_HCD=y +CONFIG_USB=y +CONFIG_USER_NS=y +CONFIG_VFAT_FS=y +CONFIG_VIRTIO_BLK=y +CONFIG_VIRTIO_CONSOLE=y +CONFIG_VIRTIO_INPUT=y +CONFIG_VIRTIO_NET=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_VSOCKETS=y +CONFIG_VSOCKETS=y +CONFIG_WATCHDOG=y +CONFIG_X86_ACPI_CPUFREQ=y +CONFIG_X86_CPUID=y +CONFIG_X86_MSR=y +CONFIG_XFRM_USER=y +CONFIG_XFS_FS=y +CONFIG_XFS_POSIX_ACL=y diff --git a/mkosi.presets/20-final/mkosi.postinst b/mkosi.presets/20-final/mkosi.postinst new file mode 100755 index 0000000000..4339d7fd22 --- /dev/null +++ b/mkosi.presets/20-final/mkosi.postinst @@ -0,0 +1,82 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later + +if [ "$1" = "build" ]; then + exit 0 +fi + +if [ -n "$SANITIZERS" ]; then + LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') + + mkdir -p /etc/systemd/system.conf.d + + cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF +[Manager] +ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ + UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ + LD_PRELOAD=$LD_PRELOAD +DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ + UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ + LD_PRELOAD=$LD_PRELOAD +EOF + + # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose + # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any + # sanitizer failures appear directly on the user's console. + mkdir -p /etc/systemd/system/systemd-journald.service.d + cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF +[Service] +StandardOutput=tty +EOF + + # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users. + # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As + # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login + # from calling vhangup() so that journald's ASAN logs correctly end up in the console. + + mkdir -p /etc/systemd/system/console-getty.service.d + cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF +[Service] +TTYVHangup=no +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +EOF + # ASAN and syscall filters aren't compatible with each other. + find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + + + # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. + systemctl mask systemd-hwdb-update.service +fi + +if [ -n "$IMAGE_ID" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_ID=/!p' \ + -e "\$aIMAGE_ID=$IMAGE_ID" \ + /usr/lib/os-release +fi + +if [ -n "$IMAGE_VERSION" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_VERSION=/!p' \ + -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ + /usr/lib/os-release +fi + +if command -v authselect >/dev/null; then + authselect select minimal + + if authselect list-features minimal | grep -q "with-homed"; then + authselect enable-feature with-homed + fi +fi + +# Let tmpfiles.d/systemd-resolve.conf handle the symlink +rm -f /etc/resolv.conf + +. /etc/os-release + +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 + alternatives --set python3 /usr/bin/python3.9 +fi |