mkosi: Introduce particle profile

Unfortunately the current mkosi partitioning setup is a bit too
avant-garde for the integration tests. Both in that distributions
aren't ready for it yet (some more than others), and that software
which we depend on in the integration tests isn't ready for it yet
(e.g. libselinux does not read its configuration from /usr).

Let's switch back to a more boring partitioning setup by default but
keep the fancy stuff around as a mkosi profile. This means that it
can still be used for manually testing stuff by running
"mkosi --profile particle -f qemu".
This commit is contained in:
Daan De Meyer 2024-04-29 22:13:11 +02:00
parent 1ce32f2f5f
commit e7c8507977
22 changed files with 71 additions and 66 deletions


@ -38,7 +38,6 @@ KernelCommandLine=systemd.crash_shell
[Host]
@Incremental=yes
@RuntimeSize=8G
@RuntimeBuildSources=yes
@QemuSmp=2
ToolsTreePackages=virtiofsd


@ -7,6 +7,7 @@ Dependencies=
[Output]
@Format=directory
RepartDirectories=mkosi.repart
[Content]
Autologin=yes
@ -61,7 +62,3 @@ Packages=
xfsprogs
zsh
zstd
[Validation]
@SecureBoot=yes
@SignExpectedPcr=yes
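Review bot: In the `@ -61,7 +62,3 @@` hunk the default configuration drops `[Validation]` with `@SecureBoot=yes` and `@SignExpectedPcr=yes`, and these settings now exist only in the new `Profile=particle` mkosi.conf elsewhere in this commit, so the default integration-test image is built without Secure Boot signing and without a signed PCR policy. Anything that exercises signed-UKI or measured-boot behaviour — presumably including the signed/unsigned addon pair that the new mkosi.postinst still builds by default — would then only get meaningful coverage under `--profile particle`. If that regression in default coverage is intended, a one-line comment at the place where `[Validation]` was removed, e.g. `# SecureBoot/SignExpectedPcr are enabled only in the particle profile`, would make the trade-off visible to the next person looking for why the default image is unsigned.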


@ -49,9 +49,6 @@ Packages=
rpm
rpm-build
rpmautospec
selinux-policy
selinux-policy-targeted
setools-console
squashfs-tools
util-linux
vim-common


@ -0,0 +1,12 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
Profile=!particle
[Content]
# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
# building a /usr-only image.
Packages=
selinux-policy
selinux-policy-targeted
setools-console


@ -3,6 +3,9 @@
[Match]
Distribution=centos
[Output]
RepartDirectories=mkosi.repart
[Content]
Packages=
rpmautospec-rpm-macros


@ -1,5 +0,0 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# CentOS does not support btrfs so we use xfs instead.
[Partition]
Format=xfs


@ -1,24 +0,0 @@
g root 0
g bin 1
g daemon 2
g sys 3
g adm 4
g tty 5
g disk 6
g lp 7
g mem 8
g kmem 9
g wheel 10
g cdrom 11
g mail 12
g man 15
g dialout 18
g floppy 19
g games 20
g tape 33
g video 39
g ftp 50
g lock 54
g audio 63
g users 100
g nobody 65534


@ -1,13 +0,0 @@
u root 0:0 "Super User" /root /bin/bash
u bin 1:1 "bin" /bin -
u daemon 2:2 "daemon" /sbin -
u adm 3:4 "adm" /var/adm -
u lp 4:7 "lp" /var/spool/lpd -
u sync 5:0 "sync" /sbin /bin/sync
u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
u halt 7:0 "halt" /sbin /sbin/halt
u mail 8:12 "mail" /var/spool/mail -
u operator 11:0 "operator" /root -
u games 12:100 "games" /usr/games -
u ftp 14:50 "FTP User" /var/ftp -
u nobody 65534:65534 "Kernel Overflow User" - -


@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
# population of xfs which is required for testing SELinux so let's do ext4 instead.
Format=ext4


@ -0,0 +1,15 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
Profile=particle
[Output]
RepartDirectories=
RepartDirectories=mkosi.repart
[Validation]
@SecureBoot=yes
@SignExpectedPcr=yes
[Host]
@RuntimeSize=8G


@ -4,5 +4,3 @@
Type=root
Format=btrfs
SizeMinBytes=1G
Subvolumes=/home /var
MakeDirectories=/home /var


@ -0,0 +1,15 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
# sbsign is not available on CentOS Stream
if command -v sbsign &>/dev/null; then
# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
addons_dir=/efi/loader/addons
mkdir -p "$addons_dir"
ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
fi
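Review bot: `set -e` on its own does not catch an unset `$BUILDROOT`, so if the variable is missing the `mkdir -p` and `cp --archive` lines operate on the host's `/usr/share/factory/mkosi` instead of the image; `set -eu` (or a leading `: "${BUILDROOT:?}"`) makes the script abort instead. The addon paths are also inconsistent with the factory copy: `addons_dir=/efi/loader/addons` and `mkdir -p "$addons_dir"` are absolute while the `/etc` copy is anchored under `"$BUILDROOT"`, so if this script runs outside the image root, as the `$BUILDROOT` usage suggests, the addons end up on the host rather than in the image — `addons_dir="$BUILDROOT"/efi/loader/addons` would keep both consistent, and if it does run chrooted a comment saying so would prevent the same question next time. Separately, the guard tests for `sbsign` but the two calls are to `ukify`, so a host with sbsign installed but no ukify fails under `set -e` rather than skipping; `if command -v sbsign &>/dev/null && command -v ukify &>/dev/null; then` makes the skip explicit.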


@ -0,0 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=esp
Format=vfat
CopyFiles=/boot:/
CopyFiles=/efi:/
SizeMinBytes=1G
SizeMaxBytes=1G


@ -1,5 +0,0 @@
#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi


@ -65,15 +65,6 @@ fi
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf
# sbsign is not available on CentOS Stream
if command -v sbsign &>/dev/null; then
# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
addons_dir=/efi/loader/addons
mkdir -p "$addons_dir"
ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
fi
for f in "$BUILDROOT"/usr/share/*.verity.sig; do
jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
done


@ -0,0 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=root
Format=btrfs
CopyFiles=/
SizeMinBytes=8G
SizeMaxBytes=8G


@ -0,0 +1,2 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# This file exists to create the particle profile which is matched on by other configuration files.