meson does not support changing compilation flags on the fly, when
doing so, the entire build directory has to be cleared explicitly, so
let's add a way to do that by setting WIPE=1.
Let's also allow developers to specify their own meson options via
$MESON_OPTIONS.
If the none format is specified, we don't use the extra trees at all
so let's make the dependencies on the subimages conditional on Format=
not being set to "none".
This speeds up builds when using Format=none.
When we query dependencies with rpmspec, we get the following:
"""
bash-5.2# mkosi-chroot rpmspec --with upstream --query --requires --define "_topdir /var/tmp" --define "_sourcedir pkg/fedora" "pkg/fedora/systemd.spec" | sort --unique
(grubby > 8.40-72 if grubby)
(sdubby > 1.0-3 if sdubby)
(systemd-rpm-macros = 256~rc3-1.fc41 if rpm-build)
(util-linux-core or util-linux)
/bin/sh
coreutils
dbus >= 1.9.18
firewalld-filesystem
grep
kbd
kmod >= 18-4
libidn2.so.0()(64bit)
libidn2.so.0(IDN2_0.0.0)(64bit)
libkmod.so.2()(64bit)
libkmod.so.2(LIBKMOD_5)(64bit)
openssl-libs
python3dist(cryptography)
python3dist(pefile)
python3dist(psutil)
python3dist(zstd)
systemd = 256~rc3-1.fc41
systemd(x86-64) = 256~rc3-1.fc41
systemd-boot
systemd-libs(x86-64) = 256~rc3-1.fc41
systemd-networkd = 256~rc3-1.fc41
systemd-pam(x86-64) = 256~rc3-1.fc41
systemd-udev = 256~rc3-1.fc41
"""
Trying to install with dnf5 correctly filters out grubby and sdubby
as they are conditional dependencies and shouldn't be installed. However,
dnf doesn't do the right thing and tries to install both grubby and sdubby,
and since they conflict this causes the build to fail.
Let's filter out sdubby and grubby explicitly to work around the bug in dnf
as it's unlikely to get fixed since all development effort is now focused on
dnf5.
- Let's set the environment on the kernel command line so it applies
to initrd and main system.
- Let's add the necessary wrappers that are also added in test-functions.
Unlike test-functions we don't use gcc/clang to get the library path as
that requires installing gcc/clang in the initrd.
- Let's drop the hack to get journald writing to the console and have
it write to kmsg instead. We'll get the output either way.
- Stop removing libstdc++ and sanitizer libraries from Arch Linux
initrds and other images as it's required by the sanitizer libraries.
- Add a workaround for specifying extra meson options for opensuse
- Add a leak sanitizer suppression file as a workaround for a false
positive leak in verify_selinuxmnt() in libselinux. We do a soname match
because the stacktrace can't be properly symbolized on Debian.
This reverts commit e74a994ebf.
The description in that commit was confused, add-determinism was not broken
and was not causing any problems, except a log message.
Since rpm 4.20 it tries to fix the permissions of all source files
in the sources. This takes forever and fails in our case with a
permission error. Since we don't want rpm touching our source files,
override the script to be a noop.
This was added for reproducible builds which we don't really care
about when building rpms in mkosi, so disable it from running as it's
broken and breaks our rpm builds.
The corresponding bug was fixed in rpm 4.20 (of which the alpha is in
rawhide as rpm 4.19.91) so skip the workaround when we detect a newer
rpm version.
Unfortunately, git submodules break in all sorts of ways:
- Various github workflows (dependabot, github pages) try to do a shallow
clone of git submodules which does not work at all when the git repository
is hosted on pagure (https://pagure.io/pagure/issue/5453,
https://github.com/dependabot/dependabot-core/issues/9391).
- If the git forge hosting the git repository uses SHA256, then it breaks our
usage of it as a submodule as SHA256 repositories cannot be used as submodules
in SHA1 repositories (src.opensuse.org moved to SHA256 which broke our usage of
opensuse's systemd spec as a submodule).
- git submodules completely break usage of git worktrees.
- ...
Let's avoid all these issues by just doing our own home grown implementation of
git submodules. We lose the automatic dependabot updates this way but since dependabot
fails to run more often that not with submodules we don't really lose anything.
- Let's set the environment on the kernel command line so it applies
to initrd and main system.
- Let's add the necessary wrappers that are also added in test-functions.
Unlike test-functions we don't use gcc/clang to get the library path as
that requires installing gcc/clang in the initrd.
- Let's drop the hack to get journald writing to the console and have
it write to kmsg instead. We'll get the output either way.
- Stop removing libstdc++ and sanitizer libraries from Arch Linux
initrds and other images as it's required by the sanitizer libraries.
- Add a workaround for specifying extra meson options for opensuse
- Add a leak sanitizer suppression file as a workaround for a false
positive leak in verify_selinuxmnt() in libselinux. We do a soname match
because the stacktrace can't be properly symbolized on Debian.
dbus-broker and dbus-daemon have not been made interchangable on
OpenSUSE so we currently end up with dbus-broker used for the system
bus and dbus-daemon for the session bus. Let's stick to dbus-daemon
on OpenSUSE until they switch to dbus-broker.
Mounting multiple btrfs filesystems with the same fsid only works
properly from kernel 6.7 onwards. Let's switch to ext4 for now which
does support this.
In mkosi, we run the test inside the VM instead of outside. To simplify
the implementation we drop the reboot part and only verify that we can
schedule and cancel shutdowns and that the wall messages are sent as
expected.
Encrypted /var is skipped because meson's limitations make per test
images not really feasible and we can't encrypt /var by default because
it slows down the image build too much.
Co-authored-by: Richard Maw <richard.maw@codethink.co.uk>
Having these named differently than the test itself mostly creates
unecessary confusion and makes writing logic against the tests harder
so let's rename the testsuite-xx units and scripts to just use the
test name itself.
Required to run systemd-networkd-tests.py. Already a dependency of
systemd-tests on Fedora so we don't add it there as it'll be pulled
in via the prepare script.
We want /tmp to be a tmpfs so let's hack the debian packaging to
make sure that's the case until the debian packaging is fixed to
make /tmp a tmpfs for UPSTREAM=1 builds.
Only missing on CentOS/Fedora/OpenSUSE as in Arch/Debian/Ubuntu it's
part of the cryptsetup package which we already install.
Required for TEST-58-REPART.
It is necessary to install the selinux policy in the initramfs
so that userland is entered with the correct label.
SELinuxRelabel defaults to auto, which will skip if the relabelling
command is not installed and will treat failure to relabel as non-fatal.
We can't force it on because root privileges are required if the labels
don't exist on the host system and we would like to be able to
cross-build from other distributions.
Since we are already committed to relabelling on first boot
there is no value in even trying to label.
Make sure the correct buildroot gets expanded instead of the default
opensuse build root location.
We also remove debug files from the unpackaged files list as they're
handled separately by rpm.
With bind mounts, the directories we bind mount to get recorded as
the meson source and build directories. This means meson will complain
if we later try to run meson install -C /work/build in the virtual
machine or container. If we use symlinks, the directories we symlink to
will be recorded as the meson source and build directories, which means
meson install -C /work/build will work when executed after booting the
VM or container.
I tried to do the same for debian as well but the debian package tooling
changes directory into the build directory and then does meson setup ..
which is completely broken when switching to a symlink.
If we're not debugging tests, there's no point in persisting the journal,
so let's use the volatile journal storage mode in that case to avoid doing
unnecessary work.
We don't disable journal storage alltogether since various tests check
that stuff is written to the journal.
Unfortunately the current mkosi partitioning setup is a bit too
avant-garde for the integration tests. Both in that distributions
aren't ready for it yet (some more than others), and that software
which we depend on in the integration tests isn't ready for it yet
(e.g. libselinux does not read its configuration from /usr).
Let's switch back to a more boring partioning setup by default but
keep the fancy stuff around as a mkosi profile. This means that it
can still be used for manually testing stuff by running
"mkosi --profile particle -f qemu".
Dependencies in .SRCINFO can be versioned. Let's make sure we ignore
any specified versions when grepping it for dependencies. Also update
the arch submodule to the latest to make sure the change works.
TEST-17-UDEV expects to find scsi_debug and TEST-84-STORAGETM expects to
find nvmet-tcp.
This isn't ideal as it adds firmware, microcode and other drivers to the
initramfs, but there's no linux-modules-extra virtual package
to just include the extra modules.
This commit adds definitions to build the minimal_0 and minimal_1
images with mkosi and includes them into the system image. We also
move the building of the various app-xxx and similar images that are
extremely minimal into the tests itself by moving the related logic
from install_verity_minimal() into a new function
install_extension_images() in util.sh. Because the mkosi /usr is
read-only, we now place the extension images in /tmp instead of
/usr/share.
Co-authored-by: Richard Maw <richard.maw@codethink.co.uk>
Co-authored-by: sam-leonard-ct <sam.leonard@codethink.co.uk>
We do the image build and run the tests in a btrfs loopback so we
can make use of btrfs subvolumes and COW to keep the disk space
requirements to a minimum and speed up the ephemeral copies we make
of the image to run the tests.
We also switch to building debug packages and publishing the built
packages as artifacts.
Building debug packages on ubuntu requires the "debug" option to be
specified explicitly. Debug packages on Ubuntu have the .ddeb extension,
so let's make sure we handle that by copying the .ddeb packages in the
build script as well.
-ffile-prefix-map= implies -fmacro-prefix-map= which is incompatible
with our definition of PROJECT_FILE.
See https://github.com/systemd/systemd/issues/32417.
-fdebug-prefix-map= only affects debuginfo without affecting macros.
isc-dhcp-server does not ship units, only sysv scripts, so the mkosi
presets that disable it have no effect. The generated unit is started on
each boot and fails, causing delays and noise.
Mask it so that the generated unit is overridden. It is installed only
to bring in binaries used by the networkd tests anyway.
These don't get pulled in automatically and there doesn't seem to
be a "system-users" package so install the ones we need for the
integration tests manually.
CentOS does not ship these sysusers dropins which set up basic system
users and groups. Until we can move to CentOS Stream 10, let's add the
dropins ourselves to make sure the base system users/groups are available
on CentOS.
The Arch Linux PKGBUILD does not (yet) have versioned dependencies
between the systemd packages, causing systemd-libs to not get updated
to 256-devel if systemd 256-devel is installed. Let's explicitly install
the newer version of systemd-libs as well for now until this problem is
fixed.
This introduces dependencies on various environment variables set
by rpmbuild which will not be set when rerunning meson inside the
VM/container so let's disable package notes to avoid these dependencies,
as the package notes aren't terribly useful in this scenario anyway.
CentOS/Fedora use annobin which will complain if FORTIFY_SOURCE=0
is used so we disable those checks to avoid the warnings.
We also make sure that when we query the compilation flags so we can
add more, we set _fortify_level=0 and undefine _lto_flags so that we
don't get those flags in the result.
When we're building debuginfo packages, the original binaries and
libraries are stripped so make sure we install the debuginfo
packages to make sure debugging in the container/VM still works.
This doesn't actually work because the opensuse spec doesn't allow
adding extra build flags, but I'm working on fixing that, so let's
already set things up for later.
-Og still causes a lot of "<optimized out>" in GDB so let's use -O0
instead and disable FORTIFY_SOURCE as it doesn't work without
optimizations enabled.
This makes sure that the debuginfo files contain source files pointing
to the source files shipped by the debugsource package.
Normally this should be done automatically by rpm invoking debugedit
but for some unknown reason debugedit refuses to rewrite the source
files in our binaries.
Given that debugedit is completely undebugable (does not generate any
logs at all, and its source code is ridiculously obtuse), let's set
-ffile-prefix-map= when building instead which achieves the same
effect.
This allows building debug packages by setting WITH_DEBUG=1. This
slows down the build a lot so it's opt in. We don't yet install
these but can do so in a future commit.
The entire build environment is ephemeral anyway so everything is
cleaned regardless. By specifying --noclean, we make debugging
easier as the rpm build root can be inspected when using --debug-shell.
- We have ssh-generator now, so need for mkosi's Ssh= option anymore.
- By enabling RuntimeBuildSources= by default, we don't need the gdb
config file in the image anymore, since the build and source
directories will be mounted at the expected locations.
mkosi just learned to do natively what we currently do with environment
variables and a postinst script, so let's update to the latest version
and start using the new settings instead.
Just like we already have $SYSTEMD_PACKAGES for systemd packages to
re-install in the main image, let's add $INITRD_PACKAGES for all
systemd packages to re-install in the initrd.
distribution-release is a virtual package that is by default satisfied
by the openSUSE MicroOS-release package. Let's make sure we pull in the
generic openSUSE-release package instead by installing
patterns-base-minimal_base which has a Suggests dependency on
openSUSE-release which makes sure it takes priority over the MicroOS one.
We might want to run the build scripts outside of mkosi as well at
some point, e.g. to build an rpm after booting the image, so let's
make them more generic by using /usr/lib/os-release to figure out
which pkg specs we should use instead of $PKG_SUBDIR. To make ubuntu
use the debian pkg spec, we add a symlink pkg/ubuntu which points to
debian/ in the same directory.
This allows us to build and install after booting without having to
build a new image. Together with
https://github.com/systemd/mkosi/pull/2601 and after enabling
RuntimeBuildSources=yes, after booting, "meson install -C /work/build"
can be used to do an incremental build and install. This won't build
proper packages, but will be invaluable for having a quick compile,
edit, test cycle without having to rebuild the image all the time.
- Install individual asan libraries instead of gcc
- Drop duplicate qrencode package from arch config
- Install dbus-user-session which provides default-dbus-session-bus
- Explicitly install dbus-broker on Arch Linux
Also install setools-console and policycoreutils instead of setools
which pulls in the kitchen sink. Also install selinux-policy-targeted
to make sure the right policy is installed.
The debian revision starts after the '-' character, so make sure the
timestamp we append is treated as the revision instead of being a part
of the upstream version.
The only reason to have these split up is to be able to build extension
images that use the base image as a base tree and install extra packages.
Until we have such a use case, let's merge the base and system images to
simplify things a bit.
We keep the mkosi.images/ directory to not cause too many conflicts with
the integration tests PR.
The testuser user is only needed for integration tests,
which are used in the system user and this config
can be provided as drop-ins instead of inline in postinst scripts.
ukify is part of systemd-experimental on OpenSUSE and not its own
package. Because the OpenSUSE systemd maintainers do not want to
introduce a python dependency for systemd-experimental, we have to
install python3-pefile manually to make sure ukify works properly.
By always cloning the latest branch commit, we can't bisect properly
using mkosi as when bisecting wildly different packaging sources will
be used compared to when the commit was merged. By using submodules, we
track individual commits which means when bisecting the same packaging
sources will be used.
We use git submodules as dependabot has support for automatically making
PRs to update git submodules. This commit also includes the necessary
dependabot configuration to enable this.
We make ubuntu/debian use the same submodule instead of adding the debian
packaging sources twice by introducing a new $PKG_SUBDIR environment variable
and using it instead of $DISTRIBUTION.
