Accepting request 1240114 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/1240114 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mkosi?expand=0&rev=22
2025-01-24 12:41:19 +00:00 · 2025-01-24 12:41:19 +00:00 · 7894fe7f9a
commit 7894fe7f9a
parent 6cda111433 f738251106
5 changed files with 219 additions and 60 deletions
--- a/mkosi-24.3.tar.gz
+++ b/mkosi-24.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:27e4ee602089509c20d41e6deabae906368dcdc906e44460656272f546b8e2bd
-size 349900
--- a/mkosi-25.tar.gz
+++ b/mkosi-25.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c8c5d1501cb9acb7ed1fbee701c03cd26047262cc854f2cbb17215159246a86
+size 403613
--- a/mkosi-initrd-chroot.sh
+++ b/mkosi-initrd-chroot.sh
@ -1,12 +0,0 @@
-#!/bin/bash
-
-__mkosi_initrd_chroot_call() {
-    mount --rbind / /.mkosi-root --mkdir
-    cd /.mkosi-root
-    mount --move . /
-    chroot . /usr/libexec/mkosi-initrd/mkosi-initrd $@
-    exit
-}
-export -f __mkosi_initrd_chroot_call
-
-unshare --mount /bin/bash -c '__mkosi_initrd_chroot_call $@' -- $@
--- a/mkosi.changes
+++ b/mkosi.changes
@ -1,3 +1,178 @@
+-------------------------------------------------------------------
+Thu Jan 23 15:36:15 UTC 2025 - Antonio Feijoo <antonio.feijoo@suse.com>
+
+- Drop the mkosi-initrd-tukit subpackage.
+  * Since v25 implements its own sandboxing tool and does not use bubblewrap,
+    this is not required anymore.
+
+- Update to 25:
+  * Instead of using bubblewrap, sandboxing is now done with a new tool
+    `mkosi-sandbox`. This tool has a public API and can be used
+    independently of mkosi.
+  * Image builds are now done in a user namespace with a single user when
+    running unprivileged instead of using newuidmap/newgidmap. When
+    running unprivileged, all files and directories in the image will be
+    owned by the invoking user (and by root inside any produced archives).
+    Any attempt to chown files to other users in scripts will fail unless
+    the new environment variable `$MKOSI_CHROOT_SUPPRESS_CHOWN` is set to
+    a true value.
+  * `mkosi` does not drop privileges anymore to the invoking user when
+    running as root for various steps.
+  * A new `cat-config` verb will show all configuration files that were
+    included for each configured image.
+  * Added support for Azure Linux
+  * Added support for Kali Linux
+  * If `mkosi.version` is executable, we now execute it and read the
+    version from stdout.
+  * Added `--wipe-build-dir` to wipe the build directory before rebuilding
+    the image.
+  * Introduced `RepositoryKeyFetch=` to control whether to fetch
+    distribution GPG keys remotely. This setting is **disabled** by
+    default for security reasons except when building rpm based
+    or Arch Linux images on Ubuntu.
+  * We now handle `SIGHUP` gracefully
+  * Universal settings that take a collection of values cannot be
+    appended to anymore in subimages. Usage of package manager trees in
+    subimages will have to be moved to the top level image. Similarly,
+    repositories will have to be enabled in the top level image.
+  * Repository metadata is not copied into images anymore.
+  * Repository metadata from base trees is not used anymore.
+  * Package manager trees are now named sandbox trees.
+  * Package manager trees (sandbox trees) do not use the skeleton trees as
+    their default anymore if unset.
+  * Note to packagers: The manual pages have been moved to resources/man
+    and now include man pages for mkosi-initrd and mkosi-sandbox as
+    well.
+  * `InitrdInclude=` was removed. If you're using `InitrdInclude=`, please
+    build your initrd via a subimage in `mkosi.images` containing
+    `Include=mkosi-initrd` and any customizations you wish to add and use
+    the `Initrds=` setting to use it as the initrd for the main image
+    instead of the default initrd.
+  * Added `History=` to have mkosi save the config used to build the image
+    and reuse it when verbs such as `qemu`, `boot`, … are invoked
+    without `-f`.
+  * Introduced new `[Build]` section and moved various settings to it.
+  * Moved `Include=` to `[Include]` section
+  * Added `sysupdate` verb as a wrapper around `systemd-sysupdate` which
+    invokes it with definitions from `mkosi.sysupdate`.
+  * Added `RuntimeHome=` to mount the current home directory to `/root`
+    when running a command that boots the image
+  * More directories aside from `/etc` and `/usr` are now picked up from
+    sandbox trees (formerly known as package manager trees).
+  * Profile configuration from `mkosi.profiles` is now parsed after
+    `mkosi.conf.d` instead of before it. To set defaults for use in
+    `mkosi.conf.d` based on the configured profile, use an early dropin in
+    `mkosi.conf.d` that matches on the configured profile instead.
+  * `Profile=` is renamed to `Profiles=` and takes a comma separated list of
+    profiles now. Scripts now receive `$PROFILES` with a space-separated list
+    of profiles instead of `$PROFILE`. The `%p` specifier for profiles is
+    removed.
+  * Multiple sync, prepare, build, postinst, finalize, postoutput and clean
+    scripts are now picked up from `mkosi.$SCRIPT.d`.
+  * `run0` is now automatically used to escalate privileges for commands that
+    need it, like the `burn` verb.
+  * `/usr/share/keyrings` and `/usr/share/distribution-gpg-keys` are no longer
+    automatically picked up from the tools tree when `ToolsTreeCertificates=` is
+    set, since they aren't certificates, use a sandbox tree instead. This allows
+    one to override `SignedBy=` keys for APT repositories.
+  * The `agetty.autologin` and `login.noauth` credentials are no longer set
+    unconditionally.
+  * Access to the output directory in build scripts was removed. To put
+    artifacts from the build directory into the output directory, copy them from
+    the build directory to the output directory in a post-installation script
+    which does have access to the build directory and the output directory.
+  * `BuildDirectory=` is no longer available in `PrepareScripts=`. If you
+    need to acquire some files for the build process place them somewhere
+    sensible within `$BUILDROOT` so that they can be cached when building
+    incrementally.
+  * When using a tools tree and a relaxed sandbox is used to run a command
+    (qemu, nspawn, ...), we now keep all entries from `$PATH` outside of
+    `/usr` intact. Note that this may cause issues if a `$PATH` entry
+    contains binaries linked against libraries in `/usr` from the host.
+  * Introduced a new specifier `%I` which resolves to the name of the current
+    subimage when used in a config under `mkosi.images/`. This differs to `%o`
+    as it is always the name of the config file without extension (or the name
+    of the directory).
+  * If `/dev/fuse` is found in the host context, it is made available in the
+    sandbox context too.
+  * Added a `sandbox` verb to run a command within a relaxed mkosi sandbox
+    (the same sandbox that `mkosi vm`, `mkosi boot`, ... run in).
+  * OpenSSL providers are now supported as key sources for the various key
+    settings if a recent enough systemd version (257 or newer) is used.
+  * Added support for loading X.509 certificates from OpenSSL providers if
+    a recent enough systemd version (257 or newer) is used.
+  * Added `ToolsTreePackageDirectories=`
+  * Added `--kernel-image=` to `mkosi-initrd` to specify the kernel image to
+    use when building a UKI.
+  * Setting a collection based setting to the empty string via the CLI and
+    then appending to the same setting will now override the settings
+    coming from configuration files, whereas previously the CLI values
+    would be appended to the values from configuration files.
+  * The `mkosi-initrd` default config now includes various extra kernel
+    modules by default.
+  * The `coredumpctl` and `journalctl` verbs will now always operate on
+    the image, even if `ForwardJournal=` is configured.
+  * Bumped default Fedora release to `41`.
+  * Added `addon` output format to build UKI addons.
+  * Renamed `[Host]` section to `[Runtime]` section.
+  * Renamed various settings from `[Host]`.
+  * Binaries coming from `ExtraSearchPaths=` are now executed with the
+    tools tree mounted if one is configured (unlike before where the tools
+    tree was not mounted). This means that any binaries coming from
+    `ExtraSearchPaths=` have to be linked against libraries from the tools
+    tree (or have to be statically linked). Alternatively, the tools tree
+    distribution and release have to match the host.
+  * Binaries from `ExtraSearchPaths=` are not used anymore when building
+    the default tools tree.
+  * Dropped support for `pesign` as a secure boot signing tool.
+  * Added support for `systemd-sbsign` as a secure boot signing tool.
+  * Added `--register=` to control whether to register containers and VMs
+    with systemd-machined or not.
+  * `mkosi.profiles` is now parsed in subimages as well.
+  * `mkosi-initrd` now uses `dnf5` on systems where it is the default.
+  * Added various packages to the default tools tree.
+  * Dropped support for Ubuntu Focal.
+  * Added `Devicetree=` setting for configuring bootloader device trees
+  * Added systemd-machined registration using varlink for `mkosi qemu` vms,
+    which includes the vsock CID so that `ssh vsock/<cid>` or
+    `ssh machine/<name>` will work on systems running `systemd-machined`
+    257 or newer.
+  * Bumped CentOS Stream default release to 10.
+  * mkosi now manages the pacman keyring itself so `/etc/pacman.d/gnupg`
+    from the host is not used anymore and mkosi will run
+    `pacman-key --init` and `pacman-key --populate` itself.
+  * Added `ToolsTreeRelease=` match
+  * mkosi now enforces that images built with `Overlay=yes` only add files
+    on top of the base tree(s) and don't overwrite any existing files or
+    directories.
+  * Added a `mkosi-addon` tool and accompanying kernel-install plugin that
+    allows building PE addons to extend a vendor provided unified kernel
+    image.
+  * Added `systemd-boot-signed`, `uki-signed` and `grub-signed` variants
+    for the `Bootloader=` option which instruct mkosi to only install
+    pre-signed EFI binaries.
+  * `mkosi.profiles` is now parsed in configuration included with
+    `Include=`.
+  * Any initrds configured with `Initrds=` are now used as fallback when
+    booting with qemu direct kernel boot (`--firmware=linux`) if no split
+    initrd was produced by the image build.
+  * mkosi now makes a greater effort to ensure the crypto-policies are
+    configured to allow GPG keys from older distributions.
+  * We don't pick up pre-signed bootloader binaries anymore when
+    `ShimBootloader=signed` is configured. To force usage of pre-signed
+    EFI binaries, use the new `systemd-boot-signed`, `uki-signed` and
+    `grub-signed` variants for the `Bootloader=` option.
+  * Added a new constant `microsoft-mok` for the `FirmwareVariables=`
+    option. If specified, a firmware variables file with the Microsoft
+    keys enrolled will be extended to include a `MokList` entry that
+    trusts the certificate configured with `SecureBootCertificate=` and
+    passed to `qemu`.
+  * We now use `mkosi.pkgcache` as the package cache directory if the
+    directory exists.
+  * `BuildSourcesEphemeral=` learned a new variant `buildcache` in which
+    case the overlay will be cached in the build directory configured with
+    `BuildDirectory=`.
+
 -------------------------------------------------------------------
 Thu Oct 31 13:26:30 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>

--- a/mkosi.spec
+++ b/mkosi.spec
@ -1,7 +1,7 @@
 #
 # spec file for package mkosi
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,7 +19,7 @@
 %define pythons python3

 Name:           mkosi
-Version:        24.3
+Version:        25
 Release:        0
 Summary:        Build bespoke OS Images
 License:        LGPL-2.1-or-later
@ -27,7 +27,6 @@ Group:          System/Management
 URL:            https://github.com/systemd/mkosi
 Source0:        https://github.com/systemd/mkosi/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        mkosi-initrd.conf
-Source2:        mkosi-initrd-chroot.sh
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module wheel}
@ -37,7 +36,7 @@ BuildRequires:  fdupes
 BuildRequires:  pandoc
 %endif
 BuildRequires:  python-rpm-macros
-Requires:       bubblewrap
+Requires:       distribution-gpg-keys
 Requires:       python3 >= 3.9
 Requires:       zypper
 Recommends:     btrfsprogs
@ -66,26 +65,25 @@ logs and coredumps, and also serve an image over HTTP.

 See https://mkosi.systemd.io/ for documentation.

+%package addon
+Summary:        Build addons locally for unified kernel images using mkosi
+Requires:       %{name} = %{version}-%{release}
+Requires:       coreutils
+
+%description addon
+This package provides the mkosi-addon wrapper to build PE addons containing
+customizations for unified kernel images specificto the running or local
+system.
+
 %package initrd
 Summary:        Build initrds locally using mkosi
 Requires:       %{name} = %{version}-%{release}
 Requires:       coreutils
-Requires:       (%{name}-initrd-tukit if read-only-root-fs)

 %description initrd
 This package provides the mkosi-initrd wrapper to build initrds with mkosi
 locally.

-%package initrd-tukit
-Summary:        Build initrds locally using mkosi with transactional updates
-Requires:       %{name} = %{version}-%{release}
-Requires:       read-only-root-fs
-
-%description initrd-tukit
-mkosi calls bwrap, and that does not work with transactional updates, so this
-package provides a special mkosi-initrd wrapper to support building initrds on
-transactional systems.
-
 %prep
 %autosetup -p1

@ -94,67 +92,69 @@ transactional systems.
 tools/make-man-page.sh
 %endif
 %pyproject_wheel
+bin/mkosi completion bash > mkosi.bash

 %install
 %pyproject_install
 %python_expand %fdupes %{buildroot}/%{$python_sitelib}/mkosi

 %ifarch x86_64 aarch64
+# Install man pages
 mkdir -p %{buildroot}%{_mandir}/man1
-cp %{buildroot}%{python3_sitelib}/mkosi/resources/mkosi.1* %{buildroot}%{_mandir}/man1/
-cp %{buildroot}%{python3_sitelib}/mkosi/initrd/resources/mkosi-initrd.1* %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-addon.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-initrd.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-sandbox.1* \
+    %{buildroot}%{_mandir}/man1/
 %endif

-# Install mkosi-initrd conf
+# Install bash completions
+install -m 644 -D mkosi.bash \
+    %{buildroot}%{_datadir}/bash-completion/completions/mkosi
+
+# Create configuration directories for mkosi-initrd
 mkdir -p %{buildroot}%{_prefix}/lib/mkosi-initrd
 install -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/mkosi-initrd/mkosi.conf
 mkdir -p %{buildroot}%{_sysconfdir}/mkosi-initrd

-# Install the tukit script
-mkdir -p %{buildroot}%{_prefix}/libexec/mkosi-initrd
-install -m 744 %{SOURCE2} %{buildroot}%{_prefix}/libexec/mkosi-initrd/mkosi-initrd-chroot.sh
-
 %post initrd
 if [ ! -e %{_sysconfdir}/mkosi-initrd/mkosi.conf ]; then
    cat >> %{_sysconfdir}/mkosi-initrd/mkosi.conf<<EOF
 # Write here your own configuration.
 # See man mkosi(1) for details.
-[Content]
+#[Content]
 #ExtraTrees=
 #KernelModulesInclude=
 #KernelModulesExclude=
 EOF
 fi

-%posttrans initrd-tukit
-# mkosi runs in a sandbox, and for that purpose it relies on bubblewrap. The
-# problem is transactional-update chroots to a snapshot, and bubblewrap does not
-# work there because it requires pivot_root:
-# https://github.com/containers/bubblewrap/issues/135
-# The issue is quite old, there is even a PR trying to fall back to chroot if
-# pivot_root fails (https://github.com/containers/bubblewrap/pull/595), but
-# apparently bubblewrap upstream is not trying to fix this.
-# The workaround implemented in mkosi-initrd-chroot.sh was proposed by the main
-# mkosi upstream maintainer:
-# https://github.com/containers/bubblewrap/issues/592#issuecomment-2243087731
-mv %{_bindir}/mkosi-initrd %{_prefix}/libexec/mkosi-initrd
-ln -s %{_prefix}/libexec/mkosi-initrd/mkosi-initrd-chroot.sh %{_bindir}/mkosi-initrd
-
-%preun initrd-tukit
-rm -f %{_prefix}/libexec/mkosi-initrd/mkosi-initrd
-
 %check
 %pytest

 %files
 %doc mkosi.md README.md
-%license LICENSE
+%license LICENSES
 %{_bindir}/mkosi
+%{_bindir}/mkosi-sandbox
 %ifarch x86_64 aarch64
 %{_mandir}/man1/mkosi.1*
+%{_mandir}/man1/mkosi-sandbox.1*
 %endif
 %{python3_sitelib}/mkosi
 %{python3_sitelib}/mkosi-%{version}.dist-info
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/mkosi
+
+%files addon
+%{_bindir}/mkosi-addon
+%ifarch x86_64 aarch64
+%{_mandir}/man1/mkosi-addon.1*
+%endif

 %files initrd
 %{_bindir}/mkosi-initrd
@ -165,8 +165,4 @@ rm -f %{_prefix}/libexec/mkosi-initrd/mkosi-initrd
 %{_prefix}/lib/mkosi-initrd/mkosi.conf
 %dir %{_sysconfdir}/mkosi-initrd

-%files initrd-tukit
-%dir %{_prefix}/libexec/mkosi-initrd
-%{_prefix}/libexec/mkosi-initrd/mkosi-initrd-chroot.sh
-
 %changelog