- Drop the mkosi-initrd-tukit subpackage.

* Since v25 implements its own sandboxing tool and does not use bubblewrap,
    this is not required anymore.
- Update to 25:
  * Instead of using bubblewrap, sandboxing is now done with a new tool
    `mkosi-sandbox`. This tool has a public API and can be used
    independently of mkosi.
  * Image builds are now done in a user namespace with a single user when
    running unprivileged instead of using newuidmap/newgidmap. When
    running unprivileged, all files and directories in the image will be
    owned by the invoking user (and by root inside any produced archives).
    Any attempt to chown files to other users in scripts will fail unless
    the new environment variable `$MKOSI_CHROOT_SUPPRESS_CHOWN` is set to
    a true value.
  * `mkosi` does not drop privileges anymore to the invoking user when
    running as root for various steps.
  * A new `cat-config` verb will show all configuration files that were
    included for each configured image.
  * Added support for Azure Linux
  * Added support for Kali Linux
  * If `mkosi.version` is executable, we now execute it and read the
    version from stdout.
  * Added `--wipe-build-dir` to wipe the build directory before rebuilding
    the image.
  * Introduced `RepositoryKeyFetch=` to control whether to fetch
    distribution GPG keys remotely. This setting is **disabled** by
    default for security reasons except when building rpm based
    or Arch Linux images on Ubuntu.
  * We now handle `SIGHUP` gracefully
  * Universal settings that take a collection of values cannot be
    appended to anymore in subimages. Usage of package manager trees in
    subimages will have to be moved to the top level image. Similarly,
    repositories will have to be enabled in the top level image.
  * Repository metadata is not copied into images anymore.
  * Repository metadata from base trees is not used anymore.
  * Package manager trees are now named sandbox trees.
  * Package manager trees (sandbox trees) do not use the skeleton trees as
    their default anymore if unset.
  * Note to packagers: The manual pages have been moved to resources/man
    and now include man pages for mkosi-initrd and mkosi-sandbox as
    well.
  * `InitrdInclude=` was removed. If you're using `InitrdInclude=`, please
    build your initrd via a subimage in `mkosi.images` containing
    `Include=mkosi-initrd` and any customizations you wish to add and use
    the `Initrds=` setting to use it as the initrd for the main image
    instead of the default initrd.
  * Added `History=` to have mkosi save the config used to build the image
    and reuse it when verbs such as `qemu`, `boot`, … are invoked
    without `-f`.
  * Introduced new `[Build]` section and moved various settings to it.
  * Moved `Include=` to `[Include]` section
  * Added `sysupdate` verb as a wrapper around `systemd-sysupdate` which
    invokes it with definitions from `mkosi.sysupdate`.
  * Added `RuntimeHome=` to mount the current home directory to `/root`
    when running a command that boots the image
  * More directories aside from `/etc` and `/usr` are now picked up from
    sandbox trees (formerly known as package manager trees).
  * Profile configuration from `mkosi.profiles` is now parsed after
    `mkosi.conf.d` instead of before it. To set defaults for use in
    `mkosi.conf.d` based on the configured profile, use an early dropin in
    `mkosi.conf.d` that matches on the configured profile instead.
  * `Profile=` is renamed to `Profiles=` and takes a comma separated list of
    profiles now. Scripts now receive `$PROFILES` with a space-separated list
    of profiles instead of `$PROFILE`. The `%p` specifier for profiles is
    removed.
  * Multiple sync, prepare, build, postinst, finalize, postoutput and clean
    scripts are now picked up from `mkosi.$SCRIPT.d`.
  * `run0` is now automatically used to escalate privileges for commands that
    need it, like the `burn` verb.
  * `/usr/share/keyrings` and `/usr/share/distribution-gpg-keys` are no longer
    automatically picked up from the tools tree when `ToolsTreeCertificates=` is
    set, since they aren't certificates, use a sandbox tree instead. This allows
    one to override `SignedBy=` keys for APT repositories.
  * The `agetty.autologin` and `login.noauth` credentials are no longer set
    unconditionally.
  * Access to the output directory in build scripts was removed. To put
    artifacts from the build directory into the output directory, copy them from
    the build directory to the output directory in a post-installation script
    which does have access to the build directory and the output directory.
  * `BuildDirectory=` is no longer available in `PrepareScripts=`. If you
    need to acquire some files for the build process place them somewhere
    sensible within `$BUILDROOT` so that they can be cached when building
    incrementally.
  * When using a tools tree and a relaxed sandbox is used to run a command
    (qemu, nspawn, ...), we now keep all entries from `$PATH` outside of
    `/usr` intact. Note that this may cause issues if a `$PATH` entry
    contains binaries linked against libraries in `/usr` from the host.
  * Introduced a new specifier `%I` which resolves to the name of the current
    subimage when used in a config under `mkosi.images/`. This differs to `%o`
    as it is always the name of the config file without extension (or the name
    of the directory).
  * If `/dev/fuse` is found in the host context, it is made available in the
    sandbox context too.
  * Added a `sandbox` verb to run a command within a relaxed mkosi sandbox
    (the same sandbox that `mkosi vm`, `mkosi boot`, ... run in).
  * OpenSSL providers are now supported as key sources for the various key
    settings if a recent enough systemd version (257 or newer) is used.
  * Added support for loading X.509 certificates from OpenSSL providers if
    a recent enough systemd version (257 or newer) is used.
  * Added `ToolsTreePackageDirectories=`
  * Added `--kernel-image=` to `mkosi-initrd` to specify the kernel image to
    use when building a UKI.
  * Setting a collection based setting to the empty string via the CLI and
    then appending to the same setting will now override the settings
    coming from configuration files, whereas previously the CLI values
    would be appended to the values from configuration files.
  * The `mkosi-initrd` default config now includes various extra kernel
    modules by default.
  * The `coredumpctl` and `journalctl` verbs will now always operate on
    the image, even if `ForwardJournal=` is configured.
  * Bumped default Fedora release to `41`.
  * Added `addon` output format to build UKI addons.
  * Renamed `[Host]` section to `[Runtime]` section.
  * Renamed various settings from `[Host]`.
  * Binaries coming from `ExtraSearchPaths=` are now executed with the
    tools tree mounted if one is configured (unlike before where the tools
    tree was not mounted). This means that any binaries coming from
    `ExtraSearchPaths=` have to be linked against libraries from the tools
    tree (or have to be statically linked). Alternatively, the tools tree
    distribution and release have to match the host.
  * Binaries from `ExtraSearchPaths=` are not used anymore when building
    the default tools tree.
  * Dropped support for `pesign` as a secure boot signing tool.
  * Added support for `systemd-sbsign` as a secure boot signing tool.
  * Added `--register=` to control whether to register containers and VMs
    with systemd-machined or not.
  * `mkosi.profiles` is now parsed in subimages as well.
  * `mkosi-initrd` now uses `dnf5` on systems where it is the default.
  * Added various packages to the default tools tree.
  * Dropped support for Ubuntu Focal.
  * Added `Devicetree=` setting for configuring bootloader device trees
  * Added systemd-machined registration using varlink for `mkosi qemu` vms,
    which includes the vsock CID so that `ssh vsock/<cid>` or
    `ssh machine/<name>` will work on systems running `systemd-machined`
    257 or newer.
  * Bumped CentOS Stream default release to 10.
  * mkosi now manages the pacman keyring itself so `/etc/pacman.d/gnupg`
    from the host is not used anymore and mkosi will run
    `pacman-key --init` and `pacman-key --populate` itself.
  * Added `ToolsTreeRelease=` match
  * mkosi now enforces that images built with `Overlay=yes` only add files
    on top of the base tree(s) and don't overwrite any existing files or
    directories.
  * Added a `mkosi-addon` tool and accompanying kernel-install plugin that
    allows building PE addons to extend a vendor provided unified kernel
    image.
  * Added `systemd-boot-signed`, `uki-signed` and `grub-signed` variants
    for the `Bootloader=` option which instruct mkosi to only install
    pre-signed EFI binaries.
  * `mkosi.profiles` is now parsed in configuration included with
    `Include=`.
  * Any initrds configured with `Initrds=` are now used as fallback when
    booting with qemu direct kernel boot (`--firmware=linux`) if no split
    initrd was produced by the image build.
  * mkosi now makes a greater effort to ensure the crypto-policies are
    configured to allow GPG keys from older distributions.
  * We don't pick up pre-signed bootloader binaries anymore when
    `ShimBootloader=signed` is configured. To force usage of pre-signed
    EFI binaries, use the new `systemd-boot-signed`, `uki-signed` and
    `grub-signed` variants for the `Bootloader=` option.
  * Added a new constant `microsoft-mok` for the `FirmwareVariables=`
    option. If specified, a firmware variables file with the Microsoft
    keys enrolled will be extended to include a `MokList` entry that
    trusts the certificate configured with `SecureBootCertificate=` and
    passed to `qemu`.
  * We now use `mkosi.pkgcache` as the package cache directory if the
    directory exists.
  * `BuildSourcesEphemeral=` learned a new variant `buildcache` in which
    case the overlay will be cached in the build directory configured with
    `BuildDirectory=`.

OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=47

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

mkosi-23.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:116bd3d848ce767a584ce288ad5a098a47d42067c9b95aa5a6662de33dc04eb9
+size 337863

mkosi-24.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27e4ee602089509c20d41e6deabae906368dcdc906e44460656272f546b8e2bd
+size 349900

mkosi-25.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c8c5d1501cb9acb7ed1fbee701c03cd26047262cc854f2cbb17215159246a86
+size 403613

mkosi-initrd-chroot.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+__mkosi_initrd_chroot_call() {
+    mount --rbind / /.mkosi-root --mkdir
+    cd /.mkosi-root
+    mount --move . /
+    chroot . /usr/libexec/mkosi-initrd/mkosi-initrd $@
+    exit
+}
+export -f __mkosi_initrd_chroot_call
+
+unshare --mount /bin/bash -c '__mkosi_initrd_chroot_call $@' -- $@

mkosi-initrd.conf

@@ -0,0 +1,59 @@
+[Content]
+RemoveFiles=
+        /etc/bash_completion.d
+        /etc/man.conf
+        /srv
+        /usr/local/man
+        /usr/share/bash-completion
+        /usr/share/bash/helpfiles
+        /usr/share/doc
+        /usr/share/fillup-templates
+        /usr/share/help
+        /usr/share/icons
+        /usr/share/info
+        /usr/share/licenses
+        /usr/share/locale
+        /usr/share/man
+        /usr/share/zsh
+        /usr/etc/services
+        /var/adm
+
+        # Keep only C.utf-8 locale
+        /usr/lib/locale/*_*/
+        /usr/lib/locale/??/
+        /usr/lib/locale/???/
+
+        # RPM
+        /etc/rpm
+        /usr/bin/gendiff
+        /usr/bin/rpm*
+        /usr/lib/rpm
+        /usr/lib/sysimage
+        /usr/lib/systemd/system/rpmconfigcheck.service
+        /usr/lib64/rpm-plugins
+        /usr/sbin/rpmconfigcheck
+        /usr/src/packages
+
+        # Zypper
+        /etc/zypp
+        /usr/bin/installation_sources
+        /usr/bin/yzpper
+        /usr/bin/zypper
+        /usr/etc/logrotate.d/zypp*
+        /usr/lib/zypper
+        /usr/sbin/zypp-refresh
+        /usr/share/zypper
+        /var/log/zypp
+        /var/log/zypper.log
+
+        # YaST2
+        /etc/YaST2
+
+        # suse-module-tools scripts (except unblacklist: bsc#1224320)
+        /usr/lib/module-init-tools/driver-check.sh
+        /usr/lib/module-init-tools/get_dracut_drivers
+        /usr/lib/module-init-tools/lsinitrd-quick
+        /usr/lib/module-init-tools/weak-modules2
+
+        # dracut modules installed by other packages
+        /usr/lib/dracut

mkosi.spec

@@ -0,0 +1,168 @@
+#
+# spec file for package mkosi
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define pythons python3
+
+Name:           mkosi
+Version:        25
+Release:        0
+Summary:        Build bespoke OS Images
+License:        LGPL-2.1-or-later
+Group:          System/Management
+URL:            https://github.com/systemd/mkosi
+Source0:        https://github.com/systemd/mkosi/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:        mkosi-initrd.conf
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  %{pythons}
+BuildRequires:  fdupes
+%ifarch x86_64 aarch64
+BuildRequires:  pandoc
+%endif
+BuildRequires:  python-rpm-macros
+Requires:       distribution-gpg-keys
+Requires:       python3 >= 3.9
+Requires:       zypper
+Recommends:     btrfsprogs
+Recommends:     cpio
+Recommends:     dosfstools
+Recommends:     dpkg
+Recommends:     edk2-ovmf
+Recommends:     gnupg
+Recommends:     squashfs
+Recommends:     tar
+Recommends:     xz
+Recommends:     zstd
+# pandoc is arch specific, so noarch will not work
+#BuildArch:      noarch
+
+%description
+A fancy wrapper around "dnf --installroot", "apt", "pacman", and "zypper" that
+generates disk images with a number of bells and whistles.
+
+Generated images are tailored to the purpose: GPT partitions,
+systemd-boot or grub2, images for containers, VMs, initrd, and extensions.
+
+mkosi can boot an image via QEMU or systemd-nspawn, or simply start a shell in
+chroot, burn the image to a device, connect to a running VM via ssh, extract
+logs and coredumps, and also serve an image over HTTP.
+
+See https://mkosi.systemd.io/ for documentation.
+
+%package addon
+Summary:        Build addons locally for unified kernel images using mkosi
+Requires:       %{name} = %{version}-%{release}
+Requires:       coreutils
+
+%description addon
+This package provides the mkosi-addon wrapper to build PE addons containing
+customizations for unified kernel images specificto the running or local
+system.
+
+%package initrd
+Summary:        Build initrds locally using mkosi
+Requires:       %{name} = %{version}-%{release}
+Requires:       coreutils
+
+%description initrd
+This package provides the mkosi-initrd wrapper to build initrds with mkosi
+locally.
+
+%prep
+%autosetup -p1
+
+%build
+%ifarch x86_64 aarch64
+tools/make-man-page.sh
+%endif
+%pyproject_wheel
+bin/mkosi completion bash > mkosi.bash
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}/%{$python_sitelib}/mkosi
+
+%ifarch x86_64 aarch64
+# Install man pages
+mkdir -p %{buildroot}%{_mandir}/man1
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-addon.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-initrd.1* \
+    %{buildroot}%{_mandir}/man1/
+cp %{buildroot}%{python3_sitelib}/mkosi/resources/man/mkosi-sandbox.1* \
+    %{buildroot}%{_mandir}/man1/
+%endif
+
+# Install bash completions
+install -m 644 -D mkosi.bash \
+    %{buildroot}%{_datadir}/bash-completion/completions/mkosi
+
+# Create configuration directories for mkosi-initrd
+mkdir -p %{buildroot}%{_prefix}/lib/mkosi-initrd
+install -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/mkosi-initrd/mkosi.conf
+mkdir -p %{buildroot}%{_sysconfdir}/mkosi-initrd
+
+%post initrd
+if [ ! -e %{_sysconfdir}/mkosi-initrd/mkosi.conf ]; then
+    cat >> %{_sysconfdir}/mkosi-initrd/mkosi.conf<<EOF
+# Write here your own configuration.
+# See man mkosi(1) for details.
+#[Content]
+#ExtraTrees=
+#KernelModulesInclude=
+#KernelModulesExclude=
+EOF
+fi
+
+%check
+%pytest
+
+%files
+%doc mkosi.md README.md
+%license LICENSES
+%{_bindir}/mkosi
+%{_bindir}/mkosi-sandbox
+%ifarch x86_64 aarch64
+%{_mandir}/man1/mkosi.1*
+%{_mandir}/man1/mkosi-sandbox.1*
+%endif
+%{python3_sitelib}/mkosi
+%{python3_sitelib}/mkosi-%{version}.dist-info
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/mkosi
+
+%files addon
+%{_bindir}/mkosi-addon
+%ifarch x86_64 aarch64
+%{_mandir}/man1/mkosi-addon.1*
+%endif
+
+%files initrd
+%{_bindir}/mkosi-initrd
+%ifarch x86_64 aarch64
+%{_mandir}/man1/mkosi-initrd.1*
+%endif
+%dir %{_prefix}/lib/mkosi-initrd
+%{_prefix}/lib/mkosi-initrd/mkosi.conf
+%dir %{_sysconfdir}/mkosi-initrd
+
+%changelog