- Update to 22:
* We'll now try to delete btrfs subvolumes with btrfs subvolume delete
first before falling back to recursively deleting the directory.
* The invoking user is now always mapped to root when running sync
scripts. This fixes an issue where we would fail when a package
manager tree or skeleton tree contained a /usr directory as we would
not have permissions to run mount in the sandbox.
* We now use qemu's official firmware descriptions to find EDK2/OVMF
UEFI firmware. Addititionally, QemuFirmware=uefi now boots without
SecureBoot support, and QemuFirmware=uefi-secure-boot was introduced
to boot with SecureBoot support. By default we will still boot with
SecureBoot support if QemuFirmware=auto.
* Added support for QemuFirmwareVariables=custom and
QemuFirmwareVariables=microsoft to use OVMF/EDK2 variables with
either the user's custom keys enrolled or with the Microsoft keys
enrolled.
* Added UnifiedKernelImages= to control whether we generate unified
kernel images or not.
* Bootloader=grub will now generate a grub EFI image and install it.
If SecureBoot= is enabled and ShimBootloader= is not set to
signed, the grub EFI image will be signed for SecureBoot.
* ShimBootloader=signed will now also instruct mkosi to look for and
install already signed grub, systemd-boot, kernel and UKI binaries.
* We now build grub images with a fixed set of modules and don't copy
any grub modules to the ESP anymore.
* The configuration is now made available as a JSON file to all mkosi
scripts via the $MKOSI_CONFIG environment variable.
* $PROFILE is now set for all mkosi scripts containing the value of
Profile= if it is set.
OBS-URL: https://build.opensuse.org/request/show/1158165
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=26
- Update to 21:
* We now handle unmerged-usr systems correctly
* Builtin configs (mkosi-initrd, mkosi-tools) can now be included
using Include= (e.g. Include=mkosi-initrd)
* The kernel-install plugin now uses the builtin mkosi-initrd
config so there's no need anymore to copy the full mkosi-initrd
config into /usr/lib/mkosi-initrd.
* We don't require a build anymore for the journalctl and
coredumpctl verbs.
* mkosi ssh works again when used with ToolsTree=default
* We now use .zst instead of .zstd for compressed split artifacts
produced by systemd-repart.
* systemd-repart uses a persistent temporary directory again for
assembling images instead of a tmpfs.
* Added MicrocodeHost= setting to only include the CPU specific
microcode for the current host system.
* The kernel-install plugin now only includes the CPU specific
microcode
* Introduced PackageCacheDirectory= to set the directory for
package manager caches. This setting defaults to a suitable
location in the system or user directory depending on how mkosi
is invoked.
* CacheDirectory= is only used for incremental cached images now.
* Repository metadata is now synced once at the start of each
image build and never during an image build. Each image
includes a snapshot of the repository metadata in the canonical
locations in /var so that incremental images and extension
images can reuse the same snapshot. When building an image
intended to be used with
* BaseTrees=, disable CleanPackageMetadata= to make sure the
OBS-URL: https://build.opensuse.org/request/show/1156961
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=24
- update to 20.2:
* Fixed a bug in signing unsigned shim EFI binaries.
* We now build an early microcode initrd in the mkosi kernel-
install plugin.
* Added `PackageDirectories=` to allow providing extra packages
to be made available during the build.
* Fixed issue where `KernelModulesIncludeHost` was including
unnecessary modules
* Fixed `--mirror` specification for CentOS (and variants) and
Fedora.
* Previously a subdirectory within the mirror had to be
specified which prevented using CentOS and EPEL repositories
from the same mirror. Now only the URL has be specified.
* We now mount package manager cache directories when running
scripts on the host so that any packages installed in scripts
are properly cached.
* We don't download filelists on Fedora anymore
* Nested build sources don't cause errors anymore when trying
to install packages.
* We don't try to build the same tools tree more than once
anymore when building multiple images.
* We now create the `/etc/mtab` compatibility symlink in
mkosi's sandbox.
* We now always hash the root password ourselves instead of
leaving it to `systemd-firstboot`.
* `/srv` and `/mnt` are not mounted read-only anymore during
builds.
* Fixed a crash when running mkosi in a directory with fewer
than two parent directories.
* Implemented `RepositoryKeyCheck=` for apt-based
OBS-URL: https://build.opensuse.org/request/show/1140611
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=22
- update to 20.1:
* `BuildSources=` are now mounted when we install packages so
local packages can be made available in the sandbox.
* Fixed check to see if we're running as root which makes sure
we don't do shared mounts when running as root.
* The extension release file is now actually written when
building system or configuration extensions.
* The nspawn settings are copied to the output directory again.
* Incremental caching is now skipped when `Overlay=` is enabled
as this combination isn't supported.
* The SELinux relabel check is more granular and now checks for
all required files instead of just whether there's a policy
configured.
* `qemu-system-xxx` binaries are now preferred over the generic
`qemu` and `qemu-kvm` binaries.
* Grub tools from the tools tree are now used to install grub
instead of grub tools from the image itself. The grub tools
were added to the default tools trees as well.
* The pacman keyring in tools trees is now only populated from
the Arch Linux keyring (and not the Debian/Ubuntu ones anymore).
* `gpg` is allowed to access `/run/pscsd/pscsd.comm` on the
host if it exists to allow interaction with smartcards.
* The current working directory is not mounted unconditionally
to `/work/src` anymore. Instead, the default value for
`BuildSources=` now mounts the current working directory
to `/work/src`. This means that the current working directory
is no longer implicitly included when `BuildSources=` is
explicitly configured.
* Assigning the empty string to a setting that takes a list of
values now overrides any configured default value as well.
OBS-URL: https://build.opensuse.org/request/show/1140555
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=21
Mon Nov 20 09:21:06 UTC 2023 - Fredrik Lönnegren <fredrik.lonnegren@suse.com>
- update to v19:
* Support for RHEL was added!
* Added journalctl and coredumpctl verbs for running the respective tools on
built directory or disk images.
* Added a burn verb to write the output image to a block device.
* Added a new esp output format, which is large similar to the existing uki
output format but wraps it in a disk image with only an ESP.
* Presets were renamed to Images. mkosi.images/ is now used instead of
mkosi.presets/, the Presets= setting was renamed to Images= and the Presets
section was merged into the Config section. The old names can still be used
for backwards compatibility.
* Added profiles to support building variants of the same image in one
repository. Profiles can be defined in mkosi.profiles/ and one can be
selected using the new Profile= setting.
* mkosi will now parse mkosi.local.conf before any other config files if that
exists.
* Added a kernel-install plugin. This is only shipped in source tree and not
included in the Python module.
* Added a --json option to get the output of mkosi summary as JSON.
* Added shorthand -a for --autologin.
* Scripts with the .chroot extension are now executed in the image
automatically.
* Added rpm helper script to have rpm automatically operate on the image when
running scripts.
* Added mkosi-as-caller helper script that can be used in scripts to run
commands as the user invoking mkosi.
* mkosi-chroot will now start a shell if no arguments are specified.
* Added WithRecommends= to configure whether to install recommended packages
by default or not where this is supported. It is disabled by default.
* Added ToolsTreeMirror= setting for configuring the mirror to use for the
default tools tree.
* WithDocs= is now enabled by default.
* Added BuildSourcesEphemeral= to make source directories ephemeral when
running scripts. This means any changes made to source directories while
running scripts will be undone after the scripts have finished executing.
* Added QemuDrives= to have mkosi create extra qemu drives and pass them to
qemu when using the qemu verb.
* Added BuildSources= match to match against configured build source targets.
* PackageManagerTrees= was moved to the Distribution section.
* We now automatically configure the qemu firmware, kernel cmdline and initrd
based on what type of kernel is passed by the user via -kernel or
QemuKernel=.
* The mkosi repository itself now ships configuration to build basic bootable
images that can be used to test mkosi.
* Added support for enabling updates-testing repositories for Fedora.
* GPG keys for CentOS, Fedora, Alma and Rocky are now looked up locally first
before fetching them remotely.
* Signatures are not required for local packages on Arch anymore.
* Packages on opensuse are now always downloaded in advance before
installation when using zypper.
* The tar output is now reproducible.
* We now make sure git can be executed from mkosi scripts without running
into permission errors.
* We don't create subdirectories beneath the configured cache directory anymore.
* Workspace directories are now created outside of any source directories.
mkosi will either use XDG_CACHE_HOME, $HOME/.cache or /var/tmp depending on
the situation.
* Added environment variable MKOSI_DNF to override which dnf to use for
building images (dnf or dnf5).
* The rootfs can now be modified when running build scripts (with all changes
thrown away after the last build script has been executed).
* mkosi now fails if configuration specified via the CLI does not apply to
any image (because it is overridden).
* Added a new doc on building rpms from source with mkosi
(docs/building-rpms-from-source.md).
* /etc/resolv.conf will now only be mounted for scripts when they are run
with network access.
OBS-URL: https://build.opensuse.org/request/show/1127786
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=19
- update to v14:
* mkosi now creates distro~release subdirectories inside the build, cache
and output directories for each distro~release combination that is
built. This allows building for multiple distros without throwing away
the results of a previous distro build every time.
* The preferred names for mkosi configuration files and directories are
now mkosi.conf and mkosi.conf.d/ respectively. The old names
(mkosi.default and mkosi.default.d) have been removed from the docs but
are still supported for backwards compatibility.
* plain_squashfs type images will now also be named with a .raw suffix.
* tar type images will now respect the --compress option.
* Pacman's SigLevel option was changed to use the same default value as
used on Arch which is SigLevel = Required DatabaseOptional. If this
results in keyring errors, you need to update the keyring by running
* Support for CentOS 7 was dropped. If you still need to support CentOS 7,
we recommend using any mkosi version up to 13.
* Support for BIOS/grub was dropped. because EFI hardware is widely
available and legacy BIOS systems do not support the feature set to
fully verify a boot chain from firmware to userland and it has become
bothersome to maintain for little use.
* To generate BIOS images you can use any version of mkosi up to mkosi 13
or the new --bios-size option. This can be used to add a BIOS boot
partition of the specified size on which grub (or any other bootloader)
can be installed with the help of mkosi's script support (depending on
your needs most likely mkosi.postinst or mkosi.finalize). This method
can also be used for other EFI bootloaders that mkosi intentionally does
not support.
* mkosi now unconditionally copies the kernel, initrd and kernel cmdline
from the image that were previously only copied out for Qemu boot.
* mkosi now runs apt and dpkg on the host. As such, we now require apt and
OBS-URL: https://build.opensuse.org/request/show/1039896
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=14
- The `--network-veth` option has been renamed to `--netdev`. The old name made
sense with virtual ethernet devices, but when booting images with qemu a
TUN/TAP device is used instead.
- The network config file installed by mkosi when the `--netdev` (previously
`--network-veth`) option is used (formerly
`/etc/systemd/network/80-mkosi-network-veth.network` in the image) now only
matches network interfaces using the `virtio_net` driver. Please make sure
you weren't relying on this file to configure any network interfaces other
than the tun/tap virtio-net interface created by mkosi when booting the image
in QEMU with the `--netdev` option. If you were relying on this config file
to configure other interfaces, you'll have to re-create it with the correct
match and a lower initial number in the filename to make sure
`systemd-networkd` will keep configuring your interface, e.g. via the
`mkosi.skeleton` or `mkosi.extra` trees or a `mkosi.postinst` script.
- The `kernel-install` script for building unified kernel images has been
removed. From v13 onwards, on systems using `kernel-install`, `mkosi` won't
automatically build new unified kernel images when a kernel is updated or
installed. To keep the old behavior, you can install the `kernel-install`
script manually via a skeleton tree; a copy can be found
[here](3798eb0c2e/mkosi/resources/dracut_unified_kernel_install.sh).
- New `QemuKvm` option configures whether to use KVM when running `mkosi qemu`.
- `mkosi` will not default to the same OS release as the host system anymore
when the host system uses the same distribution as the image that's being
built. Instead, when no release is specified, mkosi will now always default
to the default version embedded in mkosi itself.
- `mkosi` will now use the `pacman` keyring from the host when building Arch
images. This means that users will, on top of installing `archlinux-keyring`,
also have to run `pacman-key --init` and `pacman-key --populate archlinux` on
the host system to be able to build Arch images. Also, unless the package
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=12
- Support for Rocky Linux, Alma Linux, and Gentoo has been added!
- A new `ManifestFormat=` option can be used to generate "manifest" files that
describe what packages were installed. With `json`, a JSON file that shows
the names and versions of all installed packages will be created. With
`changelog`, a longer human-readable file that shows package descriptions and
changelogs will be generated. This latter format should be considered
experimental and likely to change in later versions.
- A new `RemovePackages=` option can be used to uninstall packages after the
build and finalize scripts have been done. This is useful for the case where
packages are required by the build scripts, or pulled in as dependencies
for scriptlets of other packages, but are not necessary in the final image.
- A new `BaseImage=` option can be used to build "system extensions" a.k.a.
"sysexts" — partial images which are mounted on top of an existing system
to provide additional files under `/usr/`. See the
[systemd-sysext man page](https://www.freedesktop.org/software/systemd/man/systemd-sysext.html)
for more information.
- A new `CleanPackageMetadata=` option can be used to force or disable the
removal of package manager files. When this option is not used, they are
removed when the package manager is not installed in the final image.
- A new `UseHostRepositories=` option instructs mkosi to use repository
configuration from the host system, instead of the internal list.
- A new `SshAgent=` option configures the path to the ssh agent.
- A new `SshPort=` option overrides the port used for ssh.
- The `Verity=` setting supports a new value `signed`. When set, verity data
will be signed and the result inserted as an additional partition in the
image. See https://systemd.io/DISCOVERABLE_PARTITIONS for details about
signed disk images. This information is used by `systemd-nspawn`,
`systemd-dissect`, `systemd-sysext`, `systemd-portabled` and `systemd`'s
`RootImage=` setting (among others) to cryptographically validate the image
OBS-URL: https://build.opensuse.org/package/show/Virtualization/mkosi?expand=0&rev=9
