systemd/mkosi.images/system/mkosi.postinst.chroot

#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

if [ "$1" = "build" ]; then
    exit 0
fi

if [ -n "$SANITIZERS" ]; then
    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')

    mkdir -p /etc/systemd/system.conf.d

    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
[Manager]
ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
EOF

    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
    # sanitizer failures appear directly on the user's console.
    mkdir -p /etc/systemd/system/systemd-journald.service.d
    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
[Service]
StandardOutput=tty
EOF

    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.

    mkdir -p /etc/systemd/system/console-getty.service.d
    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
[Service]
TTYVHangup=no
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
EOF
    # ASAN and syscall filters aren't compatible with each other.
    find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +

    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
    systemctl mask systemd-hwdb-update.service
fi

if [ -n "$IMAGE_ID" ] ; then
    sed -n \
        -i \
        -e '/^IMAGE_ID=/!p' \
        -e "\$aIMAGE_ID=$IMAGE_ID" \
        /usr/lib/os-release
fi

if [ -n "$IMAGE_VERSION" ] ; then
    sed -n \
        -i \
        -e '/^IMAGE_VERSION=/!p' \
        -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
        /usr/lib/os-release
fi

if command -v authselect >/dev/null; then
    # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
    # let's use the new name if it exists.
    if [ -d /usr/share/authselect/default/local ]; then
        PROFILE=local
    else
        PROFILE=minimal
    fi

    authselect select "$PROFILE"

    if authselect list-features "$PROFILE" | grep -q "with-homed"; then
        authselect enable-feature with-homed
    fi
fi

# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
# if that's the case.
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf

. /usr/lib/os-release

if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
    alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
    alternatives --set python3 /usr/bin/python3.9
fi

mkdir -p /usr/lib/sysusers.d
cat >/usr/lib/sysusers.d/testuser.conf <<EOF
u	testuser	4711	"Test User"	/home/testuser
EOF
mkdir -p /usr/lib/tmpfiles.d
cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
q	/home/testuser	0700	4711	4711
EOF
mkosi: Install sd-boot using postinst script instead of in build script This allows us to reuse bootctl install instead of replicating the logic in the build script. 2021-11-23 19:57:18 +01:00			`#!/bin/sh`
			`# SPDX-License-Identifier: LGPL-2.1-or-later`
mkosi: Enable set -e in postinst script 2023-06-02 15:42:14 +02:00			`set -e`
mkosi: Install sd-boot using postinst script instead of in build script This allows us to reuse bootctl install instead of replicating the logic in the build script. 2021-11-23 19:57:18 +01:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`if [ "$1" = "build" ]; then`
			`exit 0`
			`fi`

			`if [ -n "$SANITIZERS" ]; then`
			`LD_PRELOAD=$(ldd /usr/lib/systemd/systemd \| grep libasan.so \| awk '{print $3}')`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`mkdir -p /etc/systemd/system.conf.d`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00			`[Manager]`
			`ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\`
			`UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\`
			`LD_PRELOAD=$LD_PRELOAD`
			`DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\`
			`UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\`
			`LD_PRELOAD=$LD_PRELOAD`
mkosi: Silence gdb debuginfo messages/prompts Let's silence gdb asking about debuginfod and complaining about missing debuginfo to reduce friction when using mkosi to work on systemd. 2022-07-19 13:45:24 +02:00			`EOF`

mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`# ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose`
			`# all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any`
			`# sanitizer failures appear directly on the user's console.`
			`mkdir -p /etc/systemd/system/systemd-journald.service.d`
			`cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00			`[Service]`
			`StandardOutput=tty`
			`EOF`

mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`# Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.`
			# This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
			`# a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login`
			`# from calling vhangup() so that journald's ASAN logs correctly end up in the console.`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`mkdir -p /etc/systemd/system/console-getty.service.d`
			`cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00			`[Service]`
			`TTYVHangup=no`
			`CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG`
			`EOF`
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`# ASAN and syscall filters aren't compatible with each other.`
			`find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\\|SystemCall\)/# \1/' {} +`
mkosi: Changes to allow booting with sanitizers in mkosi - Extra memory because ASAN needs it - The environment variables to make the sanitizers more useful - LD_PRELOAD because the ASAN DSO needs to be the first in the list - The sanitizer library packages - Disable syscall filters because they interfere with ASAN - Disable systemd-hwdb-update because it's super slow when systemd-hwdb is built with sanitizers - Take the value for meson's b_sanitize option from the SANITIZERS environment variable 2022-07-15 02:26:52 +02:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
			`systemctl mask systemd-hwdb-update.service`
			`fi`
mkosi: Ensure we build all features/components in mkosi Explicitly enable all features/components in the mkosi build to ensure they all get built and we get an error if they can't be built. We also rework the packages sections of all mkosi configs to reduce duplication and cover all the dependencies necessary to build/use all systemd features. Note that for the final image, since systemd is installed by default in base images, we rely on that to install the base library dependencies and we only list extra optional dependencies and tools that aren't already installed by default into the base image. We also drop the centos stream 8 mkosi build as dependencies on that distro are too out-of-date to be able to build all systemd features. Since centos stream 9 has been out for a while, let's focus on that and leave it to downstream to keep systemd building on centos stream 8. Finally, there's a few additions to the mkosi scripts to make sure services don't start by default on boot. 2022-08-22 13:21:07 +02:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`if [ -n "$IMAGE_ID" ] ; then`
			`sed -n \`
			`-i \`
			`-e '/^IMAGE_ID=/!p' \`
			`-e "\$aIMAGE_ID=$IMAGE_ID" \`
			`/usr/lib/os-release`
			`fi`
mkosi: Move more logic to the postinst script Let's move stuff that only applies to the final image to the postinst script. Let's also move out some of the static files to mkosi.extra/ instead of hardcoding them in scripts. 2023-02-21 15:09:38 +01:00
mkosi: Reduce postinst script indentation 2023-02-21 15:23:15 +01:00			`if [ -n "$IMAGE_VERSION" ] ; then`
			`sed -n \`
			`-i \`
			`-e '/^IMAGE_VERSION=/!p' \`
			`-e "\$aIMAGE_VERSION=$IMAGE_VERSION" \`
			`/usr/lib/os-release`
mkosi: Install sd-boot using postinst script instead of in build script This allows us to reuse bootctl install instead of replicating the logic in the build script. 2021-11-23 19:57:18 +01:00			`fi`
mkosi: Update to latest 2023-04-18 14:35:48 +02:00
mkosi: Use authselect minimal if authselect is installed We dropped this logic from mkosi itself, so let's configure it in our postinst script instead. We also enable the with-homed feature if we can find it. It doesn't exist for the minimal profile yet, but might be added in the future. 2023-04-20 10:13:37 +02:00			`if command -v authselect >/dev/null; then`
mkosi: Use authselect local profile if it exists authselect 1.5.0 removed the "minimal" profile and added the "local" profile instead. Let's modify our post-installation script to take these changes into account. 2024-01-22 12:04:45 +01:00			`# authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so`
			`# let's use the new name if it exists.`
			`if [ -d /usr/share/authselect/default/local ]; then`
			`PROFILE=local`
			`else`
			`PROFILE=minimal`
			`fi`

			`authselect select "$PROFILE"`
mkosi: Use authselect minimal if authselect is installed We dropped this logic from mkosi itself, so let's configure it in our postinst script instead. We also enable the with-homed feature if we can find it. It doesn't exist for the minimal profile yet, but might be added in the future. 2023-04-20 10:13:37 +02:00
mkosi: Use authselect local profile if it exists authselect 1.5.0 removed the "minimal" profile and added the "local" profile instead. Let's modify our post-installation script to take these changes into account. 2024-01-22 12:04:45 +01:00			`if authselect list-features "$PROFILE" \| grep -q "with-homed"; then`
mkosi: Use authselect minimal if authselect is installed We dropped this logic from mkosi itself, so let's configure it in our postinst script instead. We also enable the with-homed feature if we can find it. It doesn't exist for the minimal profile yet, but might be added in the future. 2023-04-20 10:13:37 +02:00			`authselect enable-feature with-homed`
			`fi`
			`fi`
mkosi: delete /etc/resolv.conf to let tmpfiles handle it In case the distribution creates or ships resolv.conf, delete it and let tmpfiles handle it 2023-04-23 13:02:06 +01:00
mkosi: Unmount /etc/resolv.conf if it's a mountpoint 2023-08-07 20:17:41 +02:00			`# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that`
			`# if that's the case.`
			`mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf`
mkosi: delete /etc/resolv.conf to let tmpfiles handle it In case the distribution creates or ships resolv.conf, delete it and let tmpfiles handle it 2023-04-23 13:02:06 +01:00			`rm -f /etc/resolv.conf`
mkosi: Switch to use mkosi presets with prebuilt initrds Instead of building the initrds for the mkosi images with dracut, let's switch to using mkosi presets to build the initrd with mkosi as well. This commit splits up our single image build into three separate mkosi presets: 1. The "base" preset. This image contains systemd and all its runtime dependencies. The sole purpose of this image is to serve as a base image for the initrd and the final image. It's also responsible for building systemd from source with the build script. The results are installed into the base image. Note that we install the systemd and udev packages into this image as well to prevent package managers from overriding the systemd we built from source with the distro packaged systemd if it's pulled in as a dependency by another package from the initrd or final profiles. 2. The "initrd" preset. This image provides the initrd. It's trivial and does nothing more than packaging the base image up as a zstd compressed initramfs and adds /init and /etc/initrd-release symlinks to the image. 3. The "final" preset. This image builds on top of the base image and adds a kernel and extra packages that are useful for testing and debugging. We also split out the optional kernel build into a separate set of config files that are only included if a kernel to build is actually provided. Note that this commit doesn't really change anything about how mkosi is used. The commands remain the same, except that mkosi will now build all the presets in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu, boot, shell" will always boot the final preset. With "-f", all presets will be built and the final one is booted. "-i" makes a cache of each preset. The only thing to keep in mind is that specifying config via the mkosi CLI will apply to each of the presets. e.g. any extra packages added with "-p" will be installed in both the initrd and the final image. To apply local configuration to a single preset, create a file 00-local.conf in mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration in there. 2023-04-25 16:04:49 +02:00
mkosi: Make sure our systemd build always overrides the distros Currently, we install the systemd install tree in the base image and then build the initrd and final images from the base image. This means if that any systemd package is pulled in during the initrd or final image builds, it will override our version. To fix this, we stop installing our build of systemd in the base image, and store it in the output directory instead. That allows us to refer to it using ExtraTrees= in the final and initrd image builds to install it after all the distro packages have been installed, ensuring our version always takes priority. 2023-08-04 10:40:30 +02:00			`. /usr/lib/os-release`
mkosi: Switch to use mkosi presets with prebuilt initrds Instead of building the initrds for the mkosi images with dracut, let's switch to using mkosi presets to build the initrd with mkosi as well. This commit splits up our single image build into three separate mkosi presets: 1. The "base" preset. This image contains systemd and all its runtime dependencies. The sole purpose of this image is to serve as a base image for the initrd and the final image. It's also responsible for building systemd from source with the build script. The results are installed into the base image. Note that we install the systemd and udev packages into this image as well to prevent package managers from overriding the systemd we built from source with the distro packaged systemd if it's pulled in as a dependency by another package from the initrd or final profiles. 2. The "initrd" preset. This image provides the initrd. It's trivial and does nothing more than packaging the base image up as a zstd compressed initramfs and adds /init and /etc/initrd-release symlinks to the image. 3. The "final" preset. This image builds on top of the base image and adds a kernel and extra packages that are useful for testing and debugging. We also split out the optional kernel build into a separate set of config files that are only included if a kernel to build is actually provided. Note that this commit doesn't really change anything about how mkosi is used. The commands remain the same, except that mkosi will now build all the presets in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu, boot, shell" will always boot the final preset. With "-f", all presets will be built and the final one is booted. "-i" makes a cache of each preset. The only thing to keep in mind is that specifying config via the mkosi CLI will apply to each of the presets. e.g. any extra packages added with "-p" will be installed in both the initrd and the final image. To apply local configuration to a single preset, create a file 00-local.conf in mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration in there. 2023-04-25 16:04:49 +02:00
			`if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then`
			`alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1`
			`alternatives --set python3 /usr/bin/python3.9`
			`fi`
mkosi: Add testuser and tar to system image The integration tests are installed into the image with the intention that it should be possible to run those tests, but those tests require the named user testuser and tar is needed for machined-import 2023-11-27 17:50:49 +00:00
			`mkdir -p /usr/lib/sysusers.d`
			`cat >/usr/lib/sysusers.d/testuser.conf <<EOF`
			`u testuser 4711 "Test User" /home/testuser`
			`EOF`
			`mkdir -p /usr/lib/tmpfiles.d`
			`cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF`
			`q /home/testuser 0700 4711 4711`
			`EOF`