Merge pull request #33674 from DaanDeMeyer/backport-mkosi

v256-stable: Backport various mkosi changes

.github/workflows/build_test.yml

@@ -33,6 +33,6 @@ jobs:
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: Build check
         run: .github/workflows/build_test.sh

.github/workflows/codeql.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c

.github/workflows/coverity.yml

@@ -22,7 +22,7 @@ jobs:
       COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
     steps:
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       # Reuse the setup phase of the unit test script to avoid code duplication
       - name: Install build dependencies
         run: sudo -E .github/workflows/unit_tests.sh SETUP

.github/workflows/development_freeze.yml

@@ -30,7 +30,7 @@ jobs:
           name: Pull Request Metadata
 
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           fetch-depth: 0
 

.github/workflows/differential-shellcheck.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           fetch-depth: 0
 

.github/workflows/gather-pr-metadata.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - id: metadata
         name: Gather Pull Request Metadata

.github/workflows/issue_labeler.yml

@@ -20,7 +20,7 @@ jobs:
         template: [ bug_report.yml, feature_request.yml ]
 
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Parse issue form
         uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94

.github/workflows/labeler.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
     - name: Repository checkout
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       if: github.event_name == 'pull_request'
 
     - name: Label PR based on policy in labeler.yml

.github/workflows/linter.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Repo checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           # We need a full repo clone
           fetch-depth: 0

.github/workflows/mkosi.yml

@@ -91,8 +91,8 @@ jobs:
             cflags: "-Og"
 
     steps:
-    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-    - uses: systemd/mkosi@70aa901697f12182ccaa24e2325867d275479b55
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+    - uses: systemd/mkosi@6b66aa9096948e0bc38154333687584e0351f450
 
     # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
     # immediately, we remove the files in the background. However, we first move them to a different location

.github/workflows/scorecards.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
 

.github/workflows/unit_tests.yml

@@ -30,7 +30,7 @@ jobs:
             cryptolib: gcrypt
     steps:
       - name: Repository checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: Install build dependencies
         run: |
           # Drop XDG_* stuff from /etc/environment, so we don't get the user

mkosi.conf

@@ -1,17 +1,28 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-@Images=system
 MinimumVersion=23~devel
+InitrdInclude=mkosi.initrd/
 
 [Output]
-@OutputDirectory=build/mkosi.output
-@BuildDirectory=build/mkosi.builddir
-@CacheDirectory=build/mkosi.cache
+RepartDirectories=mkosi.repart
+OutputDirectory=build/mkosi.output
+BuildDirectory=build/mkosi.builddir
+CacheDirectory=build/mkosi.cache
 
 [Content]
-@SELinuxRelabel=no
+SELinuxRelabel=no
 BuildSourcesEphemeral=yes
+Autologin=yes
+
+PostInstallationScripts=mkosi.sanitizers.chroot
+ExtraTrees=
+        mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+        mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
+        mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
+
+Environment=
+        SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
 
 # Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
 # various scenarios. Consider adding support for a credential instead if possible and using that.
@@ -43,13 +54,85 @@ KernelCommandLine=systemd.crash_shell
 KernelModulesInitrdExclude=.*
 KernelModulesInitrdInclude=default
 
+ExtraTrees=
+        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
+        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
+        %O/exitrd:/exitrd
+
+InitrdPackages=
+        btrfs-progs
+        findutils
+        grep
+        sed
+
+Packages=
+        acl
+        attr
+        bash-completion
+        bpftrace
+        btrfs-progs
+        clang
+        coreutils
+        curl
+        diffutils
+        dnsmasq
+        dosfstools
+        e2fsprogs
+        findutils
+        gdb
+        grep
+        gzip
+        jq
+        kbd
+        kexec-tools
+        kmod
+        knot
+        less
+        lld
+        llvm
+        lvm2
+        man
+        mdadm
+        mtools
+        nano
+        nftables
+        nvme-cli
+        opensc
+        openssl
+        p11-kit
+        pciutils
+        python3
+        qrencode
+        radvd
+        rsync
+        sed
+        socat
+        strace
+        systemd
+        tar
+        tmux
+        tree
+        udev
+        util-linux
+        valgrind
+        which
+        wireguard-tools
+        xfsprogs
+        zsh
+        zstd
+
 [Host]
 Credentials=journal.storage=persistent
-@Incremental=yes
-@RuntimeBuildSources=yes
-@RuntimeScratch=no
-@QemuSmp=2
-@QemuSwtpm=yes
-@QemuVsock=yes
-@QemuKvm=yes
+Incremental=yes
+RuntimeBuildSources=yes
+RuntimeScratch=no
+QemuSmp=2
+QemuSwtpm=yes
+QemuVsock=yes
+QemuKvm=yes
 ToolsTreePackages=virtiofsd

mkosi.conf.d/10-centos.conf

@@ -1,11 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=centos
-
-[Distribution]
-@Release=9
-Repositories=epel
-             epel-next
-             hyperscale-packages-main
-             hyperscale-packages-experimental

mkosi.conf.d/10-centos/mkosi.conf

@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Distribution]
+Release=9
+Repositories=epel
+             epel-next
+             hyperscale-packages-main
+             hyperscale-packages-experimental
+
+[Content]
+Environment=
+        Environment=
+                # We'd prefer to use XFS here but it fails to mount on duplicate filesystem UUIDs which
+                # happens when running tests in parallel so we use ext4 instead.
+                SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=ext4
+                # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
+                # mkfs.ext4 enabled it by default, so we disable it explicitly.
+                SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+
+        GIT_URL=https://git.centos.org/rpms/systemd.git
+        GIT_BRANCH=c9s-sig-hyperscale
+        GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7
+
+Packages=
+        kernel-modules # For squashfs
+        rpmautospec-rpm-macros

mkosi.conf.d/10-debian-ubuntu/mkosi-pinning.pref

@@ -0,0 +1,3 @@
+Package: *
+Pin: release l=mkosi
+Pin-Priority: 1100

mkosi.conf.d/10-debian-ubuntu/mkosi.conf

@@ -4,6 +4,9 @@
 Distribution=|debian
 Distribution=|ubuntu
 
+[Distribution]
+PackageManagerTrees=mkosi-pinning.pref:/etc/apt/preferences.d/mkosi-pinning.pref
+
 [Content]
 Environment=
         GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
@@ -67,7 +70,7 @@ Packages=
         openssh-client
         openssh-server
         passwd
-        policykit-1
+        polkitd
         procps
         psmisc
         python3-pexpect

mkosi.conf.d/10-debian.conf

@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=debian
-
-[Distribution]
-@Release=testing

mkosi.conf.d/10-debian/mkosi.conf

@@ -3,6 +3,9 @@
 [Match]
 Distribution=debian
 
+[Distribution]
+Release=testing
+
 [Content]
 Packages=
         linux-perf

mkosi.conf.d/10-fedora.conf

@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Distribution]
-@Release=rawhide

mkosi.conf.d/10-fedora/mkosi.conf

@@ -3,6 +3,9 @@
 [Match]
 Distribution=fedora
 
+[Distribution]
+Release=rawhide
+
 [Content]
 Environment=
         GIT_URL=https://src.fedoraproject.org/rpms/systemd.git

mkosi.conf.d/10-opensuse.conf

@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Distribution]
-@Release=tumbleweed
-PackageManagerTrees=mkosi.conf.d/macros.db_backend:/etc/rpm/macros.db_backend

mkosi.conf.d/10-opensuse/mkosi.conf

@@ -6,6 +6,10 @@ Distribution=opensuse
 [Config]
 InitrdInclude=initrd/
 
+[Distribution]
+Release=tumbleweed
+PackageManagerTrees=macros.db_backend:/etc/rpm/macros.db_backend
+
 [Content]
 Environment=
         GIT_URL=https://src.opensuse.org/rpm/systemd

mkosi.conf.d/10-ubuntu.conf

@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=ubuntu
-
-[Distribution]
-@Release=noble
-Repositories=universe

mkosi.conf.d/10-ubuntu/mkosi.conf

@@ -3,6 +3,10 @@
 [Match]
 Distribution=ubuntu
 
+[Distribution]
+Release=noble
+Repositories=universe
+
 [Content]
 Packages=
         linux-image-generic

mkosi.conf.d/20-none.conf

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# If we're only rerunning the build script, remove all subimage dependencies to speed up builds.
+
+[Match]
+Format=none
+
+[Config]
+Dependencies=

mkosi.conf.d/20-particle/mkosi.conf

@@ -8,8 +8,8 @@ RepartDirectories=
 RepartDirectories=mkosi.repart
 
 [Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
+SecureBoot=yes
+SignExpectedPcr=yes
 
 [Host]
-@RuntimeSize=8G
+RuntimeSize=8G

mkosi.images/exitrd/mkosi.conf

@@ -1,22 +1,14 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-[Config]
-ConfigureScripts=
-
 [Output]
 Format=directory
 
 [Content]
 Bootable=no
-@Locale=C.UTF-8
+Locale=C.UTF-8
 WithDocs=no
 CleanPackageMetadata=yes
 MakeInitrd=yes
 
-BuildSources=
-Packages=
-BuildPackages=
-VolatilePackages=
-
 Packages=
         bash

mkosi.images/minimal-0/mkosi.conf

@@ -2,7 +2,6 @@
 
 [Config]
 Dependencies=minimal-base
-ConfigureScripts=
 
 [Distribution]
 CacheOnly=always
@@ -15,11 +14,3 @@ SplitArtifacts=yes
 BaseTrees=%O/minimal-base
 Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
 Bootable=no
-
-BuildSources=
-Packages=
-BuildPackages=
-VolatilePackages=
-
-[Host]
-Incremental=no

mkosi.images/minimal-1/mkosi.conf

@@ -2,7 +2,6 @@
 
 [Config]
 Dependencies=minimal-base
-ConfigureScripts=
 
 [Distribution]
 CacheOnly=always
@@ -15,11 +14,3 @@ SplitArtifacts=yes
 BaseTrees=%O/minimal-base
 Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
 Bootable=no
-
-BuildSources=
-Packages=
-BuildPackages=
-VolatilePackages=
-
-[Host]
-Incremental=no

mkosi.images/minimal-base/mkosi.conf

@@ -1,22 +1,14 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-[Config]
-ConfigureScripts=
-
 [Output]
 Format=directory
 
 [Content]
 Bootable=no
-@Locale=C.UTF-8
+Locale=C.UTF-8
 WithDocs=no
 CleanPackageMetadata=yes
 
-BuildSources=
-Packages=
-BuildPackages=
-VolatilePackages=
-
 Packages=
         bash
         coreutils

mkosi.images/system/initrd/mkosi.conf

@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Content]
-PostInstallationScripts=../mkosi.sanitizers.chroot
-ExtraTrees=
-    ../leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
-    ../coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf

mkosi.images/system/mkosi.conf

@@ -1,78 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Config]
-InitrdInclude=initrd/
-
-[Output]
-RepartDirectories=mkosi.repart
-
-[Content]
-Autologin=yes
-ExtraTrees=
-        %D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
-        leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
-        coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
-
-PostInstallationScripts=mkosi.sanitizers.chroot
-
-InitrdPackages=
-        btrfs-progs
-        findutils
-        grep
-        sed
-
-Packages=
-        acl
-        attr
-        bash-completion
-        bpftrace
-        btrfs-progs
-        clang
-        coreutils
-        curl
-        diffutils
-        dnsmasq
-        dosfstools
-        e2fsprogs
-        findutils
-        gdb
-        grep
-        gzip
-        jq
-        kbd
-        kexec-tools
-        kmod
-        knot
-        less
-        lld
-        llvm
-        lvm2
-        man
-        mdadm
-        mtools
-        nano
-        nftables
-        nvme-cli
-        opensc
-        openssl
-        p11-kit
-        pciutils
-        python3
-        qrencode
-        radvd
-        rsync
-        sed
-        socat
-        strace
-        systemd
-        tar
-        tmux
-        tree
-        udev
-        util-linux
-        valgrind
-        which
-        wireguard-tools
-        xfsprogs
-        zsh
-        zstd

mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf

@@ -1,17 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=centos
-
-[Content]
-Environment=
-        # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
-        # mkfs.ext4 enabled it by default, so we disable it explicitly.
-        Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
-        GIT_URL=https://git.centos.org/rpms/systemd.git
-        GIT_BRANCH=c9s-sig-hyperscale
-        GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7
-
-Packages=
-        kernel-modules # For squashfs
-        rpmautospec-rpm-macros

mkosi.images/system/mkosi.conf.d/20-images.conf

@@ -1,22 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Format=!none
-
-[Config]
-Dependencies=
-        exitrd
-        minimal-base
-        minimal-0
-        minimal-1
-
-[Content]
-ExtraTrees=
-        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
-        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
-        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
-        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
-        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
-        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
-        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
-        %O/exitrd:/exitrd

mkosi.images/system/mkosi.extra/.autorelabel

@@ -1 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later

mkosi.initrd/mkosi.conf

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Content]
+PostInstallationScripts=../mkosi.sanitizers.chroot
+ExtraTrees=
+    ../mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
+    ../mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf

mkosi.repart/10-root.conf

@@ -2,7 +2,6 @@
 
 [Partition]
 Type=root
-Format=btrfs
 CopyFiles=/
 SizeMinBytes=8G
 SizeMaxBytes=8G

test/integration-test-wrapper.py

@@ -134,7 +134,6 @@ def main():
         '--runtime-network=none',
         '--runtime-scratch=no',
         *args.mkosi_args,
-        '--append',
         '--qemu-firmware', args.firmware,
         '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
         '--kernel-command-line-extra',
@@ -184,9 +183,8 @@ def main():
                     text=True,
                 ).stdout
             )
-            images = {image["Image"]: image for image in j["Images"]}
-            distribution = images["system"]["Distribution"]
-            release = images["system"]["Release"]
+            distribution = j["Images"][-1]["Distribution"]
+            release = j["Images"][-1]["Release"]
             artifact = f"ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals"
             ops += [f"gh run download {id} --name {artifact} -D ci/{artifact}"]
             journal_file = Path(f"ci/{artifact}/test/journal/{name}.journal")