mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
627d1a9ac1
This PR allows an option for systemd exec units to enable UTS namespaces but not restrict changing hostname via seccomp. Thus, units can change hostname without affecting the host. This is useful for OS-like containers running as units where they should have freedom to change their container hostname if they want, but not the host's hostname. Fixes: #30348
150 lines
3.4 KiB
Plaintext
150 lines
3.4 KiB
Plaintext
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
|
[Config]
|
|
MinimumVersion=25~devel
|
|
Dependencies=
|
|
exitrd
|
|
initrd
|
|
minimal-base
|
|
minimal-0
|
|
minimal-1
|
|
|
|
PassEnvironment=
|
|
NO_BUILD
|
|
NO_SYNC
|
|
WIPE
|
|
SANITIZERS
|
|
CFLAGS
|
|
LDFLAGS
|
|
LLVM
|
|
MESON_VERBOSE
|
|
MESON_OPTIONS
|
|
SYSEXT
|
|
WITH_DEBUG
|
|
ASAN_OPTIONS
|
|
COVERAGE
|
|
|
|
[Output]
|
|
RepartDirectories=mkosi.repart
|
|
OutputDirectory=build/mkosi.output
|
|
|
|
[Build]
|
|
BuildDirectory=build/mkosi.builddir
|
|
CacheDirectory=build/mkosi.cache
|
|
BuildSourcesEphemeral=yes
|
|
Incremental=yes
|
|
|
|
[Validation]
|
|
SignExpectedPcr=yes
|
|
|
|
[Content]
|
|
ExtraTrees=
|
|
mkosi.extra.common
|
|
mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
|
|
%O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
|
|
%O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
|
|
%O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
|
|
%O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
|
|
%O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
|
|
%O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
|
|
%O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
|
|
%O/exitrd:/exitrd
|
|
|
|
Initrds=%O/initrd
|
|
|
|
# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
|
|
# and results in lots of errors when building images as a regular user.
|
|
SELinuxRelabel=no
|
|
|
|
# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
|
|
# various scenarios. Consider adding support for a credential instead if possible and using that.
|
|
KernelCommandLine=
|
|
systemd.crash_shell
|
|
systemd.log_level=debug,console:info
|
|
systemd.log_ratelimit_kmsg=0
|
|
# Disable the kernel's ratelimiting on userspace logging to kmsg.
|
|
printk.devkmsg=on
|
|
# Make sure /sysroot is mounted rw in the initrd.
|
|
rw
|
|
# Make sure no LSMs are enabled by default.
|
|
selinux=0
|
|
systemd.early_core_pattern=/core
|
|
systemd.firstboot=no
|
|
raid=noautodetect
|
|
oops=panic
|
|
panic=-1
|
|
softlockup_panic=1
|
|
panic_on_warn=1
|
|
psi=1
|
|
|
|
KernelModulesInitrdExclude=.*
|
|
KernelModulesInitrdInclude=default
|
|
|
|
Packages=
|
|
acl
|
|
attr
|
|
bash-completion
|
|
binutils
|
|
coreutils
|
|
curl
|
|
diffutils
|
|
dnsmasq
|
|
dosfstools
|
|
e2fsprogs
|
|
findutils
|
|
gdb
|
|
grep
|
|
gzip
|
|
hostname
|
|
jq
|
|
kbd
|
|
kexec-tools
|
|
kmod
|
|
less
|
|
llvm
|
|
lvm2
|
|
man
|
|
mdadm
|
|
mtools
|
|
nano
|
|
nftables
|
|
nvme-cli
|
|
opensc
|
|
openssl
|
|
p11-kit
|
|
pciutils
|
|
python3
|
|
radvd
|
|
rsync
|
|
sed
|
|
socat
|
|
strace
|
|
tar
|
|
tmux
|
|
tree
|
|
util-linux
|
|
valgrind
|
|
which
|
|
wireguard-tools
|
|
xfsprogs
|
|
zsh
|
|
zstd
|
|
|
|
[Host]
|
|
Credentials=
|
|
journal.storage=persistent
|
|
tty.serial.hvc0.agetty.autologin=root
|
|
tty.serial.hvc0.login.noauth=yes
|
|
tty.console.agetty.autologin=root
|
|
tty.console.login.noauth=yes
|
|
RuntimeBuildSources=yes
|
|
RuntimeScratch=no
|
|
QemuSmp=2
|
|
QemuSwtpm=yes
|
|
QemuVsock=yes
|
|
QemuKvm=yes
|
|
|
|
[Include]
|
|
Include=%D/mkosi.sanitizers
|
|
%D/mkosi.coverage
|