systemd/mkosi.conf
Yu Watanabe 627d1a9ac1
core: Add ProtectHostname=private (#35447)
This PR adds an option for systemd exec units to enable a UTS namespace
without restricting hostname changes via seccomp. Thus, units can change
hostname without affecting the host. This is useful for OS-like
containers running as units where they should have freedom to change
their container hostname if they want, but not the host's hostname.

Fixes: #30348
2024-12-11 10:17:25 +09:00


# SPDX-License-Identifier: LGPL-2.1-or-later
# mkosi configuration for the systemd development/test image.
# A key followed by nothing and then indented lines is a multi-line list value.
[Config]
# Refuse to run with an mkosi older than this.
MinimumVersion=25~devel
# Images that must be built before this one (their outputs are referenced
# below via %O/...).
Dependencies=
        exitrd
        initrd
        minimal-base
        minimal-0
        minimal-1
# Host environment variables forwarded into the build sandbox.  Keep this
# list deliberate: anything listed here becomes visible to the build scripts.
PassEnvironment=
        NO_BUILD
        NO_SYNC
        WIPE
        SANITIZERS
        CFLAGS
        LDFLAGS
        LLVM
        MESON_VERBOSE
        MESON_OPTIONS
        SYSEXT
        WITH_DEBUG
        ASAN_OPTIONS
        COVERAGE
# Where build artifacts land and how the disk image is partitioned.
[Output]
# Directory with the systemd-repart partition definitions for the image.
RepartDirectories=mkosi.repart
# Built images are written here (this is what %O expands to below).
OutputDirectory=build/mkosi.output
# Build-time directories and caching.
[Build]
BuildDirectory=build/mkosi.builddir
CacheDirectory=build/mkosi.cache
# Build sources are mounted ephemerally so the build cannot leave changes
# behind in the checkout.
BuildSourcesEphemeral=yes
# Reuse cached intermediate images between runs.
Incremental=yes
[Validation]
# Sign the expected TPM PCR measurements of the UKI (used for TPM-bound
# policies in the tests).
SignExpectedPcr=yes
# What goes into the image: extra files, initrd, kernel command line, packages.
[Content]
# Files overlaid into the image root; "source:destination" pairs.
ExtraTrees=
        mkosi.extra.common
        mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
        # Root/verity/verity-signature images of the minimal sub-images,
        # shipped inside the image for the DDI tests.
        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
        %O/exitrd:/exitrd
# The initrd is the separately built "initrd" sub-image.
Initrds=%O/initrd
# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
# and results in lots of errors when building images as a regular user.
SELinuxRelabel=no
# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
# various scenarios. Consider adding support for a credential instead if possible and using that.
# Several of these settings (crash shell, no LSM, panic on warn) are only
# appropriate for a throwaway test VM.
KernelCommandLine=
        # Drop into a shell when systemd crashes so the failure can be inspected.
        systemd.crash_shell
        systemd.log_level=debug,console:info
        systemd.log_ratelimit_kmsg=0
        # Disable the kernel's ratelimiting on userspace logging to kmsg.
        printk.devkmsg=on
        # Make sure /sysroot is mounted rw in the initrd.
        rw
        # Make sure no LSMs are enabled by default.
        selinux=0
        systemd.early_core_pattern=/core
        # Skip the interactive first-boot setup.
        systemd.firstboot=no
        raid=noautodetect
        # Turn oopses, warnings and soft lockups into an immediate panic/reboot
        # so a failing test terminates instead of hanging.
        oops=panic
        panic=-1
        softlockup_panic=1
        panic_on_warn=1
        # Enable pressure stall information accounting.
        psi=1
# Start from no kernel modules in the initrd, then add back mkosi's default set.
KernelModulesInitrdExclude=.*
KernelModulesInitrdInclude=default
# Tools installed into the image for the integration tests.
Packages=
        acl
        attr
        bash-completion
        binutils
        coreutils
        curl
        diffutils
        dnsmasq
        dosfstools
        e2fsprogs
        findutils
        gdb
        grep
        gzip
        hostname
        jq
        kbd
        kexec-tools
        kmod
        less
        llvm
        lvm2
        man
        mdadm
        mtools
        nano
        nftables
        nvme-cli
        opensc
        openssl
        p11-kit
        pciutils
        python3
        radvd
        rsync
        sed
        socat
        strace
        tar
        tmux
        tree
        util-linux
        valgrind
        which
        wireguard-tools
        xfsprogs
        zsh
        zstd
# How the image is booted on the developer's machine (VM settings).
[Host]
# Credentials handed to the booted VM.  The agetty.autologin/login.noauth
# pairs give a passwordless root login on the serial (hvc0) and console
# ttys; this is acceptable only because the image is a local test VM and
# must not be carried over to anything deployable.
Credentials=
        journal.storage=persistent
        tty.serial.hvc0.agetty.autologin=root
        tty.serial.hvc0.login.noauth=yes
        tty.console.agetty.autologin=root
        tty.console.login.noauth=yes
# Expose the source tree inside the running VM.
RuntimeBuildSources=yes
RuntimeScratch=no
QemuSmp=2
# Software TPM so the TPM-dependent tests can run.
QemuSwtpm=yes
QemuVsock=yes
QemuKvm=yes
# Optional configuration fragments next to this file (%D is this file's
# directory): sanitizer and coverage settings.
[Include]
Include=%D/mkosi.sanitizers
        %D/mkosi.coverage