Version: 25.3-bp160.1.10
* Sat Feb 01 2025 Antonio Feijoo <antonio.feijoo@suse.com>
- Update to 25.3:
* Use become_root_cmd() when running systemd-repart in run_shell() as well
* Use shutil.copy() to copy ovmf variables
* The dpkg architecture name for loongarch64 is loong64
* mkosi-initrd: Add two more modules
* Check if list matches are empty if empty string is matched against
* opensuse: fix package name: btrfs-progs -> btrfsprogs
* Log command line for abnormal signals
* zypper: set $releasever variable
* Tools tree improvements
* mkosi-initrd: handle PermissionError when reading /etc/crypttab
* Move want_uki() check out of build_uki_profiles()
* mkosi-sandbox: Improve formatting of error messages
* Fix verity signature check in case keys are configured
* Treat terminal as dumb if either stdout or stderr is not a tty
* Various cache fixes
* config: add mkosi-addon
* Calculate PE section size correctly
* Use directory in user's home as output directory if possible
* Fix condition when removing duplicate files from the overlay
* Make secure boot keys/crts/source config universal
- Update to 25.2:
* Only parse profiles from subimages and includes if those are dirs
* Use all threads when relabelling files with setfiles
- Update to 25.1:
* Remove depmod check in check_tools()
* news: fix typo detected by Lintian
* Create zipapp for mkosi sandbox like we do in generate-zipapp.sh
* man: document kernel baseline for mkosi
* sandbox: Show better error on ENOSYS
* Add fallback to sudo if run0 is not available
* Do not check uid in have_cache() for default tools tree
* Use resource_path() to access files in our own module
* Fix accessing "name" field in busctl json output
* Thu Jan 23 2025 Antonio Feijoo <antonio.feijoo@suse.com>
- Drop the mkosi-initrd-tukit subpackage.
* Since v25 implements its own sandboxing tool and does not use bubblewrap,
this is not required anymore.
- Update to 25:
* Instead of using bubblewrap, sandboxing is now done with a new tool
`mkosi-sandbox`. This tool has a public API and can be used
independently of mkosi.
* Image builds are now done in a user namespace with a single user when
running unprivileged instead of using newuidmap/newgidmap. When
running unprivileged, all files and directories in the image will be
owned by the invoking user (and by root inside any produced archives).
Any attempt to chown files to other users in scripts will fail unless
the new environment variable `$MKOSI_CHROOT_SUPPRESS_CHOWN` is set to
a true value.
* `mkosi` does not drop privileges anymore to the invoking user when
running as root for various steps.
* A new `cat-config` verb will show all configuration files that were
included for each configured image.
* Added support for Azure Linux
* Added support for Kali Linux
* If `mkosi.version` is executable, we now execute it and read the
version from stdout.
* Added `--wipe-build-dir` to wipe the build directory before rebuilding
the image.
* Introduced `RepositoryKeyFetch=` to control whether to fetch
distribution GPG keys remotely. This setting is **disabled** by
default for security reasons except when building rpm based
or Arch Linux images on Ubuntu.
* We now handle `SIGHUP` gracefully
* Universal settings that take a collection of values cannot be
appended to anymore in subimages. Usage of package manager trees in
subimages will have to be moved to the top level image. Similarly,
repositories will have to be enabled in the top level image.
* Repository metadata is not copied into images anymore.
* Repository metadata from base trees is not used anymore.
* Package manager trees are now named sandbox trees.
* Package manager trees (sandbox trees) do not use the skeleton trees as
their default anymore if unset.
* Note to packagers: The manual pages have been moved to resources/man
and now include man pages for mkosi-initrd and mkosi-sandbox as
well.
* `InitrdInclude=` was removed. If you're using `InitrdInclude=`, please
build your initrd via a subimage in `mkosi.images` containing
`Include=mkosi-initrd` and any customizations you wish to add and use
the `Initrds=` setting to use it as the initrd for the main image
instead of the default initrd.
* Added `History=` to have mkosi save the config used to build the image
and reuse it when verbs such as `qemu`, `boot`, … are invoked
without `-f`.
* Introduced new `[Build]` section and moved various settings to it.
* Moved `Include=` to `[Include]` section
* Added `sysupdate` verb as a wrapper around `systemd-sysupdate` which
invokes it with definitions from `mkosi.sysupdate`.
* Added `RuntimeHome=` to mount the current home directory to `/root`
when running a command that boots the image
* More directories aside from `/etc` and `/usr` are now picked up from
sandbox trees (formerly known as package manager trees).
* Profile configuration from `mkosi.profiles` is now parsed after
`mkosi.conf.d` instead of before it. To set defaults for use in
`mkosi.conf.d` based on the configured profile, use an early dropin in
`mkosi.conf.d` that matches on the configured profile instead.
* `Profile=` is renamed to `Profiles=` and takes a comma separated list of
profiles now. Scripts now receive `$PROFILES` with a space-separated list
of profiles instead of `$PROFILE`. The `%p` specifier for profiles is
removed.
* Multiple sync, prepare, build, postinst, finalize, postoutput and clean
scripts are now picked up from `mkosi.$SCRIPT.d`.
* `run0` is now automatically used to escalate privileges for commands that
need it, like the `burn` verb.
* `/usr/share/keyrings` and `/usr/share/distribution-gpg-keys` are no longer
automatically picked up from the tools tree when `ToolsTreeCertificates=` is
set, since they aren't certificates; use a sandbox tree instead. This allows
one to override `SignedBy=` keys for APT repositories.
* The `agetty.autologin` and `login.noauth` credentials are no longer set
unconditionally.
* Access to the output directory in build scripts was removed. To put
artifacts from the build directory into the output directory, copy them from
the build directory to the output directory in a post-installation script
which does have access to the build directory and the output directory.
* `BuildDirectory=` is no longer available in `PrepareScripts=`. If you
need to acquire some files for the build process place them somewhere
sensible within `$BUILDROOT` so that they can be cached when building
incrementally.
* When using a tools tree and a relaxed sandbox is used to run a command
(qemu, nspawn, ...), we now keep all entries from `$PATH` outside of
`/usr` intact. Note that this may cause issues if a `$PATH` entry
contains binaries linked against libraries in `/usr` from the host.
* Introduced a new specifier `%I` which resolves to the name of the current
subimage when used in a config under `mkosi.images/`. This differs to `%o`
as it is always the name of the config file without extension (or the name
of the directory).
* If `/dev/fuse` is found in the host context, it is made available in the
sandbox context too.
* Added a `sandbox` verb to run a command within a relaxed mkosi sandbox
(the same sandbox that `mkosi vm`, `mkosi boot`, ... run in).
* OpenSSL providers are now supported as key sources for the various key
settings if a recent enough systemd version (257 or newer) is used.
* Added support for loading X.509 certificates from OpenSSL providers if
a recent enough systemd version (257 or newer) is used.
* Added `ToolsTreePackageDirectories=`
* Added `--kernel-image=` to `mkosi-initrd` to specify the kernel image to
use when building a UKI.
* Setting a collection based setting to the empty string via the CLI and
then appending to the same setting will now override the settings
coming from configuration files, whereas previously the CLI values
would be appended to the values from configuration files.
* The `mkosi-initrd` default config now includes various extra kernel
modules by default.
* The `coredumpctl` and `journalctl` verbs will now always operate on
the image, even if `ForwardJournal=` is configured.
* Bumped default Fedora release to `41`.
* Added `addon` output format to build UKI addons.
* Renamed `[Host]` section to `[Runtime]` section.
* Renamed various settings from `[Host]`.
* Binaries coming from `ExtraSearchPaths=` are now executed with the
tools tree mounted if one is configured (unlike before where the tools
tree was not mounted). This means that any binaries coming from
`ExtraSearchPaths=` have to be linked against libraries from the tools
tree (or have to be statically linked). Alternatively, the tools tree
distribution and release have to match the host.
* Binaries from `ExtraSearchPaths=` are not used anymore when building
the default tools tree.
* Dropped support for `pesign` as a secure boot signing tool.
* Added support for `systemd-sbsign` as a secure boot signing tool.
* Added `--register=` to control whether to register containers and VMs
with systemd-machined or not.
* `mkosi.profiles` is now parsed in subimages as well.
* `mkosi-initrd` now uses `dnf5` on systems where it is the default.
* Added various packages to the default tools tree.
* Dropped support for Ubuntu Focal.
* Added `Devicetree=` setting for configuring bootloader device trees
* Added systemd-machined registration using varlink for `mkosi qemu` vms,
which includes the vsock CID so that `ssh vsock/<cid>` or
`ssh machine/<name>` will work on systems running `systemd-machined`
257 or newer.
* Bumped CentOS Stream default release to 10.
* mkosi now manages the pacman keyring itself so `/etc/pacman.d/gnupg`
from the host is not used anymore and mkosi will run
`pacman-key --init` and `pacman-key --populate` itself.
* Added `ToolsTreeRelease=` match
* mkosi now enforces that images built with `Overlay=yes` only add files
on top of the base tree(s) and don't overwrite any existing files or
directories.
* Added a `mkosi-addon` tool and accompanying kernel-install plugin that
allows building PE addons to extend a vendor provided unified kernel
image.
* Added `systemd-boot-signed`, `uki-signed` and `grub-signed` variants
for the `Bootloader=` option which instruct mkosi to only install
pre-signed EFI binaries.
* `mkosi.profiles` is now parsed in configuration included with
`Include=`.
* Any initrds configured with `Initrds=` are now used as fallback when
booting with qemu direct kernel boot (`--firmware=linux`) if no split
initrd was produced by the image build.
* mkosi now makes a greater effort to ensure the crypto-policies are
configured to allow GPG keys from older distributions.
* We don't pick up pre-signed bootloader binaries anymore when
`ShimBootloader=signed` is configured. To force usage of pre-signed
EFI binaries, use the new `systemd-boot-signed`, `uki-signed` and
`grub-signed` variants for the `Bootloader=` option.
* Added a new constant `microsoft-mok` for the `FirmwareVariables=`
option. If specified, a firmware variables file with the Microsoft
keys enrolled will be extended to include a `MokList` entry that
trusts the certificate configured with `SecureBootCertificate=` and
passed to `qemu`.
* We now use `mkosi.pkgcache` as the package cache directory if the
directory exists.
* `BuildSourcesEphemeral=` learned a new variant `buildcache` in which
case the overlay will be cached in the build directory configured with
`BuildDirectory=`.
* Thu Oct 31 2024 Thorsten Kukuk <kukuk@suse.com>
- Build on all architectures, but only man pages on architectures which
have pandoc
* Tue Aug 20 2024 Antonio Feijoo <antonio.feijoo@suse.com>
- Create new subpackage mkosi-initrd-tukit.
* This package adds a special mkosi-initrd wrapper to support creating initrds
on transactional systems. I.e., with transactional-update, a transaction
runs on a chroot, but mkosi requires bubblewrap, which uses pivot_root, and
that is known to fail on a chroot environment.
- Do not install 50-mkosi.install kernel-install script.
* Although kernel-install is provided in openSUSE, it is not run when a kernel
is installed or removed (this work is done by suse-module-tools). Also, even
calling it manually, it does not support the custom systemd-boot integration
in openSUSE.
* Thu Aug 01 2024 Sebastian Wagner <sebix@sebix.at>
- remove env-shebang from /usr/lib/kernel/install.d/50-mkosi.install
* Tue Jul 30 2024 Antonio Feijoo <antonio.feijoo@suse.com>
- Create new subpackage mkosi-initrd
- Add file %{_prefix}/lib/mkosi-initrd/mkosi.conf
* Sun Jul 28 2024 Fredrik Lönnegren <fredrik.lonnegren@suse.com>
- Update to 24.3:
* Check for $HOME environment variable as well.
- Update to 24.2:
* Look for $USER for the username before reading /etc/passwd
- Update to 24.1:
* completion: fix bash completion script
* Add some documentation on how to implement a new distribution
* Add missing __init__.py to mkosi/initrd/resources
* Handle dangling symlinks in rmtree() and run_clean()
* Handle failure to detect the distribution in test_parse_config()
- Update to 24:
* The default kernel command line of console=ttyS0 (or equivalent for
other architectures) has been removed. The required console=
argument to have the kernel output to the serial console has to be
added manually from v24 onwards.
* Support for installing local packages located in directories in
BuildSources= was dropped. Instead, the packages can be made
available for installation via PackageManagerTrees=.
* Configuration parsing was reworked to remove the need for the @
specifier and to streamline building multiple images with
mkosi.images/. If you were building multiple images with
mkosi.images/, you'll need to adapt your configuration to the
rework. Read the Building multiple images section in the
documentation for more information.
* mkosi has gained the option to generate completion scripts for bash,
fish and zsh. Packagers should generate the scripts during packaging
and ship them in the appropriate places.
* Added support for CentOS Stream 10.
* mkosi now installs a separate mkosi-initrd script that can be used
to build initramfs images intended for use on the local system.
* We do not automatically append centos-stream or fedora anymore to
CentOS (and derivatives) and Fedora mirrors specified with Mirror=
as not all mirrors store the repository metadata under these
subdirectories. Users are now required to add these subdirectories
themselves in Mirror=. If the EPEL repositories are enabled for
CentOS Stream (and derivatives) and Mirror= is used, we look for the
EPEL repositories in ../fedora relative to the mirror specified in
Mirror=.
* We now support compressed tar archives wherever we already accept tar
archives as input.
* We now always rerun the build if Format=none and don't remove
previous outputs in that case (unless --force is specified). This
allows using mkosi -t none to rerun the build scripts without
removing the previous image. This can then be combined with
RuntimeBuildSources=yes to make the build script outputs available
in a booted container or virtual machine so they can be installed
without having to rebuild the image.
* We now use virtconsole to provide the serial console when booting
with qemu.
* root=PARTUUID and mount.usr=PARTUUID on the kernel command line
are now automatically extended with the actual PARTUUID of the
corresponding partition.
* All available OpenSUSE repositories are now supported and can be
enabled with Repositories=.
* Building OpenSUSE aarch64 images is now supported
* mkosi dependencies was beefed up to handle more scenarios properly
* The default list of kernel modules that are always added to the
initramfs was extended with various virtualization modules.
* Added a Repositories= match.
* Cached images are now invalidated if packages specified via
PackageDirectories= change.
* Added VolatilePackageDirectories= which can be used to provide local
packages that do not invalidate cached images.
* mkosi.pkgmngr is now used as the default path for
PackageManagerTrees=.
* The package directory that build scripts can use to make built
packages available for installation ($PACKAGEDIR) is now shared
between all image builds. This means that packages built in earlier
images and stored in $PACKAGEDIR become available for installation
in all subsequent image builds.
* The default tools tree distribution is now chosen based on the host
distribution instead of the target distribution.
* mkosi can now be invoked from the initramfs.
* Thu Jun 13 2024 Antonio Feijoo <antonio.feijoo@suse.com>
- Update package summary and description.
* BIOS support was removed in v14, but restored in v16.
- Remove dnf dependency.
* With openSUSE, zypper is a sufficient requirement for mkosi to work.
* Wed Jun 12 2024 Sebastian Wagner <sebix@sebix.at>
- Removed obsolete patch opensuse-dont-install-distribution-release-by-default.patch
* Wed Jun 12 2024 Fredrik Lönnegren <fredrik.lonnegren@suse.com>
- Update to 23.1:
* Respin due to git tag mismatch
- Update to 23:
* Added CleanScripts= to allow running custom cleanup code whenever
mkosi cleans up the output directory. This allows cleaning up extra
outputs produced by e.g. a build script that mkosi doesn't know about.
* Added ConfigureScripts= to allow dynamically modifying the mkosi
configuration. Each configure script receives the current config as
JSON on stdin and should output the new config as JSON on stdout.
* When building a UKI, we don't measure for the TPM SHA1 PCR bank
anymore.
* All keys in the mkosi config JSON output are now in pascal case,
except for credentials and environments, where the keys encode names
of credentials and environment variables and are therefore case
sensitive.
* Added various settings to allow running mkosi behind a proxy.
* Various fixes to kernel module filtering that should result in fewer
modules being pulled into the default initrd when
KernelModulesExclude= or KernelModulesInitrdExclude= are used.
* Added ToolsTreeDistribution= match.
* Removed vmspawn verb and replaced it with VirtualMachineMonitor=.
* New specifiers for various directories were added. %D resolves to
the directory that mkosi was invoked in, %P to the current working
directory, and %C to the parent directory of the config file.
* Added ForwardJournal= to have systemd inside a container/VM forward
its journal to the specified file or directory.
* Systemd scopes are now allocated for qemu, swtpm, virtiofsd and
systemd-journal-remote if available.
* The mkosi qemu virtual machine is now registered with
systemd-machined if available.
* Added new oci output format
* Runtime trees without a target are now mounted to /root/src instead
of a subdirectory of it (to have the same behaviour as
BuildSources=).
* Added RuntimeBuildSources= to mount build and source directories
when booting the image with mkosi nspawn or mkosi qemu.
* Introduced --append to allow command line settings to be parsed
after parsing configuration files.
* distribution-release is not installed by default anymore on
OpenSUSE.
* Setting QemuSmp= to 0 will now make qemu use all available CPUs
* Free page reporting and discard request processing are now enabled by
default in VMs spawned by mkosi qemu.
* Added ToolsTreeCertificates= to allow configuring whether to use
certificates and keys from the tools tree (if one is used) or the
host.
* Added never for CacheOnly= to specify that repository metadata
should always be refreshed.
* Renamed the none option for CacheOnly= to auto.
* Added ProxyExclude= to configure hostnames for which requests should
not go through the configured proxy.
* The default tools tree is now reused on incremental builds.
* Added VolatilePackages= and InitrdVolatilePackages= to configure
packages that should be installed after executing build scripts and
which should not be cached when using Incremental=.
* PackageDirectories= now has an associated default path
mkosi.packages.
* reprepro is now used to generate local apt repositories.
* Support for BSD tar/cpio was dropped.
* When both ExtraSearchPaths= and ToolsTree= are used, mkosi will
now prefer running a binary found in ExtraSearchPaths= without the
tools tree over running the binary from the tools tree. If a binary is
not found in ExtraSearchPaths=, the tools tree is used instead.
* An artifact directory is now made available when running scripts which
can be used to pass around data between different scripts. mkosi will
also look for microcode and initrds in the artifact directory under
the io.mkosi.microcode and io.mkosi.initrd subdirectories.
* Added Environment= match setting to check for environment variables
defined with the Environment= setting.
* The basesystem package is now always installed in Fedora and
CentOS images instead of the filesystem package.
* The qemu, shell and boot verbs do not automatically build the
image anymore unless --force is specified.
* SplitArtifacts= is now supported for the portable, sysext and
confext outputs.
* The WithDocs= option was implemented for pacman-based distributions.
* The default Fedora release was bumped to 40.
* QemuSwtpm= can now be used with QemuFirmware= set to linux or
bios.
* Added UnitProperties= to allow configuring properties on the scopes
generated by systemd-nspawn and systemd-run.
* mkosi now only builds a single default tools tree per build using the
settings from the last regular image that we'll build.
* Configure scripts are now only executed for verbs which imply an image
build and are executed with the tools tree instead of without it.
* $QEMU_ARCHITECTURE is now set for configure scripts to easily allow
scripts to figure out which qemu binary will be used to run qemu.
* A file ID can now be specified for QemuDrives=. This allows adding
multiple qemu drives that are backed by the same file.
* mkosi doesn't fail anymore if images already exist when running
mkosi build.
* Image names from mkosi.images/ are now preferred over the specified
image ID when determining the output filename to use for an image.
* --include now has a shorthand option -I.
* The WITH_NETWORK environment variable is now passed to build and
finalize scripts.
* We now clamp mtimes to the specified source date epoch timestamp
instead of resetting all mtimes. This means that we won't touch any
mtimes that are already older than the given source date epoch
timestamp.
* Removed support for CentOS 8 Stream as it is now EOL.
* The coredumpctl and journalctl verbs now operate on the path
specified in ForwardJournal= if one is set.
* Added UnifiedKernelImageFormat= format setting to allow configuring
the naming of unified kernel images generated by mkosi.
* The versionlock plugin is now enabled by default for dnf with a noop
configuration.
* Repositories= is now implemented for zypper.
* KernelModulesInclude= and KernelModulesInitrdInclude= now take the
special values host and default to include the host's loaded
modules and the default kernel modules defined in mkosi-initrd
respectively.
* KernelModulesIncludeHost= and KernelModulesInitrdIncludeHost= are
now deprecated.
* Added mkosi dependencies to output the list of packages required by
mkosi to build and boot images.