path: root/mkosi.conf
# SPDX-License-Identifier: LGPL-2.1-or-later

# Top-level settings for the image build driven by this file.
[Config]
MinimumVersion=23~devel
InitrdInclude=mkosi.initrd/
# The images listed here are named again as %O/... sources under ExtraTrees= in [Content]; presumably they
# are built before this image so that those outputs exist - confirm against the mkosi documentation.
Dependencies=
        exitrd
        minimal-base
        minimal-0
        minimal-1

# Variables taken over from the invoking environment. NOTE(review): CFLAGS, LDFLAGS, SANITIZERS and
# MESON_OPTIONS presumably change how the sources are compiled, so the image content depends on the caller's
# shell; start from a clean environment when a build has to be reproducible or compared with another one.
PassEnvironment=
        NO_BUILD
        NO_SYNC
        WIPE
        SANITIZERS
        CFLAGS
        LDFLAGS
        LLVM
        MESON_VERBOSE
        MESON_OPTIONS
        SYSEXT
        WITH_DEBUG

# Where partition definitions are read from and where results are written. The output, build and cache
# directories all sit below build/, so removing that one directory discards every generated artifact.
[Output]
RepartDirectories=mkosi.repart
OutputDirectory=build/mkosi.output
BuildDirectory=build/mkosi.builddir
CacheDirectory=build/mkosi.cache

# What goes into the image: extra files, environment, kernel command line and packages.
[Content]
BuildSourcesEphemeral=yes
# NOTE(review): presumably gives a logged-in console session without authentication. That suits a throwaway
# test VM; an image built from this file has no login barrier on its console - confirm before reusing it.
Autologin=yes

# Each entry is <source>:<destination inside the image>. %O and %a are mkosi specifiers (presumably the
# output directory and the architecture - confirm). The %O/... sources carry the names listed under
# Dependencies= in [Config].
# mkosi.crt is installed into /usr/lib/verity.d/, so the image presumably accepts verity signatures made with
# the matching private key (the *-verity-sig.raw files below are installed as .verity.sig next to their
# images). Only the certificate is copied here; the private key is not referenced in this file and has no
# reason to be inside the image.
# The trailing "# ..." on the first entry relies on the parser dropping inline comments, as the comment lines
# inside KernelCommandLine= below do as well.
ExtraTrees=
        mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
        mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
        mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
        %O/exitrd:/exitrd

# %F is a mkosi specifier; presumably it expands to the configured root file system type - confirm.
Environment=
        SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
# and results in lots of errors when building images as a regular user.
SELinuxRelabel=no

# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
# various scenarios. Consider adding support for a credential instead if possible and using that.
# NOTE(review): the arguments below trade hardening for debuggability: a crash shell, debug-level logging
# with kmsg rate limits lifted, AppArmor and SELinux switched off, and oopses, soft lockups and warnings
# turned into panics. They describe a test VM; none of this is a baseline for an image that faces users.
KernelCommandLine=systemd.crash_shell
                  systemd.log_level=debug,console:info
                  systemd.log_ratelimit_kmsg=0
                  # Disable the kernel's ratelimiting on userspace logging to kmsg.
                  printk.devkmsg=on
                  # Make sure /sysroot is mounted rw in the initrd.
                  rw
                  # Lower the default device timeout so we get a shell earlier if the root device does
                  # not appear for some reason.
                  systemd.default_device_timeout_sec=30
                  # Make sure no LSMs are enabled by default.
                  apparmor=0
                  selinux=0
                  enforcing=0
                  systemd.early_core_pattern=/core
                  systemd.firstboot=no
                  raid=noautodetect
                  # Escalate oopses, soft lockups and kernel warnings to a panic so a failure ends the run
                  # instead of leaving a half-working guest; a negative panic= value reboots immediately.
                  oops=panic
                  panic=-1
                  softlockup_panic=1
                  panic_on_warn=1
                  # These don't ship proper units with [Install] directives so we have to mask them instead.
                  systemd.mask=isc-dhcp-server.service
                  systemd.mask=mdmonitor.service
                  psi=1

# The exclude pattern .* matches every module name and the include then names "default"; presumably the
# include takes precedence, so the initrd carries only mkosi's default module set - confirm against the
# mkosi documentation.
KernelModulesInitrdExclude=.*
KernelModulesInitrdInclude=default

# Extra tools for the initrd; the same three names appear again in Packages= for the main image.
InitrdPackages=
        findutils
        grep
        sed

# Packages installed into the main image. NOTE(review): the list includes debuggers and tracers (gdb,
# strace, valgrind, bpftrace) and network tooling (curl, socat, dnsmasq, radvd, nftables, wireguard-tools).
# That breadth serves the test suite; it is also tooling an intruder would find ready to use, which is one
# more reason to keep images built from this file inside the test environment.
Packages=
        acl
        attr
        bash-completion
        binutils
        bpftrace
        coreutils
        curl
        diffutils
        dnsmasq
        dosfstools
        e2fsprogs
        findutils
        gdb
        grep
        gzip
        jq
        kbd
        kexec-tools
        kmod
        less
        lvm2
        man
        mdadm
        mtools
        nano
        nftables
        nvme-cli
        opensc
        openssl
        p11-kit
        pciutils
        python3
        radvd
        rsync
        sed
        socat
        strace
        tar
        tmux
        tree
        udev
        util-linux
        valgrind
        which
        wireguard-tools
        xfsprogs
        zsh
        zstd

# Settings for building on and booting from the host (incremental builds, QEMU options, tools tree).
[Host]
# Passes the credential journal.storage with the value persistent to the booted image.
Credentials=journal.storage=persistent
Incremental=yes
# NOTE(review): presumably makes the host's build sources visible inside the running guest; whether the
# guest can write to them is not visible here - confirm before running untrusted test code in the VM.
RuntimeBuildSources=yes
RuntimeScratch=no
QemuSmp=2
# Presumably attaches a software TPM (swtpm) to the VM. Its state lives in a host process, so results
# obtained with it say nothing about hardware-backed key protection.
QemuSwtpm=yes
QemuVsock=yes
QemuKvm=yes
ToolsTreePackages=virtiofsd