-
Rename
--no-chownto--chownand set it to default toTrue, preserving current behaviour. -
Add
--idmapoption to run--systemd-nspawnwith ID mapping support. Defaults toTrue.--idmap=nocan be used to prevent usage of ID mapping. -
Migrated to systemd-repart. Many options are dropped in favor of specifying them directly in repart partition definition files:
- Format=gpt_xxx options are replaced with a single "disk" options. Filesystem to use can now be specified with repart's Format= option
- Format=plain_squashfs (Can be reproduced by a single repart squashfs root partition combined with SplitArtifacts=yes)
- Verity= (Replaced by repart's Verity= options)
- Encrypt= (Replaced by repart's Encrypt= option)
- RootSize=, HomeSize=, VarSize=, TmpSize=, ESPSize=, SwapSize=, SrvSize= (Replaced by repart's size options)
- UsrOnly= (replaced with
CopyFiles=/:/usrin a usr partition definition) - OutputSplitRoot=, OutputSplitVerity=, (Replaced by repart's SplitName= option)
- OutputSplitKernel= (UKI is now always written to its own output file)
- GPTFirstLBA (Removed, no equivalent in repart)
- ReadOnly= (Replaced by repart's ReadOnly= option per partition)
- Minimize= (Replaced by repart's Minimize= option per partition)
- CompressFs= (No equivalent in repart, can be replicated by replacing mkfs. in $PATH with a script that adds the necessary command line option)
- MkSquashfs= (Can be replaced with a script in $PATH that invokes the correct binary)
We also remove the WithoutUnifiedKernelImages= switch as building unified kernel images is trivial and fast these days.
-
Support for Clear Linux was dropped. See systemd#1037 for more information.
-
Support for Photon was dropped. See systemd#1048 for more information.
-
The Arch kernel/bootloader pacman hooks were removed. For anyone that still wants to use them, they can be found here.
-
mkosi now creates
distro~releasesubdirectories inside the build, cache and output directories for eachdistro~releasecombination that is built. This allows building for multiple distros without throwing away the results of a previous distro build every time. -
The preferred names for mkosi configuration files and directories are now
mkosi.confandmkosi.conf.d/respectively. The old names (mkosi.defaultandmkosi.default.d) have been removed from the docs but are still supported for backwards compatibility. -
plain_squashfstype images will now also be named with a.rawsuffix. -
tartype images will now respect the--compressoption. -
Pacman's
SigLeveloption was changed to use the same default value as used on Arch which isSigLevel = Required DatabaseOptional. If this results in keyring errors, you need to update the keyring by runningpacman-key --populate archlinux. -
Support for CentOS 7 was dropped. If you still need to support CentOS 7, we recommend using any mkosi version up to 13.
-
Support for BIOS/grub was dropped. because EFI hardware is widely available and legacy BIOS systems do not support the feature set to fully verify a boot chain from firmware to userland and it has become bothersome to maintain for little use.
To generate BIOS images you can use any version of mkosi up to mkosi 13 or the new
--bios-sizeoption. This can be used to add a BIOS boot partition of the specified size on whichgrub(or any other bootloader) can be installed with the help of mkosi's script support (depending on your needs most likelymkosi.postinstormkosi.finalize). This method can also be used for other EFI bootloaders that mkosi intentionally does not support. -
mkosi now unconditionally copies the kernel, initrd and kernel cmdline from the image that were previously only copied out for Qemu boot.
-
mkosi now runs apt and dpkg on the host. As such, we now require apt and dpkg to be installed on the host along with debootstrap in order to be able to build debian/ubuntu images.
-
Split dm-verity artifacts default names have been changed to match what
systemdand other tools expect:image.root.raw,image.root.verity,image.root.roothash,image.root.roothash.p7s(same forusrvariants). -
mkosiwill again default to the same OS release as the host system when the host system uses the same distribution as the image that's being built. -
By default,
mkosiwill now change the owner of newly created directories toSUDO_UIDorPKEXEC_UIDif defined, unless--no-chownis used. -
If
systemd-nspawnv252 or newer is used, bind-mounted directories withsystemd-nspawnwill use the newrootidmapoption so files and directories created from within the container will be owned by the actual directory owner on the host.
- The
--network-vethoption has been renamed to--netdev. The old name made sense with virtual ethernet devices, but when booting images with qemu a TUN/TAP device is used instead. - The network config file installed by mkosi when the
--netdev(previously--network-veth) option is used (formerly/etc/systemd/network/80-mkosi-network-veth.networkin the image) now only matches network interfaces using thevirtio_netdriver. Please make sure you weren't relying on this file to configure any network interfaces other than the tun/tap virtio-net interface created by mkosi when booting the image in QEMU with the--netdevoption. If you were relying on this config file when the host system uses the same distribution as the image that's being built. Instead, when no release is specified, mkosi will now always default to the default version embedded in mkosi itself. mkosiwill now use thepacmankeyring from the host when building Arch images. This means that users will, on top of installingarchlinux-keyring, also have to runpacman-key --initandpacman-key --populate archlinuxon the host system to be able to build Arch images. Also, unless the package manager is configured to do it automatically, the host keyring will have to be updated afterarchlinux-keyringupdates by runningpacman-key --populate archlinuxandpacman-key --updatedb.- Direct qemu linux boot is now supported with
BootProtocols=linux. When enabled, the kernel image, initrd, and cmdline will be extracted from the image and passed toqemubymkosi qemuto directly boot into the kernel image without a bootloader. This can be used to boot for example s390x images inqemu. - The initrd will now always be rebuilt after the extra trees and build artifacts have been installed into the image.
- The github action has been migrated to Ubuntu Jammy. To migrate any jobs
using the action, add
runs-on: ubuntu-22.04to the job config. - All images are now configured by default with the
C.UTF-8locale. - New
--repository-directoryoption can be used to configure a directory with extra repository files to be used by the package manager when building an image. Note that this option is currently only supported forpacmananddnf-based distros. - Option
--skeleton-treeis now supported on Debian-based distros.
- Fix handling of baselayout in Gentoo installations.
- Support for Rocky Linux, Alma Linux, and Gentoo has been added!
- A new
ManifestFormat=option can be used to generate "manifest" files that describe what packages were installed. Withjson, a JSON file that shows the names and versions of all installed packages will be created. Withchangelog, a longer human-readable file that shows package descriptions and changelogs will be generated. This latter format should be considered experimental and likely to change in later versions. - A new
RemovePackages=option can be used to uninstall packages after the build and finalize scripts have been done. This is useful for the case where packages are required by the build scripts, or pulled in as dependencies for scriptlets of other packages, but are not necessary in the final image. - A new
BaseImage=option can be used to build "system extensions" a.k.a. "sysexts" — partial images which are mounted on top of an existing system to provide additional files under/usr/. See the systemd-sysext man page for more information. - A new
CleanPackageMetadata=option can be used to force or disable the removal of package manager files. When this option is not used, they are removed when the package manager is not installed in the final image. - A new
UseHostRepositories=option instructs mkosi to use repository configuration from the host system, instead of the internal list. - A new
SshAgent=option configures the path to the ssh agent. - A new
SshPort=option overrides the port used for ssh. - The
Verity=setting supports a new valuesigned. When set, verity data will be signed and the result inserted as an additional partition in the image. See https://systemd.io/DISCOVERABLE_PARTITIONS for details about signed disk images. This information is used bysystemd-nspawn,systemd-dissect,systemd-sysext,systemd-portabledandsystemd'sRootImage=setting (among others) to cryptographically validate the image file systems before use. - The
--build-environment=option was renamed to--environment=and extended to cover all invoked scripts, not just themkosi.build. The old name is still understood. - With
--with-network=never,dnfis called with--cacheonly, so that the package lists are not refreshed. This gives a degree of reproducibility when doing repeated installs with the same package set (and also makes installs significantly faster). - The
--debug=option gained a new valuediskto show information about disk sized and partition allocations. - Some sections and settings have been renamed for clarity: [Packages] is now
[Content],
Password=,PasswordIsHashed=, andAutologin=are now in [Content]. The old names are still supported, but not documented. - When
--prepare-script=/--build-script=/--finalize-script=is used with an empty argument, the corresponding script will not be called. - Python 3.7 is the minimal supported version.
- Note to packagers: the Python
cryptographymodule is needed for signing of verity data.
- Minimum supported Python version is now 3.7.
- Automatic configuration of the network for Arch Linux was removed to bring different distros more in line with each other. To add it back, add a postinstall script to configure your network manager of choice.
- The
--defaultoption was changed to not affect the search location ofmkosi.default.d/. mkosi now always searches formkosi.default.d/in the working directory. quietwas dropped from the default kernel command line.--source-file-transferand--source-file-transfer-finalnow accept an empty value as the argument which can be used to override a previous setting.- A new command
mkosi servecan be used to serve build artifacts using a small embedded HTTP server. This is useful formachinectl pull-raw …andmachinectl pull-tar …. - A new command
mkosi genkeycan be used to generate secure boot keys for use with mkosi's--secure-bootoptions. The number of days the keys should remain valid can be specified via--secure-boot-valid-days=and their CN via--secure-boot-common-name=. - When booting images with
qemu, firmware that supports Secure Boot will be used if available. --source-resolve-symlinksand--source-resolve-symlinks-finaloptions are added to control how symlinks in the build sources are handled when--source-file-transfer[-final]=copy-allis used.--build-environment=option was added to set variables for the build script.--usr-onlyoption was added to build images that comprise only the/usr/directory, instead of the whole root file system. This is useful for stateless systems where/etc/and/var/are populated bysystemd-tmpfiles/systemd-sysusersand related calls at boot, or systems that are originally shipped without a root file system, but wheresystemd-repartadds one on the first boot.- Support for "image versions" has been added. The version number can be set
with
--version-number=. It is included in the default output filename and passed as$IMAGE_VERSIONto the build script. In addition,mkosi bumpcan be used to increase the version number by one, and--auto-bumpcan be used to increase it automatically after successful builds. - Support for "image identifiers" has been added. The id can be set with
--image=idand is passed to the build script as$IMAGE_ID. - The list of packages to install can be configured with
--base-packages=. With--base-packages=no, only packages specified with--packages=will be installed. With--base-packages=conditional, various packages will be installed "conditionally", i.e. only if some other package is otherwise pulled in. For example,systemd-udevmay be installed only ifsystemdis listed in--packages=. - CPIO output format has been added. This is useful for kernel initramfs images.
- Output compression can be configured with
--compress-fs=and--compress-output=, and support forzstdhas been added. --ssh-key=option was added to control the ssh key used to connect to the image.--remove-files=option was added to remove file from the generated images.- Inline comments are now allowed in config files (anything from
#until the end of the line will be ignored). - The development branch was renamed from
mastertomain.
- The mkosi Github action now defaults to the current release of mkosi instead of the tip of the master branch.
- Add a
sshverb and accompanying--sshoption. The latter sets up SSH keys for direct SSH access into a booted image, whereas the former can be used to start an SSH connection to the image. - Allow for distribution specific
mkosi.*files in subdirectories ofmkosi.default.d/. These files are only processed if a subdirectory named after the target distribution of the image is found inmkosi.default.d/. - The summary of used options for the image is now only printed when building
the image for the first time or when the
summaryverb is used. - All of mkosi's output, except for the build script, will now go to stderr. There was no clear policy on this before and this choice makes it easier to use images generated and booted via mkosi with language servers using stdin and stdout for communication.
--source-file-transfernow defaults tocopy-git-othersto also include untracked files.- black is now used as a code style and conformance with it is checked in CI.
- Add a new
--ephemeraloption to boot into a temporary snapshot of the image that will be thrown away on shutdown. - Add a new option
--network-vethto set up a virtual Ethernet link between the host and the image for usage with nspawn or QEMU - Add a new
--autologinoption to automatically log into the root account upon boot of the image. This is useful when using mkosi for boot tests. - Add a new
--hostonlyoption to generate host specific initrds. This is useful when using mkosi for boot tests. - Add a new
--install-directoryoption and special directorymkosi.installdir/that will be used as$DESTDIRfor the build script, so that the contents of this directory can be shared between builds. - Add a new
--include-directoryoption and special directorymkosi.includedir/that will be mounted at/usr/includeduring the build. This way headers files installed during the build can be made available to the host system, which is useful for usage with language servers. - Add a new
--source-file-transfer-finaloption to complement--source-file-transfer. It does the same--source-file-transferdoes for the build image, but for the final one. - Add a new
--tar-strip-selinux-contextoption to remove SELinux xattrs. This is useful when an image with a target distribution not using SELinux is generated on a host that is using it. - Document the
--no-chownoption. Using this option, artifacts generated by mkosi are not chowned to the user invoking mkosi when it is invoked via sudo. It has been with as for a while, but hasn't been documented until now.
- Daan De Meyer
- Joerg Behrmann
- Luca Boccassi
- Peter Hutterer
- ValdikSS