image: update mkosi to 24.3 (#3342)

* flake: format * image: update mkosi to 24.3 This updates mkosi to a next-version of v24.3, which is now available in nixpkgs. This removes the non-hermetic `uidmap` dependency, which is a great advantage. It will also be less of an effort to upgrade to v25 going forward. Changes required are keeping `/var/cache` around (which is reproducible for our images, so no problem), as mkosi needs files from it in the build process. mkosi now additionally requires an explicit option to fetch the signing keys for the package repositories from the internet. A hack was required to satisfy the Bazel package, which should probably be solved properly at some point.
2024-10-01 01:36:09 -04:00 · 2024-09-09 11:18:51 +02:00 · 2024-09-09 11:18:51 +02:00 · f7c2392be2
commit f7c2392be2
parent 5720fcc330
6 changed files with 106 additions and 65 deletions
--- a/flake.lock
+++ b/flake.lock
@ -36,11 +36,11 @@
    },
    "nixpkgsUnstable": {
      "locked": {
-        "lastModified": 1717399147,
-        "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=",
+        "lastModified": 1725816686,
+        "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5",
+        "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00",
        "type": "github"
      },
      "original": {
@ -83,11 +83,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715947971,
-        "narHash": "sha256-1YpxN5R3lEQnOUg94B2B/Ah2WDABUQTZ6kpyQMPt/xI=",
+        "lastModified": 1725522308,
+        "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=",
        "owner": "edgelesssys",
        "repo": "uplosi",
-        "rev": "73b6208ac21603bb69e8079fa8be821e590de286",
+        "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -21,76 +21,98 @@
  };

  outputs =
-    { self
-    , nixpkgsUnstable
-    , nixpkgsBazel
-    , flake-utils
-    , uplosi
-    }:
-    flake-utils.lib.eachDefaultSystem (system:
-    let
-      pkgsUnstable = import nixpkgsUnstable { inherit system; };
-
-      bazelPkgsUnstable = import nixpkgsBazel { inherit system; };
-
-      callPackage = pkgsUnstable.callPackage;
-
-      mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
-        propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable;  [
-          # package management
-          dnf5
-          rpm
-          createrepo_c
-
-          # filesystem tools
-          squashfsTools # mksquashfs
-          dosfstools # mkfs.vfat
-          mtools # mcopy
-          cryptsetup # dm-verity
-          util-linux # flock
-          kmod # depmod
-          cpio # cpio
-          zstd # zstd
-          xz # xz
-
-          # utils
-          gnused # sed
-          gnugrep # grep
-        ]);
-      }));
-
-      uplosiDev = uplosi.outputs.packages."${system}".uplosi;
-
-      openssl-static = pkgsUnstable.openssl.override { static = true; };
-
-      bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { pkgs = bazelPkgsUnstable; nixpkgs = nixpkgsBazel; };
-
-    in
    {
-      packages.mkosi = mkosiDev;
+      self,
+      nixpkgsUnstable,
+      nixpkgsBazel,
+      flake-utils,
+      uplosi,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgsUnstable = import nixpkgsUnstable { inherit system; };

-      packages.uplosi = uplosiDev;
+        bazelPkgsUnstable = import nixpkgsBazel { inherit system; };

-      packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };
+        callPackage = pkgsUnstable.callPackage;

-      packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        mkosiDev = (
+          pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
+            propagatedBuildInputs =
+              oldAttrs.propagatedBuildInputs
+              ++ (with pkgsUnstable; [
+                # package management
+                dnf5
+                rpm
+                createrepo_c

-      packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+                # filesystem tools
+                squashfsTools # mksquashfs
+                dosfstools # mkfs.vfat
+                mtools # mcopy
+                cryptsetup # dm-verity
+                util-linux # flock
+                kmod # depmod
+                cpio # cpio
+                zstd # zstd
+                xz # xz

-      packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+                # utils
+                gnused # sed
+                gnugrep # grep
+              ]);
+          })
+        );

-      packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        uplosiDev = uplosi.outputs.packages."${system}".uplosi;

-      packages.awscli2 = pkgsUnstable.awscli2;
+        openssl-static = pkgsUnstable.openssl.override { static = true; };

-      packages.bazel_7 = bazel_7;
+        bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix {
+          pkgs = bazelPkgsUnstable;
+          nixpkgs = nixpkgsBazel;
+        };

-      packages.createrepo_c = pkgsUnstable.createrepo_c;
+      in
+      {
+        packages.mkosi = mkosiDev;

-      packages.dnf5 = pkgsUnstable.dnf5;
+        packages.uplosi = uplosiDev;

-      devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };
+        packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };

-      formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
-    });
+        packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };
+
+        packages.libvirt = callPackage ./nix/cc/libvirt.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };
+
+        packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };
+
+        packages.vpn = callPackage ./nix/container/vpn/vpn.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };
+
+        packages.awscli2 = pkgsUnstable.awscli2;
+
+        packages.bazel_7 = bazel_7;
+
+        packages.createrepo_c = pkgsUnstable.createrepo_c;
+
+        packages.dnf5 = pkgsUnstable.dnf5;
+
+        devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };
+
+        formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
+      }
+    );
 }
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=tar
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
@ -15,3 +15,19 @@ cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"

 # copy rpmdb to outputs
 cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
+
+# FIXME(msanft):
+# Hack to satisfy Bazel's [output expectations](./BUILD.bazel).
+# 2 Bazel packages can't share the same output paths, as it seems, and the
+# files being copied around here aren't large, so copying them around doesn't
+# hurt.
+cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/lts-packagemanifest"
+cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/lts-.rpm.lock"
+cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/lts-rpmdb.sqlite"
+cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/lts-rpmdb.sqlite-shm"
+cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/lts-rpmdb.sqlite-wal"
+cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/mainline-packagemanifest"
+cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/mainline-.rpm.lock"
+cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/mainline-rpmdb.sqlite"
+cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/mainline-rpmdb.sqlite-shm"
+cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/mainline-rpmdb.sqlite-wal"
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=cpio
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=disk