Enable Multipath TCP (MPTCP) to allow using multiple interface paths to send and receive TCP packets for improving throughput and redundancy.
Signed-off-by: Chris Co <chrco@microsoft.com>
Enable the Extended Verification Module (EVM) support to allow the verification of security-related extended attributes like SELinux file labels or IMA hash
Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: Chris Co <chrco@microsoft.com>
In PR #9932, a bug fix was made to ensure that GPT partitions don't receive a default label of "primary". Unfortunately, that change relies on a bug fix to `parted` that was made in v3.5, which is relatively recent.
For reference:
- Ubuntu 22.04: 3.4
- Ubuntu 24.04: 3.6
- Azure Linux 2.0: 3.4
- Azure Linux 3.0: 3.6
This change provides a workaround by giving partitions a default name of "primary", if the build host has an older version of parted.
Add tests for enabling and disabling services, both for services that exist and ones that don't exist.
Also, fix a bug in the `IsServiceEnabled` function where the disabled state isn't being properly distinguished from other types of errors.
1. Use either the `grub-install` or `grub2-install` command, whichever is available on the build host.
2. Add `grub2-install` to the image customizer prerequisites list in the README.
3. Add `grub2-install` to the image customizer container.
4. Remove the `grub2` package from the legacy boot config, since it isn't needed.
5. Allow the `USER` environment variable to be empty, which is the case in docker containers.
Enable FS-verity and Integrity Policy Enforcement LSM. These are useful security features that users/services can leverage to better secure their system.
Signed-off-by: Chris Co <chrco@microsoft.com>
1. When calling `cp`, include the last line of `stderr` in the error message.
2. Ensure that the `file.CopyDir` function adds useful information to the error message.
3. Add path information to error message for `.os.additionalDirs` errors.
Add DMI sysfs and EROFS module support. Additionally hooks for Secure Boot with dm-verity verification.
These kconfigs will also be necessary to onboard Azure Linux into upstream systemd's CI testing.
Signed-off-by: Chris Co <chrco@microsoft.com>
When creating partitions using `parted`, the API is:
- MBR: `parted mkpart <partition-type> <fs-type> ...`
- GPT: `parted mkpart <partition-label> <fs-type> ...`
But currently we are treating the first param as always being the `<partition-type>`, when for GPT it is `<partition-label>`. This has the effect that GPT partitions are given a default label of "primary", which is a tad silly. (If an explicit label is provided by the user, then the label is overridden in a subsequent step.)
This change fixes this behavior so that GPT partitions have a default label of nothing ("").
Moving batch of configs that were built-in to be modules to maintain flexibility, though reduce kernel size and boot speed.
These modules are already set as modules on x86 and only targeted to change on arm64.
Signed-off-by: Kelsey Steele <kelseysteele@microsoft.com>
Ubuntu seems to like to call dumpe2fs on ext4 partitions when you mount a disk (even if you don't mount any of the partitions). Depending the size of partition, this can take a little bit of time to run, which can block the loopback from detaching.
The Image Customizer tool uses loopback devices a lot, some of which are only used for a short period of time. So, it can timeout waiting for the loopback to detach. So, this change increases the timeout.
The gpg command, and by extension, the tdnf command expects the USER and HOME environment variables to be valid for the OS they are running under (including under chroot). Since, the image customizer tool is typically run under `sudo` and since root is always a valid user, this generally isn't a problem. But this isn't true if `sudo -E` is used. And this can result in strange difficult to diganose errors in tdnf. So, this change verifies that `sudo -E` isn't being used.
The verity hash partition must be given a placeholder filesystem type. This should probably be `fat32` for simplicty's sake. But currently, the verity example config uses `ext4`. This causes a problem when the `--shrink-filesystems` is set because it means the verity hash partition gets shrunk to almost nothing and therefore isn't big enough to store the hash tree.
This change fixes this problem by ensuring that the verity hash partition is never subject to being shrunk regardless of its placeholder filesystem type. A test is added to verify this.