
Releases: systemd/mkosi

v25.2

24 Jan 14:27

What's Changed

  • Only parse profiles from subimages and includes if those are dirs by @DaanDeMeyer in #3423
  • Use all threads when relabelling files with setfiles by @DaanDeMeyer in #3424

Full Changelog: v25.1...v25.2

v25.1

24 Jan 09:15

What's Changed

Full Changelog: v25...v25.1

v25

23 Jan 12:38
  • Instead of using bubblewrap, sandboxing is now done with a new tool
    mkosi-sandbox. This tool has a public API and can be used
    independently of mkosi.
  • Image builds are now done in a user namespace with a single user when
    running unprivileged instead of using newuidmap/newgidmap. When
    running unprivileged, all files and directories in the image will be
    owned by the invoking user (and by root inside any produced archives).
    Any attempt to chown files to other users in scripts will fail unless
    the new environment variable $MKOSI_CHROOT_SUPPRESS_CHOWN is set to
    a true value.
  • mkosi does not drop privileges anymore to the invoking user when
    running as root for various steps.
  • A new cat-config verb will show all configuration files that were
    included for each configured image.
  • Added support for Azure Linux
  • Added support for Kali Linux
  • If mkosi.version is executable, we now execute it and read the
    version from stdout.
  • Added --wipe-build-dir to wipe the build directory before rebuilding
    the image.
  • Introduced RepositoryKeyFetch= to control whether to fetch
    distribution GPG keys remotely. This setting is disabled by
    default for security reasons except when building rpm based
    or Arch Linux images on Ubuntu.
  • We now handle SIGHUP gracefully
  • Universal settings that take a collection of values cannot be
    appended to anymore in subimages. Usage of package manager trees in
    subimages will have to be moved to the top level image. Similarly,
    repositories will have to be enabled in the top level image.
  • Repository metadata is not copied into images anymore.
  • Repository metadata from base trees is not used anymore.
  • Package manager trees are now named sandbox trees.
  • Package manager trees (sandbox trees) do not use the skeleton trees as
    their default anymore if unset.
  • Note to packagers: The manual pages have been moved to resources/man
    and now include man pages for mkosi-initrd and mkosi-sandbox as
    well.
  • InitrdInclude= was removed. If you're using InitrdInclude=, please
    build your initrd via a subimage in mkosi.images containing
    Include=mkosi-initrd and any customizations you wish to add and use
    the Initrds= setting to use it as the initrd for the main image
    instead of the default initrd.
  • Added History= to have mkosi save the config used to build the image
    and reuse it when verbs such as qemu, boot, … are invoked
    without -f.
  • Introduced new [Build] section and moved various settings to it.
  • Moved Include= to [Include] section
  • Added sysupdate verb as a wrapper around systemd-sysupdate which
    invokes it with definitions from mkosi.sysupdate.
  • Added RuntimeHome= to mount the current home directory to /root
    when running a command that boots the image
  • More directories aside from /etc and /usr are now picked up from
    sandbox trees (formerly known as package manager trees).
  • Profile configuration from mkosi.profiles is now parsed after
    mkosi.conf.d instead of before it. To set defaults for use in mkosi.conf.d
    based on the configured profile, use an early dropin in mkosi.conf.d that
    matches on the configured profile instead.
  • Profile= is renamed to Profiles= and takes a comma separated list of
    profiles now. Scripts now receive $PROFILES with a space-separated list
    of profiles instead of $PROFILE. The %p specifier for profiles is
    removed.
  • Multiple sync, prepare, build, postinst, finalize, postoutput and clean scripts are now picked up from
    mkosi.$SCRIPT.d.
  • run0 is now automatically used to escalate privileges for commands that need it, like the burn verb.
  • /usr/share/keyrings and /usr/share/distribution-gpg-keys are no longer automatically picked up from the
    tools tree when ToolsTreeCertificates= is set, since they aren't certificates; use a sandbox tree
    instead. This allows overriding SignedBy= keys for APT repositories.
  • The agetty.autologin and login.noauth credentials are no longer set unconditionally.
  • Access to the output directory in build scripts was removed. To put artifacts
    from the build directory into the output directory, copy them from the build directory
    to the output directory in a post-installation script which does have access to the build
    directory and the output directory.
  • BuildDirectory= is no longer available in PrepareScripts=. If you
    need to acquire some files for the build process place them somewhere
    sensible within $BUILDROOT so that they can be cached when building
    incrementally.
  • When using a tools tree and a relaxed sandbox is used to run a command
    (qemu, nspawn, ...), we now keep all entries from $PATH outside of
    /usr intact. Note that this may cause issues if a $PATH entry
    contains binaries linked against libraries in /usr from the host.
  • Introduced a new specifier %I which resolves to the name of the current
    subimage when used in a config under mkosi.images/. This differs from %o
    in that it is always the name of the config file without extension (or the
    name of the directory).
  • If /dev/fuse is found in the host context, it is made available in the
    sandbox context too.
  • Added a sandbox verb to run a command within a relaxed mkosi sandbox
    (the same sandbox that mkosi vm, mkosi boot, ... run in).
  • OpenSSL providers are now supported as key sources for the various key
    settings if a recent enough systemd version (257 or newer) is used.
  • Added support for loading X.509 certificates from OpenSSL providers if
    a recent enough systemd version (257 or newer) is used.
  • Added ToolsTreePackageDirectories=
  • Added --kernel-image= to mkosi-initrd to specify the kernel image to
    use when building a UKI.
  • Setting a collection based setting to the empty string via the CLI and
    then appending to the same setting will now override the settings
    coming from configuration files, whereas previously the CLI values
    would be appended to the values from configuration files.
  • The mkosi-initrd default config now includes various extra kernel
    modules by default.
  • The coredumpctl and journalctl verbs will now always operate on
    the image, even if ForwardJournal= is configured.
  • Bumped default Fedora release to 41.
  • Added addon output format to build UKI addons.
  • Renamed [Host] section to [Runtime] section.
  • Renamed various settings from [Host].
  • Binaries coming from ExtraSearchPaths= are now executed with the
    tools tree mounted if one is configured (unlike before where the tools
    tree was not mounted). This means that any binaries coming from
    ExtraSearchPaths= have to be linked against libraries from the tools
    tree (or have to be statically linked). Alternatively, the tools tree
    distribution and release have to match the host.
  • Binaries from ExtraSearchPaths= are not used anymore when building
    the default tools tree.
  • Dropped support for pesign as a secure boot signing tool.
  • Added support for systemd-sbsign as a secure boot signing tool.
  • Added --register= to control whether to register containers and VMs
    with systemd-machined or not.
  • mkosi.profiles is now parsed in subimages as well.
  • mkosi-initrd now uses dnf5 on systems where it is the default.
  • Added various packages to the default tools tree.
  • Dropped support for Ubuntu Focal.
  • Added Devicetree= setting for configuring bootloader device trees
  • Added systemd-machined registration using varlink for mkosi qemu vms,
    which includes the vsock CID so that ssh vsock/<cid> or
    ssh machine/<name> will work on systems running systemd-machined
    257 or newer.
  • Bumped CentOS Stream default release to 10.
  • mkosi now manages the pacman keyring itself so /etc/pacman.d/gnupg
    from the host is not used anymore and mkosi will run
    pacman-key --init and pacman-key --populate itself.
  • Added ToolsTreeRelease= match
  • mkosi now enforces that images built with Overlay=yes only add files
    on top of the base tree(s) and don't overwrite any existing files or
    directories.
  • Added a mkosi-addon tool and accompanying kernel-install plugin that
    allows building PE addons to extend a vendor provided unified kernel
    image.
  • Added systemd-boot-signed, uki-signed and grub-signed variants
    for the Bootloader= option which instruct mkosi to only install
    pre-signed EFI binaries.
  • mkosi.profiles is now parsed in configuration included with
    Include=.
  • Any initrds configured with Initrds= are now used as fallback when
    booting with qemu direct kernel boot (--firmware=linux) if no split
    initrd was produced by the image build.
  • mkosi now makes a greater effort to ensure the crypto-policies are
    configured to allow GPG keys from older distributions.
  • We don't pick up pre-signed bootloader binaries anymore when
    ShimBootloader=signed is configured. To force usage of pre-signed
    EFI binaries, use the new systemd-boot-signed, uki-signed and
    grub-signed variants for the Bootloader= option.
  • Added a new constant microsoft-mok for the FirmwareVariables=
    option. If specified, a firmware variables file with the Microsoft
    keys enrolled will be extended to include a MokList entry that
    trusts the certificate configured with SecureBootCertificate= and
    passed to qemu.
  • We now use mkosi.pkgcache as the package cache directory if the
    directory exists.
  • BuildSourcesEphemeral= learned a new variant buildcache in which
    case the overlay will be cached in the build directory configured with
    BuildDirectory=.
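The Overlay=yes enforcement in the list above (an overlay image may only add files on top of its base tree(s), never overwrite existing files or directories), as an added example that is not mkosi's own code. The precise rule mkosi applies is an assumption here: a directory in the overlay may sit on top of an existing base directory (that is how new entries are added underneath it), and any other overlay entry whose path already exists in a base tree counts as an overwrite. The base and overlay trees built in demo() are constructed inline.

```python
"""Check that an overlay tree only adds files on top of its base tree(s).

Added example, not mkosi's own code. Assumed rule: an overlay entry whose
path already exists in a base tree is an overwrite, except that a directory
may sit on top of an existing base directory.
"""
import os
import tempfile
from pathlib import Path


def overlay_conflicts(base_trees, overlay):
    """Return the sorted overlay-relative paths that would overwrite an entry
    (file, symlink or directory) present in any of the base trees."""
    overlay = Path(overlay)
    conflicts = set()
    for path in overlay.rglob("*"):
        rel = path.relative_to(overlay)
        # A symlink is never treated as a directory, even if it points at one:
        # dropping a symlink where the base has a directory replaces that directory.
        entry_is_dir = path.is_dir() and not path.is_symlink()
        for base in base_trees:
            target = Path(base) / rel
            if not os.path.lexists(target):
                continue  # new entry, which is exactly what an overlay is for
            target_is_dir = target.is_dir() and not target.is_symlink()
            if entry_is_dir and target_is_dir:
                continue  # descending into an existing directory to add entries is fine
            conflicts.add(str(rel))
    return sorted(conflicts)


def demo():
    """Constructed base/overlay trees; returns the conflicts the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "base")
        overlay = Path(tmp, "overlay")
        for d in ("usr/lib", "etc"):
            (base / d).mkdir(parents=True)
            (overlay / d).mkdir(parents=True)
        (base / "etc/os-release").write_text("ID=constructed\n")
        (base / "usr/lib/libfoo.so").write_bytes(b"")
        (overlay / "usr/lib/libbar.so").write_bytes(b"")          # new file: allowed
        (overlay / "etc/os-release").write_text("ID=replaced\n")  # replaces a base file: conflict
        (overlay / "usr/lib/libfoo.so").symlink_to("libbar.so")   # replaces a base file: conflict
        return overlay_conflicts([base], overlay)


if __name__ == "__main__":
    for rel in demo():
        print(f"Overlay=yes would overwrite base entry: {rel}")
```

A non-empty result is the condition under which a build with Overlay=yes should be refused; the directories usr, usr/lib and etc exist in both trees and are deliberately not reported, since they are the paths through which the new file is added.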

v24.3

30 Jul 06:10

What's Changed

v24.2

29 Jul 17:10

What's Changed

  • Look for $USER for the username before reading /etc/passwd by @DaanDeMeyer in #2926

v24.1

29 Jul 15:35

What's Changed

v24

26 Jul 16:07
  • The default kernel command line of console=ttyS0 (or equivalent for
    other architectures) has been removed. The required console=
    argument to have the kernel output to the serial console has to be
    added manually from v24 onwards.
  • Support for installing local packages located in directories in
    BuildSources= was dropped. Instead, the packages can be made
    available for installation via PackageManagerTrees=.
  • Configuration parsing was reworked to remove the need for the @
    specifier and to streamline building multiple images with
    mkosi.images/. If you were building multiple images with
    mkosi.images/, you'll need to adapt your configuration to the
    rework. Read the Building multiple images section in the
    documentation for more information.
  • mkosi has gained the option to generate completion scripts for bash,
    fish and zsh. Packagers should generate the scripts during packaging
    and ship them in the appropriate places.
  • Added support for CentOS Stream 10.
  • mkosi now installs a separate mkosi-initrd script that can be used
    to build initramfs images intended for use on the local system.
  • We do not automatically append centos-stream or fedora anymore to
    CentOS (and derivatives) and Fedora mirrors specified with Mirror=
    as not all mirrors store the repository metadata under these
    subdirectories. Users are now required to add these subdirectories
    themselves in Mirror=. If the EPEL repositories are enabled for
    CentOS Stream (and derivatives) and Mirror= is used, we look for the
    EPEL repositories in ../fedora relative to the mirror specified in
    Mirror=.
  • We now support compressed tar archives wherever we already accept tar
    archives as input.
  • We now always rerun the build if Format=none and don't remove
    previous outputs in that case (unless --force is specified). This
    allows using mkosi -t none to rerun the build scripts without
    removing the previous image. This can then be combined with
    RuntimeBuildSources=yes to make the build script outputs available
    in a booted container or virtual machine so they can be installed
    without having to rebuild the image.
  • We now use virtconsole to provide the serial console when booting
    with qemu.
  • root=PARTUUID and mount.usr=PARTUUID on the kernel command line
    are now automatically extended with the actual PARTUUID of the
    corresponding partition.
  • All available OpenSUSE repositories are now supported and can be
    enabled with Repositories=.
  • Building OpenSUSE aarch64 images is now supported
  • The mkosi dependencies verb was extended to handle more scenarios properly.
  • The default list of kernel modules that are always added to the
    initramfs was extended with various virtualization modules.
  • Added a Repositories= match.
  • Cached images are now invalidated if packages specified via
    PackageDirectories= change.
  • Added VolatilePackageDirectories= which can be used to provide local
    packages that do not invalidate cached images.
  • mkosi.pkgmngr is now used as the default path for
    PackageManagerTrees=.
  • The package directory that build scripts can use to make built
    packages available for installation ($PACKAGEDIR) is now shared
    between all image builds. This means that packages built in earlier
    images and stored in $PACKAGEDIR become available for installation
    in all subsequent image builds.
  • The default tools tree distribution is now chosen based on the host
    distribution instead of the target distribution.
  • mkosi can now be invoked from the initramfs.

mkosi v23.1

12 Jun 10:04

v23.1

  • Respin due to git tag mismatch

v23

  • Added CleanScripts= to allow running custom cleanup code whenever
    mkosi cleans up the output directory. This allows cleaning up extra
    outputs produced by e.g. a build script that mkosi doesn't know about.
  • Added ConfigureScripts= to allow dynamically modifying the mkosi
    configuration. Each configure script receives the current config as
    JSON on stdin and should output the new config as JSON on stdout.
  • When building a UKI, we don't measure for the TPM SHA1 PCR bank
    anymore.
  • All keys in the mkosi config JSON output are now in pascal case,
    except for credentials and environments, where the keys encode names
    of credentials and environment variables and are therefore case
    sensitive.
  • Added various settings to allow running mkosi behind a proxy.
  • Various fixes to kernel module filtering that should result in fewer
    modules being pulled into the default initrd when
    KernelModulesExclude= or KernelModulesInitrdExclude= are used.
  • Added ToolsTreeDistribution= match.
  • Removed vmspawn verb and replaced it with VirtualMachineMonitor=.
  • New specifiers for various directories were added. %D resolves to
    the directory that mkosi was invoked in, %P to the current working
    directory, and %C to the parent directory of the config file.
  • Added ForwardJournal= to have systemd inside a container/VM forward
    its journal to the specified file or directory.
  • Systemd scopes are now allocated for qemu, swtpm, virtiofsd and
    systemd-journal-remote if available.
  • The mkosi qemu virtual machine is now registered with
    systemd-machined if available.
  • Added new oci output format
  • Runtime trees without a target are now mounted to /root/src instead
    of a subdirectory of it (to have the same behaviour as
    BuildSources=).
  • Added RuntimeBuildSources= to mount build and source directories
    when booting the image with mkosi nspawn or mkosi qemu.
  • Introduced --append to allow command line settings to be parsed
    after parsing configuration files.
  • distribution-release is not installed by default anymore on
    OpenSUSE.
  • Setting QemuSmp= to 0 will now make qemu use all available CPUs
  • Free page reporting and discard request processing are now enabled by
    default in VMs spawned by mkosi qemu.
  • Added ToolsTreeCertificates= to allow configuring whether to use
    certificates and keys from the tools tree (if one is used) or the
    host.
  • Added never for CacheOnly= to specify that repository metadata
    should always be refreshed.
  • Renamed the none option for CacheOnly= to auto.
  • Added ProxyExclude= to configure hostnames for which requests should
    not go through the configured proxy.
  • The default tools tree is now reused on incremental builds.
  • Added VolatilePackages= and InitrdVolatilePackages= to configure
    packages that should be installed after executing build scripts and
    which should not be cached when using Incremental=.
  • PackageDirectories= now has an associated default path
    mkosi.packages.
  • reprepro is now used to generate local apt repositories.
  • Support for BSD tar/cpio was dropped.
  • When both ExtraSearchPaths= and ToolsTree= are used, mkosi will
    now prefer running a binary found in ExtraSearchPaths= without the
    tools tree over running the binary from the tools tree. If a binary is
    not found in ExtraSearchPaths=, the tools tree is used instead.
  • An artifact directory is now made available when running scripts which
    can be used to pass around data between different scripts. mkosi will
    also look for microcode and initrds in the artifact directory under
    the io.mkosi.microcode and io.mkosi.initrd subdirectories.
  • Added Environment= match setting to check for environment variables
    defined with the Environment= setting.
  • The basesystem package is now always installed in Fedora and
    CentOS images instead of the filesystem package.
  • The qemu, shell and boot verbs do not automatically build the
    image anymore unless --force is specified.
  • SplitArtifacts= is now supported for the portable, sysext and
    confext outputs.
  • The WithDocs= option was implemented for pacman-based distributions.
  • The default Fedora release was bumped to 40.
  • QemuSwtpm= can now be used with QemuFirmware= set to linux or
    bios.
  • Added UnitProperties= to allow configuring properties on the scopes
    generated by systemd-nspawn and systemd-run.
  • mkosi now only builds a single default tools tree per build using the
    settings from the last regular image that we'll build.
  • Configure scripts are now only executed for verbs which imply an image
    build and are executed with the tools tree instead of without it.
  • $QEMU_ARCHITECTURE is now set for configure scripts to easily allow
    scripts to figure out which qemu binary will be used to run qemu.
  • A file ID can now be specified for QemuDrives=. This allows adding
    multiple qemu drives that are backed by the same file.
  • mkosi doesn't fail anymore if images already exist when running
    mkosi build.
  • Image names from mkosi.images/ are now preferred over the specified
    image ID when determining the output filename to use for an image.
  • --include now has a shorthand option -I.
  • The WITH_NETWORK environment variable is now passed to build and
    finalize scripts.
  • We now clamp mtimes to the specified source date epoch timestamp
    instead of resetting all mtimes. This means that we won't touch any
    mtimes that are already older than the given source date epoch
    timestamp.
  • Removed support for CentOS 8 Stream as it is now EOL.
  • The coredumpctl and journalctl verbs now operate on the path
    specified in ForwardJournal= if one is set.
  • Added UnifiedKernelImageFormat= format setting to allow configuring
    the naming of unified kernel images generated by mkosi.
  • The versionlock plugin is now enabled by default for dnf with a noop
    configuration.
  • Repositories= is now implemented for zypper.
  • KernelModulesInclude= and KernelModulesInitrdInclude= now take the
    special values host and default to include the host's loaded
    modules and the default kernel modules defined in mkosi-initrd
    respectively.
  • KernelModulesIncludeHost= and KernelModulesInitrdIncludeHost= are
    now deprecated.
  • Added mkosi dependencies to output the list of packages required by
    mkosi to build and boot images.
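The ConfigureScripts= protocol described in the v23 list above (current config as JSON on stdin, new config as JSON on stdout), as an added example that is not part of mkosi. It uses the $QEMU_ARCHITECTURE variable that v23 sets for configure scripts to add the console= argument that, per the v24 notes, is no longer added by default. Assumptions: the JSON on stdin is an object keyed by the PascalCase setting names, and KernelCommandLine is a JSON array of strings; the architecture-to-console mapping is constructed. Every other key is passed through untouched.

```python
#!/usr/bin/env python3
"""A mkosi configure script (ConfigureScripts=), added example, not mkosi's code.

Reads the current configuration as JSON on stdin and writes the new one to
stdout. Assumed layout: a JSON object with PascalCase setting names and
"KernelCommandLine" as an array of strings.
"""
import json
import os
import sys

# Constructed mapping from the qemu architecture name (as in $QEMU_ARCHITECTURE)
# to the serial console the kernel should log to.
CONSOLE_BY_ARCH = {
    "x86_64": "ttyS0",
    "aarch64": "ttyAMA0",
}


def configure(config, qemu_arch):
    """Return a new config with a console= argument appended to KernelCommandLine.

    The input dict is not mutated, and an existing console= argument is kept
    as-is so the script is safe to run on a config that already sets one.
    """
    new = dict(config)
    cmdline = list(new.get("KernelCommandLine") or [])
    if not any(arg.startswith("console=") for arg in cmdline):
        console = CONSOLE_BY_ARCH.get(qemu_arch, "ttyS0")
        cmdline.append(f"console={console}")
    new["KernelCommandLine"] = cmdline
    return new


def main():
    config = json.load(sys.stdin)
    if not isinstance(config, dict):
        sys.exit("configure script: expected a JSON object on stdin")
    json.dump(configure(config, os.environ.get("QEMU_ARCHITECTURE", "")), sys.stdout)


if __name__ == "__main__":
    main()
```

Install it as an executable path listed in ConfigureScripts= (or under mkosi.configure, if you use that default); since v23 it only runs for verbs that imply an image build and runs inside the tools tree.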
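The mtime clamping change in the v23 list above (clamp to the source date epoch rather than reset every mtime, so timestamps already older than the epoch are left alone), as an added example in Python that is not mkosi's own code. The directory tree and the epoch used in demo() are constructed.

```python
"""Clamp mtimes to a source date epoch, added example, not mkosi's code.

Only entries newer than the epoch are touched; anything already older keeps
its timestamp, which is the v23 behaviour described in the release notes.
"""
import os
import tempfile
from pathlib import Path


def clamp_mtimes(root, epoch):
    """Set mtime to epoch on root and every entry below it whose mtime is newer.

    Symlinks are clamped themselves rather than followed. Returns the list of
    root-relative paths that were changed ("." for root itself).
    """
    root = Path(root)
    changed = []
    for path in [root, *root.rglob("*")]:
        st = os.lstat(path)
        if st.st_mtime > epoch:
            os.utime(path, (epoch, epoch), follow_symlinks=False)
            changed.append(str(path.relative_to(root)))
    return changed


def demo(epoch=1_700_000_000):
    """Constructed tree: one file already older than the epoch, the rest newer.

    Returns (sorted changed paths, mtime of the old file, mtime of a new file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "old.txt")
        old.write_text("x")
        new = Path(tmp, "new.txt")
        new.write_text("y")
        sub = Path(tmp, "sub")
        sub.mkdir()
        (sub / "f").write_text("z")
        # Pre-date old.txt so it is already older than the epoch and must be left alone.
        os.utime(old, (epoch - 86400, epoch - 86400))
        changed = clamp_mtimes(tmp, epoch)
        return sorted(changed), int(os.lstat(old).st_mtime), int(os.lstat(new).st_mtime)


if __name__ == "__main__":
    changed, old_mtime, new_mtime = demo()
    print("clamped:", changed)
    print("old.txt kept mtime", old_mtime, "; new.txt clamped to", new_mtime)
```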

mkosi v22

14 Mar 11:28
  • We'll now try to delete btrfs subvolumes with btrfs subvolume delete
    first before falling back to recursively deleting the directory.
  • The invoking user is now always mapped to root when running sync
    scripts. This fixes an issue where we would fail when a package
    manager tree or skeleton tree contained a /usr directory as we would
    not have permissions to run mount in the sandbox.
  • We now use qemu's official firmware descriptions to find EDK2/OVMF
    UEFI firmware. Additionally, QemuFirmware=uefi now boots without
    SecureBoot support, and QemuFirmware=uefi-secure-boot was introduced
    to boot with SecureBoot support. By default we will still boot with
    SecureBoot support if QemuFirmware=auto.
  • Added support for QemuFirmwareVariables=custom and
    QemuFirmwareVariables=microsoft to use OVMF/EDK2 variables with
    either the user's custom keys enrolled or with the Microsoft keys
    enrolled.
  • Added UnifiedKernelImages= to control whether we generate unified
    kernel images or not.
  • Bootloader=grub will now generate a grub EFI image and install it.
    If SecureBoot= is enabled and ShimBootloader= is not set to
    signed, the grub EFI image will be signed for SecureBoot.
  • ShimBootloader=signed will now also instruct mkosi to look for and
    install already signed grub, systemd-boot, kernel and UKI binaries.
  • We now build grub images with a fixed set of modules and don't copy
    any grub modules to the ESP anymore.
  • The configuration is now made available as a JSON file to all mkosi
    scripts via the $MKOSI_CONFIG environment variable.
  • $PROFILE is now set for all mkosi scripts containing the value of
    Profile= if it is set.

mkosi v21

07 Mar 09:46
  • We now handle unmerged-usr systems correctly
  • Builtin configs (mkosi-initrd, mkosi-tools) can now be included
    using Include= (e.g. Include=mkosi-initrd)
  • The kernel-install plugin now uses the builtin mkosi-initrd config
    so there's no need anymore to copy the full mkosi-initrd config into
    /usr/lib/mkosi-initrd.
  • We don't require a build anymore for the journalctl and
    coredumpctl verbs.
  • mkosi ssh works again when used with ToolsTree=default
  • We now use .zst instead of .zstd for compressed split artifacts
    produced by systemd-repart.
  • systemd-repart uses a persistent temporary directory again for
    assembling images instead of a tmpfs.
  • Added MicrocodeHost= setting to only include the CPU specific
    microcode for the current host system.
  • The kernel-install plugin now only includes the CPU specific microcode
  • Introduced PackageCacheDirectory= to set the directory for package
    manager caches. This setting defaults to a suitable location in the
    system or user directory depending on how mkosi is invoked.
    CacheDirectory= is only used for incremental cached images now.
  • Repository metadata is now synced once at the start of each image
    build and never during an image build. Each image includes a snapshot
    of the repository metadata in the canonical locations in /var so
    that incremental images and extension images can reuse the same
    snapshot. When building an image intended to be used with
    BaseTrees=, disable CleanPackageMetadata= to make sure the
    repository metadata in /var is not cleaned up, otherwise any
    extension images using this image as their base tree will not be able
    to install additional packages.
  • Implemented CacheOnly=metadata. Note that in the JSON output, the
    value of CacheOnly= will now be a string instead of a boolean.
  • Added CompressLevel= to set the compression level to use.
  • Dropped experimental Gentoo support.
  • Added TriggerMatch= to specify multiple match sections of which only
    one should be satisfied.
  • Added jq, attr, acl, git, sed, grep and findutils to
    the default tools tree.
  • Added mkosi-install, mkosi-upgrade, mkosi-remove and
    mkosi-reinstall scripts which allow writing scripts that are
    independent of the package manager being used to build the image.
  • We now expand specifiers in Match section values
  • Made GPG key handling for Fedora rawhide more robust
  • If systemd-repart 256 or newer is available, mkosi will instruct it
    to generate /etc/fstab and /etc/crypttab for the image if any
    partition definitions contain the corresponding settings
    (MountPoint= and EncryptedVolume=).
  • bash is now started in the debug shell instead of sh.
  • The default release for Ubuntu is now noble.
  • Ubuntu is now used as the default tools tree distribution for Ubuntu
    instead of Debian.
  • Added mkosi vmspawn which boots the image with systemd-vmspawn.
    Note that systemd-vmspawn is experimental and its interface may
    still change. As such mkosi vmspawn is also considered experimental.
    Note that systemd-vmspawn version 256 or newer is required.
  • Added SyncScripts= which can be used to update various build sources
    before starting the image build.
  • The DISTRIBUTION= and RELEASE= environment variables are now set
    when running scripts.
  • Added ToolsTreeRepositories= and ToolsTreePackageManagerTrees=.
  • Added RuntimeNetwork= to configure the networking used when booting
    the image.
  • Added SecureBootKeySource= and VerityKeySource= to support signing
    images with OpenSSL engines. Note that these settings require various
    systemd tools to be version 256 or newer.
  • We don't clean up package manager metadata anymore unless explicitly
    requested with CleanPackageManagerMetadata=yes when building
    directory and tar images.