Rework configuration parsing (again)

action.yaml

@@ -38,6 +38,17 @@ runs:
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
 
+  # Both the unix-chkpwd and swtpm profiles are broken (https://gitlab.com/apparmor/apparmor/-/issues/402) so let's
+  # just disable and remove apparmor completely. It's not relevant in this context anyway.
+  # TODO: Remove if https://github.com/actions/runner-images/issues/10015 is ever fixed.
+  - name: Disable and mask apparmor service
+    shell: bash
+    run: |
+        # This command fails with a non-zero error code even though it unloads the apparmor profiles.
+        # https://gitlab.com/apparmor/apparmor/-/issues/403
+        sudo aa-teardown || true
+        sudo apt-get remove apparmor
+
   - name: Dependencies
     shell: bash
     run: |

docs/sysext.md

@@ -62,7 +62,7 @@ BaseTrees=%O/base
 Packages=btrfs-progs
 ```
 
-`BaseTrees=` point to our base image and `Overlay=yes` instructs mkosi
+`BaseTrees=` points to our base image and `Overlay=yes` instructs mkosi
 to only package the files added on top of the base tree.
 
 We can't sign the extension image without a key, so let's generate one
@@ -72,20 +72,19 @@ key will need to be loaded into your kernel keyring either at build time
 or via MOK for systemd to accept the system extension at runtime as
 trusted.
 
-Finally, you can build the base image and the extensions by running
+Finally, you can build the base image and the extension by running
 `mkosi -f`. You'll find `btrfs.raw` in `mkosi.output` which is the
-extension image.
+extension image. You'll also find the main image `image.raw` there but
+it will be almost empty.
 
-If you want to package up the base image into another format, for
-example an initrd, we can do that by adding the following to
-`mkosi.images/initrd/mkosi.conf`:
+What we can do now is package up the base image as the main image, but
+in another format, for example an initrd, we can do that by adding the
+following to `mkosi.conf`:
 
 ```conf
-[Config]
-Dependencies=base
-
 [Output]
 Format=cpio
+Output=initrd
 
 [Content]
 MakeInitrd=yes

mkosi.conf

@@ -3,14 +3,14 @@
 [Output]
 # These images are (among other things) used for running mkosi which means we need some disk space available so
 # default to directory output where disk space isn't a problem.
-@Format=directory
-@CacheDirectory=mkosi.cache
-@OutputDirectory=mkosi.output
+Format=directory
+CacheDirectory=mkosi.cache
+OutputDirectory=mkosi.output
 
 [Content]
 Autologin=yes
-@SELinuxRelabel=no
-@ShimBootloader=unsigned
+SELinuxRelabel=no
+ShimBootloader=unsigned
 BuildSources=.
 BuildSourcesEphemeral=yes
 
@@ -36,4 +36,4 @@ RemoveFiles=
 KernelCommandLine=enforcing=0
 
 [Host]
-@QemuMem=4G
+QemuMem=4G

mkosi.conf.d/15-bootable.conf

@@ -9,4 +9,4 @@ Architecture=|x86-64
 Architecture=|arm64
 
 [Content]
-@Bootable=yes
+Bootable=yes

mkosi.conf.d/15-memory.conf

@@ -6,4 +6,4 @@ Format=|uki
 Format=|cpio
 
 [Host]
-@QemuMem=8G
+QemuMem=8G

mkosi.conf.d/15-x86-64.conf

@@ -8,4 +8,4 @@ Architecture=x86-64
 ToolsTreeDistribution=!opensuse
 
 [Content]
-@BiosBootloader=grub
+BiosBootloader=grub

mkosi.conf.d/20-centos.conf

@@ -6,10 +6,10 @@ Distribution=|alma
 Distribution=|rocky
 
 [Distribution]
-@Release=9
+Release=9
 
 [Content]
 # CentOS Stream 10 does not ship an unsigned shim
-@ShimBootloader=none
+ShimBootloader=none
 Packages=
         linux-firmware

mkosi.conf.d/20-debian/mkosi.conf

@@ -4,7 +4,7 @@
 Distribution=debian
 
 [Distribution]
-@Release=testing
+Release=testing
 Repositories=non-free-firmware
 
 [Content]

mkosi.conf.d/20-fedora/mkosi.conf

@@ -4,7 +4,7 @@
 Distribution=fedora
 
 [Distribution]
-@Release=rawhide
+Release=rawhide
 
 [Content]
 Packages=

mkosi.conf.d/20-opensuse/mkosi.conf

@@ -4,11 +4,11 @@
 Distribution=opensuse
 
 [Distribution]
-@Release=tumbleweed
+Release=tumbleweed
 
 [Content]
 # OpenSUSE does not ship an unsigned shim
-@ShimBootloader=none
+ShimBootloader=none
 Packages=
         bash
         diffutils

mkosi.conf.d/20-rhel-ubi.conf

@@ -4,7 +4,7 @@
 Distribution=rhel-ubi
 
 [Distribution]
-@Release=9
+Release=9
 
 [Content]
 Bootable=no

mkosi.conf.d/20-ubuntu/mkosi.conf

@@ -4,7 +4,7 @@
 Distribution=ubuntu
 
 [Distribution]
-@Release=noble
+Release=noble
 Repositories=universe
 
 [Content]

mkosi/__init__.py

@@ -102,6 +102,8 @@ def mount_base_trees(context: Context) -> Iterator[None]:
         for path in context.config.base_trees:
             d = context.workspace / f"bases/{path.name}-{uuid.uuid4().hex}"
 
+            path = path.resolve()
+
             if path.is_dir():
                 bases += [path]
             elif can_extract_tar(path):
@@ -328,20 +330,6 @@ def configure_autologin(context: Context) -> None:
                                     "--keep-baud 115200,57600,38400,9600 -")
 
 
-@contextlib.contextmanager
-def mount_cache_overlay(context: Context, cached: bool) -> Iterator[None]:
-    if not context.config.incremental or not context.config.base_trees or context.config.overlay or cached:
-        yield
-        return
-
-    d = context.workspace / "cache-overlay"
-    with umask(~0o755):
-        d.mkdir(exist_ok=True)
-
-    with mount_overlay([context.root], d, context.root):
-        yield
-
-
 @contextlib.contextmanager
 def mount_build_overlay(context: Context, volatile: bool = False) -> Iterator[Path]:
     d = context.workspace / "build-overlay"
@@ -3235,28 +3223,19 @@ def need_build_overlay(config: Config) -> bool:
 
 
 def save_cache(context: Context) -> None:
-    if not context.config.incremental or context.config.overlay:
+    if not context.config.incremental or context.config.base_trees or context.config.overlay:
         return
 
     final, build, manifest = cache_tree_paths(context.config)
 
     with complete_step("Installing cache copies"):
         rmtree(final, sandbox=context.sandbox)
 
-        # We only use the cache-overlay directory for caching if we have a base tree, otherwise we just
-        # cache the root directory.
-        if (context.workspace / "cache-overlay").exists():
-            move_tree(
-                context.workspace / "cache-overlay", final,
-                use_subvolumes=context.config.use_subvolumes,
-                sandbox=context.sandbox,
-            )
-        else:
-            move_tree(
-                context.root, final,
-                use_subvolumes=context.config.use_subvolumes,
-                sandbox=context.sandbox,
-            )
+        move_tree(
+            context.root, final,
+            use_subvolumes=context.config.use_subvolumes,
+            sandbox=context.sandbox,
+        )
 
         if need_build_overlay(context.config) and (context.workspace / "build-overlay").exists():
             rmtree(build, sandbox=context.sandbox)
@@ -3277,7 +3256,7 @@ def save_cache(context: Context) -> None:
 
 
 def have_cache(config: Config) -> bool:
-    if not config.incremental or config.overlay:
+    if not config.incremental or config.base_trees or config.overlay:
         return False
 
     final, build, manifest = cache_tree_paths(config)
@@ -3850,21 +3829,19 @@ def build_image(context: Context) -> None:
         install_base_trees(context)
         cached = reuse_cache(context)
 
-        with mount_cache_overlay(context, cached):
-            copy_repository_metadata(context)
+        copy_repository_metadata(context)
 
         context.config.distribution.setup(context)
         install_package_directories(context)
 
         if not cached:
-            with mount_cache_overlay(context, cached):
-                install_skeleton_trees(context)
-                install_distribution(context)
-                run_prepare_scripts(context, build=False)
-                install_build_packages(context)
-                run_prepare_scripts(context, build=True)
-                fixup_vmlinuz_location(context)
-                run_depmod(context, cache=True)
+            install_skeleton_trees(context)
+            install_distribution(context)
+            run_prepare_scripts(context, build=False)
+            install_build_packages(context)
+            run_prepare_scripts(context, build=True)
+            fixup_vmlinuz_location(context)
+            run_depmod(context, cache=True)
 
             save_cache(context)
             reuse_cache(context)
@@ -4649,6 +4626,12 @@ def run_sync(args: Args, config: Config, *, resources: Path) -> None:
 
 
 def run_build(args: Args, config: Config, *, resources: Path) -> None:
+    if (uid := os.getuid()) != 0:
+        become_root()
+    unshare(CLONE_NEWNS)
+    if uid == 0:
+        run(["mount", "--make-rslave", "/"])
+
     for p in (
         config.output_dir,
         config.cache_dir,
@@ -4662,12 +4645,6 @@ def run_build(args: Args, config: Config, *, resources: Path) -> None:
         p.mkdir(parents=True, exist_ok=True)
         INVOKING_USER.chown(p)
 
-    if (uid := os.getuid()) != 0:
-        become_root()
-    unshare(CLONE_NEWNS)
-    if uid == 0:
-        run(["mount", "--make-rslave", "/"])
-
     if config.build_dir:
         # Make sure the build directory is owned by root (in the user namespace) so that the correct uid-mapping is
         # applied if it is used in RuntimeTrees=