Playing Around With Mkosi - Part II

This covers the second part of my experiences of descending down the rabbit hole of exploring the nifty tool for generating bespoke operating system images called mkosi. In this part, I will boot the generated image as a container using systemd-nspawn and its wrappers like mkosi and machinectl.


Intro

Following up on the previous part of this article, I will be using the same Fedora Linux operating system image generated there and try booting it up as a container using systemd-nspawn. This article covers three ways in which a generated operating system image can be booted as a container.

How-to

Here are the steps I followed to boot the generated operating system image in two modes: as a container service, which runs headlessly and indefinitely until it is explicitly terminated, and as a container process, which runs only while a console connection to it is active.

As service

The following method can be used to run the generated operating system image as a container service.

From machinectl

  • STEP 1
    Ensure that the directory where the operating system image was generated is the current working directory.
$ cd fedogrid
  • STEP 2
    Temporarily set SELinux to permissive mode so that the operating system image can be imported.
$ sudo setenforce 0
  • STEP 3
    Execute the following command to import the generated operating system image with machinectl, which registers it as a machine image.
$ sudo machinectl import-raw fedogrid_0.1.0.raw fedogrid
Enqueued transfer job 1. Press C-c to continue download in background.
Importing '/home/fedohide-main/projects/fedogrid/fedogrid_0.1.0.raw', saving as 'fedogrid'.
Imported 0%.
Imported 1%.
....
....
Imported 98%.
Imported 99%.
Wrote 8.0G.
Operation completed successfully.
Exiting.
  • STEP 4
    List all the registered images to confirm that the generated image has been imported using this command.
$ sudo machinectl list-images
NAME     TYPE RO  USAGE CREATED                     MODIFIED
fedogrid raw  no 617.1M Sat 2023-09-02 17:51:06 IST Sat 2023-09-02 18:45:12 IST
  • STEP 5
    Start the imported operating system image as a container by executing the following command.
$ sudo machinectl start fedogrid
  • STEP 6
    List all the running containers to confirm that the container is indeed in a running state using this command.
$ sudo machinectl list
MACHINE  CLASS     SERVICE        OS                  VERSION  ADDRESSES
fedogrid container systemd-nspawn fedora              40       -

1 machine listed.
  • STEP 7
    Connect to the interactive login prompt (a TTY) of the container by executing the following command. The machine name is required; without it, machinectl opens a login on the host itself.
$ sudo machinectl login fedogrid
Connected to machine fedogrid. Press ^] three times within 1s to exit session.

Fedora Linux 40 (Rawhide Prerelease)
Kernel 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64 on an x86_64 (pts/1)

fedogrid login:
  • STEP 8
    Log in at the newly presented prompt using the root username and the root password set in the configuration.
fedogrid login: root
Password:
Last login: Sat Sep  2 18:55:49 on pts/0
[root@fedogrid ~]#
  • STEP 9
    Confirm what kind of system is running by executing this command after logging in.
# hostnamectl
     Static hostname: fedogrid
           Icon name: computer-container
             Chassis: container ☐
          Machine ID: 5223d1b0e81147fab94bc6edbb059ff5
             Boot ID: 172bb5d177944b3da5f3aef3c031f591
      Virtualization: systemd-nspawn
    Operating System: Fedora Linux 40 (Rawhide Prerelease)
         CPE OS Name: cpe:/o:fedoraproject:fedora:40
      OS Support End: Tue 2024-05-14
OS Support Remaining: 8month 1w 3d
              Kernel: Linux 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64
        Architecture: x86-64
  • STEP 10
    Play around with the running container and then disconnect from the session by pressing Ctrl + ] three times within one second.
  • STEP 11
    Note that disconnecting does not terminate the container; it can be terminated by running this command.
$ sudo machinectl terminate fedogrid
  • STEP 12
    When done with the operating system image operations, set SELinux back to enforcing mode using this command.
$ sudo setenforce 1

As process

The following two methods can be used to run the generated operating system image as a container process.

From mkosi

  • STEP 1
    Ensure that the directory where the operating system image was generated is the current working directory.
$ cd fedogrid
  • STEP 2
    Execute the following command to boot the operating system image with systemd-nspawn via mkosi.
$ sudo mkosi boot fedogrid
File '/home/fedohide-main/projects/fedogrid/fedogrid_0.1.0.raw' grown from 1.7G to 8.0G by truncation.
Resized partition table.
No machine ID set, using randomized partition UUIDs.
TYPE        LABEL       UUID                                FILE NODE                                    SIZE  PADDING
esp         esp         41db202f-09cc-4e6e-a005-d0a930df0c…      /home/fedohide-main/projects/fedog…   512.0M       0B
root-x86-64 root-x86-64 b0b30572-58d3-45d9-b598-f174074267…      /home/fedohide-main/projects/fedog…     1.2G     6.2G
                                                                                                     Σ = 1.7G Σ = 6.2G

 ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
 │      └─ root-x86-64                                                                                               
 └─ esp                                                                                                              

No changes.
systemd 254.1-2.fc40 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.
Detected first boot.
Received regular credentials: agetty.autologin, firstboot.locale, firstboot.timezone, login.noauth
Acquired 4 regular credentials, 0 untrusted credentials.

Welcome to Fedora Linux 40 (Rawhide Prerelease)!

Initializing machine ID from container UUID.
bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Populated /etc with preset unit settings.
Queued start job for default target graphical.target.
[  OK  ] Created slice system-getty.slice - Slice /system/getty.
[  OK  ] Created slice system-modprobe.slice - Slice /system/modprobe.
....
....
....
....
Fedora Linux 40 (Rawhide Prerelease)
Kernel 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64 on an x86_64 (console)

fedogrid login: root (automatic login)

[root@fedogrid ~]# 
  • STEP 3
    Confirm what kind of system is running by executing this command from the newly created shell.
# hostnamectl
     Static hostname: fedogrid
           Icon name: computer-container
             Chassis: container ☐
          Machine ID: 5223d1b0e81147fab94bc6edbb059ff5
             Boot ID: 5cadb5e848e3430b9ff14200be20665b
      Virtualization: systemd-nspawn
    Operating System: Fedora Linux 40 (Rawhide Prerelease)
         CPE OS Name: cpe:/o:fedoraproject:fedora:40
      OS Support End: Tue 2024-05-14
OS Support Remaining: 8month 1w 3d
              Kernel: Linux 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64
        Architecture: x86-64
  • STEP 4
    Play around with the running operating system container and then terminate it by pressing Ctrl + ] three times within one second.

From systemd-nspawn

  • STEP 1
    Ensure that the directory where the operating system image was generated is the current working directory.
$ cd fedogrid
  • STEP 2
    Boot the generated operating system image directly from systemd-nspawn by executing the following command.
$ sudo systemd-nspawn --boot --image fedogrid_0.1.0.raw
Spawning container fedogrid0.1.0 on /home/fedohide-main/projects/fedogrid/fedogrid_0.1.0.raw.
Press Ctrl-] three times within 1s to kill container.
systemd 254.1-2.fc40 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.

Welcome to Fedora Linux 40 (Rawhide Prerelease)!

Hostname set to <fedogrid>.
bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Queued start job for default target graphical.target.
[  OK  ] Created slice system-getty.slice - Slice /system/getty.
[  OK  ] Created slice system-modprobe.slice - Slice /system/modprobe.
....
....
....
....
Fedora Linux 40 (Rawhide Prerelease)
Kernel 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64 on an x86_64 (console)

fedogrid login: root (automatic login)

Last login: Sat Sep  2 18:38:50 on pts/0
[root@fedogrid ~]#
  • STEP 3
    Confirm what kind of system is running by executing this command from the newly created shell.
# hostnamectl
     Static hostname: fedogrid
           Icon name: computer-container
             Chassis: container ☐
          Machine ID: 5223d1b0e81147fab94bc6edbb059ff5
             Boot ID: 5cadb5e848e3430b9ff14200be20665b
      Virtualization: systemd-nspawn
    Operating System: Fedora Linux 40 (Rawhide Prerelease)
         CPE OS Name: cpe:/o:fedoraproject:fedora:40
      OS Support End: Tue 2024-05-14
OS Support Remaining: 8month 1w 3d
              Kernel: Linux 6.5.0-0.rc7.20230823git89bf6209cad6.52.fc40.x86_64
        Architecture: x86-64
  • STEP 4
    Play around with the running operating system container and then terminate it by pressing Ctrl + ] three times within one second.
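The following script is an added example and is not code from the original post or from the mkosi/systemd projects. It scripts the two procedures above that do not need interactive input: the machinectl import/start/verify/terminate cycle from the "As service" section, and the direct systemd-nspawn boot from the "From systemd-nspawn" section. The image file name and machine name default to the ones used in this post (an assumption); the SAMPLE_* strings are constructed copies of the output shown above so that the parsing helpers can be checked offline. Two points go beyond the steps as written: the SELinux mode that was in effect is recorded and restored on every exit path, not only after a successful run, and the login plus hostnamectl check is done non-interactively through machinectl shell.

```shell
#!/bin/sh
# Added example (not from the original post or the mkosi/systemd projects).
# Defaults below are assumptions matching the post; override via the environment.
IMAGE_FILE="${IMAGE_FILE:-fedogrid_0.1.0.raw}"
MACHINE="${MACHINE:-fedogrid}"

# Constructed sample of `machinectl list` output (shape copied from the post).
SAMPLE_LIST='MACHINE  CLASS     SERVICE        OS                  VERSION  ADDRESSES
fedogrid container systemd-nspawn fedora              40       -

1 machine listed.'

# Constructed, abridged sample of `hostnamectl` output inside the container.
SAMPLE_HOSTNAMECTL='     Static hostname: fedogrid
           Icon name: computer-container
             Chassis: container ☐
      Virtualization: systemd-nspawn
    Operating System: Fedora Linux 40 (Rawhide Prerelease)'

# Print the value of one hostnamectl field ($1) read from stdin; empty if absent.
# CRs are stripped because output captured through a pty ends lines with \r\n.
hostnamectl_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr -d '\r' | head -n 1
}

# Succeed only if the hostnamectl output on stdin describes an nspawn container.
# The Chassis value may carry a trailing glyph (as in the post), so match a prefix.
is_nspawn_container() {
    out="$(cat)"
    chassis="$(printf '%s\n' "$out" | hostnamectl_field Chassis)"
    virt="$(printf '%s\n' "$out" | hostnamectl_field Virtualization)"
    case "$chassis" in
        container*) [ "$virt" = "systemd-nspawn" ] ;;
        *) return 1 ;;
    esac
}

# Succeed only if machine $1 is listed as a container in `machinectl list` output on stdin.
machine_is_listed() {
    awk -v n="$1" 'NR > 1 && $1 == n && $2 == "container" { found = 1 } END { exit !found }'
}

# Poll `machinectl list` until machine $1 is running or $2 seconds have passed.
wait_for_machine() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if machinectl list | machine_is_listed "$1"; then return 0; fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Put SELinux back into the mode recorded by run_as_service, whatever the exit path.
restore_selinux() {
    if [ "$SELINUX_MODE" = "Enforcing" ]; then sudo setenforce 1; fi
}

# (a) machinectl: import the raw image, start it as a service, verify it from inside,
# then terminate it. Mirrors STEP 2 to STEP 12 of the "From machinectl" section.
run_as_service() {
    SELINUX_MODE="$(getenforce 2>/dev/null || echo Disabled)"
    trap restore_selinux EXIT
    if [ "$SELINUX_MODE" = "Enforcing" ]; then sudo setenforce 0; fi
    sudo machinectl import-raw "$IMAGE_FILE" "$MACHINE" || return 1
    sudo machinectl start "$MACHINE" || return 1
    wait_for_machine "$MACHINE" 30 || { echo "$MACHINE did not start" >&2; return 1; }
    # Non-interactive equivalent of the post's login followed by hostnamectl.
    if sudo machinectl shell "$MACHINE" /usr/bin/hostnamectl | is_nspawn_container; then
        echo "$MACHINE is running under systemd-nspawn"
    else
        echo "$MACHINE does not report as an nspawn container" >&2
    fi
    sudo machinectl terminate "$MACHINE"
}

# (b) systemd-nspawn: boot the image directly as a foreground process, as in the
# "From systemd-nspawn" section, with an explicit machine name. Ctrl-] x3 kills it.
boot_as_process() {
    exec sudo systemd-nspawn --boot --image "$IMAGE_FILE" --machine "$MACHINE"
}

case "${1:-}" in
    service) run_as_service ;;
    process) boot_as_process ;;
esac
```

Run it as `sh boot-fedogrid.sh service` from the directory holding the image for the machinectl path, or `sh boot-fedogrid.sh process` for the direct systemd-nspawn boot; with no argument it only defines the helpers, which is what allows them to be exercised against the constructed samples without machinectl present.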

Outro

In the subsequent posts, I will take the same generated operating system image for a spin and attempt to run it as a virtual machine using QEMU/KVM. Readers are encouraged to read up on machinectl for additional information on the commands that are available but have not been covered here.