Support building openSUSE OSI images #222

@rezib

Currently, building openSUSE Leap 15.6 and 16.0 OSI images fails with Fatbuildr.

Here is a summary of what I've done so far:

  • Update the OSI image to Fedora rawhide with a few more packages:
--- a/conf/images/osi.mkosi
+++ b/conf/images/osi.mkosi
@@ -1,6 +1,6 @@
 [Distribution]
 Distribution=fedora
-Release=40
+Release=rawhide
 
 [Output]
 Format=directory
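Review bot: `Release=rawhide` makes the build image a moving target, so the mkosi, zypper and distribution-gpg-keys versions that decide how openSUSE packages are fetched and verified change between builds without any change in this file. Consider pinning to a numbered Fedora release as soon as one ships what the openSUSE build needs, and leave a comment on this line saying why rawhide is required until then.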
@@ -19,6 +19,7 @@ Packages=
   diffutils
   cpio
   debootstrap
+  distribution-gpg-keys
   systemd-udev
   systemd-container
   systemd-ukify
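Review bot: distribution-gpg-keys on this line becomes the trust anchor for openSUSE repository signatures inside the image, yet the last step of this issue appends a key by hand to /usr/share/distribution-gpg-keys/opensuse/RPM-GPG-KEY-openSUSE, a file this package owns. A package update will overwrite that edit, so the extra key should arrive through a package version that carries it or through a separate key file the build installs, not through an in-place append.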
@@ -32,4 +33,5 @@ Packages=
   edk2-ovmf
   sbsigntools
   man-db
+  zypper
 PostInstallationScripts=/usr/share/fatbuildr/images/scripts/osi-postinstall.sh
  • Support for openSUSE Leap is broken in the latest release, 25.3, available in Fedora rawhide. Install the development version of mkosi:
$ pip install git+https://github.com/systemd/mkosi.git
  • Update the AppArmor profile to allow running this special version of mkosi:
diff --git a/conf/system/apparmor/usr.libexec.fatbuildr.u-nspawn b/conf/system/apparmor/usr.libexec.fatbuildr.u-nspawn
index cbf99c3..a7cca7b 100644
--- a/conf/system/apparmor/usr.libexec.fatbuildr.u-nspawn
+++ b/conf/system/apparmor/usr.libexec.fatbuildr.u-nspawn
@@ -14,7 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with Fatbuildr.  If not, see <https://www.gnu.org/licenses/>.
-
+#
 # This is an apparmor profile for u-nspawn, a wrapper for systemd-nspawn
 # provided by Fatbuildr. It is designed to confine u-nspawn, systemd-nspawn
 # (when launch by u-nspawn). However, build systems such as cowbuilder, mock
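Review bot: The `-`/`+#` change at the end of the licence header is unrelated to openSUSE support and joins the licence comment to the profile description that follows. Drop it from this patch so the diff only carries the rule changes.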
@@ -105,6 +105,8 @@ include <tunables/global>
 
     pivot_root -> /var/lib/fatbuildr/images/*/*.img/,
 
+    /etc/pki/tls/openssl.cnf r,
+    /etc/pki/tls/openssl.d/ r,
     /proc/sys/kernel/cap_last_cap r,
     /run/systemd/resolve/stub-resolv.conf r,
     /usr/bin/bash Ux,
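Review bot: `/etc/pki/tls/openssl.d/ r,` ends in a slash, so it matches the directory itself and permits listing it, but not reading the files in it. If OpenSSL is expected to load drop-in configuration from there, the rule needs `/etc/pki/tls/openssl.d/* r,` as well; if only the directory listing was denied in the audit log, a short comment saying so would help the next reader.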
@@ -116,6 +118,8 @@ include <tunables/global>
     /usr/bin/mkosi Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-builder,
     /usr/bin/rpmlint Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-utils,
     /usr/bin/systemd-nspawn mr,
+    /usr/bin/tput Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-utils,
+    /usr/local/bin/mkosi Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-builder,
     /usr/sbin/cowbuilder Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-builder,
     /var/cache/fatbuildr/** r,
     /var/lib/fatbuildr/ r,
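Review bot: `/usr/local/bin/mkosi Px -> /usr/libexec/fatbuildr/u-nspawn//fatbuildr-builder` gives a pip-installed script outside package management the same profile transition as the packaged /usr/bin/mkosi. That is reasonable for a local test, but it should stay in a local override rather than the shipped profile, since whatever is installed at that path will run under the builder profile. The `/usr/bin/tput` rule is a separate change and deserves a word on which tool calls it.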
  • Patch mkosi:
--- opensuse.py.orig	2025-12-06 11:14:44.899001968 +0100
+++ /usr/local/lib/python3.14/site-packages/mkosi/distribution/opensuse.py	2025-12-04 15:50:34.597399146 +0100
@@ -73,35 +73,35 @@
 
         zypper = cls.package_manager(context.config) is Zypper
         mirror = context.config.mirror or "https://download.opensuse.org"
-
-        if context.config.release == "tumbleweed":
-            gpgkeys = tuple(
-                p
-                for key in ("RPM-GPG-KEY-openSUSE-Tumbleweed", "RPM-GPG-KEY-openSUSE")
-                if (p := find_rpm_gpgkey(context, key, required=False))
+        gpgkeys = tuple(
+            p
+            for key in ("RPM-GPG-KEY-openSUSE-Tumbleweed", "RPM-GPG-KEY-openSUSE")
+            if (p := find_rpm_gpgkey(context, key, required=False))
+        )
+
+        if not gpgkeys and not context.config.repository_key_fetch:
+            die(
+                "openSUSE GPG keys not found in /usr/share/distribution-gpg-keys",
+                hint="Make sure the distribution-gpg-keys package is installed",
             )
 
-            if not gpgkeys and not context.config.repository_key_fetch:
-                die(
-                    "openSUSE GPG keys not found in /usr/share/distribution-gpg-keys",
-                    hint="Make sure the distribution-gpg-keys package is installed",
-                )
-
-            if zypper and gpgkeys:
-                run(
-                    [
-                        "rpm",
-                        "--root=/buildroot",
-                        "--import",
-                        *(key.removeprefix("file://") for key in gpgkeys),
+        if zypper and gpgkeys:
+            run(
+                [
+                    "rpm",
+                    "--root=/buildroot",
+                    "--import",
+                    *(key.removeprefix("file://") for key in gpgkeys),
+                ],
+                sandbox=context.sandbox(
+                    options=[
+                        *context.rootoptions(),
+                        *finalize_certificate_mounts(context.config),
                     ],
-                    sandbox=context.sandbox(
-                        options=[
-                            *context.rootoptions(),
-                            *finalize_certificate_mounts(context.config),
-                        ],
-                    ),
-                )  # fmt: skip
+                ),
+            )  # fmt: skip
+
+        if context.config.release == "tumbleweed":
 
             if context.config.snapshot:
                 if context.config.architecture != Architecture.x86_64:
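Review bot: With the key lookup and the `die()` moved out of the `tumbleweed` branch, every openSUSE release now depends on the same two file names, `RPM-GPG-KEY-openSUSE-Tumbleweed` and `RPM-GPG-KEY-openSUSE`, and `required=False` drops a missing one silently. A Leap build therefore only verifies if `RPM-GPG-KEY-openSUSE` happens to contain the Leap signing key; consider selecting the key names by `context.config.release` and failing with a message that names the release when none match. The blank line left directly after `if context.config.release == "tumbleweed":` can also be removed.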
@@ -277,6 +277,6 @@
     for child in tags.iter("{http://linux.duke.edu/metadata/repo}content"):
         if child.text and child.text.startswith("gpg-pubkey"):
             gpgkey = child.text.partition("?")[0]
-            gpgurls += [f"{repourl}{gpgkey}"]
+            gpgurls += [f"{repourl}/{gpgkey}"]
 
     return tuple(gpgurls)
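Review bot: `f"{repourl}/{gpgkey}"` fixes the missing separator but produces a double slash when `repourl` already ends in `/`. Normalising first, for example `f"{repourl.rstrip('/')}/{gpgkey}"`, keeps the key URL well-formed for both forms of the repository URL.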
  • Add the new openSUSE Leap SLE GPG signing key (reference) to the keyring from distribution-gpg-keys:
# cat <<EOF >>/usr/share/distribution-gpg-keys/opensuse/RPM-GPG-KEY-openSUSE
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.15 (GNU/Linux)
[ASCII-armored key body omitted]
-----END PGP PUBLIC KEY BLOCK-----
EOF
