deps: update to Fedora 42 (edgelesssys#3929)

* [wip] chore: update to Fedora 42

* image: update shasums

* image: fix build

* measured-boot: ignore PCR9 temporarily

* image: don't include osrel section in UKI

* nix: patch systemd to not include .osrel section

Author: msanft

debugd/filebeat/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
+FROM fedora:42@sha256:3da64cb89971a1cdbc6046e307eeebcb54f7281c0a606ee48d9995473f6b88d5 AS release
 
 RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm
 

debugd/logstash/Dockerfile

@@ -1,11 +1,11 @@
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS build
+FROM fedora:42@sha256:3da64cb89971a1cdbc6046e307eeebcb54f7281c0a606ee48d9995473f6b88d5 AS build
 
 ARG LOGSTASH_VER=8.6.1
 
 RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
+FROM fedora:42@sha256:3da64cb89971a1cdbc6046e307eeebcb54f7281c0a606ee48d9995473f6b88d5 AS release
 
 COPY --from=build logstash-* /usr/share/logstash
 

debugd/metricbeat/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:40@sha256:3c86d25fef9d2001712bc3d9b091fc40cf04be4767e48f1aa3b785bf58d300ed AS release
+FROM fedora:42@sha256:3da64cb89971a1cdbc6046e307eeebcb54f7281c0a606ee48d9995473f6b88d5 AS release
 
 RUN dnf install -y https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-8.9.2-x86_64.rpm
 

flake.nix

@@ -20,6 +20,10 @@
       system:
       let
         overlay = final: prev: {
+          systemd = prev.systemd.overrideAttrs (old: {
+            patches = old.patches or [ ] ++ [ ./image/0001-ukify-dont-bundle-osrel-section.patch ];
+          });
+
           rpm = prev.rpm.overrideAttrs (old: {
             nativeBuildInputs = old.nativeBuildInputs ++ [ prev.makeWrapper ];
             postFixup = ''
@@ -94,7 +98,8 @@
         # Note that it's *not* a legacy attribute.
         legacyPackages = {
           generate = pkgs.callPackage ./nix/generate.nix { };
-        } // pkgs;
+        }
+        // pkgs;
 
         packages.mkosi = mkosiDev;
 

image/0001-ukify-dont-bundle-osrel-section.patch

@@ -0,0 +1,26 @@
+From f4d9b358e9ff6761a3e72db6f109fe4576ea58c2 Mon Sep 17 00:00:00 2001
+From: Moritz Sanft <[email protected]>
+Date: Tue, 2 Sep 2025 10:21:58 +0200
+Subject: [PATCH] ukify: dont bundle osrel section
+
+Signed-off-by: Moritz Sanft <[email protected]>
+---
+ src/ukify/ukify.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index fce36b6686..1f261299b3 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1393,7 +1393,7 @@ def make_uki(opts: UkifyConfig) -> None:
+ 
+     sections = [
+         # name,      content,         measure?
+-        ('.osrel',   opts.os_release, True),
++        # ('.osrel',   opts.os_release, True),
+         ('.cmdline', opts.cmdline,    True),
+         ('.dtb',     opts.devicetree, True),
+         *(('.dtbauto', dtb, True) for dtb in opts.devicetree_auto),
+-- 
+2.51.0
+

image/base/mkosi.conf

@@ -1,6 +1,6 @@
 [Distribution]
 Distribution=fedora
-Release=40
+Release=42
 RepositoryKeyFetch=yes
 
 [Output]
@@ -63,6 +63,7 @@ Packages=passwd
          vim
          curl
          wget
+         rpm
 
 RemoveFiles=/var/log
 RemoveFiles=/var/cache

image/base/mkosi.finalize

@@ -10,5 +10,5 @@ set -euxo pipefail
 # /etc/shadow-.
 tmp=$(mktemp)
 cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
-mkosi-chroot chage -d "" etcd
+mkosi-chroot chage -d "" etcd || true
 cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"

image/base/mkosi.postinst

@@ -14,20 +14,20 @@ mkosi-chroot rpm -qa --qf '%{name};%{version};%{license}\n' --dbpath "/var/lib/r
 cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"
 
 # copy rpmdb to outputs
-cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
+cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite} "${OUTPUTDIR}/"
 
 # FIXME(msanft):
 # Hack to satisfy Bazel's [output expectations](./BUILD.bazel).
 # 2 Bazel packages can't share the same output paths, as it seems, and the
 # files being copied around here aren't large, so copying them around doesn't
 # hurt.
 cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/lts-packagemanifest"
-cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/lts-.rpm.lock"
+touch "${OUTPUTDIR}/lts-.rpm.lock"
 cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/lts-rpmdb.sqlite"
 cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/lts-rpmdb.sqlite-shm"
 cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/lts-rpmdb.sqlite-wal"
 cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/mainline-packagemanifest"
-cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/mainline-.rpm.lock"
+touch "${OUTPUTDIR}/mainline-.rpm.lock"
 cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/mainline-rpmdb.sqlite"
 cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/mainline-rpmdb.sqlite-shm"
 cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/mainline-rpmdb.sqlite-wal"

image/initrd/mkosi.conf

@@ -1,6 +1,6 @@
 [Distribution]
 Distribution=fedora
-Release=40
+Release=42
 RepositoryKeyFetch=yes
 
 [Output]