NAS-137225 / 26.04 / Fix scale build for trixie (#925)

* Trixie related changes for scale-build

* Point to HM mirrors

* Update apt preferences for trixie

* Update debootstrap changes for trixie

* Minor fix

* Remove python3 package

* Remove mandatory explicit dep

* Use openjdk-21-jdk for kernel

* Update passwd

* There is no need for custom openssl now

* Move from libssl3 to libssl3t64

* Remove util-linux from build manifest

* Set env variable for spdk

* Don't buidl spdk for now

* ipmctl is not available in stable

* Remove legacy sysv unit stuff

* Comment out netdata for now

* Small umount fix

* Also umount efivars

* Update build manifest to reflect updated branches

* Remove nfs entry from mtree

* Make sure to umount efivars

* Properly have apt sources fixed in update image

* Pull in grub2-common

* Add netdata mirror

* Fix url

* Make sure corepack is non-interactive

* Update netdata groups

* Fix efivars mounting

* Properly use clean_mounts

* Add fixme for netdata

* Properly comment out spdk explicit deps

* Remove grub-efi-amd64-signed from iso

* Make sure efivarfs is definitely mounted

* Bring in isc-dhcp-client for now

* Revert "Bring in isc-dhcp-client for now"

This reverts commit 259ffebba5.

* Only try to umount efivarfs if host is actually efi based

* Update repo's branches

conf/build.manifest

@@ -1,6 +1,6 @@
 ---
 code_name: "Halfmoon"
-debian_release: "bookworm"
+debian_release: "trixie"
 identity_file_path_default: "~/.ssh/id_rsa"
 #
 # List of apt repositories that are used and setup inside the build environment
@@ -10,24 +10,27 @@ identity_file_path_default: "~/.ssh/id_rsa"
 apt-repos:
   base-url: https://apt.sys.truenas.net/
   base-url-internal: http://apt-mirror.tn.ixsystems.net/
-  url: goldeye/nightlies/debian/
+  url: halfmoon/nightlies/debian/
-  distribution: bookworm
+  distribution: trixie
   components: main
   additional:
-  - url: goldeye/nightlies/debian-security/
+  - url: halfmoon/nightlies/debian-security/
-    distribution: bookworm-security
+    distribution: trixie-security
     component: main
-  - url: goldeye/nightlies/debian-backports/
+  - url: halfmoon/nightlies/debian-backports/
-    distribution: bookworm-backports
+    distribution: trixie-backports
     component: "main contrib non-free non-free-firmware"
-  - url: goldeye/nightlies/debian-debug/
+  - url: halfmoon/nightlies/debian-debug/
-    distribution: bookworm-debug
+    distribution: trixie-debug
     component: main
-  - url: goldeye/nightlies/yarn/
+  - url: halfmoon/nightlies/yarn/
     distribution: stable
     component: main
-  - url: goldeye/nightlies/docker/
+  - url: halfmoon/nightlies/netdata/
-    distribution: bookworm
+    distribution: trixie
+    component: main
+  - url: halfmoon/nightlies/docker/
+    distribution: trixie
     component: stable
     key: keys/docker.gpg
 
@@ -36,9 +39,9 @@ apt-repos:
 # NOTE: Installed in the order listed
 ############################################################################
 base-packages:
-- name: libssl3
+- name: libssl3t64
   install_recommends: true
-- name: openssl
+- name: openssl-provider-fips
   install_recommends: true
 - name: dosfstools
   install_recommends: true
@@ -86,6 +89,8 @@ base-packages:
   install_recommends: true
 - name: grub-efi-amd64-bin
   install_recommends: true
+- name: grub2-common
+  install_recommends: true
 - name: htop
   install_recommends: true
 - name: incus
@@ -117,8 +122,8 @@ base-packages:
   install_recommends: true
 - name: truenas-ipaclient
   install_recommends: true
-- name: truenas-spdk
+# - name: truenas-spdk
-  install_recommends: true
+#  install_recommends: true
 - name: cifs-utils
   install_recommends: true
 - name: nfs4xdr-acl-tools
@@ -208,7 +213,7 @@ build-epoch: 13
 ############################################################################
 apt_preferences:
 - Package: "*"
-  Pin: "release n=bookworm-backports"
+  Pin: "release n=trixie"
   Pin-Priority: 900
 - Package: "*"
   Pin: "origin \"\""
@@ -217,7 +222,7 @@ apt_preferences:
   Pin: "version 525.89*"
   Pin-Priority: 1000
 - Package: "*curl*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*libcrypto*"
   Pin: "origin \"\""
@@ -229,22 +234,22 @@ apt_preferences:
   Pin: "origin \"\""
   Pin-Priority: 1050
 - Package: "*node*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*policykit*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*polkit*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*ssh*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*ssl*"
   Pin: "origin \"\""
   Pin-Priority: 1050
 - Package: "*tls*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
   Pin-Priority: 1000
 - Package: "*zfs*"
   Pin: "version 2.1.*"
@@ -288,9 +293,9 @@ additional-packages:
 - name: ndctl
   comment: requested by community (NAS-108490)
   install_recommends: true
-- name: ipmctl
+# - name: ipmctl
-  comment: requested by community (NAS-108490)
+#  comment: requested by community (NAS-108490)
-  install_recommends: true
+#  install_recommends: true
 - name: acpica-tools
   comment: requested by platform team (NAS-118432)
   install_recommends: true
@@ -348,14 +353,6 @@ iso-packages:
 # to be built
 ############################################################################
 sources:
-- name: openssl
-  repo: https://github.com/truenas/openssl
-  branch: master
-  generate_version: false
-  batch_priority: 0
-  predepscmd:
-    - "apt install -y wget xz-utils"
-    - "./pull.sh"
 - name: kernel
   repo: https://github.com/truenas/linux
   branch: truenas/linux-6.12
@@ -364,12 +361,10 @@ sources:
   env:
     EXTRAVERSION: "-production"
     PYTHON: "python3"
-  explicit_deps:
-   - python3
   predepscmd:
     - "apt install -y flex bison dwarves libssl-dev devscripts"
     # Install dependencies to build perf
-    - "apt install -y libelf-dev libdw-dev systemtap-sdt-dev libunwind-dev libslang2-dev libperl-dev binutils-dev libiberty-dev python3 python3-setuptools python3-dev liblzma-dev libzstd-dev libcap-dev libnuma-dev libbabeltrace-dev openjdk-17-jdk libcapstone-dev llvm-dev"
+    - "apt install -y libelf-dev libdw-dev systemtap-sdt-dev libunwind-dev libslang2-dev libperl-dev binutils-dev libiberty-dev python3 python3-setuptools python3-dev liblzma-dev libzstd-dev libcap-dev libnuma-dev libbabeltrace-dev openjdk-21-jdk libcapstone-dev llvm-dev"
     # We remove git files because kernel makefile tries to interact with git for determining version
     # which results in misconfigured version due to our debian based changes
     - "rm -rf .git .gitattributes .gitignore"
@@ -432,7 +427,6 @@ sources:
   explicit_deps:
     - kernel
     - kernel-dbg
-    - openssl
   generate_version: false
   subpackages:
     - name: openzfs-dbg
@@ -459,7 +453,6 @@ sources:
       explicit_deps:
         - kernel
         - kernel-dbg
-        - openssl
       generate_version: false
 - name: truenas_pylibzfs
   repo: https://github.com/truenas/truenas_pylibzfs
@@ -497,21 +490,22 @@ sources:
     - "sh -x fetch.sh"
   explicit_deps:
     - openzfs
-    - python3
     - truenas_samba
     - truenas_sssd
-- name: truenas_spdk
+# spdk does not support debian trixie now on upstream side for now
-  repo: https://github.com/truenas/truenas_spdk
+# - name: truenas_spdk
-  branch: master
+#  repo: https://github.com/truenas/truenas_spdk
-  generate_version: false
+#  branch: master
-  predepscmd:
+#  generate_version: false
-    - "apt install -y rsync"
+#  env:
-    - "sh -x fetch.sh"
+#    PIP_BREAK_SYSTEM_PACKAGES: "1"
-    - "scripts/pkgdep.sh  --rdma"
+#  predepscmd:
-  explicit_deps:
+#    - "apt install -y rsync"
-    - python3
+#    - "sh -x fetch.sh"
-    - kernel
+#    - "scripts/pkgdep.sh  --rdma"
-    - kernel-dbg
+#  explicit_deps:
+#    - kernel
+#    - kernel-dbg
 - name: avahi
   repo: https://github.com/truenas/avahi
   branch: SCALE-v0.8
@@ -575,6 +569,8 @@ sources:
   branch: master
 - name: truenas_webui
   repo: https://github.com/truenas/webui
+  env:
+    COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
   predepscmd:
     - "apt -y install wget"
   prebuildcmd:
@@ -692,25 +688,6 @@ sources:
     - "./pull.sh"
   deoptions: nocheck
   generate_version: false
-- name: util-linux
-  repo: https://github.com/truenas/util-linux
-  branch: master
-  debian_fork: true
-  predepscmd:
-    - "apt install -y wget xz-utils"
-    - "./pull.sh"
-  deoptions: nocheck
-  generate_version: false
-- name: python3
-  repo: https://github.com/truenas/python.git
-  branch: master
-  batch_priority: 0
-  deoptions: nocheck
-  generate_version: false
-  predepscmd:
-    - "apt install -y python3-docs-theme python3-sphinx texinfo wget"
-    - "wget https://www.python.org/ftp/python/3.11.9/Python-3.11.9.tar.xz"
-    - "tar --strip-components=1 -xvf Python-3.11.9.tar.xz"
 - name: truenas_audit_rules
   repo: https://github.com/truenas/audit_rules.git
   branch: master

conf/reference-files/etc/group

@@ -11,7 +11,7 @@ mail:x:8:
 news:x:9:
 uucp:x:10:
 man:x:12:
-proxy:x:13:
+proxy:x:13:netdata
 ftp:x:14:
 kmem:x:15:
 dialout:x:20:nut
@@ -39,7 +39,7 @@ staff:x:50:
 games:x:60:
 users:x:100:
 nogroup:x:65534:
-nobody:x:65534:
+nobody:x:65534:netdata
 systemd-timesync:x:101:
 systemd-journal:x:102:
 systemd-network:x:103:
@@ -76,9 +76,9 @@ apps:x:568:
 webdav:x:666:
 truenas_readonly_administrators:x:951:
 truenas_sharing_administrators:x:952:
-docker:x:999:
+docker:x:999:netdata
 libvirt-qemu:x:986:libvirt-qemu
-haproxy:x:130:
+haproxy:x:130:netdata
 uuidd:x:131:
 i2c:x:132:
 sgx:x:133:

conf/reference-files/etc/passwd

@@ -54,3 +54,4 @@ polkitd:x:998:998:polkit:/var/empty:/usr/sbin/nologin
 netdata:x:999:997::/var/lib/netdata:/bin/sh
 sssd:x:117:122:SSSD system user:/var/lib/sss:/usr/sbin/nologin
 caddy:x:997:994:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
+dhcpcd:x:119:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false

scale_build/bootstrap/bootstrapdir.py

@@ -30,9 +30,16 @@ class BootstrapDir(CacheMixin, HashMixin):
 
     def debootstrap_debian(self):
         manifest = get_manifest()
+        # Debootstrap needs binary format key, convert ASCII-armored to binary
+        keyring_path = os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
+        binary_keyring = '/tmp/truenas-binary.gpg'
+
+        # Convert ASCII-armored key to binary format for debootstrap
+        run(['sh', '-c', f'gpg --dearmor < {keyring_path} > {binary_keyring}'])
+
         run(
             ['debootstrap'] + self.deopts + [
-                '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg',
+                '--keyring', binary_keyring,
                 manifest['debian_release'],
                 self.chroot_basedir, get_apt_repos(check_custom=True)['url']
             ]
@@ -44,7 +51,6 @@ class BootstrapDir(CacheMixin, HashMixin):
             self.logger.debug('Basechroot cache is intact and does not need to be changed')
             return
 
-        self.add_trusted_apt_key()
         apt_repos = get_apt_repos(check_custom=True)
         self.debootstrap_debian()
         self.setup_mounts()
@@ -52,34 +58,51 @@ class BootstrapDir(CacheMixin, HashMixin):
         self.logger.debug('Updating apt preferences')
         apt_path = os.path.join(self.chroot_basedir, 'etc/apt')
         apt_sources_path = os.path.join(apt_path, 'sources.list')
-        # Set bullseye repo as the priority
+
+        # Set up apt preferences
         with open(os.path.join(apt_path, 'preferences'), 'w') as f:
             f.write(get_apt_preferences())
 
-        run(['chroot', self.chroot_basedir, 'apt', 'update'])
+        # Create keyrings directory in chroot
-        # We need to have gnupg installed before adding apt mirrors because apt-key needs it
+        keyring_dir = os.path.join(self.chroot_basedir, 'etc/apt/keyrings')
-        run(['chroot', self.chroot_basedir, 'apt', 'install', '-y', 'gnupg'])
+        os.makedirs(keyring_dir, exist_ok=True)
 
-        # Save the correct repo in sources.list
+        # Copy TrueNAS key to chroot keyrings
-        apt_sources = [f'deb {apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}']
+        truenas_key = os.path.join(keyring_dir, 'truenas-archive.gpg')
+        shutil.copy(os.path.join(BUILDER_DIR, 'keys/truenas.gpg'), truenas_key)
+
+        # Build sources.list with signed-by directives
+        # Main repository
+        apt_sources = [
+            'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+            f'{apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}'
+        ]
 
         # Add additional repos
         for repo in apt_repos['additional']:
             self.logger.debug('Adding additional repo: %r', repo['url'])
             if repo.get('key'):
-                shutil.copy(os.path.join(BUILDER_DIR, repo['key']), os.path.join(self.chroot_basedir, 'apt.key'))
+                # Copy specific key to chroot keyrings
-                run(['chroot', self.chroot_basedir, 'apt-key', 'add', '/apt.key'])
+                key_name = os.path.basename(repo['key'])
-                os.unlink(os.path.join(self.chroot_basedir, 'apt.key'))
+                shutil.copy(os.path.join(BUILDER_DIR, repo['key']), os.path.join(keyring_dir, key_name))
-
+                # Add repo with its specific key
-            apt_sources.append(f'deb {repo["url"]} {repo["distribution"]} {repo["component"]}')
+                apt_sources.append(
+                    f'deb [signed-by=/etc/apt/keyrings/{key_name}] '
+                    f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+                )
+            else:
+                # Repo without specific key - uses TrueNAS key
+                apt_sources.append(
+                    f'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+                    f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+                )
 
+        # Write initial sources.list
         with open(apt_sources_path, 'w') as f:
             f.write('\n'.join(apt_sources))
 
-        # Update apt
+        # Update and upgrade
         run(['chroot', self.chroot_basedir, 'apt', 'update'])
-        # Upgrade apt so that packages which were pulled in by debootstrap i.e libssl, they also
-        # respect the apt preferences we have specified
         run(['chroot', self.chroot_basedir, 'apt', 'upgrade', '-y'])
 
         if self.extra_packages_to_install:
@@ -100,12 +123,6 @@ class BootstrapDir(CacheMixin, HashMixin):
     def after_extra_packages_installation_steps(self):
         pass
 
-    def add_trusted_apt_key(self):
-        run([
-            'apt-key', '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg', 'add',
-            os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
-        ])
-
     @property
     def extra_packages_to_install(self):
         raise NotImplementedError
@@ -147,9 +164,16 @@ class RootfsBootstrapDir(BootstrapDir):
 
     def debootstrap_debian(self):
         manifest = get_manifest()
+        # Debootstrap needs binary format key, convert ASCII-armored to binary
+        keyring_path = os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
+        binary_keyring = '/tmp/truenas-binary.gpg'
+
+        # Convert ASCII-armored key to binary format for debootstrap
+        run(['sh', '-c', f'gpg --dearmor < {keyring_path} > {binary_keyring}'])
+
         run(
             ['debootstrap'] + self.deopts + [
-                '--foreign', '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg',
+                '--foreign', '--keyring', binary_keyring,
                 manifest['debian_release'],
                 self.chroot_basedir, get_apt_repos(check_custom=True)['url']
             ]

scale_build/extensions.py

@@ -117,7 +117,7 @@ class DevToolsExtension(Extension):
 
 
 class NvidiaExtension(Extension):
-    binaries = ("apt", "apt-config", "apt-key", "dpkg")
+    binaries = ("apt", "apt-config", "dpkg")
     temporary_packages = ["gcc", "make", "pkg-config"]
     permanent_packages = ["libvulkan1", "nvidia-container-toolkit", "vulkan-validationlayers"]
 

scale_build/image/bootstrap.py

@@ -33,6 +33,8 @@ def umount_chroot_basedir():
     for command in (
         ['umount', '-f', PACKAGE_PATH],
         ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'proc')],
+        # Need to unmount efivarfs before sys (automatically mounted under sys)
+        ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'sys/firmware/efi/efivars')],
         ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'sys')],
     ):
         run(command, check=False, log=False)

scale_build/image/iso.py

@@ -128,7 +128,7 @@ def make_iso_file():
         run_in_chroot(['apt-get', 'update'], check=False)
         run_in_chroot([
             'apt-get', 'install', '-y', 'grub-common', 'grub2-common', 'grub-efi-amd64-bin',
-            'grub-efi-amd64-signed', 'grub-pc-bin', 'mtools', 'xorriso'
+            'grub-pc-bin', 'mtools', 'xorriso'
         ])
 
         # Debian GRUB EFI searches for GRUB config in a different place

scale_build/image/mtree.py

@@ -32,7 +32,7 @@ ETC_FILES_TO_REMOVE = [
     'etc/avahi/services/nut.service',
     'etc/chrony/chrony.conf',
     'etc/default/rpcbind',
-    'etc/netdata/netdata.conf',
+    # 'etc/netdata/netdata.conf',  # FIXME: please fix this once aligned with newer netdata packages
     'etc/nginx/nginx.conf',
     'etc/nvme/hostid',
     'etc/nvme/hostnqn',

scale_build/image/update.py

@@ -3,7 +3,6 @@ import itertools
 import logging
 import os
 import platform
-import textwrap
 import shutil
 import stat
 import tempfile
@@ -136,9 +135,28 @@ def install_rootfs_packages_impl():
 def get_apt_sources():
     # We want the final sources.list to be in the rootfs image
     apt_repos = get_apt_repos(check_custom=False)
-    apt_sources = [f'deb {apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}']
+
+    # Main repository with TrueNAS key
+    apt_sources = [
+        'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+        f'{apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}'
+    ]
+
+    # Add additional repos
     for repo in apt_repos['additional']:
-        apt_sources.append(f'deb {repo["url"]} {repo["distribution"]} {repo["component"]}')
+        if repo.get('key'):
+            # Repo with specific key
+            key_name = os.path.basename(repo['key'])
+            apt_sources.append(
+                f'deb [signed-by=/etc/apt/keyrings/{key_name}] '
+                f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+            )
+        else:
+            # Repo without specific key - uses TrueNAS key
+            apt_sources.append(
+                f'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+                f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+            )
     return apt_sources
 
 
@@ -313,26 +331,6 @@ def custom_rootfs_setup():
 
         run_in_chroot(['update-initramfs', '-k', kernel_name, '-u'])
 
-    # Generate native systemd unit files for SysV services that lack ones to prevent systemd-sysv-generator warnings
-    tmp_systemd = os.path.join(CHROOT_BASEDIR, 'tmp/systemd')
-    os.makedirs(tmp_systemd)
-    run_in_chroot([
-        '/usr/lib/systemd/system-generators/systemd-sysv-generator', '/tmp/systemd', '/tmp/systemd', '/tmp/systemd'
-    ])
-    for unit_file in filter(lambda f: f.endswith('.service'), os.listdir(tmp_systemd)):
-        with open(os.path.join(tmp_systemd, unit_file), 'a') as f:
-            f.write(textwrap.dedent('''\
-                [Install]
-                WantedBy=multi-user.target
-            '''))
-
-    for f in os.listdir(os.path.join(tmp_systemd, 'multi-user.target.wants')):
-        file_path = os.path.join(tmp_systemd, f)
-        if os.path.isfile(file_path) and not os.path.islink(file_path):
-            os.unlink(file_path)
-
-    run_in_chroot(['rsync', '-av', '/tmp/systemd/', '/usr/lib/systemd/system/'])
-    shutil.rmtree(tmp_systemd)
     run_in_chroot(['depmod'], check=False)
 
     # /usr will be readonly, and so we want the ca-certificates directory to

scale_build/iso.py

@@ -4,7 +4,7 @@ import os
 
 from .bootstrap.bootstrapdir import CdromBootstrapDirectory
 from .exceptions import CallError
-from .image.bootstrap import clean_mounts, setup_chroot_basedir, umount_tmpfs_and_clean_chroot_dir
+from .image.bootstrap import clean_mounts, setup_chroot_basedir
 from .image.iso import install_iso_packages, make_iso_file
 from .image.manifest import get_image_version, update_file_path
 from .utils.logger import LoggingContext
@@ -47,6 +47,6 @@ def build_impl():
         with LoggingContext('cdrom-iso', 'w'):
             make_iso_file()
     finally:
-        umount_tmpfs_and_clean_chroot_dir()
+        clean_mounts()
 
     logger.info('Success! CD/USB: %s/TrueNAS-SCALE-%s.iso', RELEASE_DIR, image_version)

scale_build/packages/package.py

@@ -22,8 +22,6 @@ from .utils import (
 
 logger = logging.getLogger(__name__)
 
-MANDATORY_EXPLICIT_DEPS = frozenset(['python3'])
-
 
 class Package(BootstrapMixin, BuildPackageMixin, BuildCleanMixin, CCacheMixin, GitPackageMixin, OverlayMixin):
     def __init__(
@@ -42,7 +40,7 @@ class Package(BootstrapMixin, BuildPackageMixin, BuildCleanMixin, CCacheMixin, G
         self.buildcmd = buildcmd or []
         self.build_constraints = build_constraints or []
         self.depscmd = depscmd or []
-        self.explicit_deps = set(explicit_deps or set()) | MANDATORY_EXPLICIT_DEPS
+        self.explicit_deps = set(explicit_deps or set())
         self.generate_version = generate_version
         self.predepscmd = predepscmd or []
         self.deps_path = deps_path

scale_build/update_image.py

@@ -3,9 +3,7 @@ import os
 
 from .bootstrap.bootstrapdir import RootfsBootstrapDir
 from .exceptions import CallError
-from .image.bootstrap import (
+from .image.bootstrap import clean_mounts, setup_chroot_basedir
-    clean_mounts, setup_chroot_basedir, umount_chroot_basedir, umount_tmpfs_and_clean_chroot_dir
-)
 from .image.manifest import update_file_path
 from .image.update import install_rootfs_packages, build_rootfs_image
 from .utils.logger import LoggingContext
@@ -78,7 +76,6 @@ def build_update_image_impl():
         with LoggingContext('rootfs-image', 'w'):
             build_rootfs_image()
     finally:
-        umount_chroot_basedir()
+        clean_mounts()
-        umount_tmpfs_and_clean_chroot_dir()
 
     logger.info('Success! Update image created at: %s', update_file_path())

truenas_install/__main__.py

@@ -535,6 +535,8 @@ def main():
 
                 run_command(["mount", "-t", "sysfs", "none", f"{root}/sys"])
                 undo.append(["umount", f"{root}/sys"])
+                if os.path.exists("/sys/firmware/efi"):
+                    undo.append(["umount", f"{root}/sys/firmware/efi/efivars"])
 
                 run_command(["mount", "-t", "zfs", f"{pool_name}/grub", f"{root}/boot/grub"])
                 undo.append(["umount", f"{root}/boot/grub"])
@@ -596,8 +598,6 @@ def main():
 
                     if os.path.exists("/sys/firmware/efi"):
                         run_command(["mount", "-t", "efivarfs", "efivarfs", f"{root}/sys/firmware/efi/efivars"])
-                        undo.append(["umount", f"{root}/sys/firmware/efi/efivars"])
-
                         # Clean up dumps from NVRAM to prevent
                         # "failed to register the EFI boot entry: No space left on device"
                         for item in os.listdir("/sys/firmware/efi/efivars"):