NAS-137225 / 26.04 / Fix scale build for trixie (#925)

* Trixie related changes for scale-build * Point to HM mirrors * Update apt preferences for trixie * Update debootstrap changes for trixie * Minor fix * Remove python3 package * Remove mandatory explicit dep * Use openjdk-21-jdk for kernel * Update passwd * There is no need for custom openssl now * Move from libssl3 to libssl3t64 * Remove util-linux from build manifest * Set env variable for spdk * Don't buidl spdk for now * ipmctl is not available in stable * Remove legacy sysv unit stuff * Comment out netdata for now * Small umount fix * Also umount efivars * Update build manifest to reflect updated branches * Remove nfs entry from mtree * Make sure to umount efivars * Properly have apt sources fixed in update image * Pull in grub2-common * Add netdata mirror * Fix url * Make sure corepack is non-interactive * Update netdata groups * Fix efivars mounting * Properly use clean_mounts * Add fixme for netdata * Properly comment out spdk explicit deps * Remove grub-efi-amd64-signed from iso * Make sure efivarfs is definitely mounted * Bring in isc-dhcp-client for now * Revert "Bring in isc-dhcp-client for now" This reverts commit 259ffebba5. * Only try to umount efivarfs if host is actually efi based * Update repo's branches
2025-12-20 02:49:28 +00:00 · 2025-09-19 21:55:20 +05:00
parent 4b0ece7ac1
commit 8e86e2d981
13 changed files with 133 additions and 136 deletions
--- a/conf/build.manifest
+++ b/conf/build.manifest
@@ -1,6 +1,6 @@
 ---
 code_name: "Halfmoon"
-debian_release: "bookworm"
+debian_release: "trixie"
 identity_file_path_default: "~/.ssh/id_rsa"
 #
 # List of apt repositories that are used and setup inside the build environment
@@ -10,24 +10,27 @@ identity_file_path_default: "~/.ssh/id_rsa"
 apt-repos:
  base-url: https://apt.sys.truenas.net/
  base-url-internal: http://apt-mirror.tn.ixsystems.net/
-  url: goldeye/nightlies/debian/
-  distribution: bookworm
+  url: halfmoon/nightlies/debian/
+  distribution: trixie
  components: main
  additional:
-  - url: goldeye/nightlies/debian-security/
-    distribution: bookworm-security
+  - url: halfmoon/nightlies/debian-security/
+    distribution: trixie-security
    component: main
-  - url: goldeye/nightlies/debian-backports/
-    distribution: bookworm-backports
+  - url: halfmoon/nightlies/debian-backports/
+    distribution: trixie-backports
    component: "main contrib non-free non-free-firmware"
-  - url: goldeye/nightlies/debian-debug/
-    distribution: bookworm-debug
+  - url: halfmoon/nightlies/debian-debug/
+    distribution: trixie-debug
    component: main
-  - url: goldeye/nightlies/yarn/
+  - url: halfmoon/nightlies/yarn/
    distribution: stable
    component: main
-  - url: goldeye/nightlies/docker/
-    distribution: bookworm
+  - url: halfmoon/nightlies/netdata/
+    distribution: trixie
+    component: main
+  - url: halfmoon/nightlies/docker/
+    distribution: trixie
    component: stable
    key: keys/docker.gpg

@@ -36,9 +39,9 @@ apt-repos:
 # NOTE: Installed in the order listed
 ############################################################################
 base-packages:
- name: libssl3
+- name: libssl3t64
  install_recommends: true
- name: openssl
+- name: openssl-provider-fips
  install_recommends: true
 - name: dosfstools
  install_recommends: true
@@ -86,6 +89,8 @@ base-packages:
  install_recommends: true
 - name: grub-efi-amd64-bin
  install_recommends: true
+- name: grub2-common
+  install_recommends: true
 - name: htop
  install_recommends: true
 - name: incus
@@ -117,8 +122,8 @@ base-packages:
  install_recommends: true
 - name: truenas-ipaclient
  install_recommends: true
- name: truenas-spdk
-  install_recommends: true
+# - name: truenas-spdk
+#  install_recommends: true
 - name: cifs-utils
  install_recommends: true
 - name: nfs4xdr-acl-tools
@@ -208,7 +213,7 @@ build-epoch: 13
 ############################################################################
 apt_preferences:
 - Package: "*"
-  Pin: "release n=bookworm-backports"
+  Pin: "release n=trixie"
  Pin-Priority: 900
 - Package: "*"
  Pin: "origin \"\""
@@ -217,7 +222,7 @@ apt_preferences:
  Pin: "version 525.89*"
  Pin-Priority: 1000
 - Package: "*curl*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*libcrypto*"
  Pin: "origin \"\""
@@ -229,22 +234,22 @@ apt_preferences:
  Pin: "origin \"\""
  Pin-Priority: 1050
 - Package: "*node*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*policykit*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*polkit*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*ssh*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*ssl*"
  Pin: "origin \"\""
  Pin-Priority: 1050
 - Package: "*tls*"
-  Pin: "release n=bookworm-security"
+  Pin: "release n=trixie-security"
  Pin-Priority: 1000
 - Package: "*zfs*"
  Pin: "version 2.1.*"
@@ -288,9 +293,9 @@ additional-packages:
 - name: ndctl
  comment: requested by community (NAS-108490)
  install_recommends: true
- name: ipmctl
-  comment: requested by community (NAS-108490)
-  install_recommends: true
+# - name: ipmctl
+#  comment: requested by community (NAS-108490)
+#  install_recommends: true
 - name: acpica-tools
  comment: requested by platform team (NAS-118432)
  install_recommends: true
@@ -348,14 +353,6 @@ iso-packages:
 # to be built
 ############################################################################
 sources:
- name: openssl
-  repo: https://github.com/truenas/openssl
-  branch: master
-  generate_version: false
-  batch_priority: 0
-  predepscmd:
-    - "apt install -y wget xz-utils"
-    - "./pull.sh"
 - name: kernel
  repo: https://github.com/truenas/linux
  branch: truenas/linux-6.12
@@ -364,12 +361,10 @@ sources:
  env:
    EXTRAVERSION: "-production"
    PYTHON: "python3"
-  explicit_deps:
-   - python3
  predepscmd:
    - "apt install -y flex bison dwarves libssl-dev devscripts"
    # Install dependencies to build perf
-    - "apt install -y libelf-dev libdw-dev systemtap-sdt-dev libunwind-dev libslang2-dev libperl-dev binutils-dev libiberty-dev python3 python3-setuptools python3-dev liblzma-dev libzstd-dev libcap-dev libnuma-dev libbabeltrace-dev openjdk-17-jdk libcapstone-dev llvm-dev"
+    - "apt install -y libelf-dev libdw-dev systemtap-sdt-dev libunwind-dev libslang2-dev libperl-dev binutils-dev libiberty-dev python3 python3-setuptools python3-dev liblzma-dev libzstd-dev libcap-dev libnuma-dev libbabeltrace-dev openjdk-21-jdk libcapstone-dev llvm-dev"
    # We remove git files because kernel makefile tries to interact with git for determining version
    # which results in misconfigured version due to our debian based changes
    - "rm -rf .git .gitattributes .gitignore"
@@ -432,7 +427,6 @@ sources:
  explicit_deps:
    - kernel
    - kernel-dbg
-    - openssl
  generate_version: false
  subpackages:
    - name: openzfs-dbg
@@ -459,7 +453,6 @@ sources:
      explicit_deps:
        - kernel
        - kernel-dbg
-        - openssl
      generate_version: false
 - name: truenas_pylibzfs
  repo: https://github.com/truenas/truenas_pylibzfs
@@ -497,21 +490,22 @@ sources:
    - "sh -x fetch.sh"
  explicit_deps:
    - openzfs
-    - python3
    - truenas_samba
    - truenas_sssd
- name: truenas_spdk
-  repo: https://github.com/truenas/truenas_spdk
-  branch: master
-  generate_version: false
-  predepscmd:
-    - "apt install -y rsync"
-    - "sh -x fetch.sh"
-    - "scripts/pkgdep.sh  --rdma"
-  explicit_deps:
-    - python3
-    - kernel
-    - kernel-dbg
+# spdk does not support debian trixie now on upstream side for now
+# - name: truenas_spdk
+#  repo: https://github.com/truenas/truenas_spdk
+#  branch: master
+#  generate_version: false
+#  env:
+#    PIP_BREAK_SYSTEM_PACKAGES: "1"
+#  predepscmd:
+#    - "apt install -y rsync"
+#    - "sh -x fetch.sh"
+#    - "scripts/pkgdep.sh  --rdma"
+#  explicit_deps:
+#    - kernel
+#    - kernel-dbg
 - name: avahi
  repo: https://github.com/truenas/avahi
  branch: SCALE-v0.8
@@ -575,6 +569,8 @@ sources:
  branch: master
 - name: truenas_webui
  repo: https://github.com/truenas/webui
+  env:
+    COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
  predepscmd:
    - "apt -y install wget"
  prebuildcmd:
@@ -692,25 +688,6 @@ sources:
    - "./pull.sh"
  deoptions: nocheck
  generate_version: false
- name: util-linux
-  repo: https://github.com/truenas/util-linux
-  branch: master
-  debian_fork: true
-  predepscmd:
-    - "apt install -y wget xz-utils"
-    - "./pull.sh"
-  deoptions: nocheck
-  generate_version: false
- name: python3
-  repo: https://github.com/truenas/python.git
-  branch: master
-  batch_priority: 0
-  deoptions: nocheck
-  generate_version: false
-  predepscmd:
-    - "apt install -y python3-docs-theme python3-sphinx texinfo wget"
-    - "wget https://www.python.org/ftp/python/3.11.9/Python-3.11.9.tar.xz"
-    - "tar --strip-components=1 -xvf Python-3.11.9.tar.xz"
 - name: truenas_audit_rules
  repo: https://github.com/truenas/audit_rules.git
  branch: master
--- a/conf/reference-files/etc/group
+++ b/conf/reference-files/etc/group
@@ -11,7 +11,7 @@ mail:x:8:
 news:x:9:
 uucp:x:10:
 man:x:12:
-proxy:x:13:
+proxy:x:13:netdata
 ftp:x:14:
 kmem:x:15:
 dialout:x:20:nut
@@ -39,7 +39,7 @@ staff:x:50:
 games:x:60:
 users:x:100:
 nogroup:x:65534:
-nobody:x:65534:
+nobody:x:65534:netdata
 systemd-timesync:x:101:
 systemd-journal:x:102:
 systemd-network:x:103:
@@ -76,9 +76,9 @@ apps:x:568:
 webdav:x:666:
 truenas_readonly_administrators:x:951:
 truenas_sharing_administrators:x:952:
-docker:x:999:
+docker:x:999:netdata
 libvirt-qemu:x:986:libvirt-qemu
-haproxy:x:130:
+haproxy:x:130:netdata
 uuidd:x:131:
 i2c:x:132:
 sgx:x:133:
--- a/conf/reference-files/etc/passwd
+++ b/conf/reference-files/etc/passwd
@@ -54,3 +54,4 @@ polkitd:x:998:998:polkit:/var/empty:/usr/sbin/nologin
 netdata:x:999:997::/var/lib/netdata:/bin/sh
 sssd:x:117:122:SSSD system user:/var/lib/sss:/usr/sbin/nologin
 caddy:x:997:994:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
+dhcpcd:x:119:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false
--- a/scale_build/bootstrap/bootstrapdir.py
+++ b/scale_build/bootstrap/bootstrapdir.py
@@ -30,9 +30,16 @@ class BootstrapDir(CacheMixin, HashMixin):

    def debootstrap_debian(self):
        manifest = get_manifest()
+        # Debootstrap needs binary format key, convert ASCII-armored to binary
+        keyring_path = os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
+        binary_keyring = '/tmp/truenas-binary.gpg'
+
+        # Convert ASCII-armored key to binary format for debootstrap
+        run(['sh', '-c', f'gpg --dearmor < {keyring_path} > {binary_keyring}'])
+
        run(
            ['debootstrap'] + self.deopts + [
-                '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg',
+                '--keyring', binary_keyring,
                manifest['debian_release'],
                self.chroot_basedir, get_apt_repos(check_custom=True)['url']
            ]
@@ -44,7 +51,6 @@ class BootstrapDir(CacheMixin, HashMixin):
            self.logger.debug('Basechroot cache is intact and does not need to be changed')
            return

-        self.add_trusted_apt_key()
        apt_repos = get_apt_repos(check_custom=True)
        self.debootstrap_debian()
        self.setup_mounts()
@@ -52,34 +58,51 @@ class BootstrapDir(CacheMixin, HashMixin):
        self.logger.debug('Updating apt preferences')
        apt_path = os.path.join(self.chroot_basedir, 'etc/apt')
        apt_sources_path = os.path.join(apt_path, 'sources.list')
-        # Set bullseye repo as the priority
+
+        # Set up apt preferences
        with open(os.path.join(apt_path, 'preferences'), 'w') as f:
            f.write(get_apt_preferences())

-        run(['chroot', self.chroot_basedir, 'apt', 'update'])
-        # We need to have gnupg installed before adding apt mirrors because apt-key needs it
-        run(['chroot', self.chroot_basedir, 'apt', 'install', '-y', 'gnupg'])
+        # Create keyrings directory in chroot
+        keyring_dir = os.path.join(self.chroot_basedir, 'etc/apt/keyrings')
+        os.makedirs(keyring_dir, exist_ok=True)

-        # Save the correct repo in sources.list
-        apt_sources = [f'deb {apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}']
+        # Copy TrueNAS key to chroot keyrings
+        truenas_key = os.path.join(keyring_dir, 'truenas-archive.gpg')
+        shutil.copy(os.path.join(BUILDER_DIR, 'keys/truenas.gpg'), truenas_key)
+
+        # Build sources.list with signed-by directives
+        # Main repository
+        apt_sources = [
+            'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+            f'{apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}'
+        ]

        # Add additional repos
        for repo in apt_repos['additional']:
            self.logger.debug('Adding additional repo: %r', repo['url'])
            if repo.get('key'):
-                shutil.copy(os.path.join(BUILDER_DIR, repo['key']), os.path.join(self.chroot_basedir, 'apt.key'))
-                run(['chroot', self.chroot_basedir, 'apt-key', 'add', '/apt.key'])
-                os.unlink(os.path.join(self.chroot_basedir, 'apt.key'))
-
-            apt_sources.append(f'deb {repo["url"]} {repo["distribution"]} {repo["component"]}')
+                # Copy specific key to chroot keyrings
+                key_name = os.path.basename(repo['key'])
+                shutil.copy(os.path.join(BUILDER_DIR, repo['key']), os.path.join(keyring_dir, key_name))
+                # Add repo with its specific key
+                apt_sources.append(
+                    f'deb [signed-by=/etc/apt/keyrings/{key_name}] '
+                    f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+                )
+            else:
+                # Repo without specific key - uses TrueNAS key
+                apt_sources.append(
+                    f'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+                    f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+                )

+        # Write initial sources.list
        with open(apt_sources_path, 'w') as f:
            f.write('\n'.join(apt_sources))

-        # Update apt
+        # Update and upgrade
        run(['chroot', self.chroot_basedir, 'apt', 'update'])
-        # Upgrade apt so that packages which were pulled in by debootstrap i.e libssl, they also
-        # respect the apt preferences we have specified
        run(['chroot', self.chroot_basedir, 'apt', 'upgrade', '-y'])

        if self.extra_packages_to_install:
@@ -100,12 +123,6 @@ class BootstrapDir(CacheMixin, HashMixin):
    def after_extra_packages_installation_steps(self):
        pass

-    def add_trusted_apt_key(self):
-        run([
-            'apt-key', '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg', 'add',
-            os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
-        ])
-
    @property
    def extra_packages_to_install(self):
        raise NotImplementedError
@@ -147,9 +164,16 @@ class RootfsBootstrapDir(BootstrapDir):

    def debootstrap_debian(self):
        manifest = get_manifest()
+        # Debootstrap needs binary format key, convert ASCII-armored to binary
+        keyring_path = os.path.join(BUILDER_DIR, 'keys/truenas.gpg')
+        binary_keyring = '/tmp/truenas-binary.gpg'
+
+        # Convert ASCII-armored key to binary format for debootstrap
+        run(['sh', '-c', f'gpg --dearmor < {keyring_path} > {binary_keyring}'])
+
        run(
            ['debootstrap'] + self.deopts + [
-                '--foreign', '--keyring', '/etc/apt/trusted.gpg.d/debian-archive-truenas-automatic.gpg',
+                '--foreign', '--keyring', binary_keyring,
                manifest['debian_release'],
                self.chroot_basedir, get_apt_repos(check_custom=True)['url']
            ]
--- a/scale_build/extensions.py
+++ b/scale_build/extensions.py
@@ -117,7 +117,7 @@ class DevToolsExtension(Extension):


 class NvidiaExtension(Extension):
-    binaries = ("apt", "apt-config", "apt-key", "dpkg")
+    binaries = ("apt", "apt-config", "dpkg")
    temporary_packages = ["gcc", "make", "pkg-config"]
    permanent_packages = ["libvulkan1", "nvidia-container-toolkit", "vulkan-validationlayers"]

--- a/scale_build/image/bootstrap.py
+++ b/scale_build/image/bootstrap.py
@@ -33,6 +33,8 @@ def umount_chroot_basedir():
    for command in (
        ['umount', '-f', PACKAGE_PATH],
        ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'proc')],
+        # Need to unmount efivarfs before sys (automatically mounted under sys)
+        ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'sys/firmware/efi/efivars')],
        ['umount', '-f', os.path.join(CHROOT_BASEDIR, 'sys')],
    ):
        run(command, check=False, log=False)
--- a/scale_build/image/iso.py
+++ b/scale_build/image/iso.py
@@ -128,7 +128,7 @@ def make_iso_file():
        run_in_chroot(['apt-get', 'update'], check=False)
        run_in_chroot([
            'apt-get', 'install', '-y', 'grub-common', 'grub2-common', 'grub-efi-amd64-bin',
-            'grub-efi-amd64-signed', 'grub-pc-bin', 'mtools', 'xorriso'
+            'grub-pc-bin', 'mtools', 'xorriso'
        ])

        # Debian GRUB EFI searches for GRUB config in a different place
--- a/scale_build/image/mtree.py
+++ b/scale_build/image/mtree.py
@@ -32,7 +32,7 @@ ETC_FILES_TO_REMOVE = [
    'etc/avahi/services/nut.service',
    'etc/chrony/chrony.conf',
    'etc/default/rpcbind',
-    'etc/netdata/netdata.conf',
+    # 'etc/netdata/netdata.conf',  # FIXME: please fix this once aligned with newer netdata packages
    'etc/nginx/nginx.conf',
    'etc/nvme/hostid',
    'etc/nvme/hostnqn',
--- a/scale_build/image/update.py
+++ b/scale_build/image/update.py
@@ -3,7 +3,6 @@ import itertools
 import logging
 import os
 import platform
-import textwrap
 import shutil
 import stat
 import tempfile
@@ -136,9 +135,28 @@ def install_rootfs_packages_impl():
 def get_apt_sources():
    # We want the final sources.list to be in the rootfs image
    apt_repos = get_apt_repos(check_custom=False)
-    apt_sources = [f'deb {apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}']
+
+    # Main repository with TrueNAS key
+    apt_sources = [
+        'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+        f'{apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}'
+    ]
+
+    # Add additional repos
    for repo in apt_repos['additional']:
-        apt_sources.append(f'deb {repo["url"]} {repo["distribution"]} {repo["component"]}')
+        if repo.get('key'):
+            # Repo with specific key
+            key_name = os.path.basename(repo['key'])
+            apt_sources.append(
+                f'deb [signed-by=/etc/apt/keyrings/{key_name}] '
+                f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+            )
+        else:
+            # Repo without specific key - uses TrueNAS key
+            apt_sources.append(
+                f'deb [signed-by=/etc/apt/keyrings/truenas-archive.gpg] '
+                f'{repo["url"]} {repo["distribution"]} {repo["component"]}'
+            )
    return apt_sources


@@ -313,26 +331,6 @@ def custom_rootfs_setup():

        run_in_chroot(['update-initramfs', '-k', kernel_name, '-u'])

-    # Generate native systemd unit files for SysV services that lack ones to prevent systemd-sysv-generator warnings
-    tmp_systemd = os.path.join(CHROOT_BASEDIR, 'tmp/systemd')
-    os.makedirs(tmp_systemd)
-    run_in_chroot([
-        '/usr/lib/systemd/system-generators/systemd-sysv-generator', '/tmp/systemd', '/tmp/systemd', '/tmp/systemd'
-    ])
-    for unit_file in filter(lambda f: f.endswith('.service'), os.listdir(tmp_systemd)):
-        with open(os.path.join(tmp_systemd, unit_file), 'a') as f:
-            f.write(textwrap.dedent('''\
-                [Install]
-                WantedBy=multi-user.target
-            '''))
-
-    for f in os.listdir(os.path.join(tmp_systemd, 'multi-user.target.wants')):
-        file_path = os.path.join(tmp_systemd, f)
-        if os.path.isfile(file_path) and not os.path.islink(file_path):
-            os.unlink(file_path)
-
-    run_in_chroot(['rsync', '-av', '/tmp/systemd/', '/usr/lib/systemd/system/'])
-    shutil.rmtree(tmp_systemd)
    run_in_chroot(['depmod'], check=False)

    # /usr will be readonly, and so we want the ca-certificates directory to
--- a/scale_build/iso.py
+++ b/scale_build/iso.py
@@ -4,7 +4,7 @@ import os

 from .bootstrap.bootstrapdir import CdromBootstrapDirectory
 from .exceptions import CallError
-from .image.bootstrap import clean_mounts, setup_chroot_basedir, umount_tmpfs_and_clean_chroot_dir
+from .image.bootstrap import clean_mounts, setup_chroot_basedir
 from .image.iso import install_iso_packages, make_iso_file
 from .image.manifest import get_image_version, update_file_path
 from .utils.logger import LoggingContext
@@ -47,6 +47,6 @@ def build_impl():
        with LoggingContext('cdrom-iso', 'w'):
            make_iso_file()
    finally:
-        umount_tmpfs_and_clean_chroot_dir()
+        clean_mounts()

    logger.info('Success! CD/USB: %s/TrueNAS-SCALE-%s.iso', RELEASE_DIR, image_version)
--- a/scale_build/packages/package.py
+++ b/scale_build/packages/package.py
@@ -22,8 +22,6 @@ from .utils import (

 logger = logging.getLogger(__name__)

-MANDATORY_EXPLICIT_DEPS = frozenset(['python3'])
-

 class Package(BootstrapMixin, BuildPackageMixin, BuildCleanMixin, CCacheMixin, GitPackageMixin, OverlayMixin):
    def __init__(
@@ -42,7 +40,7 @@ class Package(BootstrapMixin, BuildPackageMixin, BuildCleanMixin, CCacheMixin, G
        self.buildcmd = buildcmd or []
        self.build_constraints = build_constraints or []
        self.depscmd = depscmd or []
-        self.explicit_deps = set(explicit_deps or set()) | MANDATORY_EXPLICIT_DEPS
+        self.explicit_deps = set(explicit_deps or set())
        self.generate_version = generate_version
        self.predepscmd = predepscmd or []
        self.deps_path = deps_path
--- a/scale_build/update_image.py
+++ b/scale_build/update_image.py
@@ -3,9 +3,7 @@ import os

 from .bootstrap.bootstrapdir import RootfsBootstrapDir
 from .exceptions import CallError
-from .image.bootstrap import (
-    clean_mounts, setup_chroot_basedir, umount_chroot_basedir, umount_tmpfs_and_clean_chroot_dir
-)
+from .image.bootstrap import clean_mounts, setup_chroot_basedir
 from .image.manifest import update_file_path
 from .image.update import install_rootfs_packages, build_rootfs_image
 from .utils.logger import LoggingContext
@@ -78,7 +76,6 @@ def build_update_image_impl():
        with LoggingContext('rootfs-image', 'w'):
            build_rootfs_image()
    finally:
-        umount_chroot_basedir()
-        umount_tmpfs_and_clean_chroot_dir()
+        clean_mounts()

    logger.info('Success! Update image created at: %s', update_file_path())
--- a/truenas_install/main.py
+++ b/truenas_install/main.py
@@ -535,6 +535,8 @@ def main():

                run_command(["mount", "-t", "sysfs", "none", f"{root}/sys"])
                undo.append(["umount", f"{root}/sys"])
+                if os.path.exists("/sys/firmware/efi"):
+                    undo.append(["umount", f"{root}/sys/firmware/efi/efivars"])

                run_command(["mount", "-t", "zfs", f"{pool_name}/grub", f"{root}/boot/grub"])
                undo.append(["umount", f"{root}/boot/grub"])
@@ -596,8 +598,6 @@ def main():

                    if os.path.exists("/sys/firmware/efi"):
                        run_command(["mount", "-t", "efivarfs", "efivarfs", f"{root}/sys/firmware/efi/efivars"])
-                        undo.append(["umount", f"{root}/sys/firmware/efi/efivars"])
-
                        # Clean up dumps from NVRAM to prevent
                        # "failed to register the EFI boot entry: No space left on device"
                        for item in os.listdir("/sys/firmware/efi/efivars"):