<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-mountfsd.service" conditional='ENABLE_MOUNTFSD'>
<title>systemd-mountfsd.service</title>
<productname>systemd</productname>
<refentrytitle>systemd-mountfsd.service</refentrytitle>
<manvolnum>8</manvolnum>
<refname>systemd-mountfsd.service</refname>
<refname>systemd-mountfsd</refname>
<refpurpose>Disk Image File System Mount Service</refpurpose>
<para><filename>systemd-mountfsd.service</filename></para>
<para><filename>/usr/lib/systemd/systemd-mountfsd</filename></para>
<title>Description</title>
<para><command>systemd-mountfsd</command> is a system service that dissects disk images, and returns mount
file descriptors for the file systems contained therein to clients, via a Varlink IPC API.</para>
<para>The disk images provided must contain a raw file system image or must follow the <ulink
url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification/">Discoverable
Partitions Specification</ulink>. Before mounting any file systems, the authenticity of the disk image is
established in one or a combination of the following ways:</para>
<listitem><para>If the disk image is located in a regular file in one of the directories
<filename>/var/lib/machines/</filename>, <filename>/var/lib/portables/</filename>,
<filename>/var/lib/extensions/</filename>, <filename>/var/lib/confexts/</filename> or their
counterparts in <filename>/etc/</filename>, <filename>/run/</filename> or
<filename>/usr/lib/</filename>, it is assumed to be trusted.</para></listitem>
<listitem><para>If the disk image contains a Verity-enabled disk image, along with a signature
partition with a key in the kernel keyring or in <filename>/etc/verity.d/</filename> (and related
directories), the disk image is considered trusted.</para></listitem>
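<para>The location rule in the first list item above, as an added audit sketch that is not part of the original manual page and is not systemd's own code. It assumes that "counterparts" means the same directory name under each prefix, that files at any depth below a listed directory count, and that symlinks are resolved before comparing; <varname>root</varname> and the function names are hypothetical. Because location alone implies trust, it also reports group- or world-writable images and parent directories.</para>

```python
import os
import stat

# Names and prefixes come from the list above. Reading "counterparts" as
# PREFIX/NAME/ and accepting files at any depth are assumptions of this sketch,
# not behaviour taken from systemd's source.
IMAGE_CLASSES = ("machines", "portables", "extensions", "confexts")
PREFIXES = ("var/lib", "etc", "run", "usr/lib")


def trusted_directories(root="/"):
    """Directories covered by the location rule, below root."""
    return [os.path.join(root, p, n) for p in PREFIXES for n in IMAGE_CLASSES]


def trusted_by_location(path, root="/"):
    """True if path resolves to a regular file inside a trusted directory."""
    real = os.path.realpath(path)  # resolve symlinks and ".." before comparing
    if not os.path.isfile(real):
        return False
    for directory in trusted_directories(root):
        real_dir = os.path.realpath(directory)
        if os.path.commonpath([real, real_dir]) == real_dir:
            return True
    return False


def loose_permissions(path):
    """Return the image and/or its parent directory if group- or world-writable."""
    real = os.path.realpath(path)
    loose = []
    for candidate in (real, os.path.dirname(real)):
        perms = stat.filemode(os.stat(candidate).st_mode)  # e.g. "-rw-r--r--"
        if perms[5] == "w" or perms[8] == "w":  # group write, other write
            loose.append(candidate)
    return loose
```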
<para>This service provides one <ulink url="https://varlink.org/">Varlink</ulink> service:
<constant>io.systemd.MountFileSystem</constant>, which accepts a file descriptor to a regular file or
block device, and returns a number of <function>fsmount()</function> file descriptors, which
the client may then attach to a path of their choice.</para>
<para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>The file systems are automatically fsck'ed before mounting.</para>
<title>See Also</title>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>