<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-mountfsd.service" conditional='ENABLE_MOUNTFSD'>

  <refentryinfo>
    <title>systemd-mountfsd.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-mountfsd.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-mountfsd.service</refname>
    <refname>systemd-mountfsd</refname>
    <refpurpose>Disk Image File System Mount Service</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-mountfsd.service</filename></para>
    <para><filename>/usr/lib/systemd/systemd-mountfsd</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-mountfsd</command> is a system service that dissects disk images and returns mount
    file descriptors for the file systems contained therein to clients via a Varlink IPC API.</para>

    <para>The disk images provided must contain a raw file system image or must follow the <ulink
    url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification/">Discoverable
    Partitions Specification</ulink>. Before mounting any file systems, the authenticity of the disk image is
    established in one or a combination of the following ways:</para>

    <orderedlist>
      <listitem><para>If the disk image is located in a regular file in one of the directories
      <filename>/var/lib/machines/</filename>, <filename>/var/lib/portables/</filename>,
      <filename>/var/lib/extensions/</filename>, <filename>/var/lib/confexts/</filename> or their
      counterparts in <filename>/etc/</filename>, <filename>/run/</filename> or
      <filename>/usr/lib/</filename>, it is assumed to be trusted.</para></listitem>

      <listitem><para>If the disk image contains a Verity-enabled disk image, along with a signature
      partition with a key in the kernel keyring or in <filename>/etc/verity.d/</filename> (and related
      directories), the disk image is considered trusted.</para></listitem>
    </orderedlist>

    <para>This service provides one <ulink url="https://varlink.org/">Varlink</ulink> service,
    <constant>io.systemd.MountFileSystem</constant>, which accepts a file descriptor to a regular file or
    block device, and returns a number of file descriptors referring to an <function>fsmount()</function>
    file descriptor the client may then attach to a path of their choice.</para>

    <para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
    <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

    <para>The file systems are automatically fsck'ed before mounting.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>
</refentry>
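
Because the first rule in the Description trusts an image purely by where its file lives, write access to those directories (or any parent) is equivalent to the right to supply a trusted image. The following audit script is an added example, not part of systemd or this man page; it assumes the `/etc`, `/run` and `/usr/lib` counterparts use the same final directory names as under `/var/lib`, and the function names are hypothetical.

```python
import os
import stat

# Names from the man page; assumption: the /etc, /run and /usr/lib
# "counterparts" use the same final path component as under /var/lib.
IMAGE_CLASSES = ("machines", "portables", "extensions", "confexts")
PREFIXES = ("/var/lib", "/etc", "/run", "/usr/lib")


def trusted_dirs(root="/"):
    """Directories whose regular files are trusted by location alone."""
    return [os.path.join(root, prefix.lstrip("/"), cls)
            for prefix in PREFIXES for cls in IMAGE_CLASSES]


def _check(path, owner_uid):
    """Findings for one existing path: wrong owner or loose write bits."""
    st = os.stat(path)
    out = []
    if st.st_uid != owner_uid:
        out.append((path, f"owned by uid {st.st_uid}, expected {owner_uid}"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append((path, f"group/other writable ({stat.filemode(st.st_mode)})"))
    return out


def audit_dir(path, stop_at="/", owner_uid=0):
    """Audit a trusted directory, its images, and every parent up to stop_at."""
    cur = os.path.realpath(path)          # follow symlinks to the real location
    stop_at = os.path.realpath(stop_at)
    if not os.path.isdir(cur):
        return []                         # directory absent: nothing to trust
    findings = []
    for entry in os.scandir(cur):         # image files placed in the directory
        if entry.is_file(follow_symlinks=False):
            findings += _check(entry.path, owner_uid)
    while True:                           # the directory and each ancestor
        findings += _check(cur, owner_uid)
        parent = os.path.dirname(cur)
        if cur == stop_at or parent == cur:
            break
        cur = parent
    return findings


if __name__ == "__main__":
    for d in trusted_dirs():
        for where, problem in audit_dir(d):
            print(f"{where}: {problem}")
```

Any finding means a non-root principal can influence what is treated as a trusted image by location; images that must live in less tightly controlled places should rely on the Verity signature rule instead.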