Merge pull request #16301 from poettering/firstboot-image

Add --image= switch to firstboot, similar to --root= but with support for operating on disk image

diff --combined TODO
index 2056dcf74eb5de7977331a3e97eebddc042d9b9f,0cd9bc114fcca90789f1ae8728f75f18db9af31b..7ee5f26cc1ca3a3b6497499e929c590ee548f41e
--- 1/TODO
--- 2/TODO
+++ b/TODO
@@@ -49,6 -49,9 +49,9 @@@ Features
  
  * nspawn: support time namespaces
  
+ * systemd-firstboot: make sure to always use chase_symlinks() before
+   reading/writing files
+ 
  * add ConditionSecurity=tpm2
  
  * Remove any support for booting without /usr pre-mounted in the initrd entirely.
@@@ -94,8 -97,9 +97,9 @@@
    this, it's useful to have one that can dump contents of them, too.
  
  * All tools that support --root= should also learn --image= so that they can
-   operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
-   sysusers, systemctl, repart, journalctl, coredumpctl.
+   operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers,
+   systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn,
+   systemd-firstboot)
  
  * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
  
@@@ -138,12 -142,12 +142,12 @@@
  
  * homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
  
 -* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
 -  exists and responds.
 -
  * homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
    easily?
  
 +* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
 +  exists and responds.
 +
  * when systemd-nspawn and suchlike dissect an OS image, and there are multiple
    root partitions, do an strverscmp() on the partition label and boot
    first. That is inspired how sd-boot figures out which kernel to boot, and
@@@ -343,8 -347,7 +347,8 @@@
      beefing up logind to make pam session close hook synchronous and wait until
      systemd --user is shut down.
    - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
 -  - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine)
 +  - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
 +    images (and btrfs snapshots of subvolumes) (think: time machine)
    - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
    - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
    - fingerprint authentication, pattern authentication, …
@@@ -360,9 -363,6 +364,9 @@@
    - make slice for users configurable (requires logind rework)
    - logind: populate auto-login list bus property from PKCS#11 token
    - when determining state of a LUKS home directory, check DM suspended sysfs file
 +  - introduce API for "making room", that grows/shrinks home directory
 +    according to elastic parameters, discards blocks, and removes additional snapshots. Call it
 +    either from UI when disk space gets low
  
  * introduce a new per-process uuid, similar to the boot id, the machine id, the
    invocation id, that is derived from process creds, specifically a hashed