<xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>_netdev</option></term>
+
+ <listitem><para>Marks this veritysetup device as requiring network. It will be started after the
+ network is available, similarly to
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ units marked with <option>_netdev</option>. The service unit to set up this device will be ordered
+ between <filename>remote-fs-pre.target</filename> and
+ <filename>remote-integritysetup.target</filename>, instead of
+ <filename>integritysetup-pre.target</filename> and <filename>integritysetup.target</filename>.</para>
+
+ <para>Hint: if this device is used for a mount point that is specified in <citerefentry
+ project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>, the
+ <option>_netdev</option> option should also be used for the mount point. Otherwise, a dependency loop
+ might be created where the mount point will be pulled in by <filename>local-fs.target</filename>,
+ while the service to configure the network is usually only started <emphasis>after</emphasis> the
+ local file system has been mounted.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>noauto</option></term>
+
+ <listitem><para>This device will not be added to <filename>integritysetup.target</filename>. This
+ means that it will not be automatically enabled on boot, unless something else pulls it in. In
+ particular, if the device is used for a mount point, it'll be enabled automatically during boot,
+ unless the mount point itself is also disabled with <option>noauto</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>nofail</option></term>
+
+ <listitem><para>This device will not be a hard dependency of
+ <filename>integritysetup.target</filename>. It'll still be pulled in and started, but the system will
+ not wait for the device to show up and be enabled, and boot will not fail if this is
+ unsuccessful. Note that other units that depend on the enabled device may still fail. In particular,
+ if the device is used for a mount point, the mount point itself also needs to have the
+ <option>nofail</option> option, or the boot will fail if the device is not enabled
+ successfully.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+ </varlistentry>
</variablelist>
<para>At early boot and when the system manager configuration is
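Review bot: The first sentence of the `_netdev` entry says "Marks this veritysetup device as requiring network", but every other reference in these entries is to the integrity targets (`integritysetup.target`, `remote-integritysetup.target`), so this looks like a leftover from the verity documentation and should read "integritysetup device". Only that one word needs to change; the ordering sentence and the fstab hint are already worded for the integrity case.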
<filename>printer.target</filename>,
<filename>reboot.target</filename>,
<filename>remote-cryptsetup.target</filename>,
+ <filename>remote-integritysetup.target</filename>,
<filename>remote-veritysetup.target</filename>,
<filename>remote-fs-pre.target</filename>,
<filename>remote-fs.target</filename>,
<xi:include href="version-info.xml" xpointer="v235"/>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><filename>remote-integritysetup.target</filename></term>
+ <listitem>
+ <para>Similar to <filename>integritysetup.target</filename>, but for integrity protected devices
+ which are accessed over the network. It is used for
+ <citerefentry><refentrytitle>integritytab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ entries marked with <option>_netdev</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><filename>remote-veritysetup.target</filename></term>
<listitem>
<para>Similar to <filename>veritysetup.target</filename>, but for verity
- integrity protected devices which are accessed over the network. It is used for
+ protected devices which are accessed over the network. It is used for
<citerefentry><refentrytitle>veritytab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
entries marked with <option>_netdev</option>.</para>
enable remote-fs.target
enable remote-cryptsetup.target
+enable remote-integritysetup.target
enable remote-veritysetup.target
enable machines.target
_cleanup_free_ char *n = NULL, *dd = NULL, *e = NULL, *name_escaped = NULL, *key_file_escaped = NULL;
_cleanup_fclose_ FILE *f = NULL;
- int r;
char *dmname = NULL;
+ bool noauto, nofail, netdev;
+ int r;
assert(name);
assert(device);
+ noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
+ nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
+ netdev = fstab_test_option(options, "_netdev\0");
+
name_escaped = specifier_escape(name);
if (!name_escaped)
return log_oom();
"Before=blockdev@dev-mapper-%%i.target\n"
"Wants=blockdev@dev-mapper-%%i.target\n"
"Conflicts=umount.target\n"
- "Before=integritysetup.target\n"
"BindsTo=%s\n"
"After=%s\n"
"Before=umount.target\n",
arg_integritytab,
dd, dd);
+ if (netdev)
+ fprintf(f, "After=remote-fs-pre.target\n");
+
+ if (!nofail)
+ fprintf(f,
+ "Before=%s\n",
+ netdev ? "remote-integritysetup.target" : "integritysetup.target");
+
fprintf(f,
"\n"
"[Service]\n"
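Review bot: The `netdev` branch only adds `After=remote-fs-pre.target`, while the man page text in this patch says such a unit is ordered between `remote-fs-pre.target` and `remote-integritysetup.target` "instead of" `integritysetup-pre.target` and `integritysetup.target`. The `Before=` side is switched here, but nothing in the visible lines drops an ordering after `integritysetup-pre.target` for network devices, and the new target unit itself is ordered after both pre-targets. If the template above this hunk still emits that ordering unconditionally, either make it depend on `!netdev` or soften the documentation to say the remote ordering is added rather than substituted. Minor style point: the first `fprintf()` has no format arguments, so `fputs()` would do.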
if (r < 0)
return log_error_errno(r, "Failed to write unit file %s: %m", n);
- r = generator_add_symlink(arg_dest, "integritysetup.target", "requires", n);
- if (r < 0)
- return r;
+ if (!noauto) {
+ r = generator_add_symlink(
+ arg_dest,
+ netdev ? "remote-integritysetup.target" : "integritysetup.target",
+ nofail ? "wants" : "requires",
+ n);
+ if (r < 0)
+ return r;
+ }
dmname = strjoina("dev-mapper-", e, ".device");
return generator_add_symlink(arg_dest, dmname, "requires", n);
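Review bot: The `requires` symlink from the `dev-mapper-….device` unit on the last line stays unconditional, so `noauto` and `nofail` only change how the target pulls the service in, not how a consumer of the mapped device does. That matches the man page text (a mount point still activates a `noauto` device, and units depending on a `nofail` device may still fail), but it is easy to misread next to the new `if (!noauto)` block. A one-line comment above `dmname = strjoina(...)` stating that the device dependency is deliberately independent of both options would make the intent clear to the next reader.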
},
{ 'file' : 'remote-fs-pre.target' },
{ 'file' : 'remote-fs.target' },
+ {
+ 'file' : 'remote-integritysetup.target',
+ 'conditions' : ['HAVE_LIBCRYPTSETUP'],
+ 'symlinks' : ['initrd-root-device.target.wants/'],
+ },
{
'file' : 'remote-veritysetup.target',
'conditions' : ['HAVE_LIBCRYPTSETUP'],
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Integrity Protected Volumes
+Documentation=man:systemd.special(7)
+After=remote-fs-pre.target integritysetup-pre.target
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target