or the host. See:
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
- <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+ <para>Note that usage from user units requires overlayfs support in unprivileged user namespaces,
+ which was first introduced in kernel v5.11.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
_cleanup_strv_free_ char **empty_directories = NULL, **symlinks = NULL;
const char *tmp_dir = NULL, *var_tmp_dir = NULL;
const char *root_dir = NULL, *root_image = NULL;
- _cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL;
+ _cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL,
+ *extension_dir = NULL;
NamespaceInfo ns_info;
bool needs_sandboxing;
BindMount *bind_mounts = NULL;
r = -ENOMEM;
goto finalize;
}
- }
+
+ extension_dir = strdup("/run/systemd/unit-extensions");
+ if (!extension_dir) {
+ r = -ENOMEM;
+ goto finalize;
+ }
+ } else
+ if (asprintf(&extension_dir, "/run/user/" UID_FMT "/systemd/unit-extensions", geteuid()) < 0) {
+ r = -ENOMEM;
+ goto finalize;
+ }
r = setup_namespace(root_dir, root_image, context->root_image_options,
&ns_info, context->read_write_paths,
context->extension_directories,
propagate_dir,
incoming_dir,
+ extension_dir,
root_dir || root_image ? params->notify_socket : NULL,
error_path);
char **hierarchy, **extension_directory;
int r;
- assert(p);
- assert(extension_dir);
-
if (n == 0 && strv_isempty(extension_directories))
return 0;
+ assert(p);
+ assert(extension_dir);
+
/* Prepare a list of overlays, that will have as each element a string suitable for being
* passed as a lowerdir= parameter, so start with the hierarchy on the root.
* The overlays vector will have the same number of elements and will correspond to the
char **extension_directories,
const char *propagate_dir,
const char *incoming_dir,
+ const char *extension_dir,
const char *notify_socket,
char **error_path) {
_cleanup_strv_free_ char **hierarchies = NULL;
MountEntry *m = NULL, *mounts = NULL;
bool require_prefix = false, setup_propagate = false;
- const char *root, *extension_dir = "/run/systemd/unit-extensions";
+ const char *root;
DissectImageFlags dissect_image_flags =
DISSECT_IMAGE_GENERIC_ROOT |
DISSECT_IMAGE_REQUIRE_ROOT |
char **extension_directories,
const char *propagate_dir,
const char *incoming_dir,
+ const char *extension_dir,
const char *notify_socket,
char **error_path);
NULL,
NULL,
NULL,
+ NULL,
NULL);
assert_se(r == 0);
NULL,
NULL,
NULL,
+ NULL,
NULL);
if (r < 0) {
log_error_errno(r, "Failed to set up namespace: %m");
test_append_files() {
(
+ instmods overlay =overlayfs
+ generate_module_dependencies
inst_binary unsquashfs
install_verity_minimal
)
runas testuser systemd-run --wait --user --unit=test-root-dir-bind \
-p PrivateUsers=yes -p RootDirectory=/tmp/img_bind \
grep MARKER=1 /etc/os-release
+
+# Unprivileged overlayfs was added to Linux 5.11, so try to detect it first
+mkdir -p /tmp/a /tmp/b /tmp/c
+if unshare --mount --user --map-root-user mount -t overlay overlay /tmp/c -o lowerdir=/tmp/a:/tmp/b; then
+ unsquashfs -no-xattrs -d /tmp/app2 /usr/share/app1.raw
+ runas testuser systemd-run --wait --user --unit=test-extension-dir \
+ -p PrivateUsers=yes -p ExtensionDirectories=/tmp/app2 \
+ -p TemporaryFileSystem=/run -p RootDirectory=/tmp/img \
+ -p MountAPIVFS=yes \
+ grep PORTABLE_PREFIXES=app1 /usr/lib/extension-release.d/extension-release.app2
+fi
+
umount /tmp/img_bind
systemd-analyze log-level info
projects / thirdparty / systemd.git / commitdiff
