--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=1
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
--- /dev/null
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=2
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+@Locale=C.UTF-8
+WithDocs=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+Packages=
+ bash
+ coreutils
+ grep
+ util-linux
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ inetutils
+ iproute
+ openbsd-netcat
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ hostname
+ iproute
+ iproute-tc
+ netcat
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ hostname
+ iproute2
+ mount
+ netcat-openbsd
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ hostname
+ iproute2
+ netcat-openbsd
+ patterns-base-minimal_base
--- /dev/null
+../usr/lib/os-release
\ No newline at end of file
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# This is a stub resolv.conf intended as a mountpoint for the host's resolv.conf
# SPDX-License-Identifier: LGPL-2.1-or-later
+[Config]
+Dependencies=
+ minimal-0
+ minimal-1
+
[Output]
@Format=directory
Autologin=yes
ExtraTrees=
%D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+ %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+ %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+ %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+ %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+ %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+ %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
Packages=
acl
[Content]
Packages=
rpmautospec-rpm-macros
+ kernel-modules # For squashfs
ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
fi
+
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+ jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done
test_require_bin mksquashfs
test_append_files() {
+ inst_binary mksquashfs
inst_binary unsquashfs
install_verity_minimal
}
integration_tests = {
'01': 'TEST-01-BASIC',
'02': 'TEST-02-UNITTESTS',
+ '29': 'TEST-29-PORTABLE',
+ '43': 'TEST-43-PRIVATEUSER-UNPRIV',
+ '50': 'TEST-50-DISSECT',
}
foreach test_number, dirname : integration_tests
test_params = {
mksquashfs "$initdir" "$oldinitdir/usr/share/minimal_1.raw" -noappend
veritysetup format "$oldinitdir/usr/share/minimal_1.raw" "$oldinitdir/usr/share/minimal_1.verity" | \
grep '^Root hash:' | cut -f2 | tr -d '\n' >"$oldinitdir/usr/share/minimal_1.roothash"
-
- # Rolling distros like Arch do not set VERSION_ID
- local version_id=""
- if grep -q "^VERSION_ID=" "$os_release"; then
- version_id="$(grep "^VERSION_ID=" "$os_release")"
- fi
-
- export initdir="$TESTDIR/app0"
- mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
- grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app0"
- echo "${version_id}" >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
- ( echo "${version_id}"
- echo "SYSEXT_IMAGE_ID=app" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
- cat >"$initdir/usr/lib/systemd/system/app0.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script0.sh
-TemporaryFileSystem=/var/lib
-StateDirectory=app0
-RuntimeDirectory=app0
-EOF
- cat >"$initdir/opt/script0.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo bar >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app0
-EOF
- chmod +x "$initdir/opt/script0.sh"
- echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
- mksquashfs "$initdir" "$oldinitdir/usr/share/app0.raw" -noappend
-
- export initdir="$TESTDIR/conf0"
- mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
- grep "^ID=" "$os_release" >"$initdir/etc/extension-release.d/extension-release.conf0"
- echo "${version_id}" >>"$initdir/etc/extension-release.d/extension-release.conf0"
- ( echo "${version_id}"
- echo "CONFEXT_IMAGE_ID=app" ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
- echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
- mksquashfs "$initdir" "$oldinitdir/usr/share/conf0.raw" -noappend
-
- export initdir="$TESTDIR/app1"
- mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
- grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app2"
- ( echo "${version_id}"
- echo "SYSEXT_SCOPE=portable"
- echo "SYSEXT_IMAGE_ID=app"
- echo "SYSEXT_IMAGE_VERSION=1"
- echo "PORTABLE_PREFIXES=app1" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app2"
- setfattr -n user.extension-release.strict -v false "$initdir/usr/lib/extension-release.d/extension-release.app2"
- cat >"$initdir/usr/lib/systemd/system/app1.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script1.sh
-StateDirectory=app1
-RuntimeDirectory=app1
-EOF
- cat >"$initdir/opt/script1.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo baz >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app2
-EOF
- chmod +x "$initdir/opt/script1.sh"
- echo MARKER=1 >"$initdir/usr/lib/systemd/system/other_file"
- mksquashfs "$initdir" "$oldinitdir/usr/share/app1.raw" -noappend
-
- export initdir="$TESTDIR/app-nodistro"
- mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
- ( echo "ID=_any"
- echo "ARCHITECTURE=_any" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-nodistro"
- echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
- mksquashfs "$initdir" "$oldinitdir/usr/share/app-nodistro.raw" -noappend
-
- export initdir="$TESTDIR/service-scoped-test"
- mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system"
- ( echo "ID=_any"
- echo "ARCHITECTURE=_any" ) >"$initdir/etc/extension-release.d/extension-release.service-scoped-test"
- echo MARKER_CONFEXT_123 >"$initdir/etc/systemd/system/some_file"
- mksquashfs "$initdir" "$oldinitdir/etc/service-scoped-test.raw" -noappend
-
- # We need to create a dedicated sysext image to test the reload mechanism. If we share an image to install the
- # 'foo.service' it will be loaded from another test run, which will impact the targeted test.
- export initdir="$TESTDIR/app-reload"
- mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
- ( echo "ID=_any"
- echo "ARCHITECTURE=_any"
- echo "EXTENSION_RELOAD_MANAGER=1" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-reload"
- mkdir -p "$initdir/usr/lib/systemd/system/multi-user.target.d"
- cat >"${initdir}/usr/lib/systemd/system/foo.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=echo foo
-
-[Install]
-WantedBy=multi-user.target
-EOF
- { echo "[Unit]"; echo "Upholds=foo.service"; } > "$initdir/usr/lib/systemd/system/multi-user.target.d/10-foo-service.conf"
- mksquashfs "$initdir" "$oldinitdir/usr/share/app-reload.raw" -noappend
)
}
set -eux
set -o pipefail
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+install_extension_images
+
# Set longer timeout for slower machines, e.g. non-KVM vm.
mkdir -p /run/systemd/system.conf.d
cat >/run/systemd/system.conf.d/10-timeout.conf <<EOF
systemd-dissect --no-pager /usr/share/minimal_0.raw | grep -q '✓ portable service'
systemd-dissect --no-pager /usr/share/minimal_1.raw | grep -q '✓ portable service'
-systemd-dissect --no-pager /usr/share/app0.raw | grep -q '✓ sysext for portable service'
-systemd-dissect --no-pager /usr/share/app1.raw | grep -q '✓ sysext for portable service'
-systemd-dissect --no-pager /usr/share/conf0.raw | grep -q '✓ confext for portable service'
+systemd-dissect --no-pager /tmp/app0.raw | grep -q '✓ sysext for portable service'
+systemd-dissect --no-pager /tmp/app1.raw | grep -q '✓ sysext for portable service'
+systemd-dissect --no-pager /tmp/conf0.raw | grep -q '✓ confext for portable service'
export SYSTEMD_LOG_LEVEL=debug
mkdir -p /run/systemd/system/systemd-portabled.service.d/
portablectl list | grep -q -F "No images."
busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
systemctl is-active app0.service
status="$(portablectl is-attached --extension app0 minimal_0)"
grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0.raw" /run/systemd/system.attached/app0.service.d/20-portable.conf
grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf
-portablectl "${ARGS[@]}" reattach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0
+portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_1.raw app0
systemctl is-active app0.service
status="$(portablectl is-attached --extension app0 minimal_1)"
grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0.raw" /run/systemd/system.attached/app0.service.d/20-portable.conf
grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf
-portablectl detach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0
+portablectl detach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_1.raw app0
# Ensure versioned images are accepted without needing to use --force to override the extension-release
# matching
-cp /usr/share/app0.raw /tmp/app0_1.0.raw
+cp /tmp/app0.raw /tmp/app0_1.0.raw
portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_0.raw app0
systemctl is-active app0.service
portablectl detach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_1.raw app0
rm -f /tmp/app0_1.0.raw
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
systemctl is-active app1.service
status="$(portablectl is-attached --extension app1 minimal_0)"
[[ "${status}" == "running-runtime" ]]
# Ensure that adding or removing a version to the image doesn't break reattaching
-cp /usr/share/app1.raw /tmp/app1_2.raw
+cp /tmp/app1.raw /tmp/app1_2.raw
portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1_2.raw /usr/share/minimal_1.raw app1
systemctl is-active app1.service
status="$(portablectl is-attached --extension app1_2 minimal_1)"
[[ "${status}" == "running-runtime" ]]
-portablectl "${ARGS[@]}" reattach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_1.raw app1
+portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_1.raw app1
systemctl is-active app1.service
status="$(portablectl is-attached --extension app1 minimal_1)"
[[ "${status}" == "running-runtime" ]]
-portablectl detach --force --no-reload --runtime --extension /usr/share/app1.raw /usr/share/minimal_1.raw app1
-portablectl "${ARGS[@]}" attach --force --no-reload --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl detach --force --no-reload --runtime --extension /tmp/app1.raw /usr/share/minimal_1.raw app1
+portablectl "${ARGS[@]}" attach --force --no-reload --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
systemctl daemon-reload
systemctl restart app1.service
status="$(portablectl is-attached --extension app1 minimal_0)"
[[ "${status}" == "running-runtime" ]]
-portablectl detach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl detach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
# Ensure vpick works, including reattaching to a new image
mkdir -p /tmp/app1.v/
-cp /usr/share/app1.raw /tmp/app1.v/app1_1.0.raw
+cp /tmp/app1.raw /tmp/app1.v/app1_1.0.raw
cp /tmp/app1_2.raw /tmp/app1.v/app1_2.0.raw
portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app1.v/ /usr/share/minimal_1.raw app1
grep -q -F baz "${STATE_DIRECTORY}/app1/foo"
# Ensure that we can override the check on extension-release.NAME
-cp /usr/share/app0.raw /tmp/app10.raw
+cp /tmp/app0.raw /tmp/app10.raw
portablectl "${ARGS[@]}" attach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
systemctl is-active app0.service
portablectl detach --force --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
# portablectl also accepts confexts
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0
systemctl is-active app0.service
-status="$(portablectl is-attached --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw)"
+status="$(portablectl is-attached --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw)"
[[ "${status}" == "running-runtime" ]]
-portablectl inspect --force --cat --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /usr/share/conf0.raw"
+portablectl inspect --force --cat --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /tmp/conf0.raw"
-portablectl detach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0
+portablectl detach --now --runtime --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0
# Ensure that mixed mode copies the images and units (client-owned) but symlinks the profile (OS owned)
-portablectl "${ARGS[@]}" attach --copy=mixed --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --copy=mixed --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
test -f /run/portables/app0.raw
test -f /run/portables/minimal_0.raw
test -f /run/systemd/system.attached/app0.service
test -L /run/systemd/system.attached/app0.service.d/10-profile.conf
-portablectl detach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl detach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
# Ensure that when two portables share the same base image, removing one doesn't remove the other too
-portablectl "${ARGS[@]}" attach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
-portablectl "${ARGS[@]}" attach --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl "${ARGS[@]}" attach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
status="$(portablectl is-attached --extension app0 minimal_0)"
[[ "${status}" == "attached-runtime" ]]
portablectl list | grep -F "app0" | grep -q -F "attached-runtime"
portablectl list | grep -F "app1" | grep -q -F "attached-runtime"
-portablectl detach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app
+portablectl detach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app
status="$(portablectl is-attached --extension app1 minimal_0)"
[[ "${status}" == "attached-runtime" ]]
-portablectl detach --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app
+portablectl detach --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app
# portablectl also works with directory paths rather than images
mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc
-mount /usr/share/app0.raw /tmp/app0
-mount /usr/share/app1.raw /tmp/app1
+mount /tmp/app0.raw /tmp/app0
+mount /tmp/app1.raw /tmp/app1
mount /usr/share/minimal_0.raw /tmp/rootdir
# Fix up os-release to drop the valid PORTABLE_SERVICES field (because we are
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
+install_extension_images
+
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
echo "Cannot create unprivileged user namespaces" >/skipped
exit 77
# Unprivileged overlayfs was added to Linux 5.11, so try to detect it first
mkdir -p /tmp/a /tmp/b /tmp/c
if unshare --mount --user --map-root-user mount -t overlay overlay /tmp/c -o lowerdir=/tmp/a:/tmp/b; then
- unsquashfs -no-xattrs -d /tmp/app2 /usr/share/app1.raw
+ unsquashfs -no-xattrs -d /tmp/app2 /tmp/app1.raw
runas testuser systemd-run --wait --user --unit=test-extension-dir \
-p ExtensionDirectories=/tmp/app2 \
-p TemporaryFileSystem=/run -p RootDirectory=/tmp/img \
systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
+# shellcheck disable=SC2153
systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F -f <(sed 's/"//g' "$OS_RELEASE")
systemd-dissect --list "$MINIMAL_IMAGE.raw" | grep -q '^etc/os-release$'
# ExtensionImages will set up an overlay
systemd-run -P \
- --property ExtensionImages=/usr/share/app0.raw \
+ --property ExtensionImages=/tmp/app0.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
- --property ExtensionImages=/usr/share/app0.raw \
+ --property ExtensionImages=/tmp/app0.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
- --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
- --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
- --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script1.sh | grep -q -F "extension-release.app2"
systemd-run -P \
- --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+ --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
systemd-run -P \
- --property ExtensionImages=/usr/share/app-nodistro.raw \
+ --property ExtensionImages=/tmp/app-nodistro.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
# Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw
-mkdir -p /usr/share/symlink-test/
-cp /usr/share/app-nodistro.raw /usr/share/symlink-test/app-nodistro-v1.raw
-ln -fs /usr/share/symlink-test/app-nodistro-v1.raw /usr/share/symlink-test/app-nodistro.raw
+mkdir -p /tmp/symlink-test/
+cp /tmp/app-nodistro.raw /tmp/symlink-test/app-nodistro-v1.raw
+ln -fs /tmp/symlink-test/app-nodistro-v1.raw /tmp/symlink-test/app-nodistro.raw
systemd-run -P \
- --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
# And again mixing sysext and confext
systemd-run -P \
- --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
--property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
systemd-run -P \
- --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+ --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
--property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
TemporaryFileSystem=/run /var/lib
StateDirectory=app0
RootImage=$MINIMAL_IMAGE.raw
-ExtensionImages=/usr/share/app0.raw /usr/share/app1.raw:nosuid
+ExtensionImages=/tmp/app0.raw /tmp/app1.raw:nosuid
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# Relevant only for sanitizer runs
UnsetEnvironment=LD_PRELOAD
VDIR="/tmp/$VBASE.v"
mkdir "$VDIR"
-ln -s /usr/share/app0.raw "$VDIR/${VBASE}_0.raw"
-ln -s /usr/share/app1.raw "$VDIR/${VBASE}_1.raw"
+ln -s /tmp/app0.raw "$VDIR/${VBASE}_0.raw"
+ln -s /tmp/app1.raw "$VDIR/${VBASE}_1.raw"
systemd-run -P -p ExtensionImages="$VDIR" bash -c '/opt/script1.sh | grep ID'
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh)
-systemd-dissect --mount /usr/share/app0.raw "$IMAGE_DIR/app0"
-systemd-dissect --mount /usr/share/app1.raw "$IMAGE_DIR/app1"
-systemd-dissect --mount /usr/share/app-nodistro.raw "$IMAGE_DIR/app-nodistro"
+systemd-dissect --mount /tmp/app0.raw "$IMAGE_DIR/app0"
+systemd-dissect --mount /tmp/app1.raw "$IMAGE_DIR/app1"
+systemd-dissect --mount /tmp/app-nodistro.raw "$IMAGE_DIR/app-nodistro"
systemd-dissect --mount /etc/service-scoped-test.raw "$IMAGE_DIR/service-scoped-test"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0" \
# Test that an extension consisting of an empty directory under /etc/extensions/ takes precedence
mkdir -p /var/lib/extensions/
-ln -s /usr/share/app-nodistro.raw /var/lib/extensions/app-nodistro.raw
+ln -s /tmp/app-nodistro.raw /var/lib/extensions/app-nodistro.raw
systemd-sysext merge
grep -q -F "MARKER=1" /usr/lib/systemd/system/some_file
systemd-sysext unmerge
# Test that systemd-sysext reloads the daemon.
mkdir -p /var/lib/extensions/
-ln -s /usr/share/app-reload.raw /var/lib/extensions/app-reload.raw
+ln -s /tmp/app-reload.raw /var/lib/extensions/app-reload.raw
systemd-sysext merge --no-reload
# the service should not be running
(! systemctl --quiet is-active foo.service)
# shellcheck source=test/units/test-control.sh
. "$(dirname "$0")"/test-control.sh
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
# Setup shared stuff & run all subtests
at_exit() {
MINIMAL_IMAGE="$IMAGE_DIR/minimal_0"
MINIMAL_IMAGE_ROOTHASH="$(<"$MINIMAL_IMAGE.roothash")"
+install_extension_images
+
OS_RELEASE="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
if systemctl --version | grep -q -- +OPENSSL ; then
umount -l /usr
fi
}
+
+install_extension_images() {
+ local os_release
+ os_release="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
+
+ # Rolling distros like Arch do not set VERSION_ID
+ local version_id=""
+ if grep -q "^VERSION_ID=" "$os_release"; then
+ version_id="$(grep "^VERSION_ID=" "$os_release")"
+ fi
+
+ local initdir="/var/tmp/app0"
+ mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
+ grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app0"
+ echo "$version_id" >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
+ (
+ echo "$version_id"
+ echo "SYSEXT_IMAGE_ID=app"
+ ) >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
+ cat >"$initdir/usr/lib/systemd/system/app0.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/opt/script0.sh
+TemporaryFileSystem=/var/lib
+StateDirectory=app0
+RuntimeDirectory=app0
+EOF
+ cat >"$initdir/opt/script0.sh" <<EOF
+#!/bin/bash
+set -e
+test -e /usr/lib/os-release
+echo bar >\${STATE_DIRECTORY}/foo
+cat /usr/lib/extension-release.d/extension-release.app0
+EOF
+ chmod +x "$initdir/opt/script0.sh"
+ echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
+ mksquashfs "$initdir" /tmp/app0.raw -noappend
+
+ initdir="/var/tmp/conf0"
+ mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
+ grep "^ID=" "$os_release" >"$initdir/etc/extension-release.d/extension-release.conf0"
+ echo "$version_id" >>"$initdir/etc/extension-release.d/extension-release.conf0"
+ (
+ echo "$version_id"
+ echo "CONFEXT_IMAGE_ID=app"
+ ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
+ echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
+ mksquashfs "$initdir" /tmp/conf0.raw -noappend
+
+ initdir="/var/tmp/app1"
+ mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
+ grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app2"
+ (
+ echo "$version_id"
+ echo "SYSEXT_SCOPE=portable"
+ echo "SYSEXT_IMAGE_ID=app"
+ echo "SYSEXT_IMAGE_VERSION=1"
+ echo "PORTABLE_PREFIXES=app1"
+ ) >>"$initdir/usr/lib/extension-release.d/extension-release.app2"
+ setfattr -n user.extension-release.strict -v false "$initdir/usr/lib/extension-release.d/extension-release.app2"
+ cat >"$initdir/usr/lib/systemd/system/app1.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/opt/script1.sh
+StateDirectory=app1
+RuntimeDirectory=app1
+EOF
+ cat >"$initdir/opt/script1.sh" <<EOF
+#!/bin/bash
+set -e
+test -e /usr/lib/os-release
+echo baz >\${STATE_DIRECTORY}/foo
+cat /usr/lib/extension-release.d/extension-release.app2
+EOF
+ chmod +x "$initdir/opt/script1.sh"
+ echo MARKER=1 >"$initdir/usr/lib/systemd/system/other_file"
+ mksquashfs "$initdir" /tmp/app1.raw -noappend
+
+ initdir="/var/tmp/app-nodistro"
+ mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
+ (
+ echo "ID=_any"
+ echo "ARCHITECTURE=_any"
+ ) >"$initdir/usr/lib/extension-release.d/extension-release.app-nodistro"
+ echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
+ mksquashfs "$initdir" /tmp/app-nodistro.raw -noappend
+
+ initdir="/var/tmp/service-scoped-test"
+ mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system"
+ (
+ echo "ID=_any"
+ echo "ARCHITECTURE=_any"
+ ) >"$initdir/etc/extension-release.d/extension-release.service-scoped-test"
+ echo MARKER_CONFEXT_123 >"$initdir/etc/systemd/system/some_file"
+ mksquashfs "$initdir" /etc/service-scoped-test.raw -noappend
+
+ # We need to create a dedicated sysext image to test the reload mechanism. If we share an image to install the
+ # 'foo.service' it will be loaded from another test run, which will impact the targeted test.
+ initdir="/var/tmp/app-reload"
+ mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
+ (
+ echo "ID=_any"
+ echo "ARCHITECTURE=_any"
+ echo "EXTENSION_RELOAD_MANAGER=1"
+ ) >"$initdir/usr/lib/extension-release.d/extension-release.app-reload"
+ mkdir -p "$initdir/usr/lib/systemd/system/multi-user.target.d"
+ cat >"$initdir/usr/lib/systemd/system/foo.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=echo foo
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ echo -e "[Unit]\nUpholds=foo.service" >"$initdir/usr/lib/systemd/system/multi-user.target.d/10-foo-service.conf"
+ mksquashfs "$initdir" /tmp/app-reload.raw -noappend
+}
projects / thirdparty / systemd.git / commitdiff
