require direct IMDS access. The new meson option "-Dimds-network="
can be used to change the default mode to "locked" at build-time.
+ Changes in systemd-sysext/systemd-confext:
+
+ * New initrd services systemd-sysext-sysroot.service and
+ systemd-confext-sysroot.service are provided. These services are
+ used to merge system and configuration extensions for the main system
+ from the initrd. This overcomes the limitation that system and
+ configuration extensions merged from the main system itself cannot be
+ used to modify the resources which are used in the early boot.
+
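Review bot: the NEWS entry for the new systemd-sysext-sysroot.service and systemd-confext-sysroot.service should also state the limitation that the man page text in this same change documents, namely that extensions located under /sysroot/var/lib/extensions/ and /sysroot/var/lib/confexts/ are not merged by these services when /var is a separate partition and are picked up only later by systemd-sysext.service and systemd-confext.service. Readers of NEWS will otherwise assume the initrd merge covers every search path; a sentence such as "Note that extensions on a split-off /var are not merged in the initrd yet; see the TODO entry." would avoid that.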
CHANGES WITH 260:
Feature Removals and Incompatible Changes:
similar "devices"
Features:
+* sysext: make systemd-{sys,conf}ext-sysroot.service work in the split '/var'
+ configuration.
* sd-varlink: add fully async modes of the protocol upgrade stuff
* in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
-* systemd-sysext: optionally, run it in initrd already, before transitioning
- into host, to open up possibility for services shipped like that.
-
* whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
reception limit the kernel silently enforces.
'8',
['systemd-confext',
'systemd-confext-initrd.service',
+ 'systemd-confext-sysroot.service',
'systemd-confext.service',
'systemd-sysext-initrd.service',
+ 'systemd-sysext-sysroot.service',
'systemd-sysext.service'],
'ENABLE_SYSEXT'],
['systemd-system-update-generator', '8', [], ''],
<refname>systemd-sysext</refname>
<refname>systemd-sysext.service</refname>
<refname>systemd-sysext-initrd.service</refname>
+ <refname>systemd-sysext-sysroot.service</refname>
<refname>systemd-confext</refname>
<refname>systemd-confext.service</refname>
<refname>systemd-confext-initrd.service</refname>
+ <refname>systemd-confext-sysroot.service</refname>
<refpurpose>Activates System Extension Images</refpurpose>
</refnamediv>
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> with
extension images found in the system's EFI System Partition.</para>
- <para>During boot OS extension images are activated automatically, if the
- <filename>systemd-sysext.service</filename> is enabled. Note that this service runs only after the
- underlying file systems where system extensions may be located have been mounted. This means they are not
- suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically,
- OS extension images are not suitable for shipping system services or
+ <para>During boot, system and configuration extension images are activated automatically if the
+ <filename>systemd-sysext.service</filename> and <filename>systemd-confext.service</filename> services are
+ enabled. Note that these services run only after the underlying file systems where system and configuration
+ extensions may be located have been mounted. To make it possible to ship resources that are processed by
+ subsystems running in the earliest boot stages (for example, system services or
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- definitions. See the <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> page
- for a simple mechanism for shipping system services in disk images, in a similar fashion to OS
- extensions. Note the different isolation on these two mechanisms: while system extension directly extend
- the underlying OS image with additional files that appear in a way very similar to as if they were
- shipped in the OS image itself and thus imply no security isolation, portable services imply service
- level sandboxing in one way or another. The <filename>systemd-sysext.service</filename> service is
- guaranteed to finish start-up before <filename>basic.target</filename> is reached; i.e. at the time
+ definitions), the <filename>systemd-sysext-sysroot.service</filename> and
+ <filename>systemd-confext-sysroot.service</filename> initrd services are provided. Currently, these
+ services cannot be used to merge system extensions from <filename>/sysroot/var/lib/extensions/</filename>
+ and configuration extensions from <filename>/sysroot/var/lib/confexts/</filename> when the
+ <filename>/var/</filename> partition is split off. These extensions are later merged by the
+ <filename>systemd-sysext.service</filename> and <filename>systemd-confext.service</filename> services
+ during the main OS boot process.</para>
+
+ <para>Also, see the <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>
+ page for a simple mechanism for shipping system services in disk images, in a similar fashion to OS
+ extensions. Note the differences in isolation between these two mechanisms: while system extensions directly extend
+ the underlying OS image with additional files that appear as if they were shipped in the OS image itself
+ and thus imply no security isolation, portable services imply service-level sandboxing in one way or another.</para>
+
+ <para>The <filename>systemd-sysext.service</filename> and <filename>systemd-confext.service</filename>
+ services are guaranteed to finish start-up before <filename>basic.target</filename> is reached; i.e., by the time
regular services initialize (those which do not use <varname>DefaultDependencies=no</varname>), the files
- and directories system extensions provide are available in <filename>/usr/</filename> and
- <filename>/opt/</filename> and may be accessed.</para>
+ and directories provided by system and configuration extensions are available in <filename>/usr/</filename>,
+ <filename>/opt/</filename>, and <filename>/etc/</filename> and may be accessed.</para>
+
+ <para>System and configuration extensions can also be used to extend the initrd, and the
+ <filename>systemd-sysext-initrd.service</filename> and <filename>systemd-confext-initrd.service</filename>
+ initrd services are provided. Note that some limitations apply: resources that are used in the earliest boot
+ stages of the initrd (e.g. system services) cannot be updated.</para>
<para>Note that there is no concept of enabling/disabling installed system extension images: all
installed extension images are automatically activated at boot. However, you can place an empty directory
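Review bot: the sentence "Currently, these services cannot be used to merge system extensions from /sysroot/var/lib/extensions/ and configuration extensions from /sysroot/var/lib/confexts/ when the /var/ partition is split off" states the limitation but not why, which makes it hard for a reader to judge when it applies. The new units are ordered only after sysroot.mount and sysroot-usr.mount, so a separately mounted /var is not yet present under /sysroot when the ConditionDirectoryNotEmpty= checks run; saying so here ("because they run before a separate /var/ is mounted under /sysroot/") would make the behaviour predictable. The new closing paragraph's "resources that are used in the earliest boot stages of the initrd (e.g. system services) cannot be updated" could likewise name the stage it refers to (the initrd services that start before systemd-sysext-initrd.service and systemd-confext-initrd.service), since "earliest" is otherwise undefined.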
# Settings for systemd units distributed with systemd itself, specific to initrds.
+enable systemd-confext-sysroot.service
enable systemd-journald-audit.socket
enable systemd-network-generator.service
enable systemd-networkd.service
enable systemd-networkd-wait-online.service
enable systemd-pstore.service
enable systemd-resolved.service
+enable systemd-sysext-sysroot.service
enable systemd-tpm2-clear.service
disable console-getty.service
disable syslog.socket
disable systemd-boot-check-no-failures.service
+disable systemd-confext-sysroot.service
disable systemd-journal-gatewayd.*
disable systemd-journal-remote.*
disable systemd-journal-upload.*
+disable systemd-sysext-sysroot.service
disable systemd-time-wait-sync.service
'conditions' : ['ENABLE_INITRD', 'ENABLE_SYSEXT'],
'symlinks' : ['initrd.target.wants/'],
},
+ {
+ 'file' : 'systemd-confext-sysroot.service',
+ 'conditions' : ['ENABLE_INITRD', 'ENABLE_SYSEXT'],
+ },
{
'file' : 'systemd-coredump.socket',
'conditions' : ['ENABLE_COREDUMP'],
'conditions' : ['ENABLE_INITRD', 'ENABLE_SYSEXT'],
'symlinks' : ['initrd.target.wants/'],
},
+ {
+ 'file' : 'systemd-sysext-sysroot.service',
+ 'conditions' : ['ENABLE_INITRD', 'ENABLE_SYSEXT'],
+ },
{
'file' : 'systemd-sysext.socket',
'conditions' : ['ENABLE_SYSEXT'],
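Review bot: the two new entries for systemd-confext-sysroot.service and systemd-sysext-sysroot.service omit the 'symlinks' : ['initrd.target.wants/'] line that the neighbouring systemd-confext-initrd.service and systemd-sysext-initrd.service entries carry, so unlike those units they are not pulled in statically and depend on the [Install] WantedBy=initrd.target section plus the preset being applied when the initrd is assembled. If that divergence is intentional (so that distributions can opt out via the preset), a short comment next to the entries saying so would help; if not, adding the same 'symlinks' line would give the sysroot units the same always-on behaviour as the initrd units.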
# (at your option) any later version.
[Unit]
-Description=Merge System Configuration Images into /etc/
+Description=Merge System Configuration Images into /etc/ of the initrd
Documentation=man:systemd-confext-initrd.service(8)
ConditionCapability=CAP_SYS_ADMIN
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Merge System Configuration Images into /sysroot/etc/
+Documentation=man:systemd-confext-sysroot.service(8)
+
+ConditionCapability=CAP_SYS_ADMIN
+ConditionDirectoryNotEmpty=|/sysroot/var/lib/confexts
+ConditionDirectoryNotEmpty=|/sysroot/usr/local/lib/confexts
+ConditionDirectoryNotEmpty=|/sysroot/usr/lib/confexts
+ConditionPathExists=/etc/initrd-release
+
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=initrd-root-fs.target shutdown.target
+Wants=modprobe@loop.service modprobe@dm_mod.service
+After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount sysroot-usr.mount systemd-volatile-root.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-confext --root=/sysroot refresh
+
+[Install]
+WantedBy=initrd.target
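Review bot: the ConditionDirectoryNotEmpty=|/sysroot/var/lib/confexts line is evaluated at a point where the unit is ordered only After=sysroot.mount sysroot-usr.mount, so with a separately mounted /var that directory is not yet visible under /sysroot and the condition (and the later refresh) silently miss any confexts stored there. That matches the limitation described in the man page change and the new TODO item, but the unit itself gives no hint of it; a comment above the condition lines ("# A split-off /var is not mounted under /sysroot yet at this point; confexts there are merged later by systemd-confext.service") would save the next reader a trip to the documentation. The Description= "Merge System Configuration Images into /sysroot/etc/" is also consistent with the matching initrd unit's new "of the initrd" wording.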
# (at your option) any later version.
[Unit]
-Description=Merge System Extension Images into /usr/ and /opt/
+Description=Merge System Extension Images into /usr/ and /opt/ of the initrd
Documentation=man:systemd-sysext-initrd.service(8)
ConditionCapability=CAP_SYS_ADMIN
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Merge System Extension Images into /sysroot/usr/ and /sysroot/opt/
+Documentation=man:systemd-sysext-sysroot.service(8)
+
+ConditionCapability=CAP_SYS_ADMIN
+ConditionDirectoryNotEmpty=|/sysroot/etc/extensions
+ConditionDirectoryNotEmpty=|/sysroot/var/lib/extensions
+ConditionPathExists=/etc/initrd-release
+
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=initrd-root-fs.target shutdown.target
+Wants=modprobe@loop.service modprobe@dm_mod.service
+After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount sysroot-usr.mount systemd-volatile-root.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-sysext --root=/sysroot refresh
+
+[Install]
+WantedBy=initrd.target
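Review bot: the condition list here is narrower than in the sibling systemd-confext-sysroot.service: that unit checks /sysroot/var/lib/confexts, /sysroot/usr/local/lib/confexts and /sysroot/usr/lib/confexts, whereas this one checks only /sysroot/etc/extensions and /sysroot/var/lib/extensions. Since systemd-sysext also searches /usr/local/lib/extensions/ and /usr/lib/extensions/, an image that ships its extensions only under /sysroot/usr/lib/extensions would cause this unit to be skipped by its conditions even though the refresh would have merged them; either add the matching ConditionDirectoryNotEmpty=|/sysroot/usr/local/lib/extensions and ConditionDirectoryNotEmpty=|/sysroot/usr/lib/extensions lines, or explain in a comment why those paths are deliberately excluded in the initrd. The same split-/var ordering caveat noted for the confext unit applies to the /sysroot/var/lib/extensions condition here.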