Switch /etc to use confext in mutable mode #3555
Conversation
pothos
force-pushed
the
kai/default-confext
branch
from
57b08de to
18bda4e
Compare
pothos
force-pushed
the
kai/default-confext
branch
3 times, most recently
from
dc36a2c to
1fff71f
Compare
Test report for 4550.0.0+nightly-20251215-2100 / amd64 arm64Platforms tested : qemu_uefi-amd64 qemu_update-amd64 qemu_uefi-arm64 qemu_update-arm64
Diagnostic output for qemu_update-amd64, run 1
|
From 7f0d7d0eb24afe14cd62bfa78cb9e139b9f824d1 Signed-off-by: Kai Lueke <[email protected]>
From d45a090cf70ae75de9e22b54016b049a90f7abc8 Signed-off-by: Kai Lueke <[email protected]>
Most sysexts need a daemon reload to get their services (re)started when systemd-sysext (re)loads extensions after boot. Up to now this was done through ensure-sysext.service but only when systemd-sysext.service was restarted. A manual invocation of systemd-sysext did not get the daemon reload and, e.g., Docker failed to start. Since the daemon reload is done when at least one extension needs it and we can say that this is likely true for most of the extensions we build, we can unconditionally set it for now and see if we need to make it conditional per sysext later, e.g., when one could only have plain CLI extensions and no service extensions such as Docker/containerd or Podman (and even NVIDIA/ZFS require services after load). Signed-off-by: Kai Lueke <[email protected]>
This reverts commit d28ece4.
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <[email protected]>
Signed-off-by: Kai Lueke <[email protected]>
pothos
force-pushed
the
kai/default-confext
branch
from
1fff71f to
6025111
Compare
|
I've added the upstream PR links to the commit message: |
|
For less disruption due to emerge version picking I've deleted the unused systemd ebuilds but can add them back and make sure that the mask setting is enough to use the wanted version. |
| # folder and then convert it to a DDI and remove the folder. | ||
| sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default" | ||
| sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default" | ||
| sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc" |
There was a problem hiding this comment.
Just to make sure I'm understanding this correctly, the reason we don't mv here is because the image only contains /usr anyway, so /etc will get thrown away in the end?
That said, could you simplify this by just creating extension-release.00-flatcar-default under ${root_fs_dir}/etc and pointing systemd-repart at that?
For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in flatcar/init#138 and
flatcar/bootengine#115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confext don't work well yet unless they use verity due to
the missing atomic remount and reliance on the skipping logic. We also
need to look into stacking order and other mutabiliy settings.
This includes a systemd update to 258.2 to have a smaller diff for the backports.
How to use
Update git refs before merging.
Testing done
We should also add a mantle kola test for "Skipping extension refresh because no change was found" for sysext and confext because we never want to have a refresh during boot on an unmodified Flatcar image.
TODO: CI and Jenkins.
changelog/directory (user-facing change, bug fix, security fix, update)/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.