From 69b18e62a9336f0cb8b4feb99048ce9f361c2d11 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Fri, 24 Oct 2025 18:20:07 +0900
Subject: [PATCH 1/5] Make systemd-confext automatically use the mutable mode

So far we had a custom overlay mount for /etc that provided the A/B updated files from /usr in a lowerdir. Since then we upstreamed a mutable mode for sysext and confext. We can now switch over to it and provide a default confext by using the mutable mode. For user-provided to be supported we need to wait for the atomic remount to be there so that a reload is less impacting. Also, one has to be careful with the stacking order for user-provided extensions and modes other than mutable. The read-only mode also needs more design work in Flatcar.

Signed-off-by: Kai Lueke
---
 systemd/confext.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 systemd/confext.conf

diff --git a/systemd/confext.conf b/systemd/confext.conf
new file mode 100644
index 0000000..af3c8ac
--- /dev/null
+++ b/systemd/confext.conf
@@ -0,0 +1,2 @@
+[ConfExt]
+Mutable=auto

From fdd2787582ff65b16e9f2d5c885d9bb3f41fb9a3 Mon Sep 17 00:00:00 2001
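Review bot: The new confext.conf has no comment explaining why `Mutable=auto` is used rather than `yes`, and the effect of `auto` depends on state provisioned elsewhere (the initrd preparation this series refers to), so a reader of the installed file has nothing to go on. Above the key I would add `# auto: /etc is merged mutably only when /var/lib/extensions.mutable/etc exists (set up by the initrd); otherwise the merge stays read-only.` — that is my reading of systemd's auto semantics and of the series, so confirm the wording against the systemd-confext man page. The value itself matches the commit's intent; this is documentation only.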
From: Kai Lueke
Date: Sat, 6 Dec 2025 00:43:25 +0900
Subject: [PATCH 2/5] Drop old ensure-sysext.service workaround

When systemd-sysext didn't support issuing a daemon reload, we had this service do it. This is now doing the same thing again while not needed. The service also added support to using .wants but in general .upholds should be used. For extensions that use .wants we can still start their services when we set the extension up from the initrd. Left is just the case where the extension is loaded live but since this was a Flatcar-specific workaround it's not something we want to support and users either should migrate to .upholds, start the service manually (or with the target restart as done in this workaround), or do a reboot when they add new extensions live. We also plan to add a service restart field to the extension-release metadata file so that one doesn't need to use .upholds and it even covers more cases.

Signed-off-by: Kai Lueke
---
 systemd/system/ensure-sysext.service | 17 -----------------
 .../sysinit.target.wants/ensure-sysext.service | 1 -
 2 files changed, 18 deletions(-)
 delete mode 100644 systemd/system/ensure-sysext.service
 delete mode 120000 systemd/system/sysinit.target.wants/ensure-sysext.service

diff --git a/systemd/system/ensure-sysext.service b/systemd/system/ensure-sysext.service
deleted file mode 100644
index e35d7ac..0000000
--- a/systemd/system/ensure-sysext.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-BindsTo=systemd-sysext.service
-After=systemd-sysext.service
-DefaultDependencies=no
-# Keep in sync with systemd-sysext.service
-ConditionDirectoryNotEmpty=|/etc/extensions
-ConditionDirectoryNotEmpty=|/run/extensions
-ConditionDirectoryNotEmpty=|/var/lib/extensions
-ConditionDirectoryNotEmpty=|/usr/local/lib/extensions
-ConditionDirectoryNotEmpty=|/usr/lib/extensions
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/systemctl daemon-reload
-ExecStart=/usr/bin/systemctl restart --no-block sockets.target timers.target multi-user.target
-[Install]
-WantedBy=sysinit.target
diff --git a/systemd/system/sysinit.target.wants/ensure-sysext.service b/systemd/system/sysinit.target.wants/ensure-sysext.service
deleted file mode 120000
index 8fe8067..0000000
--- a/systemd/system/sysinit.target.wants/ensure-sysext.service
+++ /dev/null
@@ -1 +0,0 @@
-../ensure-sysext.service
\ No newline at end of file

From 8c2c1f40f22ee48dd5068e1c0fbd49d74b778780 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 8 Dec 2025 21:47:18 +0900
Subject: [PATCH 3/5] systemd: Define order for confext and sysext

For a confext to influence how things shipped in a sysext behave or even how sysext itself behaves it's good to define that confext runs first. This is also explicitly done in bootengine. With the skip logic we ideally don't set up extensions again during boot but that only works if the contents can be ensured to be equal and the fallback is a full refresh otherwise.

Signed-off-by: Kai Lueke
---
 systemd/system/systemd-sysext.service.d/after-confext.conf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 systemd/system/systemd-sysext.service.d/after-confext.conf

diff --git a/systemd/system/systemd-sysext.service.d/after-confext.conf b/systemd/system/systemd-sysext.service.d/after-confext.conf
new file mode 100644
index 0000000..c0dea74
--- /dev/null
+++ b/systemd/system/systemd-sysext.service.d/after-confext.conf
@@ -0,0 +1,3 @@
+# Define an order to allow a confext to influence systemd-sysext
+[Unit]
+After=systemd-confext.service

From ac458a94c1d954c6254c15e911817d4aba84abd7 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Sat, 13 Dec 2025 01:35:32 +0900
Subject: [PATCH 4/5] systemd: Add workaround for late mounted /var partitions

When users have their own /var partitions these get mounted only in the final system and then lack the preparation done in the initrd for mutable /etc. Do this just before we run systemd-confext.service so that it sees that /etc should be mutable and thus does not do a refresh into read-only but skips the refresh.

Signed-off-by: Kai Lueke
---
 systemd/system/systemd-confext.service.d/prepare-mutable.conf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 systemd/system/systemd-confext.service.d/prepare-mutable.conf

diff --git a/systemd/system/systemd-confext.service.d/prepare-mutable.conf b/systemd/system/systemd-confext.service.d/prepare-mutable.conf
new file mode 100644
index 0000000..4177e1a
--- /dev/null
+++ b/systemd/system/systemd-confext.service.d/prepare-mutable.conf
@@ -0,0 +1,3 @@
+[Service]
+# Users having their own /var partition don't get this set up in the initrd
+ExecStartPre=/bin/bash -c "mkdir -p /var/lib/extensions.mutable/ && if [ ! -L /var/lib/extensions.mutable/etc ] && [ ! -e /var/lib/extensions.mutable/etc ]; then ln -s /etc /var/lib/extensions.mutable/etc; fi"

From 8105e6447529662110ae12de78cf2e03e4c3c467 Mon Sep 17 00:00:00 2001
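Review bot: The comment on the first line of after-confext.conf says what the drop-in is for but not what it deliberately does not do, and `After=` without `Wants=` is easy to misread as pulling confext in. I would extend it to `# Ordering only (no Wants=): systemd-sysext still runs on systems without any confext; when both are scheduled, confext runs first so its configuration can affect sysext.` No code change is needed; the ordering itself matches the commit message.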
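Review bot: The `ExecStartPre=` on the last line of prepare-mutable.conf writes under /var/lib, yet the drop-in adds no ordering against the late-mounted /var it exists to handle: if systemd-confext.service is started before that mount, `mkdir -p` creates the directory and symlink on the root filesystem and the later mount hides them, so confext still ends up read-only and the workaround silently does nothing. Unless systemd-confext.service is already ordered after local-fs.target (its unit is not visible here), I would add a `[Unit]` stanza with `RequiresMountsFor=/var/lib/extensions.mutable` so the dependency is explicit and holds for mounts that are not part of local-fs.target. The `[ ! -L ] && [ ! -e ]` guard also accepts a pre-existing plain directory at /var/lib/extensions.mutable/etc without comment; if I read the mutable mode right that directory then becomes the upper layer instead of /etc itself, so a comment stating that such a directory is intentionally left alone (or an `echo >&2` notice) would save operators a confusing debugging session.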
From: Kai Lueke
Date: Sat, 13 Dec 2025 23:47:55 +0900
Subject: [PATCH 5/5] systemd: Add noop sysupdate transfer config

When the systemd-sysupdate.service runs it fails if there is no config. Since we don't use it, it's expected to do nothing but this failure is making problems when the service is started from the timer unit which is now enabled by default. This service is also used by the sysext-bakery update configs for drop-in steps that update sysupdate components. There we let users add a noop config to prevent this service failure. Since we run into this in Flatcar now and we anyway had users add this manually, let's just add it directly to Flatcar.

Signed-off-by: Kai Lueke
---
 Makefile | 2 ++
 sysupdate.d/noop.transfer | 8 ++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 sysupdate.d/noop.transfer

diff --git a/Makefile b/Makefile
index 1b1495b..90d2a14 100644
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@ install:
 $(DESTDIR)/usr/bin \
 $(DESTDIR)/usr/sbin \
 $(DESTDIR)/usr/lib/flatcar \
+ $(DESTDIR)/usr/lib/sysupdate.d \
 $(DESTDIR)/usr/lib/systemd/system \
 $(DESTDIR)/usr/lib/systemd/network \
 $(DESTDIR)/usr/lib/systemd/system-generators \
@@ -33,6 +34,7 @@ install:
 install -m 644 configs/modules-load.d/* $(DESTDIR)/usr/lib/modules-load.d/
 install -m 644 configs/tmpfiles.d/* $(DESTDIR)/usr/lib/tmpfiles.d/
 cp -a systemd/* $(DESTDIR)/usr/lib/systemd/
+ cp -a sysupdate.d/* $(DESTDIR)/usr/lib/sysupdate.d/
 chmod 755 $(DESTDIR)/usr/lib/systemd/system-generators/*
 ln -sf ../run/issue $(DESTDIR)/etc/issue
 ln -sfT flatcar $(DESTDIR)/usr/lib/coreos
diff --git a/sysupdate.d/noop.transfer b/sysupdate.d/noop.transfer
new file mode 100644
index 0000000..a591a2e
--- /dev/null
+++ b/sysupdate.d/noop.transfer
@@ -0,0 +1,8 @@
+[Source]
+Type=regular-file
+Path=/
+MatchPattern=invalid@v.raw
+[Target]
+Type=regular-file
+Path=/
+MatchPattern=invalid@v.raw
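Review bot: The added `cp -a sysupdate.d/* $(DESTDIR)/usr/lib/sysupdate.d/` in the second Makefile hunk preserves whatever mode, owner and timestamps the checkout happens to have, so the installed transfer file's permissions depend on the build host rather than the recipe. The neighbouring config installs two lines above use `install -m 644 …`, and `sysupdate.d/noop.transfer` is a single regular file with no symlinks that would justify `cp -a`, so `install -m 644 sysupdate.d/* $(DESTDIR)/usr/lib/sysupdate.d/` would be both consistent and deterministic. The `cp -a systemd/*` line it was modelled on copies a tree with symlinks, which is a different case.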
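Review bot: noop.transfer carries none of the rationale from the commit message, so anyone finding it under /usr/lib/sysupdate.d/ will read a Source and Target that both point at `/` with the same `MatchPattern=` and wonder whether it is a mistake. I would open the file with a comment along the lines of `# Intentional no-op: systemd-sysupdate.service fails when no transfer is configured and its timer is enabled by default; Flatcar does not use sysupdate, so this transfer is not expected to match anything.` If the sysext-bakery noop file users were told to add has the same name under /etc/sysupdate.d/, that copy would take precedence over this one, which is harmless but worth a sentence in the comment or release notes.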