For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in https://github.com/flatcar/init/pull/138 and
https://github.com/flatcar/bootengine/pull/115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confexts don't work well yet unless they use verity, due to
the missing atomic remount and the reliance on the skipping logic. We also
need to look into stacking order and other mutability settings.
The backported systemd patches relate to the following upstream PRs:
https://github.com/systemd/systemd/pull/39843 for
  vpick-Don-t-use-openat-directly-but-resolve-symlinks
  discover-image-Follow-symlinks-in-a-given-root
  sysext-Use-correct-image-name-for-extension-release
  test-Add-tests-for-handling-symlinks-with-systemd-sy
Note that the patch in the PR relies on
0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch does not.
https://github.com/systemd/systemd/pull/39980 for
  sysext-Create-mutable-directory-with-the-right-mode
  sysext-Skip-refresh-if-no-changes-are-found
https://github.com/systemd/systemd/pull/39991 for
  sysext-Get-verity-user-certs-from-given-root
https://github.com/systemd/systemd/pull/40063 for
  sysext-Fix-config-file-support-with-root
which relies on https://github.com/systemd/systemd/pull/38250 for
  man-sysext.conf-add-systemd-sysext-config-files
  sysext-introduce-global-config-file
  sysext-support-ImagePolicy-global-config-option
Signed-off-by: Kai Lueke <kailuke@microsoft.com>

Most sysexts need a daemon reload to get their services (re)started when
systemd-sysext (re)loads extensions after boot. Up to now this was done
through ensure-sysext.service but only when systemd-sysext.service was
restarted. A manual invocation of systemd-sysext did not get the
daemon reload and, e.g., Docker failed to start.
Since the daemon reload is done when at least one extension needs it
and we can say that this is likely true for most of the extensions we
build, we can unconditionally set it for now and see if we need to
make it conditional per sysext later, e.g., when one could only have
plain CLI extensions and no service extensions such as Docker/containerd
or Podman (and even NVIDIA/ZFS require services after load).
Signed-off-by: Kai Lueke <kailuke@microsoft.com>

The CI automation test report library used embedded images to indicate
test success / failures. The URL these images were referenced from has
gone AWOL some time ago, resulting in ugly "missing image" references in
test reports.
This change updates the test result indicator code to only use emojis.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>

It's essentially a standalone userspace project that happens to live
within the kernel sources. It should not be built like the kernel.
hv_fcopy_daemon was dropped upstream.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Having too many variables is confusing, so use the ones already provided
by upstream. linux-info.eclass uses KERNEL_DIR (if set) as the kernel
sources directory and sets KV_DIR to that for use elsewhere. If
KERNEL_DIR is unset, it checks the /usr/src/linux symlink. While we
could rely on the symlink, we want to be sure that coreos-modules and
coreos-kernel are built against the matching kernel version.
KV_OUT_DIR is the kernel output directory. It is automatically set by
linux-info.eclass, and it will never leave it empty.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

We removed the sysext compression, because double compression is
redundant for sysexts stored in the already compressed BTRFS /usr. However,
OS-dependent sysexts that are downloaded on-demand were now also
uncompressed. This commit brings back the compression via the
SYSTEMD_REPART_MKFS_OPTIONS_EROFS option.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>