shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00
Code

Merge 09e73afc4f21462f432bcbf1fea4ca56a5e811a1 into e707d0459cb0143cdd449362ae372173143b970f

Browse Source
This commit is contained in:
leafcompost 2025-03-13 12:51:56 -07:00 committed by GitHub
commit 1305e5d818
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 844 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
man/systemd.exec.xml
View File

@ -562,6 +562,17 @@
To disable the safety check that the extension-release file name matches the image file name, the
<varname>x-systemd.relax-extension-release-check</varname> mount option may be appended.</para>
<para>This option can be used together with a <option>notify-reload</option> service type and
<citerefentry><refentrytitle>systemd.v</refentrytitle><manvolnum>7</manvolnum></citerefentry>
to manage configuration updates. When such a service carrying confext images is reloaded via
<command>systemctl reload foo.service</command> or equivalent D-Bus method, the confext itself will
be reloaded to pick up any changes. This only applies to confext extensions. Note that in case a
service has this configuration enabled at first, and then it is subsequently removed in an update
followed by a daemon-reload operation, reloading the confexts will be a no-op, and a full service
restart is required instead. See
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
also for details.</para>
<para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or
<literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is
set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode,
@ -606,6 +617,17 @@
or the host. See:
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>This option can be used together with a <option>notify-reload</option> service type and
<citerefentry><refentrytitle>systemd.v</refentrytitle><manvolnum>7</manvolnum></citerefentry>
to manage configuration updates. When such a service carrying confext directories is reloaded via
<command>systemctl reload foo.service</command> or equivalent D-Bus method, the confext itself will
be reloaded to pick up any changes. This only applies to confext extensions. Note that in case a
service has this configuration enabled at first, and then it is subsequently removed in an update
followed by a daemon-reload operation, reloading the confexts will be a no-op, and a full service
restart is required instead. See
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
also for details.</para>
<para>Note that usage from user units requires overlayfs support in unprivileged user namespaces,
which was first introduced in kernel v5.11.</para>

1
mkosi.images/minimal-base/mkosi.conf
View File

@ -13,6 +13,7 @@ Packages=
bash
coreutils
grep
socat
util-linux
[Include]

1
src/basic/unit-def.c
View File

@ -221,6 +221,7 @@ static const char* const service_state_table[_SERVICE_STATE_MAX] = {
[SERVICE_RELOAD] = "reload",
[SERVICE_RELOAD_SIGNAL] = "reload-signal",
[SERVICE_RELOAD_NOTIFY] = "reload-notify",
[SERVICE_RELOAD_MOUNTING] = "reload-mounting",
[SERVICE_STOP] = "stop",
[SERVICE_STOP_WATCHDOG] = "stop-watchdog",
[SERVICE_STOP_SIGTERM] = "stop-sigterm",

1
src/basic/unit-def.h
View File

@ -138,6 +138,7 @@ typedef enum ServiceState {
SERVICE_RELOAD, /* Reloading via ExecReload= */
SERVICE_RELOAD_SIGNAL, /* Reloading via SIGHUP requested */
SERVICE_RELOAD_NOTIFY, /* Waiting for READY=1 after RELOADING=1 notify */
SERVICE_RELOAD_MOUNTING, /* Refreshing extensions for a reload request */
SERVICE_MOUNTING, /* Performing a live mount into the namespace of the service */
SERVICE_STOP, /* No STOP_PRE state, instead just register multiple STOP executables */
SERVICE_STOP_WATCHDOG,

20
src/core/execute.c
View File

@ -72,6 +72,7 @@
#include "unit-serialize.h"
#include "user-util.h"
#include "utmp-wtmp.h"
#include "vpick.h"
static bool is_terminal_input(ExecInput i) {
return IN_SET(i,
@ -2003,6 +2004,25 @@ char** exec_context_get_restrict_filesystems(const ExecContext *c) {
return l ? TAKE_PTR(l) : strv_new(NULL);
}
int exec_context_has_vpicked_extensions(const ExecContext *context) {
int r;
assert(context);
FOREACH_ARRAY(mi, context->extension_images, context->n_extension_images) {
r = path_uses_vpick(mi->source);
if (r != 0)
return r;
}
STRV_FOREACH(ed, context->extension_directories) {
r = path_uses_vpick(*ed);
if (r != 0)
return r;
}
return 0;
}
void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts) {
assert(s);

2
src/core/execute.h
View File

@ -562,6 +562,8 @@ char** exec_context_get_syscall_log(const ExecContext *c);
char** exec_context_get_address_families(const ExecContext *c);
char** exec_context_get_restrict_filesystems(const ExecContext *c);
int exec_context_has_vpicked_extensions(const ExecContext *context);
void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts);
void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status);
void exec_status_handoff(ExecStatus *s, const struct ucred *ucred, const dual_timestamp *ts);

1
src/core/manager.c
View File

@ -1959,6 +1959,7 @@ static bool manager_dbus_is_running(Manager *m, bool deserialized) {
SERVICE_MOUNTING,
SERVICE_RELOAD,
SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD_MOUNTING,
SERVICE_RELOAD_SIGNAL))
return false;

428
src/core/namespace.c
View File

@ -24,6 +24,7 @@
#include "lock-util.h"
#include "loop-util.h"
#include "loopback-setup.h"
#include "missing_magic.h"
#include "missing_syscall.h"
#include "mkdir-label.h"
#include "mount-util.h"
@ -34,6 +35,8 @@
#include "nulstr-util.h"
#include "os-util.h"
#include "path-util.h"
#include "pidref.h"
#include "process-util.h"
#include "selinux-util.h"
#include "socket-util.h"
#include "sort-util.h"
@ -3310,6 +3313,431 @@ bool ns_type_supported(NamespaceType type) {
return access(ns_proc, F_OK) == 0;
}
static int unpeel_get_fd(const char *mount_path, int *ret_fd) {
_cleanup_close_pair_ int pipe_fds[2] = EBADF_PAIR;
_cleanup_close_ int fs_fd = -EBADF;
pid_t pid;
int r;
assert(mount_path);
assert(ret_fd);
r = socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, pipe_fds);
if (r < 0)
return log_debug_errno(errno, "Failed to create socket pair: %m");
/* Clone mount namespace here to unpeel without affecting live process */
r = safe_fork("(sd-ns-unpeel)", FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_WAIT|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE, &pid);
if (r < 0)
return r;
if (r == 0) {
_cleanup_close_ int dir_fd = -EBADF;
pipe_fds[0] = safe_close(pipe_fds[0]);
/* Opportunistically unmount any overlay at this path */
r = path_is_fs_type(mount_path, OVERLAYFS_SUPER_MAGIC);
if (r < 0) {
log_debug_errno(r, "Failed to check if %s is an overlayfs: %m", mount_path);
_exit(EXIT_FAILURE);
}
if (r > 0) {
r = umount_recursive(mount_path, MNT_DETACH);
if (r < 0) {
log_debug_errno(r, "Failed to unmount %s: %m", mount_path);
_exit(EXIT_FAILURE);
} else if (r == 0) /* no umounts done, possible if a previous reload deleted all extensions */
log_debug("No overlay layer unmountable from %s", mount_path);
}
/* Now that /mount_path is exposed, get an FD for it and pass back */
dir_fd = open_tree(-EBADF, mount_path, AT_SYMLINK_NOFOLLOW|OPEN_TREE_CLONE);
if (dir_fd < 0) {
log_debug_errno(errno, "Failed to clone mount %s: %m", mount_path);
_exit(EXIT_FAILURE);
}
r = send_one_fd(pipe_fds[1], dir_fd, 0);
if (r < 0) {
log_debug_errno(r, "Failed to send mount fd: %m");
_exit(EXIT_FAILURE);
}
_exit(EXIT_SUCCESS);
}
pipe_fds[1] = safe_close(pipe_fds[1]);
r = receive_one_fd(pipe_fds[0], 0);
if (r < 0)
return log_debug_errno(r, "Failed to receive mount fd: %m");
fs_fd = r;
r = fd_is_fs_type(fs_fd, OVERLAYFS_SUPER_MAGIC);
if (r < 0)
return log_debug_errno(r, "Unable to determine if unpeeled directory refers to overlayfs: %m");
if (r > 0)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unpeeled mount is still an overlayfs, something is weird, refusing.");
*ret_fd = TAKE_FD(fs_fd);
return 0;
}
/* In target namespace, unmounts an existing overlayfs at mount_path (if one exists), grabs FD from the
* underlying directory, and sets up a new overlayfs mount. Coordinates with parent process over pair_fd:
* 1. Creates and sends new overlay fs fd to parent
* 2. Fake-unmounts overlay at mount_path to obtain underlying directory fd to build new overlay
* 3. Waits for parent to configure layers
* 4. Performs final mount at mount_path
*
* This is used by refresh_extensions_in_namespace() to peel back any existing overlays and reapply them.
*/
static int unpeel_mount_and_setup_overlay(int pair_fd, const char *mount_path) {
_cleanup_close_ int dir_unpeeled_fd = -EBADF, overlay_fs_fd = -EBADF, mount_fd = -EBADF;
int r;
assert(pair_fd >= 0);
assert(mount_path);
/* Create new OverlayFS and send to parent */
overlay_fs_fd = fsopen("overlay", FSOPEN_CLOEXEC);
if (overlay_fs_fd < 0)
return log_debug_errno(errno, "Failed to create overlay fs for %s: %m", mount_path);
r = send_one_fd(pair_fd, overlay_fs_fd, /* flags= */ 0);
if (r < 0)
return log_debug_errno(r, "Failed to send overlay fs fd to parent: %m");
/* Unpeel in cloned mount namespace to get underlying directory fd */
r = unpeel_get_fd(mount_path, &dir_unpeeled_fd);
if (r < 0)
return log_debug_errno(r, "Failed to unpeel mount %s: %m", mount_path);
/* Send the fd to the parent */
r = send_one_fd(pair_fd, dir_unpeeled_fd, /* flags= */ 0);
if (r < 0)
return log_debug_errno(r, "Failed to send %s fd to parent: %m", mount_path);
/* Wait for parent to signal overlay configuration completion */
log_debug("Waiting for configured overlay fs for %s", mount_path);
r = receive_one_fd(pair_fd, 0);
if (r < 0)
return log_debug_errno(r, "Failed to receive configured overlay: %m");
/* Create the mount */
mount_fd = fsmount(overlay_fs_fd, FSMOUNT_CLOEXEC, /* flags= */ 0);
if (mount_fd < 0)
return log_debug_errno(errno, "Failed to create overlay mount: %m");
/* Move mount to final location */
r = mount_exchange_graceful(mount_fd, mount_path, /* mount_beneath= */ true);
if (r < 0)
return log_debug_errno(r, "Failed to move overlay to %s: %m", mount_path);
return 0;
}
static int refresh_grandchild_proc(
const PidRef *target,
MountList *ml,
const char *overlay_prefix,
int pidns_fd,
int mntns_fd,
int root_fd,
int pipe_fd) {
int r;
assert(pidref_is_set(target));
assert(ml);
assert(overlay_prefix);
assert(pidns_fd >= 0);
assert(mntns_fd >= 0);
assert(root_fd >= 0);
assert(pipe_fd >= 0);
r = namespace_enter(pidns_fd, mntns_fd, /* netns_fd= */ -EBADF, /* userns_fd= */ -EBADF, root_fd);
if (r < 0)
return log_debug_errno(r, "Failed to enter namespace: %m");
/* Handle each overlay mount path */
FOREACH_ARRAY(m, ml->mounts, ml->n_mounts) {
if (m->mode != MOUNT_OVERLAY)
continue;
const char *mount_path = startswith(mount_entry_unprefixed_path(m), overlay_prefix);
if (!mount_path)
mount_path = mount_entry_unprefixed_path(m);
r = path_is_mount_point(mount_path);
if (r < 0)
return log_debug_errno(r, "Unable to determine whether '%s' is a mount point: %m", mount_path);
if (r == 0)
continue;
/* If there are no extensions mounted for this overlay layer, instead of setting everything
* up, the correct behavior is to unmount the existing overlay in the target namespace to
* expose the original files. */
if (strv_isempty(m->overlay_layers)) {
r = path_is_fs_type(mount_path, OVERLAYFS_SUPER_MAGIC);
if (r < 0)
return log_debug_errno(r, "Unable to determine if directory '%s' refers to overlayfs: %m", mount_path);
if (r > 0) {
log_debug("No extensions for %s, undoing existing mount", mount_path);
r = umount_recursive(mount_path, MNT_DETACH);
if (r < 0)
log_debug_errno(r, "Failed to unmount %s: %m", mount_path);
}
continue;
}
r = unpeel_mount_and_setup_overlay(pipe_fd, mount_path);
if (r < 0)
return log_debug_errno(r, "Failed to setup overlay mount for %s: %m", mount_path);
}
return 0;
}
static int handle_mount_from_grandchild(
MountEntry *m,
const char *overlay_prefix,
int **fd_layers,
size_t *n_fd_layers,
int pipe_fd) {
_cleanup_free_ char *layers = NULL, *options = NULL, *hierarchy_path_moved_mount = NULL;
_cleanup_close_ int hierarchy_path_fd = -EBADF, overlay_fs_fd = -EBADF;
_cleanup_strv_free_ char **new_layers = NULL;
int r;
assert(m);
assert(overlay_prefix);
assert(fd_layers);
assert(n_fd_layers);
assert(pipe_fd >= 0);
if (m->mode != MOUNT_OVERLAY)
return 0;
const char *mount_path = startswith(mount_entry_unprefixed_path(m), overlay_prefix);
if (!mount_path)
mount_path = mount_entry_unprefixed_path(m);
/* If there are no extensions mounted for this overlay layer, we only need to
* unmount the existing overlay (this is handled in the grandchild process) and
* would skip the usual cooperative processing here.
*/
if (strv_isempty(m->overlay_layers)) {
log_debug("No layers for %s, skip setting up overlay", mount_path);
return 0;
}
/* Receive the fds from grandchild */
overlay_fs_fd = receive_one_fd(pipe_fd, 0);
if (overlay_fs_fd < 0)
return log_debug_errno(overlay_fs_fd, "Failed to receive overlay fs fd from grandchild: %m");
hierarchy_path_fd = receive_one_fd(pipe_fd, 0);
if (hierarchy_path_fd < 0)
return log_debug_errno(hierarchy_path_fd, "Failed to receive fd from grandchild for %s: %m", mount_path);
/* move_mount so that it is visible on our end. */
hierarchy_path_moved_mount = path_join(overlay_prefix, mount_path);
if (!hierarchy_path_moved_mount)
return log_oom_debug();
(void) mkdir_p_label(hierarchy_path_moved_mount, 0555);
r = move_mount(hierarchy_path_fd, "", AT_FDCWD, hierarchy_path_moved_mount, MOVE_MOUNT_F_EMPTY_PATH);
if (r < 0)
return log_debug_errno(r, "Failed to move mount for %s: %m", mount_path);
/* Turn all overlay layer directories into FD-based references */
*fd_layers = GREEDY_REALLOC(*fd_layers, *n_fd_layers + strv_length(m->overlay_layers));
if (!*fd_layers)
return log_oom();
STRV_FOREACH(ol, m->overlay_layers) {
_cleanup_close_ int tree_fd = -EBADF;
tree_fd = open_tree(-EBADF, *ol, /* flags= */ 0);
if (tree_fd < 0)
return log_debug_errno(errno, "Failed to open_tree overlay layer: %m");
r = strv_push(&new_layers, FORMAT_PROC_FD_PATH(tree_fd));
if (r < 0)
return log_debug_errno(r, "Failed to append overlay layer: %m");
*fd_layers[(*n_fd_layers)++] = TAKE_FD(tree_fd);
}
m->overlay_layers = strv_free(m->overlay_layers);
m->overlay_layers = TAKE_PTR(new_layers);
layers = strv_join(m->overlay_layers, ":");
if (!layers)
return log_oom_debug();
/* Append the underlying hierarchy path as the last lowerdir */
options = strjoin(layers, ":", FORMAT_PROC_FD_PATH(hierarchy_path_fd));
if (!options)
return log_oom_debug();
if (fsconfig(overlay_fs_fd, FSCONFIG_SET_STRING, "lowerdir", options, 0) < 0)
return log_debug_errno(errno, "Failed to set lowerdir: %m");
/* Create the superblock */
if (fsconfig(overlay_fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0)
return log_debug_errno(errno, "Failed to create overlay superblock: %m");
/* Signal completion to grandchild */
r = send_one_fd(pipe_fd, overlay_fs_fd, 0);
if (r < 0)
return log_debug_errno(r, "Failed to signal overlay configuration complete for %s: %m", mount_path);
return 0;
}
int refresh_extensions_in_namespace(
const PidRef *target,
const char *hierarchy_env,
const NamespaceParameters *p) {
_cleanup_close_ int mntns_fd = -EBADF, root_fd = -EBADF, pidns_fd = -EBADF;
const char *overlay_prefix = "/run/systemd/mount-rootfs";
_cleanup_(mount_list_done) MountList ml = {};
_cleanup_free_ char *extension_dir = NULL;
_cleanup_strv_free_ char **hierarchies = NULL;
int r;
assert(pidref_is_set(target));
assert(hierarchy_env);
assert(p);
log_debug("Refreshing extensions in-namespace for hierarchy '%s'", hierarchy_env);
r = pidref_namespace_open(target, &pidns_fd, &mntns_fd, /* ret_netns_fd= */ NULL, /* ret_userns_fd= */ NULL, &root_fd);
if (r < 0)
return log_debug_errno(r, "Failed to open namespace: %m");
r = is_our_namespace(mntns_fd, NAMESPACE_MOUNT);
if (r < 0)
return log_debug_errno(r, "Failed to check if target namespace is separate: %m");
if (r > 0)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
if (!extension_dir)
return log_oom_debug();
r = parse_env_extension_hierarchies(&hierarchies, hierarchy_env);
if (r < 0)
return r;
r = append_extensions(
&ml,
overlay_prefix,
p->private_namespace_dir,
hierarchies,
p->extension_images,
p->n_extension_images,
p->extension_directories);
if (r < 0)
return r;
sort_and_drop_unused_mounts(&ml, overlay_prefix);
if (ml.n_mounts == 0)
return 0;
/**
* There are three main steps:
* 1. In child, set up the extension images and directories in a slave mountns, so that we have
* access to their FDs
* 2. Fork into a grandchild, which will enter the target namespace and attempt to "unpeel" the
* overlays to obtain FDs the underlying directories, over which we will reapply the overlays
* 3. In the child again, receive the FDs and reapply the overlays
*/
r = safe_fork("(sd-ns-refresh-exts)",
FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE,
NULL);
if (r < 0)
return r;
if (r == 0) {
/* Child (host namespace) */
_cleanup_close_pair_ int pair[2] = EBADF_PAIR;
_cleanup_(sigkill_waitp) pid_t grandchild_pid = 0;
(void) mkdir_p_label(overlay_prefix, 0555);
/* Open all extension roots on the host */
FOREACH_ARRAY(m, ml.mounts, ml.n_mounts)
if (IN_SET(m->mode, MOUNT_EXTENSION_DIRECTORY, MOUNT_EXTENSION_IMAGE)) {
r = apply_one_mount("/", m, p);
if (r < 0) {
log_debug_errno(r, "Failed to apply extension mount: %m");
_exit(EXIT_FAILURE);
}
}
/* Create a grandchild process to handle the unmounting and reopening of hierarchy */
r = socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, pair);
if (r < 0) {
log_debug_errno(errno, "Failed to create socket pair: %m");
_exit(EXIT_FAILURE);
}
r = safe_fork("(sd-ns-refresh-exts-grandchild)",
FORK_LOG|FORK_DEATHSIG_SIGKILL,
&grandchild_pid);
if (r < 0)
_exit(EXIT_FAILURE);
if (r == 0) {
/* Grandchild (target service namespace) */
pair[0] = safe_close(pair[0]);
r = refresh_grandchild_proc(target, &ml, overlay_prefix, pidns_fd, mntns_fd, root_fd, pair[1]);
if (r < 0) {
pair[1] = safe_close(pair[1]);
_exit(EXIT_FAILURE);
}
_exit(EXIT_SUCCESS);
}
pair[1] = safe_close(pair[1]);
/* Until kernel 6.15, the FDs to the individual layers used to set up the OverlayFS via
* lowerdir=/proc/self/fd/X need to remain open until the OverlayFS mount is _attached_
* (as opposed to merely created) to its mount point, hence we need to ensure these FDs
* stay open until the grandchild has attached the mount and exited. */
// TODO: once the kernel baseline is >= 6.15, move the FD array into the helper function
// and close them immediately
int *fd_layers = NULL;
size_t n_fd_layers = 0;
CLEANUP_ARRAY(fd_layers, n_fd_layers, close_many_and_free);
FOREACH_ARRAY(m, ml.mounts, ml.n_mounts) {
r = handle_mount_from_grandchild(m, overlay_prefix, &fd_layers, &n_fd_layers, pair[0]);
if (r < 0)
_exit(EXIT_FAILURE);
}
r = wait_for_terminate_and_check("(sd-ns-refresh-exts-grandchild)", TAKE_PID(grandchild_pid), 0);
if (r < 0) {
log_debug_errno(r, "Failed to wait for target namespace process to finish: %m");
_exit(EXIT_FAILURE);
}
if (r != EXIT_SUCCESS) {
log_debug("Target namespace fork did not succeed");
_exit(EXIT_FAILURE);
}
_exit(EXIT_SUCCESS);
}
return 0;
}
static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
[PROTECT_HOME_NO] = "no",
[PROTECT_HOME_YES] = "yes",

6
src/core/namespace.h
View File

@ -16,6 +16,7 @@ typedef struct MountImage MountImage;
#include "fs-util.h"
#include "macro.h"
#include "namespace-util.h"
#include "pidref.h"
#include "runtime-scope.h"
#include "string-util.h"
@ -263,3 +264,8 @@ const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;
bool ns_type_supported(NamespaceType type);
int refresh_extensions_in_namespace(
const PidRef *target,
const char *hierarchy_env,
const NamespaceParameters *p);

224
src/core/service.c
View File

@ -21,6 +21,7 @@
#include "devnum-util.h"
#include "env-util.h"
#include "escape.h"
#include "execute.h"
#include "exec-credential.h"
#include "exit-status.h"
#include "fd-util.h"
@ -33,12 +34,14 @@
#include "manager.h"
#include "missing_audit.h"
#include "mount-util.h"
#include "namespace.h"
#include "open-file.h"
#include "parse-util.h"
#include "path-util.h"
#include "pidfd-util.h"
#include "process-util.h"
#include "random-util.h"
#include "runtime-scope.h"
#include "selinux-util.h"
#include "serialize.h"
#include "service.h"
@ -66,6 +69,7 @@ static const UnitActiveState state_translation_table[_SERVICE_STATE_MAX] = {
[SERVICE_RELOAD] = UNIT_RELOADING,
[SERVICE_RELOAD_SIGNAL] = UNIT_RELOADING,
[SERVICE_RELOAD_NOTIFY] = UNIT_RELOADING,
[SERVICE_RELOAD_MOUNTING] = UNIT_REFRESHING,
[SERVICE_MOUNTING] = UNIT_REFRESHING,
[SERVICE_STOP] = UNIT_DEACTIVATING,
[SERVICE_STOP_WATCHDOG] = UNIT_DEACTIVATING,
@ -97,6 +101,7 @@ static const UnitActiveState state_translation_table_idle[_SERVICE_STATE_MAX] =
[SERVICE_RELOAD] = UNIT_RELOADING,
[SERVICE_RELOAD_SIGNAL] = UNIT_RELOADING,
[SERVICE_RELOAD_NOTIFY] = UNIT_RELOADING,
[SERVICE_RELOAD_MOUNTING] = UNIT_REFRESHING,
[SERVICE_MOUNTING] = UNIT_REFRESHING,
[SERVICE_STOP] = UNIT_DEACTIVATING,
[SERVICE_STOP_WATCHDOG] = UNIT_DEACTIVATING,
@ -121,13 +126,13 @@ static int service_dispatch_watchdog(sd_event_source *source, usec_t usec, void
static int service_dispatch_exec_io(sd_event_source *source, int fd, uint32_t events, void *userdata);
static void service_enter_signal(Service *s, ServiceState state, ServiceResult f);
static void service_enter_reload_by_notify(Service *s);
static void service_enter_reload_propagate(Service *s);
static bool SERVICE_STATE_WITH_MAIN_PROCESS(ServiceState state) {
return IN_SET(state,
SERVICE_START, SERVICE_START_POST,
SERVICE_RUNNING,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL);
@ -137,7 +142,7 @@ static bool SERVICE_STATE_WITH_CONTROL_PROCESS(ServiceState state) {
return IN_SET(state,
SERVICE_CONDITION,
SERVICE_START_PRE, SERVICE_START, SERVICE_START_POST,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
@ -1288,7 +1293,7 @@ static void service_set_state(Service *s, ServiceState state) {
if (!IN_SET(state,
SERVICE_CONDITION, SERVICE_START_PRE, SERVICE_START, SERVICE_START_POST,
SERVICE_RUNNING,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
@ -1318,7 +1323,7 @@ static void service_set_state(Service *s, ServiceState state) {
if (state != SERVICE_START)
s->exec_fd_event_source = sd_event_source_disable_unref(s->exec_fd_event_source);
if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_MOUNTING))
if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING, SERVICE_MOUNTING))
service_stop_watchdog(s);
if (state != SERVICE_MOUNTING) /* Just in case */
@ -1363,6 +1368,7 @@ static usec_t service_coldplug_timeout(Service *s) {
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
case SERVICE_RELOAD_MOUNTING:
case SERVICE_MOUNTING:
return usec_add(UNIT(s)->state_change_timestamp.monotonic, s->timeout_start_usec);
@ -1431,7 +1437,7 @@ static int service_coldplug(Unit *u) {
(void) unit_setup_exec_runtime(u);
}
if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_MOUNTING))
if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING, SERVICE_MOUNTING))
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
@ -2372,7 +2378,7 @@ static void service_enter_running(Service *s, ServiceResult f) {
/* If there are any queued up sd_notify() notifications, process them now */
if (s->notify_state == NOTIFY_RELOADING)
service_enter_reload_by_notify(s);
service_enter_reload_propagate(s);
else if (s->notify_state == NOTIFY_STOPPING)
service_enter_stop_by_notify(s);
else {
@ -2686,7 +2692,7 @@ static void service_enter_restart(Service *s, bool shortcut) {
unit_add_to_dbus_queue(UNIT(s));
}
static void service_enter_reload_by_notify(Service *s) {
static void service_enter_reload_propagate(Service *s) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
int r;
@ -2702,14 +2708,167 @@ static void service_enter_reload_by_notify(Service *s) {
service_set_state(s, SERVICE_RELOAD_NOTIFY);
/* service_enter_reload_by_notify is never called during a reload, thus no loops are possible. */
/* service_enter_reload_propagate is never called during a reload, thus no loops are possible. */
r = manager_propagate_reload(UNIT(s)->manager, UNIT(s), JOB_FAIL, &error);
if (r < 0)
log_unit_warning(UNIT(s), "Failed to schedule propagation of reload, ignoring: %s", bus_error_message(&error, r));
}
static void service_enter_reload(Service *s) {
bool killed = false;
static void service_enter_reload_signal(Service *s) {
int r;
assert(s);
service_unwatch_control_pid(s);
s->reload_result = SERVICE_SUCCESS;
if (pidref_is_set(&s->main_pid)) {
r = pidref_kill_and_sigcont(&s->main_pid, s->reload_signal);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to send reload signal: %m");
goto fail;
}
r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
goto fail;
}
service_set_state(s, SERVICE_RELOAD_SIGNAL);
} else
service_enter_running(s, SERVICE_SUCCESS);
return;
fail:
s->reload_result = SERVICE_FAILURE_RESOURCES;
service_enter_running(s, SERVICE_SUCCESS);
}
static bool service_should_reload_extensions(Service *s) {
int r;
assert(s);
if (!pidref_is_set(&s->main_pid)) {
log_unit_debug(UNIT(s), "Not reloading extensions for service without main PID.");
return false;
}
r = exec_context_has_vpicked_extensions(&s->exec_context);
if (r < 0)
log_unit_warning_errno(UNIT(s), r, "Failed to determine if service should reload extensions, assuming false: %m");
if (r <= 0)
return false;
// TODO: Add support for user services, which can use ExtensionDirectories= + notify-reload.
// For now, skip for user services.
if (UNIT(s)->manager->runtime_scope != RUNTIME_SCOPE_SYSTEM) {
log_once(LOG_WARNING, "Not reloading extensions for user services.");
return false;
}
return true;
}
static void service_enter_reload_extensions(Service *s) {
_cleanup_(pidref_done) PidRef worker = PIDREF_NULL;
int r;
assert(s);
/* If we don't have extensions to reload, immediately go to the signal step */
if (!service_should_reload_extensions(s))
return (void) service_enter_reload_signal(s);
service_unwatch_control_pid(s);
s->reload_result = SERVICE_SUCCESS;
s->control_command = NULL;
s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
/* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
* directly, and instead fork a worker process. */
r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
goto fail;
}
if (r == 0) {
PidRef *unit_pid = unit_main_pid(UNIT(s));
if (!pidref_is_set(unit_pid)) {
/* Mostly paranoia, as it was checked by the parent */
log_unit_error(UNIT(s), "Failed to determine main PID for service '%s'", UNIT(s)->id);
_exit(EXIT_FAILURE);
}
_cleanup_free_ char *propagate_dir = path_join("/run/systemd/propagate/", UNIT(s)->id);
if (!propagate_dir) {
log_unit_error_errno(UNIT(s), -ENOMEM, "Failed to allocate memory for propagate directory: %m");
_exit(EXIT_FAILURE);
}
NamespaceParameters p = {
.private_namespace_dir = "/run/systemd",
.incoming_dir = "/run/systemd/incoming",
.propagate_dir = propagate_dir,
.runtime_scope = UNIT(s)->manager->runtime_scope,
.extension_images = s->exec_context.extension_images,
.n_extension_images = s->exec_context.n_extension_images,
.extension_directories = s->exec_context.extension_directories,
.extension_image_policy = s->exec_context.extension_image_policy,
};
/* Only reload confext, and not sysext as they also typically contain the executable(s) used
* by the service and a simply reload cannot meaningfully handle that. */
r = refresh_extensions_in_namespace(
unit_pid,
"SYSTEMD_CONFEXT_HIERARCHIES",
&p);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "Failed to refresh extensions in unit's namespace: %m");
else
log_unit_debug(UNIT(s), "Refreshed extensions in unit's namespace");
_exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
}
r = unit_watch_pidref(UNIT(s), &worker, /* exclusive= */ true);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to watch extensions refresh helper process: %m");
goto fail;
}
s->control_pid = TAKE_PIDREF(worker);
service_set_state(s, SERVICE_RELOAD_MOUNTING);
return;
fail:
s->reload_result = SERVICE_FAILURE_RESOURCES;
service_enter_running(s, SERVICE_SUCCESS);
}
static void service_enter_reload_by_notify(Service *s) {
int r;
assert(s);
usec_t ts = now(CLOCK_MONOTONIC);
r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
s->reload_result = SERVICE_FAILURE_RESOURCES;
service_enter_running(s, SERVICE_SUCCESS);
return;
}
s->reload_begin_usec = ts;
service_enter_reload_extensions(s);
}
static void service_enter_reload_by_exec(Service *s) {
int r;
assert(s);
@ -2719,16 +2878,6 @@ static void service_enter_reload(Service *s) {
usec_t ts = now(CLOCK_MONOTONIC);
if (s->type == SERVICE_NOTIFY_RELOAD && pidref_is_set(&s->main_pid)) {
r = pidref_kill_and_sigcont(&s->main_pid, s->reload_signal);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to send reload signal: %m");
goto fail;
}
killed = true;
}
s->control_command = s->exec_command[SERVICE_EXEC_RELOAD];
if (s->control_command) {
s->control_command_id = SERVICE_EXEC_RELOAD;
@ -2745,14 +2894,6 @@ static void service_enter_reload(Service *s) {
}
service_set_state(s, SERVICE_RELOAD);
} else if (killed) {
r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
goto fail;
}
service_set_state(s, SERVICE_RELOAD_SIGNAL);
} else {
service_enter_running(s, SERVICE_SUCCESS);
return;
@ -2957,6 +3098,9 @@ static int service_stop(Unit *u) {
service_kill_control_process(s);
service_live_mount_finish(s, SERVICE_FAILURE_PROTOCOL, BUS_ERROR_UNIT_INACTIVE);
_fallthrough_;
case SERVICE_RELOAD_MOUNTING:
service_kill_control_process(s);
_fallthrough_;
case SERVICE_CONDITION:
case SERVICE_START_PRE:
case SERVICE_START:
@ -2995,7 +3139,10 @@ static int service_reload(Unit *u) {
assert(IN_SET(s->state, SERVICE_RUNNING, SERVICE_EXITED));
service_enter_reload(s);
if (s->type == SERVICE_NOTIFY_RELOAD)
service_enter_reload_by_notify(s);
else
service_enter_reload_by_exec(s);
return 1;
}
@ -3986,6 +4133,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
case SERVICE_RELOAD_MOUNTING:
case SERVICE_MOUNTING:
/* If neither main nor control processes are running then the current
* state can never exit cleanly, hence immediately terminate the
@ -4207,6 +4355,11 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
service_enter_running(s, SERVICE_SUCCESS);
break;
case SERVICE_RELOAD_MOUNTING:
/* Remounting extensions asynchronously done, proceed to signal */
service_enter_reload_signal(s);
break;
case SERVICE_MOUNTING:
service_live_mount_finish(s, f, SD_BUS_ERROR_FAILED);
@ -4314,6 +4467,7 @@ static int service_dispatch_timer(sd_event_source *source, usec_t usec, void *us
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
case SERVICE_RELOAD_MOUNTING:
log_unit_warning(UNIT(s), "Reload operation timed out. Killing reload process.");
service_kill_control_process(s);
s->reload_result = SERVICE_FAILURE_TIMEOUT;
@ -4648,7 +4802,7 @@ static void service_notify_message(
r = service_notify_message_parse_new_pid(u, tags, fds, &new_main_pid);
if (r > 0 &&
IN_SET(s->state, SERVICE_START, SERVICE_START_POST, SERVICE_RUNNING,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_STOP, SERVICE_STOP_SIGTERM) &&
(!s->main_pid_known || !pidref_equal(&new_main_pid, &s->main_pid))) {
@ -4685,7 +4839,7 @@ static void service_notify_message(
if (strv_contains(tags, "STOPPING=1")) {
s->notify_state = NOTIFY_STOPPING;
if (IN_SET(s->state, SERVICE_RUNNING, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY))
if (IN_SET(s->state, SERVICE_RUNNING, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING))
service_enter_stop_by_notify(s);
notify_dbus = true;
@ -4737,12 +4891,12 @@ static void service_notify_message(
if (s->state == SERVICE_RELOAD_SIGNAL &&
monotonic_usec != USEC_INFINITY &&
monotonic_usec >= s->reload_begin_usec)
/* Note, we don't call service_enter_reload_by_notify() here, because we
/* Note, we don't call service_enter_reload_propagate() here, because we
* don't need reload propagation nor do we want to restart the timeout. */
service_set_state(s, SERVICE_RELOAD_NOTIFY);
if (s->state == SERVICE_RUNNING)
service_enter_reload_by_notify(s);
service_enter_reload_propagate(s);
notify_dbus = true;
}
@ -4991,6 +5145,7 @@ static bool pick_up_pid_from_bus_name(Service *s) {
SERVICE_RELOAD,
SERVICE_RELOAD_SIGNAL,
SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING);
}
@ -5175,6 +5330,7 @@ static bool service_needs_console(Unit *u) {
SERVICE_RELOAD,
SERVICE_RELOAD_SIGNAL,
SERVICE_RELOAD_NOTIFY,
SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP,
SERVICE_STOP_WATCHDOG,

35
src/shared/vpick.c
View File

@ -682,6 +682,41 @@ int path_pick_update_warn(
return 1;
}
int path_uses_vpick(const char *path) {
_cleanup_free_ char *dir = NULL, *parent = NULL, *fname = NULL;
int r;
assert(path);
r = path_extract_filename(path, &fname);
if (r == -EADDRNOTAVAIL)
return 0;
if (r < 0)
return r;
/* ...PATH/NAME.SUFFIX.v */
if (endswith(fname, ".v"))
return 1;
/* ...PATH.v/NAME___.SUFFIX */
if (!strrstr(fname, "___"))
return 0;
r = path_extract_directory(path, &dir);
if (IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL)) /* only filename specified (no dir), or root or "." */
return 0;
if (r < 0)
return r;
r = path_extract_filename(dir, &parent);
if (r == -EADDRNOTAVAIL)
return 0;
if (r < 0)
return r;
return !!endswith(parent, ".v");
}
const PickFilter pick_filter_image_raw = {
.type_mask = (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK),
.architecture = _ARCHITECTURE_INVALID,

2
src/shared/vpick.h
View File

@ -56,6 +56,8 @@ int path_pick_update_warn(
PickFlags flags,
PickResult *ret);
int path_uses_vpick(const char *path);
extern const PickFilter pick_filter_image_raw;
extern const PickFilter pick_filter_image_dir;
extern const PickFilter pick_filter_image_any;

23
src/test/test-vpick.c
View File

@ -168,4 +168,27 @@ TEST(path_pick) {
assert_se(result.architecture == ARCHITECTURE_S390);
}
TEST(path_uses_vpick) {
ASSERT_OK_POSITIVE(path_uses_vpick("foo.v"));
ASSERT_OK_POSITIVE(path_uses_vpick("path/to/foo.v"));
ASSERT_OK_POSITIVE(path_uses_vpick("./path/to/foo.v"));
ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo.v"));
ASSERT_OK_POSITIVE(path_uses_vpick("path/to/foo.raw.v"));
ASSERT_OK_POSITIVE(path_uses_vpick("/var/lib/machines/mymachine.raw.v/"));
ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo___.hi/a.v"));
ASSERT_OK_ZERO(path_uses_vpick("path/to/foo.mp4.vtt"));
ASSERT_OK_ZERO(path_uses_vpick("path/to/foo.mp4.v.1"));
ASSERT_OK_ZERO(path_uses_vpick("path/to.v/a"));
ASSERT_OK_POSITIVE(path_uses_vpick("to.v/foo___.raw"));
ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo___.raw"));
ASSERT_OK_ZERO(path_uses_vpick("path/to/foo___.raw"));
ASSERT_OK_ZERO(path_uses_vpick("path/to.v/foo__"));
ASSERT_OK_ZERO(path_uses_vpick("foo___.raw"));
ASSERT_LE(path_uses_vpick("/"), 0);
ASSERT_LE(path_uses_vpick("."), 0);
ASSERT_LE(path_uses_vpick(""), 0);
}
DEFINE_TEST_MAIN(LOG_DEBUG);

112
test/units/TEST-50-DISSECT.dissect.sh
View File

@ -558,6 +558,118 @@ rm -rf "$VDIR" "$EMPTY_VDIR"
systemd-dissect --umount "$IMAGE_DIR/app0"
systemd-dissect --umount "$IMAGE_DIR/app1"
# Check reloading refreshes vpick extensions
VBASE="vtest$RANDOM"
VDIR="/tmp/${VBASE}.v"
mkdir "$VDIR"
rm -rf /tmp/markers/
mkdir /tmp/markers/
cat >/run/systemd/system/testservice-50g.service <<EOF
[Service]
Type=notify-reload
EnvironmentFile=-/usr/lib/systemd/systemd-asan-env
PrivateTmp=disconnected
BindPaths=/tmp/markers/
ExtensionDirectories=-${VDIR}
ExecStart=bash -c ' \\
trap "{ \\
systemd-notify --reloading; \\
(ls /etc | grep marker || echo no-marker) >/tmp/markers/50g; \\
systemd-notify --ready; \\
}" SIGHUP; \\
systemd-notify --ready; \\
while true; do sleep 1; done; \\
'
EOF
mkdir -p "$VDIR/${VBASE}_1/etc/extension-release.d/"
echo "ID=_any" >"$VDIR/${VBASE}_1/etc/extension-release.d/extension-release.${VBASE}_1"
touch "$VDIR/${VBASE}_1/etc/${VBASE}_1.marker"
systemctl start testservice-50g.service
systemctl is-active testservice-50g.service
# First reload; at reload time, the marker file in /etc should be picked up.
systemctl try-reload-or-restart testservice-50g.service
grep -q -F "${VBASE}_1.marker" /tmp/markers/50g
# Make a version 2 and reload again; this time we should see the v2 marker
mkdir -p "$VDIR/${VBASE}_2/etc/extension-release.d/"
echo "ID=_any" >"$VDIR/${VBASE}_2/etc/extension-release.d/extension-release.${VBASE}_2"
touch "$VDIR/${VBASE}_2/etc/${VBASE}_2.marker"
systemctl try-reload-or-restart testservice-50g.service
grep -q -F "${VBASE}_2.marker" /tmp/markers/50g
# Do it for a couple more times (to make sure we're tearing down old overlays)
for _ in {1..5}; do systemctl reload testservice-50g.service; done
systemctl stop testservice-50g.service
# Repeat the same vpick notify-reload test with ExtensionImages= (keeping the
# same VBASE and reusing VDIR files for convenience, but using .raw extensions
# this time)
VDIR2="/tmp/${VBASE}.raw.v"
mkdir "$VDIR2"
cp /run/systemd/system/testservice-50g.service /run/systemd/system/testservice-50h.service
sed -i -e "s%ExtensionDirectories=.*%ExtensionImages=-$VDIR2%g" -e "s/50g/50h/g" \
/run/systemd/system/testservice-50h.service
mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
systemctl start testservice-50h.service
systemctl is-active testservice-50h.service
# First reload should pick up the v1 marker
systemctl try-reload-or-restart testservice-50h.service
grep -q -F "${VBASE}_1.marker" /tmp/markers/50h
# Second reload should pick up the v2 marker
mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
systemctl try-reload-or-restart testservice-50h.service
grep -q -F "${VBASE}_2.marker" /tmp/markers/50h
# Test that removing all the extensions don't cause any issues
rm -rf "${VDIR2:?}"/*
systemctl try-reload-or-restart testservice-50h.service
systemctl is-active testservice-50h.service
grep -q -F "no-marker" /tmp/markers/50h
systemctl stop testservice-50h.service
# Test combining vpick reload/restart with RootDirectory= & RootImage=
cat >/run/systemd/system/testservice-50i.service <<EOF
[Service]
Type=notify-reload
EnvironmentFile=-/usr/lib/systemd/systemd-asan-env
PrivateTmp=disconnected
BindPaths=/tmp/markers/
RootImage=$MINIMAL_IMAGE.raw
ExtensionDirectories=-${VDIR}
NotifyAccess=all
ExecStart=bash -c ' \
trap '"'"' \
printf "RELOADING=1\\nMONOTONIC_USEC=\$\${EPOCHREALTIME/[^0-9]/}" | socat -t 5 - UNIX-SENDTO:\$\$NOTIFY_SOCKET; \
(ls /etc | grep marker) >/tmp/markers/50i; \
(cat /usr/lib/os-release) >>/tmp/markers/50i; \
echo -n "READY=1" | socat -t 5 - UNIX-SENDTO:\$\$NOTIFY_SOCKET; \
'"'"' SIGHUP; \
echo -n "READY=1" | socat -t 5 - UNIX-SENDTO:\$\$NOTIFY_SOCKET; \
while true; do sleep 1; done; \
'
EOF
# Move away the v2 extension for now
mv "$VDIR/${VBASE}_2/" "$VDIR/.${VBASE}_2"
systemctl start testservice-50i.service
systemctl is-active testservice-50i.service
# Move the v2 extension back and reload
mv "$VDIR/.${VBASE}_2" "$VDIR/${VBASE}_2/"
systemctl try-reload-or-restart testservice-50i.service
grep -q -F "${VBASE}_2.marker" /tmp/markers/50i
# Ensure that we are also still seeing files exclusive to the root image
grep -q -F "MARKER=1" /tmp/markers/50i
systemctl stop testservice-50i.service
unsquashfs -no-xattrs -d /tmp/vpickminimg "$MINIMAL_IMAGE.raw"
cp /run/systemd/system/testservice-50i.service /run/systemd/system/testservice-50j.service
sed -i -e "s%RootImage=.*%RootDirectory=/tmp/vpickminimg%g" -e "s/50i/50j/g" \
/run/systemd/system/testservice-50j.service
systemctl start testservice-50j.service
systemctl is-active testservice-50j.service
systemctl try-reload-or-restart testservice-50j.service
grep -q -F "${VBASE}_2.marker" /tmp/markers/50j
grep -q -F "MARKER=1" /tmp/markers/50j
systemctl stop testservice-50j.service
rm -rf "$VDIR" "$VDIR2" /tmp/vpickminimg /tmp/markers/
# Test that an extension consisting of an empty directory under /etc/extensions/ takes precedence
mkdir -p /var/lib/extensions/
ln -s /tmp/app-nodistro.raw /var/lib/extensions/app-nodistro.raw