diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index fa6b9651017..e23b59dfd71 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -562,6 +562,17 @@
To disable the safety check that the extension-release file name matches the image file name, the
x-systemd.relax-extension-release-check mount option may be appended.
+ This option can be used together with a service type and
+ systemd.v7
+ to manage configuration updates. When such a service carrying confext images is reloaded via
+ systemctl reload foo.service or equivalent D-Bus method, the confext itself will
+ be reloaded to pick up any changes. This only applies to confext extensions. Note that in case a
+ service has this configuration enabled at first, and then it is subsequently removed in an update
+ followed by a daemon-reload operation, reloading the confexts will be a no-op, and a full service
+ restart is required instead. See
+ systemd.service5
+ also for details.
+
When DevicePolicy= is set to closed or
strict, or set to auto and DeviceAllow= is
set, then this setting adds /dev/loop-control with rw mode,
@@ -606,6 +617,17 @@
or the host. See:
os-release5.
+ This option can be used together with a service type and
+ systemd.v7
+ to manage configuration updates. When such a service carrying confext directories is reloaded via
+ systemctl reload foo.service or equivalent D-Bus method, the confext itself will
+ be reloaded to pick up any changes. This only applies to confext extensions. Note that in case a
+ service has this configuration enabled at first, and then it is subsequently removed in an update
+ followed by a daemon-reload operation, reloading the confexts will be a no-op, and a full service
+ restart is required instead. See
+ systemd.service5
+ also for details.
+
Note that usage from user units requires overlayfs support in unprivileged user namespaces,
which was first introduced in kernel v5.11.
diff --git a/mkosi.images/minimal-base/mkosi.conf b/mkosi.images/minimal-base/mkosi.conf
index 56040f8b21e..d5b3b5addfd 100644
--- a/mkosi.images/minimal-base/mkosi.conf
+++ b/mkosi.images/minimal-base/mkosi.conf
@@ -13,6 +13,7 @@ Packages=
bash
coreutils
grep
+ socat
util-linux
[Include]
diff --git a/src/basic/unit-def.c b/src/basic/unit-def.c
index 3be9d16333b..e8d91c57f1f 100644
--- a/src/basic/unit-def.c
+++ b/src/basic/unit-def.c
@@ -221,6 +221,7 @@ static const char* const service_state_table[_SERVICE_STATE_MAX] = {
[SERVICE_RELOAD] = "reload",
[SERVICE_RELOAD_SIGNAL] = "reload-signal",
[SERVICE_RELOAD_NOTIFY] = "reload-notify",
+ [SERVICE_RELOAD_MOUNTING] = "reload-mounting",
[SERVICE_STOP] = "stop",
[SERVICE_STOP_WATCHDOG] = "stop-watchdog",
[SERVICE_STOP_SIGTERM] = "stop-sigterm",
diff --git a/src/basic/unit-def.h b/src/basic/unit-def.h
index a9548e29913..d25a87db096 100644
--- a/src/basic/unit-def.h
+++ b/src/basic/unit-def.h
@@ -138,6 +138,7 @@ typedef enum ServiceState {
SERVICE_RELOAD, /* Reloading via ExecReload= */
SERVICE_RELOAD_SIGNAL, /* Reloading via SIGHUP requested */
SERVICE_RELOAD_NOTIFY, /* Waiting for READY=1 after RELOADING=1 notify */
+ SERVICE_RELOAD_MOUNTING, /* Refreshing extensions for a reload request */
SERVICE_MOUNTING, /* Performing a live mount into the namespace of the service */
SERVICE_STOP, /* No STOP_PRE state, instead just register multiple STOP executables */
SERVICE_STOP_WATCHDOG,
diff --git a/src/core/execute.c b/src/core/execute.c
index 1b6fe5b31af..5f8c4916f61 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -72,6 +72,7 @@
#include "unit-serialize.h"
#include "user-util.h"
#include "utmp-wtmp.h"
+#include "vpick.h"
static bool is_terminal_input(ExecInput i) {
return IN_SET(i,
@@ -2003,6 +2004,25 @@ char** exec_context_get_restrict_filesystems(const ExecContext *c) {
return l ? TAKE_PTR(l) : strv_new(NULL);
}
+int exec_context_has_vpicked_extensions(const ExecContext *context) {
+ int r;
+
+ assert(context);
+
+ FOREACH_ARRAY(mi, context->extension_images, context->n_extension_images) {
+ r = path_uses_vpick(mi->source);
+ if (r != 0)
+ return r;
+ }
+ STRV_FOREACH(ed, context->extension_directories) {
+ r = path_uses_vpick(*ed);
+ if (r != 0)
+ return r;
+ }
+
+ return 0;
+}
+
void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts) {
assert(s);
diff --git a/src/core/execute.h b/src/core/execute.h
index 65a9b0dea13..d5363fbda80 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -562,6 +562,8 @@ char** exec_context_get_syscall_log(const ExecContext *c);
char** exec_context_get_address_families(const ExecContext *c);
char** exec_context_get_restrict_filesystems(const ExecContext *c);
+int exec_context_has_vpicked_extensions(const ExecContext *context);
+
void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts);
void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status);
void exec_status_handoff(ExecStatus *s, const struct ucred *ucred, const dual_timestamp *ts);
diff --git a/src/core/manager.c b/src/core/manager.c
index 2382592d4ef..f30d5b58a8c 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1959,6 +1959,7 @@ static bool manager_dbus_is_running(Manager *m, bool deserialized) {
SERVICE_MOUNTING,
SERVICE_RELOAD,
SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD_MOUNTING,
SERVICE_RELOAD_SIGNAL))
return false;
diff --git a/src/core/namespace.c b/src/core/namespace.c
index c99233ce65b..a599805ded7 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -24,6 +24,7 @@
#include "lock-util.h"
#include "loop-util.h"
#include "loopback-setup.h"
+#include "missing_magic.h"
#include "missing_syscall.h"
#include "mkdir-label.h"
#include "mount-util.h"
@@ -34,6 +35,8 @@
#include "nulstr-util.h"
#include "os-util.h"
#include "path-util.h"
+#include "pidref.h"
+#include "process-util.h"
#include "selinux-util.h"
#include "socket-util.h"
#include "sort-util.h"
@@ -3310,6 +3313,431 @@ bool ns_type_supported(NamespaceType type) {
return access(ns_proc, F_OK) == 0;
}
+static int unpeel_get_fd(const char *mount_path, int *ret_fd) {
+ _cleanup_close_pair_ int pipe_fds[2] = EBADF_PAIR;
+ _cleanup_close_ int fs_fd = -EBADF;
+ pid_t pid;
+ int r;
+
+ assert(mount_path);
+ assert(ret_fd);
+
+ r = socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, pipe_fds);
+ if (r < 0)
+ return log_debug_errno(errno, "Failed to create socket pair: %m");
+
+ /* Clone mount namespace here to unpeel without affecting live process */
+ r = safe_fork("(sd-ns-unpeel)", FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_WAIT|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE, &pid);
+ if (r < 0)
+ return r;
+ if (r == 0) {
+ _cleanup_close_ int dir_fd = -EBADF;
+
+ pipe_fds[0] = safe_close(pipe_fds[0]);
+
+ /* Opportunistically unmount any overlay at this path */
+ r = path_is_fs_type(mount_path, OVERLAYFS_SUPER_MAGIC);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to check if %s is an overlayfs: %m", mount_path);
+ _exit(EXIT_FAILURE);
+ }
+ if (r > 0) {
+ r = umount_recursive(mount_path, MNT_DETACH);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to unmount %s: %m", mount_path);
+ _exit(EXIT_FAILURE);
+ } else if (r == 0) /* no umounts done, possible if a previous reload deleted all extensions */
+ log_debug("No overlay layer unmountable from %s", mount_path);
+ }
+
+ /* Now that /mount_path is exposed, get an FD for it and pass back */
+ dir_fd = open_tree(-EBADF, mount_path, AT_SYMLINK_NOFOLLOW|OPEN_TREE_CLONE);
+ if (dir_fd < 0) {
+ log_debug_errno(errno, "Failed to clone mount %s: %m", mount_path);
+ _exit(EXIT_FAILURE);
+ }
+
+ r = send_one_fd(pipe_fds[1], dir_fd, 0);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to send mount fd: %m");
+ _exit(EXIT_FAILURE);
+ }
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ pipe_fds[1] = safe_close(pipe_fds[1]);
+
+ r = receive_one_fd(pipe_fds[0], 0);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to receive mount fd: %m");
+ fs_fd = r;
+
+ r = fd_is_fs_type(fs_fd, OVERLAYFS_SUPER_MAGIC);
+ if (r < 0)
+ return log_debug_errno(r, "Unable to determine if unpeeled directory refers to overlayfs: %m");
+ if (r > 0)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unpeeled mount is still an overlayfs, something is weird, refusing.");
+
+ *ret_fd = TAKE_FD(fs_fd);
+ return 0;
+}
+
+/* In target namespace, unmounts an existing overlayfs at mount_path (if one exists), grabs FD from the
+ * underlying directory, and sets up a new overlayfs mount. Coordinates with parent process over pair_fd:
+ * 1. Creates and sends new overlay fs fd to parent
+ * 2. Fake-unmounts overlay at mount_path to obtain underlying directory fd to build new overlay
+ * 3. Waits for parent to configure layers
+ * 4. Performs final mount at mount_path
+ *
+ * This is used by refresh_extensions_in_namespace() to peel back any existing overlays and reapply them.
+ */
+static int unpeel_mount_and_setup_overlay(int pair_fd, const char *mount_path) {
+ _cleanup_close_ int dir_unpeeled_fd = -EBADF, overlay_fs_fd = -EBADF, mount_fd = -EBADF;
+ int r;
+
+ assert(pair_fd >= 0);
+ assert(mount_path);
+
+ /* Create new OverlayFS and send to parent */
+ overlay_fs_fd = fsopen("overlay", FSOPEN_CLOEXEC);
+ if (overlay_fs_fd < 0)
+ return log_debug_errno(errno, "Failed to create overlay fs for %s: %m", mount_path);
+
+ r = send_one_fd(pair_fd, overlay_fs_fd, /* flags= */ 0);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to send overlay fs fd to parent: %m");
+
+ /* Unpeel in cloned mount namespace to get underlying directory fd */
+ r = unpeel_get_fd(mount_path, &dir_unpeeled_fd);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to unpeel mount %s: %m", mount_path);
+
+ /* Send the fd to the parent */
+ r = send_one_fd(pair_fd, dir_unpeeled_fd, /* flags= */ 0);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to send %s fd to parent: %m", mount_path);
+
+ /* Wait for parent to signal overlay configuration completion */
+ log_debug("Waiting for configured overlay fs for %s", mount_path);
+ r = receive_one_fd(pair_fd, 0);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to receive configured overlay: %m");
+
+ /* Create the mount */
+ mount_fd = fsmount(overlay_fs_fd, FSMOUNT_CLOEXEC, /* flags= */ 0);
+ if (mount_fd < 0)
+ return log_debug_errno(errno, "Failed to create overlay mount: %m");
+
+ /* Move mount to final location */
+ r = mount_exchange_graceful(mount_fd, mount_path, /* mount_beneath= */ true);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to move overlay to %s: %m", mount_path);
+
+ return 0;
+}
+
+static int refresh_grandchild_proc(
+ const PidRef *target,
+ MountList *ml,
+ const char *overlay_prefix,
+ int pidns_fd,
+ int mntns_fd,
+ int root_fd,
+ int pipe_fd) {
+
+ int r;
+
+ assert(pidref_is_set(target));
+ assert(ml);
+ assert(overlay_prefix);
+ assert(pidns_fd >= 0);
+ assert(mntns_fd >= 0);
+ assert(root_fd >= 0);
+ assert(pipe_fd >= 0);
+
+ r = namespace_enter(pidns_fd, mntns_fd, /* netns_fd= */ -EBADF, /* userns_fd= */ -EBADF, root_fd);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to enter namespace: %m");
+
+ /* Handle each overlay mount path */
+ FOREACH_ARRAY(m, ml->mounts, ml->n_mounts) {
+ if (m->mode != MOUNT_OVERLAY)
+ continue;
+
+ const char *mount_path = startswith(mount_entry_unprefixed_path(m), overlay_prefix);
+ if (!mount_path)
+ mount_path = mount_entry_unprefixed_path(m);
+
+ r = path_is_mount_point(mount_path);
+ if (r < 0)
+ return log_debug_errno(r, "Unable to determine whether '%s' is a mount point: %m", mount_path);
+ if (r == 0)
+ continue;
+
+ /* If there are no extensions mounted for this overlay layer, instead of setting everything
+ * up, the correct behavior is to unmount the existing overlay in the target namespace to
+ * expose the original files. */
+ if (strv_isempty(m->overlay_layers)) {
+ r = path_is_fs_type(mount_path, OVERLAYFS_SUPER_MAGIC);
+ if (r < 0)
+ return log_debug_errno(r, "Unable to determine if directory '%s' refers to overlayfs: %m", mount_path);
+ if (r > 0) {
+ log_debug("No extensions for %s, undoing existing mount", mount_path);
+ r = umount_recursive(mount_path, MNT_DETACH);
+ if (r < 0)
+ log_debug_errno(r, "Failed to unmount %s: %m", mount_path);
+ }
+
+ continue;
+ }
+
+ r = unpeel_mount_and_setup_overlay(pipe_fd, mount_path);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to setup overlay mount for %s: %m", mount_path);
+ }
+
+ return 0;
+}
+
+static int handle_mount_from_grandchild(
+ MountEntry *m,
+ const char *overlay_prefix,
+ int **fd_layers,
+ size_t *n_fd_layers,
+ int pipe_fd) {
+
+ _cleanup_free_ char *layers = NULL, *options = NULL, *hierarchy_path_moved_mount = NULL;
+ _cleanup_close_ int hierarchy_path_fd = -EBADF, overlay_fs_fd = -EBADF;
+ _cleanup_strv_free_ char **new_layers = NULL;
+ int r;
+
+ assert(m);
+ assert(overlay_prefix);
+ assert(fd_layers);
+ assert(n_fd_layers);
+ assert(pipe_fd >= 0);
+
+ if (m->mode != MOUNT_OVERLAY)
+ return 0;
+
+ const char *mount_path = startswith(mount_entry_unprefixed_path(m), overlay_prefix);
+ if (!mount_path)
+ mount_path = mount_entry_unprefixed_path(m);
+
+ /* If there are no extensions mounted for this overlay layer, we only need to
+ * unmount the existing overlay (this is handled in the grandchild process) and
+ * would skip the usual cooperative processing here.
+ */
+ if (strv_isempty(m->overlay_layers)) {
+ log_debug("No layers for %s, skip setting up overlay", mount_path);
+ return 0;
+ }
+
+ /* Receive the fds from grandchild */
+ overlay_fs_fd = receive_one_fd(pipe_fd, 0);
+ if (overlay_fs_fd < 0)
+ return log_debug_errno(overlay_fs_fd, "Failed to receive overlay fs fd from grandchild: %m");
+
+ hierarchy_path_fd = receive_one_fd(pipe_fd, 0);
+ if (hierarchy_path_fd < 0)
+ return log_debug_errno(hierarchy_path_fd, "Failed to receive fd from grandchild for %s: %m", mount_path);
+
+ /* move_mount so that it is visible on our end. */
+ hierarchy_path_moved_mount = path_join(overlay_prefix, mount_path);
+ if (!hierarchy_path_moved_mount)
+ return log_oom_debug();
+
+ (void) mkdir_p_label(hierarchy_path_moved_mount, 0555);
+ r = move_mount(hierarchy_path_fd, "", AT_FDCWD, hierarchy_path_moved_mount, MOVE_MOUNT_F_EMPTY_PATH);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to move mount for %s: %m", mount_path);
+
+ /* Turn all overlay layer directories into FD-based references */
+ *fd_layers = GREEDY_REALLOC(*fd_layers, *n_fd_layers + strv_length(m->overlay_layers));
+ if (!*fd_layers)
+ return log_oom();
+
+ STRV_FOREACH(ol, m->overlay_layers) {
+ _cleanup_close_ int tree_fd = -EBADF;
+
+ tree_fd = open_tree(-EBADF, *ol, /* flags= */ 0);
+ if (tree_fd < 0)
+ return log_debug_errno(errno, "Failed to open_tree overlay layer: %m");
+
+ r = strv_push(&new_layers, FORMAT_PROC_FD_PATH(tree_fd));
+ if (r < 0)
+ return log_debug_errno(r, "Failed to append overlay layer: %m");
+
+ *fd_layers[(*n_fd_layers)++] = TAKE_FD(tree_fd);
+ }
+ m->overlay_layers = strv_free(m->overlay_layers);
+ m->overlay_layers = TAKE_PTR(new_layers);
+
+ layers = strv_join(m->overlay_layers, ":");
+ if (!layers)
+ return log_oom_debug();
+
+ /* Append the underlying hierarchy path as the last lowerdir */
+ options = strjoin(layers, ":", FORMAT_PROC_FD_PATH(hierarchy_path_fd));
+ if (!options)
+ return log_oom_debug();
+
+ if (fsconfig(overlay_fs_fd, FSCONFIG_SET_STRING, "lowerdir", options, 0) < 0)
+ return log_debug_errno(errno, "Failed to set lowerdir: %m");
+
+ /* Create the superblock */
+ if (fsconfig(overlay_fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0)
+ return log_debug_errno(errno, "Failed to create overlay superblock: %m");
+
+ /* Signal completion to grandchild */
+ r = send_one_fd(pipe_fd, overlay_fs_fd, 0);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to signal overlay configuration complete for %s: %m", mount_path);
+
+ return 0;
+}
+
+int refresh_extensions_in_namespace(
+ const PidRef *target,
+ const char *hierarchy_env,
+ const NamespaceParameters *p) {
+
+ _cleanup_close_ int mntns_fd = -EBADF, root_fd = -EBADF, pidns_fd = -EBADF;
+ const char *overlay_prefix = "/run/systemd/mount-rootfs";
+ _cleanup_(mount_list_done) MountList ml = {};
+ _cleanup_free_ char *extension_dir = NULL;
+ _cleanup_strv_free_ char **hierarchies = NULL;
+ int r;
+
+ assert(pidref_is_set(target));
+ assert(hierarchy_env);
+ assert(p);
+
+ log_debug("Refreshing extensions in-namespace for hierarchy '%s'", hierarchy_env);
+
+ r = pidref_namespace_open(target, &pidns_fd, &mntns_fd, /* ret_netns_fd= */ NULL, /* ret_userns_fd= */ NULL, &root_fd);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to open namespace: %m");
+
+ r = is_our_namespace(mntns_fd, NAMESPACE_MOUNT);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to check if target namespace is separate: %m");
+ if (r > 0)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
+
+ extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
+ if (!extension_dir)
+ return log_oom_debug();
+
+ r = parse_env_extension_hierarchies(&hierarchies, hierarchy_env);
+ if (r < 0)
+ return r;
+
+ r = append_extensions(
+ &ml,
+ overlay_prefix,
+ p->private_namespace_dir,
+ hierarchies,
+ p->extension_images,
+ p->n_extension_images,
+ p->extension_directories);
+ if (r < 0)
+ return r;
+
+ sort_and_drop_unused_mounts(&ml, overlay_prefix);
+ if (ml.n_mounts == 0)
+ return 0;
+
+ /**
+ * There are three main steps:
+ * 1. In child, set up the extension images and directories in a slave mountns, so that we have
+ * access to their FDs
+ * 2. Fork into a grandchild, which will enter the target namespace and attempt to "unpeel" the
+ * overlays to obtain FDs the underlying directories, over which we will reapply the overlays
+ * 3. In the child again, receive the FDs and reapply the overlays
+ */
+ r = safe_fork("(sd-ns-refresh-exts)",
+ FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE,
+ NULL);
+ if (r < 0)
+ return r;
+ if (r == 0) {
+ /* Child (host namespace) */
+ _cleanup_close_pair_ int pair[2] = EBADF_PAIR;
+ _cleanup_(sigkill_waitp) pid_t grandchild_pid = 0;
+
+ (void) mkdir_p_label(overlay_prefix, 0555);
+
+ /* Open all extension roots on the host */
+ FOREACH_ARRAY(m, ml.mounts, ml.n_mounts)
+ if (IN_SET(m->mode, MOUNT_EXTENSION_DIRECTORY, MOUNT_EXTENSION_IMAGE)) {
+ r = apply_one_mount("/", m, p);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to apply extension mount: %m");
+ _exit(EXIT_FAILURE);
+ }
+ }
+
+ /* Create a grandchild process to handle the unmounting and reopening of hierarchy */
+ r = socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, pair);
+ if (r < 0) {
+ log_debug_errno(errno, "Failed to create socket pair: %m");
+ _exit(EXIT_FAILURE);
+ }
+
+ r = safe_fork("(sd-ns-refresh-exts-grandchild)",
+ FORK_LOG|FORK_DEATHSIG_SIGKILL,
+ &grandchild_pid);
+ if (r < 0)
+ _exit(EXIT_FAILURE);
+ if (r == 0) {
+ /* Grandchild (target service namespace) */
+ pair[0] = safe_close(pair[0]);
+
+ r = refresh_grandchild_proc(target, &ml, overlay_prefix, pidns_fd, mntns_fd, root_fd, pair[1]);
+ if (r < 0) {
+ pair[1] = safe_close(pair[1]);
+ _exit(EXIT_FAILURE);
+ }
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ pair[1] = safe_close(pair[1]);
+
+ /* Until kernel 6.15, the FDs to the individual layers used to set up the OverlayFS via
+ * lowerdir=/proc/self/fd/X need to remain open until the OverlayFS mount is _attached_
+ * (as opposed to merely created) to its mount point, hence we need to ensure these FDs
+ * stay open until the grandchild has attached the mount and exited. */
+ // TODO: once the kernel baseline is >= 6.15, move the FD array into the helper function
+ // and close them immediately
+ int *fd_layers = NULL;
+ size_t n_fd_layers = 0;
+ CLEANUP_ARRAY(fd_layers, n_fd_layers, close_many_and_free);
+
+ FOREACH_ARRAY(m, ml.mounts, ml.n_mounts) {
+ r = handle_mount_from_grandchild(m, overlay_prefix, &fd_layers, &n_fd_layers, pair[0]);
+ if (r < 0)
+ _exit(EXIT_FAILURE);
+ }
+
+ r = wait_for_terminate_and_check("(sd-ns-refresh-exts-grandchild)", TAKE_PID(grandchild_pid), 0);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to wait for target namespace process to finish: %m");
+ _exit(EXIT_FAILURE);
+ }
+ if (r != EXIT_SUCCESS) {
+ log_debug("Target namespace fork did not succeed");
+ _exit(EXIT_FAILURE);
+ }
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ return 0;
+}
+
static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
[PROTECT_HOME_NO] = "no",
[PROTECT_HOME_YES] = "yes",
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 069cdb831ab..79909fd818e 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -16,6 +16,7 @@ typedef struct MountImage MountImage;
#include "fs-util.h"
#include "macro.h"
#include "namespace-util.h"
+#include "pidref.h"
#include "runtime-scope.h"
#include "string-util.h"
@@ -263,3 +264,8 @@ const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;
bool ns_type_supported(NamespaceType type);
+
+int refresh_extensions_in_namespace(
+ const PidRef *target,
+ const char *hierarchy_env,
+ const NamespaceParameters *p);
diff --git a/src/core/service.c b/src/core/service.c
index ccfa439dd0a..8a38b63f75a 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -21,6 +21,7 @@
#include "devnum-util.h"
#include "env-util.h"
#include "escape.h"
+#include "execute.h"
#include "exec-credential.h"
#include "exit-status.h"
#include "fd-util.h"
@@ -33,12 +34,14 @@
#include "manager.h"
#include "missing_audit.h"
#include "mount-util.h"
+#include "namespace.h"
#include "open-file.h"
#include "parse-util.h"
#include "path-util.h"
#include "pidfd-util.h"
#include "process-util.h"
#include "random-util.h"
+#include "runtime-scope.h"
#include "selinux-util.h"
#include "serialize.h"
#include "service.h"
@@ -66,6 +69,7 @@ static const UnitActiveState state_translation_table[_SERVICE_STATE_MAX] = {
[SERVICE_RELOAD] = UNIT_RELOADING,
[SERVICE_RELOAD_SIGNAL] = UNIT_RELOADING,
[SERVICE_RELOAD_NOTIFY] = UNIT_RELOADING,
+ [SERVICE_RELOAD_MOUNTING] = UNIT_REFRESHING,
[SERVICE_MOUNTING] = UNIT_REFRESHING,
[SERVICE_STOP] = UNIT_DEACTIVATING,
[SERVICE_STOP_WATCHDOG] = UNIT_DEACTIVATING,
@@ -97,6 +101,7 @@ static const UnitActiveState state_translation_table_idle[_SERVICE_STATE_MAX] =
[SERVICE_RELOAD] = UNIT_RELOADING,
[SERVICE_RELOAD_SIGNAL] = UNIT_RELOADING,
[SERVICE_RELOAD_NOTIFY] = UNIT_RELOADING,
+ [SERVICE_RELOAD_MOUNTING] = UNIT_REFRESHING,
[SERVICE_MOUNTING] = UNIT_REFRESHING,
[SERVICE_STOP] = UNIT_DEACTIVATING,
[SERVICE_STOP_WATCHDOG] = UNIT_DEACTIVATING,
@@ -121,13 +126,13 @@ static int service_dispatch_watchdog(sd_event_source *source, usec_t usec, void
static int service_dispatch_exec_io(sd_event_source *source, int fd, uint32_t events, void *userdata);
static void service_enter_signal(Service *s, ServiceState state, ServiceResult f);
-static void service_enter_reload_by_notify(Service *s);
+static void service_enter_reload_propagate(Service *s);
static bool SERVICE_STATE_WITH_MAIN_PROCESS(ServiceState state) {
return IN_SET(state,
SERVICE_START, SERVICE_START_POST,
SERVICE_RUNNING,
- SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL);
@@ -137,7 +142,7 @@ static bool SERVICE_STATE_WITH_CONTROL_PROCESS(ServiceState state) {
return IN_SET(state,
SERVICE_CONDITION,
SERVICE_START_PRE, SERVICE_START, SERVICE_START_POST,
- SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
@@ -1288,7 +1293,7 @@ static void service_set_state(Service *s, ServiceState state) {
if (!IN_SET(state,
SERVICE_CONDITION, SERVICE_START_PRE, SERVICE_START, SERVICE_START_POST,
SERVICE_RUNNING,
- SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP, SERVICE_STOP_WATCHDOG, SERVICE_STOP_SIGTERM, SERVICE_STOP_SIGKILL, SERVICE_STOP_POST,
SERVICE_FINAL_WATCHDOG, SERVICE_FINAL_SIGTERM, SERVICE_FINAL_SIGKILL,
@@ -1318,7 +1323,7 @@ static void service_set_state(Service *s, ServiceState state) {
if (state != SERVICE_START)
s->exec_fd_event_source = sd_event_source_disable_unref(s->exec_fd_event_source);
- if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_MOUNTING))
+ if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING, SERVICE_MOUNTING))
service_stop_watchdog(s);
if (state != SERVICE_MOUNTING) /* Just in case */
@@ -1363,6 +1368,7 @@ static usec_t service_coldplug_timeout(Service *s) {
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
+ case SERVICE_RELOAD_MOUNTING:
case SERVICE_MOUNTING:
return usec_add(UNIT(s)->state_change_timestamp.monotonic, s->timeout_start_usec);
@@ -1431,7 +1437,7 @@ static int service_coldplug(Unit *u) {
(void) unit_setup_exec_runtime(u);
}
- if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_MOUNTING))
+ if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING, SERVICE_MOUNTING))
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
@@ -2372,7 +2378,7 @@ static void service_enter_running(Service *s, ServiceResult f) {
/* If there are any queued up sd_notify() notifications, process them now */
if (s->notify_state == NOTIFY_RELOADING)
- service_enter_reload_by_notify(s);
+ service_enter_reload_propagate(s);
else if (s->notify_state == NOTIFY_STOPPING)
service_enter_stop_by_notify(s);
else {
@@ -2686,7 +2692,7 @@ static void service_enter_restart(Service *s, bool shortcut) {
unit_add_to_dbus_queue(UNIT(s));
}
-static void service_enter_reload_by_notify(Service *s) {
+static void service_enter_reload_propagate(Service *s) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
int r;
@@ -2702,14 +2708,167 @@ static void service_enter_reload_by_notify(Service *s) {
service_set_state(s, SERVICE_RELOAD_NOTIFY);
- /* service_enter_reload_by_notify is never called during a reload, thus no loops are possible. */
+ /* service_enter_reload_propagate is never called during a reload, thus no loops are possible. */
r = manager_propagate_reload(UNIT(s)->manager, UNIT(s), JOB_FAIL, &error);
if (r < 0)
log_unit_warning(UNIT(s), "Failed to schedule propagation of reload, ignoring: %s", bus_error_message(&error, r));
}
-static void service_enter_reload(Service *s) {
- bool killed = false;
+static void service_enter_reload_signal(Service *s) {
+ int r;
+
+ assert(s);
+
+ service_unwatch_control_pid(s);
+ s->reload_result = SERVICE_SUCCESS;
+
+ if (pidref_is_set(&s->main_pid)) {
+ r = pidref_kill_and_sigcont(&s->main_pid, s->reload_signal);
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to send reload signal: %m");
+ goto fail;
+ }
+
+ r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
+ goto fail;
+ }
+
+ service_set_state(s, SERVICE_RELOAD_SIGNAL);
+ } else
+ service_enter_running(s, SERVICE_SUCCESS);
+
+ return;
+
+fail:
+ s->reload_result = SERVICE_FAILURE_RESOURCES;
+ service_enter_running(s, SERVICE_SUCCESS);
+}
+
+static bool service_should_reload_extensions(Service *s) {
+ int r;
+
+ assert(s);
+
+ if (!pidref_is_set(&s->main_pid)) {
+ log_unit_debug(UNIT(s), "Not reloading extensions for service without main PID.");
+ return false;
+ }
+
+ r = exec_context_has_vpicked_extensions(&s->exec_context);
+ if (r < 0)
+ log_unit_warning_errno(UNIT(s), r, "Failed to determine if service should reload extensions, assuming false: %m");
+ if (r <= 0)
+ return false;
+
+ // TODO: Add support for user services, which can use ExtensionDirectories= + notify-reload.
+ // For now, skip for user services.
+ if (UNIT(s)->manager->runtime_scope != RUNTIME_SCOPE_SYSTEM) {
+ log_once(LOG_WARNING, "Not reloading extensions for user services.");
+ return false;
+ }
+
+ return true;
+}
+
+static void service_enter_reload_extensions(Service *s) {
+ _cleanup_(pidref_done) PidRef worker = PIDREF_NULL;
+ int r;
+
+ assert(s);
+
+ /* If we don't have extensions to reload, immediately go to the signal step */
+ if (!service_should_reload_extensions(s))
+ return (void) service_enter_reload_signal(s);
+
+ service_unwatch_control_pid(s);
+ s->reload_result = SERVICE_SUCCESS;
+ s->control_command = NULL;
+ s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
+
+ /* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
+ * directly, and instead fork a worker process. */
+ r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
+ if (r < 0) {
+ log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
+ goto fail;
+ }
+ if (r == 0) {
+ PidRef *unit_pid = unit_main_pid(UNIT(s));
+ if (!pidref_is_set(unit_pid)) {
+ /* Mostly paranoia, as it was checked by the parent */
+ log_unit_error(UNIT(s), "Failed to determine main PID for service '%s'", UNIT(s)->id);
+ _exit(EXIT_FAILURE);
+ }
+
+ _cleanup_free_ char *propagate_dir = path_join("/run/systemd/propagate/", UNIT(s)->id);
+ if (!propagate_dir) {
+ log_unit_error_errno(UNIT(s), -ENOMEM, "Failed to allocate memory for propagate directory: %m");
+ _exit(EXIT_FAILURE);
+ }
+
+ NamespaceParameters p = {
+ .private_namespace_dir = "/run/systemd",
+ .incoming_dir = "/run/systemd/incoming",
+ .propagate_dir = propagate_dir,
+ .runtime_scope = UNIT(s)->manager->runtime_scope,
+ .extension_images = s->exec_context.extension_images,
+ .n_extension_images = s->exec_context.n_extension_images,
+ .extension_directories = s->exec_context.extension_directories,
+ .extension_image_policy = s->exec_context.extension_image_policy,
+ };
+
+ /* Only reload confext, and not sysext as they also typically contain the executable(s) used
+ * by the service and a simply reload cannot meaningfully handle that. */
+ r = refresh_extensions_in_namespace(
+ unit_pid,
+ "SYSTEMD_CONFEXT_HIERARCHIES",
+ &p);
+ if (r < 0)
+ log_unit_error_errno(UNIT(s), r, "Failed to refresh extensions in unit's namespace: %m");
+ else
+ log_unit_debug(UNIT(s), "Refreshed extensions in unit's namespace");
+
+ _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
+ }
+
+ r = unit_watch_pidref(UNIT(s), &worker, /* exclusive= */ true);
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to watch extensions refresh helper process: %m");
+ goto fail;
+ }
+
+ s->control_pid = TAKE_PIDREF(worker);
+ service_set_state(s, SERVICE_RELOAD_MOUNTING);
+ return;
+
+fail:
+ s->reload_result = SERVICE_FAILURE_RESOURCES;
+ service_enter_running(s, SERVICE_SUCCESS);
+}
+
+static void service_enter_reload_by_notify(Service *s) {
+ int r;
+
+ assert(s);
+
+ usec_t ts = now(CLOCK_MONOTONIC);
+
+ r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
+ s->reload_result = SERVICE_FAILURE_RESOURCES;
+ service_enter_running(s, SERVICE_SUCCESS);
+ return;
+ }
+
+ s->reload_begin_usec = ts;
+
+ service_enter_reload_extensions(s);
+}
+
+static void service_enter_reload_by_exec(Service *s) {
int r;
assert(s);
@@ -2719,16 +2878,6 @@ static void service_enter_reload(Service *s) {
usec_t ts = now(CLOCK_MONOTONIC);
- if (s->type == SERVICE_NOTIFY_RELOAD && pidref_is_set(&s->main_pid)) {
- r = pidref_kill_and_sigcont(&s->main_pid, s->reload_signal);
- if (r < 0) {
- log_unit_warning_errno(UNIT(s), r, "Failed to send reload signal: %m");
- goto fail;
- }
-
- killed = true;
- }
-
s->control_command = s->exec_command[SERVICE_EXEC_RELOAD];
if (s->control_command) {
s->control_command_id = SERVICE_EXEC_RELOAD;
@@ -2745,14 +2894,6 @@ static void service_enter_reload(Service *s) {
}
service_set_state(s, SERVICE_RELOAD);
- } else if (killed) {
- r = service_arm_timer(s, /* relative= */ true, s->timeout_start_usec);
- if (r < 0) {
- log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
- goto fail;
- }
-
- service_set_state(s, SERVICE_RELOAD_SIGNAL);
} else {
service_enter_running(s, SERVICE_SUCCESS);
return;
@@ -2957,6 +3098,9 @@ static int service_stop(Unit *u) {
service_kill_control_process(s);
service_live_mount_finish(s, SERVICE_FAILURE_PROTOCOL, BUS_ERROR_UNIT_INACTIVE);
_fallthrough_;
+ case SERVICE_RELOAD_MOUNTING:
+ service_kill_control_process(s);
+ _fallthrough_;
case SERVICE_CONDITION:
case SERVICE_START_PRE:
case SERVICE_START:
@@ -2995,7 +3139,10 @@ static int service_reload(Unit *u) {
assert(IN_SET(s->state, SERVICE_RUNNING, SERVICE_EXITED));
- service_enter_reload(s);
+ if (s->type == SERVICE_NOTIFY_RELOAD)
+ service_enter_reload_by_notify(s);
+ else
+ service_enter_reload_by_exec(s);
return 1;
}
@@ -3986,6 +4133,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
+ case SERVICE_RELOAD_MOUNTING:
case SERVICE_MOUNTING:
/* If neither main nor control processes are running then the current
* state can never exit cleanly, hence immediately terminate the
@@ -4207,6 +4355,11 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
service_enter_running(s, SERVICE_SUCCESS);
break;
+ case SERVICE_RELOAD_MOUNTING:
+ /* Remounting extensions asynchronously done, proceed to signal */
+ service_enter_reload_signal(s);
+ break;
+
case SERVICE_MOUNTING:
service_live_mount_finish(s, f, SD_BUS_ERROR_FAILED);
@@ -4314,6 +4467,7 @@ static int service_dispatch_timer(sd_event_source *source, usec_t usec, void *us
case SERVICE_RELOAD:
case SERVICE_RELOAD_SIGNAL:
case SERVICE_RELOAD_NOTIFY:
+ case SERVICE_RELOAD_MOUNTING:
log_unit_warning(UNIT(s), "Reload operation timed out. Killing reload process.");
service_kill_control_process(s);
s->reload_result = SERVICE_FAILURE_TIMEOUT;
@@ -4648,7 +4802,7 @@ static void service_notify_message(
r = service_notify_message_parse_new_pid(u, tags, fds, &new_main_pid);
if (r > 0 &&
IN_SET(s->state, SERVICE_START, SERVICE_START_POST, SERVICE_RUNNING,
- SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING,
SERVICE_STOP, SERVICE_STOP_SIGTERM) &&
(!s->main_pid_known || !pidref_equal(&new_main_pid, &s->main_pid))) {
@@ -4685,7 +4839,7 @@ static void service_notify_message(
if (strv_contains(tags, "STOPPING=1")) {
s->notify_state = NOTIFY_STOPPING;
- if (IN_SET(s->state, SERVICE_RUNNING, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY))
+ if (IN_SET(s->state, SERVICE_RUNNING, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY, SERVICE_RELOAD_MOUNTING))
service_enter_stop_by_notify(s);
notify_dbus = true;
@@ -4737,12 +4891,12 @@ static void service_notify_message(
if (s->state == SERVICE_RELOAD_SIGNAL &&
monotonic_usec != USEC_INFINITY &&
monotonic_usec >= s->reload_begin_usec)
- /* Note, we don't call service_enter_reload_by_notify() here, because we
+ /* Note, we don't call service_enter_reload_propagate() here, because we
* don't need reload propagation nor do we want to restart the timeout. */
service_set_state(s, SERVICE_RELOAD_NOTIFY);
if (s->state == SERVICE_RUNNING)
- service_enter_reload_by_notify(s);
+ service_enter_reload_propagate(s);
notify_dbus = true;
}
@@ -4991,6 +5145,7 @@ static bool pick_up_pid_from_bus_name(Service *s) {
SERVICE_RELOAD,
SERVICE_RELOAD_SIGNAL,
SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING);
}
@@ -5175,6 +5330,7 @@ static bool service_needs_console(Unit *u) {
SERVICE_RELOAD,
SERVICE_RELOAD_SIGNAL,
SERVICE_RELOAD_NOTIFY,
+ SERVICE_RELOAD_MOUNTING,
SERVICE_MOUNTING,
SERVICE_STOP,
SERVICE_STOP_WATCHDOG,
diff --git a/src/shared/vpick.c b/src/shared/vpick.c
index 08f6dd72d92..2dd7ace708f 100644
--- a/src/shared/vpick.c
+++ b/src/shared/vpick.c
@@ -682,6 +682,41 @@ int path_pick_update_warn(
return 1;
}
+int path_uses_vpick(const char *path) {
+ _cleanup_free_ char *dir = NULL, *parent = NULL, *fname = NULL;
+ int r;
+
+ assert(path);
+
+ r = path_extract_filename(path, &fname);
+ if (r == -EADDRNOTAVAIL)
+ return 0;
+ if (r < 0)
+ return r;
+
+ /* ...PATH/NAME.SUFFIX.v */
+ if (endswith(fname, ".v"))
+ return 1;
+
+ /* ...PATH.v/NAME___.SUFFIX */
+ if (!strrstr(fname, "___"))
+ return 0;
+
+ r = path_extract_directory(path, &dir);
+ if (IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL)) /* only filename specified (no dir), or root or "." */
+ return 0;
+ if (r < 0)
+ return r;
+
+ r = path_extract_filename(dir, &parent);
+ if (r == -EADDRNOTAVAIL)
+ return 0;
+ if (r < 0)
+ return r;
+
+ return !!endswith(parent, ".v");
+}
+
const PickFilter pick_filter_image_raw = {
.type_mask = (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK),
.architecture = _ARCHITECTURE_INVALID,
diff --git a/src/shared/vpick.h b/src/shared/vpick.h
index 38251c84e85..3093f02cb05 100644
--- a/src/shared/vpick.h
+++ b/src/shared/vpick.h
@@ -56,6 +56,8 @@ int path_pick_update_warn(
PickFlags flags,
PickResult *ret);
+int path_uses_vpick(const char *path);
+
extern const PickFilter pick_filter_image_raw;
extern const PickFilter pick_filter_image_dir;
extern const PickFilter pick_filter_image_any;
diff --git a/src/test/test-vpick.c b/src/test/test-vpick.c
index 88646ec053e..aeea50c603d 100644
--- a/src/test/test-vpick.c
+++ b/src/test/test-vpick.c
@@ -168,4 +168,27 @@ TEST(path_pick) {
assert_se(result.architecture == ARCHITECTURE_S390);
}
+TEST(path_uses_vpick) {
+ ASSERT_OK_POSITIVE(path_uses_vpick("foo.v"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("path/to/foo.v"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("./path/to/foo.v"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo.v"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("path/to/foo.raw.v"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("/var/lib/machines/mymachine.raw.v/"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo___.hi/a.v"));
+ ASSERT_OK_ZERO(path_uses_vpick("path/to/foo.mp4.vtt"));
+ ASSERT_OK_ZERO(path_uses_vpick("path/to/foo.mp4.v.1"));
+ ASSERT_OK_ZERO(path_uses_vpick("path/to.v/a"));
+
+ ASSERT_OK_POSITIVE(path_uses_vpick("to.v/foo___.raw"));
+ ASSERT_OK_POSITIVE(path_uses_vpick("path/to.v/foo___.raw"));
+ ASSERT_OK_ZERO(path_uses_vpick("path/to/foo___.raw"));
+ ASSERT_OK_ZERO(path_uses_vpick("path/to.v/foo__"));
+ ASSERT_OK_ZERO(path_uses_vpick("foo___.raw"));
+
+ ASSERT_LE(path_uses_vpick("/"), 0);
+ ASSERT_LE(path_uses_vpick("."), 0);
+ ASSERT_LE(path_uses_vpick(""), 0);
+}
+
DEFINE_TEST_MAIN(LOG_DEBUG);
diff --git a/test/units/TEST-50-DISSECT.dissect.sh b/test/units/TEST-50-DISSECT.dissect.sh
index fc33d91f0fa..cb8cd385a97 100755
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@@ -558,6 +558,118 @@ rm -rf "$VDIR" "$EMPTY_VDIR"
systemd-dissect --umount "$IMAGE_DIR/app0"
systemd-dissect --umount "$IMAGE_DIR/app1"
+# Check reloading refreshes vpick extensions
+VBASE="vtest$RANDOM"
+VDIR="/tmp/${VBASE}.v"
+mkdir "$VDIR"
+rm -rf /tmp/markers/
+mkdir /tmp/markers/
+cat >/run/systemd/system/testservice-50g.service </tmp/markers/50g; \\
+ systemd-notify --ready; \\
+ }" SIGHUP; \\
+ systemd-notify --ready; \\
+ while true; do sleep 1; done; \\
+'
+EOF
+mkdir -p "$VDIR/${VBASE}_1/etc/extension-release.d/"
+echo "ID=_any" >"$VDIR/${VBASE}_1/etc/extension-release.d/extension-release.${VBASE}_1"
+touch "$VDIR/${VBASE}_1/etc/${VBASE}_1.marker"
+systemctl start testservice-50g.service
+systemctl is-active testservice-50g.service
+# First reload; at reload time, the marker file in /etc should be picked up.
+systemctl try-reload-or-restart testservice-50g.service
+grep -q -F "${VBASE}_1.marker" /tmp/markers/50g
+# Make a version 2 and reload again; this time we should see the v2 marker
+mkdir -p "$VDIR/${VBASE}_2/etc/extension-release.d/"
+echo "ID=_any" >"$VDIR/${VBASE}_2/etc/extension-release.d/extension-release.${VBASE}_2"
+touch "$VDIR/${VBASE}_2/etc/${VBASE}_2.marker"
+systemctl try-reload-or-restart testservice-50g.service
+grep -q -F "${VBASE}_2.marker" /tmp/markers/50g
+# Do it for a couple more times (to make sure we're tearing down old overlays)
+for _ in {1..5}; do systemctl reload testservice-50g.service; done
+systemctl stop testservice-50g.service
+
+# Repeat the same vpick notify-reload test with ExtensionImages= (keeping the
+# same VBASE and reusing VDIR files for convenience, but using .raw extensions
+# this time)
+VDIR2="/tmp/${VBASE}.raw.v"
+mkdir "$VDIR2"
+cp /run/systemd/system/testservice-50g.service /run/systemd/system/testservice-50h.service
+sed -i -e "s%ExtensionDirectories=.*%ExtensionImages=-$VDIR2%g" -e "s/50g/50h/g" \
+ /run/systemd/system/testservice-50h.service
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
+systemctl start testservice-50h.service
+systemctl is-active testservice-50h.service
+# First reload should pick up the v1 marker
+systemctl try-reload-or-restart testservice-50h.service
+grep -q -F "${VBASE}_1.marker" /tmp/markers/50h
+# Second reload should pick up the v2 marker
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
+systemctl try-reload-or-restart testservice-50h.service
+grep -q -F "${VBASE}_2.marker" /tmp/markers/50h
+# Test that removing all the extensions don't cause any issues
+rm -rf "${VDIR2:?}"/*
+systemctl try-reload-or-restart testservice-50h.service
+systemctl is-active testservice-50h.service
+grep -q -F "no-marker" /tmp/markers/50h
+systemctl stop testservice-50h.service
+
+# Test combining vpick reload/restart with RootDirectory= & RootImage=
+cat >/run/systemd/system/testservice-50i.service </tmp/markers/50i; \
+ (cat /usr/lib/os-release) >>/tmp/markers/50i; \
+ echo -n "READY=1" | socat -t 5 - UNIX-SENDTO:\$\$NOTIFY_SOCKET; \
+ '"'"' SIGHUP; \
+ echo -n "READY=1" | socat -t 5 - UNIX-SENDTO:\$\$NOTIFY_SOCKET; \
+ while true; do sleep 1; done; \
+'
+EOF
+# Move away the v2 extension for now
+mv "$VDIR/${VBASE}_2/" "$VDIR/.${VBASE}_2"
+systemctl start testservice-50i.service
+systemctl is-active testservice-50i.service
+# Move the v2 extension back and reload
+mv "$VDIR/.${VBASE}_2" "$VDIR/${VBASE}_2/"
+systemctl try-reload-or-restart testservice-50i.service
+grep -q -F "${VBASE}_2.marker" /tmp/markers/50i
+# Ensure that we are also still seeing files exclusive to the root image
+grep -q -F "MARKER=1" /tmp/markers/50i
+systemctl stop testservice-50i.service
+
+unsquashfs -no-xattrs -d /tmp/vpickminimg "$MINIMAL_IMAGE.raw"
+cp /run/systemd/system/testservice-50i.service /run/systemd/system/testservice-50j.service
+sed -i -e "s%RootImage=.*%RootDirectory=/tmp/vpickminimg%g" -e "s/50i/50j/g" \
+ /run/systemd/system/testservice-50j.service
+systemctl start testservice-50j.service
+systemctl is-active testservice-50j.service
+systemctl try-reload-or-restart testservice-50j.service
+grep -q -F "${VBASE}_2.marker" /tmp/markers/50j
+grep -q -F "MARKER=1" /tmp/markers/50j
+systemctl stop testservice-50j.service
+
+rm -rf "$VDIR" "$VDIR2" /tmp/vpickminimg /tmp/markers/
+
# Test that an extension consisting of an empty directory under /etc/extensions/ takes precedence
mkdir -p /var/lib/extensions/
ln -s /tmp/app-nodistro.raw /var/lib/extensions/app-nodistro.raw