mirror of
https://github.com/systemd/systemd.git
synced 2025-01-05 13:18:06 +03:00
9c0c670125
This setting allows services to run in an ephemeral copy of the root directory or root image. To make sure the ephemeral copies are always cleaned up, we add a tmpfiles snippet to unconditionally clean up /var/lib/systemd/ephemeral. To prevent in use ephemeral copies from being cleaned up by tmpfiles, we use the newly added COPY_LOCK_BSD and BTRFS_SNAPSHOT_LOCK_BSD flags to take a BSD lock on the ephemeral copies which instruct tmpfiles to not touch those ephemeral copies as long as the BSD lock is held.
77 lines
3.4 KiB
Plaintext
77 lines
3.4 KiB
Plaintext
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
# See tmpfiles.d(5) for details
|
|
|
|
d /run/user 0755 root root -
|
|
{% if ENABLE_UTMP %}
|
|
F! /run/utmp 0664 root utmp -
|
|
{% endif %}
|
|
|
|
d /run/systemd/ask-password 0755 root root -
|
|
d /run/systemd/seats 0755 root root -
|
|
d /run/systemd/sessions 0755 root root -
|
|
d /run/systemd/users 0755 root root -
|
|
d /run/systemd/machines 0755 root root -
|
|
d /run/systemd/shutdown 0755 root root -
|
|
|
|
d /run/log 0755 root root -
|
|
|
|
z /run/log/journal 2755 root systemd-journal - -
|
|
Z /run/log/journal/%m ~2750 root systemd-journal - -
|
|
{% if HAVE_ACL %}
|
|
{% if ENABLE_ADM_GROUP and ENABLE_WHEEL_GROUP %}
|
|
a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x,group::r-x,group:adm:r-x,group:wheel:r-x
|
|
a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-x,group:wheel:r-x
|
|
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,group:wheel:r--
|
|
{% elif ENABLE_ADM_GROUP %}
|
|
a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
|
|
a+ /run/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
|
|
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
|
|
{% elif ENABLE_WHEEL_GROUP %}
|
|
a+ /run/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:wheel:r-x
|
|
a+ /run/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
|
|
a+ /run/log/journal/%m/*.journal* - - - - group:wheel:r--
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
z /var/log/journal 2755 root systemd-journal - -
|
|
z /var/log/journal/%m 2755 root systemd-journal - -
|
|
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
|
|
{% if HAVE_ACL %}
|
|
{% if ENABLE_ADM_GROUP and ENABLE_WHEEL_GROUP %}
|
|
a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x,group::r-x,group:adm:r-x,group:wheel:r-x
|
|
a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-x,group:wheel:r-x
|
|
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
|
|
{% elif ENABLE_ADM_GROUP %}
|
|
a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
|
|
a+ /var/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
|
|
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
|
|
{% elif ENABLE_WHEEL_GROUP %}
|
|
a+ /var/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:wheel:r-x
|
|
a+ /var/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
|
|
a+ /var/log/journal/%m/system.journal - - - - group:wheel:r--
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
d /var/lib/systemd 0755 root root -
|
|
d /var/lib/systemd/coredump 0755 root root 3d
|
|
# Files and directories in /var/lib/systemd/ephemeral-trees are locked by pid 1 to prevent tmpfiles from
|
|
# removing them, and tmpfiles is told to clean up anything in /var/lib/systemd/ephemeral-trees that isn't
|
|
# locked unconditionally.
|
|
d /var/lib/systemd/ephemeral-trees 0755 root root 0
|
|
|
|
d /var/lib/private 0700 root root -
|
|
d /var/log/private 0700 root root -
|
|
d /var/cache/private 0700 root root -
|
|
|
|
{% if ENABLE_EFI %}
|
|
# Copy sd-stub provided PCR signature and public key file from initrd into /run/, so that it will survive the initrd stage
|
|
C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json
|
|
C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem
|
|
{% endif %}
|