Conversation

@pothos (Member) commented Dec 10, 2025

  • Make systemd-confext automatically use the mutable mode

    So far we had a custom overlay mount for /etc that provided the A/B
    updated files from /usr in a lowerdir. Since then we upstreamed a
    mutable mode for sysext and confext.
    We can now switch over to it and provide a default confext by using the
    mutable mode. For user-provided to be supported we need to wait for the
    atomic remount to be there so that a reload is less impacting. Also, one
    has to be careful with the stacking order for user-provided extensions
    and modes other than mutable. The read-only mode also needs more design
    work in Flatcar.

  • Drop old ensure-sysext.service workaround

    When systemd-sysext didn't support issuing a daemon reload, we had this
    service do it. This is now doing the same thing again while not needed.
    The service also added support to using .wants but in general .upholds
    should be used. For extensions that use .wants we can still start their
    services when we set the extension up from the initrd. Left is just the
    case where the extension is loaded live but since this was a
    Flatcar-specific workaround it's not something we want to support and
    users either should migrate to .upholds, start the service manually (or
    with the target restart as done in this workaround), or do a reboot when
    they add new extensions live. We also plan to add a service restart
    field to the extension-release metadata file so that one doesn't need to
    use .upholds and it even covers more cases.

  • systemd: Define order for confext and sysext

    For a confext to influence how things shipped in a sysext behave or even
    how sysext itself behaves it's good to define that confext runs first.
    This is also explicitly done in bootengine. With the skip logic we
    ideally don't set up extensions again during boot but that only works if
    the contents can be ensured to be equal and the fallback is a full
    refresh otherwise.

These changes are needed to ship the default /etc files as confext in the mutable mode.

How to use

With the scripts PR that uses it.

Testing done

See scripts PR

@pothos pothos requested a review from a team as a code owner December 10, 2025 17:12
@pothos pothos force-pushed the kai/default-confext branch from d7672b5 to 782b1d2 on December 12, 2025 07:31
pothos added a commit to flatcar/scripts that referenced this pull request Dec 12, 2025
For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in flatcar/init#138 and
flatcar/bootengine#115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confext don't work well yet unless they use verity due to
the missing atomic remount and reliance on the skipping logic. We also
need to look into stacking order and other mutability settings.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
So far we had a custom overlay mount for /etc that provided the A/B
updated files from /usr in a lowerdir. Since then we upstreamed a
mutable mode for sysext and confext.
We can now switch over to it and provide a default confext by using the
mutable mode. For user-provided to be supported we need to wait for the
atomic remount to be there so that a reload is less impacting. Also, one
has to be careful with the stacking order for user-provided extensions
and modes other than mutable. The read-only mode also needs more design
work in Flatcar.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
When systemd-sysext didn't support issuing a daemon reload, we had this
service do it. This is now doing the same thing again while not needed.
The service also added support to using .wants but in general .upholds
should be used. For extensions that use .wants we can still start their
services when we set the extension up from the initrd. Left is just the
case where the extension is loaded live but since this was a
Flatcar-specific workaround it's not something we want to support and
users either should migrate to .upholds, start the service manually (or
with the target restart as done in this workaround), or do a reboot when
they add new extensions live. We also plan to add a service restart
field to the extension-release metadata file so that one doesn't need to
use .upholds and it even covers more cases.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
For a confext to influence how things shipped in a sysext behave or even
how sysext itself behaves it's good to define that confext runs first.
This is also explicitly done in bootengine. With the skip logic we
ideally don't set up extensions again during boot but that only works if
the contents can be ensured to be equal and the fallback is a full
refresh otherwise.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
@pothos pothos force-pushed the kai/default-confext branch from 782b1d2 to 8c2c1f4 on December 12, 2025 13:39
When users have their own /var partitions these get mounted only in the
final system and then lack the preparation done in the initrd for
mutable /etc.
Do this just before we run systemd-confext.service so that it sees that
/etc should be mutable and thus does not do a refresh into read-only but
skips the refresh.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
When the systemd-sysupdate.service runs it fails if there is no config.
Since we don't use it, it's expected to do nothing but this failure is
making problems when the service is started from the timer unit which
is now enabled by default. This service is also used by the
sysext-bakery update configs for drop-in steps that update sysupdate
components. There we let users add a noop config to prevent this service
failure.
Since we run into this in Flatcar now and we anyway had users add this
manually, let's just add it directly to Flatcar.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
@pothos pothos force-pushed the kai/default-confext branch from 658f50e to 8105e64 on December 13, 2025 14:53
pothos added a commit to flatcar/scripts that referenced this pull request Dec 15, 2025
For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in flatcar/init#138 and
flatcar/bootengine#115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confext don't work well yet unless they use verity due to
the missing atomic remount and reliance on the skipping logic. We also
need to look into stacking order and other mutability settings.

TODO: List of PRs and patch files (inc dep commits)

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos added a commit to flatcar/scripts that referenced this pull request Dec 15, 2025
@chewi (Contributor) left a comment

Looks good!

I'm really happy about the noop thing. I hated that we needed to expose that kludge to bakery users. It would be even better if sysupdate just permitted no config, but this will do.

Regarding prepare-mutable.conf, is there anything to ensure that /var gets mounted before systemd-confext.service starts? Do we maybe need a RequiresMountsFor? Or perhaps even a BindsTo?

pothos added a commit to flatcar/scripts that referenced this pull request Dec 16, 2025
For A/B-updated /etc contents we used a custom overlay mount that
provides the default files through a lowerdir loaded from /usr. Since
then we upstreamed mutable systemd-confext support and now we can switch
to it.
This pulls in flatcar/init#138 and
flatcar/bootengine#115 together with backported
systemd patches that have opened or merged upstream PRs to fix --root=
issues and add a refresh skip check to prevent boot disruptions due to
the multiple daemon reloads and - more important - the missing atomic
remount that would mean /etc is gone for a few milliseconds during boot.
The skip logic works best with verity hashes and thus the default
confext must be a verity extension image.
User-provided confext don't work well yet unless they use verity due to
the missing atomic remount and reliance on the skipping logic. We also
need to look into stacking order and other mutability settings.

The backported systemd patches relate to the following upstream PRs:

systemd/systemd#39843 for
vpick-Don-t-use-openat-directly-but-resolve-symlinks
discover-image-Follow-symlinks-in-a-given-root
sysext-Use-correct-image-name-for-extension-release
test-Add-tests-for-handling-symlinks-with-systemd-sy
Note that the patch in the PR relies on
0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch does not.

systemd/systemd#39980 for
sysext-Create-mutable-directory-with-the-right-mode
sysext-Skip-refresh-if-no-changes-are-found

systemd/systemd#39991 for
sysext-Get-verity-user-certs-from-given-root

systemd/systemd#40063 for
sysext-Fix-config-file-support-with-root
which relies on systemd/systemd#38250 for
man-sysext.conf-add-systemd-sysext-config-files
sysext-introduce-global-config-file
sysext-support-ImagePolicy-global-config-option

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
@pothos (Member, Author) commented Dec 16, 2025

Regarding prepare-mutable.conf, is there anything to ensure that /var gets mounted before systemd-confext.service starts? Do we maybe need a RequiresMountsFor? Or perhaps even a BindsTo?

Good question, in general it sounds good to do this but I've also seen that the zfs sysext has this drop-in to let sysext run before udev which I don't really understand yet. Probably zfs users won't store extension images on a zfs /var but encoding that sysext requires /var could cause them trouble?

I guess it's also important to say that while we have a test case for a separate /var in kola, this setup is not that well supported and ideally the /var mount would be done from the initrd so that tmpfiles and similar have a proper chance to run.
So best is maybe to not encode a dependency for now but document that one might want to look into this when setting up a separate /var.

pothos added a commit to flatcar/scripts that referenced this pull request Dec 17, 2025
pothos added a commit to flatcar/scripts that referenced this pull request Dec 18, 2025
pothos added a commit to flatcar/scripts that referenced this pull request Dec 18, 2025