From d6e7a31eb148e36188e24f61aa95c05ec6f602a9 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Mon, 10 Jun 2024 10:10:32 +0200
Subject: [PATCH] Add sysext policy config for uki mode (#890)
---
 .../static/kairos-overlay-files/collection.yaml | 2 +-
 .../files/system/oem/24_sysext.yaml | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/packages/static/kairos-overlay-files/collection.yaml b/packages/static/kairos-overlay-files/collection.yaml
index 2ef9189..35c4fb6 100644
--- a/packages/static/kairos-overlay-files/collection.yaml
+++ b/packages/static/kairos-overlay-files/collection.yaml
@@ -1,4 +1,4 @@
 packages:
 - name: "kairos-overlay-files"
 category: "static"
- version: "1.1.33"
+ version: "1.1.34"
diff --git a/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml b/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
index 141aaea..77338a8 100644
--- a/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
@@ -10,6 +10,20 @@ stages:
 - path: /usr/lib/extensions
 - path: /usr/local/lib/extensions
 initramfs:
+ - name: "systemd-sysext uki config"
+ if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
+ files:
+ - path: /etc/systemd/system/systemd-sysext.service.d/uki.conf
+ permissions: 0644
+ owner: 0
+ group: 0
+ content: |
+ [Service]
+ TimeoutStartSec=10
+ ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+ ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+ [Unit]
+ JobRunningTimeoutSec=5
 - name: "systemd-sysext initramfs settings"
 if: '[ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ]'
 systemctl:
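Review bot: The `uki.conf` drop-in added in the 24_sysext.yaml hunk sets `ExecStart=` and `ExecReload=` without first clearing the values inherited from the base systemd-sysext.service, so the policy-restricted command is appended rather than substituted. systemd only resets an Exec list on an empty assignment; if the stock unit is Type=oneshot (it is not visible in this diff, so confirm), its plain `systemd-sysext refresh` would still run first under the default image policy, and extensions that are neither verity-protected nor signed could be merged before the restricted refresh runs. Inside `content:`, add an empty `ExecStart=` line before the new `ExecStart=...` and an empty `ExecReload=` line before the new `ExecReload=...`. Checking `systemctl show -p ExecStart systemd-sysext` on a UKI boot would confirm that only the `--image-policy` command remains.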