rancher/packages
1
0
Fork 0
mirror of https://github.com/kairos-io/packages.git synced 2025-06-01 03:26:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enable sysext on non-uki (#1353)

Browse Source 
Signed-off-by: Itxaka <itxaka@kairos.io>
This commit is contained in:
Itxaka 2025-04-08 10:24:13 +02:00 committed by GitHub
parent 434579356b
commit f143d7267e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/static/kairos-overlay-files/collection.yaml
View File

@ -1,4 +1,4 @@
packages: packages:
- name: "kairos-overlay-files" - name: "kairos-overlay-files"
category: "static" category: "static"
version: "1.6.8" version: "1.7.0"

2
packages/static/kairos-overlay-files/files/system/oem/00_rootfs.yaml
View File

@ -54,6 +54,7 @@ stages:
/var/lib/snapd /var/lib/snapd
/var/lib/tailscale /var/lib/tailscale
/var/lib/wicked /var/lib/wicked
/var/lib/kairos
/var/log /var/log
/var/run/cilium /var/run/cilium
/var/snap /var/snap
@ -106,6 +107,7 @@ stages:
/var/lib/snapd /var/lib/snapd
/var/lib/tailscale /var/lib/tailscale
/var/lib/wicked /var/lib/wicked
/var/lib/kairos
/var/log /var/log
/var/run/cilium /var/run/cilium
/var/snap /var/snap

1
packages/static/kairos-overlay-files/files/system/oem/00_rootfs_uki.yaml
View File

@ -47,6 +47,7 @@ stages:
/var/lib/rancher /var/lib/rancher
/var/lib/snapd /var/lib/snapd
/var/lib/wicked /var/lib/wicked
/var/lib/kairos
/var/log /var/log
/var/snap /var/snap
- if: '[ -e "/run/cos/uki_boot_mode" ] && ([ -e "/run/cos/recovery_mode" ] || [ -e "/run/cos/autoreset_mode" ])' - if: '[ -e "/run/cos/uki_boot_mode" ] && ([ -e "/run/cos/recovery_mode" ] || [ -e "/run/cos/autoreset_mode" ])'

30
packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
View File

@ -13,7 +13,7 @@ stages:
- name: "systemd-sysext uki config" - name: "systemd-sysext uki config"
if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]' if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
files: files:
- path: /etc/systemd/system/systemd-sysext.service.d/uki.conf - path: /etc/systemd/system/systemd-sysext.service.d/kairos-uki.conf
permissions: 0644 permissions: 0644
owner: 0 owner: 0
group: 0 group: 0
@ -22,7 +22,9 @@ stages:
# Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
TimeoutStartSec=10 TimeoutStartSec=10
# override exec and reload to set the image policy # override exec and reload to set the image policy
ExecStart=
ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent" ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
ExecReload=
ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent" ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
# set the sysext hierarchies so we dont overwrite our mount at /usr/local # set the sysext hierarchies so we dont overwrite our mount at /usr/local
# set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO # set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO
@ -32,8 +34,32 @@ stages:
[Unit] [Unit]
# Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
JobRunningTimeoutSec=5 JobRunningTimeoutSec=5
- name: "systemd-sysext config"
if: '[ ! -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
files:
- path: /etc/systemd/system/systemd-sysext.service.d/kairos.conf
permissions: 0644
owner: 0
group: 0
content: |
[Service]
# Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
TimeoutStartSec=10
# override exec and reload to set the image policy
ExecStart=
ExecStart=systemd-sysext refresh --image-policy="root=verity+absent:usr=verity+absent"
ExecReload=
ExecReload=systemd-sysext refresh --image-policy="root=verity+absent:usr=verity+absent"
# set the sysext hierarchies so we dont overwrite our mount at /usr/local
# set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO
# and we dont want the full /usr/local to be RO as we store state in there
# on systemd 256 we can control if they are mutable or not
Environment="SYSTEMD_SYSEXT_HIERARCHIES=/usr/local/bin:/usr/local/sbin:/usr/local/include:/usr/local/lib:/usr/local/share:/usr/local/src:/usr/bin:/usr/share:/usr/lib:/usr/include:/usr/src:/usr/sbin"
[Unit]
# Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
JobRunningTimeoutSec=5
- name: "systemd-sysext set hierarchy system-wide" - name: "systemd-sysext set hierarchy system-wide"
if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]' if: '[ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
files: files:
- path: /etc/profile.d/systemd-sysext.sh - path: /etc/profile.d/systemd-sysext.sh
permissions: 0644 permissions: 0644