GitHub-Mirror/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2025-10-06 00:13:24 +02:00
Code Issues Releases Wiki Activity

integritysetup: add remote-integritysetup.target to match remote-{crypt|verity}setup.target

Browse Source 
Let's make the three subsystems more alike, and add remote-*setup.traget
for all three, enable them all three in the presets, and make them
behave in a similar fashion.
This commit is contained in:
Lennart Poettering
2025-02-24 11:32:00 +01:00
parent 65ced7578e
commit 810708f4b8
6 changed files with 107 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
man/integritytab.xml
View File

@@ -133,6 +133,53 @@
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>
<varlistentry>
<term><option>_netdev</option></term>
<listitem><para>Marks this veritysetup device as requiring network. It will be started after the
network is available, similarly to
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
units marked with <option>_netdev</option>. The service unit to set up this device will be ordered
between <filename>remote-fs-pre.target</filename> and
<filename>remote-integritysetup.target</filename>, instead of
<filename>integritysetup-pre.target</filename> and <filename>integritysetup.target</filename>.</para>
<para>Hint: if this device is used for a mount point that is specified in <citerefentry
project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>, the
<option>_netdev</option> option should also be used for the mount point. Otherwise, a dependency loop
might be created where the mount point will be pulled in by <filename>local-fs.target</filename>,
while the service to configure the network is usually only started <emphasis>after</emphasis> the
local file system has been mounted.</para>
<xi:include href="version-info.xml" xpointer="v258"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noauto</option></term>
<listitem><para>This device will not be added to <filename>integritysetup.target</filename>. This
means that it will not be automatically enabled on boot, unless something else pulls it in. In
particular, if the device is used for a mount point, it'll be enabled automatically during boot,
unless the mount point itself is also disabled with <option>noauto</option>.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
<varlistentry>
<term><option>nofail</option></term>
<listitem><para>This device will not be a hard dependency of
<filename>integritysetup.target</filename>. It'll still be pulled in and started, but the system will
not wait for the device to show up and be enabled, and boot will not fail if this is
unsuccessful. Note that other units that depend on the enabled device may still fail. In particular,
if the device is used for a mount point, the mount point itself also needs to have the
<option>nofail</option> option, or the boot will fail if the device is not enabled
successfully.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
</variablelist>
<para>At early boot and when the system manager configuration is

14
man/systemd.special.xml
View File

@@ -66,6 +66,7 @@
<filename>printer.target</filename>,
<filename>reboot.target</filename>,
<filename>remote-cryptsetup.target</filename>,
<filename>remote-integritysetup.target</filename>,
<filename>remote-veritysetup.target</filename>,
<filename>remote-fs-pre.target</filename>,
<filename>remote-fs.target</filename>,
@@ -641,11 +642,22 @@
<xi:include href="version-info.xml" xpointer="v235"/>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>remote-integritysetup.target</filename></term>
<listitem>
<para>Similar to <filename>integritysetup.target</filename>, but for integrity protected devices
which are accessed over the network. It is used for
<citerefentry><refentrytitle>integritytab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
entries marked with <option>_netdev</option>.</para>
<xi:include href="version-info.xml" xpointer="v258"/>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>remote-veritysetup.target</filename></term>
<listitem>
<para>Similar to <filename>veritysetup.target</filename>, but for verity
integrity protected devices which are accessed over the network. It is used for
protected devices which are accessed over the network. It is used for
<citerefentry><refentrytitle>veritytab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
entries marked with <option>_netdev</option>.</para>

1
presets/90-systemd.preset
View File

@@ -13,6 +13,7 @@
enable remote-fs.target
enable remote-cryptsetup.target
enable remote-integritysetup.target
enable remote-veritysetup.target
enable machines.target

28
src/integritysetup/integritysetup-generator.c
View File

@@ -36,12 +36,17 @@ static int create_disk(
_cleanup_free_ char *n = NULL, *dd = NULL, *e = NULL, *name_escaped = NULL, *key_file_escaped = NULL;
_cleanup_fclose_ FILE *f = NULL;
int r;
char *dmname = NULL;
bool noauto, nofail, netdev;
int r;
assert(name);
assert(device);
noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
netdev = fstab_test_option(options, "_netdev\0");
name_escaped = specifier_escape(name);
if (!name_escaped)
return log_oom();
@@ -88,13 +93,20 @@ static int create_disk(
"Before=blockdev@dev-mapper-%%i.target\n"
"Wants=blockdev@dev-mapper-%%i.target\n"
"Conflicts=umount.target\n"
"Before=integritysetup.target\n"
"BindsTo=%s\n"
"After=%s\n"
"Before=umount.target\n",
arg_integritytab,
dd, dd);
if (netdev)
fprintf(f, "After=remote-fs-pre.target\n");
if (!nofail)
fprintf(f,
"Before=%s\n",
netdev ? "remote-integritysetup.target" : "integritysetup.target");
fprintf(f,
"\n"
"[Service]\n"
@@ -110,9 +122,15 @@ static int create_disk(
if (r < 0)
return log_error_errno(r, "Failed to write unit file %s: %m", n);
r = generator_add_symlink(arg_dest, "integritysetup.target", "requires", n);
if (r < 0)
return r;
if (!noauto) {
r = generator_add_symlink(
arg_dest,
netdev ? "remote-integritysetup.target" : "integritysetup.target",
nofail ? "wants" : "requires",
n);
if (r < 0)
return r;
}
dmname = strjoina("dev-mapper-", e, ".device");
return generator_add_symlink(arg_dest, dmname, "requires", n);

5
units/meson.build
View File

@@ -190,6 +190,11 @@ units = [
},
{ 'file' : 'remote-fs-pre.target' },
{ 'file' : 'remote-fs.target' },
{
'file' : 'remote-integritysetup.target',
'conditions' : ['HAVE_LIBCRYPTSETUP'],
'symlinks' : ['initrd-root-device.target.wants/'],
},
{
'file' : 'remote-veritysetup.target',
'conditions' : ['HAVE_LIBCRYPTSETUP'],

18
units/remote-integritysetup.target Normal file
View File

@@ -0,0 +1,18 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Remote Integrity Protected Volumes
Documentation=man:systemd.special(7)
After=remote-fs-pre.target integritysetup-pre.target
DefaultDependencies=no
Conflicts=shutdown.target
[Install]
WantedBy=multi-user.target