[systemd-devel] Using systemd.offline-updates from an ostree based system

Dan Nicholson nicholson at endlessm.com
Fri Apr 26 13:47:05 UTC 2019

On Fri, Apr 26, 2019 at 3:54 AM Lennart Poettering
<lennart at poettering.net> wrote:
> On Do, 25.04.19 17:10, Richard Hughes (hughsient at gmail.com) wrote:
> >  Hi all,
> >
> > I use the offline updates feature
> > https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html
> > in fwupd to install some kinds of firmware. I've just found out this
> > doesn't work on Fedora SilverBlue as / is immutable and of course
> > creating the /system-update symlink fails.
> Hmm, the assumption was always that / was mutable if offline updates
> are used to update /...
> I have the suspicion the ostree folks might have some specific ideas
> on how to do this in their environment?

In a bootable ostree you're never updating /. You're updating a new
deployment in /ostree/deploy/<os>/deploy/<deployment>. In a standard
update path you'd make modifications in there, but this is different
since you're not updating the OS.

> > I'm using the offline update mode rather than updating "live" as I'm
> > updating the keyboard controller itself, which means the keyboard (and
> > power button!) is disabled and various things like ACPI battery
> > reporting also get upset for the 30 seconds of flashing. I'm stuck for
> > ideas. I suppose I could write a new boot entry (BLS?) that has a new
> > kernel command line argument set to go into system-update.target (and
> > patch src/system-update-generator/system-update-generator.c) although
> > I don't think BLS has the concept of a "oneshot" entry that would
> > delete after running it once.
> What precisely is writable on those systems? Is /etc? You need
> something that is accessible during early boot (i.e. right after the
> transition from the initrd to the host OS). This excludes /var in the
> general case, but includes /etc, / or /usr...

/etc and /var are the typical places to put writable data (/usr is
also mounted RO). Early in boot a writable /etc is available.
Basically, there are 2 parts to the ostree boot process.

In the initrd, ostree-prepare-root runs late to take the deployment in
/sysroot/ostree/<os>/deploy/<deployment> and remounts things so that
it sits at /sysroot instead. It does most of the mounting to prepare
the system including making /usr a read only mount. It will mount
/sysroot/ostree/<os>/var (a /var shared between deployments of the
same OS) at /var in some scenarios but not all. It also handles bind
mounting /boot to the correct location if it's on the same filesystem
as the deployments. See the following:


Note that ostree makes a separate reference to "/sysroot". At runtime,
the actual root of the filesystem is mounted at /sysroot and there are
a couple symlinks into it to make things work. For instance, /ostree
is a symlink to /sysroot/ostree. Creating new deployments on the live
system wouldn't work if /ostree was actually a directory inside the
currently running deployment.

After pivoting to the new root, there's a generator that runs that
ensures /var is mounted as described above. It's in 2 pieces at:


> Note that the boot loader spec is not universally adopted. Fedora uses
> something they call the boot loader spec, but it#s very different from
> what bootctl, logind, systemd's shutdown code and sd-boot understand
> and not compatible. They really should stop using the name in its
> current state, it's just confusing.
> The boot loader interface systemd undestands actually has support for
> oneshot boots, see:
> https://systemd.io/BOOT_LOADER_INTERFACE.html, see the
> LoaderEntryOneShot EFI variable.
> Given that GRUB doesn't support that and maybe you don't want to bind
> yourself to EFI variables it's not the best approach anyway?
> I mean, you could store the flag at the following places at least:
>    1. EFI variables
>    2. ESP
>    3. /boot if different from ESP
>    4. /
>    5. /etc

I think /etc is the only guaranteed to be writable location that's
generic to all ostree systems. If possible, I'd get systemd to honor


More information about the systemd-devel mailing list