[systemd-devel] the need for a discoverable sub-volumes specification
Lennart Poettering
lennart at poettering.net
Tue Nov 9 21:03:17 UTC 2021
On Di, 09.11.21 19:48, Topi Miettinen (toiwoton at gmail.com) wrote:

> > i.e. we'd drop the counting suffix.
>
> Could we have this automatic versioning scheme extended also to service
> RootImages & RootDirectories as well? If the automatic versioning was also
> extended to services, we could have A/B testing also for RootImages with
> automatic fallback to last known good working version.

At least in the case of RootImage= this was my implied assumption:
we'd implement the same there, since that uses the exact same code as
systemd-nspawn's image dissection and we definitely want it there.

Doing this for RootDirectory= would make a ton of sense too I guess, but
it's not as obvious there: we'd need to extend the setting a bit I
think to explicitly enable this logic. As opposed to the RootImage=
case (where the logic should be default on) I think any such logic for
RootDirectory= should be opt-in for security reasons because we cannot
safely detect environments where this logic is desirable and discern
them from those where it isn't. In RootImage= we can bind this to the
right GPT partition type being used to mark root file systems that are
arranged for this kind of setup. But in RootDirectory= we have no
concept like that and the stuff inside the image is (unlike a GPT
partition table) clearly untrusted territory, if you follow what I am
babbling.

Or in other words: to enable this for RootDirectory= we probably need
a new option RootDirectoryVersioned= or so that takes a boolean.

Lennart
--
Lennart Poettering, Berlin
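To make the policy discussed in this thread concrete, here is an added illustration (not systemd code, and not the scheme systemd eventually shipped): a "pick the newest version, fall back past known-bad ones" lookup, with versioning always applied to image candidates but only applied to directory candidates when an explicit opt-in flag is set, mirroring the trust argument above. The `name_<version>[.raw]` naming convention, the `pick_newest` / `select_root` functions and the sample file names are all assumptions made for this example.

```python
import re
from typing import FrozenSet, Iterable, Optional, Tuple

# Assumed naming convention for this example: "<name>_<dotted-version>" with an
# optional ".raw" suffix for disk images (directories carry no suffix).
_VERSIONED = re.compile(r"^(?P<name>[^_/]+)_(?P<ver>\d+(?:\.\d+)*)(?:\.raw)?$")

# Constructed sample input: several versions of one image plus an unrelated file.
SAMPLE_IMAGES = ["app_1.raw", "app_2.raw", "app_10.raw", "app_3.raw", "notes.txt"]
# Constructed sample input: versioned directory trees for a RootDirectory=-style root.
SAMPLE_DIRS = ["app_1", "app_2"]


def parse_version(entry: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split 'app_1.2.raw' into ('app', (1, 2)); return None for non-versioned names."""
    m = _VERSIONED.match(entry)
    if m is None:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))


def pick_newest(name: str, candidates: Iterable[str],
                known_bad: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the highest-versioned candidate for `name`, skipping entries marked bad.

    Versions compare as integer tuples, so 'app_10' sorts after 'app_3' (no lexical
    ordering mistakes), and the `known_bad` set is what gives "fall back to the last
    known good version" its meaning: a bad newest entry simply loses the race.
    """
    best: Optional[Tuple[str, Tuple[int, ...]]] = None
    for entry in candidates:
        parsed = parse_version(entry)
        if parsed is None or parsed[0] != name or entry in known_bad:
            continue
        if best is None or parsed[1] > best[1]:
            best = (entry, parsed[1])
    return best[0] if best is not None else None


def select_root(kind: str, name: str, candidates: Iterable[str], *,
                versioned_opt_in: bool = False,
                known_bad: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Apply the opt-in policy from the post (assumed shape, not a systemd API).

    kind == "image":     versioned lookup is on by default (the image's GPT partition
                         type is what vouches for the layout, checked at dissection).
    kind == "directory": a plain directory can't vouch for itself, so the lookup only
                         runs when the caller explicitly enabled it.
    Returns None when versioning is disabled, meaning "use the configured path as-is".
    """
    if kind == "image":
        enabled = True
    elif kind == "directory":
        enabled = versioned_opt_in
    else:
        raise ValueError(f"unknown root kind: {kind!r}")
    if not enabled:
        return None
    return pick_newest(name, candidates, known_bad)


if __name__ == "__main__":
    print(select_root("image", "app", SAMPLE_IMAGES))                      # app_10.raw
    print(select_root("image", "app", SAMPLE_IMAGES,
                      known_bad=frozenset({"app_10.raw"})))                # app_3.raw
    print(select_root("directory", "app", SAMPLE_DIRS))                    # None
    print(select_root("directory", "app", SAMPLE_DIRS, versioned_opt_in=True))  # app_2
```

The integer-tuple comparison and the explicit `known_bad` set are the two parts worth keeping whatever the final naming scheme looks like: the first avoids `app_10` losing to `app_3`, the second is the hook a boot-assessment or health-check mechanism would use to demote a version that failed to come up.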