[systemd-devel] ConditionNeedsUpdate, read-only /usr, and sysext

Lennart Poettering lennart at poettering.net
Wed Feb 14 09:07:29 UTC 2024


On Mi, 07.02.24 20:42, Valentin David (me at valentindavid.com) wrote:

> Hello everybody,
>
> The behavior of ConditionNeedsUpdate is that if /etc/.updated is
> older than /usr/, then it is true.
>
> I have some issues with this. But maybe I do not use it the right
> way.
>
> First, when using a read-only /usr partition (updated through
> sysupdate), the time of /usr is of the build of that filesystem. In
> the case of GNOME OS, to ensure reproducibility bit by bit, we set
> all times to some time in 2011. So that does not work for us.

Hmm, I wonder if the os-release file in /usr/ should optionally have a
timestamp field which could be used. That could be directly
initialized from $SOURCE_DATE_EPOCH at build time (maybe the field
should even be named like that). I think that would make sense, no?

> But now let's say we work-around that, and we make our system take a
> date that is reproducible, let's say the git commit of our
> metadata. Then we have a second issue.
>
> Because of systemd-sysext, it might be that /usr is not anymore the
> time of the /usr filesystem, but the time of a directory created on
> the fly by systemd-sysext (or maybe it keeps the time from the /
> filesystem, I do not know, but for sure the time stamp is from when
> systemd-sysext was started). If systemd-update-done happens after
> systemd-sysext (and it effectively does on 254), then the date of
> /etc/.updated will become the time when systemd-sysext started.

Uh. That'd be a bug. Can you file an issue about this?

> Let's imagine that I do not boot that machine often. My system is
> booting a new version. And there is already another new version
> available on the sysupdate server. My system will download a build
> of /usr that is likely to be older than the boot time. So next
> reboot, the condition will be false, even though I did have an
> update. And it will be false until I download a version that was
> built after the boot time of my last successful update.
>
> So my question is, is there a plan to replace time stamp comparison
> for ConditionNeedsUpdate with something that works better with
> sysupdate and sysext? Maybe copying IMAGE_VERSION from
> /usr/lib/os-release into /etc/.updated for example?

Yeah, we should fix this.

I have so far never thought about the mixture of sysext and
ConditionNeedsUpdate=. This is uncharted territory. But I think we
can fix this. But please open issues about this.

Lennart

--
Lennart Poettering, Berlin
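
The thread's two failure cases, as an added example that is not part of the original messages and is not systemd code: a Python model of the "/etc/.updated older than /usr" comparison, run beside the IMAGE_VERSION stamp idea from the quoted question. All function names and epoch values are constructed for illustration, and the stamp step is assumed to take over whatever time /usr shows when it runs, as the quoted text describes.

```python
import os, tempfile
from pathlib import Path

def install_image(root, version, usr_mtime):
    # Simulate deploying a /usr image whose directory time is usr_mtime.
    (root / "usr/lib").mkdir(parents=True, exist_ok=True)
    (root / "etc").mkdir(exist_ok=True)
    (root / "usr/lib/os-release").write_text(f'IMAGE_VERSION="{version}"\n')
    os.utime(root / "usr", (usr_mtime, usr_mtime))

def image_version(root):
    for line in (root / "usr/lib/os-release").read_text().splitlines():
        key, _, value = line.partition("=")
        if key == "IMAGE_VERSION":
            return value.strip('"')
    return None

def update_done(root):
    # Stamp step (model): record the version, take over the time /usr has now.
    stamp = root / "etc/.updated"
    stamp.write_text(f"{image_version(root)}\n")
    t = (root / "usr").stat().st_mtime
    os.utime(stamp, (t, t))

def needs_update_mtime(root):
    # Rule as stated in the thread: true if /etc/.updated is older than /usr.
    stamp = root / "etc/.updated"
    return not stamp.exists() or stamp.stat().st_mtime < (root / "usr").stat().st_mtime

def needs_update_version(root):
    # Alternative from the quoted question: compare the recorded IMAGE_VERSION.
    stamp = root / "etc/.updated"
    return not stamp.exists() or stamp.read_text().strip() != image_version(root)

def run(first_usr_time, seen_at_stamp_time, second_usr_time):
    # Boot image 1, stamp, deploy image 2; return (mtime verdict, version verdict).
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        install_image(root, "1", first_usr_time)
        os.utime(root / "usr", (seen_at_stamp_time,) * 2)  # time seen when stamping
        update_done(root)
        install_image(root, "2", second_usr_time)
        return needs_update_mtime(root), needs_update_version(root)

# Constructed epoch values, not taken from any real image.
CLAMP_2011, BUILD_1, BOOT, BUILD_2 = 1293840000, 1706000000, 1707300000, 1707000000

def clamped_case(): return run(CLAMP_2011, CLAMP_2011, CLAMP_2011)  # reproducible build
def sysext_case():  return run(BUILD_1, BOOT, BUILD_2)   # overlay time > next build time
def healthy_case(): return run(BUILD_1, BUILD_1, BUILD_2)  # increasing times, no overlay
```

In both failure cases the time comparison reports no update although the image changed, while the version comparison reports one.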

