[systemd-devel] Hermetic-usr implementation on dracut
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Thu Mar 6 09:04:36 UTC 2025
On Mon, Mar 03, 2025 at 11:54:35AM +0100, Nils Kattenbeck wrote:
> Hi,
>
> systemd definitely already has all the stuff in place to do this on it's
> own.
> The stuff creating the root partition would be sd-repart which just needs a
> corresponding partition description.
>
> A good example of how this can be used is particleOS
> https://github.com/systemd/particleos
> which is an experiment to implement a OS based on the blog post you
> mentioned.
> It uses mkosi https://github.com/systemd/mkosi to create the image
> which in turn will generate a purely systemd based initrd.
Yes, particleos shows us what we are missing in upstream systemd and
what doesn't work great.
E.g. https://github.com/systemd/systemd/pull/36512 +
https://github.com/systemd/particleos/pull/28.
In particular 36512 is good example of work that needs to be done
to make factory resets actually usuable.
We had an online discussion with Emanuele and other folks and this
highlighted one important difference in approach. Both particleos [1]
and Emanuele's new work copy all files under /usr. But the interesting
difference in approach is that particleos symlinks only allowlisted
files into /etc [2], while Emanuele copied everything. The list of
projects that will need _some_ files in /etc is long [3], and Emanuele
made a good point that mantainaing a list of such files is a problem.
OTOH, just copying everything back seems like giving up ;(
Daan, any comments, what is your long-term solution for this?
Another difference is that Emanuele's work uses /usr/etc instead of
/usr/share/factory, but that conflicts with [4] and libeconf.
[1] https://github.com/systemd/particleos/blob/main/mkosi.finalize
[2] https://github.com/systemd/particleos/blob/main/mkosi.extra/usr/lib/tmpfiles.d/etc.conf
[3] https://github.com/uapi-group/specifications/issues/76
[4] https://en.opensuse.org/openSUSE:Packaging_UsrEtc
Zbyszek
> On Mon, Mar 3, 2025, 11:45 Emanuele Giuseppe Esposito <eesposit at redhat.com>
> wrote:
>
> > Hello everyone,
> >
> > As you might know already, I tried to submit a new dracut module that
> > implements the hermetic-usr approach described by Lennart in his
> > blogpost "Fitting everything together":
> > https://0pointer.net/blog/fitting-everything-together.html.
> >
> > The PR is here: https://github.com/dracut-ng/dracut-ng/pull/1234
> >
> > While there are some small things to fix, it works well, at least in the
> > environments that I tried.
> >
> > It is able to recreate the whole root from scratch, provided that /usr
> > is existing in a separate partition.It creates a LUKS as well as
> > plaintext root, and supports plaintext /usr as well as dm-verity
> > protected one.
> >
> > Zbigniew pointed me that a dracut module might not be the best way to
> > achieve this, and there might be work in progress already in systemd to
> > achieve the same goal with a separate systemd component.
> >
> > Can you point me to the work that is being done in systemd? More
> > specifically, if there is something similar to what I implemented that
> > puts together systemd-repart with systemd-tmpfiles and sysusers and
> > creates a root. Is there some project already going on that does this?
> >
> > My module uses only 3 systemd units, and most of this stuff could be
> > reused, if you want. Or maybe is it better to continue the work on dracut?
More information about the systemd-devel
mailing list