systemd-sysext: Introduce a global config

[vittyvk]

Component

systemd-sysext

Is your feature request related to a problem? Please describe

systemd-sysext has a few options which are only available on the command line. Namely:

--image-policy=policy
--mutable=BOOL|auto|import

cannot be set without modifying (or overriding) /usr/lib/systemd/system/systemd-sysext.service as there's no config file for systemd-sysext.

Describe the solution you'd like

Introduce a global systemd-sysext conffile (/usr/lib/systemd/sysext.conf, /etc/systemd/sysext.conf) allowing to set global parameters:

[Sysext]
Mutable=yes
ImagePolicy=root=verity+signed+encrypted+unprotected+absent

Describe alternatives you've considered

Placing modified systemd-sysext.service to /etc/systemd/ helps to workaround the absence of global config.

The systemd version you checked that didn't have the feature you are asking for

No response

[bluca]

I'm not sure, the defaults are the way it's intended to be used, all these options are really just for debugging and such, and really should be avoided otherwise, what's the use case?

[vittyvk]

Hm, neither "--image-policy" nor "-mutable" look like debugging options to me... The use-case I have in mind is the ability to use sysext/confext with more traditional systems where some sort of mutability is expected (either persistent or at least ephemeral). Also, image policy can be tuned when e.g. extensions are loaded from a trusted source and users may want to relax signature restrictions for convenience.
Also, even for "debugging" options (e.g. "--force") , isn't it beneficial to be able to set them in a config? In case extensions are used to modify system's behavior on boot, it may not be the same as doing "systemd-sysext --my-debug-option refresh" post boot.

[bluca]

The issue is that there's really no such thing as a "some sort of mutability", either a system is immutable and cryptographically verified, or it isn't. If you have a use case for a writable system, then it just doesn't make a lot of sense to jump through all these hoops to go back to a semi-normal system... just don't use any of this, and have a normal writable filesystem?
The entire point is to have code integrity and other strong security policies, without that it's just really a lot of work and trouble, for no benefit at all, so you should ask whether it's worth it and what you get out of it in the first place

[vittyvk]

What's wrong about ephemeral overlays? I.e. I want to have a system image which is e.g. verity protected and I want to have some confexts to customize my /etc but at the same time I want things like sshd to not stumble when they're trying to create host keys in /etc. So I want, for example, to have system-sysext.service use "--mutable=ephemeral". This can, of course, be approached from another point of view: let's eliminate everything trying to write to /etc and long term it's probably the right way to go but IMO in the short/mid term this may slow down sysext/confext adoption.

[bluca]

There's nothing wrong with a writable system, what I am questioning is the complex way to get there. We can even support an ephemeral rootfs already, via options like systemd.volatile= that use your normal disk. The point is, either the system is immutable, and then for the price of all the complications you get strong security properties, or it isn't, and then you get nothing good out of it, and a whole lot of complexities and complications. Why bother at that point (aside from debug/dev cases ofc)?

[vittyvk]

systemd.volatile=overlay does not currently work well with sysext: we get writeable ephemeral overlay mounted in the initramfs but then systemd-sysext.service in the main system kicks in and makes e.g. /usr ro again.

# cat /proc/cmdline 
console=tty0 console=ttyS0 roothash=5fec4e7acf56209dd50f11cf37e20104e9b4bd396349f9d373d317fc6b3d6bdb systemd.volatile=overlay

# systemd-sysext status
HIERARCHY EXTENSIONS SINCE                      
/opt      none       -                          
/usr      myext.sys  Tue 2025-07-01 11:55:44 UTC

# touch /usr/1234
touch: cannot touch '/usr/1234': Read-only file system

# systemd-sysext unmerge

Unmerged '/usr'.
# touch /usr/1234
<success>

[bluca]

Sorry, I didn't mention it for the sysext use case, I mentioned for the use case where you want to make the system ephemeral. No extensions in that case

[keszybz]

Yeah, this is reasonable to expose the options via a secondary interface. Those command-line options are a supported interface, but when ran as a service, it's inconvenient to modify them.